ideas: editorial sweep — atomization, interlinking, restructuring
- Split competitive-analysis-2026-05.org → TOC + 9 competitor files in ideas/competitors/. Dropped date from filename. All competitor UUIDs generated, TOC keeps original UUID for backlink continuity.
- Deleted passepartout-economics.org archive (replaced by 27-node KB).
- Inlined 5 'See also' blocks into natural prose (compliance-index, first-mover-window, revenue-table, orders-of-magnitude-time, native-org-knowledge-base).
- Linked 7 orphan compliance pages back to compliance index + finished truncated sentences.
- Linked all 14 Agora requirement docs from topic-relevant pages (identity→lisp-machine-security, infrastructure→compute-marketplace, social-space→growth-strategy, exchange→agora-contracts, etc.).
- Linked ai-industry-impact from investment-thesis, sufficiency-flip, verification-appliance, effects-growth-flywheel (up from 1 to 10+ pages).
- Fixed CREATED timestamps to use git commit dates instead of today.
- Made all links absolute from root (no port inheritance).
- Removed stale agora/docs/ duplicate content.
ideas/compliance/_index.org (normal file, 7 lines added)
@@ -0,0 +1,7 @@
|
||||
#+title: Compliance
|
||||
#+filetags: :compliance:index:
|
||||
|
||||
:PROPERTIES:
|
||||
:CREATED: [2026-05-24 Sun]
|
||||
:ID: 1c4c91ec-c465-44ab-bd91-4c3b45909ddb
|
||||
:END:
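Review bot: the :PROPERTIES: drawer in this new file sits below #+title and #+filetags, but Org only treats a drawer as file-level properties when it is the first element in the file, so org-roam will not register 1c4c91ec-c465-44ab-bd91-4c3b45909ddb as this file's node and no id: link can reach it. Move the drawer above the keywords. Worth checking at the same time whether a second index is intended: the "Part of the compliance framework index" backlinks added elsewhere in this commit point at id:e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c, not at this file.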
|
||||
@@ -1,4 +1,5 @@
|
||||
:PROPERTIES:
|
||||
:ID: b852ec69-0fc2-435c-ae1e-6b83e49b3ca3
|
||||
:ID: auto-appi
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
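Review bot: this drawer now carries two :ID: lines. Org property lookup returns the first match, so b852ec69-0fc2-435c-ae1e-6b83e49b3ca3 becomes the node ID and auto-appi is dead weight that may or may not still resolve depending on what org-id-locations has cached. Drop the old line once nothing links to id:auto-appi (a grep for `id:auto-` across the tree will tell). The same applies to every :PROPERTIES: hunk in this commit, each of which adds a UUID beside an existing auto-* ID.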
|
||||
@@ -23,4 +24,6 @@ Japanese residents.
|
||||
Why it matters: APPI's cross-border transfer restrictions require fine-grained
|
||||
control over which data leaves Japan. The gate stack can encode "this data has
|
||||
APPI cross-border consent flag = false → block egress." First-mover advantage
|
||||
is moderate — few non-Japanese vendors target APPI specifically, and the 2022
|
||||
is moderate — few non-Japanese vendors target APPI specifically, and the 2022 report. First-mover advantage is moderate — few non-Japanese vendors target APPI specifically, and the 2022 amendments created a market for dedicated APPI tooling.
|
||||
|
||||
Part of the [[id:e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c][compliance framework index]].
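Review bot: the completed line repeats itself. After "and the 2022" it continues "report. First-mover advantage is moderate", restating the clause that opens the line and leaving a stray "report.". Keep the original clause once and append only the new ending, so the line reads: the 2022 amendments created a market for dedicated APPI tooling.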
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
:PROPERTIES:
|
||||
:ID: 904f5f12-ec9a-4cbf-854a-0b9b1e11a521
|
||||
:ID: auto-apra-cps-234
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
@@ -21,7 +22,7 @@ license cancellation for non-compliance. Personal liability for board and
|
||||
senior management.
|
||||
|
||||
Why it matters: CPS 234's control testing requirement creates demand for
|
||||
continuous verification — exactly what the gate stack and [[file:../evaluation-harness.org][evaluation harness]]
|
||||
continuous verification — exactly what the gate stack and [[id:45258a2d-1675-562c-9024-5d1eb2f1ea56][evaluation harness]]
|
||||
provide. First-mover advantage: CPS 234 is mature (2019) but enforcement is
|
||||
escalating. No vendor provides a deterministic control-testing pipeline.
|
||||
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
:PROPERTIES:
|
||||
:ID: 4eef0993-6671-41cf-ba20-d1443a3ec49d
|
||||
:ID: auto-basel-iii
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
@@ -24,4 +25,6 @@ verification-friendly. The gate stack can encode credit risk weight mappings
|
||||
and produce auditable proof that capital calculations follow the correct
|
||||
methodology. First-mover advantage: Basel compliance is done via spreadsheets
|
||||
and specialized risk platforms. No platform uses formal verification for
|
||||
risk-weight mapping correctness. A $100K/yr Basel gate package for a G-SIB
|
||||
risk-weight mapping correctness. A $100K/yr Basel gate package for a G-SIB is a trivial expense relative to the capital requirement penalty of getting the mapping wrong.
|
||||
|
||||
Part of the [[id:e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c][compliance framework index]].
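Review bot: the finished sentence is left as a single line of roughly 160 characters while the rest of the file is hard-wrapped at about 80 columns; wrap it to match the surrounding paragraph. The same applies to the completions in eidas2.org, fatf.org and ifrs.org in this commit.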
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
:PROPERTIES:
|
||||
:ID: 87996d87-100c-4bf6-8546-a860b9d7c25b
|
||||
:ID: auto-ccpa-cpra
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
@@ -6,7 +7,7 @@
|
||||
#+filetags: :passepartout:compliance:framework:ccpa:
|
||||
|
||||
|
||||
California's comprehensive privacy law — the closest US analogue to [[file:gdpr.org][GDPR]].
|
||||
California's comprehensive privacy law — the closest US analogue to [[id:513d5996-4ac7-4567-a992-18fc01599104][GDPR]].
|
||||
CPRA (effective 2023) amended and strengthened CCPA. Key rights: right to
|
||||
know, delete, opt out of sale/sharing, correct inaccurate data, limit use
|
||||
of sensitive PI. Private right of action for data breaches.
|
||||
|
||||
@@ -6,63 +6,63 @@
|
||||
#+title: Compliance Framework Index — Global Regulated Industries
|
||||
#+filetags: :passepartout:triad:compliance:global:index:hub:
|
||||
|
||||
The [[file:../verification-monopoly.org][verification monopoly]] and domain gate package revenue streams depend on
|
||||
The [[id:827bc546-e887-5b7c-9b65-6392beaf0920][verification monopoly]] and domain gate package [[id:ed05cab4-88e9-4e25-b7c9-346fa39c69a0][revenue streams]] depend on
|
||||
selling into regulated industries. These industries buy compliance, not software.
|
||||
Each framework below maps to a gate package the triad can sell — ACL2-verified
|
||||
gate rules that produce deterministic audit trails.
|
||||
|
||||
See [[file:first-mover-window.org][First-mover window analysis]] and [[file:revenue-table.org][Revenue table]] for the consolidated view.
|
||||
See [[id:558154ea-e63a-4c45-998c-26ce8588585b][First-mover window analysis]] and [[id:81a815ee-bf2b-4365-9894-b814e4196850][Revenue table]] for the consolidated view.
|
||||
|
||||
* US Frameworks
|
||||
|
||||
- [[file:hipaa.org][HIPAA]] — Health privacy ($50K/yr, 500K+ orgs)
|
||||
- [[file:soc2.org][SOC 2]] — Service organization controls ($50K/yr, 100K+ orgs)
|
||||
- [[file:fedramp.org][FedRAMP]] — Federal cloud authorization ($100K/yr, 1K providers)
|
||||
- [[file:sox.org][SOX]] — Financial controls ($50K/yr, 10K orgs)
|
||||
- [[file:glba.org][GLBA]] — Financial privacy ($40K/yr, 20K orgs)
|
||||
- [[file:ny-dfs-500.org][NY DFS 500]] — NY financial cybersecurity ($30K/yr, 3K orgs)
|
||||
- [[file:ccpa-cpra.org][CCPA/CPRA]] — California privacy ($40K/yr, 50K+ orgs)
|
||||
- [[id:84fb5f8f-0527-4df0-b6b6-dbf3bcff8a7f][HIPAA]] — Health privacy ($50K/yr, 500K+ orgs)
|
||||
- [[id:ed65031c-cbd2-4ad2-bd53-a67791e183cd][SOC 2]] — Service organization controls ($50K/yr, 100K+ orgs)
|
||||
- [[id:e6993701-3c67-49bf-82f3-06907572cbf3][FedRAMP]] — Federal cloud authorization ($100K/yr, 1K providers)
|
||||
- [[id:c9830152-0160-4bdc-ab03-6f308ad43536][SOX]] — Financial controls ($50K/yr, 10K orgs)
|
||||
- [[id:4a2bc62b-3f21-4212-9cd9-f9add8fc0be1][GLBA]] — Financial privacy ($40K/yr, 20K orgs)
|
||||
- [[id:581666ba-f72c-406b-8556-93876d2b30bf][NY DFS 500]] — NY financial cybersecurity ($30K/yr, 3K orgs)
|
||||
- [[id:87996d87-100c-4bf6-8546-a860b9d7c25b][CCPA/CPRA]] — California privacy ($40K/yr, 50K+ orgs)
|
||||
|
||||
* Canada
|
||||
|
||||
- [[file:quebec-law-25.org][Quebec Law 25]] — Provincial privacy ($25K/yr, 10K+ orgs)
|
||||
- [[id:f6a0c00e-e922-44af-99ce-6412c4b73745][Quebec Law 25]] — Provincial privacy ($25K/yr, 10K+ orgs)
|
||||
|
||||
* UK and EU
|
||||
|
||||
- [[file:gdpr.org][GDPR]] — EU privacy ($50K/yr, 500K+ orgs)
|
||||
- [[file:uk-gdpr.org][UK GDPR]] — UK privacy ($40K/yr, 100K+ orgs)
|
||||
- [[file:nis2.org][NIS2]] — Network security ($50K/yr, 160K orgs)
|
||||
- [[file:eu-ai-act.org][EU AI Act]] — AI regulation ($75K/yr, 100K+ orgs)
|
||||
- [[file:dora.org][DORA]] — Financial resilience ($50K/yr, 22K+ orgs)
|
||||
- [[file:eidas2.org][eIDAS 2.0]] — Digital identity ($30K/yr, 10K+ orgs)
|
||||
- [[file:cra.org][CRA]] — Product cybersecurity ($40K/yr, 50K+ orgs)
|
||||
- [[id:513d5996-4ac7-4567-a992-18fc01599104][GDPR]] — EU privacy ($50K/yr, 500K+ orgs)
|
||||
- [[id:9bc29937-d59a-4ae4-9623-3d17a1fe6ebb][UK GDPR]] — UK privacy ($40K/yr, 100K+ orgs)
|
||||
- [[id:748db16a-1382-4e5e-8812-a5d57a8de131][NIS2]] — Network security ($50K/yr, 160K orgs)
|
||||
- [[id:06fcdb02-2643-4f9d-ab41-e711a99cc390][EU AI Act]] — AI regulation ($75K/yr, 100K+ orgs)
|
||||
- [[id:717ef2df-2a80-4362-b23a-5e7e12554251][DORA]] — Financial resilience ($50K/yr, 22K+ orgs)
|
||||
- [[id:b8cf51e8-5f39-49ad-9547-a792a2e446aa][eIDAS 2.0]] — Digital identity ($30K/yr, 10K+ orgs)
|
||||
- [[id:ce81fefc-b7a8-4be5-912f-55fd30970b6e][CRA]] — Product cybersecurity ($40K/yr, 50K+ orgs)
|
||||
|
||||
* Asia-Pacific
|
||||
|
||||
- [[file:appi.org][APPI]] — Japan privacy ($40K/yr, 100K+ orgs)
|
||||
- [[file:ismap.org][ISMAP]] — Japan cloud authorization ($75K/yr, 500 providers)
|
||||
- [[file:pipa.org][PIPA]] — South Korea privacy ($35K/yr, 50K+ orgs)
|
||||
- [[file:privacy-act-aus.org][Privacy Act]] — Australia privacy ($35K/yr, 50K+ orgs)
|
||||
- [[file:apra-cps-234.org][APRA CPS 234]] — Australian financial security ($40K/yr, 500 orgs)
|
||||
- [[file:irap.org][IRAP]] — Australian cloud authorization ($75K/yr, 300 providers)
|
||||
- [[file:dpdp-act.org][DPDP Act]] — India privacy ($30K/yr, 500K+ orgs)
|
||||
- [[id:b852ec69-0fc2-435c-ae1e-6b83e49b3ca3][APPI]] — Japan privacy ($40K/yr, 100K+ orgs)
|
||||
- [[id:085b76cc-4a65-4660-9c70-85aee10ca99e][ISMAP]] — Japan cloud authorization ($75K/yr, 500 providers)
|
||||
- [[id:e777064d-9950-42d5-980d-8c78cda91500][PIPA]] — South Korea privacy ($35K/yr, 50K+ orgs)
|
||||
- [[id:834689e9-be0a-4822-9085-9b6b22294fd2][Privacy Act]] — Australia privacy ($35K/yr, 50K+ orgs)
|
||||
- [[id:904f5f12-ec9a-4cbf-854a-0b9b1e11a521][APRA CPS 234]] — Australian financial security ($40K/yr, 500 orgs)
|
||||
- [[id:7f46764b-47b8-4892-a526-2c1b9ee6e6df][IRAP]] — Australian cloud authorization ($75K/yr, 300 providers)
|
||||
- [[id:fed19a24-ad81-4837-a12b-dafbd3ec110a][DPDP Act]] — India privacy ($30K/yr, 500K+ orgs)
|
||||
|
||||
* Latin America
|
||||
|
||||
- [[file:lgpd.org][LGPD]] — Brazil privacy ($30K/yr, 200K+ orgs)
|
||||
- [[file:lfp-dppp.org][LFPDPPP]] — Mexico privacy ($25K/yr, 50K+ orgs)
|
||||
- [[id:c871a9f4-dd53-4e93-aa50-6acf0c606a9b][LGPD]] — Brazil privacy ($30K/yr, 200K+ orgs)
|
||||
- [[id:bafdaa23-de0b-444c-9151-c87ac65add32][LFPDPPP]] — Mexico privacy ($25K/yr, 50K+ orgs)
|
||||
|
||||
* International
|
||||
|
||||
- [[file:iso-27001.org][ISO 27001]] — ISMS ($40K/yr, 60K+ orgs)
|
||||
- [[file:iso-27701.org][ISO 27701]] — Privacy management ($35K/yr, 1K+ orgs)
|
||||
- [[file:basel-iii.org][Basel III]] — Banking capital ($100K/yr, 500 G-SIBs)
|
||||
- [[file:fatf.org][FATF]] — AML/CFT ($50K/yr, 50K+ orgs)
|
||||
- [[file:ifrs.org][IFRS 17]] — Insurance accounting ($75K/yr, 5K+ orgs)
|
||||
- [[file:oecd.org][OECD Guidelines]] — Privacy/AI principles (indirect)
|
||||
- [[file:world-bank-esf.org][World Bank ESF]] — Development finance ($50K/yr)
|
||||
- [[file:ifc-ps.org][IFC PS]] — Project finance ($50K/yr)
|
||||
- [[file:un-cefact.org][UN/CEFACT]] — Trade facilitation ($30K/yr, 50K+ orgs)
|
||||
- [[id:e2ab887d-9f28-4da6-8388-e6c035e9d9c5][ISO 27001]] — ISMS ($40K/yr, 60K+ orgs)
|
||||
- [[id:748b0cc7-7f42-49fb-8ee3-1ae49048a178][ISO 27701]] — Privacy management ($35K/yr, 1K+ orgs)
|
||||
- [[id:4eef0993-6671-41cf-ba20-d1443a3ec49d][Basel III]] — Banking capital ($100K/yr, 500 G-SIBs)
|
||||
- [[id:03ebdb80-a9af-4e76-a443-8556424996ed][FATF]] — AML/CFT ($50K/yr, 50K+ orgs)
|
||||
- [[id:fc736aec-ef53-4759-9787-62bc8deea2e7][IFRS 17]] — Insurance accounting ($75K/yr, 5K+ orgs)
|
||||
- [[id:022109ad-f031-44c4-8ea0-0b3c9402ca90][OECD Guidelines]] — Privacy/AI principles (indirect)
|
||||
- [[id:177aad72-5626-444d-a2e4-af8e1263b125][World Bank ESF]] — Development finance ($50K/yr)
|
||||
- [[id:68c55deb-72bf-4b15-ac28-bcc792057543][IFC PS]] — Project finance ($50K/yr)
|
||||
- [[id:6a5884c8-e9b5-477e-bbf6-aa9ffd967739][UN/CEFACT]] — Trade facilitation ($30K/yr, 50K+ orgs)
|
||||
|
||||
* Strategic View
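Review bot: the backlinks this commit adds ("Part of the ... compliance framework index") resolve to id:e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c, while the new ideas/compliance/_index.org carries 1c4c91ec-c465-44ab-bd91-4c3b45909ddb. This file's own drawer is outside the hunk, so confirm it is the e4a7b3d2 node; otherwise the per-framework pages link to a different index than the one that lists them, and the two index files should be merged or one should point at the other.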
|
||||
|
||||
@@ -74,6 +74,9 @@ See [[file:first-mover-window.org][First-mover window analysis]] and [[file:reve
|
||||
| Latin America | 2 | ~$7B | LGPD (largest LATAM market) |
|
||||
| International | 9 | ~$4.5B | ISO 27001 (universal baseline), World Bank/IFC (no market exists) |
|
||||
|
||||
Next: [[file:first-mover-window.org][First-mover window analysis]] | [[file:revenue-table.org][Full revenue table]]
|
||||
See also: [[file:../../ideas/verification-monopoly.org][Verification monopoly]], [[file:../../ideas/domain-gate-packages.org][[[file:../domain-gate-packages.org][Domain gate packages]]]],
|
||||
[[file:../../ideas/compute-marketplace.org][[[file:../compute-marketplace.org][Compute marketplace]]]], [[file:../../ideas/infrastructure-lock-in.org][Infrastructure lock-in]]
|
||||
The [[id:827bc546-e887-5b7c-9b65-6392beaf0920][verification monopoly]] is enforced through
|
||||
[[id:c34940cc-090e-57c4-8020-e78b1d32b96c][domain gate packages]] running on a
|
||||
[[id:3c6b0449-a8fb-5b89-b82a-34efb21ef5b5][compute marketplace]], creating
|
||||
[[id:2f783eb4-638e-5afa-9b59-6224d086a712][infrastructure lock-in]] that compounds with every framework
|
||||
added. See [[id:558154ea-e63a-4c45-998c-26ce8588585b][First-mover window analysis]] and
|
||||
[[id:81a815ee-bf2b-4365-9894-b814e4196850][Full revenue table]] for the consolidated view.
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
:PROPERTIES:
|
||||
:ID: ce81fefc-b7a8-4be5-912f-55fd30970b6e
|
||||
:ID: auto-cra
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
@@ -23,8 +24,8 @@ Penalties: Up to 15M EUR or 2.5% of global turnover for non-compliance with
|
||||
reporting obligations.
|
||||
|
||||
Why it matters: CRA's CE marking requirement creates a certification pipeline
|
||||
that the [[file:../verification-appliance.org][verification appliance]] can supply. If Passepartout's gate stack is
|
||||
itself CRA-compliant (verified by the [[file:../evaluation-harness.org][evaluation harness]]), it becomes the
|
||||
that the [[id:84a537b4-4256-50c8-91f5-dd5b4538418f][verification appliance]] can supply. If [[id:28c46769-c14b-42aa-ac7a-69d310157f8f][Passepartout]]'s gate stack is
|
||||
itself CRA-compliant (verified by the [[id:45258a2d-1675-562c-9024-5d1eb2f1ea56][evaluation harness]]), it becomes the
|
||||
compliance infrastructure for any product built on it. First-mover advantage:
|
||||
Class II products require notified body assessment — the bottleneck is notified
|
||||
body capacity. The gate stack's automated evidence pipeline bypasses the
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
:PROPERTIES:
|
||||
:ID: 717ef2df-2a80-4362-b23a-5e7e12554251
|
||||
:ID: auto-dora
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
@@ -22,7 +23,7 @@ Penalties: Up to 2% of average daily turnover × number of days breached, or
|
||||
|
||||
Why it matters: DORA's third-party risk management requirement is a natural gate
|
||||
stack use case — every ICT provider access must be gated, logged, and auditable.
|
||||
TLPT (threat-led penetration testing) maps to the [[file:../evaluation-harness.org][evaluation harness]]. First-mover
|
||||
TLPT (threat-led penetration testing) maps to the [[id:45258a2d-1675-562c-9024-5d1eb2f1ea56][evaluation harness]]. First-mover
|
||||
advantage is extremely time-sensitive: DORA is already in effect (January 2025).
|
||||
Financial institutions are scrambling for compliance tooling. A DORA gate package
|
||||
at $50K/yr with zero incremental cost per additional user is an immediate sale.
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
:PROPERTIES:
|
||||
:ID: fed19a24-ad81-4837-a12b-dafbd3ec110a
|
||||
:ID: auto-dpdp-act
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
@@ -28,3 +29,4 @@ consent-managed data access model maps directly to DPDP's consent framework.
|
||||
A DPDP gate package at $30K/yr (discounted for India market) captures a market
|
||||
of hundreds of thousands of businesses with no incumbent vendor.
|
||||
|
||||
Part of the [[id:e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c][compliance framework index]].
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
:PROPERTIES:
|
||||
:ID: b8cf51e8-5f39-49ad-9547-a792a2e446aa
|
||||
:ID: auto-eidas2
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
@@ -23,4 +24,6 @@ access to the EU digital identity market.
|
||||
Why it matters: eIDAS 2.0 creates a verified digital identity layer across the
|
||||
EU. The gate stack can integrate with eIDAS wallets as the identity provider
|
||||
for gate rules — "only X, authenticated via eIDAS wallet, may approve this
|
||||
transaction." First-mover advantage: wallets are being built now; the provider
|
||||
transaction." First-mover advantage: wallets are being built now; the provider — the one that First-mover advantage: wallets are being built now; the provider that integrates with the gate stack first becomes the compliance standard for eIDAS-authenticated transactions.
|
||||
|
||||
Part of the [[id:e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c][compliance framework index]].
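Review bot: the completed line doubles back on itself ("the provider" followed by "the one that First-mover advantage: wallets are being built now; the provider that integrates"). Collapse it to: transaction." First-mover advantage: wallets are being built now; the provider that integrates with the gate stack first becomes the compliance standard for eIDAS-authenticated transactions.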
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
:PROPERTIES:
|
||||
:ID: 06fcdb02-2643-4f9d-ab41-e711a99cc390
|
||||
:ID: auto-eu-ai-act
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
@@ -18,15 +19,15 @@ Who must comply: Providers and deployers of AI systems in the EU. Extraterritori
|
||||
if the AI system output is used in the EU. Scope covers GPAI (general-purpose AI)
|
||||
with additional obligations for systemic-risk GPAI.
|
||||
|
||||
Penalties: Up to 35M EUR or 7% of global turnover (higher than [[file:gdpr.org][GDPR]]).
|
||||
Penalties: Up to 35M EUR or 7% of global turnover (higher than [[id:513d5996-4ac7-4567-a992-18fc01599104][GDPR]]).
|
||||
|
||||
Why it matters: The EU AI Act's conformity assessment requirement creates an
|
||||
instant certification market. Passepartout's gate stack can serve as the
|
||||
instant certification market. [[id:28c46769-c14b-42aa-ac7a-69d310157f8f][Passepartout]]'s gate stack can serve as the
|
||||
human oversight and accuracy/robustness infrastructure for any AI system
|
||||
deployed through it. The [[file:verification-monopoly.org][verification monopoly]] argument applies at maximum
|
||||
deployed through it. The [[id:827bc546-e887-5b7c-9b65-6392beaf0920][verification monopoly]] argument applies at maximum
|
||||
force: an ACL2-verified gate stack is the most defensible approach to AI Act
|
||||
compliance. First-mover advantage: the regulation takes effect August 2026.
|
||||
No certification body or tool vendor has an ACL2-based compliance pipeline.
|
||||
First to market captures the standard-setting role.
|
||||
|
||||
** DORA (Digital Operational Resilience Act)
|
||||
** [[id:717ef2df-2a80-4362-b23a-5e7e12554251][DORA (Digital Operational Resilience Act)]]
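Review bot: linking the heading is a half-step. A "** DORA (Digital Operational Resilience Act)" section is still inside eu-ai-act.org even though dora.org is now its own node (id:717ef2df-2a80-4362-b23a-5e7e12554251, the same ID this heading links to), so whatever follows the heading is a second copy of DORA that will drift from the canonical page. Reduce the section to the link, or delete it and rely on the index.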
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
:PROPERTIES:
|
||||
:ID: 03ebdb80-a9af-4e76-a443-8556424996ed
|
||||
:ID: auto-fatf
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
@@ -29,4 +30,6 @@ costs — Iran and North Korea are black-listed.
|
||||
Why it matters: FATF's CDD requirements are the most widespread and
|
||||
rule-complex compliance obligation globally. The gate stack can encode
|
||||
tiered CDD rules, prove that every customer onboarding followed the correct
|
||||
verification path, and produce an auditable trail for every suspicion
|
||||
verification path, and produce an auditable trail for every suspicion report. First-mover advantage is significant — no vendor offers verifiable AML gate automation at scale.
|
||||
|
||||
Part of the [[id:e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c][compliance framework index]].
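Review bot: "every suspicion report" in the completed sentence is not the FATF term; Recommendation 20 calls the filing a suspicious transaction report (STR; SAR in US usage). Suggest "an auditable trail for every suspicious transaction report."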
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
:PROPERTIES:
|
||||
:ID: e6993701-3c67-49bf-82f3-06907572cbf3
|
||||
:ID: auto-fedramp
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
@@ -46,14 +47,14 @@ contracts. FedRAMP is a procurement gate, not a regulatory one.
|
||||
FedRAMP is the highest bar and the most expensive certification to obtain.
|
||||
Few cloud providers achieve it (fewer than 300 authorized products as of 2025).
|
||||
But those that do capture the US government market with minimal competition.
|
||||
For the triad: a [[file:compute-marketplace.org][compute marketplace]] provider with FedRAMP Moderate or High
|
||||
For the triad: a [[id:3c6b0449-a8fb-5b89-b82a-34efb21ef5b5][compute marketplace]] provider with FedRAMP Moderate or High
|
||||
authorization can sell to every federal agency. The gate stack's deterministic
|
||||
audit trail maps directly to FedRAMP's continuous monitoring requirement —
|
||||
producing verifiable evidence of control effectiveness on every access, not
|
||||
just during the annual assessment. This is what justifies the
|
||||
[[file:domain-gate-packages.org][FedRAMP gate package]] at $100K/yr (the highest price) — it is not a software
|
||||
[[id:c34940cc-090e-57c4-8020-e78b1d32b96c][FedRAMP gate package]] at $100K/yr (the highest price) — it is not a software
|
||||
package, it is the evidence pipeline for a certification that costs $1M-$5M
|
||||
and 12-36 months to obtain independently. The [[file:verification-monopoly.org][verification monopoly]] argument
|
||||
and 12-36 months to obtain independently. The [[id:827bc546-e887-5b7c-9b65-6392beaf0920][verification monopoly]] argument
|
||||
applies hardest here: an agency that has relied on a FedRAMP-authorized compute
|
||||
provider for five years cannot switch without re-running the entire authorization
|
||||
process with a new provider.
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
:PROPERTIES:
|
||||
:ID: 558154ea-e63a-4c45-998c-26ce8588585b
|
||||
:ID: auto-first-mover-window
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
@@ -12,12 +13,16 @@ dominance before incumbents respond or the market settles on a standard approach
|
||||
|
||||
| Window | Frameworks | Rationale |
|
||||
|--------|-----------|-----------|
|
||||
| **Critical (<12 months)** | [[file:eu-ai-act.org][EU AI Act]] (Aug 2026 effective), [[file:nis2.org][NIS2]] (Oct 2025 deadline), [[file:dora.org][DORA]] (Jan 2025 — already in effect) | Regulation is active or imminent. Buyers are desperate. No established vendor. |
|
||||
| **Wide (12-36 months)** | [[file:dpdp-act.org][DPDP Act]] 2023 (rules drafting), India privacy; Privacy Act Review (Australia); [[file:quebec-law-25.org][Quebec Law 25]]; [[file:cra.org][CRA]] phased enforcement | Regulation not yet fully enforced. Rules being written. Market forming. |
|
||||
| **Mature (commodity)** | [[file:gdpr.org][GDPR]] (2018), [[file:sox.org][SOX]] (2002), [[file:hipaa.org][HIPAA]] (1996), [[file:glba.org][GLBA]] (1999), [[file:basel-iii.org][Basel III]] (2010), [[file:fatf.org][FATF]] 40 Recs | Market has established vendors. First-mover advantage requires displacing incumbents via superior architecture. |
|
||||
| **Latent (undiscovered)** | [[file:oecd.org][OECD]] AI Principles, UN/CEFACT, [[file:world-bank-esf.org][World Bank ESF]], [[file:ifc-ps.org][IFC PS]] | Compliance exists but is document-based or consultant-delivered. No software market has formed. The first gate package creates the category. |
|
||||
| **Critical (<12 months)** | [[id:06fcdb02-2643-4f9d-ab41-e711a99cc390][EU AI Act]] (Aug 2026 effective), [[id:748db16a-1382-4e5e-8812-a5d57a8de131][NIS2]] (Oct 2025 deadline), [[id:717ef2df-2a80-4362-b23a-5e7e12554251][DORA]] (Jan 2025 — already in effect) | Regulation is active or imminent. Buyers are desperate. No established vendor. |
|
||||
| **Wide (12-36 months)** | [[id:fed19a24-ad81-4837-a12b-dafbd3ec110a][DPDP Act]] 2023 (rules drafting), India privacy; Privacy Act Review (Australia); [[id:f6a0c00e-e922-44af-99ce-6412c4b73745][Quebec Law 25]]; [[id:ce81fefc-b7a8-4be5-912f-55fd30970b6e][CRA]] phased enforcement | Regulation not yet fully enforced. Rules being written. Market forming. |
|
||||
| **Mature (commodity)** | [[id:513d5996-4ac7-4567-a992-18fc01599104][GDPR]] (2018), [[id:c9830152-0160-4bdc-ab03-6f308ad43536][SOX]] (2002), [[id:84fb5f8f-0527-4df0-b6b6-dbf3bcff8a7f][HIPAA]] (1996), [[id:4a2bc62b-3f21-4212-9cd9-f9add8fc0be1][GLBA]] (1999), [[id:4eef0993-6671-41cf-ba20-d1443a3ec49d][Basel III]] (2010), [[id:03ebdb80-a9af-4e76-a443-8556424996ed][FATF]] 40 Recs | Market has established vendors. First-mover advantage requires displacing incumbents via superior architecture. |
|
||||
| **Latent (undiscovered)** | [[id:022109ad-f031-44c4-8ea0-0b3c9402ca90][OECD]] AI Principles, [[id:6a5884c8-e9b5-477e-bbf6-aa9ffd967739][UN/CEFACT]], [[id:177aad72-5626-444d-a2e4-af8e1263b125][World Bank ESF]], [[id:68c55deb-72bf-4b15-ac28-bcc792057543][IFC PS]] | Compliance exists but is document-based or consultant-delivered. No software market has formed. The first gate package creates the category. |
|
||||
|
||||
|
||||
|
||||
See also: [[file:compliance-index.org][Compliance index]], [[file:revenue-table.org][Revenue table]],
|
||||
[[file:../../ideas/verification-appliance.org][[[file:../verification-appliance.org][Verification appliance]]]], [[file:../../ideas/verification-monopoly.org][[[file:../verification-monopoly.org][Verification monopoly]]]]
|
||||
These windows define which frameworks are worth building a gate package for
|
||||
first. The [[id:e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c][compliance index]] maps each to a
|
||||
[[id:84a537b4-4256-50c8-91f5-dd5b4538418f][verification appliance]] gate package, and the
|
||||
[[id:81a815ee-bf2b-4365-9894-b814e4196850][revenue table]] sizes the market. The
|
||||
[[id:827bc546-e887-5b7c-9b65-6392beaf0920][verification monopoly]] dynamics determine which window to enter
|
||||
first.
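Review bot: in the Wide row, "Privacy Act Review (Australia)" stays plain text although the Privacy Act node exists (id:834689e9-be0a-4822-9085-9b6b22294fd2 in the compliance index), leaving it the one framework in this table without a link; link it like its neighbours. Minor: the three blank lines between the table and the new paragraph could be collapsed to one.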
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
:PROPERTIES:
|
||||
:ID: 513d5996-4ac7-4567-a992-18fc01599104
|
||||
:ID: auto-gdpr
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
@@ -44,11 +45,11 @@ GDPR is the most extraterritorial and aggressively enforced privacy framework.
|
||||
The gate stack's principle of least privilege maps naturally to GDPR's data
|
||||
minimization requirement. Every data access is gated by a verified rule that
|
||||
states the purpose — the proof log is a built-in DPIA artifact. For the
|
||||
[[file:compute-marketplace.org][compute marketplace]]: a provider processing proofs on EU users' gate data must
|
||||
[[id:3c6b0449-a8fb-5b89-b82a-34efb21ef5b5][compute marketplace]]: a provider processing proofs on EU users' gate data must
|
||||
maintain DPAs with all clients. Proof logs themselves may constitute personal
|
||||
data if they reference natural persons (names in access rules, etc.), creating
|
||||
a demand for privacy-preserving proof techniques. This is why the
|
||||
[[file:domain-gate-packages.org][GDPR gate package]] includes data-processing agreement templates and
|
||||
[[id:c34940cc-090e-57c4-8020-e78b1d32b96c][GDPR gate package]] includes data-processing agreement templates and
|
||||
purpose-boundary gate rules that are independently verified by the provider's
|
||||
[[file:evaluation-harness.org][evaluation harness]].
|
||||
[[id:45258a2d-1675-562c-9024-5d1eb2f1ea56][evaluation harness]].
|
||||
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
:PROPERTIES:
|
||||
:ID: 4a2bc62b-3f21-4212-9cd9-f9add8fc0be1
|
||||
:ID: auto-glba
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
@@ -19,5 +20,5 @@ and directors personally liable.
|
||||
Why it matters: The Safeguards Rule maps directly to gate stack access controls.
|
||||
Every NPI access is gated; the proof log is the security program's evidence.
|
||||
First-mover advantage is narrow (GLBA is well-understood) but the market is
|
||||
large because every financial institution that dodges [[file:hipaa.org][HIPAA]] still faces GLBA.
|
||||
large because every financial institution that dodges [[id:84fb5f8f-0527-4df0-b6b6-dbf3bcff8a7f][HIPAA]] still faces GLBA.
|
||||
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
:PROPERTIES:
|
||||
:ID: 84fb5f8f-0527-4df0-b6b6-dbf3bcff8a7f
|
||||
:ID: auto-hipaa
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
@@ -34,11 +35,11 @@ imprisonment). State AGs can also bring civil actions.
|
||||
** Why it matters for the triad
|
||||
|
||||
HIPAA is the largest single compliance market in US healthcare — every hospital,
|
||||
clinic, insurer, and health-tech vendor must comply. The [[file:domain-gate-packages.org][HIPAA gate package]]
|
||||
clinic, insurer, and health-tech vendor must comply. The [[id:c34940cc-090e-57c4-8020-e78b1d32b96c][HIPAA gate package]]
|
||||
($50K/yr) encodes the Privacy Rule and Security Rule as ACL2-verifiable gate
|
||||
constraints. Every PHI access attempt passes through the gate stack, producing
|
||||
a machine-checkable audit trail that satisfies the Security Rule's audit control
|
||||
requirement automatically. No separate logging infrastructure needed. Over a
|
||||
five-year deployment, the accumulated fact store and proof history create
|
||||
[[file:infrastructure-lock-in.org][infrastructure lock-in]] — switching to a competitor means discarding all of it.
|
||||
[[id:2f783eb4-638e-5afa-9b59-6224d086a712][infrastructure lock-in]] — switching to a competitor means discarding all of it.
|
||||
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
:PROPERTIES:
|
||||
:ID: 68c55deb-72bf-4b15-ac28-bcc792057543
|
||||
:ID: auto-ifc-ps
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
@@ -15,7 +16,7 @@ disbursement unless ESS5 resettlement plan is verified complete." First-mover
|
||||
advantage: World Bank compliance is entirely document-based (reports, audits,
|
||||
site visits). A verified gate system is unprecedented.
|
||||
|
||||
** IFC Performance Standards (PS)
|
||||
** [[id:fc736aec-ef53-4759-9787-62bc8deea2e7][IFC Performance Standards]] (PS)
|
||||
|
||||
International Finance Corporation's standards for environmental and social
|
||||
sustainability in private sector investment. Eight standards: PS1 (risk
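Review bot: the heading link targets the wrong node. fc736aec-ef53-4759-9787-62bc8deea2e7 is the IFRS 17 ID (see the ifrs.org drawer and the index entry), whereas IFC PS is 68c55deb-72bf-4b15-ac28-bcc792057543, the ID of this very file. A heading does not need a link to its own node, so drop it; if a cross-reference to IFRS was intended, make it in prose. Separately, the lines above the heading are World Bank ESF text ("World Bank compliance is entirely document-based", the ESS5 disbursement context in the hunk header), so this file still carries a copy of what world-bank-esf.org (id:177aad72-5626-444d-a2e4-af8e1263b125) now owns.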
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
:PROPERTIES:
|
||||
:ID: fc736aec-ef53-4759-9787-62bc8deea2e7
|
||||
:ID: auto-ifrs
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
@@ -23,4 +24,6 @@ most rule-complex — requiring actuarial models, expected credit loss calculati
|
||||
and contract classification algorithms.
|
||||
|
||||
Who must comply: Publicly listed companies in 166 jurisdictions including the
|
||||
EU, UK, Japan, Australia, Canada (2024), Brazil, India, South Korea, and most
|
||||
EU, UK, Japan, Australia, Canada (2024), Brazil, India, South Korea, and most of Asia. IFRS 17 alone affects 5K+ insurers with complex actuarial compliance requirements that no automated verification solution currently addresses.
|
||||
|
||||
Part of the [[id:e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c][compliance framework index]].
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
:PROPERTIES:
|
||||
:ID: 7f46764b-47b8-4892-a526-2c1b9ee6e6df
|
||||
:ID: auto-irap
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
@@ -9,14 +10,14 @@
|
||||
** IRAP (Infosec Registered Assessors Program)
|
||||
|
||||
Australian government's cloud security assessment program — analogous to
|
||||
[[file:fedramp.org][FedRAMP]]. Cloud services used by Australian government agencies must have an
|
||||
[[id:e6993701-3c67-49bf-82f3-06907572cbf3][FedRAMP]]. Cloud services used by Australian government agencies must have an
|
||||
IRAP assessment. Managed by the Australian Cyber Security Centre (ACSC).
|
||||
Assessment levels: Protected (highest), Secret (top secret), Unclassified DLM.
|
||||
|
||||
Who must comply: Cloud providers selling to Australian federal, state, and
|
||||
local government agencies. Also critical infrastructure providers.
|
||||
|
||||
Why it matters: Like FedRAMP and [[file:ismap.org][ISMAP]], IRAP is a procurement gate. An IRAP
|
||||
Why it matters: Like FedRAMP and [[id:085b76cc-4a65-4660-9c70-85aee10ca99e][ISMAP]], IRAP is a procurement gate. An IRAP
|
||||
Protected-level assessment is expensive and takes 6-12 months. First-mover
|
||||
advantage: the gate stack's deterministic audit trail can be the primary
|
||||
evidence artifact, reducing assessment scope/cost.
@@ -1,16 +1,17 @@
:PROPERTIES:
:ID: 085b76cc-4a65-4660-9c70-85aee10ca99e
:ID: auto-ismap
:CREATED: [2026-05-23 Sat]
:END:
#+title: ISMAP (Government Security Framework — Japan)
#+filetags: :passepartout:compliance:framework:ismap:
is moderate — few non-Japanese vendors target [[file:appi.org][APPI]] specifically, and the 2022
is moderate — few non-Japanese vendors target [[id:b852ec69-0fc2-435c-ae1e-6b83e49b3ca3][APPI]] specifically, and the 2022
amendments added requirements that created compliance gaps.
** ISMAP (Government Information System Security Management and Assessment Program)
Japan's government cloud security program — analogous to [[file:fedramp.org][FedRAMP]]. Cloud services
Japan's government cloud security program — analogous to [[id:e6993701-3c67-49bf-82f3-06907572cbf3][FedRAMP]]. Cloud services
used by Japanese government agencies must be ISMAP-authorized. Managed by the
Digital Agency and the Information-technology Promotion Agency (IPA).
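Review bot: the lines at the top of this hunk ("is moderate — few non-Japanese vendors target APPI specifically, and the 2022 amendments added requirements that created compliance gaps.") are the tail of the APPI entry sitting above the `** ISMAP` heading in the ISMAP file, and the rewrite of the `[[file:appi.org][APPI]]` link on that line preserves mis-split text instead of removing it. The split boundary is off by a paragraph here (the APPI file's own hunk already ends with this sentence), so delete the stray lines rather than relinking them, and have the splitter assert that each output file starts at its own `#+title:`/heading with nothing before it.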
@@ -18,7 +19,7 @@ Who must comply: Cloud service providers selling to Japanese national and local
government agencies.
Why it matters: Like FedRAMP, ISMAP is a procurement gate. Authorization is
time-consuming and expensive. A [[file:../compute-marketplace.org][compute marketplace]] provider with ISMAP
time-consuming and expensive. A [[id:3c6b0449-a8fb-5b89-b82a-34efb21ef5b5][compute marketplace]] provider with ISMAP
authorization has exclusive access to the Japanese government market. First-mover
advantage is significant — as of 2025, fewer than 100 services are ISMAP-registered.
@@ -1,4 +1,5 @@
:PROPERTIES:
:ID: e2ab887d-9f28-4da6-8388-e6c035e9d9c5
:ID: auto-iso-27001
:CREATED: [2026-05-23 Sat]
:END:
@@ -27,5 +28,5 @@ A.16 incident management, A.18 compliance). First-mover advantage: the ISO
binders). A gate stack that produces audit evidence automatically is not
competing with other software — it is competing with binders.
** ISO 27701 (Privacy Information Management — PIMS extension to ISO 27001)
** [[id:748b0cc7-7f42-49fb-8ee3-1ae49048a178][ISO 27701]] (Privacy Information Management — PIMS extension to ISO 27001)
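Review bot: the `** ISO 27701 (...)` heading at the end of this file is the opening of the next framework's section left behind by the split, and the hunk turns it into a link rather than removing it, so the ISO 27001 file now ends with an empty section whose only content is the ISO 27701 node's title. The same stray trailing heading is converted instead of deleted in iso-27701 (Basel III), nis2 (EU AI Act), privacy-act-aus (APRA CPS 234), sox (GLBA) and uk-gdpr (NIS2). Either drop these headings or turn each into a one-line sentence in the body ("Related: [[id:...][ISO 27701]] extends this standard for privacy management"), which is what the commit message says was done for the other See-also blocks.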
@@ -1,4 +1,5 @@
:PROPERTIES:
:ID: 748b0cc7-7f42-49fb-8ee3-1ae49048a178
:ID: auto-iso-27701
:CREATED: [2026-05-23 Sat]
:END:
@@ -6,8 +7,8 @@
#+filetags: :passepartout:compliance:framework:iso:
International standard extending [[file:iso-27001.org][ISO 27001]] for privacy information management.
Aligns with [[file:gdpr.org][GDPR]] requirements. Provides a framework for PII (personally
International standard extending [[id:e2ab887d-9f28-4da6-8388-e6c035e9d9c5][ISO 27001]] for privacy information management.
Aligns with [[id:513d5996-4ac7-4567-a992-18fc01599104][GDPR]] requirements. Provides a framework for PII (personally
identifiable information) controllers and processors.
Why it matters: ISO 27701 bridges information security and privacy compliance.
@@ -17,4 +18,4 @@ both standards from the same infrastructure. First-mover advantage: adoption is
growing but still low (~1,000 certifications). Early gate package captures the
growth market.
** Basel III (Bank for International Settlements — Basel Committee)
** [[id:4eef0993-6671-41cf-ba20-d1443a3ec49d][Basel III (Bank for International Settlements — Basel Committee)]]
@@ -1,4 +1,5 @@
:PROPERTIES:
:ID: bafdaa23-de0b-444c-9151-c87ac65add32
:ID: auto-lfp-dppp
:CREATED: [2026-05-23 Sat]
:END:
@@ -20,5 +21,5 @@ Why it matters: USMCA (US-Mexico-Canada Agreement) trade obligations are
pushing toward privacy regime interoperability. A bilingual (Spanish/English)
gate package covering both LFPDPPP and US frameworks serves the massive
US-Mexico cross-border commerce market. First-mover advantage: LFPDPPP is
less automated than [[file:gdpr.org][GDPR]]; the market has fewer vendors and lower expectations.
less automated than [[id:513d5996-4ac7-4567-a992-18fc01599104][GDPR]]; the market has fewer vendors and lower expectations.
@@ -1,4 +1,5 @@
:PROPERTIES:
:ID: c871a9f4-dd53-4e93-aa50-6acf0c606a9b
:ID: auto-lgpd
:CREATED: [2026-05-23 Sat]
:END:
@@ -7,7 +8,7 @@
Brazil's comprehensive privacy law (effective 2020, fines effective 2023).
Modeled on [[file:gdpr.org][GDPR]] but with differences: LGPD defines "data processing agents"
Modeled on [[id:513d5996-4ac7-4567-a992-18fc01599104][GDPR]] but with differences: LGPD defines "data processing agents"
(controller and operator), requires appointment of DPO (data protection officer),
mandates breach notification to ANPD (National Data Protection Authority) and
affected data subjects. 10 legal bases for processing (vs 6 in GDPR).
@@ -1,4 +1,5 @@
:PROPERTIES:
:ID: 748db16a-1382-4e5e-8812-a5d57a8de131
:ID: auto-nis2
:CREATED: [2026-05-23 Sat]
:END:
@@ -31,4 +32,4 @@ advantage is urgent — the transposition deadline is October 2025 (17 months).
Organizations need gate packages now. No competitor has a declarative gate
model that maps to NIS2 requirements. $50K/yr NIS2 gate package is a fast sell.
** EU AI Act
** [[id:06fcdb02-2643-4f9d-ab41-e711a99cc390][EU AI Act]]
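Review bot: the context lines "First-mover advantage is urgent — the transposition deadline is October 2025 (17 months). Organizations need gate packages now." are stale against the `:CREATED: [2026-05-23 Sat]` timestamp this commit sets on the file: by the file's own date the October 2025 deadline is in the past and "17 months" is wrong. Since the sweep is rewriting this file anyway, update the timing argument (the window is now post-transposition enforcement, not pre-deadline scramble) rather than only linking the EU AI Act heading; otherwise the "urgent" rating in the first-mover analysis is anchored on a date that has already passed.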
@@ -1,4 +1,5 @@
:PROPERTIES:
:ID: 581666ba-f72c-406b-8556-93876d2b30bf
:ID: auto-ny-dfs-500
:CREATED: [2026-05-23 Sat]
:END:
@@ -23,3 +24,4 @@ verifiable evidence of control effectiveness — exactly what the gate stack
produces. First-mover advantage is significant (few vendors target NY DFS 500
specifically) and the regulation is a template that other states are adopting.
Part of the [[id:e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c][compliance framework index]].
@@ -1,4 +1,5 @@
:PROPERTIES:
:ID: 022109ad-f031-44c4-8ea0-0b3c9402ca90
:ID: auto-oecd
:CREATED: [2026-05-23 Sat]
:END:
@@ -17,7 +18,7 @@ approach.
OECD Privacy Guidelines (revised 2013): Eight principles — collection limitation,
data quality, purpose specification, use limitation, security safeguards,
openness, individual participation, accountability. Non-binding but foundational
— the basis for [[file:gdpr.org][GDPR]], [[file:appi.org][APPI]], [[file:lgpd.org][LGPD]], and most other privacy laws.
— the basis for [[id:513d5996-4ac7-4567-a992-18fc01599104][GDPR]], [[id:b852ec69-0fc2-435c-ae1e-6b83e49b3ca3][APPI]], [[id:c871a9f4-dd53-4e93-aa50-6acf0c606a9b][LGPD]], and most other privacy laws.
OECD AI Principles (adopted 2019, updated 2024): Five values-based principles
— inclusive growth and well-being, human-centered values and fairness,
@@ -1,4 +1,5 @@
:PROPERTIES:
:ID: e777064d-9950-42d5-980d-8c78cda91500
:ID: auto-pipa
:CREATED: [2026-05-23 Sat]
:END:
@@ -21,7 +22,7 @@ against major tech companies. Class action lawsuits permitted.
Who must comply: Any organization handling personal information of South Korean
residents. Extraterritorial scope is broad and actively enforced.
Why it matters: PIPA is structurally similar to [[file:gdpr.org][GDPR]] but with stricter
Why it matters: PIPA is structurally similar to [[id:513d5996-4ac7-4567-a992-18fc01599104][GDPR]] but with stricter
enforcement and higher penalties relative to market size. The gate stack's
purpose-boundary gates map directly to PIPA's purpose limitation requirement.
First-mover advantage is large — PIPA has fewer compliance automation vendors
@@ -1,4 +1,5 @@
:PROPERTIES:
:ID: 834689e9-be0a-4822-9085-9b6b22294fd2
:ID: auto-privacy-act-aus
:CREATED: [2026-05-23 Sat]
:END:
@@ -27,4 +28,4 @@ most defensible transparency artifact available. First-mover advantage: the
reforms are being legislated now; early adoption positions the gate stack as
the reference implementation.
** APRA CPS 234 (Prudential Standard — Information Security)
** [[id:904f5f12-ec9a-4cbf-854a-0b9b1e11a521][APRA CPS 234 (Prudential Standard — Information Security)]]
@@ -1,4 +1,5 @@
:PROPERTIES:
:ID: f6a0c00e-e922-44af-99ce-6412c4b73745
:ID: auto-quebec-law-25
:CREATED: [2026-05-23 Sat]
:END:
@@ -13,7 +14,7 @@ verifiable audit trail — they are all document-based.
** Canadian provincial privacy (Quebec Law 25, Ontario PHIPA)
Quebec Law 25 (2023-2024 phased) is Canada's most aggressive privacy
regulation — closer to [[file:gdpr.org][GDPR]] than PIPEDA. Requires: privacy officer appointment,
regulation — closer to [[id:513d5996-4ac7-4567-a992-18fc01599104][GDPR]] than PIPEDA. Requires: privacy officer appointment,
privacy impact assessments, consent modernization, data portability, right to
de-index, algorithm transparency (automated decision-making disclosures).
Penalties up to $25M CAD or 4% of global revenue.
@@ -1,4 +1,5 @@
:PROPERTIES:
:ID: 81a815ee-bf2b-4365-9894-b814e4196850
:ID: auto-revenue-table
:CREATED: [2026-05-23 Sat]
:END:
@@ -9,39 +10,39 @@
| Framework | Region | Gate price/yr | Addressable orgs | Revenue potential | First-mover window | Gate rule type |
|-----------|--------|--------------|------------------|-------------------|---------------------|----------------|
| [[file:hipaa.org][HIPAA]] | US | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + access control |
| [[id:84fb5f8f-0527-4df0-b6b6-dbf3bcff8a7f][HIPAA]] | US | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + access control |
| SOC 2 | US/Global | $50K | 100K+ | $5B | Mature (incumbent disruption) | Access control + audit |
| [[file:gdpr.org][GDPR]] | EU | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + consent |
| [[file:fedramp.org][FedRAMP]] | US | $100K | 1K (providers) | $100M | Moderate (<300 authorized) | Continuous monitoring |
| [[file:sox.org][SOX]] | US | $50K | 10K | $500M | Mature (manual audit disruption) | Financial controls |
| [[file:glba.org][GLBA]] | US | $40K | 20K | $800M | Moderate | Financial privacy |
| [[file:ny-dfs-500.org][NY DFS 500]] | US (NY) | $30K | 3K | $90M | Wide | Cybersecurity controls |
| CCPA/CPRA | US (CA) | $40K | 50K+ | $2B | Moderate | Privacy opt-out flows |
| [[file:nis2.org][NIS2]] | EU | $50K | 160K | $8B | Critical (2025) | Cybersecurity + supply chain |
| [[file:eu-ai-act.org][EU AI Act]] | EU | $75K | 100K+ | $7.5B | Critical (Aug 2026) | AI risk management |
| [[file:dora.org][DORA]] | EU | $50K | 22K+ | $1.1B | Critical (in effect) | ICT resilience |
| eIDAS 2.0 | EU | $30K | 10K+ | $300M | Wide (wallet buildout) | Identity gates |
| [[file:cra.org][CRA]] | EU | $40K | 50K+ | $2B | Wide (phased 2025-2027) | Product security |
| [[file:uk-gdpr.org][UK GDPR]] | UK | $40K | 100K+ | $4B | Mature (GDPR derivative) | Privacy |
| [[file:appi.org][APPI]] | Japan | $40K | 100K+ | $4B | Moderate | Cross-border privacy |
| [[file:ismap.org][ISMAP]] | Japan | $75K | 500 (providers) | $37.5M | Wide (<100 registered) | Gov cloud assessment |
| [[file:pipa.org][PIPA]] | South Korea | $35K | 50K+ | $1.75B | Wide (2024 amendments settling) | Privacy + consent |
| [[id:513d5996-4ac7-4567-a992-18fc01599104][GDPR]] | EU | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + consent |
| [[id:e6993701-3c67-49bf-82f3-06907572cbf3][FedRAMP]] | US | $100K | 1K (providers) | $100M | Moderate (<300 authorized) | Continuous monitoring |
| [[id:c9830152-0160-4bdc-ab03-6f308ad43536][SOX]] | US | $50K | 10K | $500M | Mature (manual audit disruption) | Financial controls |
| [[id:4a2bc62b-3f21-4212-9cd9-f9add8fc0be1][GLBA]] | US | $40K | 20K | $800M | Moderate | Financial privacy |
| [[id:581666ba-f72c-406b-8556-93876d2b30bf][NY DFS 500]] | US (NY) | $30K | 3K | $90M | Wide | Cybersecurity controls |
| [[id:87996d87-100c-4bf6-8546-a860b9d7c25b][CCPA/CPRA]] | US (CA) | $40K | 50K+ | $2B | Moderate | Privacy opt-out flows |
| [[id:748db16a-1382-4e5e-8812-a5d57a8de131][NIS2]] | EU | $50K | 160K | $8B | Critical (2025) | Cybersecurity + supply chain |
| [[id:06fcdb02-2643-4f9d-ab41-e711a99cc390][EU AI Act]] | EU | $75K | 100K+ | $7.5B | Critical (Aug 2026) | AI risk management |
| [[id:717ef2df-2a80-4362-b23a-5e7e12554251][DORA]] | EU | $50K | 22K+ | $1.1B | Critical (in effect) | ICT resilience |
| [[id:b8cf51e8-5f39-49ad-9547-a792a2e446aa][eIDAS 2.0]] | EU | $30K | 10K+ | $300M | Wide (wallet buildout) | Identity gates |
| [[id:ce81fefc-b7a8-4be5-912f-55fd30970b6e][CRA]] | EU | $40K | 50K+ | $2B | Wide (phased 2025-2027) | Product security |
| [[id:9bc29937-d59a-4ae4-9623-3d17a1fe6ebb][UK GDPR]] | UK | $40K | 100K+ | $4B | Mature (GDPR derivative) | Privacy |
| [[id:b852ec69-0fc2-435c-ae1e-6b83e49b3ca3][APPI]] | Japan | $40K | 100K+ | $4B | Moderate | Cross-border privacy |
| [[id:085b76cc-4a65-4660-9c70-85aee10ca99e][ISMAP]] | Japan | $75K | 500 (providers) | $37.5M | Wide (<100 registered) | Gov cloud assessment |
| [[id:e777064d-9950-42d5-980d-8c78cda91500][PIPA]] | South Korea | $35K | 50K+ | $1.75B | Wide (2024 amendments settling) | Privacy + consent |
| Privacy Act | Australia | $35K | 50K+ | $1.75B | Wide (reforms legislating) | Privacy + AI transparency |
| [[file:apra-cps-234.org][APRA CPS 234]] | Australia | $40K | 500 | $20M | Moderate | Info security controls |
| [[file:irap.org][IRAP]] | Australia | $75K | 300 (providers) | $22.5M | Wide | Gov cloud assessment |
| [[file:dpdp-act.org][DPDP Act]] | India | $30K | 500K+ | $15B | Wide (rules drafting) | Privacy + consent |
| [[file:lgpd.org][LGPD]] | Brazil | $30K | 200K+ | $6B | Moderate | Privacy |
| LFPDPPP | Mexico | $25K | 50K+ | $1.25B | Wide | Privacy |
| [[file:iso-27001.org][ISO 27001]] | Global | $40K | 60K+ | $2.4B | Mature (manual disruption) | ISMS controls |
| [[file:iso-27701.org][ISO 27701]] | Global | $35K | 1K+ | $35M | Wide (growing) | Privacy management |
| [[file:basel-iii.org][Basel III]] | Global (banking) | $100K | 500 (G-SIBs) | $50M | Mature (incumbent disruption) | Capital adequacy |
| [[file:fatf.org][FATF]] AML/CFT | Global | $50K | 50K+ | $2.5B | Mature (incumbent disruption) | CDD + screening |
| [[file:ifrs.org][IFRS]] 17 | Global (insurance) | $75K | 5K+ | $375M | Mature (actuarial verification) | Contract classification |
| UN/CEFACT | Global (trade) | $30K | 50K+ | $1.5B | Latent (no market exists) | Cross-border data rules |
| [[file:world-bank-esf.org][World Bank ESF]] | Global (dev finance) | $50K | 1K+ (projects) | $50M | Latent (no market exists) | ES compliance gates |
| [[file:ifc-ps.org][IFC PS]] | Global (project finance) | $50K | 500+ (deals) | $25M | Latent (no market exists) | ES compliance gates |
| [[id:904f5f12-ec9a-4cbf-854a-0b9b1e11a521][APRA CPS 234]] | Australia | $40K | 500 | $20M | Moderate | Info security controls |
| [[id:7f46764b-47b8-4892-a526-2c1b9ee6e6df][IRAP]] | Australia | $75K | 300 (providers) | $22.5M | Wide | Gov cloud assessment |
| [[id:fed19a24-ad81-4837-a12b-dafbd3ec110a][DPDP Act]] | India | $30K | 500K+ | $15B | Wide (rules drafting) | Privacy + consent |
| [[id:c871a9f4-dd53-4e93-aa50-6acf0c606a9b][LGPD]] | Brazil | $30K | 200K+ | $6B | Moderate | Privacy |
| [[id:bafdaa23-de0b-444c-9151-c87ac65add32][LFPDPPP]] | Mexico | $25K | 50K+ | $1.25B | Wide | Privacy |
| [[id:e2ab887d-9f28-4da6-8388-e6c035e9d9c5][ISO 27001]] | Global | $40K | 60K+ | $2.4B | Mature (manual disruption) | ISMS controls |
| [[id:748b0cc7-7f42-49fb-8ee3-1ae49048a178][ISO 27701]] | Global | $35K | 1K+ | $35M | Wide (growing) | Privacy management |
| [[id:4eef0993-6671-41cf-ba20-d1443a3ec49d][Basel III]] | Global (banking) | $100K | 500 (G-SIBs) | $50M | Mature (incumbent disruption) | Capital adequacy |
| [[id:03ebdb80-a9af-4e76-a443-8556424996ed][FATF]] AML/CFT | Global | $50K | 50K+ | $2.5B | Mature (incumbent disruption) | CDD + screening |
| [[id:fc736aec-ef53-4759-9787-62bc8deea2e7][IFRS]] 17 | Global (insurance) | $75K | 5K+ | $375M | Mature (actuarial verification) | Contract classification |
| [[id:6a5884c8-e9b5-477e-bbf6-aa9ffd967739][UN/CEFACT]] | Global (trade) | $30K | 50K+ | $1.5B | Latent (no market exists) | Cross-border data rules |
| [[id:177aad72-5626-444d-a2e4-af8e1263b125][World Bank ESF]] | Global (dev finance) | $50K | 1K+ (projects) | $50M | Latent (no market exists) | ES compliance gates |
| [[id:68c55deb-72bf-4b15-ac28-bcc792057543][IFC PS]] | Global (project finance) | $50K | 500+ (deals) | $25M | Latent (no market exists) | ES compliance gates |
A [[file:../compute-marketplace.org][compute marketplace]] provider with authorization in 5+ frameworks (FedRAMP +
A [[id:3c6b0449-a8fb-5b89-b82a-34efb21ef5b5][compute marketplace]] provider with authorization in 5+ frameworks (FedRAMP +
ISMAP + IRAP + SOC 2 + ISO 27001) becomes the default infrastructure provider
for regulated cloud globally. The gate package portfolio alone — a mid-size
enterprise running 10+ packages — generates $500K/yr+ in recurring revenue.
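Review bot: two rows in the rewritten table were left without links although their target nodes are created in this same commit: `| SOC 2 | US/Global | $50K | ...` should link the soc2 node (ID ed65031c-cbd2-4ad2-bd53-a67791e183cd) and `| Privacy Act | Australia | $35K | ...` the privacy-act-aus node (ID 834689e9-be0a-4822-9085-9b6b22294fd2), given that CCPA/CPRA, eIDAS 2.0, LFPDPPP and UN/CEFACT, which had no `file:` link before, did get `id:` links here. A second, smaller point: "Revenue potential" is price × addressable orgs in every row (500K+ × $50K = $25B, 300 × $75K = $22.5M, and so on), i.e. a TAM at 100% share; renaming the column accordingly would stop the "$5B/yr" sentence below the table from reading as a forecast.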
@@ -56,5 +57,11 @@ for regulated cloud globally. The gate package portfolio alone — a mid-size
enterprise running 10+ packages — generates $500K/yr+ in recurring revenue.
At 10,000 such enterprises: $5B/yr.
See also: [[file:compliance-index.org][Compliance index]], [[file:first-mover-window.org][First-mover window analysis]],
[[file:../../ideas/verification-monopoly.org][[[file:../verification-monopoly.org][Verification monopoly]]]], [[file:../../ideas/compute-marketplace.org][Compute marketplace]]
A compute marketplace provider with authorization in 5+ frameworks (FedRAMP +
ISMAP + IRAP + SOC 2 + ISO 27001) becomes the default infrastructure provider
for regulated cloud globally. The gate package portfolio alone — a mid-size
enterprise running 10+ packages — generates $500K/yr+ in recurring revenue.
At 10,000 such enterprises: $5B/yr. See the [[id:e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c][compliance index]] for the full
framework list, [[id:558154ea-e63a-4c45-998c-26ce8588585b][first-mover window analysis]] for timing strategy, and
[[id:827bc546-e887-5b7c-9b65-6392beaf0920][verification monopoly]] and [[id:3c6b0449-a8fb-5b89-b82a-34efb21ef5b5][compute marketplace]] for the economic dynamics
behind the revenue.
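Review bot: the inlined "See also" replacement duplicates the paragraph immediately above it. "A compute marketplace provider with authorization in 5+ frameworks (FedRAMP + ISMAP + IRAP + SOC 2 + ISO 27001) ... At 10,000 such enterprises: $5B/yr." now appears twice in the file, first with the linked compute marketplace (unchanged context of the previous hunk) and again, unlinked, in the lines added here (old 5 lines became 11). Keep the original paragraph and append only the sentence beginning "See the compliance index for the full framework list ...". Separately, one of the removed lines was a doubly wrapped link, `[[file:../../ideas/verification-monopoly.org][[[file:../verification-monopoly.org][Verification monopoly]]]]`; a grep for `[[[[` and `]]]]` across the KB would confirm no other file carries the same mangling that the rewriter would silently turn into a nested `id:` link.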
@@ -1,4 +1,5 @@
:PROPERTIES:
:ID: ed65031c-cbd2-4ad2-bd53-a67791e183cd
:ID: auto-soc2
:CREATED: [2026-05-23 Sat]
:END:
@@ -42,12 +43,12 @@ enterprise customers. Misrepresentation of certification status is fraud.
** Why it matters for the triad
SOC 2 is the entry-level certification for the [[file:compute-marketplace.org][compute marketplace]]. A provider
SOC 2 is the entry-level certification for the [[id:3c6b0449-a8fb-5b89-b82a-34efb21ef5b5][compute marketplace]]. A provider
needs SOC 2 Type II to sell compute to enterprises whose procurement policy
requires audited vendors. The gate stack itself maps directly to the Security
criterion (access controls, audit trails) — the Passepartout instance's
criterion (access controls, audit trails) — the [[id:28c46769-c14b-42aa-ac7a-69d310157f8f][Passepartout]] instance's
deterministic gate log serves as the evidence artifact for the audit. No
separate logging SIEM needed. This is the prerequisite to the larger
[[file:verification-monopoly.org][verification monopoly]] play — once enterprises trust the audit trail, they
[[id:827bc546-e887-5b7c-9b65-6392beaf0920][verification monopoly]] play — once enterprises trust the audit trail, they
buy domain-specific gate packages for the same infrastructure.
@@ -1,4 +1,5 @@
:PROPERTIES:
:ID: c9830152-0160-4bdc-ab03-6f308ad43536
:ID: auto-sox
:CREATED: [2026-05-23 Sat]
:END:
@@ -23,5 +24,5 @@ that the external auditor needs for Section 404 attestation. First-mover
advantage: SOX is mature (24 years old) but the audit market is $4B+ and
entirely manual — no competitor has automated the evidence pipeline.
** GLBA (Gramm-Leach-Bliley Act)
** [[id:4a2bc62b-3f21-4212-9cd9-f9add8fc0be1][GLBA (Gramm-Leach-Bliley Act)]]
@@ -1,12 +1,13 @@
:PROPERTIES:
:ID: auto-uk-[[file:gdpr.org][gdpr]]
:ID: 9bc29937-d59a-4ae4-9623-3d17a1fe6ebb
:ID: auto-uk-[[id:513d5996-4ac7-4567-a992-18fc01599104][gdpr]]
:CREATED: [2026-05-23 Sat]
:END:
#+title: UK GDPR (Post-Brexit Data Protection)
#+filetags: :passepartout:compliance:framework:uk:
Post-Brexit, the UK maintains its own version of GDPR via the Data Protection
Post-Brexit, the UK maintains its own version of [[id:513d5996-4ac7-4567-a992-18fc01599104][GDPR]] via the Data Protection
Act 2018. Substantively identical to EU GDPR but diverging over time. The UK
has announced separate reforms targeting AI and digital identity. ICO (Information
Commissioner's Office) enforces. Maximum fines: 17.5M GBP or 4% of global turnover.
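Review bot: the `file:` → `id:` rewriter ran over a property value here: `:ID: auto-uk-[[file:gdpr.org][gdpr]]` becomes `:ID: auto-uk-[[id:513d5996-4ac7-4567-a992-18fc01599104][gdpr]]`, so the ID string itself still contains an org link, and that line survives as a second `:ID:` beneath the newly added `9bc29937-...` UUID. Replace the whole line with the UUID only, and restrict the rewrite to body text (skip everything between `:PROPERTIES:` and `:END:`, and `#+` keyword lines) so ID and CREATED values are never edited. The fact that the old ID already contained a link suggests an earlier pass made the same mistake; a grep for `:ID:.*\[\[` would show whether any other node is affected.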
@@ -17,5 +18,5 @@ authority → ICO, DPA → equivalent UK contract clauses). The gate stack's ACL
prover can verify that the UK version's rules are consistent with the EU version
(and alert when they diverge). This is a concrete ACL2 application.
** NIS2 (Network and Information Security Directive)
** [[id:748db16a-1382-4e5e-8812-a5d57a8de131][NIS2]] (Network and Information Security Directive)
@@ -1,4 +1,5 @@
:PROPERTIES:
:ID: 6a5884c8-e9b5-477e-bbf6-aa9ffd967739
:ID: auto-un-cefact
:CREATED: [2026-05-23 Sat]
:END:
@@ -8,7 +9,7 @@
EU, UK, Japan, Australia, Canada (2024), Brazil, India, South Korea, and most
of Asia and Africa. The US (GAAP) is the major holdout.
Why it matters: [[file:ifrs.org][IFRS]] 17 and IFRS 9 are algorithmically complex rule sets.
Why it matters: [[id:fc736aec-ef53-4759-9787-62bc8deea2e7][IFRS]] 17 and IFRS 9 are algorithmically complex rule sets.
Getting an actuarial model or credit loss calculation wrong is a financial
reporting error. The gate stack's ACL2 prover can verify that the calculation
implementations match the standard's mathematical requirements. First-mover
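Review bot: the text this hunk relinks ("Who must comply ... The US (GAAP) is the major holdout. Why it matters: IFRS 17 and IFRS 9 are algorithmically complex rule sets ...") is the IFRS entry, not UN/CEFACT, yet it sits in the auto-un-cefact file; the world-bank-esf hunk below likewise carries the OECD AI Principles paragraph ("The OECD frameworks are indirect revenue drivers"), and the ismap file carries the APPI tail. The split assigned paragraphs to the neighbouring file, and rewriting `[[file:ifrs.org][IFRS]]` to an `id:` link here cements the wrong placement (an IFRS node linking to itself from inside the UN/CEFACT node). Move the IFRS paragraph to the IFRS node and the OECD paragraph to the OECD node before relinking, and add a post-split check that no file's body mentions a framework name that matches another file's `#+title:` more often than its own.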
@@ -1,4 +1,5 @@
:PROPERTIES:
:ID: 177aad72-5626-444d-a2e4-af8e1263b125
:ID: auto-world-bank-esf
:CREATED: [2026-05-23 Sat]
:END:
@@ -10,7 +11,7 @@ transparency and explainability, robustness and safety, accountability.
Non-binding but influential — the AI Act, Canada's AIDA, and Japan's AI
guidelines all cite them.
Why it matters: The [[file:oecd.org][OECD]] frameworks are indirect revenue drivers. Regulatory
Why it matters: The [[id:022109ad-f031-44c4-8ea0-0b3c9402ca90][OECD]] frameworks are indirect revenue drivers. Regulatory
alignment with OECD principles is often a procurement requirement for
international organizations and development finance institutions. First-mover
advantage is about standard-setting: the gate package that maps to OECD