diff --git a/ideas/passepartout-economics/compliance-framework-reference.org b/ideas/passepartout-economics/compliance-framework-reference.org index f9d4dec..48ae5a8 100644 --- a/ideas/passepartout-economics/compliance-framework-reference.org +++ b/ideas/passepartout-economics/compliance-framework-reference.org @@ -2,8 +2,8 @@ :ID: e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c :CREATED: [2026-05-23 Sat] :END: -#+title: Compliance Framework Reference — HIPAA, SOC 2, GDPR, FedRAMP -#+filetags: :passepartout:compliance:reference:regulation: +#+title: Compliance Framework Mapping — Global Regulated Industries +#+filetags: :passepartout:compliance:reference:regulation:global:oecd: The verification monopoly and domain gate package revenue streams depend on selling into regulated industries. These industries buy compliance, not software. @@ -194,19 +194,653 @@ applies hardest here: an agency that has relied on a FedRAMP-authorized compute provider for five years cannot switch without re-running the entire authorization process with a new provider. -* What Each Framework Means for Revenue +* US — Financial and Corporate Frameworks -| Framework | Gate package price | What it buys | Buyer | -|-----------|-------------------|--------------|-------| -| HIPAA | $50K/yr | ACL2-encoded Privacy + Security Rules; auto-generated audit trail replaces SIEM | Hospitals, insurers, health-tech | -| SOC 2 | $50K/yr | Gate stack evidence artifacts for Type II auditor; no separate logging | Any B2B SaaS needing enterprise procurement | -| GDPR | $50K/yr | Purpose-bound data access gates; built-in DPIA evidence; DPA templates | Any org with EU data subjects | -| FedRAMP | $100K/yr | Deterministic continuous monitoring; control evidence on every access (not annual) | Federal contractors, defense, critical infra | +** SOX (Sarbanes-Oxley Act) -A single enterprise running all four packages generates $250K/yr in gate -package revenue. With infrastructure lock-in, that grows to $500K-$1M/yr -by year five as the fact store accumulates compliance decisions. +US federal law (2002). Mandates internal controls over financial reporting +(ICFR) for publicly traded companies. Section 404 requires management to assess +and auditors to attest to the effectiveness of internal controls. -See also: [[file:domain-gate-packages.org][Domain gate packages]], [[file:infrastructure-lock-in.org][Infrastructure lock-in]], -[[file:verification-monopoly.org][Verification monopoly]], [[file:compute-marketplace.org][Compute marketplace]], -[[file:evaluation-harness.org][Evaluation harness]], [[file:passepartout-economics.org][Passepartout economics index]] +Who must comply: All US public companies; foreign issuers trading on US exchanges. +~6,000 public companies + foreign filers. + +Penalties: Up to $5M fines and 20 years imprisonment for certifying false +financial statements. CEO and CFO personally liable. + +Why it matters: Every financial control is a gate rule — who can approve a +journal entry, who can release a payment, who can modify a vendor record. The +gate stack encodes these as ACL2-verified rules and produces the audit trail +that the external auditor needs for Section 404 attestation. First-mover +advantage: SOX is mature (24 years old) but the audit market is $4B+ and +entirely manual — no competitor has automated the evidence pipeline. + +** GLBA (Gramm-Leach-Bliley Act) + +US federal law governing financial institutions' handling of nonpublic personal +information (NPI). Requires privacy notices, opt-out rights, and a Safeguards +Rule requiring an information security program. + +Who must comply: Banks, credit unions, insurance companies, securities firms, +financial advisers. ~20,000 institutions. + +Penalties: FTC-enforced. Civil penalties up to $100K per violation; officers +and directors personally liable. + +Why it matters: The Safeguards Rule maps directly to gate stack access controls. +Every NPI access is gated; the proof log is the security program's evidence. +First-mover advantage is narrow (GLBA is well-understood) but the market is +large because every financial institution that dodges HIPAA still faces GLBA. + +** NY DFS 500 (23 NYCRR 500) + +New York State Department of Financial Services cybersecurity regulation for +financial services. The most aggressive US state-level financial cybersecurity +rule. Requires: risk assessment, penetration testing, multi-factor authentication, +incident response plan, annual certification of compliance by the board. + +Who must comply: Any entity regulated by NY DFS — banks, insurers, mortgage +brokers, virtual currency companies operating in New York. ~3,000 institutions. + +Penalties: $200K-$1M per violation; business license revocation possible. + +Why it matters: The annual board certification requirement creates demand for +verifiable evidence of control effectiveness — exactly what the gate stack +produces. First-mover advantage is significant (few vendors target NY DFS 500 +specifically) and the regulation is a template that other states are adopting. + +* US — State Privacy Frameworks + +** CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act) + +California's comprehensive privacy law — the closest US analogue to GDPR. +CPRA (effective 2023) amended and strengthened CCPA. Key rights: right to +know, delete, opt out of sale/sharing, correct inaccurate data, limit use +of sensitive PI. Private right of action for data breaches. + +Who must comply: For-profit businesses with >$25M revenue, or handling >100K +consumer records, or deriving >50% revenue from selling PI. Extraterritorial — +applies to any business collecting CA resident data. + +Penalties: $2,500 per violation (intentional: $7,500). Private right of action +for breaches: $100-$750 per incident per consumer. CPRA created the California +Privacy Protection Agency (CPPA) for enforcement. + +Why it matters: The opt-out/sale/sharing requirements create complex data flow +gate rules. The gate stack can encode "this data flow crosses a CCPA boundary" +and automatically enforce the opt-out at every data access. First-mover +advantage is moderate (many CCPA tools exist) but none provide a deterministic, +verifiable audit trail — they are all document-based. + +** Canadian provincial privacy (Quebec Law 25, Ontario PHIPA) + +Quebec Law 25 (2023-2024 phased) is Canada's most aggressive privacy +regulation — closer to GDPR than PIPEDA. Requires: privacy officer appointment, +privacy impact assessments, consent modernization, data portability, right to +de-index, algorithm transparency (automated decision-making disclosures). +Penalties up to $25M CAD or 4% of global revenue. + +Why it matters: The algorithm transparency requirement is unique — organizations +must disclose how automated decision systems work. The gate stack's ACL2 proof +log is a natural algorithm transparency artifact. First-mover advantage: this +is a new requirement with no established vendor tooling. + +* UK and EU — Additional Frameworks + +** UK GDPR / Data Protection Act 2018 + +Post-Brexit, the UK maintains its own version of GDPR via the Data Protection +Act 2018. Substantively identical to EU GDPR but diverging over time. The UK +has announced separate reforms targeting AI and digital identity. ICO (Information +Commissioner's Office) enforces. Maximum fines: 17.5M GBP or 4% of global turnover. + +Why it matters: UK GDPR is EU GDPR's twin market — any gate package designed +for EU GDPR ports directly with verified translation of terminology (supervisory +authority → ICO, DPA → equivalent UK contract clauses). The gate stack's ACL2 +prover can verify that the UK version's rules are consistent with the EU version +(and alert when they diverge). This is a concrete ACL2 application. + +** NIS2 (Network and Information Security Directive) + +EU directive (effective October 2024, member states transpose by October 2025). +Replaces NIS (2016). Expands scope from 7 sectors to 15, covering: energy, +transport, banking, financial market infrastructure, health, drinking water, +wastewater, digital infrastructure, ICT service management, public administration, +space, postal services, food, chemicals, manufacturing (critical products). + +Key requirements: risk management measures (supply chain security, incident +handling, business continuity), incident notification (24-hour early warning, +72-hour full report), C-level accountability (management can be held personally +liable for non-compliance), supply chain security for critical vendors. + +Who must comply: ~160,000 entities across EU (up from ~30,000 under NIS). +Two tiers: essential (strict) and important (moderate). Extraterritorial — any +organization providing services to EU entities in covered sectors. + +Penalties: Up to 10M EUR or 2% of global turnover (essential entities). Personal +liability for management. + +Why it matters: NIS2 is the largest European cybersecurity mandate ever. +Every requirement maps to a gate rule: supply chain access verification, +incident notification triggers, business continuity approval chains. First-mover +advantage is urgent — the transposition deadline is October 2025 (17 months). +Organizations need gate packages now. No competitor has a declarative gate +model that maps to NIS2 requirements. $50K/yr NIS2 gate package is a fast sell. + +** EU AI Act + +First comprehensive AI regulation globally (effective August 2026). Risk-based +tiers: unacceptable (banned), high-risk (conformity assessment), limited +(transparency), minimal (code of conduct). High-risk systems require: risk +management, data governance, technical documentation, transparency, human +oversight, accuracy/robustness/cybersecurity. Third-party conformity assessment +for some high-risk systems (notified bodies). + +Who must comply: Providers and deployers of AI systems in the EU. Extraterritorial +if the AI system output is used in the EU. Scope covers GPAI (general-purpose AI) +with additional obligations for systemic-risk GPAI. + +Penalties: Up to 35M EUR or 7% of global turnover (higher than GDPR). + +Why it matters: The EU AI Act's conformity assessment requirement creates an +instant certification market. Passepartout's gate stack can serve as the +human oversight and accuracy/robustness infrastructure for any AI system +deployed through it. The [[file:verification-monopoly.org][verification monopoly]] argument applies at maximum +force: an ACL2-verified gate stack is the most defensible approach to AI Act +compliance. First-mover advantage: the regulation takes effect August 2026. +No certification body or tool vendor has an ACL2-based compliance pipeline. +First to market captures the standard-setting role. + +** DORA (Digital Operational Resilience Act) + +EU regulation (effective January 2025) for the financial sector. Requires: +ICT risk management, incident reporting, digital operational resilience testing, +ICT third-party risk management (including contractual access and audit rights +for critical ICT providers), information sharing, threat-led penetration testing +(TLPT) for systemic institutions. + +Who must comply: 22,000+ financial entities in the EU (banks, investment firms, +payment processors, crypto-asset providers, insurance companies). Also ICT +third-party providers deemed critical. + +Penalties: Up to 2% of average daily turnover × number of days breached, or +10M EUR for legal entities. Personal liability for management. + +Why it matters: DORA's third-party risk management requirement is a natural gate +stack use case — every ICT provider access must be gated, logged, and auditable. +TLPT (threat-led penetration testing) maps to the evaluation harness. First-mover +advantage is extremely time-sensitive: DORA is already in effect (January 2025). +Financial institutions are scrambling for compliance tooling. A DORA gate package +at $50K/yr with zero incremental cost per additional user is an immediate sale. + +** eIDAS 2.0 (Electronic Identification, Authentication and Trust Services) + +EU regulation (amended 2024). Creates the EU Digital Identity Wallet — mandatory +for member states to offer, optional for citizens. Requires: qualified electronic +signatures/seals/timestamps, qualified trust service providers (QTSPs), and the +EU Digital Identity Wallet for identity verification across borders. + +Who must comply: Trust service providers, government digital identity systems, +any organization accepting eIDAS-qualified identities. 27 member states must +provide wallets by 2026. + +Penalties: Member state enforcement; penalties vary but non-compliance blocks +access to the EU digital identity market. + +Why it matters: eIDAS 2.0 creates a verified digital identity layer across the +EU. The gate stack can integrate with eIDAS wallets as the identity provider +for gate rules — "only X, authenticated via eIDAS wallet, may approve this +transaction." First-mover advantage: wallets are being built now; the provider +that integrates with the wallet standard first locks in the identity gate +integration. + +** CRA (Cyber Resilience Act) + +EU regulation (effective 2025-2027 phased). Mandates cybersecurity requirements +for products with digital elements (hardware and software). Requires: secure-bydesign, vulnerability handling, security updates for minimum 5 years, SBOM +(software bill of materials) disclosure, CE marking for cybersecurity. + +Who must comply: Manufacturers, importers, and distributors of connected products +sold in the EU. Categories: default (self-declaration), Class I (third-party +audit), Class II (notified body assessment). + +Penalties: Up to 15M EUR or 2.5% of global turnover for non-compliance with +reporting obligations. + +Why it matters: CRA's CE marking requirement creates a certification pipeline +that the verification appliance can supply. If Passepartout's gate stack is +itself CRA-compliant (verified by the evaluation harness), it becomes the +compliance infrastructure for any product built on it. First-mover advantage: +Class II products require notified body assessment — the bottleneck is notified +body capacity. The gate stack's automated evidence pipeline bypasses the +bottleneck. + +* Japan + +** APPI (Act on Protection of Personal Information) + +Japan's comprehensive privacy law (amended 2022, fully effective 2023). +Applies to any business handling personal information of Japanese residents. +Key requirements: consent, purpose specification, data retention limits, +cross-border transfer restrictions (opt-in required), mandatory breach reporting, +data subject access/deletion rights, pseudonymized/anonymized data provisions. +Personal Information Protection Commission (PPC) enforces. + +Penalties: Up to 100M JPY (~$700K) for violations; criminal penalties up to +1 year imprisonment. Orders to suspend data processing or delete data. + +Who must comply: All businesses handling personal information of Japanese +residents. Extraterritorial — applies to non-Japanese businesses targeting +Japanese residents. + +Why it matters: APPI's cross-border transfer restrictions require fine-grained +control over which data leaves Japan. The gate stack can encode "this data has +APPI cross-border consent flag = false → block egress." First-mover advantage +is moderate — few non-Japanese vendors target APPI specifically, and the 2022 +amendments added requirements that created compliance gaps. + +** ISMAP (Government Information System Security Management and Assessment Program) + +Japan's government cloud security program — analogous to FedRAMP. Cloud services +used by Japanese government agencies must be ISMAP-authorized. Managed by the +Digital Agency and the Information-technology Promotion Agency (IPA). + +Who must comply: Cloud service providers selling to Japanese national and local +government agencies. + +Why it matters: Like FedRAMP, ISMAP is a procurement gate. Authorization is +time-consuming and expensive. A compute marketplace provider with ISMAP +authorization has exclusive access to the Japanese government market. First-mover +advantage is significant — as of 2025, fewer than 100 services are ISMAP-registered. + +* South Korea + +** PIPA (Personal Information Protection Act) + +South Korea's comprehensive privacy law (enacted 2011, major amendments 2023 +and 2024). One of the strictest privacy regimes globally. Key requirements: +consent, data minimization, purpose limitation, mandatory privacy impact +assessment, data protection officer, breach notification within 72 hours, +cross-border transfer restrictions, right to request data transmission +(portability). The Personal Information Protection Commission (PIPC) enforces +aggressively. + +Penalties: Up to 3% of revenue (raised from 0.5% in 2024 amendments). Criminal +penalties up to 5 years imprisonment. PIPC has levied fines of 100B+ KRW (~$75M) +against major tech companies. Class action lawsuits permitted. + +Who must comply: Any organization handling personal information of South Korean +residents. Extraterritorial scope is broad and actively enforced. + +Why it matters: PIPA is structurally similar to GDPR but with stricter +enforcement and higher penalties relative to market size. The gate stack's +purpose-boundary gates map directly to PIPA's purpose limitation requirement. +First-mover advantage is large — PIPA has fewer compliance automation vendors +than GDPR, and the 2024 amendments (stricter consent, higher fines) are still +settling. + +* Australia + +** Privacy Act 1988 / Notifiable Data Breaches (NDB) scheme + +Australia's federal privacy law (amended 2023-2025). Comprehensive reform in +progress — the Privacy Act Review (2023) proposes significant expansion: +tiered penalties up to $50M AUD (or 30% of turnover, or 3x benefit obtained), +direct right of action for individuals, new tort of serious invasion of privacy, +children's privacy code, automated decision-making transparency. + +Who must comply: Most Australian businesses with >$3M AUD turnover; all +health service providers; all businesses handling tax file numbers. Extraterritorial +— applies to any organization with an Australian link. + +Penalties: Current maximum $50M AUD (from amendments effective late 2024). +OAIC (Office of the Australian Information Commissioner) enforces. New direct +right of action will increase private litigation. + +Why it matters: The Privacy Act Review's proposed automated decision-making +transparency requirements are unique — organizations must disclose the logic +and expected outcomes of AI decisions. The gate stack's ACL2 proof log is the +most defensible transparency artifact available. First-mover advantage: the +reforms are being legislated now; early adoption positions the gate stack as +the reference implementation. + +** APRA CPS 234 (Prudential Standard — Information Security) + +Australian Prudential Regulation Authority standard for regulated financial +institutions. Requires: clearly defined information security roles and +responsibilities, periodic cybersecurity capability assessments, robust control +testing, timely remediation of control weaknesses, mandatory notification of +material incidents to APRA within 72 hours. + +Who must comply: Banks, insurers, superannuation funds regulated by APRA. +~500 entities. + +Penalties: APRA can impose capital requirements, license conditions, or +license cancellation for non-compliance. Personal liability for board and +senior management. + +Why it matters: CPS 234's control testing requirement creates demand for +continuous verification — exactly what the gate stack and evaluation harness +provide. First-mover advantage: CPS 234 is mature (2019) but enforcement is +escalating. No vendor provides a deterministic control-testing pipeline. + +** IRAP (Infosec Registered Assessors Program) + +Australian government's cloud security assessment program — analogous to +FedRAMP. Cloud services used by Australian government agencies must have an +IRAP assessment. Managed by the Australian Cyber Security Centre (ACSC). +Assessment levels: Protected (highest), Secret (top secret), Unclassified DLM. + +Who must comply: Cloud providers selling to Australian federal, state, and +local government agencies. Also critical infrastructure providers. + +Why it matters: Like FedRAMP and ISMAP, IRAP is a procurement gate. An IRAP +Protected-level assessment is expensive and takes 6-12 months. First-mover +advantage: the gate stack's deterministic audit trail can be the primary +evidence artifact, reducing assessment scope/cost. + +* India + +** DPDP Act 2023 (Digital Personal Data Protection Act) + +India's first comprehensive federal privacy law (enacted August 2023, rules +drafting in progress, enforcement expected 2026-2027). Key features: consent +for personal data processing, data processor obligations, data principal rights +(right to access, correction, erasure, grievance redressal), Data Protection +Board of India (DPBI) enforcement, significant penalties, exempted government +processing for sovereignty/national security. + +Penalties: Up to 250 Cr INR (~$30M) per breach. Data fiduciary bears primary +responsibility regardless of processor fault. + +Who must comply: Any organization processing personal data of Indian residents, +where the data is collected in India or used to profile Indian residents. +Offshore data processors are in scope. + +Why it matters: DPDP is a greenfield privacy regime — India had no comprehensive +privacy law before 2023. The rules (implementation details) are being drafted +now. This is the widest first-mover window in the global privacy landscape: +organizations need compliance tooling that doesn't exist yet. The gate stack's +consent-managed data access model maps directly to DPDP's consent framework. +A DPDP gate package at $30K/yr (discounted for India market) captures a market +of hundreds of thousands of businesses with no incumbent vendor. + +* Brazil + +** LGPD (Lei Geral de Proteção de Dados — Law 13,709/2018) + +Brazil's comprehensive privacy law (effective 2020, fines effective 2023). +Modeled on GDPR but with differences: LGPD defines "data processing agents" +(controller and operator), requires appointment of DPO (data protection officer), +mandates breach notification to ANPD (National Data Protection Authority) and +affected data subjects. 10 legal bases for processing (vs 6 in GDPR). + +Penalties: Up to 2% of revenue in Brazil per violation, capped at 50M BRL +(~$10M) per violation. ANPD can also order suspension of processing, partial +or total prohibition of database operation. + +Who must comply: Any organization (public or private) processing personal data +of Brazilian residents, regardless of where the organization is based. No +revenue threshold. + +Why it matters: LGPD affects every business operating in Latin America's largest +economy. The 2% revenue penalty structure creates strong economic incentive. +First-mover advantage: fewer compliance automation vendors in the Portuguese +market. A Portuguese-language gate package with LGPD-specific consent and data +subject rights gates captures a market of 210M people. + +* Mexico + +** LFPDPPP (Federal Law on Protection of Personal Data Held by Private Parties) + +Mexico's federal privacy law (effective 2010, reformed 2024). Key requirements: +consent, notice (privacy notice must specify the "responsible party"), purpose +limitation, data subject rights (ARCO — access, rectification, cancellation, +opposition + deletion, portability), cross-border data transfer limitations, +security breach notification. INAI (National Institute for Transparency, +Access to Information and Personal Data Protection) enforces. + +Penalties: Up to 1.9M days of minimum wage (~$5M USD); INAI can also +suspend data processing. + +Why it matters: USMCA (US-Mexico-Canada Agreement) trade obligations are +pushing toward privacy regime interoperability. A bilingual (Spanish/English) +gate package covering both LFPDPPP and US frameworks serves the massive +US-Mexico cross-border commerce market. First-mover advantage: LFPDPPP is +less automated than GDPR; the market has fewer vendors and lower expectations. + +* International Frameworks + +** ISO 27001 (Information Security Management) + +International standard for information security management systems (ISMS). +The most widely adopted security certification globally — ~60,000 certified +organizations. Requires: risk assessment, security controls (Annex A, 93 +controls across 4 domains), continuous improvement (Plan-Do-Check-Act), +management review, internal audit. + +Who must comply: Self-selected — enterprises pursue ISO 27001 certification +because supply chain partners and regulators require it. Increasingly mandatory +for: cloud providers, government contractors, critical infrastructure, and +regulated financial institutions in multiple jurisdictions. + +Penalties: No direct fines. Losing certification means losing business. + +Why it matters: ISO 27001 is the universal baseline. It is the entry-level +certification that opens every other regulated market. The gate stack maps +to Annex A controls directly (A.9 access control, A.12 operations security, +A.16 incident management, A.18 compliance). First-mover advantage: the ISO +27001 audit market is mature ($68B) and entirely manual (auditors flip through +binders). A gate stack that produces audit evidence automatically is not +competing with other software — it is competing with binders. + +** ISO 27701 (Privacy Information Management — PIMS extension to ISO 27001) + +International standard extending ISO 27001 for privacy information management. +Aligns with GDPR requirements. Provides a framework for PII (personally +identifiable information) controllers and processors. + +Why it matters: ISO 27701 bridges information security and privacy compliance. +An organization with ISO 27001 + ISO 27701 certification has a unified +audit framework. The gate stack's access control gates + privacy gates satisfy +both standards from the same infrastructure. First-mover advantage: adoption is +growing but still low (~1,000 certifications). Early gate package captures the +growth market. + +** Basel III (Bank for International Settlements — Basel Committee) + +International banking regulatory framework (BIS Basel Committee). Sets minimum +capital requirements, liquidity coverage ratio (LCR), net stable funding ratio +(NSFR), leverage ratio, and counterparty credit risk requirements. National +implementation via local regulators (Federal Reserve, ECB, PRA, BOJ, etc.). + +Who must comply: All internationally active banks. Systemically important +financial institutions (G-SIBs) face additional surcharges. + +Penalties: Capital adequacy violations trigger regulatory intervention at +increasing severity — restrictions on dividends, mandatory capital raising, +management replacement, resolution. + +Why it matters: Basel's risk-weight calculation is rule-heavy and +verification-friendly. The gate stack can encode credit risk weight mappings +and produce auditable proof that capital calculations follow the correct +methodology. First-mover advantage: Basel compliance is done via spreadsheets +and specialized risk platforms. No platform uses formal verification for +risk-weight mapping correctness. A $100K/yr Basel gate package for a G-SIB +is a trivial expense relative to the capital requirement penalty of getting the +mapping wrong. + +** FATF (Financial Action Task Force) — AML/CFT Standards + +International standard-setter for anti-money laundering and counter-terrorism +financing. 40 Recommendations covering: risk assessment, customer due diligence +(CDD), beneficial ownership transparency, suspicious transaction reporting, +targeted financial sanctions, proliferation financing. National implementation +varies by jurisdiction. + +Who must comply: Financial institutions, DNFBPs (designated non-financial +businesses and professions), virtual asset service providers (VASPs). In +practice: every bank, money service business, crypto exchange, and high-value +dealer globally. + +Penalties: National enforcement varies. Systemic failures lead to FATF grey-list +(monitoring) or black-list (counter-measures). Grey-listing increases transaction +costs — Iran and North Korea are black-listed. + +Why it matters: FATF's CDD requirements are the most widespread and +rule-complex compliance obligation globally. The gate stack can encode +tiered CDD rules, prove that every customer onboarding followed the correct +verification path, and produce an auditable trail for every suspicion +determination. First-mover advantage: AML compliance is a $50B+ market +dominated by legacy vendors (LexisNexis, Thomson Reuters, FICO). None use +formal verification. The gate stack's proof log is a "deterministic audit +trail" that regulators would recognize as superior to the current paper-trail +approach. + +** OECD Privacy Guidelines and AI Principles + +OECD Privacy Guidelines (revised 2013): Eight principles — collection limitation, +data quality, purpose specification, use limitation, security safeguards, +openness, individual participation, accountability. Non-binding but foundational +— the basis for GDPR, APPI, LGPD, and most other privacy laws. + +OECD AI Principles (adopted 2019, updated 2024): Five values-based principles +— inclusive growth and well-being, human-centered values and fairness, +transparency and explainability, robustness and safety, accountability. +Non-binding but influential — the AI Act, Canada's AIDA, and Japan's AI +guidelines all cite them. + +Why it matters: The OECD frameworks are indirect revenue drivers. Regulatory +alignment with OECD principles is often a procurement requirement for +international organizations and development finance institutions. First-mover +advantage is about standard-setting: the gate package that maps to OECD +principles first becomes the reference implementation. + +** World Bank Environmental and Social Framework (ESF) + +The World Bank's framework for managing environmental and social risk in +investment projects. Ten standards: ESS1 (assessment), ESS2 (labor), ESS3 +(resource efficiency), ESS4 (community health), ESS5 (land/resettlement), +ESS6 (biodiversity), ESS7 (indigenous peoples), ESS8 (cultural heritage), +ESS9 (financial intermediaries), ESS10 (stakeholder engagement). + +Who must comply: Borrowers and project implementers across World Bank-financed +projects in 100+ countries. Also adopted by many multilateral development banks +(MDBs) as their standard. + +Why it matters: ESF compliance is condition precedent to World Bank disbursement. +Delays in compliance verification delay project funding. The gate stack's +deterministic rule system can encode ESF standards as execution gates — "no +disbursement unless ESS5 resettlement plan is verified complete." First-mover +advantage: World Bank compliance is entirely document-based (reports, audits, +site visits). A verified gate system is unprecedented. + +** IFC Performance Standards (PS) + +International Finance Corporation's standards for environmental and social +sustainability in private sector investment. Eight standards: PS1 (risk +management), PS2 (labor), PS3 (resource efficiency), PS4 (community health), +PS5 (land/resettlement), PS6 (biodiversity), PS7 (indigenous peoples), PS8 +(cultural heritage). Adopted by over 80 Equator Principles financial +institutions (project finance lenders). + +Who must comply: IFC investees and clients; any project finance deal under +the Equator Principles. + +Why it matters: The Equator Principles affect $100B+/yr in project finance. +Compliance verification is done by external consultants. The gate stack can +automate the evidence collection and provide verifiable proof that each PS +requirement has been met before financial close. First-mover advantage: no +vendor serves this market with automation — it is entirely consultant-delivered. + +** IFRS (International Financial Reporting Standards) + +International accounting standards (IFRS Foundation, 166 jurisdictions). IFRS 17 +(insurance contracts, effective 2023) and IFRS 9 (financial instruments) are the +most rule-complex — requiring actuarial models, expected credit loss calculations, +and contract classification algorithms. + +Who must comply: Publicly listed companies in 166 jurisdictions including the +EU, UK, Japan, Australia, Canada (2024), Brazil, India, South Korea, and most +of Asia and Africa. The US (GAAP) is the major holdout. + +Why it matters: IFRS 17 and IFRS 9 are algorithmically complex rule sets. +Getting an actuarial model or credit loss calculation wrong is a financial +reporting error. The gate stack's ACL2 prover can verify that the calculation +implementations match the standard's mathematical requirements. First-mover +advantage: IFRS 17 was the largest accounting change in a decade. Implementation +was a crisis for insurers. The next wave (IFRS 18, sustainability disclosures +via ISSB) is coming. A verified IFRS gate package is a unique value proposition. + +** UN/CEFACT (UN Centre for Trade Facilitation and Electronic Business) + +UN standards for electronic data interchange (EDI), trade facilitation, and +cross-border data exchange. Key standards: UN/EDIFACT (trade data), Core +Component Library (CCL), Multi-Modal Transport Reference Data Model. Basis +for WTO Trade Facilitation Agreement compliance. + +Who must comply: Customs authorities, logistics providers, trade finance banks, +exporters/importers in 170+ WTO member countries. + +Why it matters: Cross-border trade data exchange is rule-intensive (tariff +classification, rules of origin, customs valuation, sanitary/phytosanitary +requirements). The gate stack can encode trade compliance rules and prove that +every cross-border data exchange satisfies the applicable regulation. First-mover +advantage: trade compliance is a $15B market dominated by legacy SAP/Oracle +modules and customs brokerages. None use verification. + +* First-Mover Window Analysis + +The first-mover window is the time in which a new compliance tool can establish +dominance before incumbents respond or the market settles on a standard approach. + +| Window | Frameworks | Rationale | +|--------|-----------|-----------| +| **Critical (<12 months)** | EU AI Act (Aug 2026 effective), NIS2 (Oct 2025 deadline), DORA (Jan 2025 — already in effect) | Regulation is active or imminent. Buyers are desperate. No established vendor. | +| **Wide (12-36 months)** | DPDP Act 2023 (rules drafting), India privacy; Privacy Act Review (Australia); Quebec Law 25; CRA phased enforcement | Regulation not yet fully enforced. Rules being written. Market forming. | +| **Mature (commodity)** | GDPR (2018), SOX (2002), HIPAA (1996), GLBA (1999), Basel III (2010), FATF 40 Recs | Market has established vendors. First-mover advantage requires displacing incumbents via superior architecture. | +| **Latent (undiscovered)** | OECD AI Principles, UN/CEFACT, World Bank ESF, IFC PS | Compliance exists but is document-based or consultant-delivered. No software market has formed. The first gate package creates the category. | + +* Expanded Revenue Table + +| Framework | Region | Gate price/yr | Addressable orgs | Revenue potential | First-mover window | Gate rule type | +|-----------|--------|--------------|------------------|-------------------|---------------------|----------------| +| HIPAA | US | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + access control | +| SOC 2 | US/Global | $50K | 100K+ | $5B | Mature (incumbent disruption) | Access control + audit | +| GDPR | EU | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + consent | +| FedRAMP | US | $100K | 1K (providers) | $100M | Moderate (<300 authorized) | Continuous monitoring | +| SOX | US | $50K | 10K | $500M | Mature (manual audit disruption) | Financial controls | +| GLBA | US | $40K | 20K | $800M | Moderate | Financial privacy | +| NY DFS 500 | US (NY) | $30K | 3K | $90M | Wide | Cybersecurity controls | +| CCPA/CPRA | US (CA) | $40K | 50K+ | $2B | Moderate | Privacy opt-out flows | +| NIS2 | EU | $50K | 160K | $8B | Critical (2025) | Cybersecurity + supply chain | +| EU AI Act | EU | $75K | 100K+ | $7.5B | Critical (Aug 2026) | AI risk management | +| DORA | EU | $50K | 22K+ | $1.1B | Critical (in effect) | ICT resilience | +| eIDAS 2.0 | EU | $30K | 10K+ | $300M | Wide (wallet buildout) | Identity gates | +| CRA | EU | $40K | 50K+ | $2B | Wide (phased 2025-2027) | Product security | +| UK GDPR | UK | $40K | 100K+ | $4B | Mature (GDPR derivative) | Privacy | +| APPI | Japan | $40K | 100K+ | $4B | Moderate | Cross-border privacy | +| ISMAP | Japan | $75K | 500 (providers) | $37.5M | Wide (<100 registered) | Gov cloud assessment | +| PIPA | South Korea | $35K | 50K+ | $1.75B | Wide (2024 amendments settling) | Privacy + consent | +| Privacy Act | Australia | $35K | 50K+ | $1.75B | Wide (reforms legislating) | Privacy + AI transparency | +| APRA CPS 234 | Australia | $40K | 500 | $20M | Moderate | Info security controls | +| IRAP | Australia | $75K | 300 (providers) | $22.5M | Wide | Gov cloud assessment | +| DPDP Act | India | $30K | 500K+ | $15B | Wide (rules drafting) | Privacy + consent | +| LGPD | Brazil | $30K | 200K+ | $6B | Moderate | Privacy | +| LFPDPPP | Mexico | $25K | 50K+ | $1.25B | Wide | Privacy | +| ISO 27001 | Global | $40K | 60K+ | $2.4B | Mature (manual disruption) | ISMS controls | +| ISO 27701 | Global | $35K | 1K+ | $35M | Wide (growing) | Privacy management | +| Basel III | Global (banking) | $100K | 500 (G-SIBs) | $50M | Mature (incumbent disruption) | Capital adequacy | +| FATF AML/CFT | Global | $50K | 50K+ | $2.5B | Mature (incumbent disruption) | CDD + screening | +| IFRS 17 | Global (insurance) | $75K | 5K+ | $375M | Mature (actuarial verification) | Contract classification | +| UN/CEFACT | Global (trade) | $30K | 50K+ | $1.5B | Latent (no market exists) | Cross-border data rules | +| World Bank ESF | Global (dev finance) | $50K | 1K+ (projects) | $50M | Latent (no market exists) | ES compliance gates | +| IFC PS | Global (project finance) | $50K | 500+ (deals) | $25M | Latent (no market exists) | ES compliance gates | + +A compute marketplace provider with authorization in 5+ frameworks (FedRAMP + +ISMAP + IRAP + SOC 2 + ISO 27001) becomes the default infrastructure provider +for regulated cloud globally. The gate package portfolio alone — a mid-size +enterprise running 10+ packages — generates $500K/yr+ in recurring revenue. +At 10,000 such enterprises: $5B/yr. The first-mover advantage is not about any +single framework — it is about being the first to offer a unified gate stack +that maps to all of them.