Expand compliance study to global master mapping: 30+ frameworks across OECD + international orgs

Major expansion of compliance-framework-reference.org from 4 frameworks (HIPAA, SOC 2, GDPR, FedRAMP) to ~33 frameworks covering: US: SOX, GLBA, NY DFS 500, CCPA/CPRA, Quebec Law 25 UK/EU: UK GDPR, NIS2, EU AI Act, DORA, eIDAS 2.0, CRA Asia-Pacific: APPI (Japan), ISMAP (Japan), PIPA (South Korea), Privacy Act/Australia, APRA CPS 234, IRAP, DPDP Act (India) Latin America: LGPD (Brazil), LFPDPPP (Mexico) International: ISO 27001, ISO 27701, Basel III, FATF AML/CFT, IFRS 17, OECD Privacy/AI Principles, World Bank ESF, IFC PS, UN/CEFACT Each entry: what it is, who must comply, penalties, first-mover advantage analysis. Added First-Mover Window Analysis table (Critical/Wide/Mature/Latent) and Expanded Revenue Table with 30+ rows mapping framework → price → addressable orgs → revenue potential → window → gate rule type.
2026-05-23 06:02:39 +00:00
parent 3063f8fdf7
commit fce952e900
1 changed files with 649 additions and 15 deletions
--- a/ideas/passepartout-economics/compliance-framework-reference.org
+++ b/ideas/passepartout-economics/compliance-framework-reference.org
@@ -2,8 +2,8 @@
 :ID:       e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c
 :CREATED:  [2026-05-23 Sat]
 :END:
-#+title: Compliance Framework Reference — HIPAA, SOC 2, GDPR, FedRAMP
+#+title: Compliance Framework Mapping — Global Regulated Industries
-#+filetags: :passepartout:compliance:reference:regulation:
+#+filetags: :passepartout:compliance:reference:regulation:global:oecd:
 The verification monopoly and domain gate package revenue streams depend on
 selling into regulated industries. These industries buy compliance, not software.
@@ -194,19 +194,653 @@ applies hardest here: an agency that has relied on a FedRAMP-authorized compute
 provider for five years cannot switch without re-running the entire authorization
 process with a new provider.
-* What Each Framework Means for Revenue
+* US — Financial and Corporate Frameworks
-| Framework | Gate package price | What it buys | Buyer |
+** SOX (Sarbanes-Oxley Act)
 |-----------|-------------------|--------------|-------|
 | HIPAA | $50K/yr | ACL2-encoded Privacy + Security Rules; auto-generated audit trail replaces SIEM | Hospitals, insurers, health-tech |
 | SOC 2 | $50K/yr | Gate stack evidence artifacts for Type II auditor; no separate logging | Any B2B SaaS needing enterprise procurement |
 | GDPR | $50K/yr | Purpose-bound data access gates; built-in DPIA evidence; DPA templates | Any org with EU data subjects |
 | FedRAMP | $100K/yr | Deterministic continuous monitoring; control evidence on every access (not annual) | Federal contractors, defense, critical infra |
-A single enterprise running all four packages generates $250K/yr in gate
+US federal law (2002). Mandates internal controls over financial reporting
-package revenue. With infrastructure lock-in, that grows to $500K-$1M/yr
+(ICFR) for publicly traded companies. Section 404 requires management to assess
-by year five as the fact store accumulates compliance decisions.
+and auditors to attest to the effectiveness of internal controls.
-See also: [[file:domain-gate-packages.org][Domain gate packages]], [[file:infrastructure-lock-in.org][Infrastructure lock-in]],
+Who must comply: All US public companies; foreign issuers trading on US exchanges.
-[[file:verification-monopoly.org][Verification monopoly]], [[file:compute-marketplace.org][Compute marketplace]],
+~6,000 public companies + foreign filers.
-[[file:evaluation-harness.org][Evaluation harness]], [[file:passepartout-economics.org][Passepartout economics index]]
+
 Penalties: Up to $5M fines and 20 years imprisonment for certifying false
 financial statements. CEO and CFO personally liable.
 Why it matters: Every financial control is a gate rule — who can approve a
 journal entry, who can release a payment, who can modify a vendor record. The
 gate stack encodes these as ACL2-verified rules and produces the audit trail
 that the external auditor needs for Section 404 attestation. First-mover
 advantage: SOX is mature (24 years old) but the audit market is $4B+ and
 entirely manual — no competitor has automated the evidence pipeline.
 ** GLBA (Gramm-Leach-Bliley Act)
 US federal law governing financial institutions' handling of nonpublic personal
 information (NPI). Requires privacy notices, opt-out rights, and a Safeguards
 Rule requiring an information security program.
 Who must comply: Banks, credit unions, insurance companies, securities firms,
 financial advisers. ~20,000 institutions.
 Penalties: FTC-enforced. Civil penalties up to $100K per violation; officers
 and directors personally liable.
 Why it matters: The Safeguards Rule maps directly to gate stack access controls.
 Every NPI access is gated; the proof log is the security program's evidence.
 First-mover advantage is narrow (GLBA is well-understood) but the market is
 large because every financial institution that dodges HIPAA still faces GLBA.
 ** NY DFS 500 (23 NYCRR 500)
 New York State Department of Financial Services cybersecurity regulation for
 financial services. The most aggressive US state-level financial cybersecurity
 rule. Requires: risk assessment, penetration testing, multi-factor authentication,
 incident response plan, annual certification of compliance by the board.
 Who must comply: Any entity regulated by NY DFS — banks, insurers, mortgage
 brokers, virtual currency companies operating in New York. ~3,000 institutions.
 Penalties: $200K-$1M per violation; business license revocation possible.
 Why it matters: The annual board certification requirement creates demand for
 verifiable evidence of control effectiveness — exactly what the gate stack
 produces. First-mover advantage is significant (few vendors target NY DFS 500
 specifically) and the regulation is a template that other states are adopting.
 * US — State Privacy Frameworks
 ** CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act)
 California's comprehensive privacy law — the closest US analogue to GDPR.
 CPRA (effective 2023) amended and strengthened CCPA. Key rights: right to
 know, delete, opt out of sale/sharing, correct inaccurate data, limit use
 of sensitive PI. Private right of action for data breaches.
 Who must comply: For-profit businesses with >$25M revenue, or handling >100K
 consumer records, or deriving >50% revenue from selling PI. Extraterritorial —
 applies to any business collecting CA resident data.
 Penalties: $2,500 per violation (intentional: $7,500). Private right of action
 for breaches: $100-$750 per incident per consumer. CPRA created the California
 Privacy Protection Agency (CPPA) for enforcement.
 Why it matters: The opt-out/sale/sharing requirements create complex data flow
 gate rules. The gate stack can encode "this data flow crosses a CCPA boundary"
 and automatically enforce the opt-out at every data access. First-mover
 advantage is moderate (many CCPA tools exist) but none provide a deterministic,
 verifiable audit trail — they are all document-based.
 ** Canadian provincial privacy (Quebec Law 25, Ontario PHIPA)
 Quebec Law 25 (2023-2024 phased) is Canada's most aggressive privacy
 regulation — closer to GDPR than PIPEDA. Requires: privacy officer appointment,
 privacy impact assessments, consent modernization, data portability, right to
 de-index, algorithm transparency (automated decision-making disclosures).
 Penalties up to $25M CAD or 4% of global revenue.
 Why it matters: The algorithm transparency requirement is unique — organizations
 must disclose how automated decision systems work. The gate stack's ACL2 proof
 log is a natural algorithm transparency artifact. First-mover advantage: this
 is a new requirement with no established vendor tooling.
 * UK and EU — Additional Frameworks
 ** UK GDPR / Data Protection Act 2018
 Post-Brexit, the UK maintains its own version of GDPR via the Data Protection
 Act 2018. Substantively identical to EU GDPR but diverging over time. The UK
 has announced separate reforms targeting AI and digital identity. ICO (Information
 Commissioner's Office) enforces. Maximum fines: 17.5M GBP or 4% of global turnover.
 Why it matters: UK GDPR is EU GDPR's twin market — any gate package designed
 for EU GDPR ports directly with verified translation of terminology (supervisory
 authority → ICO, DPA → equivalent UK contract clauses). The gate stack's ACL2
 prover can verify that the UK version's rules are consistent with the EU version
 (and alert when they diverge). This is a concrete ACL2 application.
 ** NIS2 (Network and Information Security Directive)
 EU directive (effective October 2024, member states transpose by October 2025).
 Replaces NIS (2016). Expands scope from 7 sectors to 15, covering: energy,
 transport, banking, financial market infrastructure, health, drinking water,
 wastewater, digital infrastructure, ICT service management, public administration,
 space, postal services, food, chemicals, manufacturing (critical products).
 Key requirements: risk management measures (supply chain security, incident
 handling, business continuity), incident notification (24-hour early warning,
 72-hour full report), C-level accountability (management can be held personally
 liable for non-compliance), supply chain security for critical vendors.
 Who must comply: ~160,000 entities across EU (up from ~30,000 under NIS).
 Two tiers: essential (strict) and important (moderate). Extraterritorial — any
 organization providing services to EU entities in covered sectors.
 Penalties: Up to 10M EUR or 2% of global turnover (essential entities). Personal
 liability for management.
 Why it matters: NIS2 is the largest European cybersecurity mandate ever.
 Every requirement maps to a gate rule: supply chain access verification,
 incident notification triggers, business continuity approval chains. First-mover
 advantage is urgent — the transposition deadline is October 2025 (17 months).
 Organizations need gate packages now. No competitor has a declarative gate
 model that maps to NIS2 requirements. $50K/yr NIS2 gate package is a fast sell.
 ** EU AI Act
 First comprehensive AI regulation globally (effective August 2026). Risk-based
 tiers: unacceptable (banned), high-risk (conformity assessment), limited
 (transparency), minimal (code of conduct). High-risk systems require: risk
 management, data governance, technical documentation, transparency, human
 oversight, accuracy/robustness/cybersecurity. Third-party conformity assessment
 for some high-risk systems (notified bodies).
 Who must comply: Providers and deployers of AI systems in the EU. Extraterritorial
 if the AI system output is used in the EU. Scope covers GPAI (general-purpose AI)
 with additional obligations for systemic-risk GPAI.
 Penalties: Up to 35M EUR or 7% of global turnover (higher than GDPR).
 Why it matters: The EU AI Act's conformity assessment requirement creates an
 instant certification market. Passepartout's gate stack can serve as the
 human oversight and accuracy/robustness infrastructure for any AI system
 deployed through it. The [[file:verification-monopoly.org][verification monopoly]] argument applies at maximum
 force: an ACL2-verified gate stack is the most defensible approach to AI Act
 compliance. First-mover advantage: the regulation takes effect August 2026.
 No certification body or tool vendor has an ACL2-based compliance pipeline.
 First to market captures the standard-setting role.
 ** DORA (Digital Operational Resilience Act)
 EU regulation (effective January 2025) for the financial sector. Requires:
 ICT risk management, incident reporting, digital operational resilience testing,
 ICT third-party risk management (including contractual access and audit rights
 for critical ICT providers), information sharing, threat-led penetration testing
 (TLPT) for systemic institutions.
 Who must comply: 22,000+ financial entities in the EU (banks, investment firms,
 payment processors, crypto-asset providers, insurance companies). Also ICT
 third-party providers deemed critical.
 Penalties: Up to 2% of average daily turnover × number of days breached, or
 10M EUR for legal entities. Personal liability for management.
 Why it matters: DORA's third-party risk management requirement is a natural gate
 stack use case — every ICT provider access must be gated, logged, and auditable.
 TLPT (threat-led penetration testing) maps to the evaluation harness. First-mover
 advantage is extremely time-sensitive: DORA is already in effect (January 2025).
 Financial institutions are scrambling for compliance tooling. A DORA gate package
 at $50K/yr with zero incremental cost per additional user is an immediate sale.
 ** eIDAS 2.0 (Electronic Identification, Authentication and Trust Services)
 EU regulation (amended 2024). Creates the EU Digital Identity Wallet — mandatory
 for member states to offer, optional for citizens. Requires: qualified electronic
 signatures/seals/timestamps, qualified trust service providers (QTSPs), and the
 EU Digital Identity Wallet for identity verification across borders.
 Who must comply: Trust service providers, government digital identity systems,
 any organization accepting eIDAS-qualified identities. 27 member states must
 provide wallets by 2026.
 Penalties: Member state enforcement; penalties vary but non-compliance blocks
 access to the EU digital identity market.
 Why it matters: eIDAS 2.0 creates a verified digital identity layer across the
 EU. The gate stack can integrate with eIDAS wallets as the identity provider
 for gate rules — "only X, authenticated via eIDAS wallet, may approve this
 transaction." First-mover advantage: wallets are being built now; the provider
 that integrates with the wallet standard first locks in the identity gate
 integration.
 ** CRA (Cyber Resilience Act)
 EU regulation (effective 2025-2027 phased). Mandates cybersecurity requirements
 for products with digital elements (hardware and software). Requires: secure-bydesign, vulnerability handling, security updates for minimum 5 years, SBOM
 (software bill of materials) disclosure, CE marking for cybersecurity.
 Who must comply: Manufacturers, importers, and distributors of connected products
 sold in the EU. Categories: default (self-declaration), Class I (third-party
 audit), Class II (notified body assessment).
 Penalties: Up to 15M EUR or 2.5% of global turnover for non-compliance with
 reporting obligations.
 Why it matters: CRA's CE marking requirement creates a certification pipeline
 that the verification appliance can supply. If Passepartout's gate stack is
 itself CRA-compliant (verified by the evaluation harness), it becomes the
 compliance infrastructure for any product built on it. First-mover advantage:
 Class II products require notified body assessment — the bottleneck is notified
 body capacity. The gate stack's automated evidence pipeline bypasses the
 bottleneck.
 * Japan
 ** APPI (Act on Protection of Personal Information)
 Japan's comprehensive privacy law (amended 2022, fully effective 2023).
 Applies to any business handling personal information of Japanese residents.
 Key requirements: consent, purpose specification, data retention limits,
 cross-border transfer restrictions (opt-in required), mandatory breach reporting,
 data subject access/deletion rights, pseudonymized/anonymized data provisions.
 Personal Information Protection Commission (PPC) enforces.
 Penalties: Up to 100M JPY (~$700K) for violations; criminal penalties up to
 1 year imprisonment. Orders to suspend data processing or delete data.
 Who must comply: All businesses handling personal information of Japanese
 residents. Extraterritorial — applies to non-Japanese businesses targeting
 Japanese residents.
 Why it matters: APPI's cross-border transfer restrictions require fine-grained
 control over which data leaves Japan. The gate stack can encode "this data has
 APPI cross-border consent flag = false → block egress." First-mover advantage
 is moderate — few non-Japanese vendors target APPI specifically, and the 2022
 amendments added requirements that created compliance gaps.
 ** ISMAP (Government Information System Security Management and Assessment Program)
 Japan's government cloud security program — analogous to FedRAMP. Cloud services
 used by Japanese government agencies must be ISMAP-authorized. Managed by the
 Digital Agency and the Information-technology Promotion Agency (IPA).
 Who must comply: Cloud service providers selling to Japanese national and local
 government agencies.
 Why it matters: Like FedRAMP, ISMAP is a procurement gate. Authorization is
 time-consuming and expensive. A compute marketplace provider with ISMAP
 authorization has exclusive access to the Japanese government market. First-mover
 advantage is significant — as of 2025, fewer than 100 services are ISMAP-registered.
 * South Korea
 ** PIPA (Personal Information Protection Act)
 South Korea's comprehensive privacy law (enacted 2011, major amendments 2023
 and 2024). One of the strictest privacy regimes globally. Key requirements:
 consent, data minimization, purpose limitation, mandatory privacy impact
 assessment, data protection officer, breach notification within 72 hours,
 cross-border transfer restrictions, right to request data transmission
 (portability). The Personal Information Protection Commission (PIPC) enforces
 aggressively.
 Penalties: Up to 3% of revenue (raised from 0.5% in 2024 amendments). Criminal
 penalties up to 5 years imprisonment. PIPC has levied fines of 100B+ KRW (~$75M)
 against major tech companies. Class action lawsuits permitted.
 Who must comply: Any organization handling personal information of South Korean
 residents. Extraterritorial scope is broad and actively enforced.
 Why it matters: PIPA is structurally similar to GDPR but with stricter
 enforcement and higher penalties relative to market size. The gate stack's
 purpose-boundary gates map directly to PIPA's purpose limitation requirement.
 First-mover advantage is large — PIPA has fewer compliance automation vendors
 than GDPR, and the 2024 amendments (stricter consent, higher fines) are still
 settling.
 * Australia
 ** Privacy Act 1988 / Notifiable Data Breaches (NDB) scheme
 Australia's federal privacy law (amended 2023-2025). Comprehensive reform in
 progress — the Privacy Act Review (2023) proposes significant expansion:
 tiered penalties up to $50M AUD (or 30% of turnover, or 3x benefit obtained),
 direct right of action for individuals, new tort of serious invasion of privacy,
 children's privacy code, automated decision-making transparency.
 Who must comply: Most Australian businesses with >$3M AUD turnover; all
 health service providers; all businesses handling tax file numbers. Extraterritorial
 — applies to any organization with an Australian link.
 Penalties: Current maximum $50M AUD (from amendments effective late 2024).
 OAIC (Office of the Australian Information Commissioner) enforces. New direct
 right of action will increase private litigation.
 Why it matters: The Privacy Act Review's proposed automated decision-making
 transparency requirements are unique — organizations must disclose the logic
 and expected outcomes of AI decisions. The gate stack's ACL2 proof log is the
 most defensible transparency artifact available. First-mover advantage: the
 reforms are being legislated now; early adoption positions the gate stack as
 the reference implementation.
 ** APRA CPS 234 (Prudential Standard — Information Security)
 Australian Prudential Regulation Authority standard for regulated financial
 institutions. Requires: clearly defined information security roles and
 responsibilities, periodic cybersecurity capability assessments, robust control
 testing, timely remediation of control weaknesses, mandatory notification of
 material incidents to APRA within 72 hours.
 Who must comply: Banks, insurers, superannuation funds regulated by APRA.
 ~500 entities.
 Penalties: APRA can impose capital requirements, license conditions, or
 license cancellation for non-compliance. Personal liability for board and
 senior management.
 Why it matters: CPS 234's control testing requirement creates demand for
 continuous verification — exactly what the gate stack and evaluation harness
 provide. First-mover advantage: CPS 234 is mature (2019) but enforcement is
 escalating. No vendor provides a deterministic control-testing pipeline.
 ** IRAP (Infosec Registered Assessors Program)
 Australian government's cloud security assessment program — analogous to
 FedRAMP. Cloud services used by Australian government agencies must have an
 IRAP assessment. Managed by the Australian Cyber Security Centre (ACSC).
 Assessment levels: Protected (highest), Secret (top secret), Unclassified DLM.
 Who must comply: Cloud providers selling to Australian federal, state, and
 local government agencies. Also critical infrastructure providers.
 Why it matters: Like FedRAMP and ISMAP, IRAP is a procurement gate. An IRAP
 Protected-level assessment is expensive and takes 6-12 months. First-mover
 advantage: the gate stack's deterministic audit trail can be the primary
 evidence artifact, reducing assessment scope/cost.
 * India
 ** DPDP Act 2023 (Digital Personal Data Protection Act)
 India's first comprehensive federal privacy law (enacted August 2023, rules
 drafting in progress, enforcement expected 2026-2027). Key features: consent
 for personal data processing, data processor obligations, data principal rights
 (right to access, correction, erasure, grievance redressal), Data Protection
 Board of India (DPBI) enforcement, significant penalties, exempted government
 processing for sovereignty/national security.
 Penalties: Up to 250 Cr INR (~$30M) per breach. Data fiduciary bears primary
 responsibility regardless of processor fault.
 Who must comply: Any organization processing personal data of Indian residents,
 where the data is collected in India or used to profile Indian residents.
 Offshore data processors are in scope.
 Why it matters: DPDP is a greenfield privacy regime — India had no comprehensive
 privacy law before 2023. The rules (implementation details) are being drafted
 now. This is the widest first-mover window in the global privacy landscape:
 organizations need compliance tooling that doesn't exist yet. The gate stack's
 consent-managed data access model maps directly to DPDP's consent framework.
 A DPDP gate package at $30K/yr (discounted for India market) captures a market
 of hundreds of thousands of businesses with no incumbent vendor.
 * Brazil
 ** LGPD (Lei Geral de Proteção de Dados — Law 13,709/2018)
 Brazil's comprehensive privacy law (effective 2020, fines effective 2023).
 Modeled on GDPR but with differences: LGPD defines "data processing agents"
 (controller and operator), requires appointment of DPO (data protection officer),
 mandates breach notification to ANPD (National Data Protection Authority) and
 affected data subjects. 10 legal bases for processing (vs 6 in GDPR).
 Penalties: Up to 2% of revenue in Brazil per violation, capped at 50M BRL
 (~$10M) per violation. ANPD can also order suspension of processing, partial
 or total prohibition of database operation.
 Who must comply: Any organization (public or private) processing personal data
 of Brazilian residents, regardless of where the organization is based. No
 revenue threshold.
 Why it matters: LGPD affects every business operating in Latin America's largest
 economy. The 2% revenue penalty structure creates strong economic incentive.
 First-mover advantage: fewer compliance automation vendors in the Portuguese
 market. A Portuguese-language gate package with LGPD-specific consent and data
 subject rights gates captures a market of 210M people.
 * Mexico
 ** LFPDPPP (Federal Law on Protection of Personal Data Held by Private Parties)
 Mexico's federal privacy law (effective 2010, reformed 2024). Key requirements:
 consent, notice (privacy notice must specify the "responsible party"), purpose
 limitation, data subject rights (ARCO — access, rectification, cancellation,
 opposition + deletion, portability), cross-border data transfer limitations,
 security breach notification. INAI (National Institute for Transparency,
 Access to Information and Personal Data Protection) enforces.
 Penalties: Up to 1.9M days of minimum wage (~$5M USD); INAI can also
 suspend data processing.
 Why it matters: USMCA (US-Mexico-Canada Agreement) trade obligations are
 pushing toward privacy regime interoperability. A bilingual (Spanish/English)
 gate package covering both LFPDPPP and US frameworks serves the massive
 US-Mexico cross-border commerce market. First-mover advantage: LFPDPPP is
 less automated than GDPR; the market has fewer vendors and lower expectations.
 * International Frameworks
 ** ISO 27001 (Information Security Management)
 International standard for information security management systems (ISMS).
 The most widely adopted security certification globally — ~60,000 certified
 organizations. Requires: risk assessment, security controls (Annex A, 93
 controls across 4 domains), continuous improvement (Plan-Do-Check-Act),
 management review, internal audit.
 Who must comply: Self-selected — enterprises pursue ISO 27001 certification
 because supply chain partners and regulators require it. Increasingly mandatory
 for: cloud providers, government contractors, critical infrastructure, and
 regulated financial institutions in multiple jurisdictions.
 Penalties: No direct fines. Losing certification means losing business.
 Why it matters: ISO 27001 is the universal baseline. It is the entry-level
 certification that opens every other regulated market. The gate stack maps
 to Annex A controls directly (A.9 access control, A.12 operations security,
 A.16 incident management, A.18 compliance). First-mover advantage: the ISO
 27001 audit market is mature ($68B) and entirely manual (auditors flip through
 binders). A gate stack that produces audit evidence automatically is not
 competing with other software — it is competing with binders.
 ** ISO 27701 (Privacy Information Management — PIMS extension to ISO 27001)
 International standard extending ISO 27001 for privacy information management.
 Aligns with GDPR requirements. Provides a framework for PII (personally
 identifiable information) controllers and processors.
 Why it matters: ISO 27701 bridges information security and privacy compliance.
 An organization with ISO 27001 + ISO 27701 certification has a unified
 audit framework. The gate stack's access control gates + privacy gates satisfy
 both standards from the same infrastructure. First-mover advantage: adoption is
 growing but still low (~1,000 certifications). Early gate package captures the
 growth market.
 ** Basel III (Bank for International Settlements — Basel Committee)
 International banking regulatory framework (BIS Basel Committee). Sets minimum
 capital requirements, liquidity coverage ratio (LCR), net stable funding ratio
 (NSFR), leverage ratio, and counterparty credit risk requirements. National
 implementation via local regulators (Federal Reserve, ECB, PRA, BOJ, etc.).
 Who must comply: All internationally active banks. Systemically important
 financial institutions (G-SIBs) face additional surcharges.
 Penalties: Capital adequacy violations trigger regulatory intervention at
 increasing severity — restrictions on dividends, mandatory capital raising,
 management replacement, resolution.
 Why it matters: Basel's risk-weight calculation is rule-heavy and
 verification-friendly. The gate stack can encode credit risk weight mappings
 and produce auditable proof that capital calculations follow the correct
 methodology. First-mover advantage: Basel compliance is done via spreadsheets
 and specialized risk platforms. No platform uses formal verification for
 risk-weight mapping correctness. A $100K/yr Basel gate package for a G-SIB
 is a trivial expense relative to the capital requirement penalty of getting the
 mapping wrong.
 ** FATF (Financial Action Task Force) — AML/CFT Standards
 International standard-setter for anti-money laundering and counter-terrorism
 financing. 40 Recommendations covering: risk assessment, customer due diligence
 (CDD), beneficial ownership transparency, suspicious transaction reporting,
 targeted financial sanctions, proliferation financing. National implementation
 varies by jurisdiction.
 Who must comply: Financial institutions, DNFBPs (designated non-financial
 businesses and professions), virtual asset service providers (VASPs). In
 practice: every bank, money service business, crypto exchange, and high-value
 dealer globally.
 Penalties: National enforcement varies. Systemic failures lead to FATF grey-list
 (monitoring) or black-list (counter-measures). Grey-listing increases transaction
 costs — Iran and North Korea are black-listed.
 Why it matters: FATF's CDD requirements are the most widespread and
 rule-complex compliance obligation globally. The gate stack can encode
 tiered CDD rules, prove that every customer onboarding followed the correct
 verification path, and produce an auditable trail for every suspicion
 determination. First-mover advantage: AML compliance is a $50B+ market
 dominated by legacy vendors (LexisNexis, Thomson Reuters, FICO). None use
 formal verification. The gate stack's proof log is a "deterministic audit
 trail" that regulators would recognize as superior to the current paper-trail
 approach.
 ** OECD Privacy Guidelines and AI Principles
 OECD Privacy Guidelines (revised 2013): Eight principles — collection limitation,
 data quality, purpose specification, use limitation, security safeguards,
 openness, individual participation, accountability. Non-binding but foundational
 — the basis for GDPR, APPI, LGPD, and most other privacy laws.
 OECD AI Principles (adopted 2019, updated 2024): Five values-based principles
 — inclusive growth and well-being, human-centered values and fairness,
 transparency and explainability, robustness and safety, accountability.
 Non-binding but influential — the AI Act, Canada's AIDA, and Japan's AI
 guidelines all cite them.
 Why it matters: The OECD frameworks are indirect revenue drivers. Regulatory
 alignment with OECD principles is often a procurement requirement for
 international organizations and development finance institutions. First-mover
 advantage is about standard-setting: the gate package that maps to OECD
 principles first becomes the reference implementation.
 ** World Bank Environmental and Social Framework (ESF)
 The World Bank's framework for managing environmental and social risk in
 investment projects. Ten standards: ESS1 (assessment), ESS2 (labor), ESS3
 (resource efficiency), ESS4 (community health), ESS5 (land/resettlement),
 ESS6 (biodiversity), ESS7 (indigenous peoples), ESS8 (cultural heritage),
 ESS9 (financial intermediaries), ESS10 (stakeholder engagement).
 Who must comply: Borrowers and project implementers across World Bank-financed
 projects in 100+ countries. Also adopted by many multilateral development banks
 (MDBs) as their standard.
 Why it matters: ESF compliance is condition precedent to World Bank disbursement.
 Delays in compliance verification delay project funding. The gate stack's
 deterministic rule system can encode ESF standards as execution gates — "no
 disbursement unless ESS5 resettlement plan is verified complete." First-mover
 advantage: World Bank compliance is entirely document-based (reports, audits,
 site visits). A verified gate system is unprecedented.
 ** IFC Performance Standards (PS)
 International Finance Corporation's standards for environmental and social
 sustainability in private sector investment. Eight standards: PS1 (risk
 management), PS2 (labor), PS3 (resource efficiency), PS4 (community health),
 PS5 (land/resettlement), PS6 (biodiversity), PS7 (indigenous peoples), PS8
 (cultural heritage). Adopted by over 80 Equator Principles financial
 institutions (project finance lenders).
 Who must comply: IFC investees and clients; any project finance deal under
 the Equator Principles.
 Why it matters: The Equator Principles affect $100B+/yr in project finance.
 Compliance verification is done by external consultants. The gate stack can
 automate the evidence collection and provide verifiable proof that each PS
 requirement has been met before financial close. First-mover advantage: no
 vendor serves this market with automation — it is entirely consultant-delivered.
 ** IFRS (International Financial Reporting Standards)
 International accounting standards (IFRS Foundation, 166 jurisdictions). IFRS 17
 (insurance contracts, effective 2023) and IFRS 9 (financial instruments) are the
 most rule-complex — requiring actuarial models, expected credit loss calculations,
 and contract classification algorithms.
 Who must comply: Publicly listed companies in 166 jurisdictions including the
 EU, UK, Japan, Australia, Canada (2024), Brazil, India, South Korea, and most
 of Asia and Africa. The US (GAAP) is the major holdout.
 Why it matters: IFRS 17 and IFRS 9 are algorithmically complex rule sets.
 Getting an actuarial model or credit loss calculation wrong is a financial
 reporting error. The gate stack's ACL2 prover can verify that the calculation
 implementations match the standard's mathematical requirements. First-mover
 advantage: IFRS 17 was the largest accounting change in a decade. Implementation
 was a crisis for insurers. The next wave (IFRS 18, sustainability disclosures
 via ISSB) is coming. A verified IFRS gate package is a unique value proposition.
 ** UN/CEFACT (UN Centre for Trade Facilitation and Electronic Business)
 UN standards for electronic data interchange (EDI), trade facilitation, and
 cross-border data exchange. Key standards: UN/EDIFACT (trade data), Core
 Component Library (CCL), Multi-Modal Transport Reference Data Model. Basis
 for WTO Trade Facilitation Agreement compliance.
 Who must comply: Customs authorities, logistics providers, trade finance banks,
 exporters/importers in 170+ WTO member countries.
 Why it matters: Cross-border trade data exchange is rule-intensive (tariff
 classification, rules of origin, customs valuation, sanitary/phytosanitary
 requirements). The gate stack can encode trade compliance rules and prove that
 every cross-border data exchange satisfies the applicable regulation. First-mover
 advantage: trade compliance is a $15B market dominated by legacy SAP/Oracle
 modules and customs brokerages. None use verification.
 * First-Mover Window Analysis
 The first-mover window is the time in which a new compliance tool can establish
 dominance before incumbents respond or the market settles on a standard approach.
 | Window | Frameworks | Rationale |
 |--------|-----------|-----------|
 | **Critical (<12 months)** | EU AI Act (Aug 2026 effective), NIS2 (Oct 2025 deadline), DORA (Jan 2025 — already in effect) | Regulation is active or imminent. Buyers are desperate. No established vendor. |
 | **Wide (12-36 months)** | DPDP Act 2023 (rules drafting), India privacy; Privacy Act Review (Australia); Quebec Law 25; CRA phased enforcement | Regulation not yet fully enforced. Rules being written. Market forming. |
 | **Mature (commodity)** | GDPR (2018), SOX (2002), HIPAA (1996), GLBA (1999), Basel III (2010), FATF 40 Recs | Market has established vendors. First-mover advantage requires displacing incumbents via superior architecture. |
 | **Latent (undiscovered)** | OECD AI Principles, UN/CEFACT, World Bank ESF, IFC PS | Compliance exists but is document-based or consultant-delivered. No software market has formed. The first gate package creates the category. |
 * Expanded Revenue Table
 | Framework | Region | Gate price/yr | Addressable orgs | Revenue potential | First-mover window | Gate rule type |
 |-----------|--------|--------------|------------------|-------------------|---------------------|----------------|
 | HIPAA | US | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + access control |
 | SOC 2 | US/Global | $50K | 100K+ | $5B | Mature (incumbent disruption) | Access control + audit |
 | GDPR | EU | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + consent |
 | FedRAMP | US | $100K | 1K (providers) | $100M | Moderate (<300 authorized) | Continuous monitoring |
 | SOX | US | $50K | 10K | $500M | Mature (manual audit disruption) | Financial controls |
 | GLBA | US | $40K | 20K | $800M | Moderate | Financial privacy |
 | NY DFS 500 | US (NY) | $30K | 3K | $90M | Wide | Cybersecurity controls |
 | CCPA/CPRA | US (CA) | $40K | 50K+ | $2B | Moderate | Privacy opt-out flows |
 | NIS2 | EU | $50K | 160K | $8B | Critical (2025) | Cybersecurity + supply chain |
 | EU AI Act | EU | $75K | 100K+ | $7.5B | Critical (Aug 2026) | AI risk management |
 | DORA | EU | $50K | 22K+ | $1.1B | Critical (in effect) | ICT resilience |
 | eIDAS 2.0 | EU | $30K | 10K+ | $300M | Wide (wallet buildout) | Identity gates |
 | CRA | EU | $40K | 50K+ | $2B | Wide (phased 2025-2027) | Product security |
 | UK GDPR | UK | $40K | 100K+ | $4B | Mature (GDPR derivative) | Privacy |
 | APPI | Japan | $40K | 100K+ | $4B | Moderate | Cross-border privacy |
 | ISMAP | Japan | $75K | 500 (providers) | $37.5M | Wide (<100 registered) | Gov cloud assessment |
 | PIPA | South Korea | $35K | 50K+ | $1.75B | Wide (2024 amendments settling) | Privacy + consent |
 | Privacy Act | Australia | $35K | 50K+ | $1.75B | Wide (reforms legislating) | Privacy + AI transparency |
 | APRA CPS 234 | Australia | $40K | 500 | $20M | Moderate | Info security controls |
 | IRAP | Australia | $75K | 300 (providers) | $22.5M | Wide | Gov cloud assessment |
 | DPDP Act | India | $30K | 500K+ | $15B | Wide (rules drafting) | Privacy + consent |
 | LGPD | Brazil | $30K | 200K+ | $6B | Moderate | Privacy |
 | LFPDPPP | Mexico | $25K | 50K+ | $1.25B | Wide | Privacy |
 | ISO 27001 | Global | $40K | 60K+ | $2.4B | Mature (manual disruption) | ISMS controls |
 | ISO 27701 | Global | $35K | 1K+ | $35M | Wide (growing) | Privacy management |
 | Basel III | Global (banking) | $100K | 500 (G-SIBs) | $50M | Mature (incumbent disruption) | Capital adequacy |
 | FATF AML/CFT | Global | $50K | 50K+ | $2.5B | Mature (incumbent disruption) | CDD + screening |
 | IFRS 17 | Global (insurance) | $75K | 5K+ | $375M | Mature (actuarial verification) | Contract classification |
 | UN/CEFACT | Global (trade) | $30K | 50K+ | $1.5B | Latent (no market exists) | Cross-border data rules |
 | World Bank ESF | Global (dev finance) | $50K | 1K+ (projects) | $50M | Latent (no market exists) | ES compliance gates |
 | IFC PS | Global (project finance) | $50K | 500+ (deals) | $25M | Latent (no market exists) | ES compliance gates |
 A compute marketplace provider with authorization in 5+ frameworks (FedRAMP + 
 ISMAP + IRAP + SOC 2 + ISO 27001) becomes the default infrastructure provider
 for regulated cloud globally. The gate package portfolio alone — a mid-size
 enterprise running 10+ packages — generates $500K/yr+ in recurring revenue.
 At 10,000 such enterprises: $5B/yr. The first-mover advantage is not about any
 single framework — it is about being the first to offer a unified gate stack
 that maps to all of them.