hermes-brain/ideas/passepartout-economics/compliance-framework-reference.org
Hermes fce952e900 Expand compliance study to global master mapping: 30+ frameworks across OECD + international orgs
Major expansion of compliance-framework-reference.org from 4 frameworks (HIPAA,
SOC 2, GDPR, FedRAMP) to ~33 frameworks covering:

US: SOX, GLBA, NY DFS 500, CCPA/CPRA, Quebec Law 25
UK/EU: UK GDPR, NIS2, EU AI Act, DORA, eIDAS 2.0, CRA
Asia-Pacific: APPI (Japan), ISMAP (Japan), PIPA (South Korea),
  Privacy Act/Australia, APRA CPS 234, IRAP, DPDP Act (India)
Latin America: LGPD (Brazil), LFPDPPP (Mexico)
International: ISO 27001, ISO 27701, Basel III, FATF AML/CFT,
  IFRS 17, OECD Privacy/AI Principles, World Bank ESF, IFC PS,
  UN/CEFACT

Each entry: what it is, who must comply, penalties, first-mover
advantage analysis. Added First-Mover Window Analysis table
(Critical/Wide/Mature/Latent) and Expanded Revenue Table with
30+ rows mapping framework → price → addressable orgs → revenue
potential → window → gate rule type.
2026-05-23 06:02:39 +00:00


Compliance Framework Mapping — Global Regulated Industries

The verification monopoly and domain gate package revenue streams depend on selling into regulated industries. These industries buy compliance, not software. The first four frameworks below (HIPAA, SOC 2, GDPR, FedRAMP) are the most commonly referenced across the triad knowledge base; the sections that follow extend the mapping to the remaining US, UK/EU, Asia-Pacific, Latin American and international frameworks. Each entry defines the framework, the economic pressure it creates, and where it maps to the revenue model.

HIPAA (Health Insurance Portability and Accountability Act)

What it is

US federal law enacted 1996. Governs how protected health information (PHI) is stored, transmitted, and accessed. Two relevant rules:

  • Privacy Rule: controls use and disclosure of PHI. Patients have rights to access, amend, and request accounting of disclosures. Minimum necessary standard — only the minimum PHI needed for the task may be used.
  • Security Rule: administrative, physical, and technical safeguards for electronic PHI (ePHI). Requires access controls, audit controls, integrity controls, person/entity authentication, and transmission security.

Who must comply

Covered entities (health plans, healthcare clearinghouses, healthcare providers who transmit any ePHI) and business associates (any vendor handling PHI on behalf of a covered entity). Business Associate Agreements (BAAs) are mandatory.

Penalties

Tiered civil penalties, adjusted for inflation each year by HHS: statutory baseline of $100-$50,000 per violation, up to $1.5M per year per violation category (the current inflation-adjusted figures are higher). Criminal penalties for knowing misuse, up to 10 years imprisonment where PHI is obtained for commercial advantage or malicious harm. State AGs can also bring civil actions.

Why it matters for the triad

HIPAA is the largest single compliance market in US healthcare: every hospital, clinic, insurer, and health-tech vendor must comply. The HIPAA gate package ($50K/yr) encodes the Privacy Rule and Security Rule as ACL2-verifiable gate constraints. Every PHI access attempt passes through the gate stack, producing a machine-checkable audit trail that supplies the recording half of the Security Rule's audit-controls standard (45 CFR 164.312(b)); the covered entity still has to review that trail and retain the documentation for the six-year period the rule requires. No separate access-logging infrastructure is needed. Over a five-year deployment, the accumulated fact store and proof history create infrastructure lock-in: switching to a competitor means discarding all of it.

SOC 2 (System and Organization Controls 2)

What it is

An auditing standard developed by AICPA (American Institute of CPAs). Not a law. Certifies that a service organization's controls over security, availability, processing integrity, confidentiality, and privacy meet defined criteria.

Five Trust Service Criteria (TSC):

  • Security (mandatory): protection against unauthorized access (firewall, access control, intrusion detection)
  • Availability (optional): system available for operation and use as committed (uptime, redundancy, disaster recovery)
  • Processing Integrity (optional): system processing is complete, valid, accurate, timely, and authorized
  • Confidentiality (optional): information designated as confidential is protected as committed
  • Privacy (optional): personal information is collected, used, retained, disclosed, and disposed of in conformity with commitments

Two types:

  • Type I: controls are suitably designed at a specific point in time
  • Type II: controls operated effectively over a review period (typically 3-12 months)

Who must comply

Any SaaS or cloud service provider whose enterprise customers require audited vendors. Table stakes for B2B — most enterprise procurement contracts require SOC 2 Type II.

Penalties

No direct fines (not a law). SOC 2 produces an attestation report rather than a certificate, but losing a clean Type II report means losing enterprise customers. Misrepresenting the status or scope of a report to customers is fraud.

Why it matters for the triad

SOC 2 is the entry-level attestation for the compute marketplace. A provider needs a SOC 2 Type II report to sell compute to enterprises whose procurement policy requires audited vendors. The gate stack itself maps directly to the Security criterion's logical-access controls (CC6): the Passepartout instance's deterministic gate log serves as the evidence artifact for that part of the audit, so no separate SIEM is needed for access-control evidence. The other common criteria (change management, vendor management, HR onboarding and offboarding) still need their own evidence. This is the prerequisite to the larger verification monopoly play: once enterprises trust the audit trail, they buy domain-specific gate packages for the same infrastructure.

GDPR (General Data Protection Regulation)

What it is

EU regulation (applying from 25 May 2018) governing the processing of personal data of natural persons in the EU. Extraterritorial: it also applies to organizations established outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU (Article 3(2)).

Key requirements:

  • Lawful basis for processing (consent, contract, legal obligation, vital interests, public task, legitimate interests)
  • Data minimization — collect only what is necessary
  • Purpose limitation — do not reuse data for incompatible purposes
  • Storage limitation — delete when no longer needed
  • Right of access, rectification, erasure (right to be forgotten), data portability, restriction, objection
  • Data Protection Impact Assessment (DPIA) for high-risk processing
  • Breach notification to the supervisory authority within 72 hours of becoming aware of the breach
  • Data Protection Officer (DPO) appointment for certain controllers/processors
  • Data Processing Agreements (DPAs) between controllers and processors

Who must comply

Any organization that processes personal data of people in the EU (presence in the EU, not citizenship, is the trigger). Includes controllers (determine purposes and means) and processors (process on behalf of a controller). Non-EU organizations with EU data subjects are in scope.

Penalties

Two tiers: up to 20M EUR or 4% of annual global turnover, whichever is higher, for the upper tier; up to 10M EUR or 2% for the lower tier. Supervisory authorities in each member state enforce. Data subjects have a right to compensation for material or non-material damage (Article 82).

Why it matters for the triad

GDPR is the most extraterritorial and aggressively enforced privacy framework. The gate stack's principle of least privilege maps naturally to GDPR's data minimization requirement. Every data access is gated by a verified rule that states the purpose; the proof log is evidence that feeds a DPIA (Article 35), though it does not replace the risk assessment itself. For the compute marketplace: a provider processing proofs on EU users' gate data must maintain DPAs with all clients. Proof logs themselves may constitute personal data if they reference natural persons (names in access rules, etc.), creating a demand for privacy-preserving proof techniques. This is why the GDPR gate package includes data-processing agreement templates and purpose-boundary gate rules that are independently verified by the provider's evaluation harness.

FedRAMP (Federal Risk and Authorization Management Program)

What it is

US federal government's standardized approach to security assessment, authorization, and continuous monitoring for cloud services. Originally an OMB policy mandate, codified by the FedRAMP Authorization Act (December 2022): federal agencies must use FedRAMP-authorized services when available.

Three impact levels based on data sensitivity:

| Level    | Data type                                                              | Examples                                                            | Cost to achieve | Timeline     |
|----------|------------------------------------------------------------------------|---------------------------------------------------------------------|-----------------|--------------|
| Low      | Public or low-sensitivity                                              | Public websites, unclassified comms                                 | $500K-$1M       | 6-12 months  |
| Moderate | Controlled Unclassified Info (CUI)                                     | Tax records, health data, law enforcement                           | $1M-$3M         | 12-24 months |
| High     | Sensitive unclassified data where loss would be severe or catastrophic | Law enforcement, emergency services, financial systems, critical infra | $3M-$5M      | 18-36 months |

(Classified systems are outside FedRAMP's scope entirely; High is the ceiling for unclassified cloud.)

Two authorization paths:

  • JAB (Joint Authorization Board): provisional authorization by DHS, GSA, DOD. Hardest path, most reusable across agencies. OMB M-24-15 (July 2024) replaced the JAB with the FedRAMP Board; the program-level authorization remains the reusable path.
  • Agency: authorization by a single federal agency for its own use. Faster but less portable.

Requires continuous monitoring (monthly scans, annual assessments, POA&M for findings).

Who must comply

Any cloud service provider that sells to US federal agencies, whether IaaS, PaaS, or SaaS. The FedRAMP Marketplace lists authorized providers; agencies must use an authorized service where one exists.

Penalties

No direct fines. Non-authorized providers are simply ineligible for federal contracts. FedRAMP is a procurement gate, not a regulatory one.

Why it matters for the triad

FedRAMP is the highest bar and the most expensive authorization to obtain. Few cloud providers achieve it (only a few hundred authorized products as of 2025). But those that do capture the US government market with minimal competition. For the triad: a compute marketplace provider with FedRAMP Moderate or High authorization can sell to every federal agency. The gate stack's deterministic audit trail maps directly to FedRAMP's continuous monitoring requirement, producing verifiable evidence of control effectiveness on every access, not just during the annual assessment. This is what justifies the FedRAMP gate package at $100K/yr (the highest price): it is not a software package, it is the evidence pipeline for an authorization that costs $0.5M-$5M and 6-36 months to obtain independently. The verification monopoly argument applies hardest here: an agency that has relied on a FedRAMP-authorized compute provider for five years cannot switch without re-running the entire authorization process with a new provider.

US — Financial and Corporate Frameworks

SOX (Sarbanes-Oxley Act)

US federal law (2002). Mandates internal controls over financial reporting (ICFR) for publicly traded companies. Section 404 requires management to assess and auditors to attest to the effectiveness of internal controls.

Who must comply: All US public companies; foreign issuers trading on US exchanges. ~6,000 public companies + foreign filers.

Penalties: Up to $5M in fines and 20 years imprisonment for willfully certifying false financial statements (Section 906). CEO and CFO personally liable.

Why it matters: Every financial control is a gate rule — who can approve a journal entry, who can release a payment, who can modify a vendor record. The gate stack encodes these as ACL2-verified rules and produces the audit trail that the external auditor needs for Section 404 attestation. First-mover advantage: SOX is mature (24 years old) but the audit market is $4B+ and entirely manual — no competitor has automated the evidence pipeline.

GLBA (Gramm-Leach-Bliley Act)

US federal law (1999) governing financial institutions' handling of nonpublic personal information (NPI). Requires privacy notices, opt-out rights, and a Safeguards Rule requiring a written information security program.

Who must comply: Banks, credit unions, insurance companies, securities firms, financial advisers. ~20,000 institutions.

Penalties: Enforced by the FTC for non-bank financial institutions and by the federal banking regulators (OCC, Federal Reserve, FDIC, NCUA) for depository institutions. Civil penalties up to $100K per violation; officers and directors personally liable.

Why it matters: The Safeguards Rule maps directly to gate stack access controls. Every NPI access is gated; the proof log is the security program's evidence. First-mover advantage is narrow (GLBA is well-understood) but the market is large because every financial institution that falls outside HIPAA still faces GLBA.

NY DFS 500 (23 NYCRR 500)

New York State Department of Financial Services cybersecurity regulation for financial services (effective 2017, substantially amended November 2023). The most aggressive US state-level financial cybersecurity rule. Requires: risk assessment, penetration testing and vulnerability scanning, multi-factor authentication, incident response plan, 72-hour notification of cybersecurity incidents, and an annual certification of compliance signed by the highest-ranking executive and the CISO, with board oversight of the program.

Who must comply: Any entity regulated by NY DFS — banks, insurers, mortgage brokers, virtual currency companies operating in New York. ~3,000 institutions.

Penalties: $200K-$1M per violation; business license revocation possible.

Why it matters: The annual board certification requirement creates demand for verifiable evidence of control effectiveness — exactly what the gate stack produces. First-mover advantage is significant (few vendors target NY DFS 500 specifically) and the regulation is a template that other states are adopting.

US — State Privacy Frameworks

CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act)

California's comprehensive privacy law — the closest US analogue to GDPR. CPRA (effective 2023) amended and strengthened CCPA. Key rights: right to know, delete, opt out of sale/sharing, correct inaccurate data, limit use of sensitive PI. Private right of action for data breaches.

Who must comply: For-profit businesses doing business in California with >$25M annual revenue, or that buy, sell, or share the personal information of >100K consumers or households, or that derive >50% of revenue from selling or sharing PI. Applies regardless of where the business is located.

Penalties: $2,500 per violation (intentional: $7,500). Private right of action for breaches: $100-$750 per incident per consumer. CPRA created the California Privacy Protection Agency (CPPA) for enforcement.

Why it matters: The opt-out/sale/sharing requirements create complex data flow gate rules. The gate stack can encode "this data flow crosses a CCPA boundary" and automatically enforce the opt-out at every data access. First-mover advantage is moderate (many CCPA tools exist) but none provide a deterministic, verifiable audit trail — they are all document-based.

Canadian provincial privacy (Quebec Law 25, Ontario PHIPA)

Quebec Law 25 (2023-2024 phased) is Canada's most aggressive privacy regulation — closer to GDPR than PIPEDA. Requires: privacy officer appointment, privacy impact assessments, consent modernization, data portability, right to de-index, algorithm transparency (automated decision-making disclosures). Penalties up to $25M CAD or 4% of global revenue.

Why it matters: The algorithm transparency requirement is unique — organizations must disclose how automated decision systems work. The gate stack's ACL2 proof log is a natural algorithm transparency artifact. First-mover advantage: this is a new requirement with no established vendor tooling.

UK and EU — Additional Frameworks

UK GDPR / Data Protection Act 2018

Post-Brexit, the UK retained the GDPR in domestic law as the "UK GDPR", supplemented by the Data Protection Act 2018. Substantively identical to EU GDPR at the point of exit but diverging over time as the UK legislates separately (including reforms targeting AI and digital identity). The ICO (Information Commissioner's Office) enforces. Maximum fines: 17.5M GBP or 4% of global turnover, whichever is higher.

Why it matters: UK GDPR is EU GDPR's twin market — any gate package designed for EU GDPR ports directly with verified translation of terminology (supervisory authority → ICO, DPA → equivalent UK contract clauses). The gate stack's ACL2 prover can verify that the UK version's rules are consistent with the EU version (and alert when they diverge). This is a concrete ACL2 application.

NIS2 (Network and Information Security Directive)

EU Directive 2022/2555 (in force January 2023; member states had to transpose by 17 October 2024, and several did so late). Replaces NIS (2016). Expands scope from 7 sectors to 18: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space (Annex I, high criticality); postal and courier services, waste management, chemicals, food, manufacturing of critical products, digital providers, and research (Annex II).

Key requirements: risk management measures (supply chain security, incident handling, business continuity), incident notification (24-hour early warning, 72-hour incident notification, final report within one month), C-level accountability (management can be held personally liable for non-compliance), supply chain security for critical vendors.

Who must comply: ~160,000 entities across EU (up from ~30,000 under NIS). Two tiers: essential (strict) and important (moderate). Extraterritorial — any organization providing services to EU entities in covered sectors.

Penalties: Up to 10M EUR or 2% of global turnover (essential entities); up to 7M EUR or 1.4% (important entities). Personal liability for management.

Why it matters: NIS2 is the largest European cybersecurity mandate ever. Every requirement maps to a gate rule: supply chain access verification, incident notification triggers, business continuity approval chains. First-mover advantage is urgent: the October 2024 transposition deadline has passed and national supervision is ramping up, so organizations need gate packages now. No competitor has a declarative gate model that maps to NIS2 requirements. $50K/yr NIS2 gate package is a fast sell.

EU AI Act

First comprehensive AI regulation globally (Regulation (EU) 2024/1689, in force 1 August 2024; prohibitions apply from February 2025, GPAI obligations from August 2025, most high-risk obligations from 2 August 2026, with some product-embedded high-risk systems following in 2027). Risk-based tiers: unacceptable (banned), high-risk (conformity assessment), limited (transparency), minimal (code of conduct). High-risk systems require: risk management, data governance, technical documentation, transparency, human oversight, accuracy/robustness/cybersecurity. Third-party conformity assessment for some high-risk systems (notified bodies).

Who must comply: Providers and deployers of AI systems in the EU. Extraterritorial if the AI system output is used in the EU. Scope covers GPAI (general-purpose AI) with additional obligations for systemic-risk GPAI.

Penalties: Up to 35M EUR or 7% of global turnover (higher than GDPR).

Why it matters: The EU AI Act's conformity assessment requirement creates an instant certification market. Passepartout's gate stack can serve as the human oversight and accuracy/robustness infrastructure for any AI system deployed through it. The verification monopoly argument applies at maximum force: an ACL2-verified gate stack is the most defensible approach to AI Act compliance. First-mover advantage: most high-risk obligations apply from August 2026. No certification body or tool vendor has an ACL2-based compliance pipeline. First to market captures the standard-setting role.

DORA (Digital Operational Resilience Act)

EU regulation (applies from 17 January 2025) for the financial sector. Requires: ICT risk management, incident reporting, digital operational resilience testing, ICT third-party risk management (including contractual access and audit rights for critical ICT providers), information sharing, threat-led penetration testing (TLPT) for systemic institutions.

Who must comply: 22,000+ financial entities in the EU (banks, investment firms, payment processors, crypto-asset providers, insurance companies). Also ICT third-party providers deemed critical.

Penalties: DORA itself prescribes penalties only for critical ICT third-party providers: periodic penalty payments of up to 1% of average daily worldwide turnover, per day, for up to six months. Administrative penalties for financial entities are set by each member state. The management body is responsible for ICT risk and can be held personally accountable.

Why it matters: DORA's third-party risk management requirement is a natural gate stack use case — every ICT provider access must be gated, logged, and auditable. TLPT (threat-led penetration testing) maps to the evaluation harness. First-mover advantage is extremely time-sensitive: DORA is already in effect (January 2025). Financial institutions are scrambling for compliance tooling. A DORA gate package at $50K/yr with zero incremental cost per additional user is an immediate sale.

eIDAS 2.0 (Electronic Identification, Authentication and Trust Services)

EU regulation (Regulation (EU) 2024/1183, amending eIDAS, in force May 2024). Creates the EU Digital Identity Wallet: mandatory for member states to offer, optional for citizens. Requires: qualified electronic signatures/seals/timestamps, qualified trust service providers (QTSPs), and the EU Digital Identity Wallet for identity verification across borders.

Who must comply: Trust service providers, government digital identity systems, any organization accepting eIDAS-qualified identities. All 27 member states must provide wallets by late 2026.

Penalties: Member state enforcement; penalties vary but non-compliance blocks access to the EU digital identity market.

Why it matters: eIDAS 2.0 creates a verified digital identity layer across the EU. The gate stack can integrate with eIDAS wallets as the identity provider for gate rules — "only X, authenticated via eIDAS wallet, may approve this transaction." First-mover advantage: wallets are being built now; the provider that integrates with the wallet standard first locks in the identity gate integration.

CRA (Cyber Resilience Act)

EU regulation (Regulation (EU) 2024/2847, in force December 2024; reporting obligations apply from September 2026, the remaining obligations from December 2027). Mandates cybersecurity requirements for products with digital elements (hardware and software). Requires: secure by design, vulnerability handling, security updates for a support period of at least 5 years (or the expected product lifetime if shorter), SBOM (software bill of materials), CE marking for cybersecurity.

Who must comply: Manufacturers, importers, and distributors of connected products sold in the EU. Categories: default (self-assessment), important Class I (self-assessment if harmonised standards are fully applied, otherwise third-party assessment), important Class II (third-party assessment by a notified body), critical (European cybersecurity certificate).

Penalties: Up to 15M EUR or 2.5% of global turnover for breaching the essential cybersecurity requirements or vulnerability-handling obligations; up to 10M EUR or 2% for other obligations; up to 5M EUR or 1% for supplying incorrect information to authorities.

Why it matters: CRA's CE marking requirement creates a certification pipeline that the verification appliance can supply. If Passepartout's gate stack is itself CRA-compliant (verified by the evaluation harness), it becomes the compliance infrastructure for any product built on it. First-mover advantage: Class II products require notified body assessment — the bottleneck is notified body capacity. The gate stack's automated evidence pipeline bypasses the bottleneck.

Japan

APPI (Act on Protection of Personal Information)

Japan's comprehensive privacy law (major amendments enacted 2020 and 2021, in force April 2022 and April 2023). Applies to any business handling personal information of Japanese residents. Key requirements: consent, purpose specification, data retention limits, cross-border transfer restrictions (opt-in required), mandatory breach reporting, data subject access/deletion rights, pseudonymized/anonymized data provisions. Personal Information Protection Commission (PPC) enforces.

Penalties: Up to 100M JPY (~$700K) for violations; criminal penalties up to 1 year imprisonment. Orders to suspend data processing or delete data.

Who must comply: All businesses handling personal information of Japanese residents. Extraterritorial — applies to non-Japanese businesses targeting Japanese residents.

Why it matters: APPI's cross-border transfer restrictions require fine-grained control over which data leaves Japan. The gate stack can encode "this data has APPI cross-border consent flag = false → block egress." First-mover advantage is moderate — few non-Japanese vendors target APPI specifically, and the 2022 amendments added requirements that created compliance gaps.
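The purpose-boundary gates of the GDPR section, the EU-versus-UK rule consistency check of the UK GDPR section, and the APPI cross-border consent gate above all rest on the same mechanism: a deterministic rule evaluation whose every decision is logged and later re-verifiable. The block below is an added example and not the page's or Passepartout's own code (the gate stack states its rules in ACL2; this is a Python model of the behaviour the text describes). It evaluates a cross-border-consent rule and a purpose-limitation rule with default deny, appends each decision to a hash-chained log that an auditor can recompute, and runs an exhaustive differential check that lists every request on which two rule versions disagree. The roles, purposes, rule names, adequacy list and the EU/UK divergence are hypothetical, as are all the sample requests.

```python
# Added illustration, not Passepartout code: the page's gate stack states rules in ACL2;
# this Python model mirrors the behaviour described. Roles, purposes, rule names and
# the adequacy list are hypothetical.
import hashlib
import json
from dataclasses import asdict, dataclass
from itertools import product
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Request:
    role: str
    purpose: str
    data_class: str        # "personal" or "aggregate"
    dest_region: str       # region the data would flow to
    xborder_consent: bool  # data subject opted in to cross-border transfer

Rule = Tuple[str, Callable[[Request], Optional[bool]]]  # True allow, False deny, None no opinion

def egress_rule(adequate: FrozenSet[str]) -> Rule:
    # Cross-border control (the APPI-style "consent flag = false -> block egress"):
    # personal data leaves only to an adequate region or with explicit consent.
    def check(r: Request) -> Optional[bool]:
        if r.data_class == "personal" and r.dest_region not in adequate and not r.xborder_consent:
            return False
        return None
    return ("cross-border-consent", check)

def purpose_rule(allowed: Dict[str, FrozenSet[str]]) -> Rule:
    # Purpose limitation: a role may use personal data only for its listed purposes.
    def check(r: Request) -> Optional[bool]:
        if r.data_class != "personal":
            return None
        return r.purpose in allowed.get(r.role, frozenset())
    return ("purpose-limitation", check)

def evaluate(rules: List[Rule], r: Request) -> Tuple[bool, str]:
    # Deterministic: the first rule with an opinion decides; no opinion means deny.
    # Order matters: egress must precede purpose, or a valid purpose would allow
    # a transfer that missing consent should have blocked.
    for name, check in rules:
        verdict = check(r)
        if verdict is not None:
            return verdict, name
    return False, "default-deny"

ADEQUATE = frozenset({"EU", "UK", "JP"})  # hypothetical; identical in both rule sets
EU_RULES: List[Rule] = [egress_rule(ADEQUATE), purpose_rule(
    {"clinician": frozenset({"treatment"}), "analyst": frozenset({"statistics"})})]
# Hypothetical divergence: the UK port also lets analysts use personal data for research.
UK_RULES: List[Rule] = [egress_rule(ADEQUATE), purpose_rule(
    {"clinician": frozenset({"treatment"}), "analyst": frozenset({"statistics", "research"})})]

def _digest(entry: dict) -> str:
    # SHA-256 over canonical JSON of every field except the digest itself.
    body = {k: v for k, v in entry.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

class GateLog:
    # Append-only decision log: each entry commits to its predecessor's digest, so
    # altering, inserting or dropping a past decision breaks verification.
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def decide(self, rules: List[Rule], r: Request) -> bool:
        # Evaluate and append in one step: no decision reaches the caller unlogged.
        allowed, rule = evaluate(rules, r)
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "request": asdict(r),
                 "allowed": allowed, "rule": rule, "prev": prev}
        entry["digest"] = _digest(entry)
        self.entries.append(entry)
        return allowed

def verify_log(entries: List[dict]) -> bool:
    # Recompute the whole chain from genesis; any edit anywhere returns False.
    prev = GateLog.GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev or _digest(e) != e["digest"]:
            return False
        prev = e["digest"]
    return True

def divergences(a: List[Rule], b: List[Rule], domain: Dict[str, list]) -> List[Request]:
    # Exhaustive differential check of two rule sets over a finite request domain
    # (the EU-vs-UK consistency check, by enumeration rather than a prover).
    keys = ["role", "purpose", "data_class", "dest_region", "xborder_consent"]
    out = []
    for combo in product(*(domain[k] for k in keys)):
        r = Request(**dict(zip(keys, combo)))
        if evaluate(a, r)[0] != evaluate(b, r)[0]:
            out.append(r)
    return out

DOMAIN = {"role": ["clinician", "analyst"], "purpose": ["treatment", "statistics", "research"],
          "data_class": ["personal", "aggregate"], "dest_region": ["EU", "US"],
          "xborder_consent": [True, False]}
```

Two caveats the model makes visible. The chained log proves only that the recorded decisions have not been altered since they were made; whether the decisions were right is the job of rule verification, which is why the page pairs the log with a prover. And the differential check works here only because the request domain is finite and small (48 requests); for unbounded domains (free-text purposes, arbitrary principals) enumeration does not terminate, and an equivalence theorem in ACL2 is the tool that scales.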

ISMAP (Government Information System Security Management and Assessment Program)

Japan's government cloud security program — analogous to FedRAMP. Cloud services used by Japanese government agencies must be ISMAP-authorized. Managed by the Digital Agency and the Information-technology Promotion Agency (IPA).

Who must comply: Cloud service providers selling to Japanese national and local government agencies.

Why it matters: Like FedRAMP, ISMAP is a procurement gate. Authorization is time-consuming and expensive. A compute marketplace provider with ISMAP authorization has exclusive access to the Japanese government market. First-mover advantage is significant — as of 2025, fewer than 100 services are ISMAP-registered.

South Korea

PIPA (Personal Information Protection Act)

South Korea's comprehensive privacy law (enacted 2011, major amendments in force 2020 and September 2023). One of the strictest privacy regimes globally. Key requirements: consent, data minimization, purpose limitation, mandatory privacy impact assessment, data protection officer, breach notification within 72 hours, cross-border transfer restrictions, right to request data transmission (portability). The Personal Information Protection Commission (PIPC) enforces aggressively.

Penalties: Up to 3% of total revenue (the 2023 amendments broadened the base from violation-related revenue to total revenue, less revenue unrelated to the violation). Criminal penalties up to 5 years imprisonment. PIPC has levied fines of 100B+ KRW (~$75M) against major tech companies. Class action lawsuits permitted.

Who must comply: Any organization handling personal information of South Korean residents. Extraterritorial scope is broad and actively enforced.

Why it matters: PIPA is structurally similar to GDPR but with stricter enforcement and higher penalties relative to market size. The gate stack's purpose-boundary gates map directly to PIPA's purpose limitation requirement. First-mover advantage is large: PIPA has fewer compliance automation vendors than GDPR, and the 2023 amendments (stricter consent, broader fine base) are still settling.

Australia

Privacy Act 1988 / Notifiable Data Breaches (NDB) scheme

Australia's federal privacy law, amended in December 2022 (penalty increase) and December 2024 (Privacy and Other Legislation Amendment Act, the first tranche of the Privacy Act Review reforms). The 2024 Act delivered tiered civil penalties, a statutory tort of serious invasion of privacy, a children's online privacy code, and automated decision-making transparency (commencing December 2026). Further Review proposals, including a direct right of action for individuals and a tightened fair-and-reasonable test, remain to be legislated.

Who must comply: Most Australian businesses with >$3M AUD turnover; all health service providers; all businesses handling tax file numbers. Extraterritorial — applies to any organization with an Australian link.

Penalties: Current maximum for serious or repeated interferences is the greater of $50M AUD, three times the benefit obtained, or 30% of adjusted turnover (amendments effective December 2022); the 2024 Act added lower tiers for lesser breaches. OAIC (Office of the Australian Information Commissioner) enforces. A direct right of action, if legislated, will increase private litigation.

Why it matters: The automated decision-making transparency requirement is unique in the region: organizations must disclose in their privacy policy the kinds of decisions made with personal information by automated systems. The gate stack's ACL2 proof log is the most defensible transparency artifact available. First-mover advantage: the obligation is legislated and commences December 2026; early adoption positions the gate stack as the reference implementation.

APRA CPS 234 (Prudential Standard — Information Security)

Australian Prudential Regulation Authority standard for regulated financial institutions. Requires: clearly defined information security roles and responsibilities, periodic cybersecurity capability assessments, robust control testing, timely remediation of control weaknesses, mandatory notification of material incidents to APRA within 72 hours.

Who must comply: Banks, insurers, superannuation funds regulated by APRA. ~500 entities.

Penalties: APRA can impose capital requirements, license conditions, or license cancellation for non-compliance. Personal liability for board and senior management.

Why it matters: CPS 234's control testing requirement creates demand for continuous verification — exactly what the gate stack and evaluation harness provide. First-mover advantage: CPS 234 is mature (2019) but enforcement is escalating. No vendor provides a deterministic control-testing pipeline.

IRAP (Infosec Registered Assessors Program)

Australian government's cloud security assessment program, analogous to FedRAMP. Cloud services used by Australian government agencies must have an IRAP assessment against the ASD Information Security Manual (ISM). Managed by the Australian Signals Directorate's Australian Cyber Security Centre (ACSC). Assessments are made at a classification level: OFFICIAL: Sensitive, PROTECTED, SECRET, or TOP SECRET.

Who must comply: Cloud providers selling to Australian federal, state, and local government agencies. Also critical infrastructure providers.

Why it matters: Like FedRAMP and ISMAP, IRAP is a procurement gate. An IRAP Protected-level assessment is expensive and takes 6-12 months. First-mover advantage: the gate stack's deterministic audit trail can be the primary evidence artifact, reducing assessment scope/cost.

India

DPDP Act 2023 (Digital Personal Data Protection Act)

India's first comprehensive federal privacy law (enacted August 2023; draft rules published January 2025; phased enforcement expected 2026-2027). Key features: consent for personal data processing, data processor obligations, data principal rights (right to access, correction, erasure, grievance redressal), Data Protection Board of India (DPBI) enforcement, significant penalties, exempted government processing for sovereignty/national security.

Penalties: Up to 250 Cr INR (~$30M) per breach. Data fiduciary bears primary responsibility regardless of processor fault.

Who must comply: Any organization processing personal data of Indian residents, where the data is collected in India or used to profile Indian residents. Offshore data processors are in scope.

Why it matters: DPDP is a greenfield privacy regime — India had no comprehensive privacy law before 2023. The rules (implementation details) are being drafted now. This is the widest first-mover window in the global privacy landscape: organizations need compliance tooling that doesn't exist yet. The gate stack's consent-managed data access model maps directly to DPDP's consent framework. A DPDP gate package at $30K/yr (discounted for India market) captures a market of hundreds of thousands of businesses with no incumbent vendor.

Brazil

LGPD (Lei Geral de Proteção de Dados — Law 13,709/2018)

Brazil's comprehensive privacy law (effective September 2020; administrative sanctions enforceable since August 2021, with the first ANPD fine in 2023). Modeled on GDPR but with differences: LGPD defines "data processing agents" (controller and operator), requires appointment of a DPO (encarregado), and mandates breach notification to ANPD (National Data Protection Authority) and affected data subjects. 10 legal bases for processing (vs 6 in GDPR).

Penalties: Up to 2% of revenue in Brazil per violation, capped at 50M BRL (~$10M) per violation. ANPD can also order suspension of processing, partial or total prohibition of database operation.

Who must comply: Any organization (public or private) processing personal data of Brazilian residents, regardless of where the organization is based. No revenue threshold.

Why it matters: LGPD affects every business operating in Latin America's largest economy. The 2% revenue penalty structure creates strong economic incentive. First-mover advantage: fewer compliance automation vendors in the Portuguese market. A Portuguese-language gate package with LGPD-specific consent and data subject rights gates captures a market of 210M people.

Mexico

LFPDPPP (Federal Law on Protection of Personal Data Held by Private Parties)

Mexico's federal privacy law (original law effective 2010; replaced by a new LFPDPPP in March 2025 following the December 2024 constitutional reform). Key requirements: consent, notice (privacy notice must specify the "responsible party"), purpose limitation, data subject rights (ARCO: access, rectification, cancellation, opposition, plus portability), cross-border data transfer limitations, security breach notification. The 2024-2025 reform dissolved INAI (National Institute for Transparency, Access to Information and Personal Data Protection) and moved enforcement to the federal executive's Secretaría Anticorrupción y Buen Gobierno.

Penalties: Fines are set in multiples of the daily UMA, up to 320,000 UMA for the most serious infractions and doubled where sensitive data is involved (several million USD); the regulator can also suspend data processing.

Why it matters: USMCA (US-Mexico-Canada Agreement) trade obligations are pushing toward privacy regime interoperability. A bilingual (Spanish/English) gate package covering both LFPDPPP and US frameworks serves the massive US-Mexico cross-border commerce market. First-mover advantage: LFPDPPP is less automated than GDPR; the market has fewer vendors and lower expectations.

International Frameworks

ISO 27001 (Information Security Management)

International standard for information security management systems (ISMS). The most widely adopted security certification globally — ~60,000 certified organizations. Requires: risk assessment, security controls (Annex A, 93 controls across 4 domains), continuous improvement (Plan-Do-Check-Act), management review, internal audit.

Who must comply: Self-selected — enterprises pursue ISO 27001 certification because supply chain partners and regulators require it. Increasingly mandatory for: cloud providers, government contractors, critical infrastructure, and regulated financial institutions in multiple jurisdictions.

Penalties: No direct fines. Losing certification means losing business.

Why it matters: ISO 27001 is the universal baseline, the entry-level certification that opens every other regulated market. The gate stack maps directly to Annex A (2022 numbering): A.5.15 access control and A.8.3 information access restriction, A.8.15 logging and A.8.16 monitoring, A.5.24-A.5.28 incident management and evidence collection, A.5.31 legal, statutory, regulatory and contractual requirements. First-mover advantage: the ISO 27001 audit market is mature and almost entirely manual (auditors flip through binders). A gate stack that produces audit evidence automatically is not competing with other software; it is competing with binders.

ISO 27701 (Privacy Information Management — PIMS extension to ISO 27001)

International standard extending ISO 27001 with privacy information management requirements. It cannot be certified on its own: a PIMS certification sits on top of an existing or concurrent ISO 27001 ISMS. Provides privacy-specific controls for PII (personally identifiable information) controllers and processors and maps to GDPR obligations.

Why it matters: ISO 27701 bridges information security and privacy compliance. An organization with ISO 27001 + ISO 27701 certification has a unified audit framework. The gate stack's access control gates + privacy gates satisfy both standards from the same infrastructure. First-mover advantage: adoption is growing but still low (~1,000 certifications). Early gate package captures the growth market.

Basel III (Bank for International Settlements — Basel Committee)

International banking regulatory framework (BIS Basel Committee). Sets minimum capital requirements, liquidity coverage ratio (LCR), net stable funding ratio (NSFR), leverage ratio, and counterparty credit risk requirements. National implementation via local regulators (Federal Reserve, ECB, PRA, BOJ, etc.).

Who must comply: all internationally active banks, via national implementation. Global systemically important banks (G-SIBs, about 30 institutions designated annually by the Financial Stability Board) face additional capital surcharges.

Penalties: Capital adequacy violations trigger regulatory intervention at increasing severity — restrictions on dividends, mandatory capital raising, management replacement, resolution.

Why it matters: Basel's risk-weight calculation is rule-heavy and verification-friendly. The gate stack can encode credit risk-weight mappings and produce auditable proof that capital calculations follow the prescribed methodology. First-mover advantage: Basel compliance is done via spreadsheets and specialized risk platforms, and no platform uses formal verification for risk-weight mapping correctness. A $100K/yr Basel gate package is a trivial expense for a G-SIB relative to the cost of a misstated capital ratio.

FATF (Financial Action Task Force) — AML/CFT Standards

International standard-setter for anti-money laundering and counter-terrorism financing. 40 Recommendations covering: risk assessment, customer due diligence (CDD), beneficial ownership transparency, suspicious transaction reporting, targeted financial sanctions, proliferation financing. National implementation varies by jurisdiction.

Who must comply: Financial institutions, DNFBPs (designated non-financial businesses and professions), virtual asset service providers (VASPs). In practice: every bank, money service business, crypto exchange, and high-value dealer globally.

Penalties: national enforcement varies. Systemic national failures lead to FATF grey-listing (jurisdictions under increased monitoring) or black-listing (high-risk jurisdictions subject to a call for action, which triggers counter-measures). Grey-listing raises transaction and correspondent-banking costs for every institution in the jurisdiction; Iran, North Korea and Myanmar are currently black-listed.

Why it matters: FATF's CDD requirements are the most widespread and rule-complex compliance obligation globally. The gate stack can encode tiered CDD rules, prove that every customer onboarding followed the correct verification path, and produce an auditable trail for every suspicion determination. First-mover advantage: AML compliance is a $50B+ market dominated by legacy vendors (LexisNexis, Thomson Reuters, FICO). None use formal verification. The gate stack's proof log is a "deterministic audit trail" that regulators would recognize as superior to the current paper-trail approach.

OECD Privacy Guidelines and AI Principles

OECD Privacy Guidelines (revised 2013): Eight principles — collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, accountability. Non-binding but foundational — the basis for GDPR, APPI, LGPD, and most other privacy laws.

OECD AI Principles (adopted 2019, updated 2024): Five values-based principles: inclusive growth and well-being, human-centered values and fairness, transparency and explainability, robustness and safety, accountability. Non-binding but influential: the EU AI Act, Canada's proposed AIDA (never enacted; Bill C-27 died on the order paper in January 2025) and Japan's AI guidelines all cite them.

Why it matters: The OECD frameworks are indirect revenue drivers. Regulatory alignment with OECD principles is often a procurement requirement for international organizations and development finance institutions. First-mover advantage is about standard-setting: the gate package that maps to OECD principles first becomes the reference implementation.

World Bank Environmental and Social Framework (ESF)

The World Bank's framework for managing environmental and social risk in investment projects. Ten standards: ESS1 (assessment), ESS2 (labor), ESS3 (resource efficiency), ESS4 (community health), ESS5 (land/resettlement), ESS6 (biodiversity), ESS7 (indigenous peoples), ESS8 (cultural heritage), ESS9 (financial intermediaries), ESS10 (stakeholder engagement).

Who must comply: borrowers and project implementers across World Bank-financed projects in 100+ countries. Other multilateral development banks (MDBs) apply closely aligned safeguard frameworks, so ESF-shaped evidence transfers to them.

Why it matters: ESF compliance is condition precedent to World Bank disbursement. Delays in compliance verification delay project funding. The gate stack's deterministic rule system can encode ESF standards as execution gates — "no disbursement unless ESS5 resettlement plan is verified complete." First-mover advantage: World Bank compliance is entirely document-based (reports, audits, site visits). A verified gate system is unprecedented.

IFC Performance Standards (PS)

International Finance Corporation's standards for environmental and social sustainability in private sector investment. Eight standards: PS1 (risk management), PS2 (labor), PS3 (resource efficiency), PS4 (community health), PS5 (land/resettlement), PS6 (biodiversity), PS7 (indigenous peoples), PS8 (cultural heritage). Adopted as the benchmark by the Equator Principles financial institutions (well over 100 project finance lenders).

Who must comply: IFC investees and clients; any project finance deal under the Equator Principles.

Why it matters: The Equator Principles affect $100B+/yr in project finance. Compliance verification is done by external consultants. The gate stack can automate the evidence collection and provide verifiable proof that each PS requirement has been met before financial close. First-mover advantage: no vendor serves this market with automation — it is entirely consultant-delivered.

IFRS (International Financial Reporting Standards)

International accounting standards issued by the IFRS Foundation's IASB and required for most or all domestic listed companies in roughly 145 of the 168 jurisdictions the Foundation profiles. IFRS 17 (insurance contracts, effective 2023) and IFRS 9 (financial instruments) are the most rule-complex, requiring actuarial models, expected credit loss calculations and contract classification algorithms.

Who must comply: publicly listed companies wherever IFRS is required, including the EU, UK, Australia, Canada (since 2011), Brazil, South Korea and most of Asia and Africa. Japan permits voluntary adoption; India and China use converged national standards (Ind AS, CAS); the US remains on GAAP and is the major holdout.

Why it matters: IFRS 17 and IFRS 9 are algorithmically complex rule sets. Getting an actuarial model or credit loss calculation wrong is a financial reporting error. The gate stack's ACL2 prover can verify that the calculation implementations match the standard's mathematical requirements. First-mover advantage: IFRS 17 was the largest accounting change in a decade and its implementation was a crisis for insurers. The next wave is already scheduled: IFRS 18 (presentation and disclosure, effective 2027) and ISSB sustainability disclosures (IFRS S1/S2). A verified IFRS gate package is a unique value proposition.

UN/CEFACT (UN Centre for Trade Facilitation and Electronic Business)

UN standards for electronic data interchange (EDI), trade facilitation and cross-border data exchange. Key standards: UN/EDIFACT (trade data syntax), the Core Component Library (CCL), the Multi-Modal Transport Reference Data Model, and Recommendation 33 (Single Window). Widely used to implement WTO Trade Facilitation Agreement commitments such as national single windows.

Who must comply: customs authorities, logistics providers, trade finance banks and exporters/importers across the WTO's 166 members. UN/CEFACT standards are voluntary, but customs systems built on them make them de facto mandatory for trading partners.

Why it matters: Cross-border trade data exchange is rule-intensive (tariff classification, rules of origin, customs valuation, sanitary/phytosanitary requirements). The gate stack can encode trade compliance rules and prove that every cross-border data exchange satisfies the applicable regulation. First-mover advantage: trade compliance is a $15B market dominated by legacy SAP/Oracle modules and customs brokerages. None use verification.

First-Mover Window Analysis

The first-mover window is the time in which a new compliance tool can establish dominance before incumbents respond or the market settles on a standard approach.

| Window | Frameworks | Rationale |
|---|---|---|
| Critical (<12 months) | EU AI Act (most high-risk obligations apply Aug 2026), NIS2 (transposition deadline Oct 2024, national enforcement ramping), DORA (applies since Jan 2025) | Regulation is active or imminent. Buyers are desperate. No established vendor. |
| Wide (12-36 months) | DPDP Act 2023 (India; rules notified Nov 2025, phased implementation), Privacy Act reforms (Australia), Quebec Law 25, CRA (reporting obligations Sept 2026, full application Dec 2027) | Regulation not yet fully enforced. Rules being written. Market forming. |
| Mature (commodity) | GDPR (2018), SOX (2002), HIPAA (1996), GLBA (1999), Basel III (2010), FATF 40 Recommendations | Market has established vendors. First-mover advantage requires displacing incumbents via superior architecture. |
| Latent (undiscovered) | OECD AI Principles, UN/CEFACT, World Bank ESF, IFC PS | Compliance exists but is document-based or consultant-delivered. No software market has formed. The first gate package creates the category. |

Expanded Revenue Table

Revenue potential is gate price multiplied by addressable organizations: a ceiling, not a forecast.

| Framework | Region | Gate price/yr | Addressable orgs | Revenue potential | First-mover window | Gate rule type |
|---|---|---|---|---|---|---|
| HIPAA | US | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + access control |
| SOC 2 | US/Global | $50K | 100K+ | $5B | Mature (incumbent disruption) | Access control + audit |
| GDPR | EU | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + consent |
| FedRAMP | US | $100K | 1K (providers) | $100M | Moderate (<300 authorized) | Continuous monitoring |
| SOX | US | $50K | 10K | $500M | Mature (manual audit disruption) | Financial controls |
| GLBA | US | $40K | 20K | $800M | Moderate | Financial privacy |
| NY DFS 500 | US (NY) | $30K | 3K | $90M | Wide | Cybersecurity controls |
| CCPA/CPRA | US (CA) | $40K | 50K+ | $2B | Moderate | Privacy opt-out flows |
| NIS2 | EU | $50K | 160K | $8B | Critical (in effect) | Cybersecurity + supply chain |
| EU AI Act | EU | $75K | 100K+ | $7.5B | Critical (Aug 2026) | AI risk management |
| DORA | EU | $50K | 22K+ | $1.1B | Critical (in effect) | ICT resilience |
| eIDAS 2.0 | EU | $30K | 10K+ | $300M | Wide (wallet buildout) | Identity gates |
| CRA | EU | $40K | 50K+ | $2B | Wide (phased 2026-2027) | Product security |
| UK GDPR | UK | $40K | 100K+ | $4B | Mature (GDPR derivative) | Privacy |
| APPI | Japan | $40K | 100K+ | $4B | Moderate | Cross-border privacy |
| ISMAP | Japan | $75K | 500 (providers) | $37.5M | Wide (<100 registered) | Gov cloud assessment |
| PIPA | South Korea | $35K | 50K+ | $1.75B | Wide (2024 amendments settling) | Privacy + consent |
| Privacy Act | Australia | $35K | 50K+ | $1.75B | Wide (reforms legislating) | Privacy + AI transparency |
| APRA CPS 234 | Australia | $40K | 500 | $20M | Moderate | Info security controls |
| IRAP | Australia | $75K | 300 (providers) | $22.5M | Wide | Gov cloud assessment |
| DPDP Act | India | $30K | 500K+ | $15B | Wide (rules phasing in) | Privacy + consent |
| LGPD | Brazil | $30K | 200K+ | $6B | Moderate | Privacy |
| LFPDPPP | Mexico | $25K | 50K+ | $1.25B | Wide | Privacy |
| ISO 27001 | Global | $40K | 60K+ | $2.4B | Mature (manual disruption) | ISMS controls |
| ISO 27701 | Global | $35K | 1K+ | $35M | Wide (growing) | Privacy management |
| Basel III | Global (banking) | $100K | 500 (internationally active banks) | $50M | Mature (incumbent disruption) | Capital adequacy |
| FATF AML/CFT | Global | $50K | 50K+ | $2.5B | Mature (incumbent disruption) | CDD + screening |
| IFRS 17 | Global (insurance) | $75K | 5K+ | $375M | Mature (actuarial verification) | Contract classification |
| UN/CEFACT | Global (trade) | $30K | 50K+ | $1.5B | Latent (no market exists) | Cross-border data rules |
| World Bank ESF | Global (dev finance) | $50K | 1K+ (projects) | $50M | Latent (no market exists) | ES compliance gates |
| IFC PS | Global (project finance) | $50K | 500+ (deals) | $25M | Latent (no market exists) | ES compliance gates |

A compute marketplace provider holding authorizations and certifications across 5+ frameworks (FedRAMP, ISMAP and IRAP authorizations plus a SOC 2 attestation and ISO 27001 certification) becomes the default infrastructure provider for regulated cloud globally. The gate package portfolio alone, for a mid-size enterprise running 10+ packages at roughly $50K each, generates $500K/yr+ in recurring revenue; at 10,000 such enterprises that is $5B/yr. The first-mover advantage is not about any single framework; it is about being the first to offer a unified gate stack that maps to all of them.