
The Compliance Burden Is Compounding Faster Than Teams Can Absorb

GDPR, HIPAA, SOC2, EU AI Act: the compliance burden is compounding. Legacy systems face 4.7x higher compliance overhead than modern alternatives.

Dennis Vorobyov
Founder & CEO
January 19, 2025 · 7 min read

In 2018, GDPR took effect. In 2020, CCPA went live. In 2023, the SEC adopted cybersecurity disclosure rules. In 2024, the EU AI Act was signed. In 2025, HIPAA's mandatory security rule updates arrived. In 2026, the EU AI Act's high-risk system provisions become enforceable.

Each regulation adds requirements: data mapping, consent management, audit trails, access controls, incident response plans, risk assessments, impact analyses, documentation, and reporting. Each one assumes the others exist. None of them reduces the burden of the others.

McKinsey found that organizations with legacy systems face 4.7x higher compliance overhead than those with modern architectures. PwC's Global Risk Survey found that 67% of organizations say regulatory compliance costs have increased "significantly" over the past 3 years. Thomson Reuters estimates that global regulatory spending across all industries exceeds $270 billion annually.

We build software for FinTech, healthcare, and legal tech clients. Compliance is not a feature we add at the end. It is the architecture we start with.

The Regulatory Stack

GDPR (EU, 2018)

Applies to any company that processes data of EU residents. Requirements: lawful basis for processing, data subject rights (access, erasure, portability), Data Protection Officer appointment, breach notification within 72 hours, data processing agreements with vendors, privacy impact assessments.

We build with GDPR from our Lisbon headquarters. Our privacy policy and cookie policy are GDPR-native. Every application we build for EU clients includes: consent management, data subject access request handling, encryption at rest and in transit, audit logging, and data retention policies.

HIPAA (US Healthcare, updated 2025)

Applies to covered entities and their business associates handling protected health information (PHI). The 2025 mandatory Security Rule updates add: encryption requirements (previously "addressable," now mandatory), MFA for ePHI access, network segmentation, and 72-hour security incident notification.

We build healthcare applications for RiseMD and WinitClinic on HIPAA-eligible infrastructure. BAA chain maintained from cloud to application. PHI encrypted at rest and in transit. Audit logging for every data access.

PCI DSS (Payments, v4.0)

Applies to anyone processing, storing, or transmitting cardholder data. Version 4.0 (effective 2025) adds: targeted risk analysis for security controls, enhanced authentication requirements, and more granular access controls.

Float Financial operates PCI-certified payment card programs. Nautical Commerce processes 200K+ monthly transactions through Stripe. Our approach: delegate PCI scope to certified processors (Stripe, Adyen) wherever possible, minimize cardholder data in our systems, and implement PCI requirements for any data we must handle.

EU AI Act (2024, phased enforcement through 2026)

The world's first comprehensive AI regulation. High-risk AI systems (healthcare, employment, credit scoring) face requirements: risk management systems, data governance, technical documentation, transparency obligations, human oversight, and conformity assessment.

This directly affects our AI development work. AI features in healthcare applications, recruitment tools, and financial products will require documented risk assessments, bias testing, and ongoing monitoring. We are building these practices into our AI engineering workflow now, before enforcement begins.

SOC2 (Service Organization Controls)

Not a regulation but a trust framework that clients increasingly require. SOC2 Type II attestation requires demonstrating operational security controls over a 6-12 month audit period. Controls cover: security, availability, processing integrity, confidentiality, and privacy.

For clients pursuing SOC2, we build with SOC2-aligned practices: access management, change management, incident response, monitoring, and vendor management. The architecture supports the attestation before the auditor arrives.

Why Compliance Compounds

Each regulation was designed independently. GDPR does not reduce HIPAA requirements. PCI DSS does not satisfy SOC2 controls. The EU AI Act adds requirements on top of GDPR, not instead of it.

For a company building a healthcare AI product that processes EU patient data and accepts payments, the compliance stack is: GDPR + HIPAA + PCI DSS + EU AI Act. Each regulation requires: its own risk assessment, its own documentation, its own audit trail, its own incident response procedure.

The controls overlap significantly. Encryption satisfies GDPR, HIPAA, PCI DSS, and SOC2 simultaneously. Access controls are required by all of them. Audit logging is universal. But the documentation, assessment, and reporting requirements are separate. You cannot submit one impact assessment to four regulators.

The Architecture Advantage

McKinsey's 4.7x overhead for legacy systems exists because legacy systems were built before these regulations existed. Adding GDPR consent management to a system designed in 2008 requires retrofitting the data model, the UI, the API, and the storage layer. Adding the same to a system designed in 2025 requires configuring what was already built in.

Modern architectures reduce compliance cost through:

Role-based access control (RBAC) from day one. When access controls are built into the first sprint, adding a new regulation's access requirements is a configuration change, not an architecture change.

Encryption at rest and in transit by default. TLS for all connections. Field-level encryption for sensitive data. Key management through cloud provider services (AWS KMS, GCP KMS). This satisfies GDPR, HIPAA, PCI, and SOC2 encryption requirements simultaneously.

Audit logging as infrastructure. Every data access, every authentication event, every permission change is logged. The logs support compliance reporting for any regulation. Without audit logging, generating compliance evidence for a single regulation requires manual reconstruction. With it, the evidence is automatic.

Automated compliance testing in CI/CD. Security scans, dependency checks, and configuration validation run on every build. Compliance drift is caught in the pipeline, not in the annual audit.
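One way to make "caught in the pipeline" concrete, as an added example that is not the page's or the firm's own code: a small Python gate that checks a constructed deployment config against the shared controls named above (TLS, encryption at rest, MFA, audit logging, an incident contact) and reports which frameworks each drift affects. The control list, thresholds and config schema are assumptions.

```python
# Added example (not the page's code): CI compliance gate; thresholds are assumed.
from typing import Any, Callable, Dict, List, Tuple

def _tls_ok(version: str, minimum: str = "1.2") -> bool:
    """Compare dotted TLS versions numerically ("1.10" must beat "1.2")."""
    parse = lambda v: tuple(int(p) for p in v.split("."))
    return parse(version) >= parse(minimum)

# One control, one check, and every framework it satisfies at once.
CONTROLS: List[Tuple[str, Callable[[Dict[str, Any]], bool], List[str]]] = [
    ("TLS 1.2+ on every listener",
     lambda c: all(_tls_ok(ln.get("tls_min_version", "1.0")) for ln in c["listeners"]),
     ["GDPR", "HIPAA", "PCI DSS", "SOC2"]),
    ("Every datastore encrypted at rest with a KMS-managed key",
     lambda c: all(s.get("encrypted") and s.get("kms_key") for s in c["storage"]),
     ["GDPR", "HIPAA", "PCI DSS", "SOC2"]),
    ("MFA on every role that can read PHI or cardholder data",
     lambda c: all(r.get("mfa") for r in c["roles"] if r.get("reads_sensitive")),
     ["HIPAA", "PCI DSS", "SOC2"]),
    ("Audit log enabled and retained at least 365 days (assumed threshold)",
     lambda c: c["audit_log"]["enabled"] and c["audit_log"]["retention_days"] >= 365,
     ["GDPR", "HIPAA", "PCI DSS", "SOC2"]),
    ("Incident contact set, so the 72-hour notification clock has an owner",
     lambda c: bool(c.get("incident_contact")),
     ["GDPR", "HIPAA"]),
]

def evaluate(config: Dict[str, Any]) -> List[Tuple[str, List[str]]]:
    """Return (control, affected_frameworks) for each control that fails."""
    return [(name, fws) for name, check, fws in CONTROLS if not check(config)]

def frameworks_at_risk(config: Dict[str, Any]) -> List[str]:
    """Distinct frameworks touched by any failing control; empty means the gate passes."""
    seen: List[str] = []
    for _, fws in evaluate(config):
        seen.extend(f for f in fws if f not in seen)
    return seen

# Constructed sample with two drifts: a TLS 1.0 listener and an MFA-less sensitive role.
SAMPLE_CONFIG: Dict[str, Any] = {
    "listeners": [{"name": "api", "tls_min_version": "1.3"},
                  {"name": "legacy", "tls_min_version": "1.0"}],
    "storage": [{"name": "phi-db", "encrypted": True, "kms_key": "alias/phi"}],
    "roles": [{"name": "clinician", "reads_sensitive": True, "mfa": True},
              {"name": "analyst", "reads_sensitive": True, "mfa": False}],
    "audit_log": {"enabled": True, "retention_days": 400},
    "incident_contact": "security@example.invalid",
}
```

A build step would call `evaluate()` on the rendered config and fail the job when the list is non-empty, so the drift is visible in the pull request rather than in the next audit.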

What We Build

Every application we build for regulated industries starts with compliance architecture:

For healthcare: HIPAA-eligible cloud, BAA chain, PHI encryption, MFA, audit logging, breach notification procedures. See medical software development.

For FinTech: PCI scope delegation, PSD2 SCA implementation, KYC/AML workflow support, transaction monitoring hooks. See FinTech development.

For legal tech: GDPR Article 9 awareness, data retention automation, court jurisdiction routing, evidence chain integrity. See legal software development.

For AI products: EU AI Act risk categorization, bias testing framework, transparency documentation, human-in-the-loop architecture. See AI development services.

The compliance burden is real and compounding. The answer is not to hire more compliance officers. It is to build systems where compliance is a property of the architecture, not a layer added on top.


Last updated January 19, 2025
