The Algorithm

Compliance Knowledge Base

Engineering-focused reference for the compliance frameworks, data protection regulations, and security standards that govern regulated industries.

Healthcare Regulation
HIPAA
The Health Insurance Portability and Accountability Act governs how protected health information is handled in the United States.
HITECH Act
The 2009 law that transformed HIPAA from a paper tiger into a regulation with teeth — adding breach notification, expanded enforcement, and business associate liability.
21st Century Cures Act
The 2016 law that banned information blocking and mandated patient data access, reshaping how EHRs, payers, and health IT vendors must operate.
ONC Interoperability Rule
The 45 CFR Parts 170 and 171 rule that operationalizes the 21st Century Cures Act, mandating FHIR APIs, app marketplace openness, and standardized health data for certified health IT (Part 170) and defining the information blocking regime (Part 171).
42 CFR Part 2
The federal regulation that protects substance use disorder treatment records with stricter confidentiality requirements than HIPAA — and the integration nightmare it creates for health systems.
Mental Health Parity and Addiction Equity Act
The federal law requiring health plans to provide mental health and SUD benefits no more restrictively than medical/surgical benefits — and the data infrastructure required to prove it.
CMS Conditions of Participation
The baseline health and safety standards hospitals must meet to participate in Medicare and Medicaid — with technology requirements that have grown significantly in recent years.
CMS Prior Authorization API Rule
The CMS rule (CMS-0057-F, finalized January 2024) mandating FHIR-based prior authorization APIs for impacted payers, with decision-timeframe and denial-reason requirements starting in 2026 and the API requirements from January 2027, automating the most friction-laden process in US healthcare.
Information Blocking Prohibition
The 21st Century Cures Act prohibition that makes interfering with health data access a federal violation, enforced through OIG civil monetary penalties and disincentives, and the eight exceptions that define the boundaries of permissible restriction.
Healthcare Interoperability
HL7 FHIR
The RESTful API standard that is replacing decades of HL7 v2 and CDA message-passing with modern web-native healthcare data exchange.
TEFCA
The voluntary national framework that enables health information exchange across organizational boundaries through a single on-ramp for participating networks.
Healthcare Privacy Engineering
HIPAA De-Identification Standards
The two HIPAA methods for removing PHI from health data — and why Expert Determination is more defensible than Safe Harbor for most analytics use cases.
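The following is an added example, not code from the original page: a minimal Safe Harbor transformer over a constructed patient record. It applies the fixed rules of the method (drop the direct identifiers, keep only the year of dates, collapse ages over 89, truncate ZIP codes to three digits and zero out the low-population prefixes listed in the HHS guidance). The field names, the record layout and the ISO-8601 date strings are assumptions for the example.

```python
import re
from datetime import date
from typing import Optional

# Assumed field names for the identifier categories that Safe Harbor removes
# outright (names, contact data, account/record numbers, device and web IDs).
DIRECT_IDENTIFIERS = {
    "name", "email", "phone", "fax", "ssn", "mrn", "account_number",
    "ip_address", "device_id", "url", "photo",
}

# Dates directly related to the individual: only the year may be kept.
# Field names are assumptions for this example; values are ISO-8601 strings.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Three-digit ZIP prefixes whose population is under 20,000 in the census
# data cited by the HHS guidance; Safe Harbor requires these to become 000.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}


def generalize_zip(zip_code: Optional[str]) -> Optional[str]:
    """Keep the first three ZIP digits, or 000 for a restricted prefix."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_category(dob_iso: str, as_of_iso: str) -> str:
    """Exact age in years, except that anything over 89 collapses to '90+'."""
    dob, as_of = date.fromisoformat(dob_iso), date.fromisoformat(as_of_iso)
    years = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if years > 89 else str(years)


def safe_harbor(record: dict, as_of_iso: str) -> dict:
    """Return a new record with identifiers removed and quasi-identifiers generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # the element is dropped entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[f"{key}_year"] = date.fromisoformat(value).year
        else:
            out[key] = value  # clinical content such as diagnosis codes is kept
    if "dob" in record:
        age = age_category(record["dob"], as_of_iso)
        out["age"] = age
        if age == "90+":
            out["dob_year"] = None  # a birth year would reveal an age over 89
    return out


# Constructed sample input; no real patient data.
SAMPLE_RECORD = {
    "name": "Jane Roe",
    "mrn": "MRN-00042",
    "dob": "1930-05-04",
    "zip": "03601",
    "admit_date": "2024-02-10",
    "diagnosis": "I10",
}
AS_OF = "2024-06-01"


def run_demo() -> dict:
    return safe_harbor(SAMPLE_RECORD, AS_OF)


if __name__ == "__main__":
    print(run_demo())
```

Note what the code does not do: it never asks whether the surviving fields (a rare diagnosis, a 90+ age, an admission year in a small facility) still single out a person. Safe Harbor is satisfied once the listed elements are gone and the covered entity has no actual knowledge of re-identifiability; measuring that residual risk against the analytics use case is the work Expert Determination adds.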
Healthcare Quality
CMS Star Ratings
The CMS quality measurement programs that tie Medicare Advantage and Part D plan payments to performance — and the data pipelines that determine whether a plan earns 4 stars or 2.
Medical Device Regulation
FDA SaMD Classification
The FDA regulatory framework that determines when software becomes a medical device — and the submission, QMS, and postmarket surveillance obligations that follow.
Medical Device Standard
IEC 62304
The international standard defining software lifecycle processes for medical device software — the technical backbone of every FDA and CE-marked software submission.
ISO 13485
The quality management system standard for medical device manufacturers — the global baseline that FDA's updated QMSR and CE marking both now align to.
Privacy & Data Protection
GDPR
The EU's comprehensive data protection law, setting the global standard for privacy-by-design engineering.
GDPR Article 25 — Privacy by Design and by Default
The GDPR provision requiring controllers to embed data protection into system architecture from inception, not retrofit it at audit time.
GDPR Article 35 — Data Protection Impact Assessment (DPIA)
The GDPR requirement to conduct a formal risk assessment before deploying processing operations that are likely to result in high risk to individuals' rights and freedoms.
Schrems II, Standard Contractual Clauses, and Cross-Border Data Transfers
The 2020 CJEU ruling (C-311/18) that invalidated Privacy Shield and set the conditions under which Standard Contractual Clauses remain valid for transferring personal data from the EU to third countries.
EU-US Data Privacy Framework (2023)
The third EU-US personal data transfer framework, adopted July 2023, providing an adequacy decision for certified US organizations following Executive Order 14086.
ePrivacy Directive and Cookie Consent Requirements
The EU's Directive 2002/58/EC, amended by Directive 2009/136/EC, governing electronic communications privacy including cookie consent, spam, and confidentiality of communications.
GDPR Article 17 — Right to Erasure (Right to be Forgotten)
The GDPR right requiring controllers to delete personal data without undue delay upon request, subject to specific grounds and exceptions — with significant engineering implementation complexity.
GDPR Article 20 — Right to Data Portability
The GDPR right requiring controllers to provide personal data in a machine-readable format for transfer to another controller — creating meaningful interoperability obligations for engineering teams.
PIPL (China Personal Information Protection Law)
China's comprehensive personal information protection law, effective November 2021, establishing GDPR-comparable rights with unique extraterritorial reach and state data access provisions.
India Digital Personal Data Protection Act 2023
India's landmark data protection law, enacted August 2023, establishing a consent-based framework with a Data Protection Board and significant localization considerations for multinational technology operators.
GDPR Legitimate Interests (Article 6(1)(f))
The most flexible — and most litigated — GDPR lawful basis, requiring a documented balancing test that engineering teams must operationalize before data processing begins.
GDPR Consent — Technical Requirements
GDPR consent is not a checkbox — it is a technical architecture problem involving timestamped records, granular preferences, and withdrawal mechanisms that must work at scale.
GDPR Data Protection Officer (DPO)
The mandatory privacy governance role under GDPR — and the technical infrastructure required to make a DPO operationally effective in a complex data environment.
GDPR Data Controller vs. Processor
The foundational GDPR distinction that determines legal obligations, contractual requirements, and system design responsibilities across every data processing relationship.
Privacy Law
Virginia Consumer Data Protection Act (VCDPA)
Virginia's comprehensive consumer privacy law establishing data rights, controller obligations, and opt-out mechanisms effective January 1, 2023.
Colorado Privacy Act (CPA)
Colorado's privacy law introducing universal opt-out mandate and data protection assessments, effective July 1, 2023.
Connecticut Data Privacy Act (CTDPA)
Connecticut's privacy framework effective July 1, 2023, aligning closely with Virginia and Colorado while adding specific children's data safeguards.
Texas Data Privacy and Security Act (TDPSA)
Texas's privacy law effective July 1, 2024, notable for broad applicability with no minimum consumer threshold for large businesses.
Washington My Health My Data Act (MHMDA)
Washington's landmark health data law extending far beyond HIPAA to cover any consumer health data collected by non-HIPAA entities.
Brazil LGPD (Lei Geral de Proteção de Dados) — Engineering Specifics
Brazil's comprehensive data protection law modeled on GDPR, with distinct legal bases, ANPD enforcement, and sector-specific requirements.
Singapore PDPA and Mandatory Breach Notification
Singapore's Personal Data Protection Act 2012, significantly amended in 2020 with mandatory breach notification, deemed consent, and enhanced penalties.
Japan APPI (Act on the Protection of Personal Information) 2022 Amendments
Japan's strengthened privacy law with mandatory breach notification, opt-out restrictions, and extraterritorial enforcement, effective April 2022.
Australia Privacy Act 2023–2024 Reform Proposals
Australia's most significant Privacy Act overhaul in decades, proposing a tort of serious invasion of privacy, enhanced individual rights, and tightened security obligations.
ISO 27701 (Privacy Information Management — Extension to ISO 27001)
The international privacy management system standard that extends ISO 27001/27002 with a full PIMS framework, bridging GDPR and global privacy requirements.
Consent Management Platforms (CMPs) and Technical Requirements
Consent Management Platforms implement the technical infrastructure for collecting, storing, and propagating user consent signals across complex digital advertising and analytics ecosystems.
Data Minimization as an Engineering Principle (GDPR Art. 5)
GDPR Article 5(1)(c) requires data to be adequate, relevant, and limited to what is necessary — a standard that must be enforced through technical architecture, not policy alone.
Financial Services Regulation
MiFID II
The EU directive that rewrote market structure rules for investment firms — with granular data reporting, best execution documentation, and systems clock synchronization requirements that define modern trading infrastructure.
EMIR
The EU regulation governing OTC derivatives — requiring trade reporting, central clearing, and risk mitigation for the multi-trillion-euro derivatives market.
Dodd-Frank Act
The 2010 US financial reform law that created the CFPB, mandated derivatives clearing, and imposed systemic risk oversight — generating a decade of technology implementation obligations.
Volcker Rule
Section 619 of Dodd-Frank that prohibits banks from proprietary trading and owning hedge funds — and the real-time monitoring systems banks must maintain to prove compliance.
CCAR and DFAST Stress Testing
The Federal Reserve's CCAR and the Dodd-Frank Act stress tests (DFAST, run by the Fed, OCC, and FDIC) that require large banks to demonstrate capital adequacy under severe economic scenarios, generating massive data and modeling obligations.
FFIEC IT Examination Handbook
The examination framework used by federal banking regulators to assess financial institutions' IT risk management — defining what "adequate" technology governance looks like in bank regulatory examinations.
FINRA Regulations
The self-regulatory organization rules governing broker-dealers — covering surveillance, recordkeeping, communications review, and the technology systems that support them.
CFPB UDAAP
The CFPB's prohibition on Unfair, Deceptive, or Abusive Acts or Practices — a principles-based standard that extends to algorithmic decision-making and digital product design.
FATCA
The US tax compliance law that requires foreign financial institutions to identify and report US account holders to the IRS — or face 30% withholding on US-source payments.
CRS Reporting
The OECD Common Reporting Standard — the global tax information exchange framework operating in 110+ countries that requires financial institutions to identify and report non-resident account holders.
PSD2 and Open Banking
The EU directive and UK regulatory framework that mandated API access to bank accounts for third parties — creating the technical infrastructure for open banking ecosystems.
UK FCA SMCR
The FCA's Senior Managers and Certification Regime — the UK personal accountability framework that places regulatory responsibility on named individuals for specific firm functions.
Solvency II
The EU insurance regulatory framework that requires risk-based capital calculation, ORSA, and the three-pillar structure — with quantitative model requirements that rival banking stress testing in complexity.
IFRS 9 and CECL
The expected credit loss accounting standards — IFRS 9 for international filers and CECL for US GAAP filers — that transformed how banks provision for loan losses using forward-looking models.
Basel III/IV
The BCBS capital adequacy and liquidity framework — with the Basel IV finalization fundamentally reworking how banks calculate risk-weighted assets, affecting every risk and finance system in the enterprise.
Compliance Frameworks
SOC 2
The de facto security standard for US technology companies handling customer data.
ISO 22301 (Business Continuity Management)
The international standard for Business Continuity Management Systems (BCMS), requiring systematic identification of disruption risks and tested continuity capabilities.
ISO 31000 (Risk Management)
The international risk management framework providing principles, a structured process, and implementation guidelines applicable across all organizational contexts.
SOC 1 Type II (Internal Controls over Financial Reporting)
SOC 1 Type II examines the design and operating effectiveness of service organization controls relevant to user entities' internal controls over financial reporting.
NIST Privacy Framework 1.0
NIST's voluntary privacy risk management framework providing a common language and systematic approach to managing privacy risk across the data lifecycle.
NIST SP 800-63 (Digital Identity Guidelines) — IAL, AAL, FAL Levels
NIST's authoritative digital identity guidelines defining three assurance level scales — identity, authenticator, and federation — for government and regulated-sector systems.
NIST SP 800-37 (Risk Management Framework for Information Systems)
NIST's Risk Management Framework providing a structured seven-step process (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor, since Rev 2) for integrating security and privacy risk management into system development lifecycles.
Third-Party Risk Management (TPRM) Frameworks
Third-party risk management frameworks systematically identify, assess, monitor, and remediate risks introduced by vendors, suppliers, and service providers across the extended enterprise.
Cloud Security
ISO 27017 (Cloud Security Controls)
The international standard providing cloud-specific information security controls supplementing ISO 27001, with distinct guidance for cloud service providers and customers.
ISO 27018 (Protection of PII in Public Clouds)
The international standard establishing controls for protecting personally identifiable information in public cloud computing environments.
CSA STAR (Cloud Security Alliance Security, Trust, Assurance, and Risk)
The CSA STAR program provides a cloud-specific assurance framework with three levels of assurance, from self-assessment to third-party certification and continuous monitoring, built on the Cloud Controls Matrix (CCM).
Security by Design Principles and Implementation
Security by Design embeds security requirements into system architecture from inception rather than retrofitting controls after development, reducing remediation cost and residual risk.
Shift-Left Security in CI/CD Pipelines
Shift-left security moves vulnerability detection from production towards development, using automated tooling in CI/CD pipelines to identify and remediate security issues at the lowest cost point.
CASB (Cloud Access Security Broker) in Regulated Cloud Environments
CASB fills the visibility and control gap between an organization's security policies and the cloud services its employees actually use — a gap that becomes a regulatory liability the moment shadow IT includes regulated data.
AI Governance
ISO 42001 (AI Management System Standard)
The first certifiable international standard for AI management systems, establishing requirements for responsible development, deployment, and governance of AI.
OWASP LLM Top 10 (2025 Version)
The definitive list of the ten most critical security risks in large language model applications, updated for 2025 to reflect agentic AI and multi-model deployments.
Model Cards and AI Transparency Requirements
Model cards are structured documentation artifacts for AI systems, increasingly mandated by regulation and procurement requirements to disclose performance, limitations, and risks.
Algorithmic Accountability Act Proposals and Requirements
Federal and state algorithmic accountability proposals requiring impact assessments, audit rights, and explainability for automated decision systems affecting individuals.
Explainable AI (XAI) Requirements in Regulated Sectors
Explainability requirements for AI systems in financial services, healthcare, and government are moving from aspiration to enforceable obligation under multiple regulatory frameworks.
AI Bias Auditing Requirements Under EU AI Act and State Laws
Systematic AI bias auditing is now a legal obligation for high-risk AI systems in employment, credit, and housing under EU and U.S. state requirements.
Government & Defense
FedRAMP
The US government's cloud security authorization framework — the price of admission for selling to federal agencies.
ITAR (International Traffic in Arms Regulations)
The US export control regime governing defense articles, services, and technical data on the US Munitions List.
EAR (Export Administration Regulations)
The Commerce Department's dual-use export control framework covering the Commerce Control List and license exception structures.
DFARS (Defense Federal Acquisition Regulation Supplement)
The DoD acquisition supplement that mandates cybersecurity standards for all contractors handling covered defense information.
NIST SP 800-171 (Protecting CUI in Non-Federal Systems)
The security standard that every DoD contractor and federal research institution must satisfy to handle Controlled Unclassified Information: 110 requirements in Rev 2, consolidated to 97 in Rev 3 (2024).
CUI (Controlled Unclassified Information) Program
The National Archives-administered framework that standardizes how federal agencies and contractors mark, handle, and protect sensitive unclassified government data.
NIST SP 800-207 (Zero Trust Architecture)
The NIST implementation guide that defines zero trust principles, logical architecture components, and deployment models for federal and enterprise environments.
DISA STIG (Security Technical Implementation Guides)
DISA's mandatory hardening benchmarks for every technology component in DoD information systems, from OS kernels to containerization platforms.
RMF and the ATO Process
The NIST Risk Management Framework seven-step lifecycle (Prepare through Monitor) that governs how federal agencies authorize information systems to operate.
FedRAMP High vs. Moderate and DoD IL4/IL5
The authorization tiers that determine which cloud services federal agencies — and especially DoD — are permitted to use for sensitive workloads.
Executive Order 14028 on Improving the Nation's Cybersecurity
The May 2021 executive order that reshaped federal software supply chain security, mandated SBOMs, and accelerated zero trust adoption across civilian agencies.
SBOM (Software Bill of Materials)
The machine-readable inventory of software components, dependencies, and provenance data now required for federal contracts and increasingly demanded across critical infrastructure sectors.
NIST SP 800-218 (Secure Software Development Framework — SSDF)
The NIST framework that organizes secure software development practices into four groups (Prepare the Organization, Protect the Software, Produce Well-Secured Software, Respond to Vulnerabilities), now required through the OMB M-22-18 secure software self-attestation for software sold to the US federal government.
Supply Chain Risk Management (SCRM) Frameworks
The multi-framework discipline for identifying, assessing, and mitigating cybersecurity risks introduced by hardware, software, and service providers across the technology supply chain.
FAR Cybersecurity Clauses for Government Contractors
The Federal Acquisition Regulation cybersecurity provisions that flow down to all government contractors handling federal information systems and contractor information systems.
Section 889 of the NDAA (Huawei/ZTE Equipment Ban)
The NDAA provision that prohibits federal agencies and contractors from procuring or using telecommunications equipment from designated Chinese manufacturers.
Energy & Infrastructure
IEC 62443 (Industrial Automation and Control Systems Security)
The international standard series defining security requirements for Industrial Automation and Control Systems (IACS) across the entire product and system lifecycle.
TSA Pipeline Security Directives (2021–2022)
The post-Colonial Pipeline security directives from TSA that imposed mandatory cybersecurity measures on US critical pipeline operators for the first time.
NIST IR 7628 Smart Grid Cybersecurity Guidelines
The NIST framework that maps 189 high-level security requirements to smart grid logical interfaces, addressing the unique cybersecurity challenges of the modernized electrical grid.
NRC 10 CFR 73.54 Nuclear Cybersecurity Requirements
The NRC's binding cybersecurity rule for nuclear power plants, requiring defense-in-depth protection for digital assets that could affect radiological safety and security functions.
SCADA/ICS/OT Security Standards and Frameworks
The layered standards ecosystem governing cybersecurity for Supervisory Control and Data Acquisition systems across critical infrastructure sectors.
OT/IT Convergence Security Architecture
The security architecture discipline that safely bridges operational technology and information technology networks while preserving industrial availability and integrity requirements.
API Engineering
API Rate Limiting and Throttling for Financial and Health APIs
API rate limiting in regulated environments is simultaneously a security control, an availability mechanism, and a fair-use policy enforcement tool — and each of those objectives requires different limiting strategies implemented at different architectural layers.
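As an added example (not code from the original page), here is a small two-layer limiter in the spirit of that description: a per-route, per-client token bucket that serves the security and availability objectives (a tight bucket on the token endpoint slows credential stuffing, a wide one on a FHIR resource protects the backend) and a per-tenant request quota that serves fair use. The route policies, header values and IP addresses are constructed for the example; the clock is passed in explicitly so the behaviour is deterministic.

```python
from typing import Dict, Tuple


class TokenBucket:
    """Classic token bucket: `capacity` burst, refilled at `refill_per_sec`."""

    def __init__(self, capacity: int, refill_per_sec: float, now: float):
        self.capacity = float(capacity)
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.updated = now

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.updated)  # tolerate a clock that steps backwards
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.updated = now

    def try_consume(self, now: float, cost: float = 1.0) -> bool:
        self._refill(now)
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False

    def retry_after(self, now: float, cost: float = 1.0) -> float:
        """Seconds until `cost` tokens are available; the value for a Retry-After header."""
        self._refill(now)
        return max(0.0, (cost - self.tokens) / self.refill_per_sec)


class LayeredLimiter:
    """Layer 1: per-route, per-client bucket (security and availability).
    Layer 2: per-tenant request quota (fair use). The policies are assumptions."""

    ROUTE_POLICY: Dict[str, Tuple[int, float]] = {
        "/auth/token": (5, 0.25),      # 5-request burst, then 15/min: slows credential stuffing
        "/fhir/Patient": (100, 20.0),  # 100 burst, 20/s sustained: protects the backend
    }
    DEFAULT_POLICY = (50, 10.0)

    def __init__(self, tenant_quota: int):
        self.buckets: Dict[Tuple[str, str], TokenBucket] = {}
        self.tenant_quota = tenant_quota
        self.tenant_used: Dict[str, int] = {}

    def check(self, route: str, client_ip: str, tenant: str, now: float) -> Tuple[bool, str]:
        # Fair-use quota first: rejecting here has no side effect on the buckets.
        if self.tenant_used.get(tenant, 0) >= self.tenant_quota:
            return False, "429 tenant quota exhausted"
        capacity, rate = self.ROUTE_POLICY.get(route, self.DEFAULT_POLICY)
        key = (route, client_ip)
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(capacity, rate, now)
        if not bucket.try_consume(now):
            return False, f"429 per-client limit, retry after {bucket.retry_after(now):.1f}s"
        self.tenant_used[tenant] = self.tenant_used.get(tenant, 0) + 1
        return True, "200"


def simulate() -> list:
    """Seven token requests from one IP at t=0, one more after 4 s, then a second IP."""
    limiter = LayeredLimiter(tenant_quota=1000)
    decisions = [limiter.check("/auth/token", "203.0.113.7", "tenant-a", now=0.0)[0]
                 for _ in range(7)]
    decisions.append(limiter.check("/auth/token", "203.0.113.7", "tenant-a", now=4.0)[0])
    decisions.append(limiter.check("/auth/token", "203.0.113.8", "tenant-a", now=4.0)[0])
    return decisions


if __name__ == "__main__":
    print(simulate())  # [True, True, True, True, True, False, False, True, True]
```

In a real deployment the per-client buckets belong at the edge (gateway or WAF, keyed on client IP or API key) and the tenant quota belongs in the application tier where the tenant identity is known; keeping the two in one process here is only to show that they are different decisions with different keys.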
Webhook Security for Regulated Data Integrations
Webhooks in regulated environments are unauthenticated inbound HTTP endpoints by default — without specific security controls, they become an attack surface that allows injection of fraudulent events into financial, clinical, and compliance workflows.
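The controls that description alludes to, as an added example rather than code from the page or from any particular provider: an HMAC-SHA256 signature over a timestamp plus the raw body, a freshness window, constant-time comparison, and a replay cache keyed on the event id. The header names, the shared secret and the settlement event are assumptions; real providers differ in how they build the signed string.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Assumptions for this example: a per-integration shared secret and the header
# names below.
SECRET = b"constructed-shared-secret-not-for-production"
TOLERANCE_SEC = 300


def sign(body: bytes, timestamp: int, secret: bytes = SECRET) -> str:
    """Sender side: HMAC-SHA256 over '<timestamp>.<raw body>' binds the time to the payload."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


class WebhookVerifier:
    def __init__(self, secret: bytes = SECRET, tolerance: int = TOLERANCE_SEC):
        self.secret = secret
        self.tolerance = tolerance
        self.seen: Dict[str, int] = {}  # event id -> expiry; the replay cache

    def verify(self, headers: Dict[str, str], body: bytes, now: int) -> Tuple[bool, str]:
        # 1. Freshness: reject anything outside the window before doing any crypto.
        try:
            ts = int(headers.get("X-Webhook-Timestamp", ""))
        except ValueError:
            return False, "missing or malformed timestamp"
        if abs(now - ts) > self.tolerance:
            return False, "timestamp outside tolerance"
        # 2. Authenticity: recompute over the raw bytes and compare in constant time.
        expected = sign(body, ts, self.secret).encode()
        provided = headers.get("X-Webhook-Signature", "").encode()
        if not hmac.compare_digest(expected, provided):
            return False, "bad signature"
        # 3. Only now parse the payload; unauthenticated bytes never reach the parser.
        try:
            event = json.loads(body)
        except ValueError:
            return False, "invalid JSON"
        event_id = event.get("id") if isinstance(event, dict) else None
        if not isinstance(event_id, str):
            return False, "missing event id"
        # 4. Replay: a valid, fresh signature can still be re-sent inside the window.
        self.seen = {k: v for k, v in self.seen.items() if v > now}
        if event_id in self.seen:
            return False, "replayed event"
        self.seen[event_id] = now + self.tolerance
        return True, "ok"


def demo() -> list:
    """Constructed settlement event exercised against each check in turn."""
    v = WebhookVerifier()
    body = json.dumps({"id": "evt_001", "type": "payment.settled", "amount": 1500}).encode()
    ts = 1_700_000_000
    good = {"X-Webhook-Timestamp": str(ts), "X-Webhook-Signature": sign(body, ts)}
    forged = {"X-Webhook-Timestamp": str(ts), "X-Webhook-Signature": sign(body, ts, b"wrong-key")}
    return [
        v.verify(good, body, now=ts + 10)[1],                            # ok
        v.verify(good, body, now=ts + 10)[1],                            # replayed event
        v.verify(good, body.replace(b"1500", b"9500"), now=ts + 10)[1],  # bad signature
        v.verify(good, body, now=ts + 3600)[1],                          # timestamp outside tolerance
        v.verify(forged, body, now=ts + 10)[1],                          # bad signature
    ]


if __name__ == "__main__":
    print(demo())
```

Two points matter in practice: the signature must be computed over the bytes as received (re-serializing parsed JSON changes whitespace and key order and breaks verification), and the replay cache has to be shared across receiver instances, so a single-process dictionary as above is a stand-in for a short-TTL entry in a shared store.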
Application Security
OWASP Top 10 (2021) for Regulated Industry Applications
The OWASP Top 10 2021 is the most widely referenced application security baseline in regulated industry audit frameworks, and two of its entries, A04 (Insecure Design) and A08 (Software and Data Integrity Failures), are architectural weaknesses that code scanning alone cannot detect.
OWASP API Security Top 10 (2023) for Financial and Health APIs
The OWASP API Security Top 10 2023 reflects a threat landscape where APIs — not web applications — are now the primary attack surface for regulated data exfiltration and unauthorized transaction execution.
Architecture
Domain-Driven Design (DDD)
A software design approach that aligns code structure with business domain concepts, language, and bounded contexts.
Hexagonal Architecture (Ports & Adapters)
An architectural pattern that isolates core business logic from external systems via defined ports and technology-specific adapters.
CAP Theorem
A distributed systems principle stating that when a network partition occurs a system must give up either consistency or availability; since partitions cannot be ruled out in a real network, the practical design choice is between CP and AP behaviour.
Database Sharding
A horizontal scaling technique that partitions database data across multiple independent nodes, each holding a subset of the total dataset.
AWS Well-Architected Framework
Amazon Web Services' prescriptive guidance organized across six pillars — operational excellence, security, reliability, performance, cost optimization, and sustainability.
Multi-Cloud Governance
The policies, tools, and processes that ensure consistent security, compliance, cost control, and operational standards across deployments spanning multiple cloud providers.
Serverless Compliance Architecture
Design and control patterns for meeting regulatory compliance requirements in event-driven, function-as-a-service architectures lacking persistent infrastructure.
FinOps Maturity Model
A framework defining organizational maturity levels — Crawl, Walk, Run — for managing cloud financial accountability, cost optimization, and business value alignment.
Architecture Patterns
Event Sourcing as a Compliance Architecture Pattern
An architectural pattern that stores system state as an immutable sequence of events, providing a native audit log and enabling temporal queries for compliance purposes.
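As an added example (not code from the original page), the store below keeps the two properties that description relies on: an append-only log whose entries are hash-chained so that an in-place edit is detectable, and a temporal query that rebuilds state as of a past time by replaying events. The account ledger domain, the event types and the sample events are assumptions constructed for the example.

```python
import dataclasses
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    seq: int
    ts: int          # event time, epoch seconds
    actor: str       # who caused it: user, service account, batch job
    type: str
    data: dict
    prev_hash: str
    hash: str


def apply_event(state: Dict[str, dict], ev: Event) -> None:
    """Projection for a toy account ledger; the event types are assumptions."""
    acct = ev.data["account"]
    if ev.type == "AccountOpened":
        state[acct] = {"owner": ev.data["owner"], "balance": 0, "status": "open"}
    elif ev.type == "Deposited":
        state[acct]["balance"] += ev.data["amount"]
    elif ev.type == "Withdrawn":
        state[acct]["balance"] -= ev.data["amount"]
    elif ev.type == "AccountClosed":
        state[acct]["status"] = "closed"


class EventStore:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._events: List[Event] = []

    @staticmethod
    def _digest(seq: int, ts: int, actor: str, type_: str, data: dict, prev_hash: str) -> str:
        canonical = json.dumps([seq, ts, actor, type_, data, prev_hash],
                               sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def append(self, ts: int, actor: str, type_: str, data: dict) -> Event:
        if self._events and ts < self._events[-1].ts:
            raise ValueError("events must be appended in time order")
        seq = len(self._events)
        prev = self._events[-1].hash if self._events else self.GENESIS
        ev = Event(seq, ts, actor, type_, data, prev,
                   self._digest(seq, ts, actor, type_, data, prev))
        self._events.append(ev)
        return ev

    def verify_chain(self) -> Tuple[bool, int]:
        """(True, count) if every link holds, else (False, seq of the first broken event)."""
        prev = self.GENESIS
        for ev in self._events:
            recomputed = self._digest(ev.seq, ev.ts, ev.actor, ev.type, ev.data, ev.prev_hash)
            if ev.prev_hash != prev or ev.hash != recomputed:
                return False, ev.seq
            prev = ev.hash
        return True, len(self._events)

    def state_as_of(self, ts: int) -> Dict[str, dict]:
        """Temporal query: replay events with ev.ts <= ts to rebuild the state at that time."""
        state: Dict[str, dict] = {}
        for ev in self._events:
            if ev.ts > ts:
                break
            apply_event(state, ev)
        return state


def build_demo_store() -> EventStore:
    """Constructed events; no real account data."""
    store = EventStore()
    store.append(1000, "teller-17", "AccountOpened", {"account": "A1", "owner": "cust-9"})
    store.append(1010, "teller-17", "Deposited", {"account": "A1", "amount": 500})
    store.append(1020, "batch-job", "Withdrawn", {"account": "A1", "amount": 120})
    return store


def tamper_demo() -> Tuple[bool, int]:
    """Rewrite the deposit amount in place and show that verification pinpoints it."""
    store = build_demo_store()
    store._events[1] = dataclasses.replace(store._events[1],
                                           data={"account": "A1", "amount": 5000})
    return store.verify_chain()


if __name__ == "__main__":
    print(build_demo_store().state_as_of(1020), tamper_demo())
```

The chain only proves integrity relative to a head hash the verifier already trusts; an attacker with write access to the whole log can rewrite every subsequent hash. Periodically anchoring the head hash outside the store (a signed checkpoint, or a copy in non-rewritable storage) is what turns the chain into audit evidence.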
CQRS (Command Query Responsibility Segregation) for Audit Trails
An architectural pattern that separates read and write operations into distinct models, enabling optimized audit trail generation and compliance-grade query capabilities.
Saga Pattern for Distributed Transaction Compliance
A microservices architecture pattern for managing long-running distributed transactions while maintaining data consistency and audit trail integrity across service boundaries.
Domain-Driven Design (DDD) for Regulatory Boundaries
An approach to software design that models regulatory requirements as explicit domain concepts, using Bounded Contexts to enforce data and process boundaries required by compliance frameworks.
Hexagonal Architecture (Ports and Adapters) for Testable Compliance
An architectural pattern that isolates core business and compliance logic from external systems, enabling comprehensive automated testing of regulatory rules without infrastructure dependencies.
Immutable Infrastructure for Auditability
An operational model where infrastructure components are never modified after deployment — replaced wholesale with new versions — providing verifiable configuration state for compliance audits.
Compliance
NERC CIP (Critical Infrastructure Protection)
Mandatory cybersecurity standards for the North American bulk electric system, covering asset identification, access control, incident response, and supply chain risk.
IEC 62443 Industrial Control System Security
An international standard series defining security requirements and processes for industrial automation and control systems across their entire lifecycle.
NIS2 Directive (EU Network and Information Security)
An EU directive (2022/2555) that member states had to transpose into national law by 17 October 2024, mandating cybersecurity risk management and incident reporting for a broad range of essential and important entities.
ENISA Cybersecurity Guidelines
Technical and policy guidance published by the EU Agency for Cybersecurity supporting implementation of EU cybersecurity regulations and best practices.
Compliance Engineering
Continuous Compliance
Automating evidence collection in CI/CD pipelines so compliance is a byproduct of normal engineering workflow, not a periodic fire drill.
Compliance as Code
Expressing regulatory requirements as executable tests and policies that live in version control alongside the systems they govern.
GitOps Compliance Workflows
Using Git as the single source of truth for regulated deployments — where every infrastructure change is auditable, reviewable, and reversible by design.
Infrastructure Drift Detection and Remediation
The gap between declared and actual infrastructure state — and why closing it continuously is a compliance obligation, not merely an operational preference.
Chaos Engineering for Compliance Validation
Using controlled failure injection to validate that resilience controls perform as documented — turning chaos experiments into compliance evidence.
Multi-Cloud Compliance Architecture
Designing compliance programs that span AWS, Azure, and GCP without creating vendor-locked control implementations that fail when one provider changes their service.
Cybersecurity
Threat Modeling (STRIDE)
A structured security analysis methodology that identifies and categorizes threats to a system across six categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
CVE/CVSS Vulnerability Scoring
CVE provides a standardized identifier for publicly disclosed security vulnerabilities, while CVSS provides a numerical score reflecting the severity of each vulnerability.
XDR/MDR Security Operations
Extended Detection and Response (XDR) and Managed Detection and Response (MDR) solutions that unify and automate threat detection, investigation, and response across endpoint, network, and cloud telemetry.
SOAR (Security Orchestration, Automation, Response)
Platforms that integrate security tools, automate repetitive analyst tasks, and orchestrate response workflows to improve SOC efficiency and reduce incident response time.
Data Engineering
Master Data Management (MDM)
Processes and technology for creating and maintaining a single, authoritative, trusted version of shared data entities across an enterprise.
Data Quality Engineering
The systematic application of engineering practices to measure, monitor, and remediate data quality across dimensions of accuracy, completeness, consistency, and timeliness.
Data Governance
Data Lineage and Provenance Tracking for Regulatory Compliance
Data lineage is no longer a data warehouse optimisation tool — BCBS 239, GDPR accountability, and AI regulation now require organisations to demonstrate a documented, auditable chain from source data to regulatory output for every material data element.
Data Security
DLP (Data Loss Prevention) Technical Controls for Regulated Data
DLP in regulated environments must be calibrated to the specific data classifications and exfiltration vectors defined in each applicable framework — generic content inspection policies generate noise while missing the regulated data patterns that matter to supervisors.
DevOps & Pipeline Security
GitOps Security and Pipeline Integrity
Security controls and integrity guarantees required when Git repositories become the authoritative source of truth for infrastructure and application deployment.
Container Security (CIS Benchmarks, Runtime Security)
The layered security controls required to harden container images, runtime environments, and registries to meet compliance standards in regulated industries.
Kubernetes Security Standards and Hardening
The comprehensive security controls required to harden Kubernetes clusters and workloads to meet CIS, NSA/CISA, and regulatory compliance requirements.
OpenTelemetry and Observability-as-Code for Compliance
The open standard for generating, collecting, and exporting telemetry data that enables compliance-grade observability across distributed systems.
Service Mesh Security (Istio, Linkerd) in Regulated Environments
How service mesh infrastructure enforces mutual TLS, fine-grained authorization, and audit-grade telemetry across microservice communications in regulated industries.
CNCF Cloud Native Security Whitepaper
The Cloud Native Computing Foundation's comprehensive security guidance covering the full lifecycle of cloud native workloads from development through runtime.
Policy as Code (OPA, Sentinel) for Automated Compliance
The practice of expressing compliance and security policies as machine-readable, version-controlled code that can be automatically evaluated and enforced across infrastructure and deployments.
Emerging Tech
MLOps (Machine Learning Operations)
A discipline combining ML engineering and DevOps practices to automate, monitor, and govern the lifecycle of machine learning models in production.
Feature Store
A centralized data platform that manages the creation, storage, sharing, and serving of ML features for both model training and online inference.
Model Cards
Structured documentation artifacts that describe a machine learning model's intended use, performance characteristics, limitations, and ethical considerations.
Responsible AI Governance
A framework of policies, processes, and technical controls ensuring AI systems are developed and operated ethically, fairly, transparently, and accountably.
Financial & Retail Compliance
FTC Red Flags Rule (Identity Theft Prevention)
The FTC mandate requiring financial institutions and creditors to implement written identity theft prevention programs that detect and respond to warning signs of fraud.
Financial Regulation
Basel III Liquidity Coverage Ratio (LCR) and NSFR Engineering Requirements
Basel III liquidity ratios demand real-time data pipelines and intraday reporting architectures that most core banking systems were never designed to support.
MiFIR Transaction Reporting and Best Execution Data Requirements
MiFIR reporting obligations generate millions of daily transaction records that must be accurate, complete, and submitted to ARMs within T+1 — leaving no tolerance for data quality failures.
CSDR Settlement Discipline and Central Securities Depositories Regulation
CSDR's settlement discipline regime, with cash penalties in force since February 2022 and mandatory buy-ins deferred under the 2023 CSDR Refit, transforms settlement failure from an operational nuisance into a quantified regulatory liability requiring automated monitoring.
SFDR (Sustainable Finance Disclosure Regulation) Technical Implementation
SFDR transforms ESG from a marketing narrative into a data engineering problem, requiring firms to source, validate, and disclose sustainability indicators across entire investment portfolios.
Financial Regulatory
FATF Anti-Money Laundering Standards
The Financial Action Task Force's 40 Recommendations establishing the global framework for anti-money laundering and counter-terrorist financing controls.
KYC/AML Compliance Engineering
Technical systems and workflows for Know Your Customer identity verification and Anti-Money Laundering transaction monitoring in regulated financial institutions.
Volcker Rule
Section 619 of Dodd-Frank prohibiting banking entities from engaging in proprietary trading or acquiring ownership interests in hedge funds and private equity funds.
Dodd-Frank Act
The 2010 US financial reform law that overhauled financial regulation post-crisis, creating the CFPB, FSOC, and new derivatives, resolution, and systemic risk rules.
SEC Rule 17a-4 (WORM Storage)
SEC regulation requiring broker-dealers to preserve electronic records in non-erasable, non-rewritable (WORM) format for defined retention periods.
IFRS 9 Financial Instruments
International accounting standard replacing IAS 39 that governs classification, measurement, impairment, and hedge accounting for financial instruments.
BCBS 239 Risk Data Aggregation
Basel Committee standard requiring systemically important banks to demonstrate strong risk data aggregation and risk reporting capabilities.
Healthcare Compliance
HIPAA Omnibus Rule
The 2013 Final Rule that rewired business associate liability and reshaped the entire HIPAA compliance ecosystem.
Meaningful Use / Promoting Interoperability
The federal incentive program that transformed EHR adoption into a measurable compliance obligation tied to reimbursement.
NIST SP 800-66 Rev 2
The definitive NIST guidance document for implementing the HIPAA Security Rule across administrative, physical, and technical safeguard categories.
ICD-10 Coding and Clinical Data Standardization
The clinical classification system that underpins medical billing, analytics, and interoperability — and the engineering discipline required to implement it accurately.
DICOM (Digital Imaging and Communications in Medicine)
The international standard governing the storage, transmission, and display of medical imaging data — and one of the most technically demanding domains in healthcare IT.
X12 EDI Healthcare Transactions
The HIPAA-mandated electronic transaction standards that govern the financial plumbing of US healthcare — claims, remittances, and eligibility inquiries.
CPCDS (Common Payer Consumer Data Set)
The payer-side data model that maps adjudicated claims to FHIR resources for patient-facing interoperability under the CMS Interoperability Rule.
SMART on FHIR Authorization Framework
The OAuth 2.0-based authorization layer that enables secure, standards-based app launch and delegated access to FHIR health data.
Healthcare Informatics
ICD-10/ICD-11 Medical Coding
Standardized international classification systems used to encode diagnoses, procedures, and clinical encounters for billing and analytics.
SNOMED CT
A comprehensive multilingual clinical terminology providing precise codes for clinical concepts used in EHR documentation and interoperability.
LOINC
Logical Observation Identifiers Names and Codes — a universal standard for identifying laboratory tests, clinical observations, and measurements.
RxNorm
A normalized naming system for clinical drugs maintained by NLM that provides standard codes for medications to support interoperability across pharmacy systems.
Healthcare Regulatory
MACRA/MIPS Quality Reporting
The Medicare Access and CHIP Reauthorization Act framework that ties physician reimbursement to quality, cost, and improvement activities through MIPS or APMs.
Meaningful Use / Promoting Interoperability
CMS EHR incentive program requiring providers to use certified EHR technology in ways that improve care quality, safety, and health information exchange.
340B Drug Pricing Program
A federal program requiring drug manufacturers to provide outpatient drugs at significantly reduced prices to qualifying safety-net healthcare providers.
Prior Authorization API (CMS-0057)
CMS rule requiring payers to implement FHIR-based APIs for prior authorization workflows to reduce administrative burden and accelerate care decisions.
CMS Quality Measures
Standardized metrics used by CMS to assess the quality, safety, efficiency, and care experience of healthcare organizations and clinicians.
IT Governance
COBIT 2019 (Governance and Management of Enterprise IT)
The ISACA framework providing a comprehensive governance system for enterprise IT, aligning technology decisions with organizational objectives and compliance obligations.
Change Management Processes for Regulated Systems (ITIL, SOX)
Change management in regulated environments is not just operational risk control — it is the audit evidence mechanism that proves to SOX auditors and banking supervisors that production systems are changed only through authorized, tested, and documented processes.
IT Service Management
ISO 55001 (Asset Management)
The international standard specifying requirements for an asset management system, enabling organizations to realize value from their physical and intangible assets.
ITIL 4 Framework (IT Service Management)
The fourth iteration of the IT Infrastructure Library, providing a flexible and integrated operating model for the delivery and operation of tech-enabled products and services.
ISO 20000 (IT Service Management Systems)
The international standard specifying requirements for an IT service management system, providing the only certifiable standard for IT service delivery quality.
Disaster Recovery (RPO/RTO) in Regulated Industries
The design of disaster recovery architectures and testing programs that meet the specific RPO, RTO, and documented recovery requirements of regulated industries.
Information Security
ISO 27001 Information Security
The international standard specifying requirements for establishing, implementing, and maintaining an Information Security Management System (ISMS).
ISO 27701 Privacy Information Management
An extension to ISO 27001/27002 that adds privacy-specific controls to establish and maintain a Privacy Information Management System (PIMS).
NIST Privacy Framework
A voluntary tool from NIST to help organizations manage privacy risks through five core functions: Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P.
Infrastructure Engineering
Capacity Planning and Scaling for Regulated Workloads
Capacity planning for regulated workloads must account for regulatory peak load scenarios — month-end reporting surges, stress test computation windows, and regulatory submission deadlines — that do not appear in baseline utilization metrics.
Network Security
Network Segmentation and Micro-Segmentation for Compliance
Network segmentation is the foundational control that defines the scope of PCI DSS compliance, the blast radius of ransomware incidents, and the enforceability of zero-trust policies in regulated environments.
Operational Resilience
DDoS Protection Requirements Under DORA, FFIEC, and NHS Standards
DDoS protection for regulated systems is an operational resilience obligation — not just a performance concern — with DORA, FFIEC, and NHS frameworks each requiring documented capacity thresholds, tested mitigation capabilities, and defined recovery time objectives.
Payment Security
PCI DSS v4.0 New Requirements
The significant new and updated controls introduced in PCI DSS version 4.0 that go beyond the foundational requirements of prior versions.
PCI PIN Security Standard
The PCI Security Standards Council requirements governing the secure management, processing, and transmission of PIN data in payment card transactions.
Quality & Standards
ISO 9001:2015 Quality Management Systems
The international quality management standard that imposes documented process discipline on engineering organizations operating in regulated industries.
Quality Engineering
Performance Testing and SLA Compliance in Regulated Systems
Performance testing for regulated systems must validate SLAs defined in regulatory frameworks — PSD2 API availability, DORA ICT service continuity, and FCA operational resilience impact tolerances — not just arbitrary throughput benchmarks.
Regulatory Compliance
ESMA Guidelines on Outsourcing to Cloud Service Providers
ESMA's cloud outsourcing guidelines impose a governance and contractual framework on regulated firms that fundamentally changes how cloud procurement, monitoring, and exit planning must be engineered.
EBA Guidelines on ICT and Security Risk Management
EBA ICT guidelines establish a prescriptive security and resilience baseline for EU credit institutions that translates directly into specific technical control requirements and audit evidence obligations.
Security
Quantum-Safe / Post-Quantum Cryptography
Cryptographic algorithms designed to remain secure against attacks from quantum computers, replacing RSA and elliptic curve schemes.
Homomorphic Encryption
A cryptographic technique allowing computations to be performed on encrypted data without decrypting it, preserving privacy throughout processing.
Confidential Computing
A hardware-based security approach that protects data in use by processing it within isolated, attested Trusted Execution Environments (TEEs).
Kubernetes Security (CIS Benchmarks, PSA)
Security hardening practices for Kubernetes clusters, covering CIS Benchmark controls, Pod Security Admission policies, RBAC, and supply chain integrity.
Infrastructure as Code (IaC) Security
The practice of scanning, testing, and enforcing security policies on infrastructure definitions (Terraform, CloudFormation, Bicep) before they are deployed.
Vulnerability Management Program
A continuous lifecycle process for identifying, classifying, prioritizing, remediating, and verifying security vulnerabilities across an organization's technology assets.
Penetration Testing for Regulated Industries
Authorized simulated cyberattacks against systems in regulated environments, used to validate control effectiveness and meet compliance testing requirements.
Software Supply Chain Security
Practices and controls that protect the integrity of software from source code through build, packaging, distribution, and deployment against tampering or malicious injection.
Bug Bounty Programs
Structured programs that invite external security researchers to report vulnerabilities in exchange for monetary rewards, coordinating responsible disclosure at scale.
Security Architecture
Secrets Management (Vault, AWS Secrets Manager) Patterns
Architecture patterns for securely storing, distributing, rotating, and auditing access to credentials, API keys, and cryptographic material in regulated systems.
Encryption at Rest — Architecture Patterns for Regulated Data
The cryptographic and architectural controls required to protect sensitive data stored in databases, object stores, and backup media in regulated industries.
Encryption in Transit — TLS 1.3 and Certificate Management
The protocols, configurations, and certificate lifecycle management practices required to protect data moving across networks in regulated environments.
Key Management (KMS) Architecture for Regulated Systems
The design of cryptographic key hierarchies, rotation policies, and hardware security module integration required to meet NIST and regulatory standards for key protection.
IAM (Identity and Access Management) Architecture
The systems and patterns for managing digital identities and controlling their access to resources, implementing least privilege, and generating audit trails for compliance.
PAM (Privileged Access Management) for Regulated Environments
Specialized controls for securing, monitoring, and auditing the high-risk access of administrators, service accounts, and root credentials in regulated IT environments.
Audit Logging Architecture for Compliance Evidence
The design of tamper-evident, high-fidelity logging systems that generate, collect, and retain compliance evidence across distributed application and infrastructure environments.
Security Engineering
STRIDE Threat Modeling Methodology for Regulated Systems
STRIDE threat modeling applied systematically during design — not retrospectively — is the most cost-effective control for preventing the categories of vulnerability that dominate regulated industry security incidents.
Security Frameworks
NIST CSF 2.0 — What Changed from 1.1 and Engineering Implications
NIST CSF 2.0 is not an incremental update — the addition of the Govern function and expanded supply chain requirements fundamentally change how regulated organisations must structure their cybersecurity programs.
CIS Controls v8 Implementation Groups and Regulated Industry Application
CIS Controls v8 Implementation Groups provide a risk-tiered roadmap that maps directly onto regulatory control requirements, making them the most operationally actionable security baseline for regulated mid-market organizations.
MITRE ATT&CK Framework for Regulated Industry Threat Modeling
MITRE ATT&CK translates abstract threat intelligence into specific adversary technique coverage gaps, enabling regulated organizations to align security controls to real-world attack paths rather than checkbox compliance.
Security Operations
Vulnerability Management Programs for Regulated Systems
Vulnerability management in regulated environments demands SLA-bound remediation timelines, asset-criticality-weighted prioritization, and continuous evidence generation — moving far beyond periodic Nessus scans.
Incident Response Planning and Mandatory Notification Timelines
Incident response in regulated environments is a race against mandatory notification clocks — GDPR's 72 hours, DORA's 4-hour initial notification, and HIPAA's 60-day breach notice each require pre-built playbooks and automated detection-to-notification pipelines.
Digital Forensics and Evidence Preservation for Regulatory Investigations
Digital forensics in regulated environments must satisfy both technical integrity standards and legal admissibility requirements — evidence collected without a documented chain of custody is worthless in regulatory enforcement proceedings.
Log Management Architecture and Retention for Compliance
Log management is not a storage problem — it is a data engineering problem where collection completeness, integrity, and queryability within defined retention windows determine whether audit evidence exists when regulators demand it.
SIEM (Security Information and Event Management) for Compliance Monitoring
A SIEM deployed as a compliance log aggregator but not tuned for detection is an expensive storage system — regulated industry SIEMs must have alert fidelity, investigation workflow, and evidence export capabilities built for the specific regulatory obligations they serve.
EDR/XDR Endpoint Detection in Regulated Environments
EDR in regulated environments must do more than detect malware — it must generate tamper-evident forensic telemetry that satisfies regulatory investigation evidence requirements and integrates with mandatory incident notification workflows.
Patch Management Programs in Regulated Environments
Patch management in regulated environments must balance the mandatory remediation SLAs imposed by PCI DSS, DORA, and NHS frameworks against the change management constraints of systems where unplanned downtime carries regulatory consequence.
Security Standards
ISO/IEC 27005 Information Security Risk Management
The ISO standard that provides a structured methodology for information security risk assessment and treatment aligned with ISO 27001.
NIST SP 800-53 Rev 5 Control Families
The most comprehensive security and privacy control catalog in US federal compliance — and the engineering blueprint for FedRAMP, FISMA, and CMMC implementations.
Security Testing
Penetration Testing Requirements in Regulated Environments
Regulated industry penetration testing is not a box-checking exercise — PCI DSS, DORA, and TIBER-EU each impose specific scoping, methodology, independence, and reporting standards that fundamentally shape how tests must be conducted.
Telecom Compliance
FCC Part 64 CPNI (Customer Proprietary Network Information)
Federal regulations governing how telecommunications carriers protect and use sensitive customer data derived from their network usage.
CALEA (Communications Assistance for Law Enforcement Act)
The federal mandate requiring telecommunications carriers and broadband providers to build lawful intercept capabilities into their network infrastructure.