---
tags: #publish
links: [[Business Strategy and Competition]]
created: 2021-07-24 Sat
---

# Competitive Compliance

There is a strong trend in the software industry, especially over the last couple of decades, towards **compliance standards and legislation** that are so complex and expensive to meet that they lock smaller vendors out of any business opportunity that requires them. The most egregious example is probably [[FedRAMP]], where achieving authorisation at the highest impact level effectively requires whole separate teams of staff. There are plenty of other horrors, such as [[NIST 800-53]], [[NIST 800-171]], [[HIPAA]], [[FIPS]], SOC 2, and even GDPR.

Even where this trend is driven by governments and by genuine attempts to improve consumer security and privacy or national security, there is no denying that one long-term effect is to hand large or well-funded companies a major competitive advantage over new upstarts that lack the cash or time to run a large compliance programme and pay an external auditor.

A viable business strategy is therefore to profit from being one of the few organisations that hold a given certification, rather than from delivering more actual value. The technical and organisational effort poured into this is colossal, but the result is essentially [[Vendor Lock-in]] enabled by the regulatory structure, not customer value proportional to the effort invested. The same regulations also enable the related strategy of [[Regulatory Arbitrage]].

Related: [[Patents and Competition]], [[Regulatory Capture]], [[The legal system isn't a level playing field]], [[PEST or PESTLE Analysis]]