
Compliance

In a heavily regulated economy (nFADP, GDPR, EU AI Act), compliance is no longer tedious checkbox-ticking — it is a core technological responsibility. We transform static policies into Compliance as Code: automated verification processes that continuously ensure all systems meet legal requirements.

The goal is to be audit-ready at any time, without spending weeks manually preparing documentation.

Anti-Patterns: Compliance Theatre

  • Paper compliance: Thick policy handbooks exist but are never implemented or verified in technical reality.
  • Point-in-time audits: Once a year everything is frantically prepared, only to fall back into old patterns the moment the audit is over.
  • Manual reports: IT staff spend hundreds of hours manually compiling lists of servers and permissions for auditors.

The Automated Proof

  1. Compliance as Code: Security policies (e.g. "All disks must be encrypted") are defined as scripts that automatically and continuously monitor infrastructure.
  2. Automated Inventory: Real-time inventory of all cloud resources, licences, and data locations in use (see SBOM).
  3. Identity Governance: Automated processes for employee on- and offboarding, plus regular reviews of access rights (Recertification).
  4. Data Privacy by Design: Technical enforcement of deletion deadlines and data minimisation directly in the database architecture.
  5. Continuous Auditing: Dashboards that show management and auditors the current compliance status in real time, at any moment.
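The following is an added illustration of steps 1 to 5 above, not code from the original page or from any named tool: three policies ("all disks must be encrypted", "data stays in approved regions", "access rights are recertified every 90 days") are written as functions that run over a constructed cloud inventory and produce findings plus a status summary that a dashboard could display. The inventory, region list, review interval and reference date are all assumptions made up for the example; a real deployment would pull the inventory from the cloud provider's API and would typically express the rules in a policy engine such as OPA.

```python
"""Compliance as Code: evaluate a (constructed) cloud inventory against codified policies."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Disk:
    disk_id: str
    encrypted: bool


@dataclass
class Server:
    name: str
    region: str
    disks: list[Disk]
    last_access_review: date  # date the server's access rights were last recertified


@dataclass
class Finding:
    policy: str
    resource: str
    detail: str


# Assumed policy parameters (example values, not from the page).
ALLOWED_REGIONS = {"ch-zurich-1", "eu-west-1"}
REVIEW_INTERVAL = timedelta(days=90)
REFERENCE_DATE = date(2024, 6, 1)

# Constructed sample inventory; in practice this is fetched live from the cloud API.
INVENTORY = [
    Server("web-01", "ch-zurich-1", [Disk("vol-1", True), Disk("vol-2", True)], date(2024, 4, 1)),
    Server("db-01", "ch-zurich-1", [Disk("vol-3", False)], date(2024, 5, 15)),
    Server("batch-01", "us-east-1", [Disk("vol-4", True)], date(2023, 9, 1)),
]


def check_disk_encryption(inventory: list[Server]) -> list[Finding]:
    """Policy: every attached disk must be encrypted at rest."""
    return [
        Finding("disk-encryption", f"{srv.name}/{d.disk_id}", "disk is not encrypted")
        for srv in inventory
        for d in srv.disks
        if not d.encrypted
    ]


def check_data_location(inventory: list[Server]) -> list[Finding]:
    """Policy: workloads may only run in approved data locations."""
    return [
        Finding("data-location", srv.name, f"region {srv.region} is not approved")
        for srv in inventory
        if srv.region not in ALLOWED_REGIONS
    ]


def check_access_recertification(inventory: list[Server], today: date = REFERENCE_DATE) -> list[Finding]:
    """Policy: access rights must be recertified at least every REVIEW_INTERVAL."""
    return [
        Finding("access-recertification", srv.name,
                f"last review {srv.last_access_review.isoformat()} is older than {REVIEW_INTERVAL.days} days")
        for srv in inventory
        if today - srv.last_access_review > REVIEW_INTERVAL
    ]


def evaluate(inventory: list[Server], today: date = REFERENCE_DATE) -> list[Finding]:
    """Run every codified policy and collect the findings (the audit evidence)."""
    return (
        check_disk_encryption(inventory)
        + check_data_location(inventory)
        + check_access_recertification(inventory, today)
    )


def compliance_status(inventory: list[Server], today: date = REFERENCE_DATE) -> dict:
    """Summary suitable for a continuous-auditing dashboard."""
    findings = evaluate(inventory, today)
    by_policy: dict[str, int] = {}
    for f in findings:
        by_policy[f.policy] = by_policy.get(f.policy, 0) + 1
    return {"compliant": not findings, "open_findings": len(findings), "by_policy": by_policy}


if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"[{f.policy}] {f.resource}: {f.detail}")
    print(compliance_status(INVENTORY))
```

Each policy is a pure function over the inventory, so the same code can run on every infrastructure change (in CI or on a schedule) and the findings list is the evidence an auditor reviews instead of a manually compiled spreadsheet.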

The Advantage: Legal Certainty at High Speed

Automated compliance removes friction from the process. Teams can move quickly knowing that the platform's guardrails automatically protect them from policy violations.

FAQ

Can software really replace a human auditor?

No, but it provides the factual basis. The auditor reviews the process and the code; the software checks the millions of individual events per day. This dramatically increases the evidential value of the audit.

What will implementing the new Swiss Data Protection Act (nFADP) cost us?

The costs depend on your current technical debt. With an automated approach the upfront costs are higher, but ongoing costs and liability risk drop dramatically.

Reference Guide

  • FDPIC — Federal Data Protection and Information Commissioner: Guidelines on nFADP. edoeb.admin.ch
  • Open Policy Agent (OPA): Standard for Policy as Code. openpolicyagent.org
  • ISO/IEC 27001: The international standard for information security management systems. iso.org
