Cross-Regulation Summary

This document identifies overlapping controls across the 13 regulatory frameworks monitored by the FCC compliance system. Addressing shared requirements reduces duplication and strengthens compliance posture across multiple regulations simultaneously.

Overlap Matrix

OV-001: Data Encryption at Rest & In Transit

| Regulation | Control | Requirement |
|---|---|---|
| GDPR | GDPR-C004 | Cross-border data transfer safeguards |
| HIPAA | HIPAA-C002 | Encryption of ePHI |
| PCI DSS | PCI-C002 | Stored account data protection |
| ISO 27001 | ISO-C004 | Cryptographic controls |
| SOC 2 | SOC2-C004 | Confidentiality protection |

FCC Mapping: Quality gate encryption_verified covers all five regulations.


OV-002: Access Control & Authorization

| Regulation | Control | Requirement |
|---|---|---|
| HIPAA | HIPAA-C001 | PHI access controls |
| PCI DSS | PCI-C004 | Access restriction |
| ISO 27001 | ISO-C003 | Access control policy |
| SOX | SOX-C003 | Financial system access |
| FedRAMP | FEDRAMP-C004 | Configuration management |
| NIS2 | NIS2-C001 | Technical and organizational measures |

FCC Mapping: Constitution hard-stop rule "No unauthorized access to sensitive data" plus access-review quality gates.


OV-003: Incident Detection & Response

| Regulation | Control | Requirement |
|---|---|---|
| ISO 27001 | ISO-C005 | Incident management procedures |
| HIPAA | HIPAA-C004 | Breach notification |
| NIS2 | NIS2-C002 | Incident handling |
| DORA | DORA-C002 | ICT incident reporting |
| FedRAMP | FEDRAMP-C003 | Federal incident response |

FCC Mapping: Event bus GOVERNANCE_INCIDENT_* events trigger automated response workflows.


OV-004: Risk Assessment & Management

| Regulation | Control | Requirement |
|---|---|---|
| ISO 27001 | ISO-C002 | Risk assessment process |
| DORA | DORA-C001 | ICT risk management |
| NIS2 | NIS2-C001 | Risk management measures |
| FedRAMP | FEDRAMP-C001 | Security assessment |
| SOX | SOX-C001 | Internal controls assessment |

FCC Mapping: KG benchmark assessment serves as a structured risk evaluation framework.


OV-005: Data Subject / Consumer Rights

| Regulation | Control | Requirement |
|---|---|---|
| GDPR | GDPR-C002 | Right to erasure |
| CCPA | CCPA-C003 | Deletion request handling |
| CPRA | CPRA-C002 | Correction rights |

FCC Mapping: Collaboration engine manages rights-request workflows with approval gates.


OV-006: Third-Party & Supply Chain Security

| Regulation | Control | Requirement |
|---|---|---|
| DORA | DORA-C004 | Third-party risk management |
| NIS2 | NIS2-C003 | Supply chain security |
| HIPAA | HIPAA-C005 | Business associate agreements |
| PCI DSS | PCI-C001 | Network security controls |

FCC Mapping: Federation namespace validation ensures cross-project security boundaries.


OV-007: Audit Trail & Logging

| Regulation | Control | Requirement |
|---|---|---|
| HIPAA | HIPAA-C003 | Audit controls for ePHI |
| SOX | SOX-C002 | Audit trail integrity |
| SOC 2 | SOC2-C001 | Security monitoring |
| PCI DSS | PCI-C004 | Access tracking |
| FedRAMP | FEDRAMP-C002 | Continuous monitoring |

FCC Mapping: Observability layer (tracing + metrics) provides comprehensive audit trails.


OV-008: AI System Governance

| Regulation | Control | Requirement |
|---|---|---|
| AI Act | AIACT-C001 | Risk classification |
| AI Act | AIACT-C003 | Human oversight |
| GDPR | GDPR-C003 | DPIA for automated processing |
| CPRA | CPRA-C004 | Automated decision-making opt-out |

FCC Mapping: Constitution registry + collaboration engine enforce human-in-the-loop requirements.


OV-009: Data Minimization & Purpose Limitation

| Regulation | Control | Requirement |
|---|---|---|
| GDPR | GDPR-C001 | Processing lawfulness |
| CCPA | CCPA-C004 | Data inventory |
| CPRA | CPRA-C003 | Data minimization |
| HIPAA | HIPAA-C001 | Minimum necessary standard |

FCC Mapping: Constitution mandatory patterns enforce purpose limitation across workflows.


OV-010: Documentation & Transparency

| Regulation | Control | Requirement |
|---|---|---|
| AI Act | AIACT-C004 | Transparency obligations |
| AI Act | AIACT-C005 | Technical documentation |
| CCPA | CCPA-C001 | Consumer disclosure |
| GDPR | GDPR-C003 | Data protection impact assessment |
| SOC 2 | SOC2-C003 | Processing integrity |

FCC Mapping: Docs-as-code generator + persona workflow automate documentation requirements.

Summary Statistics

| Domain | Regulations | Unique Controls | Shared Controls |
|---|---|---|---|
| Privacy | GDPR, CCPA, CPRA | 12 | 8 |
| Security | ISO 27001, PCI DSS, SOC 2 | 13 | 9 |
| Health | HIPAA | 5 | 5 |
| Government | FedRAMP, SOX | 8 | 6 |
| AI/Digital | AI Act, DORA, NIS2 | 13 | 8 |
| Total | 13 regulations | 51 | 36 (71%) |

71% of controls across all 13 regulations share requirements with at least one other regulation. Implementing shared controls efficiently can reduce compliance overhead by 40-60%.