As tech firms face a wave of regulation, and the potential for more lawsuits and larger fines, the old strategy of “move fast and break things” is unsustainable.
Regulators are targeting tech companies with more regulation and stringent enforcement across jurisdictions from California to the EU to India.
With more topics being regulated in more ways, tech companies must rethink their compliance strategy to deal with regulation at scale. Their previous approach of focused, dedicated action for specific regulatory issues will no longer work.
To ensure that innovation continues, tech firms must make this new approach a part of their innovation cycle, rather than bolting it to existing processes.
This task is given increasing urgency by the rapidly developing regulation of AI.
Regulators are broadening their focus. They are moving beyond privacy and competition to areas such as content moderation (for example, the UK’s Online Safety Act, passed in October), protection of minors (Utah legislation passed in March aims to protect under-16s on social media), and tech companies’ payment activities (the US Consumer Financial Protection Bureau wants to regulate tech firms’ payments businesses and digital wallets).
Regulatory bodies now insist on transparency and accountability. The EU’s Digital Markets Act mandates stringent audits, enhanced transparency reports, and the appointment of a compliance officer by the company’s board—an indication of the heightened accountability expected in the tech industry. All of tech could soon be regulated like the medtech and fintech subsectors, with scheduled reporting and regulatory examination.
The advent of AI is bringing a new wave of regulation. President Biden’s executive order on AI safety and security in November and the EU’s proposed AI Act signal the onset of a wave of global regulation. Many other jurisdictions around the world are gearing up to introduce similar legislation.
Enforcement and intervention have intensified. The ten largest fines under Europe’s General Data Protection Regulation, totaling approximately €3.8 billion ($4.1 billion), were all levied on tech companies, and cumulative fines under that regulation now exceed €4.4 billion. (See the exhibit.) Enforcement on competition issues in particular is ramping up. Microsoft had to significantly amend its $69 billion acquisition deal with Activision Blizzard, finalized in October, after regulatory intervention; Adobe abandoned its $20 billion acquisition of Figma at the end of 2023 after declaring there was “no clear path to receive necessary regulatory approvals.”
Leaders of any tech company, not just Big Tech, must recognize that the landscape has transformed—and will continue to evolve rapidly. Although traditional approaches like lobbying, voluntary standards, and cooperation with regulators offer some benefits, they fall short.
Companies must build efficient and effective compliance processes, addressing regulation at scale while keeping costs under control and maintaining the ability to innovate at pace:
These strategies ensure that new products are compliant at release and stay compliant over time. Companies that have not invested in a holistic compliance function need to catch up and make sure that they are taking all key laws and regulations into account.
Tech firms are learning—as many other regulated companies already have—that they must build multiple compliance teams: a centralized enterprise team to lead the strategy and business-aligned teams to integrate compliance into daily operations. The skills in their current legal teams will not be sufficient.
Tech firms also need to build the appropriate systems. These include tools to track controls, testing, and incidents to ensure that employees can effectively manage compliance risk.
Culture needs to change as well. Compliance capabilities have to be integrated into a tech company’s thinking, which is not easy. Change begins with a proactive approach to risk management and strong leadership support for compliance. Tech firms must prevent bureaucratic compliance processes from stifling innovation.
Compliance works best if the whole company buys into it, understanding that the organization needs a social license to operate. This requires a culture where risk is no longer someone else’s problem; staff should proactively spot and address potential problems.
Build a modern compliance program that supports rather than hinders change. This journey often takes two to four years to complete, but companies that successfully navigate it will avoid legal pitfalls and gain a significant competitive advantage. Those that fail to do so risk distraction from regulatory inquiries, forced product changes, lawsuits, and fines. Acting now lets you focus on what all tech firms need—innovation.
The authors thank Bernhard Gehra and Matthew Barton for their invaluable contributions.
ABOUT BOSTON CONSULTING GROUP
Boston Consulting Group partners with leaders in business and society to tackle their most important challenges and capture their greatest opportunities. BCG was the pioneer in business strategy when it was founded in 1963. Today, we work closely with clients to embrace a transformational approach aimed at benefiting all stakeholders—empowering organizations to grow, build sustainable competitive advantage, and drive positive societal impact.
Our diverse, global teams bring deep industry and functional expertise and a range of perspectives that question the status quo and spark change. BCG delivers solutions through leading-edge management consulting, technology and design, and corporate and digital ventures. We work in a uniquely collaborative model across the firm and throughout all levels of the client organization, fueled by the goal of helping our clients thrive and enabling them to make the world a better place.
© Boston Consulting Group 2024. All rights reserved.
For information or permission to reprint, please contact BCG at email@example.com. To find the latest BCG content and register to receive e-alerts on this topic or others, please visit bcg.com. Follow Boston Consulting Group on Facebook and X (formerly Twitter).