Skip to content

Home

WCAG: Web Content Accessibility Guidelines

If you run a website, app, or digital service, you're probably already required to comply with WCAG — even though it isn't a law itself. The Web Content Accessibility Guidelines (WCAG) are the global standard for digital accessibility, and they've been incorporated into legal frameworks across the EU, UK, US, Canada, and Australia. You don't have a choice about whether to follow them; you only have a choice about whether you comply proactively or reactively after a complaint.

Developed by the W3C's Web Accessibility Initiative, WCAG covers visual, auditory, physical, speech, cognitive, language, learning, and neurological disabilities. It's the closest thing to a universal accessibility rulebook the world has.

EU AI Act: Risk Classification & Compliance

The EU AI Act (Regulation 2024/1689) is the world's first comprehensive horizontal regulation of artificial intelligence — and its compliance deadlines are no longer theoretical. The bans on unacceptable-risk AI systems hit in February 2025, and the big one (high-risk AI obligations) arrives in August 2026.

Here's what most people miss: the AI Act doesn't regulate AI technology — it regulates what you do with it. The same AI model can be treated four different ways depending on how it's deployed. That distinction is the whole game.

GDPR Compliance Software: Tools for Data Privacy

The ICO's June 2026 guidance on IoT products explicitly states that manufacturers must conduct DPIAs before processing personal data from connected devices, and that consent must be obtained for any tracking technologies used. With penalties under PECR now aligned to UK GDPR levels — up to £17.5 million or 4% of global turnover — the cost of manual compliance management is no longer just administrative.

Compliance teams managing GDPR manually spend roughly 60% of their time on record-keeping alone — ROPA maintenance, DPIA documentation, consent logs, breach reports. That is time most product companies don't have.

GDPR compliance software automates these workflows. On the Sustalium platform, we built the GDPR module specifically for product companies — not tech firms — because the data flows are different when you're managing IoT data, supplier records, and customer shipments rather than SaaS user accounts.

What to Ask Suppliers Before They Get You Fined

If your supplier uses forced labor, the goods are seized at the US border — and you are the importer of record. If your supplier discharges untreated wastewater, your CSRD disclosure is inaccurate, your CSDDD due diligence is incomplete, and your buyer drops you. If your supplier's SMETA audit is expired by six weeks, the procurement system deselects you automatically — and the buyer does not ask why. The legal violation is the supplier's. The commercial and legal consequence is yours.

The regulatory frameworks that impose cascading liability — making a buyer legally responsible for what happens in their supply chain — are multiplying globally. The German Supply Chain Act (LkSG), the EU's CSDDD, the US Uyghur Forced Labor Prevention Act (UFLPA), the UK and Australian Modern Slavery Acts, the Canadian Fighting Against Forced Labour and Child Labour in Supply Chains Act — each of these creates a legal obligation for the buyer to know what is happening in their supply chain and to act on what they find. And each of them starts with the same operational question: what do you ask your suppliers — and what documentation do you demand — before you place the order?

Conflict Minerals: Automate 3TG Due Diligence

Conflict minerals regulations in both the US (Dodd-Frank Section 1502) and the EU (Regulation 2017/821) require companies to trace the sourcing of tin, tantalum, tungsten, and gold (3TG) through their supply chains, conduct due diligence, and file compliant disclosures. With supply chains spanning multiple tiers and continents, manual CMRT collection and verification is error-prone and resource-intensive.

Conflict minerals software automates the collection of Conflict Minerals Reporting Templates (CMRTs), conducts reasonable country of origin inquiries (RCOI), and generates compliant disclosures for SEC and EU filing.

EU PPWR: Packaging Waste Compliance Guide

You've probably heard that the EU's new Packaging and Packaging Waste Regulation is a big deal. It is. But here's what most coverage gets wrong: it doesn't just set recycling targets — it rewrites the entire rulebook for how products are packaged, sold, and disposed of across the single market. And unlike the old directive (which let member states go their own way), this one applies directly in all 27 countries. One rulebook. One timeline. One enforcement framework.

If your company puts anything in a box, you need to understand what's coming.

Battery Regulation Software: Automate EU 2023/1542

If you make or import batteries for the EU market, you've got a February 2027 deadline that's coming faster than it looks. The EU Battery Regulation (2023/1542) isn't just an update to the old directive — it's a complete rewrite covering carbon footprint declarations, recycled content targets, the Digital Battery Passport, and supply chain due diligence for cobalt, lithium, and nickel.

Here's the problem: the regulation treats batteries differently by type (portable, LMT, SLI, industrial, EV), each with its own deadlines and requirements. Battery compliance software won't write your LCA for you, but it'll keep you from missing one of the five parallel timelines.

Regulatory Obesity: The Compliance Burden No One Tracks

A single product sold globally — a Bluetooth speaker, a cotton t-shirt, a wooden chair — can now be subject to twenty or more regulatory frameworks before it reaches a customer. In the United States: FCC, UL, CPSC, Prop 65, TPPA, and state PFAS laws. In the European Union: CE Marking, RoHS, REACH, WEEE, GPSR, and CSDDD. In the United Kingdom: UKCA, UK REACH, and UK-specific safety regulations. In China: GB standards, CCC certification, and data security requirements. In Australia: RCM, modern slavery reporting, and packaging regulations. In the Middle East: Gulf Conformity Mark, Saudi SABER, UAE ECAS. In Africa: a growing patchwork of national standards and the emerging AfCFTA trade framework.

The technical term is regulatory obesity — and it is not limited to any one region. The number of rules a business must comply with has grown faster than the business's ability to discover, understand, and document compliance with them. The rules themselves are not the problem — product safety, environmental protection, worker rights, and supply chain transparency are legitimate policy objectives. The problem is that the rules do not coordinate across borders, they do not share data formats, and they do not come with a notification system.

NIS2 Compliance Software: Automate Cybersecurity

NIS2 isn't just GDPR's cybersecurity cousin — it's a fundamentally different beast. The Directive (2022/2555) expands mandatory cybersecurity far beyond the original NIS, covering everything from energy and transport to digital infrastructure and public administration. Penalties hit €10 million or 2% of global turnover, and management faces personal liability.

If you're in a "highly critical" sector (energy, transport, health, digital infrastructure), the compliance bar is higher than you think. NIS2 compliance software won't make your network secure, but it'll document the risk management measures and incident reporting that regulators look for.

CSRD Compliance Software: Automate ESRS Reporting

If you're in scope for CSRD (250+ employees, €50M+ turnover, or €25M+ balance sheet), you're looking at 1,100+ datapoints across ESRS standards. That's not a number you spreadsheet your way through. The first wave of companies reporting on 2024 data already found that manual processes don't scale when you need auditable, double-materiality-assessed sustainability reports with XBRL tagging.

CSRD compliance software won't decide what's material for you, but it'll handle the data collection, validation, and ESRS tagging that makes the difference between a report that passes assurance and one that doesn't.