Skip to content

Regulatory Obesity: The Compliance Burden No One Tracks

A single product sold globally — a Bluetooth speaker, a cotton t-shirt, a wooden chair — can now be subject to twenty or more regulatory frameworks before it reaches a customer. In the United States: FCC, UL, CPSC, Prop 65, TPPA, and state PFAS laws. In the European Union: CE Marking, RoHS, REACH, WEEE, GPSR, and CSDDD. In the United Kingdom: UKCA, UK REACH, and UK-specific safety regulations. In China: GB standards, CCC certification, and data security requirements. In Australia: RCM, modern slavery reporting, and packaging regulations. In the Middle East: Gulf Conformity Mark, Saudi SABER, UAE ECAS. In Africa: a growing patchwork of national standards and the emerging AfCFTA trade framework.

The technical term is regulatory obesity — and it is not limited to any one region. The number of rules a business must comply with has grown faster than the business's ability to discover, understand, and document compliance with them. The rules themselves are not the problem — product safety, environmental protection, worker rights, and supply chain transparency are legitimate policy objectives. The problem is that the rules do not coordinate across borders, they do not share data formats, and they do not come with a notification system.

The Global Growth of Regulation

The regulatory burden is growing on every continent, in different forms, at different speeds, but in the same direction: more rules, more enforcement, more documentation.

Europe: The Regulatory Engine

The European Union has been the most prolific regulator of the past decade. Since 2016, the EU has adopted GDPR, MDR, EUDR, CSRD, CSDDD, CBAM, GPSR, PPWR, the Cyber Resilience Act, and the AI Act — a regulatory output unmatched by any other jurisdiction. The EU's regulatory model is increasingly being exported: the CSDDD concept of mandatory human rights and environmental due diligence has influenced legislation in Germany (LkSG), France (LdV), Norway (Transparency Act), and the Netherlands (Child Labour Due Diligence Act). The EU's approach to product regulation — GPSR, Digital Product Passport, Ecodesign — is being watched closely by regulators in Asia, Latin America, and Africa.

United States: The State-Level Patchwork

The US has taken a different path. In the absence of comprehensive federal regulation in many areas, individual states have filled the gap — creating a compliance environment that is arguably more complex than the EU's centralized model because it requires tracking up to 50 different regulatory regimes.

California's Proposition 65 requires chemical warnings on products sold in California. Because California is the largest US consumer market, the warning functionally appears on products sold nationally — but the obligation is California-specific, and the enforcement mechanism (citizen lawsuits) is unique to California. The result is that a business must comply with California law to sell nationally, but the law is enforced through private litigation, not government inspection.

Maine and Minnesota have passed the most sweeping PFAS restrictions in the country. California, New York, Vermont, Washington, and Colorado have product-specific PFAS bans. Each state has a different phase-in timeline, a different set of covered product categories, and different reporting requirements. A product sold nationally must comply with all of them. At the federal level, the EPA has designated PFOA and PFOS as hazardous substances under CERCLA and issued drinking water standards — but there is no comprehensive federal PFAS product regulation. The state-level patchwork is the de facto national standard.

United Kingdom: Post-Brexit Divergence

Since leaving the EU, the UK has established its own regulatory framework — UKCA marking (replacing CE), UK REACH (separate from EU REACH), and UK-specific product safety, chemical, and environmental regulations. The frameworks currently mirror the EU's — the UK retained EU law at the point of departure — but the UK and EU systems are legally separate and will diverge over time. The HSE, not ECHA, manages UK REACH. The UK FSA, not EFSA, is the food safety authority. The transition period for CE marking acceptance in Great Britain runs through December 2027; after that, UKCA becomes mandatory.

The practical effect for businesses is tripled compliance: one product sold in the US, EU, and UK now requires three separate certificates (CPC/GCC, CE DoC, UKCA DoC) citing three different sets of regulations — even though the technical standards are substantively identical.

China: Standards as Trade Barriers

China's regulatory system operates through a different mechanism: the GB (Guobiao) national standard system, combined with mandatory CCC (China Compulsory Certification) for specific product categories, and increasingly stringent data security and cross-border data transfer regulations under the Personal Information Protection Law (PIPL), Data Security Law (DSL), and Cybersecurity Law (CSL).

The CCC mark is required for 16 categories of products sold in China — including electrical products, automotive components, toys, and fire protection equipment. Unlike the EU's CE self-declaration model, CCC certification requires testing at China-designated laboratories and factory inspection by Chinese certification bodies. The process is more controlled and less accessible to foreign manufacturers than any Western certification scheme.

China's data regulations create a separate compliance burden for any business that collects data from Chinese users or transfers data out of China. The PIPL imposes restrictions on cross-border data transfers, requires data localization for certain categories of data, and imposes penalties of up to 50 million RMB or 5% of annual revenue — exceeding GDPR penalty levels.

Australia and New Zealand

Australia's regulatory environment combines federal product safety regulation (ACCC), mandatory modern slavery reporting under the Modern Slavery Act 2018, packaging regulations under the Australian Packaging Covenant Organisation (APCO), and the RCM (Regulatory Compliance Mark) for electrical and electronic products — a single mark that covers EMC, electrical safety, and radio communications. The Australian Modern Slavery Act requires entities with over AUD $100 million in revenue to report annually on modern slavery risks in their supply chains — an obligation that cascades to suppliers through contractual requirements.

New Zealand has its own modern slavery legislation under development, its own product safety framework, and mutual recognition arrangements with Australia for certain product categories — reducing but not eliminating the compliance burden for businesses selling in both markets.

Middle East: Certification as Market Access

The Gulf Cooperation Council (GCC) states — UAE, Saudi Arabia, Qatar, Kuwait, Oman, and Bahrain — operate a unified conformity marking system under the Gulf Conformity Mark (G-Mark) for low-voltage electrical equipment and children's toys. Saudi Arabia's SABER platform requires online product certification for all imported consumer goods. The UAE's Emirates Conformity Assessment Scheme (ECAS) covers electrical products, cosmetics, and food.

The compliance model in the Gulf is distinct from Western systems: it relies heavily on mandatory third-party certification, with limited self-declaration pathways, and the certification bodies are typically designated by the national standards authority. Market access is certification-dependent: no G-Mark, no import. No SABER certificate, no customs clearance.

Africa: Emerging Regulatory Infrastructure

Africa is the least harmonized and most rapidly changing regulatory environment. The African Continental Free Trade Area (AfCFTA) aims to eliminate tariffs on 90% of goods and harmonize standards across the continent — but as of 2026, national standards remain the operative compliance requirement, and they vary widely between countries.

South Africa has the most developed regulatory infrastructure on the continent: NRCS (National Regulator for Compulsory Specifications) for product safety, SABS (South African Bureau of Standards), mandatory B-BBEE (Broad-Based Black Economic Empowerment) reporting, and packaging regulations. Kenya, Nigeria, and Ghana all have mandatory product certification schemes for specific product categories. For businesses entering the African market, the challenge is not the stringency of the regulations — it is the discoverability. National standards are often published only in local languages, not digitized in searchable databases, and not cross-referenced with international equivalents.

Latin America: The Certification Barrier

Latin America's regulatory framework is built around mandatory third-party certification — the INMETRO system in Brazil, NOM standards in Mexico, IRAM certification in Argentina. These systems require product testing at nationally accredited laboratories and factory inspection by national certification bodies. For foreign manufacturers, this means the cost of market entry includes in-country testing and certification that cannot be substituted by CE, FCC, or any other international certification.

Brazil's ANVISA regulates cosmetics, food, and medical products through a pre-market registration system that is more stringent than the FDA's post-market approach. Mexico's NOM standards cover over 2,000 product categories, and compliance is verified at the border — no NOM certificate, no entry. The certification process is time-consuming (typically 3-6 months for new product categories) and expensive (\(5,000-\)25,000 per product family) — a significant barrier for SMEs.

The Three Sources of Regulatory Weight

The compliance burden does not come from a single source. It accumulates from three directions — governmental regulation, non-governmental and industry standards, and private platform requirements. Most businesses are only tracking the first.

1. Government Regulation

This is the visible layer — the product safety, chemical, environmental, and data regulations listed above. The volume is staggering: a 2024 study by Thomson Reuters Regulatory Intelligence tracked over 56,000 regulatory updates across 190 countries in a single year. A single regulation — the EU's CSRD — requires disclosure against over 1,100 individual data points under the ESRS. The cost of regulatory discovery — the time and expertise required to determine which regulations apply — now exceeds the cost of testing and certification for many SMEs.

2. NGO and Industry Standards

Voluntary standards that function as mandatory through commercial pressure: ISO 27001 (information security), SMETA (social audit), GOTS (organic textiles), FSC (forest products), SQF and BRC (food safety), RSPO (sustainable palm oil), Fairtrade. These are not laws. No government requires them. But every major retailer and procurement department does — and a supplier without them is automatically deselected from shortlists before a human buyer reviews the application.

In 2024, Sedex reported over 75,000 members across 180 countries. The Global Food Safety Initiative (GFSI) benchmarks standards used by hundreds of thousands of food facilities worldwide. The ISO Survey 2023 reported 71,549 valid ISO 27001 certifications globally. These numbers are not driven by regulation — they are driven by B2B procurement requirements that treat voluntary certifications as commercial prerequisites.

3. Private Platform Requirements

The newest and fastest-growing layer. Amazon's compliance enforcement system — automated document requests, ASIN suppression, and 72-hour deadlines — has made compliance documentation a listing requirement for millions of sellers. Walmart, Target, and Costco have supplier compliance portals that require product safety certificates, social audit reports, and sustainability disclosures to be uploaded and verified. Enterprise procurement platforms (SAP Ariba, Coupa, Jaggaer) integrate compliance verification into the supplier onboarding workflow — automatically flagging suppliers with expired or missing documentation.

A supplier that has all its government-mandated compliance in order but cannot upload the documents to the retailer's procurement portal is non-compliant from the buyer's perspective. The regulatory obligation is satisfied. The commercial obligation is not.

The SME Discovery Problem

Large corporations have compliance departments, regulatory affairs teams, and external counsel to track regulatory changes across jurisdictions. Small and medium enterprises do not. An SME importing furniture into the US, EU, and UK needs to comply with the Lacey Act, CPSC, TSCA Title VI, CA TPPA, and Prop 65 (US); GPSR, EUDR, REACH SVHC, and EU PPWR (EU); and UKCA, UK REACH, and UK-specific safety regulations (UK) — plus retailer-specific requirements for each market.

The regulatory obligations are real. The discoverability infrastructure is missing.

At Sustalium, we built the Global Compliance Map to solve this. Enter a country and product category, and the map identifies every framework that applies — governmental, industry-standard, and commercially mandated — across 190 countries. No manual research across fifty agency websites. No discovering a regulation through its enforcement letter.

The compliance burden will not decrease. Europe's regulatory pipeline is full, US states continue to legislate, China tightens its standards, and emerging markets build their regulatory infrastructure. The businesses that survive regulatory obesity will not be the ones that hire more compliance staff — they will be the ones that build the infrastructure to know what applies before enforcement tells them.

The Multi-Market Reality: One Product, Many Rulebooks

To make the regulatory burden concrete, consider three real product scenarios:

A wooden chair sold globally. One product. The compliance stack: Lacey Act declaration (US), CPSC GCC or CPC (US), TSCA Title VI formaldehyde certification for any composite wood components (US), CA TPPA packaging certificate (US), Prop 65 warning if applicable (US), EUDR due diligence with geolocation data (EU), GPSR compliance (EU), REACH SVHC communication (EU), UKCA Declaration of Conformity (UK), UK Timber Regulation compliance (UK). That is ten frameworks for one chair, across three markets — and it does not count additional requirements for Australia (biosecurity import conditions for wood products), China (GB standards for furniture), or Saudi Arabia (SABER registration).

A cosmetic moisturizer in three markets. FDA MoCRA facility registration and product listing (US), EU CPSR and CPNP notification (EU), UK CPSR and SCPN notification (UK), plus packaging compliance in each market. Three separate safety assessments. Three separate product notifications. Three separate Responsible Person designations — one in the US, one in the EU, one in the UK. The moisturizer is the same formulation in every market. The regulatory paperwork is different.

A Bluetooth speaker with a lithium battery. FCC Certification and FCC ID (US), CE Mark under RED and RoHS (EU), UKCA under UK Radio Equipment Regulations (UK), CCC certification (China), G-Mark (Gulf), RCM (Australia), INMETRO (Brazil), NOM (Mexico), plus UN 38.3 testing for the lithium battery (required globally for transport), plus country-specific e-waste registrations (25 US states, every EU Member State, UK, Australia, multiple Canadian provinces). One speaker. Nine certification schemes. Lithium battery testing that costs \(1,000-\)3,000 but the administrative cost of registering e-waste compliance across 30+ jurisdictions dwarfs the testing cost.

The multiplication effect is what makes regulatory obesity commercially dangerous. The testing for a single market is manageable. The testing for three markets adds 50-70% to the single-market cost through multi-standard lab sessions. But the certification management — tracking which certificates exist for which products in which markets, when each certificate expires, which standards were cited, which laboratory performed the testing — multiplies with each market and each standard. A business with 10 products in 5 markets is potentially managing 50 sets of compliance documentation. Spreadsheets break. PDF folders break. The infrastructure has to scale.


Last updated: July 1, 2026