Non-functional Application Requirements: Compliance

Compliance isn’t just a checkbox. It’s the difference between a thriving business and a company facing €1.2 billion in fines. In 2023, Meta paid that staggering amount for GDPR violations related to improperly transferring user data from the EU to the U.S. Meanwhile, healthcare organizations faced $4.75 million settlements for HIPAA failures, and retailers continued paying for breaches years after they occurred.

Understanding compliance isn’t optional anymore. It’s the foundation of sustainable software development. Whether you’re building a healthcare app, processing payments, or launching a SaaS platform, compliance requirements shape your architecture, influence your cloud provider choices, and directly impact your bottom line.

This article breaks down what compliance really means, why it matters more than ever, and exactly how to implement it using AWS services before you become the next cautionary tale.

What: Understanding Compliance Frameworks and Requirements

Compliance represents your legal and contractual obligation to handle data according to specific regulatory standards. Unlike optional best practices, compliance failures result in mandatory fines, lawsuits, and business shutdowns. Modern applications typically need to comply with multiple frameworks simultaneously. A healthcare SaaS might need HIPAA, GDPR, and SOC 2 compliance all at once.

The Major Compliance Frameworks

1. GDPR (General Data Protection Regulation)

Scope: Any organization processing personal data of EU residents, regardless of company location.

Key Requirements:

• Lawful Basis for Processing: You must have a valid legal reason to process personal data (consent, contract, legitimate interest, etc.)
• Data Subject Rights: Users can request access, deletion, portability, and rectification of their data
• Privacy by Design: Data protection must be built into systems from the start
• Breach Notification: Must notify authorities within 72 hours of discovering a breach
• Data Protection Officer (DPO): Required for organizations processing data at scale

Real-World Violation: In May 2023, Ireland’s Data Protection Commission fined Meta €1.2 billion for transferring EU user data to the U.S. without adequate safeguards. This remains the largest GDPR fine ever imposed. More recently, in 2024, the Dutch DPA fined Uber €290 million for transferring sensitive driver data from the EU to the US without proper transfer mechanisms after they stopped using Standard Contractual Clauses in 2021.

2. HIPAA (Health Insurance Portability and Accountability Act)

Scope: U.S. healthcare providers, health plans, healthcare clearinghouses, and their business associates.

Key Requirements:

• Privacy Rule: Establishes standards for protecting individuals’ medical records and personal health information (PHI)
• Security Rule: Requires administrative, physical, and technical safeguards to protect electronic PHI (ePHI)
• Breach Notification Rule: Mandates notification to affected individuals, HHS, and sometimes the media
• Risk Analysis: Organizations must conduct thorough security risk assessments
• Business Associate Agreements (BAAs): Required contracts with any vendor handling PHI

Real-World Violation: In February 2024, Montefiore Medical Center settled with HHS for $4.75 million following a malicious insider cybersecurity investigation. The breach occurred when an employee stole and sold the protected health information of 12,517 patients. This case highlighted that threats don’t just come from external hackers. Insider threats require equally rigorous controls.

3. PCI DSS (Payment Card Industry Data Security Standard)

Scope: Any organization that stores, processes, or transmits cardholder data.

Key Requirements:

• Build and Maintain a Secure Network: Install firewalls and don’t use vendor-supplied defaults
• Protect Cardholder Data: Encrypt transmission and storage of cardholder data
• Maintain a Vulnerability Management Program: Use and regularly update antivirus, develop secure systems
• Implement Strong Access Control Measures: Restrict access on a need-to-know basis
• Regularly Monitor and Test Networks: Track and monitor all access, regularly test security systems
• Maintain an Information Security Policy: Create comprehensive security policies for personnel

Real-World Violation: In 2013, Target suffered one of the most infamous PCI compliance breaches when hackers stole 40 million credit card numbers. Despite having a $1.6 million malware detection tool in place, Target missed critical warnings for three weeks. The result? An $18.5 million multi-state settlement, over $202 million in total costs, and lasting reputational damage.

4. SOC 2 (System and Organization Controls 2)

Scope: Service organizations that store customer data in the cloud.

Key Requirements (Trust Service Criteria):

• Security: Protection against unauthorized access
• Availability: System accessibility as contractually agreed
• Processing Integrity: System processing is complete, valid, accurate, timely, and authorized
• Confidentiality: Information designated as confidential is protected
• Privacy: Personal information is collected, used, retained, disclosed, and disposed of properly

Business Impact: Many enterprise organizations won’t even consider vendors without SOC 2 Type II certification. A failed audit can mean losing major deals and damaging your market position.

5. ISO 27001

Scope: Any organization seeking to establish, implement, maintain, and continually improve an information security management system (ISMS).

Key Requirements:

• Risk Assessment: Identify and assess information security risks
• Risk Treatment: Implement controls to address identified risks
• Documentation: Maintain comprehensive documentation of the ISMS
• Internal Audits: Regular internal audits of the ISMS
• Management Review: Senior management oversight and commitment
• Continuous Improvement: Ongoing enhancement of the ISMS

Business Impact: ISO 27001 certification is often required for government contracts and enterprise partnerships, particularly in Europe and internationally.

6. CCPA/CPRA (California Consumer Privacy Act/California Privacy Rights Act)

Scope: Businesses collecting personal information of California residents meeting certain thresholds.

Key Requirements:

• Right to Know: Consumers can request what personal information is collected
• Right to Delete: Consumers can request deletion of their personal information
• Right to Opt-Out: Consumers can opt out of the sale of their personal information
• Right to Correct: Consumers can request correction of inaccurate information (CPRA)
• Right to Limit Use: Consumers can limit use of sensitive personal information (CPRA)

Why: The Critical Importance of Compliance

Security isn’t just a “nice-to-have” feature. It’s essential. Let’s consider why a robust compliance strategy is non-negotiable:

Financial Impact

The numbers tell a compelling story:

• €5.88 billion: Total GDPR fines issued since 2018 through 2025
• €1.2 billion: Single largest GDPR fine (Meta, 2023)
• $4.88 million: Average cost of a data breach globally in 2024 (IBM)
• $174,000: Additional average cost for non-compliant organizations per breach
• 10%: Year-over-year increase in breach costs, the highest total ever recorded

For payment processing, the stakes are equally high:

• $5,000 – $100,000/month: Typical PCI non-compliance penalties
• $50 – $90 per customer: Additional fines per affected individual after a breach
• Revoked merchant license: The ultimate penalty, losing the ability to accept credit cards entirely

Trust and Reputation

A single data breach can erode user trust for years. The reputational damage leads to:

• Customer churn and loss of market share
• Media fallout and public relations crises
• Difficulty attracting enterprise customers
• Challenges in recruiting top talent
• Investor concern and reduced valuations

When TikTok faced its €530 million GDPR fine in 2025 for transferring EU user data to China without adequate safeguards, the damage extended far beyond the financial penalty. The investigation revealed that engineers in China routinely accessed sensitive information of European users. That revelation intensified regulatory scrutiny and user concern globally.

Operational Stability

Insecure, non-compliant applications are more vulnerable to:

• Cyber attacks that cause downtime and data loss
• Ransomware incidents that halt operations
• Regulatory investigations that consume resources
• Mandatory forensic examinations after breaches
• Court-ordered operational changes

The Compound Effect

When compliance is compromised, it’s not just a technical issue. It’s a business crisis. Consider LinkedIn’s 2024 experience: the Irish DPC fined them €310 million for processing user data for behavioral analysis and targeted advertising without a valid legal basis. The company not only paid the fine but was ordered to bring its data processing into compliance, requiring significant technical and operational changes.

When: Embedding Compliance from Day One

In today’s rapid development environments, compliance needs to be part of the design and development process from the outset. The earlier compliance is embedded, the less costly it is to manage and mitigate issues later. This “shift-left” approach focuses on integrating compliance practices throughout the entire development lifecycle.

Key Stages to Integrate Compliance

Design Phase

• Data Flow Mapping: Document what data you collect, where it’s stored, how it flows through your system, and who has access
• Compliance Requirements Analysis: Identify which frameworks apply to your business based on geography, industry, and data types
• Privacy Impact Assessments: Evaluate how new features or systems might affect user privacy
• Architecture Decisions: Choose infrastructure and services that support compliance requirements (e.g., data residency)

Development Phase

• Secure Coding Practices: Implement encryption, input validation, and secure authentication from the start
• Data Minimization: Collect only the data you actually need
• Access Controls: Build role-based access control (RBAC) into your application
• Audit Logging: Implement comprehensive logging of data access and modifications
• Configuration as Code: Use infrastructure as code to ensure consistent, compliant deployments

Testing and QA Phase

• Compliance Testing: Automated checks for compliance with relevant standards
• Penetration Testing: Regular security assessments to identify vulnerabilities
• Data Protection Testing: Verify encryption, access controls, and data handling procedures
• Audit Trail Verification: Ensure all required events are being logged correctly

Deployment and Operations Phase

• Continuous Monitoring: Real-time compliance posture assessment
• Automated Remediation: Immediate response to compliance drift
• Incident Response Plans: Documented procedures for breach notification and handling
• Regular Audits: Scheduled compliance assessments and certifications

The Cost of Delay

Addressing compliance after the fact is exponentially more expensive:

• Design phase fix: ~1x cost
• Development phase fix: ~6x cost
• Testing phase fix: ~15x cost
• Production fix: ~100x cost

By shifting compliance left, you address potential issues early, reducing the risk of costly fixes, regulatory penalties, and reputational damage down the road.

Where: Leveraging AWS Compliance Services

AWS offers a comprehensive suite of services that cover different aspects of application compliance. Let’s explore the key tools and how they work together to create a robust compliance infrastructure.

AWS CloudTrail: Your Audit Log Foundation

CloudTrail is the foundational service for compliance on AWS. It records all API activity across your AWS infrastructure, providing an immutable audit log that’s essential for compliance.

Key Features:

• Comprehensive Logging: Captures API calls from the console, CLI, SDKs, and other AWS services
• Event History: 90 days of management events free, with trails for longer retention
• CloudTrail Lake: Enables SQL-based querying of event data for investigations
• Integrity Validation: Log file integrity validation ensures logs haven’t been tampered with

Compliance Value:

• Satisfies audit logging requirements for HIPAA, PCI DSS, SOC 2, and GDPR
• Provides evidence for security investigations and incident response
• Enables detection of unauthorized access or suspicious activity

# Example: Creating a CloudTrail trail with log file validation
import boto3

cloudtrail = boto3.client('cloudtrail')

response = cloudtrail.create_trail(
    Name='compliance-trail',
    S3BucketName='your-audit-logs-bucket',
    IncludeGlobalServiceEvents=True,
    IsMultiRegionTrail=True,
    EnableLogFileValidation=True,
    KMSKeyId='your-kms-key-arn'  # Encrypt logs at rest
)

AWS Config: Continuous Configuration Assessment

AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of configurations against desired compliance rules.

Key Features:

• Configuration Recording: Tracks resource configurations over time
• Config Rules: Define rules that evaluate configurations against compliance requirements
• Conformance Packs: Collections of rules mapped to compliance standards (PCI DSS, HIPAA, etc.)
• Automatic Remediation: Trigger automated fixes when resources drift from compliance

Pre-Built Conformance Packs:

• AWS Operational Best Practices for PCI DSS 3.2.1
• AWS Operational Best Practices for HIPAA
• AWS Operational Best Practices for GDPR
• AWS Operational Best Practices for CIS AWS Foundations Benchmark

# Example: AWS Config Rule for S3 bucket encryption
Resources:
  S3BucketEncryptionRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-server-side-encryption-enabled
      Description: Checks whether S3 buckets have server-side encryption enabled
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket

AWS Security Hub: Centralized Security Posture Management

Security Hub aggregates findings from multiple AWS security services and third-party tools, providing a comprehensive view of your security and compliance posture.

Key Features:

• Automated Security Checks: Continuous compliance evaluation against industry standards
• Finding Aggregation: Centralized view from GuardDuty, Inspector, Config, and third-party tools
• Security Score: At-a-glance view of overall compliance status
• Cross-Account Visibility: Aggregate findings across your entire AWS organization

Supported Compliance Standards:

• CIS AWS Foundations Benchmark (v1.2.0, v1.4.0, v3.0.0)
• AWS Foundational Security Best Practices
• PCI DSS v3.2.1
• NIST Special Publication 800-53 Revision 5

# Example: Enabling Security Hub with standards
import boto3

securityhub = boto3.client('securityhub')

# Enable Security Hub
securityhub.enable_security_hub(
    EnableDefaultStandards=False
)

# Enable specific standards
securityhub.batch_enable_standards(
    StandardsSubscriptionRequests=[
        {
            'StandardsArn': 'arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.4.0'
        },
        {
            'StandardsArn': 'arn:aws:securityhub:::ruleset/pci-dss/v/3.2.1'
        }
    ]
)

AWS Audit Manager: Automated Audit Evidence Collection

Audit Manager helps you continuously audit your AWS usage and simplify how you assess risk and compliance with regulations and industry standards.

Key Features:

• Prebuilt Frameworks: Ready-to-use frameworks for GDPR, HIPAA, PCI DSS, SOC 2, ISO 27001, and more
• Automated Evidence Collection: Automatically gathers evidence from CloudTrail, Config, Security Hub
• Custom Frameworks: Create frameworks tailored to your specific compliance needs
• Assessment Reports: Generate audit-ready reports for stakeholders and auditors

Evidence Types Collected:

• Configuration data from API calls
• User activity from CloudTrail logs
• Compliance check results from Security Hub and AWS Config
• Manual evidence uploads for documentation and procedures

# Example: Creating an assessment in Audit Manager
import boto3

audit_manager = boto3.client('auditmanager')

# Create an assessment using the SOC 2 framework
response = audit_manager.create_assessment(
    name='SOC2-Annual-Audit-2025',
    description='Annual SOC 2 Type II audit assessment',
    assessmentReportsDestination={
        'destinationType': 'S3',
        's3BucketName': 'your-audit-reports-bucket'
    },
    scope={
        'awsAccounts': [
            {'id': '123456789012'}
        ],
        'awsServices': [
            {'serviceName': 'S3'},
            {'serviceName': 'EC2'},
            {'serviceName': 'RDS'},
            {'serviceName': 'Lambda'}
        ]
    },
    roles=[
        {
            'roleType': 'PROCESS_OWNER',
            'roleArn': 'arn:aws:iam::123456789012:role/AuditProcessOwner'
        }
    ],
    frameworkId='SOC2-framework-id'  # Use prebuilt SOC 2 framework
)

AWS Artifact: Compliance Documentation Hub

AWS Artifact provides on-demand access to AWS compliance documentation and enables you to manage agreements with AWS.

Key Features:

• Compliance Reports: Access AWS SOC reports, PCI DSS attestation, ISO certifications
• Agreements: Accept and manage AWS Business Associate Agreement (BAA) for HIPAA
• Third-Party Audit Reports: Review independent auditor assessments of AWS
• Self-Service Access: Download reports anytime for audit preparation

Available Reports Include:

• SOC 1, SOC 2, and SOC 3 Reports
• PCI DSS Attestation of Compliance
• ISO 27001, 27017, 27018, and 9001 Certifications
• FedRAMP Documentation
• HIPAA Eligible Services and BAA

AWS Macie: Automated Data Discovery and Protection

Amazon Macie uses machine learning to automatically discover, classify, and protect sensitive data in AWS.

Key Features:

• Automated Discovery: Continuously scans S3 buckets for sensitive data
• Classification: Identifies PII, PHI, financial data, and custom data types
• Security Alerts: Generates findings when sensitive data is at risk
• Data Inventory: Provides visibility into what sensitive data exists and where

Compliance Value:

• Supports GDPR data mapping requirements
• Helps maintain HIPAA PHI inventories
• Identifies PCI DSS cardholder data exposure

Layer 1 – CloudTrail (Foundation): Records all API activity
Layer 2 – AWS Config (Configuration): Monitors resource configurations against rules
Layer 3 – Security Hub (Dashboard): Aggregates findings and provides compliance scores
Layer 4 – Audit Manager (Evidence): Collects evidence and generates audit reports

Who: The Roles and Responsibilities in Compliance

Compliance is a shared responsibility. It’s not just within your organization but also with your cloud provider. Understanding AWS’s Shared Responsibility Model is crucial for compliance success.

The AWS Shared Responsibility Model

AWS is responsible for:

• Physical security of data centers
• Infrastructure hardware and software
• Network infrastructure
• Virtualization layer

You are responsible for:

• Data encryption and protection
• Identity and access management
• Network traffic protection
• Application security
• Operating system and platform configuration
• Compliance with specific regulations for your industry

Roles Within Your Organization

Compliance Officers

• Define compliance requirements and policies
• Coordinate with legal and regulatory bodies
• Oversee audit processes and certifications
• Report to executive leadership on compliance posture

Cloud Architects and DevOps Engineers

• Design compliant architectures
• Implement security controls and automation
• Configure AWS compliance services
• Maintain infrastructure as code for consistent deployments

Developers

• Write secure, compliant code
• Implement data protection at the application level
• Follow secure SDLC practices
• Conduct code reviews with security in mind

Security Analysts

• Monitor security alerts and compliance dashboards
• Investigate potential violations
• Respond to incidents
• Conduct risk assessments

Data Protection Officers (where required)

• Ensure GDPR compliance
• Handle data subject requests
• Conduct privacy impact assessments
• Advise on data protection matters

Building a Compliance Culture

Successful compliance requires more than tools and processes. It requires a culture where everyone understands their role:

1. Executive Sponsorship: Compliance initiatives must have visible support from leadership
2. Training Programs: Regular training on compliance requirements and procedures
3. Clear Ownership: Defined responsibilities for each compliance domain
4. Incentive Alignment: Ensure security and compliance goals are reflected in team objectives
5. Continuous Communication: Regular updates on compliance status and changes

Compliance Best Practices: Building a Resilient Application

1. Implement Defense in Depth

Don’t rely on a single control. Layer your compliance measures:

• Network segmentation and encryption
• Application-level access controls
• Data encryption at rest and in transit
• Comprehensive logging and monitoring

2. Automate Everything Possible

Manual compliance processes don’t scale:

• Use AWS Config conformance packs for automated evaluation
• Implement automated remediation for common issues
• Deploy infrastructure as code for consistent, compliant deployments
• Schedule automated compliance reports

3. Maintain Comprehensive Documentation

Auditors will ask for evidence:

• Document all security policies and procedures
• Maintain records of training and awareness programs
• Keep evidence of regular reviews and updates
• Archive audit logs with integrity verification

4. Plan for Breach Notification

Hope for the best, prepare for the worst:

• Create incident response playbooks
• Define notification procedures for each regulation
• Maintain contact information for regulatory authorities
• Practice incident response with tabletop exercises

5. Implement Data Minimization

You can’t lose what you don’t have:

• Collect only the data you need
• Implement data retention policies
• Securely delete data when no longer needed
• Anonymize or pseudonymize where possible

6. Regular Compliance Audits

Don’t wait for the external audit to find issues:

• Conduct internal audits quarterly
• Use AWS Audit Manager for continuous assessment
• Address findings promptly
• Track remediation progress

7. Monitor Third-Party Risk

Your compliance extends to your vendors:

• Require compliance certifications from vendors
• Include compliance requirements in contracts
• Regular assessment of third-party security
• Maintain business associate agreements (BAAs) where required

Conclusion: Compliance as a Competitive Advantage

In an era where data breaches make headlines daily and regulatory scrutiny intensifies, compliance isn’t just about avoiding fines. It’s a competitive differentiator.

Companies that prioritize compliance:

• Win enterprise deals that require SOC 2 and ISO 27001 certifications
• Expand globally with confidence in meeting GDPR and regional requirements
• Build customer trust through demonstrated commitment to data protection
• Reduce risk of costly breaches and regulatory actions
• Operate efficiently with automated compliance processes

AWS provides the tools to make compliance manageable and affordable. By combining CloudTrail for audit logging, AWS Config for continuous monitoring, Security Hub for centralized visibility, and Audit Manager for evidence collection, you can build a compliance program that scales with your business.

Remember: The best time to implement compliance was when you started building. The second best time is now.

Cover Image: AWS re:Invent 2023 – Keynote with Dr. Werner Vogels

This article is part of a series on Non-functional Application Requirements. Read the previous articles:

• Non-functional Application Requirements: An Introduction
• Non-functional Application Requirements: Security

Next up: Accessibility – Designing for Everyone