“We are ISO 27001 certified, are we DORA compliant?” Not so fast. ISO 27001 and DORA both focus on cybersecurity and risk management, but they serve very different purposes. If you're a financial institution or an ICT provider working with financial institutions in the EU, DORA compliance is mandatory, and ISO 27001 alone won’t get you there. Let’s break it down:

1. Regulatory vs. Voluntary Framework
↳ ISO 27001 – A voluntary international standard for information security management.
↳ DORA – A mandatory EU regulation for financial entities and their ICT providers, with strict oversight and penalties for non-compliance.

2. Scope and Focus
↳ ISO 27001 – Offers a customizable scope tailored to organizational needs, focusing on information security (confidentiality, integrity, availability) based on specific risk assessments and chosen controls.
↳ DORA – Enforces a standardized scope across financial entities, extending beyond security to operational resilience. It ensures institutions can withstand, respond to, and recover from ICT disruptions while maintaining service continuity.

3. Key Compliance Gaps
🔸 Incident Reporting
↳ ISO 27001 – Requires incident management but doesn’t impose strict deadlines or mandate reporting to regulators, as it is a flexible standard.
↳ DORA – 4 hours to report a major incident, 72 hours for an update, 1 month for a root cause analysis.
🔸 Security Testing
↳ ISO 27001 – Requires vulnerability management but leaves testing methods and frequency to organizational risk.
↳ DORA – Annual resilience testing, threat-led penetration testing every 3 years, continuous vulnerability scanning.
🔸 Third-Party Risk Management
↳ ISO 27001 – Covers supplier risk but with general security controls.
↳ DORA – Enforces contractual obligations, exit strategies, and regulatory audits for ICT providers working with financial institutions.

4. How can financial institutions and ICT providers address the delta?
✅ Perform a DORA Gap Analysis – Identify missing controls beyond ISO 27001. (Hopefully, you're not still at this stage now that DORA has been mandatory since January 17, 2025.)
✅ Upgrade Incident Response – Implement real-time monitoring and reporting mechanisms to meet DORA’s deadlines.
✅ Enhance Security Testing – Introduce formalized resilience testing and threat-led penetration testing.
✅ Strengthen Third-Party Risk Management – Update contracts, prepare for regulatory audits, and ensure exit strategies comply with DORA.
✅ Improve Business Continuity Planning – Move from cybersecurity alone to full digital operational resilience.

💡 ISO 27001 is just the tip of the iceberg - beneath the surface lie significant gaps that only DORA addresses.
👇 What’s the biggest challenge in aligning with DORA? Let’s discuss.
♻️ Repost to help someone.
🔔 Follow Amine El Gzouli for more.
Navigating Regulatory Compliance in Science
-
🔄 Mastering KYC Renewals 🔄 (Part 2)

⚠️ Risk management during KYC renewals is where many compliance teams stumble. It’s not just about updating records, it’s about catching early warning signs before they turn into regulatory or reputational disasters. spektr’s latest guide dives deep into how to make KYC renewals a proactive, risk-driven process that enhances compliance, rather than slowing operations down.

🚨 A one-size-fits-all renewal process is inefficient and risky. High-risk customers need continuous scrutiny, while low-risk ones should flow through with minimal friction. Many organizations struggle with outdated workflows that apply the same checks to all clients, wasting resources and missing critical red flags. spektr’s guide explains how to build a risk-based, scalable renewal framework.

👌 Key takeaways from the report:
📌 Real-time risk detection: Instead of waiting for scheduled reviews, integrate adverse media, beneficial ownership changes, and transaction anomalies into your renewal triggers.
📌 Risk-based reviews that actually work: High-risk cases escalate automatically, medium-risk customers go through threshold-based reviews, and low-risk clients are auto-validated, reducing manual workload.
📌 Regulatory agility: AML regulations are evolving fast. The guide outlines key upcoming changes (EU AML Directives V & VI, U.S. AML Act 2024) and how to adapt policies seamlessly.
📌 Seamless compliance: Move beyond rigid, one-off reviews. The right framework ensures renewals are smooth, risk-aligned, and audit-ready at all times.
📌 Case study: catching risks before it's too late. A fintech discovered a high-risk beneficial owner change months after it happened, leaving them exposed to regulatory scrutiny. spektr’s approach prevents these blind spots by enabling real-time risk assessment.

💡 Why does this matter? Traditional KYC renewal processes are reactive and inefficient. By shifting to a proactive, risk-based model, compliance teams can mitigate threats before they escalate, without creating unnecessary customer friction.

📥 This is Part 2 of the KYC Renewals guide, focusing on risk-based frameworks and regulatory agility. For those who missed Part 1, we covered efficiency, automation, and customer experience in renewals. The full guide is available right there! ⬇

Are you passionate about an AML-related topic? 🤔 Would you like to write about it and reach over 24k compliance professionals? 🔥 If so, just send me a message to work out the details! 🙂

#compliance #financialcrime #moneylaundering #aml Alba Mikkel
-
Finally! The EU MDCG has delivered the regulatory clarity we've been waiting for Digital Health and Apps Stores in the EU. The new MDCG 2025-4 Guidance on Medical Device Software Apps officially confirms what many of us have been advocating: Apple and Google are now explicitly classified as Medical Device Software Distributors under EU MDR & IVDR Article 14 because of their Apps Stores. This means both tech giants bear legal liability for medical device software apps distributed through their platforms. No more regulatory grey zone.

What This Changes:

For Platform Operators:
- Legal responsibility to ensure proper MDR/IVDR compliance before allowing medical device apps on their stores
- Obligation to verify manufacturer compliance documentation
- Potential liability for non-compliant medical device software distribution

For SaMD Developers:
- Clearer regulatory pathway with defined distributor responsibilities - no loss of connection to their patients
- Reduced compliance uncertainty when launching digital therapeutics - should they use app stores or not?
- Platform operators now share accountability in the medical device supply chain - closing the gap on traceability to better protect people from harmful and faulty Digital Health apps.

The guidance specifically addresses section 3.2, establishing that major app stores cannot simply act as neutral platforms when distributing medical device software. They're now active participants in the regulatory framework. This development fundamentally shifts how digital health solutions reach patients. Every digital therapeutics company, SaMD developer, and health app creator now operates under a framework where Apple and Google must actively ensure medical device compliance.

The Reality Check:

While this provides much-needed clarity, implementation will be complex. How will these platforms verify compliance? What review processes will they establish? The next 12 months will be critical as both sides adapt to these new obligations. Would we see the same interpretation in the EU, UK, or AUS?

At Complear, we've been preparing for this regulatory evolution. We're developing digital tools to help both platforms and manufacturers navigate these new distributor obligations efficiently. We are witnessing a new era of software accountability, with even Big Tech platforms having to comply with everyone else's rules, and assume their critical role in medical device distribution of Digital Health.

#MDCG #MedicalDevices #SaMD #DigitalHealth #MDR #IVDR #RegulatoryCompliance
-
Met with a first-time MedTech CEO who's facing a 9-month product launch delay due to regulatory issues that could have been avoided. This scenario is playing out across the industry right now as the EU MDR transition periods are closing and FDA is increasing scrutiny on submissions.

I've noticed a concerning trend: companies are building amazing medical technologies but treating regulatory strategy as an afterthought rather than a foundational element of product development.

Let me share what actually works:

The most successful device launches we've supported have regulatory and quality considerations built into the design process from DAY ONE. When your competitors are scrambling to fix regulatory issues, you're already in the market generating revenue. One client saved a ton of money in development costs and launched 8 months earlier simply by having our team review their design inputs before finalizing specifications.

We're seeing smart MedTech leaders shift from the reactive "we'll deal with FDA/EU MDR when we get there" approach to proactive regulatory planning that becomes a competitive advantage. Quality and regulatory shouldn't be the department of "no"; they should be your pathway to "yes, faster".

Are you building regulatory strategy into your product development from the beginning, or are you risking costly delays by treating it as a checkbox exercise?

If you're leading a MedTech company with upcoming submissions or facing regulatory challenges, I'd be happy to share our regulatory roadmap template. Just drop a comment or message me directly.
-
Just finished reading the new Global Investor Commission on Mining 2030 report and it’s a clear signal where capital is heading. Investors aren’t walking away from mining. They’re doubling down, but with clear conditions.

Over 120 financial institutions representing US $18 trillion in assets have backed the Commission, calling for every mine and processing facility to be independently assessed against credible standards by 2035, with transparent assurance, full disclosure, and no tolerance for tailings harm.

The document sets a high bar. It pushes for every tailings facility to operate with zero harm to people and the environment within a decade, and for companies to show clear, funded mine closure and rehabilitation plans. It even goes further, proposing a new investment ecosystem where responsible operators are rewarded and integrating mining into sustainable finance taxonomies, developing sustainability-linked debt instruments, and creating an international performance framework that rates companies on social, environmental, and governance delivery.

Behind the policy language is a practical truth: investors know the world still needs mining. The report mentions the industry supports activity in 151 countries, and that demand for minerals will triple from around 10 million to more than 30 million tonnes by 2050 under net-zero scenarios. The challenge isn’t whether mining happens; it’s whether the capital backing it can trust the operators doing it.

That’s the shift: the industry’s future cost of capital will hinge on proof, not promises. If these expectations become embedded in investor mandates, capital will flow toward miners who can demonstrate discipline, data, and delivery, and away from those who can’t.

For more of my takes on the resource industry, sign up to my weekly newsletter: www.kamoacap.com

#Mining #Exploration #Resources #CapitalMarkets #Sustainability
-
Donald Trump may have paused his trade war with everyone else, but he continues to target his strongest opponent, China. And that fight is about much more than toys and mobile phones. America’s tech and military supremacy hang in the balance. China has a hammerlock on the global supply of the critical minerals and rare earths that are essential to computing, electronics and military hardware. In short, they’re the fertilizer of national security.

According to research from our team at RBC Thought Leadership, Canada has a big opportunity to fill the void, and provide the U.S. with more critical minerals and rare earths elements. I’m grateful to my colleague, Vivan Sorab, for unearthing some critical points about where we’re at:

➡️ China controls 61% of global production of Rare Earth Elements, and 92% of refining capacity.
➡️ China controls 82% of global graphite production, and 91% of refining capacity.
➡️ China controls 98% of primary gallium production and 89% of refining capacity.
➡️ China has 60 mineral smelters; the U.S. has two.
➡️ China imposed new export controls on rare earth elements on April 4, as part of its response to Trump’s tariff threats.
➡️ The restrictions apply to seven rare earth elements, including defence-critical rare earths like samarium, terbium, and scandium, as well as their compounds and certain derivative products like magnets. Certain magnets are critical to military equipment, among other uses.
➡️ This is in addition to China’s export restrictions on gallium and germanium — both key inputs to defence technologies like night-vision goggles and technology-industry components like semiconductor chips and fibre optic cables.
➡️ China has also banned exports of antimony, which is a key input to ammunition, explosives, and infrared sensors.
➡️ A typical artillery tank requires more than 20 different critical minerals for its navigation, communications, and combat systems.
➡️ An F-35 jet relies on almost 1,000 pounds of rare earth elements.
➡️ After the China ban, Canada stepped in to supply 53% of U.S. gallium needs in 2024, up from 9% in 2021. Much of this came from gallium recycling at Neo Performance Materials’ site in Peterborough, Ontario.
➡️ Also after the ban, Canada supplied 20% of U.S. germanium oxide imports in 2023, through Teck’s Trail zinc smelting facility in B.C.
➡️ A rare earths processing facility at the Saskatchewan Research Council is being mobilized to process key rare earth metals, including terbium and dysprosium, which are part of China’s newest export controls.

Read more from Vivan and our colleague Shaz Merwat in The New Great Game, their recent report on the geopolitical fight for mineral dominance. https://lnkd.in/gWUypBgy

Jay Khosla Public Policy Forum Natural Resources Canada (NRCan) Energy and Electrification | Énergie et de l’Électrification Janice Stein Jonathan Hausman Stephen Lecce
-
MDR Annex II: Ultimate Guide for Organizing Your Technical Documentation

Missing crucial regulatory strategies is like building a skyscraper out of paper. There will be a result, but it will not meet expectations. Here is one of my paper-skyscraper experiences: I underestimated how important it is to properly organize a Technical Documentation. Back then, my folders were chaotic—mixing risk management files, clinical data, and product descriptions without a clear structure.

This is where Annex II of the EU MDR comes into play. It provides a clear structure for your technical documentation, breaking it into 6 key chapters. Here’s a breakdown of Annex II and how to use it effectively:

1. Device Description and Specification
↳ Define the device’s intended purpose and classification.
↳ Include key design features and technical characteristics.
↳ Think of this as your product’s “business card.”

2. Information to Be Supplied by the Manufacturer
↳ Includes all device labels for single-unit, sales, and transport packaging.
↳ Labels must be provided in the languages accepted by Member States.
↳ Instructions for use (IFU) must also comply with language requirements.

3. Design and Manufacturing Information
↳ Describe development and manufacturing processes.
↳ Use flowcharts for clarity and simplicity.
↳ Show alignment between production and quality standards.

4. General Safety and Performance Requirements (GSPRs)
↳ Create a checklist linking evidence to Annex I requirements.
↳ Use a matrix to map compliance for each GSPR.
↳ Highlight key tests and documents supporting each claim.

5. Benefit-Risk Analysis and Risk Management
↳ Follow ISO 14971 principles for risk management.
↳ Show links between risks, mitigations, and residual risks.
↳ Document how benefit outweighs any residual risk.

6. Verification and Validation Data
↳ Provide clinical evaluations and performance testing results.
↳ Include usability studies to show real-world safety.
↳ Prove the device works as intended for its purpose.

Why Follow Annex II? When a Technical Documentation is well-organized:
→ Auditors can quickly find what they need.
→ Your team works more efficiently during submission preparation.
→ Regulatory delays are minimized, and certification is faster.

For my first project, I learned the hard way. Today, I always organize a Technical Documentation based on Annex II’s chapters—and it’s made all the difference.

P.S. Are you organizing your Technical Documentation according to Annex II? Or do you follow a different structure?

----------------------------------
MedTech regulatory challenges can be complex, but smart strategies, cutting-edge tools, and expert insights can make all the difference. I’m Tibor, passionate about leveraging AI to transform how regulatory processes are automated and managed. Let’s connect and collaborate to streamline regulatory work for everyone!

#automation #regulatoryaffairs #medicaldevices
-
What's striking about China's new export controls on rare earths is that they are structured to mimic U.S. extraterritorial controls on AI chips and semiconductor manufacturing equipment. The assertion of jurisdiction over third-country exports, the requirement for a re-export license, the small percentage of Chinese content that triggers a re-export license requirement, and the presumption of denial for military uses are all quite similar to U.S. export controls. Even some of the wording is similar to Commerce Department regulations. This suggests that China is again seeking leverage via rare earths, with the intent of getting the U.S. to relax its own controls on chip technology and manufacturing gear. Having seen the U.S. trade off export controls as part of the London agreement earlier this year, China’s move could be testing the Trump administration's willingness to make another such trade at the planned summit meeting later this month. At a minimum, it shows that China can mimic U.S. export controls in a way that is painful for Western companies.
-
[🇨🇳 China Introduces Extraterritorial Export Controls Affecting Non-Chinese Companies Overseas]

For example, an EU company that manufactures a product in the EU incorporating certain Chinese-origin goods must obtain a license from China’s Ministry of Commerce to export it legally. This mirrors the US-style extraterritorial export control rules.

China will require a Chinese export license for exports from outside China (e.g., from the EU) if:
🛑 The product is made abroad and contains, integrates, or mixes Chinese-origin items listed in MOFCOM Announcement No. 61 (foreign-made rare-earth magnets and certain semiconductor materials), and the value share of those Chinese items is ≥ 0.1%.
🚫 Applications involving military users, entities on MOFCOM’s control or concern lists (including subsidiaries with ≥50% ownership), or for WMD, terrorism, or military end-uses are “in principle not approved.”

❗️These rules will apply starting 1 December 2025.❗️ License application must be made in Chinese, here: https://lnkd.in/d7YbP4kt.

Separately, export controls on Chinese companies are effective ❗️immediately❗️. These cover exports of technologies related to rare-earth mining, separation, metal smelting, magnet manufacturing, and recycling. “Export” includes transfers from China to abroad and the provision of controlled technologies to foreign persons anywhere (inside or outside China) by any means—such as licensing, investment, training, consulting, R&D, testing, or exhibitions.

China controls about 70 per cent of rare-earth mining, 90 per cent of separation and processing, and 93 per cent of magnet manufacturing.

▪️Ministry of Commerce Announcement No. 61: https://shorturl.at/p2YCP
▪️Ministry of Commerce Announcement No. 62: https://shorturl.at/FgkYb