Everyone talks about how AI will lower the cost of regulatory compliance. Almost nobody asks why that cost exists in the first place.
The European Commission estimates the administrative regulatory burden on European businesses at roughly €150 billion per year. The usual reflex is to solve it with better tools, faster processes and more automation.
But what if the real question is a different one: why did it get so expensive to begin with?
Every new regulation becomes a new project
The pattern is easy to recognise. A new regulation arrives. A new working group is set up. A new checklist is produced. A new project is launched.
GDPR got its own. NIS2 got its own. DORA got its own. And none of them talk to each other.
That’s precisely where the cost is built up.
Most regulations essentially ask the same questions. Do you know what you have? Who has access to what? Can you handle an incident? Can you show that you follow your own rules? And yet every new regulation is still treated as something entirely new. Separate tools. Separate people. Separate documentation.
Instead of asking: what of this do we already do, and where are the gaps?
The cost isn’t the regulations’ fault. It’s the structure’s
It’s easy to blame Brussels. The regulations are numerous, they overlap, they come close together. But it’s not just the regulation that builds the cost. It’s how we choose to handle it.
An organisation that treats six regulations as one governance question has one piece of work. An organisation that treats them as six separate projects has six. And when a seventh arrives in a few years, it becomes seven.
Most businesses already have a quality function. Management systems. Improvement routines. Structures that actually work in daily operations. But compliance work has often been decoupled from all of that. It lives its own life alongside ordinary operations, with its own budget, its own meetings and its own KPIs.
This isn’t a technical problem. It’s a governance problem.
AI automates what’s already there
Here’s the uncomfortable point. AI can speed things up enormously. But only if there’s something organised to speed up.
If there’s no common thread connecting decisions, risks and actions, you’re just automating chaos faster. Checklists get generated faster. Reports get written faster. But the result is the same isolated silos as before, now with an AI label on them.
AI is a multiplier. If what’s being multiplied is broken, the result is just more broken, in larger volume.
The organisational debt behind compliance cost
In software development, we talk about technical debt. Every shortcut taken today creates a cost tomorrow. The system works but becomes hard to change, hard to maintain, hard to trust.
The same logic applies to governance. Every time a regulation has been solved with a separate project, the organisation has added to its governance debt. Every time a decision was made without traceability, every time a risk was accepted without documentation, the debt has grown.
It doesn’t show up immediately. But it’s there. And it becomes visible when the next regulation arrives and the whole exercise starts over from zero.
It’s the same systemic change that never arrives. The same gaps, the same patterns, new projects. And the cost just keeps climbing.
Start with what you already have
The solution doesn’t start with more tools. It starts with an honest inventory of what already exists.
What quality work do you do today? Which management systems are in place? Which processes for risk management, incident handling and supplier follow-up already work? Of everything the regulations require, how much is genuinely new and how much is the same old questions in new packaging?
Once you have that picture, the next step becomes obvious: build one governance structure that answers to all the regulations at once. One risk process. One incident flow. One documentation standard. One management report.
Then AI does what it does best: it accelerates a system that actually works, rather than automating chaos faster.
Governance isn’t a line item
There’s a pattern in how leadership teams think about compliance that makes the problem worse. It’s seen as a cost to minimise, an obligation to get through, a burden to carry.
But the cost of regulatory compliance is, in practice, the cost of poor governance. Those who build good governance find that compliance becomes largely a side effect. Those who build poor governance find that every new regulation becomes a separate, expensive project.
The difference isn’t in how much you invest. It’s in where you invest.
Are you automating chaos or order?
If you can pick one thing to look at in your organisation right now, pick this: does compliance live its own life in silos per regulation, or is it a natural part of the quality work you already do?
The answer determines what AI will do for you. If there’s orderly governance, AI becomes an accelerator. If there isn’t, AI becomes an amplifier of what’s already broken.