This is Part 3 of a four-part series on corporate governance. Read Part 1 (AI and cybersecurity governance) and Part 2 (board accountability).
Regulatory compliance is a strategic board issue for mid‑market and growth companies facing disproportionate cost burdens and complex multi‑jurisdictional regimes. American businesses now spend between $300B and $700B annually on regulatory compliance, with mid‑sized companies often least able to absorb the overhead. Global frameworks such as the EU AI Act, evolving AI and data rules in other regions, federal AI policy, DOJ self-disclosure incentives, SEC/FTC enforcement, and escalating trade and tariff uncertainty have created a fragmented environment that complicates risk management for both public and private companies. In this environment, compliance maturity increasingly affects pricing, diligence, financing, and exit outcomes, making it a core board responsibility rather than a back-office function. This article outlines board‑level priorities for navigating regulatory fragmentation, managing compliance costs, and integrating risk oversight into strategy.
Compliance Costs as a Board-Level Strategic Pressure
Regulatory obligations materially affect capital allocation, growth planning, and investor expectations. Surveys of mid‑market leaders show regulatory and tax changes among their top risks, with nearly half expecting higher overhead due to new requirements and intensified monitoring. The costs of compliance in the U.S. are soaring, estimated at $300-$700 billion annually, with mid‑market organizations reporting disproportionate burdens relative to their size. Few companies have fully integrated GRC and financial systems, instead relying on fragmented tools and manual processes that increase error and cost.
For boards, this means compliance is not just about avoiding fines: it directly affects margins, competitive positioning, and transaction‑readiness. For middle-market companies, the question is how to spend intelligently enough to protect the business while preserving growth and financing flexibility.
Board action points
- Treat compliance as a recurring agenda item tied to strategy, capital expenditures, and M&A readiness.
- Require management to quantify compliance costs (internal headcount, external advisers, systems) and benchmark them over time.
- Direct integration efforts between finance, risk, legal, and IT to reduce duplicative tooling and manual reporting.
Data and AI Regulation: Global Fragmentation and High-Penalty Regimes
The Proliferation of Data Privacy/Protection Laws
Boards are by now familiar with complex data privacy and data protection requirements. The EU’s GDPR has been the benchmark regime for modern data protection since 2018. Supranational, national, and state data privacy rules are becoming more prescriptive and more punitive. These laws often apply broadly to organizations that process personal data of people in their jurisdictions, even if the companies doing the processing are located outside of the regulating jurisdiction. Privacy laws are proliferating, with enforcement spanning public regulators to private lawsuits. The strictest privacy regime in the U.S. is California’s CCPA/CPRA framework, enforced by the California Privacy Protection Agency. Other U.S. states have enacted prescriptive rules on sensitive data, minors, targeted advertising, geolocation, and automated decision-making; state AGs are actively enforcing comprehensive privacy laws in 20 states.
Key Penalty Regimes
The specter of outsized penalties is perhaps the strongest motivation for boards to fully assess their obligations under data protection and privacy rules. GDPR penalties are up to €10 million or 2% of global annual turnover for less severe infringements, and up to €20 million or 4% of global annual turnover for more serious violations. The California regimes have built-in inflation adjustments for penalties and specific statutory authorization for private rights of action. Last year, state attorneys general reached a $1.55 million settlement for violations of the CCPA and a $1.375 billion settlement for violations of the Texas Data Privacy and Security Act. Outside the U.S. and Europe, privacy enforcement is also penalty driven. The UK GDPR preserves a GDPR-style penalty model with maximum fines of the higher of £17.5 million or 4% of worldwide turnover. Quebec’s Law 25 provides for administrative penalties up to CAD $10 million or 2% of worldwide turnover, and penal fines can go up to CAD $25 million or 4% of worldwide turnover. Brazil’s LGPD is another example: fines can reach up to 2% of Brazilian revenue, capped at BRL 50 million per infraction; the ANPD can also order the suspension of processing activity, which was part of the penalty for Meta in 2024, together with daily fines for non-compliance.
So what are boards to do? The first step is understanding what matters most in all privacy regimes: what are the high risks to people’s privacy and what are we doing to mitigate those risks? The next step is to identify the enforcement priorities of the regulators in the jurisdictions in which the company is doing business or has a footprint. The answers to those questions will guide the board.
U.S. Federal AI Policy Is Moving Toward a Unified Baseline
While the U.S. still lacks a comprehensive federal AI statute, federal policy is no longer static. In March 2026, the White House released a National Policy Framework for Artificial Intelligence setting out legislative recommendations for a more unified federal approach, including a national baseline for AI governance, targeted rules for high-risk uses, and preemption of certain state AI laws the Administration views as unduly burdensome.
The SEC continues to treat AI-washing and related disclosure misstatements as classic enforcement issues, while FINRA has flagged AI and GenAI supervision, communications, recordkeeping, and fair dealing as compliance concerns for member firms. The FTC, meanwhile, continues to apply its unfair and deceptive practices authority to AI-related conduct, reinforcing that claims about AI performance, privacy, and consumer impact must be accurate and supportable.
The practical effect is that companies should expect continued state fragmentation in the near term with a future federal standard in some areas. Boards should treat this as a signal to build AI governance programs that can absorb the expected federal baseline while still satisfying stricter state, sectoral, and international rules.
EU AI Act and Related AI Frameworks
Much like the GDPR for privacy, the EU AI Act has become the reference point for AI regulation, with a tiered penalty regime that rivals or exceeds GDPR. Prohibited AI systems can trigger fines up to €35 million or 7% of worldwide annual turnover, whichever is higher. Violations of general regulatory requirements for high‑risk and GPAI systems can lead to penalties up to €15 million or 3% of global turnover. Providing false or misleading information to authorities can result in fines up to €7.5 million or around 1-1.5% of worldwide turnover, depending on final implementing measures. Other jurisdictions are advancing their own approaches, from sectoral AI guidance in U.S. states to principles‑based or sandbox‑style frameworks in APAC markets.
Board takeaway: Boards should treat data privacy and AI compliance as design problems.
These divergences create overlapping but non‑identical obligations around transparency, risk assessment, data governance, and documentation. For PE‑ and VC‑backed companies, data and AI‑heavy business models will face compliance expectations well before a strategic exit or an IPO, as potential acquirers and institutional investors increasingly diligence data and AI governance practices alongside financial metrics. For boards, this means that data and AI governance is a strategic operating issue: policies, testing, documentation, and vendor controls should be built so they can satisfy strict state, federal, and international requirements.
Board action points
- Require senior management to regularly map operations, advertising reach, data-sharing arrangements, and vendor/customer location (including subcontractors) by operating entity, then overlay applicable data privacy and AI laws and conduct required or recommended assessments (e.g., EU Data Privacy Impact Assessments (DPIAs) and California data mapping/risk assessments).
- Direct management to assess extraterritorial reach (e.g., EU operations or customers that may pull non‑EU entities into scope) and integrate the findings into product design, data architecture, and market entry.
- Require an AI compliance map identifying where AI is used, which systems may be “high‑risk” under the EU AI Act or equivalents, plus record‑keeping obligations.
- Audit online tracking technologies, consent mechanisms, data practices (collection/usage/sharing/deletion), and vendor relationships.
- Link AI governance (see Article 1 of this series) explicitly to EU AI/national/state AI compliance, beyond ethical guidelines and risk-management frameworks.
Trade Policy, Tariffs, and Supply Chain Governance
Trade and tariff policy volatility is a structural governance concern in 2026 rather than a temporary disruption. More than half of surveyed supply‑chain leaders expect “high” or “very high” policy uncertainty in 2026, with 90% anticipating trade barriers will rise or remain elevated. Executives forecast moderate to sharp increases in transportation, labor, and customs/compliance costs, further tightening margins and complicating sourcing decisions. Global economic assessments project that elevated tariffs and policy uncertainty will increasingly weigh on trade flows and investment decisions in 2026, even as the overall economy remains relatively resilient.
For boards of companies of all sizes and sectors, trade policy is now part of enterprise risk management, because tariff shocks can change supplier economics, working capital needs, and the viability of a business line. Boards—especially of companies with cross‑border operations or import/export‑heavy business models—must fold trade and tariff risk into strategic planning, capital allocation, and disclosure.
Board takeaway: Trade risk belongs in the same risk register as cyber, AI, and liquidity.
Board action points
- Require management to run scenario analyses on key tariff and trade‑policy paths (e.g., renewed or expanded tariffs on specific regions or sectors) and identify moves that improve resilience under multiple outcomes.
- Integrate supply‑chain governance into board and committee charters, including oversight of re-shoring decisions, supplier diversification, and contractual risk allocation for tariff changes.
- Ensure that major contracts address tariff pass‑through mechanisms, change‑in‑law clauses, and dispute‑resolution forums suitable for cross‑border disputes.
Managing Compliance Risk for Mid-Market and Private Companies
Mid‑market and private companies face the same regulatory currents as large public issuers but with fewer resources and less internal specialization. Budget constraints can make it difficult to hire dedicated compliance officers, leading to additional assignments for finance or HR leaders. Patchwork systems, including spreadsheets, point solutions, and manual workflows, can increase the risk of missed deadlines or inconsistent records across jurisdictions and business units. Further, heightened scrutiny is coming from institutional investors, lenders, and strategic acquirers who increasingly assess compliance maturity as a prerequisite for favorable terms or premium valuations.
The expectation of private company compliance maturity is increasingly seen in sponsor diligence, lender underwriting, acquirer negotiations, and closing conditions. For PE‑backed portfolio companies, sponsors now often expect board‑level visibility into compliance posture and remediation plans, particularly in areas such as data privacy, anti‑corruption, sanctions/export controls, and sector‑specific regimes.
For mid-market and private companies, compliance maturity affects access to capital and strategic partners. Boards should insist on quarterly compliance health reports that show not just open items, but how remediation timelines and costs are trending against budget and benchmarks. That visibility creates the accountability needed to turn compliance from a cost center into a value protector.
Board takeaway: Quarterly compliance health check-ups turn cost centers into value drivers.
Board action points
- Direct management to prioritize a short list of company‑critical regulatory regimes based on industry, geography, and business model. These might include AI, data protection, employment/benefits, financial services, export controls, or HIPAA/PHI.
- Encourage the use of scalable GRC (governance, risk, compliance) tools or managed‑service models for small to mid-market businesses or where full in‑house teams are not feasible, with clear reporting channels to the board.
- Build compliance metrics and key risk indicators (KRIs) into regular board reporting, such as number of open regulatory findings, time to remediation, and training completion rates.
DOJ Raises the Stakes for Self-Disclosure
Beyond routine compliance, companies now face heightened expectations around self‑disclosure of potential misconduct, particularly from the Department of Justice. DOJ’s 2026 Corporate Enforcement and Voluntary Self-Disclosure Policy creates stronger incentives for timely self-reporting, cooperation, and remediation in criminal matters. For boards, the message is clear: companies need incident-identification and escalation processes that can distinguish a technical issue from conduct that may require immediate legal review, voluntary disclosure, or remediation under DOJ’s framework. That matters not only for cyber incidents, but also for AI-related fraud, sanctions, export-control, false-statement risk, and compliance deficiencies.
Board takeaway: Self-disclosure readiness is part of board-level risk architecture.
Integrating Compliance into Enterprise Risk Management
Regulatory risk is deeply interconnected with technology, talent, supply chain, and geopolitical risk, requiring boards to move away from siloed oversight. Effective integration can include unified dashboards and reporting that combine financial, operational, and compliance metrics to support real‑time governance and faster escalation. In addition, cross‑functional risk committees at management level can tie emerging regulations to product design, market entry, pricing, and capital planning decisions. Regular joint sessions between audit, risk, and compensation committees will align risk incentives, internal controls, and executive pay with compliance priorities. Finally, a single escalation pathway for regulatory issues ensures that AI, cyber, trade, AML, sanctions, and other regulatory concerns are not handled in separate silos and can be assessed quickly for disclosure or self-reporting obligations and remediation.
Board implementation roadmap:
- Map existing regulatory exposures and assign clear ownership at the management and committee level.
- Integrate compliance into the enterprise risk register, with heat maps and scenario analyses reflecting the relevant sector‑specific rules (such as AI and trade).
- Invest in data and reporting infrastructure that reduces manual compliance work and improves accuracy.
- Review disclosure and stakeholder‑communication practices to ensure that material regulatory risks, responses, and processes are clearly articulated.
Conclusion
Boards that master 2026 will reframe regulation from disconnected obligations into a resilient compliance architecture—one that proactively absorbs changes and enables strategic advantage. That means designing data and AI governance for the strictest rules, monitoring enforcement priorities, maintaining escalation paths for timely self-disclosure where it will pay off, and embedding regulatory risk into business planning. The result: compliance as a source of resilience rather than a drag on value. Part 4, the series finale, explores talent and succession planning to drive enterprise value.