Cross-section

Compliance software markets

Federal regulations whose compliance burden created a vendor ecosystem — with my rating of how well each market actually meets the need it was built to serve. The interesting half is the markets where vendors haven't delivered: where regulated parties default to spreadsheets, where the price-to-value ratio is broken, where the rule moved and the software didn't catch up. The default sort is worst-first for that reason.

Sort and filter the table below. Each row's expansion summarizes the compliance burden, the vendor market, and why I rated it the way I did; built rows link out to a per-market page that carries the underlying evidence.

Compliance software markets — rated

FMCSA ELD mandate
49 CFR Part 395 Subpart B
Trucking
FMCSA · 2017
Strong
  • The compliance burden: Property-carrying commercial motor carriers must record duty status electronically from the vehicle's engine control module and produce the record on demand at roadside inspection.
  • The market shape: Mature post-2017 mandate; Samsara IPO'd 2021, Motive S-1'd 2025, Geotab anchors the international fleet tier, Garmin eLog anchors owner-operators. A carrier using one of the major vendors can plausibly say "we comply because the software works."
  • Why Strong: Mature market, vendors profitable and publicly traded, compliance is straightforward at the carrier level. The active FMCSA certification overhaul is supply-side instability about which vendors stay on the registered list, not compliance impossibility — a different shape than the persistent UX / cost / failure pain that defines Partial.
  • Read the full ELD reference →
Pilot Professional Development
14 CFR Part 121 Subpart N
Aviation
FAA · 2020
Partial
  • The compliance burden: Part 121 carriers must run a documented leadership-and-mentoring curriculum for newly-upgraded captains and track every mentored flight against the regulatory hour minimums.
  • The market shape: Splits between training-record systems (ATMS, CAE) and dedicated mentoring platforms (MentorSMART, Qooper); most carriers stitch together two or three vendors plus in-house build.
  • Why Partial: The mandate is clear and the vendors exist, but the experience is fragmented across systems and most large carriers carry a build-vs-buy tax that the small ones can't afford.
  • Read the full pilot-mentoring reference →
HIPAA Privacy & Security Rules (not yet written)
45 CFR Parts 160/164
Healthcare
HHS OCR · 2003
Partial
  • The compliance burden: Covered entities and their business associates must implement the Security Rule's administrative, physical, and technical safeguards over electronic PHI, plus the Privacy Rule's use-and-disclosure controls and breach-notification obligations.
  • The market shape: Massive EHR market (Epic, Cerner/Oracle Health, Meditech) plus a sprawling adjacency of HIPAA-compliance-management vendors. Mature in scale.
  • Why Partial: The market exists at every price point but the user experience is the standing complaint — clinician burnout, interoperability gaps, and security-control fatigue. Compliance is achievable; ergonomics are not.
Sarbanes-Oxley §404 (internal controls) (not yet written)
15 U.S.C. § 7262
Finance
SEC / PCAOB · 2004
Partial
  • The compliance burden: Public companies must establish, document, and annually attest to the effectiveness of internal control over financial reporting; auditors must independently attest to the same.
  • The market shape: GRC vendors (AuditBoard, Workiva, Diligent, MetricStream, ServiceNow GRC) reach enterprise scale; the mid-market is patchy and expensive.
  • Why Partial: Mature top of market, but most companies still run a meaningful chunk of SOX in Excel because the tooling doesn't reach the smaller-public-company tier ergonomically.
GDPR (EU General Data Protection Regulation) (not yet written)
Reg. (EU) 2016/679
Privacy
EDPB / DPAs · 2018
Weak
  • The compliance burden: Controllers and processors handling EU personal data must obtain lawful basis, honor data-subject rights, document processing activities, and notify breaches — with the supervisory authority's interpretation as the operational ground truth.
  • The market shape: Large active Consent Management Platform market (OneTrust, TrustArc, Cookiebot, Didomi, Usercentrics); rolled in here because most US companies serving EU users buy a US-and-EU CMP as one purchase.
  • Why Weak: Most CMPs ship cookie banners that meet the letter and miss the spirit. Regulators (CNIL, DPC) routinely fine implementations the CMPs sold as compliant.
US state privacy patchwork (CCPA + 15 analogues) (not yet written)
Cal. Civ. Code §§ 1798.100–.199.100 + state analogues
Privacy
State AGs / CPPA · 2020
Weak
  • The compliance burden: Businesses meeting per-state thresholds must honor opt-out-of-sale / opt-out-of-sharing rights, recognize Global Privacy Control signals, maintain data-subject access-request workflows, and post the correct disclosures for each state.
  • The market shape: Same CMPs as the GDPR row plus DSAR platforms (Transcend, DataGrail, Securiti). Vendors treat the state patchwork as one buying motion configured per customer's footprint.
  • Why Weak: Same banner-quality problem as GDPR, compounded by state-by-state variation that vendors paper over with config flags rather than substantively distinct implementations. Enforcement is uneven; many regulated parties default to "configure once, hope for the best."
Bank Secrecy Act / KYC-AML (not yet written)
31 U.S.C. § 5311 et seq.
Finance
FinCEN · 1970
Partial
  • The compliance burden: Financial institutions must verify customer identity, monitor transactions for suspicious activity, file SARs and CTRs on triggered events, and maintain a documented AML program with a designated officer.
  • The market shape: NICE Actimize, Oracle FCCM, SAS, Verafin, ComplyAdvantage, Quantexa, Featurespace. Enterprise-scale market with deep integrations into core banking systems.
  • Why Partial: High false-positive rates and overwhelming alert volumes are the persistent complaint from BSA officers. The vendors deliver compliance; the operational experience is exhausting.
OSHA Recordkeeping (Forms 300/301/300A) (not yet written)
29 CFR Part 1904
Employment
OSHA · 1971
Weak
  • The compliance burden: Most employers must log recordable injuries on Form 300, document each incident on Form 301, post the annual summary as Form 300A, and (for covered establishments) submit electronically via the OSHA Injury Tracking Application by March 2.
  • The market shape: EHS software exists (Intelex, Cority, VelocityEHS, Enablon) but is priced for enterprise. Most small employers keep the logs in Excel or on paper.
  • Why Weak: The price-to-value ratio is broken for the long tail of regulated employers, and the ITA submission portal itself is widely criticized for usability.
Section 508 / WCAG accessibility testing (not yet written)
29 U.S.C. § 794d
Accessibility
GSA / Access Board · 1998
Weak
  • The compliance burden: Federal agencies (and many state, education, and federally-funded entities) must ensure that information and communication technology procured, developed, maintained, or used by the agency meets WCAG 2.1 AA as the technical baseline.
  • The market shape: Automated testing tools (axe, WAVE, Pa11y, Siteimprove, Level Access) plus manual-audit shops. The automated category catches a meaningful but small fraction of real WCAG issues.
  • Why Weak: Most "we passed an automated scan" claims do not survive lawsuit-grade scrutiny. Manual audit is still the only path to substantive compliance, which means the software market is solving the cheap part of the problem.
FDA 21 CFR Part 11 (electronic records) (not yet written)
21 CFR Part 11
Life sciences
FDA · 1997
Partial
  • The compliance burden: Regulated life-sciences entities that use electronic records or signatures in lieu of paper must implement the Part 11 control set — validation, audit trails, identity management, copy controls — so that records are trustworthy for FDA inspection.
  • The market shape: Veeva Vault dominates the regulated eDMS market; MasterControl and Sparta cover the QMS adjacency. Mature at the top.
  • Why Partial: Small biotech often pays Veeva prices it can barely afford because the alternative is failing an audit. The market works but is gated on price.
TCPA (call consent / Do Not Call) (not yet written)
47 U.S.C. § 227
Privacy
FCC · 1991
Weak
  • The compliance burden: Businesses placing telemarketing or auto-dialed calls / texts must obtain the right level of prior consent, scrub the DNC list, and authenticate caller identity (STIR/SHAKEN) on outbound calls.
  • The market shape: Twilio, Five9, Convoso, Numeracle, TransUnion TruContact layer consent-tracking and call-authentication on top of dialer platforms.
  • Why Weak: Enforcement-through-private-litigation means most regulated parties pay lawyers more than they pay vendors. The vendors handle the easy half; the hard half (which calls land you in court) is not yet a productized answer.
CMMC (DoD Cybersecurity Maturity Model) (not yet written)
48 CFR Part 252 / 32 CFR Part 170
Cybersecurity
DoD · 2025
Failing
  • The compliance burden: DoD contractors and subcontractors handling FCI / CUI must achieve the level (1, 2, or 3) of CMMC assessment that matches their contract scope; Level 2 requires a third-party assessment by a C3PAO.
  • The market shape: Tool vendors (Hyperproof, Vanta CMMC module, Risk Cognizance) exist, but most of the market is still consulting-led. C3PAO supply is short; the third-party-assessor backlog is long.
  • Why Failing: Multiple rule revisions (CMMC 1.0 → 2.0 → final rule) left vendors retooling repeatedly. Below Tier 1, contractors are pricing the certification at orders of magnitude above what they can absorb.
SEC Pay-vs-Performance disclosure (not yet written)
17 CFR § 229.402(v)
Finance
SEC · 2023
Partial
  • The compliance burden: Registrants must disclose "compensation actually paid" to the principal executive officer and other named executive officers alongside specified performance measures, in tabular form in the proxy statement.
  • The market shape: Equity-comp administrators (E*TRADE Corporate Services, Shareworks/Morgan Stanley, Carta) and proxy filers (DFIN, Donnelley, Workiva) added PvP modules. Coverage is there for large filers.
  • Why Partial: Smaller filers struggle to compute compensation-actually-paid without consultant help; the rule's edge cases (mid-year retirements, performance-share grants) are still unevenly handled by tooling.
FMCSA Drug & Alcohol Clearinghouse (not yet written)
49 CFR Part 382 Subpart G
Trucking
FMCSA · 2020
Partial
  • The compliance burden: Employers of CDL drivers must query the FMCSA Clearinghouse pre-employment and annually for every driver, report drug-and-alcohol-program violations, and resolve queries before allowing safety-sensitive duties.
  • The market shape: The Clearinghouse itself is a federal system that works; the vendor market around it (DISA, Foley, J.J. Keller, USIS) sells query-management and pre-employment-check workflows.
  • Why Partial: Usable but expensive at owner-operator scale, and the per-query consent dance is a workflow most carriers redo manually for each new hire.
FedRAMP / StateRAMP (not yet written)
OMB M-22-18 / 40 U.S.C. § 11331 (FISMA)
Cybersecurity
GSA FedRAMP PMO · 2011
Partial
  • The compliance burden: Cloud service offerings sold to US federal agencies must achieve a FedRAMP Authorization to Operate at the appropriate impact level (Low / Moderate / High), with a 3PAO assessment and continuous monitoring obligations.
  • The market shape: Compliance-automation vendors (Vanta, Drata, Hyperproof, Risk Cognizance) and 3PAOs (Coalfire, A-LIGN, Schellman, Kratos) reach enterprise scale.
  • Why Partial: The software helps; the regulatory process is what consumes time and budget. 12–18 month ATOs and $500K–$2M Moderate price tags are the standing complaint.
Reg BI / Adviser Act communications surveillance (not yet written)
17 CFR § 240.17a-4 / 17 CFR § 275.204-2
Finance
SEC · 1934
Partial
  • The compliance burden: Broker-dealers and registered investment advisers must retain business communications in tamper-evident form, surveil them for prohibited content, and produce them on regulatory demand — across email, SMS, encrypted messaging, and voice.
  • The market shape: Smarsh, Global Relay, Theta Lake, Hearsay (now Yext) anchor the capture market that scaled hard with the 2022–2024 SEC off-channel-communications enforcement wave (firms fined $1B+ for WhatsApp / iMessage / Signal use).
  • Why Partial: Mature and expensive, but doesn't fully solve the BYOD-encrypted-app capture problem — regulated personal devices remain a structural gap.
AI safety / model evaluations under emerging AI rulemaking (not yet written)
Reg. (EU) 2024/1689 / NIST AI RMF
AI safety
EU AI Office / NIST · 2024
Failing
  • The compliance burden: Providers and deployers of high-risk AI systems under the EU AI Act (and parties referencing the NIST AI RMF in US procurement) must run model evaluations, document risk-management measures, and substantiate intended-use restrictions — against requirements that are still being clarified.
  • The market shape: Barely formed. Robust Intelligence acquired by Cisco in 2024; Lakera, Patronus, HumanIntelligence, Calypso, Haize Labs are early. Few enterprise references; little consensus on what "an evaluation" even is.
  • Why Failing: Rule scope still moving (EU AI Act in phased rollout through 2027; US executive-order landscape repeatedly rescinded and replaced). Customers genuinely don't know what to buy; vendors don't know what they're selling against.

Regulations whose rule has been narrowed, vacated, or paused

A second list, separate from the rated roster above. These are rules under which a vendor market had formed or was forming when a court vacated the rule, the agency narrowed it, an injunction blocked it, or the agency withdrew it. The vendors retooled; the regulated parties are now operating against a different shape of obligation than the product roadmap assumed. These markets are in legal limbo — not stably ratable in the four-band scheme — so they sit here with a status pill in place of the rating chip.

Corporate Transparency Act / Beneficial Ownership Reporting
31 U.S.C. § 5336
Finance
FinCEN · 2024
Narrowed 2025
  • What changed: The March 2025 interim final rule narrowed scope from ~32M domestic reporting companies to foreign reporting companies only (a >99% reduction in covered filers).
  • The market then: FincenFetch, FileForms, and a long tail of CPA-tool add-ons ramped for the original scope through late 2024.
  • The market now: Software exists but the demand it was built for evaporated. Most vendors are repositioning toward adjacent KYB / entity-management use cases.
FCC 2024 TCPA one-to-one consent rule
47 CFR § 64.1200(f)(9) (as adopted)
Privacy
FCC · 2024
Vacated 2025
  • What changed: The FCC's December 2023 order requiring "one-to-one" prior express written consent for telemarketing was set to take effect January 27, 2025; the Eleventh Circuit vacated it (Insurance Marketing Coalition Ltd. v. FCC) on January 24, 2025, holding the FCC exceeded its statutory authority.
  • The market then: Consent-management vendors (ActiveProspect TrustedForm, Jornaya LeadiD, Verisk Convoso) had retooled to enforce the one-to-one rule.
  • The market now: Confused. State-law analogues partially fill the gap; vendors are selling a "one-to-one optional" toggle while customers wait to see whether the FCC re-issues the rule under a tighter statutory theory.
DOL Retirement Security Rule (2024 fiduciary)
29 CFR Part 2510.3-21
Finance
DOL EBSA · 2024
Blocked 2024
  • What changed: The "Retirement Security Rule" expanding the ERISA fiduciary definition to most retirement-account advice was set to take effect September 23, 2024; two Texas district courts stayed enforcement nationwide in July 2024. (The 2016 fiduciary rule met a similar fate via the Fifth Circuit in 2018.)
  • The market then: Compliance vendors (fi360, Morningstar Fiduciary, Broadridge) built around the expanded fiduciary definition through early 2024.
  • The market now: Vendors have now built for two distinct ERISA fiduciary rules in eight years, neither of which took effect. Investment is understandably cautious.
SEC Climate Disclosure Rule
17 CFR § 229.1500
Finance
SEC · 2024
Withdrawn 2025
  • What changed: Adopted March 6, 2024; stayed by the SEC itself in April 2024 pending litigation; the SEC voted in 2025 to stop defending the rule and effectively withdrew it.
  • The market then: Climate-disclosure / sustainability-reporting vendors (Persefoni, Watershed, Sweep, Workiva ESG, OneTrust ESG) built around the rule's expected scope and timeline.
  • The market now: Reorienting around state-level analogues (California SB 253 / SB 261) and EU CSRD. Federal-level demand has collapsed; the international and state-level demand is steady but not what the vendor go-to-market plans assumed.

About this list

What's on this page. Federal regulations (and, where the vendor market treats them as one buying motion, multi-state analogues) whose compliance burden created a software market. A row earns its place when the rule is on the books, the regulated parties need software to track / report / attest, a vendor ecosystem exists or is forming, and the market is either stably ratable or in active legal limbo. Procedural-only rules and rules with no software market are out of scope.

How I rate coverage. The four bands are calibrated qualitative judgments, not a numeric score.

  • Strong — the regulated party can plausibly say "we comply because the software works." Mature ecosystem, multiple competing vendors, low friction. ELD qualifies.
  • Partial — vendors exist and the market has scale, but the experience is fragmented, expensive, or hated by users. The default rating for a mature-but-frustrating market.
  • Weak — the software isn't worth what it costs. Many regulated parties default to spreadsheets and manual processes; the vendor side is solving the easy half.
  • Failing — the market is dysfunctional. Rule churn, court reversals, supply shortages, or scope ambiguity. Regulated parties have no good options.

These are my judgments, not neutral metrics. The ratings reflect what I see in vendor financials, public complaints from regulated parties, and the gap between what the rule asks for and what the software delivers. The per-market pages carry the underlying evidence; a visitor who disagrees with a rating should read the per-market page and decide for themselves.

The sidecar table. Rules that were narrowed, vacated, blocked, or withdrawn while a vendor market existed or was forming sit in a separate table below the rated roster. Those markets are in legal limbo and don't fit the four bands; the sidecar reads as a forensic record of where the vendor market reacted to rulemaking on a longer cadence than the rulemaking itself moved.

Per-market pages. Two per-market pages are linked at launch: the FMCSA ELD mandate and FAA pilot professional development. The remaining rows are unbuilt at v1 and carry an inline "(not yet written)" tag; the row's expansion summary is what the index itself owns. When a per-market page ships, that row's regulation name flips to a link.

What's intentionally excluded. Vendor-by-vendor ranking inside any single market — that's what every other "best [X] software" site already does and is not the editorial point. A numeric grade per row — the four bands are qualitative on purpose. Non-software compliance markets (consulting-only, training-only). State-level laws as individual rows except where the vendor market treats them as one buying motion. Speculation about pending or proposed rules; a rule earns a row only when it has been adopted (even if it's later been narrowed or vacated — those go in the sidecar).

Disagree with a rating? The ratings are subjective and I'd rather hear when I've called one wrong. Send a correction.

Last updated: 2026-05-28.

Last refreshed 2026-05-28 by Triton — new page.