Compliance Risk Map: All Your Regulatory Risks in One Place
Comprehensive compliance risk mapping: regulatory obligation register, risk heat maps, multi-regulatory gap analysis (GDPR, NIS2, AI Act, AML), and regulatory change management.
Why fragmented compliance management creates critical risks
Does this apply to your business?
Do you have a complete inventory of all regulations applicable to your company, with current compliance status for each?
Can you present to your board a regulatory risk heat map showing where the critical compliance risks are?
Does your company have a systematic process that alerts on new regulatory obligations before they take effect?
Have you quantified the effort and cost of remediating existing compliance gaps to prioritise the compliance budget?
Our compliance risk mapping process
Regulatory universe mapping
We identify the complete set of regulations applicable to the organisation based on its sector, activities, operating jurisdictions, and data profile. We build the compliance obligation register with regulatory source, effective date, responsible area, and non-compliance risk level.
Multi-regulatory gap analysis
We assess current compliance levels against each applicable regulation, identify existing gaps, and prioritise them by regulatory risk level, potential sanction, and remediation effort. The result is a heat map that immediately visualises the compliance risk profile.
Remediation plan and resource allocation
We develop the prioritised remediation plan: corrective actions by regulation and gap, implementation schedule, estimated budget, responsible areas, and tracking metrics. We identify synergies between regulations that allow multiple obligations to be addressed through common initiatives.
Compliance dashboard and regulatory change management
We implement the compliance dashboard for periodic monitoring of compliance status by regulation, and the regulatory monitoring system that alerts on new obligations, interpretive guidance, and relevant enforcement decisions before they affect the organisation.
The challenge
The European regulatory landscape is now the most complex in history: GDPR, NIS2, DORA, AI Act, AML/AMLA, MAR, ESG, the Corporate Sustainability Reporting Directive. Companies operating across multiple sectors or countries accumulate dozens of compliance obligations monitored in silos, with no consolidated view of interactions, redundancies, or gaps. The result is inefficient compliance that consumes excessive resources in low-risk areas while leaving high-risk areas exposed.
Our solution
We develop comprehensive compliance risk maps that give management and the board a consolidated, prioritised view of the regulatory universe applicable to their organisation: obligation registers, risk heat maps, gap analysis by regulation, and a regulatory change tracking system that alerts on new obligations before they take effect.
Compliance risk mapping is a structured methodology for identifying, classifying, and prioritising all regulatory obligations applicable to an organisation across multiple legal frameworks — including GDPR, NIS2, DORA, the EU AI Act, AML Law 10/2010, and sector-specific regulations — and assessing the organisation's current compliance status against each. The output is typically a compliance risk register and heat map that enables management to allocate resources efficiently, address the highest-risk gaps first, and maintain a consolidated view of multi-regulatory exposure rather than managing obligations in isolated silos. This methodology is aligned with international compliance standards such as ISO 37301.
Our compliance team combines deep knowledge of the European regulatory landscape with practical experience managing the compliance function in companies across all sectors and sizes.
A Regulatory Landscape That Has Outpaced Traditional Compliance
The European regulatory environment has undergone unprecedented densification in the last five years. GDPR, NIS2, DORA, AI Act, AMLA, the Corporate Sustainability Reporting Directive — each of these regulations is itself a substantial compliance project. For companies operating across multiple sectors or countries, the accumulation of overlapping obligations creates management complexity that traditional compliance models are not designed to handle efficiently.
The Compliance Map as a Management System
The compliance risk map is the response to this complexity — not a static document, but a living management system that provides management with consolidated visibility of the applicable regulatory universe, prioritised by risk level and continuously updated. The difference between an organisation with a good compliance map and one without it is measured not only in avoided sanctions: it is also measured in compliance spend efficiency, the capacity to anticipate regulatory changes, and the quality of information reaching the board for governance decisions.
The Multi-Regulatory Gap Analysis
The multi-regulatory gap analysis is the instrument that turns the map into a real management tool. Knowing that the company is 80% compliant with GDPR but has a critical gap in third-party risk management under NIS2, that the AI Act applies through two systems not identified as high-risk, and that the AML programme does not cover obligations under the new Directive — this allows compliance resources to be prioritised where real risk is highest, rather than over-investing in visible compliance while underestimating areas of greatest enforcement exposure.
Regulatory Synergies as an Efficiency Driver
Synergies between regulations are a significant efficiency source that fragmented compliance management wastes. AI Act impact assessments and GDPR DPIAs can be designed as an integrated process when they affect the same system. NIS2 cybersecurity controls and GDPR technical security requirements are largely satisfied by the same measures. The incident register for DORA and for NIS2 can be unified. Identifying and leveraging these synergies is a central component of the remediation plans we develop, with direct impact on reducing compliance costs — and on ensuring that data protection, AI Act compliance, and enterprise risk management are managed as an integrated system rather than independent silos.
The Board Compliance Dashboard
The compliance dashboard for the board is the final product of the system. A board cannot manage regulatory risk it cannot see: the heat map, presented regularly with changes from the prior period and upcoming regulatory changes with significant impact, gives the board the information it needs to exercise its oversight function without requiring immersion in the technical detail of each regulation. This communication is also documented evidence that the board has fulfilled its regulatory compliance oversight responsibility — directly relevant in any regulatory investigation or corporate due diligence process where a counterparty assesses the organisation’s compliance governance.
The Criminal Liability Dimension
Corporate criminal liability under Article 31 bis of the Spanish Penal Code requires companies to demonstrate that they had an effective compliance programme capable of preventing the offence. The compliance risk map is the documentary foundation of this defence: it shows that the organisation systematically identified the regulatory and criminal risks relevant to its activity, assessed their probability and impact, and implemented controls proportionate to those risks. A company that faces a criminal investigation without a documented, functioning compliance framework has structurally weakened its legal position. Our criminal compliance team works alongside the compliance risk mapping function to ensure the criminal dimension of the risk register is addressed with appropriate rigour.
Compliance Budget Planning
The prioritised compliance budget is one of the most valuable operational outputs of the mapping process. Compliance spend without a risk map defaults to visible compliance — prioritising certifications, audits, and documentation that look like compliance but may not address the areas of highest real risk. The gap analysis by regulation, with estimates of remediation effort, required external resources, and technology implementation costs, provides the basis for a compliance budget that is defensible to the board and rationally allocated across risk priorities.
Ongoing Regulatory Monitoring
The compliance risk map is only as valuable as it is current. European regulatory production has been at a historically high level throughout the 2020s, and the pace is not slowing. Our regulatory monitoring service — integrated with the compliance map — provides structured alerts on new obligations, interpretive guidance from supervisory authorities, and relevant enforcement decisions. The NIS2 compliance and DORA compliance services are coordinated through the same monitoring infrastructure, ensuring that sector-specific obligations are captured within the consolidated risk view.
Sectors Most Affected by Multi-Regulatory Complexity
Financial services: combining DORA, GDPR, AML/CFT, MiFID II, PSD2, and the AI Act creates compliance challenges that cannot be managed in isolated teams. A consolidated compliance map is the only management tool that provides the board with a coherent picture of regulatory exposure across all these frameworks simultaneously.
Healthcare and life sciences: GDPR (health data, Art. 9 special category), NIS2, AI Act (medical device AI), MDR/IVDR, and AEMPS sector regulation create a multi-framework environment where every product launch and digital initiative triggers obligations across multiple authorities. Compliance silos in this sector regularly create gaps at the intersections.
Technology and SaaS companies: GDPR, AI Act (for AI-enabled products), NIS2 (for digital infrastructure providers), and ePrivacy (for digital services with cookies and analytics) create a compliance matrix that must be addressed systematically from product design stage rather than retrofitted after launch.
Retail and e-commerce: GDPR (customer data, marketing consent, loyalty programmes), ePrivacy (cookies, tracking), consumer protection (EU Omnibus Directive), and AI-powered personalisation or pricing create multi-regulatory obligation sets that are frequently underestimated by e-commerce operators until the first regulatory inquiry.
Worked Example: Compliance Map for a FinTech
A Spanish FinTech (55 employees, EUR 8 million revenue) operating a digital lending platform sought compliance risk mapping ahead of a Series B funding round. The investors’ due diligence required documented compliance status across all applicable regulations.
BMC identified 7 applicable regulatory frameworks: GDPR, NIS2 (important entity in financial market infrastructure), DORA (payment institution), AI Act (high-risk credit scoring system), AML/CFT (obliged entity as credit intermediary), ePrivacy, and LSSICE. Gap analysis revealed 3 critical gaps, 6 high gaps, 11 medium gaps. The compliance investment estimate (EUR 180,000 over 12 months) was presented to investors as a use-of-funds line item; the risk heat map satisfied the due diligence requirement and the Series B round closed on schedule.
Common Mistakes We Fix
- Managing compliance in departmental silos. Data protection in legal, cybersecurity in IT, AML in operations — with no consolidated view. The result is overlapping effort where frameworks share requirements, and gaps where no single team feels ownership.
- Prioritising visible compliance over risk-based compliance. Certifications and policies that look like compliance without addressing the highest-probability, highest-impact risks. Regulators inspect substance, not appearance.
- Not updating the compliance map when the business changes. New products, markets, acquisitions, and technology integrations change the compliance risk profile. A map that is not updated regularly becomes a misleading comfort rather than a risk management tool.
- Treating compliance as a cost centre. Without a quantified risk assessment, compliance investment cannot be prioritised. The compliance risk map enables decisions based on expected risk reduction — the same logic applied to any other risk management investment.
- Not preparing for regulatory investigations proactively. Investigations are more manageable when the organisation can produce a documented programme, a gap analysis, and evidence of good-faith remediation. Without this documentation, a compliance gap looks like negligence; with it, the same finding can be contextualised as a known and managed risk.
How We Work
Phase 1 — Regulatory scope assessment (2-3 weeks): identification of all applicable regulatory frameworks based on sector, activities, size, and geographic scope.
Phase 2 — Gap analysis and heat map (3-4 weeks): assessment of current compliance status against each identified obligation, producing the risk heat map with probability and impact ratings for the board.
Phase 3 — Remediation roadmap and ongoing monitoring: prioritised action plan with timelines, responsibility assignments, and investment estimates; ongoing regulatory monitoring to capture new obligations and update the map quarterly.
The compliance risk map is delivered as both a board-ready governance document and a working operational management tool.
The Board Compliance Dashboard
A board cannot manage regulatory risk it cannot see. The compliance dashboard translates the risk map’s technical content into board-level reporting: a heat map updated quarterly showing which regulatory risks are red (critical, immediate action required), amber (significant, remediation in progress), yellow (moderate, managed), and green (compliant). The dashboard also shows upcoming regulatory changes with impact assessments — allowing the board to allocate resources to emerging obligations before they become enforcement risks.
Compliance Budget Planning
Companies that approach compliance budgeting from a risk map perspective consistently spend less than those that budget by regulatory framework independently — because the synergies between frameworks (shared controls, integrated assessments, unified documentation) are only visible in a consolidated view. The compliance risk map directly enables this efficiency.
Regulatory Synergies as an Efficiency Driver
The compliance risk map quantifies these synergies: for each remediation project, we identify which other regulatory obligations are simultaneously satisfied by the same control implementation. A single endpoint detection and response (EDR) deployment may satisfy NIS2 Art. 21 malware detection requirements, GDPR Art. 32 technical security measures, DORA ICT risk management controls, and ISO 27001 Annex A controls simultaneously. Without the consolidated map, this cross-regulatory efficiency is invisible.
Geographic Coverage
We design and maintain compliance risk maps for companies across all Spanish territories. For multinational organisations, we coordinate with EU counsel to extend the map to cover compliance obligations in other member states, producing a single consolidated group compliance view. Our regulatory monitoring service covers EU-level regulatory developments and national transpositions across all major EU jurisdictions, updated monthly with an alert service for significant changes.
For companies with operations in the Basque Country and Navarra (Haciendas Forales), the Canary Islands (IGIC and specific ZEC obligations), or Ceuta and Melilla (IPSI), the compliance risk map must account for the specific tax and regulatory frameworks applicable in these territories alongside the national and EU frameworks — creating an additional compliance dimension that national-level mapping exercises typically overlook.
Compliance Risk Mapping in M&A and Investment Transactions
Compliance risk maps are increasingly used as due diligence instruments in M&A transactions and capital rounds. Acquirers, investors, and their advisers use the compliance risk map to:
- Identify regulatory risks that are not reflected in the financial statements (unquantified GDPR or DORA exposure, pending AEPD investigations, AML programme gaps that could trigger SEPBLAC scrutiny).
- Assess the remediation cost to bring the target to a compliant state — a direct input to valuation adjustments and purchase price conditions.
- Identify representations and warranties that should be included in the purchase agreement regarding the completeness and accuracy of the compliance programme.
- Evaluate whether any regulatory authorisations held by the target are at risk due to compliance gaps (banking licences, investment firm authorisations, insurance operating licences).
We prepare compliance risk maps on behalf of sellers — as a pre-sale exercise to identify and remediate compliance gaps before buyer due diligence — and on behalf of buyers, as an independent compliance due diligence exercise that informs the acquisition decision and the purchase agreement negotiation. In both roles, the compliance risk map is the foundation of the compliance dimension of the transaction.
ISO 37301 and International Compliance Standards
The compliance risk map methodology is aligned with ISO 37301:2021 (Compliance Management Systems — Requirements with guidance for use), which is the international standard for compliance management. ISO 37301 requires organisations to:
- Identify and assess compliance obligations (equivalent to the regulatory scope assessment phase of the compliance risk map).
- Assess the risks of non-compliance (equivalent to the gap analysis and heat map).
- Implement controls to address compliance risks (equivalent to the remediation roadmap).
- Monitor and evaluate compliance performance (equivalent to the ongoing monitoring service).
For organisations seeking ISO 37301 certification — which is increasingly required in regulated sectors and in supplier qualification processes — the compliance risk map provides the documented compliance obligation register and risk assessment that the certification process requires. We design compliance risk maps that simultaneously serve as operational management tools and as ISO 37301 certification documentation.
The Compliance Function in Corporate Governance
The compliance risk map is the instrument that connects the compliance function to the board of directors. Under the Spanish corporate governance framework (LSC, CNMV Good Governance Code), the board is responsible for overseeing the company’s compliance with applicable regulations and for ensuring that the compliance management system is adequate. The compliance dashboard — derived from the risk map — is the standard mechanism for discharging this oversight obligation.
For companies subject to CSRD (Corporate Sustainability Reporting Directive), the compliance function’s oversight of the organisation’s material regulatory risks is a disclosed element of the annual sustainability report under ESRS G1 (Business Conduct). The compliance risk map provides the evidentiary foundation for this disclosure.
Real results in compliance risk management
Our compliance team was overwhelmed trying to keep up with the pace of new European regulations without a clear view of where the priority risks were. BMC built the complete map: 14 applicable regulations, a gap analysis for each, and a heat map that for the first time allowed us to present the board with a real picture of our regulatory risk. Within six months we had remediated the three critical gaps identified.
What our compliance risk mapping service includes
Regulatory universe mapping and obligation register
Identification of all applicable regulations, construction of the compliance obligation register with regulatory source, effective date, responsible area, and non-compliance risk level.
Gap analysis and risk heat map
Assessment of current compliance levels by regulation, identification and quantification of gaps, and construction of the regulatory risk heat map prioritised by impact and likelihood.
Prioritised remediation plan
Action plan by regulation and gap: corrective actions, schedule, owners, estimated budget, and tracking metrics. Identification of regulatory synergies to maximise compliance efficiency.
Compliance dashboard for management and board
Compliance dashboard with key compliance indicators (KCIs), updated heat map, remediation status, and alerts on relevant regulatory changes.
Regulatory monitoring system
Implementation of the regulatory change tracking system: monitoring of new regulations, interpretive guidance, enforcement decisions, and regulatory proposals with organisational impact.
Results that speak for themselves
Criminal Compliance Spain: Construction Group Case
Criminal compliance program implemented in 6 months, whistleblower channel operational, AENOR certification obtained, and prosecution risk effectively mitigated.
GDPR Healthcare Spain: Compliance Case Study
AEPD investigation closed with no sanction. Full GDPR compliance achieved across all group centres within 6 months.
AML compliance program for a real estate development group
SEPBLAC inspection passed with minor observations only, zero sanctions. Full AML program operational within 90 days.
Reference guides
Post-Brexit: your British company operating in Spain with the right structure
Post-Brexit advisory for UK companies operating in Spain: entity structuring, customs and VAT, work permits for British nationals, UK-Spain tax treaty optimisation and data protection compliance.
AML compliance in Spain 2026: what your business must know about anti-money laundering regulation
Spain AML compliance 2026: SEPBLAC obligations, risk-based approach, PBC manual, UBO verification, and suspicious transaction reporting. Expert service from BMC.
Comprehensive legal services for businesses
Comprehensive legal advisory for businesses: commercial, employment, contracts, regulatory compliance, and dispute resolution. A dedicated legal team to protect your company.
Buy property in Spain with confidence — and without the horror stories
Buying property in Spain 2026: NIE, conveyancing, ITP tax, mortgage advice, and due diligence for foreign buyers. Step-by-step guide from BMC property lawyers.
The collective agreement that governs your workforce: understand it and negotiate from strength
Spain collective bargaining guide: union negotiation obligations, ERE/ERTE triggers, works council rights, agreement registration, and how BMC protects employer interests.
Your commercial lease agreement: get the clauses right before you sign
Spain commercial lease guide: LAU legal framework, rent review clauses, break options, guarantee structures, and key negotiation points for tenants and landlords.
Start with a free diagnostic
Our team of specialists, with deep knowledge of the Spanish and European market, will guide you from day one.
You may also be interested in
Enterprise Risk Management
COSO ERM framework: risk appetite, risk registers, KRIs, board risk reporting, and integration of operational, strategic, financial, and compliance risk.
EU AI Act Compliance
Full compliance with the EU Artificial Intelligence Act: risk classification, conformity assessments, transparency obligations, and prohibited practice audits.
Anti-Money Laundering (AML)
AML/CFT compliance programme for entities subject to Spain's Law 10/2010: policies, procedures, training, and SEPBLAC liaison.
Criminal Compliance
Corporate criminal compliance programmes to exempt or mitigate the criminal liability of legal entities under Article 31 bis of the Spanish Criminal Code.
Data Protection & Privacy
GDPR and LOPDGDD compliance, outsourced DPO, and comprehensive privacy management for businesses.
DORA Compliance (Digital Operational Resilience)
Full implementation of the DORA framework (Regulation 2022/2554) for financial entities: ICT risk management, incident reporting, resilience testing, and ICT third-party risk.
Key terms
EU AI Act
The EU Artificial Intelligence Act (Regulation EU 2024/1689) is the world's first comprehensive…
DORA (Digital Operational Resilience Act)
DORA (Regulation EU 2022/2554) is the EU's regulatory framework requiring financial sector entities…
Due Diligence
Due diligence is the structured investigation and analysis of a target company or asset before a…
ISO 27001 (Information Security Management System)
ISO/IEC 27001 is the internationally recognised standard for Information Security Management Systems…
NIS2 Directive
The Network and Information Security Directive 2 (NIS2 — Directive 2022/2555/EU) is the EU's updated…
Talk to the partner in charge
Response within 24 business hours. First meeting free.