Compliance

Compliance refers to a software system’s adherence to applicable laws, regulations, industry standards, and internal policies. As a non-functional requirement, compliance defines not what a system does but the conditions under which it must operate, specifically:

  • how data is collected, stored, transmitted, and deleted;

  • how access is controlled;

  • what audit trails must be maintained;

  • and how the system is developed and documented.

Compliance obligations can have wide-ranging implications for software architecture, influencing decisions around data residency, encryption, logging, access control, and the auditing of changes to sensitive data.

Compliance obligations may be imposed externally by governments or regulatory bodies (such as GDPR for data privacy, HIPAA for healthcare information, PCI DSS for payment card data, or SOX for financial reporting), mandated by industry consortia (such as ISO standards or WCAG accessibility guidelines), or established internally through organizational policy and contractual agreements.

Unlike many non-functional requirements that can be traded off against cost or performance, compliance requirements are typically non-negotiable. Failure to meet them can carry significant legal, financial, or reputational consequences. This makes compliance a first-class concern in regulated industries such as finance, healthcare, and government. In these contexts, compliance must be considered from the earliest stages of system design rather than retrofitted later.

Whether a system meets its compliance obligations is verified through compliance testing.