This skill should be used when the user asks to "analyze regulations", "regulatory landscape", "compliance requirements", "legal considerations", "regulatory risk", "industry regulations", "compliance analysis", "regulatory trends", or needs guidance on understanding regulatory environments, compliance requirements, or legal market factors.
Version: 0.6.0
Regulatory Review
Overview
Regulatory review assesses the legal and compliance landscape affecting markets and products. This skill covers frameworks for understanding regulatory requirements, risks, and trends.
Required Frameworks
| Framework | Output Section | Required | Condition |
|---|---|---|---|
| Framework Identification | Applicable Frameworks | yes | — |
| Industry-to-Framework Mapping | Regulatory Mapping | yes | — |
| Penalty Ranges | Enforcement & Penalties | yes | — |
| Risk Matrix | Risk Assessment | yes | — |
| Cross-border Mechanisms | Cross-border Analysis | conditional | Multi-jurisdiction scope in elicitation |
Trend Indicators: Load and apply the trend indicator definitions from protocols/TREND-INDICATORS.md.
When the product uses AI/ML in decisions affecting people (hiring, lending, insurance, housing), these specific requirements apply:
| Requirement | Source | Detail |
|---|---|---|
| Annual bias audit by independent auditor | NYC Local Law 144 | Must test for disparate impact across race/ethnicity and gender; publish summary results |
| 10-day candidate notice | NYC Local Law 144 | Notify candidates that an AEDT (automated employment decision tool) is used; describe data collected and data retention policy |
| High-risk AI conformity assessment | EU AI Act | Employment, education, law enforcement AI classified as high-risk; requires risk management system, data governance, human oversight |
| Adverse impact analysis | EEOC/Title VII | Four-fifths rule for selection rates across protected categories; document validation studies |
| Algorithmic fairness assessment | Colorado SB 21-169 | Developers and deployers of high-risk AI must provide impact assessments |
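The four-fifths rule in the Adverse impact analysis row (EEOC Uniform Guidelines) and the impact ratio that a Local Law 144 bias audit reports are the same calculation. The following is an added example, not code from the skill: selection rate per category, ratio to the highest-rate category, and a flag where the ratio falls below 0.8. The counts are constructed, and the example is simplified to selection rates over single categories (no intersectional breakdown).

```python
# Adverse impact analysis under the four-fifths rule (added example, not from the skill).
# Constructed counts, keyed by a hypothetical demographic category: applicants assessed
# by the tool and the number it selected or advanced.
SAMPLE_COUNTS = {
    "group_a": {"applicants": 200, "selected": 120},
    "group_b": {"applicants": 150, "selected": 45},
    "group_c": {"applicants": 50, "selected": 35},
    "group_d": {"applicants": 0, "selected": 0},  # no applicants: excluded from rates
}
FOUR_FIFTHS = 0.8


def selection_rates(counts):
    """Selection rate per category; categories with no applicants are skipped."""
    return {g: c["selected"] / c["applicants"]
            for g, c in counts.items() if c["applicants"] > 0}


def impact_ratios(counts):
    """Each category's selection rate divided by the highest category's rate."""
    rates = selection_rates(counts)
    top = max(rates.values(), default=0.0)
    # Convention used here: if no category selected anyone there is no disparity.
    return {g: (r / top if top else 1.0) for g, r in rates.items()}


def adverse_impact_flags(counts, threshold=FOUR_FIFTHS):
    """True where a category's impact ratio is below the four-fifths threshold."""
    return {g: ratio < threshold for g, ratio in impact_ratios(counts).items()}


def audit_summary(counts, threshold=FOUR_FIFTHS):
    """One line per category, in the shape a published summary would need."""
    rates = selection_rates(counts)
    ratios = impact_ratios(counts)
    flags = adverse_impact_flags(counts, threshold)
    return [f"{g}: selection rate {rates[g]:.3f}, impact ratio {ratios[g]:.3f}, "
            f"{'BELOW' if flags[g] else 'meets'} four-fifths threshold" for g in rates]


if __name__ == "__main__":
    print("\n".join(audit_summary(SAMPLE_COUNTS)))
```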
Industry-Framework Mapping
Use this table to quickly identify primary and secondary regulatory frameworks based on the user's industry:
| Industry | Primary Frameworks | Secondary Frameworks |
|---|---|---|
| Healthcare/Telehealth | HIPAA, HITECH, FDA 21 CFR | GDPR (EU), State telehealth laws |
| Fintech/Crypto | Dodd-Frank, SEC, FCA (UK) | MiCA (EU), State MSB licensing, BSA/FinCEN |
| AI/ML in Employment | NYC Local Law 144, EEOC, EU AI Act | State AI bills, CCPA/CPRA |
| Children's Apps/Games | COPPA, FTC Act | CCPA minors provisions, App store policies |
| Medical Devices | FDA 21 CFR, EU MDR | TGA (AU), PMDA (JP), ISO 13485 |
| E-commerce/Supplements | FDA DSHEA, FTC Act, Prop 65 | CCPA/CPRA, cGMP (21 CFR 111) |
| SaaS/Data Processing | GDPR, CCPA/CPRA | ePrivacy, Sector-specific (HIPAA, PCI DSS) |
Regulatory Risk Assessment
Risk Categories
Compliance Risk
- Failure to meet existing requirements
- Likelihood: Based on current gaps
- Impact: Fines, operational restrictions

Regulatory Change Risk
- New or changing regulations
- Likelihood: Based on legislative trends
- Impact: Cost of compliance, market access

Enforcement Risk
- Increased regulatory scrutiny
- Likelihood: Based on enforcement patterns
- Impact: Investigations, penalties

Reputational Risk
- Public perception of compliance
- Likelihood: Based on sensitivity of issues
- Impact: Customer trust, brand damage
Risk Matrix
| Risk | Likelihood | Impact | Trend | Mitigation |
|---|---|---|---|---|
| [Risk] | H/M/L | H/M/L | INC/DEC/CONST | [Action] |
Regulatory Trend Analysis
Trend Indicators
INC (Increasing regulation)
- New legislation proposed/passed
- Increased enforcement actions
- Growing public/political attention
- International coordination

DEC (Decreasing regulation)
- Deregulation initiatives
- Reduced enforcement
- Political shift toward less oversight

CONST (Stable regulation)
- Established framework
- Predictable enforcement
- No major changes pending
Current Global Trends
| Area | Direction | Key Developments |
|---|---|---|
| Data Privacy | INC | More countries adopting GDPR-style laws |
| AI/ML | INC | EU AI Act, emerging US frameworks |
| Crypto/Fintech | INC | Global frameworks emerging |
| Competition/Big Tech | INC | Antitrust scrutiny increasing |
| ESG/Sustainability | INC | Disclosure requirements expanding |
| Cybersecurity | INC | Mandatory breach reporting |
| Children's Privacy | INC | COPPA 2.0, Kids Online Safety Act, state children's codes |
| Supplement/Consumer Products | INC | FDA mandatory listing, FTC enforcement of health claims |
Compliance Assessment
Gap Analysis Framework
| Requirement | Current State | Gap | Priority | Remediation |
|---|---|---|---|---|
| [Req 1] | Compliant/Partial/Non | Description | H/M/L | Action needed |
Compliance Cost Estimation
| Component | One-Time | Ongoing Annual |
|---|---|---|
| Technology | $X | $X |
| Personnel | $X | $X |
| Legal/Consulting | $X | $X |
| Training | $X | $X |
| Audit/Certification | $X | $X |
| Total | $X | $X |
Jurisdiction Analysis
Market Entry Considerations
| Jurisdiction | Key Regulations | Complexity | Barrier Level |
|---|---|---|---|
| US | Federal + 50 states | High | Medium |
| EU | GDPR + sector regs | High | High |
| UK | Post-Brexit regime | Medium | Medium |
| APAC | Varies widely | Variable | Variable |
Cross-Border Considerations
- Data localization requirements
- Licensing reciprocity
- Contractual restrictions
- IP protection differences
Cross-Border Data Transfer Mechanisms
When operations span multiple jurisdictions, identify which transfer mechanism applies:
| Mechanism | Use When | Key Requirements |
|---|---|---|
| Standard Contractual Clauses (SCCs) | Transferring EU/UK data to non-adequate countries | 2021 version required; Transfer Impact Assessment mandatory |
| Adequacy Decisions | Transferring to countries with EU adequacy status | Verify current adequacy status (can be invalidated — see Schrems II) |
| Binding Corporate Rules (BCRs) | Intra-group transfers within multinational corporations | DPA approval required; lengthy approval process |
| Data Localization | Country requires data to remain within borders | China, Russia, India (proposed); may require local infrastructure |
| Consent-based Transfer | Individual explicitly consents to cross-border transfer | Not suitable for systematic/bulk transfers under GDPR |
Output Rules
These rules are mandatory for every regulatory review output. They ensure consistency and completeness regardless of the specific industry or prompt:
1. Use exact section headings from the Output Structure below. Do not rename or skip sections.
2. Every Risk Matrix row MUST include a Trend column using exactly one of: INC, DEC, or CONST.
3. Every Trend Analysis bullet MUST use the format: Area: INC/DEC/CONST - [Evidence sentence].
4. Recommendations MUST include at least one of each: Immediate action, Medium-term action, and Monitoring action.
5. Compliance Assessment MUST use status symbols: ✓ (compliant), △ (partial), ✗ (non-compliant).
6. Never use the phrase "This is not legal advice" in the output. The skill disclaimer is in SKILL.md, not in outputs.
7. Always include a Monitoring Indicators section with at least 3 specific indicators (regulatory body names, legislative tracking sources).
8. Cross-border data transfer: When a prompt involves operations in multiple jurisdictions, always discuss data transfer mechanisms (SCCs, adequacy decisions, data localization).
9. Children's data: When the product involves users who may be minors, always address COPPA and parental consent requirements specifically.
10. Compliance costs: Always provide estimated ranges (not exact figures) broken down by Technology, Personnel, Legal/Consulting, Training, and Audit/Certification.
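The mandatory rules above are mechanical enough to lint. The following is an added example, not part of the skill: a checker for the Trend vocabulary, the trend-bullet format, the three recommendation types, the three-indicator minimum and the forbidden phrase. It assumes the output is markdown whose sections start with `## ` headings named as in the rules (the Output Structure itself is not shown on this page) and that the Risk Matrix is a pipe table; the sample output is constructed and breaks several rules on purpose.

```python
import re

TREND_VALUES = {"INC", "DEC", "CONST"}
# Rule 3: a Trend Analysis bullet reads "Area: INC/DEC/CONST - [Evidence sentence]".
TREND_BULLET_RE = re.compile(r"^[-*]\s+[^:]+:\s*(INC|DEC|CONST)\s*-\s*\S.+$")
RECOMMENDATION_KINDS = ("Immediate", "Medium-term", "Monitoring")


def split_sections(text):
    """Assumption: output sections are introduced by '## ' headings."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith("## "):
            current = sections.setdefault(line[3:].strip(), [])
        elif current is not None:
            current.append(line.rstrip())
    return sections


def trend_cells(lines):
    """(risk, trend) pairs from the first pipe table; row 1 is the --- separator."""
    rows = [[c.strip() for c in l.strip("| \t").split("|")] for l in lines if l.lstrip().startswith("|")]
    if not rows or "Trend" not in rows[0]:
        return []
    i = rows[0].index("Trend")
    return [(r[0], r[i] if i < len(r) else "") for r in rows[2:]]


def validate_output(text):
    """Return the list of rule violations; an empty list means the output passes."""
    s, problems = split_sections(text), []
    problems += [f"Risk '{r}': Trend {t!r} is not INC/DEC/CONST"
                 for r, t in trend_cells(s.get("Risk Assessment", [])) if t not in TREND_VALUES]
    problems += [f"Trend bullet malformed: {l.strip()}" for l in s.get("Trend Analysis", [])
                 if l.lstrip().startswith(("-", "*")) and not TREND_BULLET_RE.match(l.strip())]
    recs = "\n".join(s.get("Recommendations", [])).lower()
    problems += [f"Recommendations lack a {k} action" for k in RECOMMENDATION_KINDS if k.lower() not in recs]
    if sum(l.lstrip().startswith(("-", "*")) for l in s.get("Monitoring Indicators", [])) < 3:
        problems.append("Monitoring Indicators needs at least 3 indicators")
    if "this is not legal advice" in text.lower():
        problems.append("forbidden phrase 'This is not legal advice' present")
    return problems


# Constructed sample output that breaks five rules on purpose (not a real analysis).
SAMPLE_OUTPUT = """## Risk Assessment
| Risk | Likelihood | Impact | Trend | Mitigation |
|---|---|---|---|---|
| Breach reporting | M | H | rising | Draft runbook |
## Trend Analysis
- Data Privacy: INC - More countries adopting GDPR-style laws.
- Cybersecurity: increasing, mandatory breach reporting.
## Recommendations
- Immediate: sign SCCs. Monitoring: track EDPB guidance. This is not legal advice.
"""
```

Running `validate_output(SAMPLE_OUTPUT)` reports the non-vocabulary Trend cell, the malformed Cybersecurity bullet, the missing Medium-term action, the absent Monitoring Indicators section and the forbidden phrase.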
These proposed or recently enacted regulations are not yet fully in force but will affect multiple industries. Reference them in Trend Analysis and Monitoring Indicators when relevant:
| Regulation | Jurisdiction | Status | Expected Impact |
|---|---|---|---|
| COPPA 2.0 (FTC rulemaking) | US | Proposed rule | Expanded age range, stricter consent, limits on data use for marketing to children |
| Kids Online Safety Act (KOSA) | US | Passed Senate, House pending | Duty of care for platforms serving minors; impact assessments required |
| EU AI Act implementing rules | EU | Phased implementation 2024-2027 | High-risk AI requirements; prohibited practices; GPAI model obligations |
| Digital Markets Act (DMA) | EU | In force, enforcement ongoing | Gatekeeper obligations; interoperability; data portability for large platforms |
| State AI employment laws | US (IL, CO, MD, NY+) | Various stages | Bias audits, transparency, impact assessments for AI in hiring/employment |
| Federal privacy legislation | US | Proposed (APRA and others) | Potential national data privacy standard preempting state laws |
| India DPDP Act | India | Enacted, rules pending | Consent-based processing, data localization, significant penalty structure |
Penalty Reference Ranges
Use these ranges to calibrate risk impact assessments. Cite specific enforcement examples when relevant to the user's industry:
| Framework | Maximum Penalty | Notable Enforcement Examples |
|---|---|---|
| GDPR | Up to 4% of global annual revenue or EUR 20M | Meta EUR 1.2B (2023, data transfers); Amazon EUR 746M (2021, targeting) |