Last Friday’s session between Andrej Savin (Professor of IT Law, Copenhagen Business School) and Sid Ali Boutellis (Legal Tech Expert) explored the concept of bespoke compliance and its growing importance in an increasingly complex regulatory environment. Savin argued that organisations should move away from treating compliance as a downstream legal check and instead integrate it into strategy, governance, product design, and decision-making from the outset. The session examined how evolving European digital regulation, risk-based compliance frameworks, and organisational culture are reshaping the way businesses approach regulatory obligations.
Why Traditional Compliance Falls Short
Savin described how many organisations continue to treat legal and compliance functions as a final-stage review process. By the time lawyers become involved, products, services, and commercial decisions are often already fixed, limiting the organisation’s ability to make meaningful changes.
This reactive approach can create significant business risks. Savin cited examples including Volkswagen, Boeing, British Petroleum, Enron, and Danske Bank, in which compliance failures resulted in regulatory scrutiny, financial penalties, reputational damage, and loss of stakeholder trust.
Rather than viewing compliance as an obstacle, Savin argued that organisations should recognise it as a strategic asset capable of creating competitive advantage.
What Is Bespoke Compliance?
Savin defined bespoke compliance as a tailored approach that aligns legal and regulatory obligations with the specific needs, risks, and objectives of a business.
Instead of relying on generic, off-the-shelf compliance programmes, organisations should embed compliance considerations into products, processes, and governance structures from the beginning. This enables businesses to address risks proactively while creating value through demonstrable commitments to areas such as cybersecurity, privacy, and responsible AI.
The central principle is simple: compliance should be designed into the organisation rather than added after the fact.
The European Regulatory Perspective
The conversation explored how recent European legislation supports this approach. Savin highlighted major regulatory initiatives, including:
- General Data Protection Regulation (GDPR)
- Digital Services Act (DSA)
- Digital Markets Act (DMA)
- AI Act
- Data Act
- NIS2 Directive
According to Savin, these frameworks collectively represent one of the most significant digital regulatory architectures in the world. Importantly, many of these regulations adopt a risk-based approach that requires organisations to assess and manage their own risks rather than simply comply with prescriptive rules.
He noted that GDPR’s requirement for “data protection by design and by default” provides a clear example of bespoke compliance already embedded within European law.
Risk, Uncertainty, and Regulatory Flexibility
A key theme of the discussion was the distinction between risk and uncertainty.
Savin explained that modern technologies, particularly AI, often create uncertainty rather than traditional risk because organisations cannot always predict outcomes or enforcement approaches. To address this, European regulators have built flexibility into their frameworks through risk-based obligations, standards, guidelines, and conformity assessments.
While this flexibility creates uncertainty, it also allows organisations to tailor compliance programmes to their specific circumstances.
The Role of Standards and ISO Frameworks
The discussion also examined the relationship between bespoke compliance and international standards.
Savin emphasised that standards such as ISO 27001 can play an important role in governance and conformity assessment. However, he cautioned that standardisation alone does not solve compliance challenges.
Instead, standards should be viewed as one component of a broader compliance posture. They can help organisations structure their efforts and demonstrate good practice, but they do not replace risk management or strategic decision-making.
Six Elements of a Sustainable Compliance Framework
Savin outlined six practical elements that organisations can adopt regardless of size, sector, or maturity:
- Design-stage integration – considering compliance during product and service development.
- Risk assessment and prioritisation – evaluating the likelihood and impact of potential issues.
- Firm-specific calibration – tailoring compliance efforts to the organisation’s unique risk profile.
- Conformity assessment and standardisation – using recognised frameworks where appropriate.
- Cultural and psychological alignment – creating environments where concerns can be raised safely.
- Dynamic adaptation – continuously updating compliance approaches as technologies, regulations, and business models evolve.
He stressed that these elements are universally applicable and provide a practical foundation for organisations seeking a more sustainable approach to compliance.
Compliance as Strategy
The session concluded by positioning compliance as a board-level strategic issue rather than an operational exercise.
Drawing on strategic compliance management principles, Savin argued that organisations should actively leverage compliance to build trust, strengthen resilience, and create competitive differentiation. In-house counsel can play a critical role by connecting legal, operational, and strategic priorities across the organisation.
The overarching message was clear: businesses that integrate compliance into their strategic thinking from the outset will be better equipped to navigate uncertainty, respond to evolving regulation, and create long-term value.