
The cost of compliance is rising. The cost of handling it is falling
EU compliance costs keep rising while AI costs collapse. Since regulations like EUDR and PPWR share the same operational skeleton, AI "digital colleagues" can handle the repetitive work on a shared platform, turning each new rule into a cheap hire rather than a costly project.
Why the next regulation looks like the last one, and what that means for how you staff it
Two curves are moving in opposite directions, and the gap between them is where the next few years of competitive advantage will be won or lost. The first curve is the cost of running a business in Europe. Stack up the things that are reliably getting more expensive, regulatory compliance, labour, energy, and compound them out to 2030, and even a conservative base case pushes that combined cost burden to roughly 190% of today's level, a 90% increase over five years. Compliance is a meaningful part of that climb: each new regulation adds headcount, documentation, supplier outreach and audit obligations that did not exist the year before. None of the individual increases is dramatic, but compounded, they are.

The second curve runs the other way. The cost of using frontier AI has been falling at a remarkable rate, averaging roughly an order of magnitude or more per year across many tasks, while the capability of those models has climbed steadily over the same period. Work that was technically impossible or economically absurd to automate in 2023 is now routine and cheap. The cost of capable digital labour is, for a growing set of tasks, approaching the floor.

Put the two curves on the same chart and the strategic question writes itself: if the cost of one kind of work is rising and the cost of another is collapsing, which kind of work should absorb your rising obligations? This article is about a specific, concrete answer to that question, using as the worked example two regulations that are landing right now, and that keep coming up in our conversations with clients: the EU Deforestation Regulation (EUDR) and the Packaging and Packaging Waste Regulation (PPWR).

“With the cost of doing business rising while AI grows cheaper and more capable, each new regulation asks how to split the work: let digital colleagues absorb the volume, and keep people on the judgement that actually needs them.”
Two regulations, one shape
Start with what is actually arriving.
- EUDR prohibits placing seven commodities, cattle, cocoa, coffee, oil palm, rubber, soy and wood, and their derived products on the EU market unless they are deforestation-free, legally produced, and covered by a Due Diligence Statement. After two postponements, the date is now fixed: large and medium operators must comply from 30 December 2026, micro and small operators from 30 June 2027, and the Commission has confirmed there will be no third delay. In practice that means plot-level geolocation for every relevant shipment, evidence that production caused no deforestation after the end-2020 cutoff, and a filed statement.
- PPWR replaces the thirty-year-old Packaging Directive with a single directly applicable regulation across all 27 member states, with most core obligations applying from 12 August 2026. From that date, packaging on the EU market must respect substance limits, a combined heavy-metal ceiling and PFAS restrictions for food-contact packaging, carry an EU Declaration of Conformity backed by a technical file for each packaging type, and producers must register and report packaging volumes under Extended Producer Responsibility schemes in every market they sell into. A detail that catches people out: under PPWR the "manufacturer" is whoever fills the packaging and puts their own brand on it, not whoever physically makes it. Brand an imported box and you inherit the full conformity burden.
The two regulations target completely different harms. One is about forests; the other is about waste. Yet for the company on the receiving end, the shape of the obligation is nearly identical: work out what is in scope across a large catalogue, go to suppliers for data you have never systematically collected, validate that data against a rulebook, document a defensible conclusion, file it, and retain the evidence for years. That is not a deforestation problem or a packaging problem. It is a data-collection-and-validation problem wearing two costumes. And once you see the shape, you start seeing it everywhere.
The pattern underneath
Describe these regimes operationally rather than legally and they decompose into the same handful of stages:
- intake and scoping (which products, suppliers or formats are actually caught),
- supplier engagement (reaching out, often in several languages, to collect structured evidence),
- validation (checking what comes back against thresholds and rules: is this polygon a valid coordinate set, does this material stay under the metal limit, is this test report complete),
- escalation (anything ambiguous, conflicting or high-risk goes to a human, not an automated decision),
- documentation and filing (assembling the statement or declaration and submitting it), and
- monitoring and retention (keeping records for the mandated period and watching the rulebook for change).
This is the same arc that NIS2 and DORA third-party risk management already follow: triage incoming supplier attestations, apply rule-based logic, escalate the ambiguous cases, log everything for the auditor. EUDR runs the arc with geolocation data. PPWR runs it with bills of materials and lab reports. The nouns change; the verbs do not.

And it does not stop with these four. CBAM asks importers to collect embedded-emissions data from suppliers and report it, structurally a close cousin of EUDR's geolocation collection. The EU AI Act asks providers of high-risk systems to assemble a technical file, run a conformity assessment and register the result, structurally a close cousin of PPWR's Declaration of Conformity. CSRD, the forthcoming due-diligence rules, and others rhyme with the same pattern. The specific obligations differ and the deadlines move around, but the operational skeleton is shared. That is the single most important thing to internalise, because it changes what you are actually building.
Why this is suited to digital colleagues
This pattern is a near-perfect fit for what we'd call a digital colleague, an AI agent that handles a defined role end to end, works inside your existing systems, and hands off to a human the moment judgement is required. The reason it fits is that the expensive, slow, error-prone part of compliance is almost never the legal interpretation. It is the operational machinery: chasing suppliers, parsing inconsistent documents, applying the same rules consistently across thousands of SKUs or shipments, and producing an audit trail that survives inspection. That work is high in volume and low in required judgement, exactly the profile a digital colleague is built for.

A practical setup mirrors the stages above. A supplier-engagement colleague identifies which records are missing data, contacts the right supplier in their own language, and parses whatever comes back, PDF, spreadsheet, or raw coordinates. A validation colleague does the deterministic checking: confirming a geolocation polygon is well-formed for EUDR, or summing restricted-substance concentrations against the PPWR limits. A documentation colleague assembles the technical file or statement and readies it for filing. A monitoring colleague tracks regulatory change and manages retention. They operate as a team, with the more capable agents orchestrating the simpler ones, and crucially, every one of them is escalation-aware.
That last point is the whole game. The digital colleague is designed to recognise the limits of its own confidence and route anything uncertain, a supplier whose data conflicts with a prior submission, a borderline threshold, an own-brand product that trips PPWR's manufacturer reclassification, to a person. Every step is logged, which is not a nice-to-have: EUDR requires five-year record retention, and PPWR requires technical files to be held for five or ten years depending on packaging type. An automated, time-stamped audit trail is itself part of the compliance product, not overhead bolted onto it.
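A constructed illustration of the validation-and-escalation stage just described, added here and not code from the article or from any vendor platform: a well-formedness check for EUDR-style plot polygons, a combined heavy-metal sum for PPWR-style packaging data, and a time-stamped audit entry for every decision, with borderline or inconsistent inputs routed to a person instead of being auto-decided. The limit and margin values are assumed placeholders, not figures taken from either regulation.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Illustrative thresholds only: the article gives no figures, so these are assumed placeholders.
HEAVY_METAL_LIMIT_MG_KG = 100.0  # hypothetical combined ceiling for the PPWR-style check
BORDERLINE_MARGIN = 0.10         # results within 10% of the limit go to a human, not to auto-pass

@dataclass
class Decision:
    record_id: str
    outcome: str   # "pass", "fail" or "escalate"
    reason: str
    checked_at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())

AUDIT_LOG: list[Decision] = []  # time-stamped trail, one entry per automated decision

def _record(decision: Decision) -> Decision:
    AUDIT_LOG.append(decision)
    return decision

def check_polygon(record_id: str, ring: list[tuple[float, float]]) -> Decision:
    """EUDR-style plot polygon: (lon, lat) pairs, at least 4 vertices, closed, in range."""
    if len(ring) < 4:
        return _record(Decision(record_id, "escalate", "fewer than 4 vertices"))
    for lon, lat in ring:
        if -180 <= lon <= 180 and -90 <= lat <= 90:
            continue
        if -180 <= lat <= 180 and -90 <= lon <= 90:  # valid if swapped: likely a lat/lon mix-up
            return _record(Decision(record_id, "escalate", f"possible lat/lon swap at {(lon, lat)}"))
        return _record(Decision(record_id, "fail", f"coordinate out of range: {(lon, lat)}"))
    if ring[0] != ring[-1]:
        return _record(Decision(record_id, "escalate", "ring not closed"))
    return _record(Decision(record_id, "pass", "well-formed polygon"))

def check_heavy_metals(record_id: str, mg_per_kg: dict[str, float]) -> Decision:
    """PPWR-style combined heavy-metal check: sum all reported concentrations against one ceiling."""
    total = sum(mg_per_kg.values())
    if total > HEAVY_METAL_LIMIT_MG_KG:
        return _record(Decision(record_id, "fail", f"{total} mg/kg exceeds {HEAVY_METAL_LIMIT_MG_KG}"))
    if total >= HEAVY_METAL_LIMIT_MG_KG * (1 - BORDERLINE_MARGIN):
        return _record(Decision(record_id, "escalate", f"{total} mg/kg is borderline"))
    return _record(Decision(record_id, "pass", f"{total} mg/kg within limit"))

if __name__ == "__main__":
    # Constructed sample inputs, not real supplier data.
    plot = [(-60.1, -3.2), (-60.0, -3.2), (-60.0, -3.1), (-60.1, -3.1), (-60.1, -3.2)]
    print(check_polygon("plot-001", plot).outcome)        # pass
    print(check_polygon("plot-002", plot[:-1]).outcome)   # escalate: ring not closed
    print(check_heavy_metals("pack-001", {"Pb": 60.0, "Cd": 35.0}).outcome)  # escalate: borderline
    for d in AUDIT_LOG:
        print(d.checked_at, d.record_id, d.outcome, d.reason)
```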
What this is not is an oracle that decides compliance on its own. The right mental model is a tireless junior analyst who does the first pass on thousands of cases and surfaces the handful that need a senior eye. The legal experts still define the rules and own the judgement calls. The colleague absorbs the volume.
A fair objection is that the data is messy: suppliers store information in incompatible formats, many have never been asked for geolocation or material composition, and availability varies wildly. True. But this is better understood as an argument about when the AI agent should escalate a task to a human colleague, not an argument against automating the bulk of the flow (see the confidence-based escalation described above).
The platform is the part that makes reuse real
Here is where the "every regulation is the same shape" insight stops being a nice observation and becomes an operating model.
If you build a digital colleague for one regulation as a standalone project, its own integrations, its own hosting, its own monitoring, its own governance, you have bought a point solution. When the next regulation arrives, you build it all again. You pay the platform cost every time, and the much-advertised "reuse" never materialises because there was never a shared foundation to reuse.
The alternative is to treat the agents the way you would treat employees: they need an office. That office is a platform, a shared layer that sits on top of the cloud infrastructure you almost certainly already run, and provides the things every digital colleague needs regardless of which regulation it serves. Orchestration. Connections into your existing systems, behind your firewall. A registry of which agents exist and what they are allowed to touch. Logging, tracing and cost monitoring. Prompt and content management. Security and governance from the start. Build that once, with your first agent, and the second regulation is not a capital project, it is a new hire.
This also resolves the perennial ownership question, because it cleanly splits responsibility. IT owns the platform: it runs the infrastructure, builds and maintains the integrations and APIs, monitors the agents technically, and watches total cost. The business owns the colleagues: it "recruits" new agents for new obligations, manages their prompts and content, owns their KPIs, and carries the cost of each individual agent against the value it delivers. Compliance, sustainability or procurement decides what the digital colleague should do; IT makes sure it can do it safely. Neither side is blocked on the other.
The strategic payoff is straightforward. The first regulation carries the cost of standing up the platform. Every regulation after it draws down that same foundation, so its marginal cost falls. The company that treats EUDR, PPWR and its existing NIS2 work as separate projects pays the platform cost three times. The company that builds the platform once pays it roughly once and configures the rest.
How the investment pays itself back
Compliance is usually framed as pure cost, a tax on selling into the EU. That framing misses where the return lives, and there are four sources of it that compound.
The first is reuse across regimes, described above: the shared platform turns the second and subsequent regulations into configuration rather than construction.
The second is labour leverage. The work being automated is exactly the high-volume, repetitive task that otherwise consumes analyst headcount or expensive external consultants. In adjacent domains, well-scoped agents already handle the clear majority of incoming cases without a human touching them, leaving people free for the genuinely ambiguous ones. That is both cheaper and a better use of scarce expertise, and it does it without growing the headcount line that is rising on the cost curve.
The third is avoided penalty and market-access risk. PPWR penalties bite per non-compliant packaging type and non-conforming goods can be stopped at the border; EUDR carries fines and product seizure. Consistent, auditable, automated checking reduces the error rate that turns into penalties or rejected shipments. Harder to put on a spreadsheet than a headcount saving, but for a business with thousands of SKUs the expected value is real.
The fourth, and most overlooked, is the data asset the process leaves behind. Building EUDR compliance forces you to map your supply chain to plot-level origin. Building PPWR compliance forces a complete inventory of packaging materials and their composition. That information has value far beyond the regulation that prompted it, in procurement, in genuine sustainability reporting, in supplier risk management, and in answering the next regulation before it is even drafted. Compliance done well quietly builds a structured, queryable map of your supply chain that you did not previously have.
The shift in posture
The companies that handle the next decade of EU regulation well will not be the ones with the largest compliance teams. They will be the ones that stop treating each regulation as a surprise.
Once you see that EUDR, PPWR, NIS2 and whatever follows share an operational skeleton, and that the cost of the digital labour to run that skeleton is falling as fast as the cost of the obligations is rising, the strategic question changes. It is no longer "how do we survive this regulation?" It becomes "what reusable capability are we building, and how cheaply can it absorb the next one?"
Seen that way, the relentless arrival of new rules is still a burden, but a burden with declining marginal cost, provided you build for the pattern rather than the instance, and provided you give your digital colleagues somewhere to work. The first regulation is a project. Handled well, every one after it is a hire.