Compliance: From unpleasant obligation to structural necessity with LEAN management


E-commerce Compliance 2026 is a structural necessity. A solid, pragmatic approach using the LEAN philosophy reduces its cost and complexity.

E-commerce is a mature market that no longer allows for improvisation. In this scenario, Compliance (corporate conformity) 2026 is not a marketing lever but a structural necessity to ensure business continuity. The new rules (regardless of how fair and balanced we consider them) are a given, and we must manage them with a solid and pragmatic approach.

 

The sea of regulations: the impossibility of improvisation

The volume of European regulations concerning transparency, security, and responsibility is vast and constantly evolving. This complexity, alone, makes a structured approach essential. Without going into detail, among the regulations that define the new frontiers of the sector, we find:

  • Product and sustainability: EPR, ESPR, GPSR, and the digital product passport.
  • Accessibility and consumers: GDPR, ADA and accessibility, Children’s Product Certificate (CPC), the PPWR (Packaging and Packaging Waste Regulation), and the Omnibus Directive.
  • Digital Single Market: Regulation 2018/302/EU (prohibition of geoblocking) and the Digital Markets Act (DMA).
  • IT Security: new directives like NIS 2.
  • etc... etc... etc ... 😵‍💫🤢

For your benefit, we have drafted the definitive (or almost) list of compliance fronts, each with a criticality indicator and an idea of the sanctions.

 

1. Sustainability and life cycle (green deal)

| Compliance | Brief description | Risk | Penalties and consequences |
|---|---|---|---|
| EPR (Waste/Packaging) | Financial responsibility for end-of-life disposal. | High | Sales block on marketplaces (Amazon/eBay block the account), variable national fines. |
| ESPR (Ecodesign) | Design requirements (durability, recycling). | Medium/High | Product withdrawal from the market, ban on sales in the EU. |
| DPP (Digital Passport) | Digital traceability of materials and supply chain. | High | Customs blocks incoming goods; ban on placing on the market. |
| PPWR (Packaging) | Reduction of empty space and non-recyclable materials. | Medium | Administrative sanctions for each non-compliant unit, obligation to re-label. |
| Green Claims | Stop to vague terms ("Eco", "Bio") without evidence. | Critical | Fines up to 4% of annual turnover; reputational damage (naming and shaming). |
| EUDR (Deforestation) | Ban on products from deforested land (wood, coffee, etc.). | Critical | Fines up to 4% of EU turnover; confiscation of goods and revenues. |
| REACH (Chemicals) | Limits on hazardous substances (e.g., lead, nickel). | Critical | Criminal liability for the administrator, heavy fines (tens of thousands of €), destruction of goods. |

 

2. Safety and consumers

| Compliance | Brief description | Risk | Penalties and consequences |
|---|---|---|---|
| GPSR (General Safety) | Obligation of a responsible person in the EU and risk analysis. | Critical | Immediate withdrawal (recall), monetary sanctions, civil liability for damages. |
| CPC (Children - USA/Global) | Safety certificate for children's products. | High | Customs seizure, product destruction, federal (USA) or local fines. |
| Omnibus Directive | Transparency of discounts and genuine reviews. | High | Fines up to 4% of national turnover (or €2M if not calculable). |
| Legal Guarantee | Coverage of defects for 2 years (including software). | Medium | AGCM sanctions (up to €5M in Italy for unfair practices), refund obligation. |
| Right of Withdrawal | 14 days for return without reason. | Medium | Extension of withdrawal period to 12 months; administrative sanctions. |

 

3. Data, platform, and accessibility

| Compliance | Brief description | Risk | Penalties and consequences |
|---|---|---|---|
| EAA (Accessibility 2025) | Website navigable by disabled people. | High | Fines up to 5% of turnover (depending on the EU country), order to remake the site. |
| GDPR & Cookie | Privacy, data consent, and security. | Critical | Up to €20M or 4% of global turnover; data processing block (business closure). |
| DSA (Digital Services) | Content moderation and seller traceability. | High | Up to 6% of global turnover; service suspension. |
| DMA (Gatekeeper) | Antitrust for big tech (not for SMEs directly). | N/A (SMEs) | Up to 10% of turnover (concerns Amazon/Google, not the individual e-commerce). |
| Geo-blocking | Ban on discrimination based on EU nationality. | Medium | Administrative sanctions, nullity of contractual clauses. |
| CRA (Cyber Resilience) | Security of connected products (IoT). | High | Up to €15M or 2.5% of turnover; ban on selling vulnerable products. |

 

4. Tax and payments

| Compliance | Brief description | Risk | Penalties and consequences |
|---|---|---|---|
| VAT OSS | Centralized VAT for EU sales. | High | International tax assessments, penalties from 30% to 120% of evaded tax plus interest. |
| PSD2 / SCA | Strong customer authentication for payments. | High | High transaction failure rate (lost revenue), banking penalties. |

Please Note: Percentage penalties (e.g., 4% of turnover) usually refer to the total annual worldwide turnover. Besides fines, the most feared sanction is often the "market block" (inability to sell).

 

Weighing "Probability of control" against "Economic damage", here are the 3 current "final bosses":

  1. GDPR/Omnibus: Controls are automated or start from competitor reports. Fines are a percentage of turnover.
  2. EPR (Packaging/WEEE): Marketplaces (Amazon leading the way) are preemptively blocking those without registration numbers. The damage is the immediate block of turnover.
  3. EUDR (Deforestation): If you are in the sector (wood, coffee, cocoa), without compliance, customs will not clear anything. It is a physical block of the supply chain.

 

Compliance in the LEAN philosophy: non-value added, but necessary

The key issue is how to integrate compliance structures efficiently. The LEAN philosophy offers the ideal approach: attentive to value and to the prevention of waste. From this perspective, compliance is not considered "waste," but falls under non-value-added yet necessary activities (e.g., regulations, security controls). The goal is not to eliminate it, but to drastically reduce its cost and complexity through:

  • Integration into the flow: Compliance is “absorbed” into the operational flow, not superimposed. Legal requirements are translated into clear and visual standards (visual management) and simplified to become a natural part of the process.
  • Automation and "upstream" shifting: Utilizing automation (e.g., digital compliance) and moving controls “upstream” in the process to reduce bureaucracy.
  • Cultural change: Responsibility is shared with the teams rather than concentrated in formal audits. The ideal result is “compliance by design,” not “compliance by policing.” Once automated, compliance becomes a way to keep the workflow “clean and stable.”

In essence: culture, good habits, and not imposition.

 

Beyond asymmetry: dialogue as a factor of stability

In this view, compliance is part of a “socio-technical system,” a dialogue between companies and institutions to ensure security, sustainability, and fairness. In reality, however, the parties often experience an asymmetry of perception: the institution sees the company as a potential transgressor, and the company sees the institution as a dull bureaucrat or an obstacle. In a sense, both “defend themselves” instead of “co-creating.” This problem, to be honest, is not unique to the “compliance” front: consider, for example, the sadly conflictual attitude that exists between businesses and the Revenue Agency.

To address this issue and translate principles into real practices, it is essential to equip oneself with a knowledgeable and reliable partner: an ally with a holistic view of regulation, capable of transforming the normative obligation into structural and solid management, and of positioning the company as a cyber-resilient and prepared operator.

 


— 18 November 2025

Drop s.r.l.