Originally published on LinkedIn · October 2025.
Drawing on 30 years of security experience across 15+ countries, here is something the executive protection and supply chain security communities need to discuss together: contractual compliance language carries operational weight that most organizations underestimate.
Compliance Is Not Security
Let’s start here. Compliance is not security. Compliance is the minimum bar set by a third party — a regulator, a customer, an industry body. Security is what you actually need. Sometimes those overlap. Often they don’t.
When a contract says a supplier “must comply with all applicable laws and regulations,” many organizations treat that as a checkbox — obtain the license, keep the insurance current, done. They miss the full implication.
When Standards Become Mandatory
When a contract references specific standards — HIPAA, CCPA/GDPR, NIST 800-161, ISO 27001, ASIS guidelines — those documents transition from optional references to mandatory compliance frameworks. You MUST comply. You WILL be audited. You WILL suffer consequences for non-compliance.
This applies directly to EP providers and their supply chains. If your EP contract flows down these requirements to your vendors, subcontractors, and technology providers — every one of them is now on the hook. Do they know that? Have you verified it?
The Questions You Need to Answer
- Have the legal teams on both sides of the contract identified all applicable laws and regulations?
- Do your policies and procedures actually support every provision in the contract?
- What is the compliance deadline, and is your budget adequate to meet it?
- Are all personnel — employees and contractors — trained on these requirements?
- Does your pricing model account for the cost of real compliance?
That last question matters more than people want to admit. Real compliance costs money. If your contract pricing was set before you understood the full compliance burden, you have a problem that compounds at every renewal.
The Bottom Line
Are you ready for a great auditor or breach investigator to show up? If you can answer yes — with documentation, trained people, and tested processes behind it — you are doing it right. If your answer is “I think so” or “probably”, that is the same answer as no.
Understanding applicable standards before they are contractually mandated is a competitive differentiator. It means you are not scrambling when the contract lands. It means you are ready.
