Building software for a regulated industry is not harder than building for an unregulated one - it is different. What changes is the set of constraints the product must satisfy before it can legally operate. Those affect cost (+30-60%), timeline (+4-8 weeks), and architecture (audit trails, encryption, RBAC, data residency). Plan compliance from day one or pay much more bolting it on later.
What all regulated industries share
- Audit trails. Every significant action logged, immutably.
- Encryption. AES-256 at rest, TLS 1.2+ in transit. No exceptions.
- RBAC. Users see only what their role allows.
- Data residency. EU data stays in the EU; some sectors require country-level storage.
- Incident response. Documented plan, including the 72-hour breach notification that GDPR requires. See GDPR for custom software.
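Two of the shared requirements above, the immutable audit trail and RBAC, shape the data layer directly, which is why the FAQ warns they cannot be bolted on later. The sketch below is an added example written for this article (it is not the author's or any product's code) showing one way to satisfy both in the same code path: every authorisation decision, allowed or denied, is appended to a hash-chained log, and any later edit or deletion of an entry makes verification fail. The role table and the names AuditLog, AuditEntry and authorize are hypothetical. Note that a hash chain gives tamper evidence, not immutability on its own; in production the chain head is periodically anchored in storage the application cannot rewrite (WORM object storage, an external log service) so a full rewrite of the chain is detectable.

```python
"""Tamper-evident audit trail gated by an RBAC check (illustrative example)."""
import hashlib
import json
import time
from dataclasses import dataclass

# Hypothetical role -> permitted actions table (constructed sample policy).
POLICY = {
    "clerk": {"record:read"},
    "analyst": {"record:read", "record:export"},
    "admin": {"record:read", "record:export", "record:delete"},
}


@dataclass
class AuditEntry:
    seq: int          # position in the chain, 0-based
    ts: float         # unix timestamp of the decision
    actor: str        # who attempted the action
    role: str         # role the actor held at the time
    action: str       # action attempted, e.g. "record:delete"
    outcome: str      # "allowed" or "denied"
    prev_hash: str    # hash of the previous entry (genesis value for the first)
    hash: str = ""    # hash over every field above

    def compute_hash(self) -> str:
        # Canonical JSON (sorted keys) so the same fields always hash the same.
        body = {k: v for k, v in self.__dict__.items() if k != "hash"}
        payload = json.dumps(body, sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


class AuditLog:
    """Append-only log where each entry commits to the hash of the one before it.

    Editing, removing or reordering any entry breaks verify(); only appending
    at the tail keeps the chain valid.
    """

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._entries = []

    def append(self, actor: str, role: str, action: str, outcome: str) -> AuditEntry:
        prev = self._entries[-1].hash if self._entries else self.GENESIS
        entry = AuditEntry(len(self._entries), time.time(), actor, role, action, outcome, prev)
        entry.hash = entry.compute_hash()
        self._entries.append(entry)
        return entry

    def entries(self) -> list:
        return list(self._entries)

    def verify(self) -> bool:
        """Recompute every hash and check each link back to the genesis value."""
        prev = self.GENESIS
        for i, entry in enumerate(self._entries):
            if entry.seq != i or entry.prev_hash != prev or entry.compute_hash() != entry.hash:
                return False
            prev = entry.hash
        return True


def authorize(log: AuditLog, actor: str, role: str, action: str) -> bool:
    """RBAC decision that is always recorded, including denials.

    Denied attempts are logged too: for audit purposes a refused export is
    at least as interesting as a permitted one.
    """
    allowed = action in POLICY.get(role, set())
    log.append(actor, role, action, "allowed" if allowed else "denied")
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    authorize(log, "alice", "analyst", "record:export")   # allowed
    authorize(log, "alice", "analyst", "record:delete")   # denied, still logged
    authorize(log, "bob", "admin", "record:delete")       # allowed
    print("chain valid:", log.verify())
    log.entries()[1].outcome = "allowed"                  # simulate a tampered row
    print("chain valid after tampering:", log.verify())
```

The point to carry into a design review: the log write happens inside the authorisation function, so there is no code path that makes a permission decision without leaving a record, and the chain check is cheap enough to run on every read of the trail.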
Fintech: what changes
Regulations: PSD2, AML, KYC, MiFID II, GDPR.
- KYC verification via Onfido, Jumio, or Sumsub - €2,000-€5,000 integration plus per-verification fees.
- AML transaction monitoring with rules engine or AI classifier and a compliance dashboard.
- Licensing (CNB or HANFA in Croatia) takes 6-18 months and €20,000-€100,000+ in legal fees.
- Strong Customer Authentication (SCA) - two-factor for electronic payments.
Cost impact: +40-60%. A €30,000 unregulated MVP runs €45,000-€50,000 with compliance.
Healthtech: what changes
Regulations: GDPR (health data is special category), MDR, national health data laws.
- Health data requires explicit consent, stricter access, and DPIAs.
- Medical device classification. If the software offers diagnostic or clinical decision support, it triggers MDR CE marking - €30,000-€100,000 and 6-12 months. Operational software (scheduling, billing) usually does not.
- Interoperability via HL7 FHIR is increasingly mandatory.
Cost impact: +30-50% for operational software; +100-200% if MDR applies.
Edtech: what changes
Regulations: GDPR (minors), accessibility (WCAG 2.1 AA / EN 301 549).
- Under-16 consent must be parental and verifiable - not a checkbox.
- Accessibility is a legal requirement, not optional - affects UI, contrast, keyboard navigation.
- Content moderation is required if users can share content.
Cost impact: +20-40% for accessibility; €2,000-€5,000 for the consent flow.
Frequently Asked Questions
Can I build an MVP and add compliance later? For some requirements (accessibility, consent flows), yes. For others (encryption, audit trails), no - retrofitting requires rebuilding the data layer. Build the foundation into the MVP.
Do I need a lawyer? Yes. A technology lawyer familiar with your vertical (€150-€300/hour) saves expensive mistakes. Budget €3,000-€8,000 for a legal review of the spec.
Is regulation the same across the EU? GDPR is EU-wide. Sector rules (fintech licensing, health data) vary by country. Always check national requirements for your target market.
Related Articles
- Got an idea for vertical software? How to validate it
- GDPR for custom software
- From industry expertise to software product
Building for a regulated industry?
Book a free 30-minute call. We will identify the requirements for your vertical, estimate compliance cost, and help you plan a build that is compliant from day one.
Reach out at info@tsunami-digital.com or via the form on our homepage.