StrategyAdvanced8 min read

Regulatory Strategy

Regulatory strategy is the deliberate management of how government rules — federal, state, local, international — shape your business, including the proactive work to influence, navigate, and sometimes outrun those rules. The KnowMBA POV: regulatory strategy is the most under-discussed CEO function. Investors pretend it doesn't exist; founders treat it as 'something legal handles'; business school curricula barely mention it. Yet every $10B+ company has a regulatory strategy that determines what they're allowed to build, who they can sell to, what they must disclose, and what they must pay. Uber's regulatory strategy ('move fast, fight cities, normalize the model before regulators react') was a 10x more important driver of their valuation than their app design. Crypto companies that ignored regulatory strategy are bankrupt or in jail. AI companies that ignore it now will be in 5 years. Treating regulation as 'compliance' instead of 'strategy' is the single most expensive mistake mid-stage CEOs make.

Also known asGovernment Affairs StrategyCompliance StrategyRegulatory AffairsPolicy StrategyRegulatory Engagement

Challenge a friend Browse library

The Trap

The dominant trap is treating regulation as a binary compliance question ('are we legal?') instead of a strategic continuum ('how do we shape what becomes legal?'). Companies that see regulation only as compliance spend zero on government affairs until they get sued, by which point the rules are written against them. The opposite trap is over-investing in regulatory engagement before you have product-market fit — burning cash on Washington consultants when you should be building product. The third and most dangerous trap is the 'permissionless innovation' fallacy — assuming that because the internet was unregulated for 20 years, your industry will be too. AI, crypto, gig economy, biotech, drones, and dozens of other categories are all proving that regulators eventually catch up, and the companies that prepared win.

What to Do

(1) Map the regulatory landscape that affects your business: federal agencies, state regulators, international bodies, industry self-regulators. Most companies don't even know who their regulators ARE until they get a letter. (2) Build relationships before you need them — meet regulators when you have nothing to ask for, so when you do need to ask, they've heard of you. (3) Hire a senior policy person earlier than feels reasonable; in regulated industries, this is the second or third executive hire after CEO and CTO. (4) Engage in industry self-regulation and trade associations to shape rules before they're written; rules written without you in the room are written against you. (5) Build compliance infrastructure proportional to regulatory exposure; in some industries (financial services, healthcare, AI) compliance is 5-15% of total operating cost. (6) Pre-position for likely regulation by adopting voluntary practices — companies that 'self-regulate' often get exempted or lighter treatment in formal rules.

Formula

Regulatory Risk Exposure = Probability of New Rule × Cost of Compliance × Time to Adapt. Companies in fast-moving regulatory environments (AI, crypto, healthcare, energy) should budget 3-8% of revenue for regulatory engagement and compliance.

In Practice

Uber's regulatory strategy from 2010-2018 was a deliberate, aggressive playbook: launch in cities without permission, build user demand fast enough that regulators feared political backlash from shutting it down, then negotiate from a position of installed-base strength. They lost local battles (banned in Austin, fined in many cities, criminal investigations in others) but won the war — by 2018, ride-sharing was legal in most major U.S. and global cities, often through legislation Uber itself had drafted with state legislatures. The strategy was extraordinarily expensive: estimated $500M+ in legal/regulatory costs and tens of millions in lobbying. But the alternative — going city-by-city seeking permission, as legacy taxi companies did — would have left Uber as a small player in 5 cities. The regulatory strategy was arguably more important to Uber's ~$80B IPO valuation than the technology was. Lyft followed the same playbook and benefited from the trail Uber blazed.

Pro Tips

01
The single biggest regulatory mistake mid-stage CEOs make is hiring their first government affairs person too late — usually after the first major regulatory crisis. By then, you're playing defense, paying premium rates, and have no relationships. The right time to hire your first GR/policy person is when you cross $50M ARR (or earlier in highly regulated industries). The hire is expensive ($300K+) and looks unjustified on the org chart — until the day it pays for itself 100x over.
02
Regulatory capture is real and works in both directions. Industries can capture their regulators (favorable rules), but regulators can also capture industries (compliance becomes its own profit center for the largest players, who can afford it, while smaller competitors get squeezed out). Whichever side you're on, expect this dynamic — and use it. Banks lobby for capital requirements that shut out fintechs; pharma lobbies for FDA processes that take 10 years and $2B (which they can afford and startups can't).
03
International regulatory divergence is the new normal. The EU is regulating AI, GDPR, DMA, DSA on completely different timelines and standards than the U.S., with China running yet another playbook. A company that thinks 'we'll just comply with U.S. rules' loses Europe (or pays GDPR-style fines), and vice versa. Build a regulatory strategy that contemplates 3-5 jurisdictions from day one if you sell internationally — retrofitting after expansion is brutally expensive.

Myth vs Reality

Myth

“Regulation is just a cost center”

Reality

Smart regulation is a moat. The largest companies in regulated industries (banks, insurers, drugmakers, telecoms, utilities) explicitly use regulatory complexity to keep competitors out. They lobby FOR more rules they can comply with that startups cannot. Goldman Sachs supports stricter capital requirements; Pfizer supports longer FDA approval timelines; Comcast supports complex telecom regulation. Compliance scale becomes a barrier to entry.

Myth

“Move fast and break things; regulators will catch up later and we'll deal with it”

Reality

This worked for the early internet because regulators were 20 years behind the technology. It does not work for AI, crypto, gig economy, biotech, drones, autonomous vehicles, or any other modern domain — regulators are now within 3-5 years of new technologies and willing to retroactively penalize companies that broke unwritten rules. SBF, Elizabeth Holmes, the WeWork IPO collapse, and dozens of crypto bankruptcies are all examples of the move-fast-and-break-things era ending.

Try it

Run the numbers.

Pressure-test the concept against your own knowledge — answer the challenge or try the live scenario.

🧪

Knowledge Check

You're CEO of a $100M ARR AI startup. You're seeing early signals of EU AI Act enforcement and proposed U.S. AI legislation. Your VP Engineering says 'let's just keep building and worry about it when laws actually pass.' Your first move?

Industry benchmarks

Is your number good?

Calibrate against real-world tiers. Use these ranges as targets — not absolutes.

Compliance + Regulatory Spend as % of Revenue

Total compliance, legal, government affairs, and regulatory infrastructure spend

Heavily Regulated (Banks, Pharma, Health Insurance)

5-15%

Moderately Regulated (Fintech, Healthcare, Energy)

2-5%

Lightly Regulated (Most Software, Consumer)

0.5-2%

Unregulated (Pre-Regulatory Frontier — Risky)

< 0.5%

Source: Hypothetical: synthesized from Deloitte and Thomson Reuters compliance cost surveys

Real-world cases

Companies that lived this.

Verified narratives with the numbers that prove (or break) the concept.

🚗

Uber

2010-2018

mixed

Uber's regulatory strategy was the defining example of 'launch first, ask permission never' for the 2010s. The playbook: enter cities without taxi commission approval, build rider and driver demand fast (often subsidized at huge cost), make any city ban politically toxic by mobilizing users and drivers as constituents, then negotiate from installed-base strength. The cost was enormous: hundreds of millions in legal fees, criminal investigations of executives, fines in dozens of cities, and the eventual ouster of CEO Travis Kalanick partly due to regulatory misconduct (Greyball scandal — using software to evade regulators). But strategically, Uber won: by 2018, ride-sharing was legal in most major global cities, often via state-level legislation Uber itself had drafted. Without the aggressive regulatory strategy, Uber would have been a small player in a few permissive cities. Modern companies cannot easily replicate this — regulators learned from Uber and now move faster against new entrants.

Cities Entered Pre-Permission

100+

Estimated 2014-2018 Legal/Reg Spend

$500M+

Cities Where Ride-Sharing Legalized 2014-2018

Most major global cities

Travis Kalanick Departure

2017 (regulatory + culture)

Aggressive regulatory strategy can create entire markets, but it requires (1) deep capital to absorb losses during the regulatory war, (2) a product users will rally to defend, and (3) a regulatory environment that is still catching up to the technology. By 2024, none of those conditions reliably hold for most new categories — the move-fast playbook has a much shorter runway than it did a decade ago.

Source ↗

🏠

Airbnb

2008-Present

success

Airbnb pursued a more nuanced regulatory strategy than Uber: launch broadly, then methodically negotiate city-by-city for legitimacy through compromise (occupancy taxes, registration requirements, night-cap limits). Airbnb deliberately positioned itself as a 'good actor' in cities — paying tens of millions in tourism taxes, providing data to municipal regulators, and supporting reasonable rules. This bought regulatory legitimacy that Uber didn't have. The downside: heavily restricted operations in places like NYC (where rules now make most short-term rentals illegal), Berlin, and Barcelona. The upside: most other major cities accepted Airbnb's framework. Airbnb's regulatory strategy probably preserved 5-10x more long-term enterprise value than the cost of compliance. The IPO (2020, $47B initial valuation) priced in low regulatory risk premium specifically because of this track record.

Cities With Tax Agreements

1,000+

Annual Hotel/Tourism Tax Collected

$2B+ (cumulative)

Major Cities With Strict Restrictions

NYC, Berlin, Barcelona, Amsterdam

IPO Valuation (2020)

$47B initial, ~$100B peak

Cooperative regulatory strategy (compromise, transparency, voluntary self-regulation) often wins more long-term value than confrontational strategy. Airbnb gave up some short-term growth in restrictive cities but earned regulatory trust globally. The 'good actor' positioning is itself a moat — cities prefer regulating companies that help them, not companies that defy them.

Source ↗

Decision scenario

The First Government Affairs Hire Decision

You're CEO of a $75M ARR AI infrastructure company. The EU AI Act is in enforcement; U.S. federal AI legislation is being drafted; California is moving on AI safety bills. Your CFO says 'we don't have budget for a senior policy hire — that's a $400K+ all-in cost.' Your General Counsel says 'we should hire one urgently.'

Annual Revenue

$75M ARR

Current Compliance Headcount

0 dedicated

Active Regulatory Threats

EU, US Federal, California

Estimated Risk if Major Action

$30-100M

Decision 1

$400K is real money for a $75M company (~0.5% of revenue). But the regulatory exposure is in the tens of millions and growing. The decision is between investing now (predictable cost) or waiting for a crisis (much larger unpredictable cost).

Defer the hire — focus capital on growth. Have General Counsel handle regulatory matters as needed.Reveal

Six months later, the EU AI Office sends a Request for Information about your data practices. Your General Counsel (an excellent commercial lawyer with no AI policy expertise) scrambles, hires outside policy counsel at $1,500/hour, and assembles a response over 90 stressful days. Total cost: $1.2M in outside fees plus enormous CEO/exec time. Worse, you have no ongoing relationships at the EU AI Office, and your response is read as adversarial. Six months later, you face a full investigation. The deferred hire decision will cost an estimated $5-15M in incremental legal/remediation costs over 24 months — ~25-50x the original hire cost.

Initial Savings: +$400K (year 1)Outside Counsel Cost (24 mo): −$5-15MCEO/Exec Time on Reg Crisis: 200+ hoursRegulatory Posture: Reactive, adversarial

Make the hire now: bring in a Chief Trust Officer or VP Policy with EU AI Act expertise. Build proactive relationships with EU and U.S. regulators starting Q1.Reveal

The hire ($400K all-in) starts in 60 days, immediately begins building regulatory relationships, joins industry trade associations, and codifies internal AI governance practices. When the EU AI Office RFI arrives 6 months later, your CTO (Chief Trust Officer) handles it in-house with prepared documentation, proactive prior outreach, and a relationship that frames the response as cooperative. Cost to respond: $200K (in-house, plus minimal outside counsel). The investigation never escalates. Net 24-month savings vs. reactive path: $5M+. You also avoid the strategic damage of being seen as a bad actor.

Initial Investment: −$400K/yearReg Crisis Response Cost: $5M+ avoidedRegulator Relationships: Built proactivelyIndustry Posture: Constructive actor

Related concepts