**DRAFT — pending editorial expansion.** This article is a working draft published as scaffolding for the NINtec content programme. The current version covers the substantive perspective in compressed form; the published version will expand each section to the 2,000+ word depth the topic warrants. Editorial review is required before promotion.
Claude in regulated industries is not a different model; it is a different deployment posture. HIPAA, GDPR, PCI DSS, MiFID II, GxP, NIS2 and DORA each impose specific obligations that propagate through architecture, contract terms and operational discipline. Most teams discover the full set of obligations that apply only at audit time; this piece maps the most common frameworks NINtec deploys against.
HIPAA: BAA, audit logs, minimum-necessary
HIPAA Business Associate Agreements (BAAs) are the contractual foundation for healthcare workloads. Anthropic offers BAA terms to enterprise customers. The BAA reaches your Claude deployment through NINtec's enterprise contract, which carries the BAA-aligned data-handling provisions, audit-log retention and breach-notification timelines; the architecture operationalises each of them. Check that every endpoint and feature on the PHI data path is within the BAA's scope: anything outside it must never receive PHI.
HIPAA-grade audit logs record every PHI-touching action with the caller's authenticated identity, the action, the resource touched, a timestamp and the outcome. The six-year documentation-retention period in 45 CFR 164.316(b)(2) is the usual floor; some state laws require longer. Logs are exported to your SIEM and made tamper-evident (append-only storage, a hash chain over records, or both) so that deletion or editing after the fact is detectable. Minimum-necessary PHI handling is a prompt-design discipline: each prompt carries only the PHI fields the task needs, selected per task rather than passing the whole record.
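As an added example of the tamper-evident audit log described above (illustrative code, not NINtec's or Anthropic's implementation): each PHI-touching action is appended as a record carrying caller identity, action, resource, timestamp and outcome, chained to the previous record by its MAC, and a verifier detects any edit, deletion or reordering. It assumes an HMAC key held by the log writer (a constructed constant here; in a deployment it lives in a KMS or HSM) and an in-memory record list standing in for the SIEM export. The field names and the `tok`-style identifiers in the test data are constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional

# Constructed for this example. In a deployment the MAC key lives in a KMS/HSM
# and is held by the log writer, not by the application code that handles PHI,
# so that a compromised application cannot forge or re-chain records.
LOG_MAC_KEY = b"example-only-audit-mac-key"

CHAINED_FIELDS = ("seq", "ts", "actor", "action", "resource", "outcome", "prev_mac")
GENESIS = "0" * 64  # prev_mac of the first record


@dataclass(frozen=True)
class AuditRecord:
    seq: int        # monotonic; a gap or repeat reveals a deleted or reordered record
    ts: str         # RFC 3339 UTC timestamp
    actor: str      # authenticated caller identity (user or service principal)
    action: str     # what was done, e.g. "summarise_note"
    resource: str   # identifier of the PHI object touched, never the PHI itself
    outcome: str    # "success", "denied" or "error"
    prev_mac: str   # MAC of the previous record: the chain link
    mac: str        # HMAC-SHA256 over the seven fields above


def _mac(fields: dict) -> str:
    # Canonical JSON so writer and verifier serialise identically.
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_MAC_KEY, body, hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self._records: List[AuditRecord] = []

    def append(self, actor: str, action: str, resource: str, outcome: str,
               ts: Optional[str] = None) -> AuditRecord:
        prev = self._records[-1].mac if self._records else GENESIS
        fields = {
            "seq": len(self._records),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "resource": resource,
            "outcome": outcome, "prev_mac": prev,
        }
        rec = AuditRecord(**fields, mac=_mac(fields))
        self._records.append(rec)
        return rec

    def export(self) -> List[dict]:
        """What gets shipped to the SIEM: plain dicts, one per record."""
        return [asdict(r) for r in self._records]


def verify(records: List[dict], expected_tail: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad record.

    Modification of any field, deletion or reordering inside the chain is caught
    by the seq / prev_mac / MAC checks. Truncation of the tail is only caught
    when the verifier knows the last MAC from an out-of-band anchor (the SIEM's
    last-received record, say); pass that MAC as expected_tail.
    """
    prev = GENESIS
    for i, r in enumerate(records):
        if r.get("seq") != i or r.get("prev_mac") != prev:
            return i
        fields = {k: r.get(k) for k in CHAINED_FIELDS}
        if not hmac.compare_digest(_mac(fields), str(r.get("mac", ""))):
            return i
        prev = r["mac"]
    if expected_tail is not None and prev != expected_tail:
        return len(records)  # records were dropped from the end
    return None
```

The `resource` field is deliberately an identifier, not PHI: the log itself must not become a second PHI store. The writer and the verifier need to agree on the canonical serialisation, which is why both go through `_mac`; and because the chain only anchors records to each other, the SIEM (or any other independent party) must hold the latest MAC so that tail truncation is also detectable.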
GDPR: lawful basis, purpose limitation, cross-border
GDPR Article 6 lawful-basis analysis is per deployment, not per vendor. The architecture phase identifies which basis applies: contract performance for routine processing, legitimate interest (with the balancing test documented) for narrowly scoped use cases and, for special-category data, an Article 9 condition such as explicit consent on top of the Article 6 basis. Purpose-limitation discipline (Article 5(1)(b)) prevents Claude from being repurposed beyond the use the data was collected for.
Cross-border-transfer mechanics matter when EU personal data flows through Claude. Anthropic's enterprise terms include the Standard Contractual Clauses required for transfers to jurisdictions without an adequacy decision. AWS Bedrock and GCP Vertex AI offer EU-region Claude deployments where data residency is required; we route accordingly, pin inference to EU regions and verify that no cross-region routing can send requests outside the EU.
PCI DSS: tokenisation, scope reduction, audit
Production Claude deployments rarely put cardholder data in front of Claude, and that is the right architecture. Tokenisation keeps cardholder data out of Claude prompts: a vault inside the cardholder data environment (CDE) swaps each PAN for a random token that cannot be reversed without the vault, and Claude operates on tokens and metadata, never card numbers. The Claude deployment therefore sits outside the CDE, which is what reduces its PCI DSS scope; the tokenisation service and the vault remain in scope.
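As an added example of the tokenisation pattern in the paragraph above (illustrative code, not NINtec's or any payment processor's implementation): a prompt-assembly step finds candidate card numbers in free text, confirms them with the Luhn check so that order and ticket numbers are left alone, and replaces each real PAN with a vault-issued token before anything reaches Claude. It assumes a vault service inside the CDE, modelled here as an in-memory dict, a hypothetical token format `tok_<hex>_<last4>`, and a constructed support-ticket sentence as input.

```python
import re
import secrets
from typing import Dict, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Hypothetical token shape used by this example: tok_<16 hex chars>_<last four>.
_TOKEN_RE = re.compile(r"tok_[0-9a-f]{16}_\d{4}")


def luhn_ok(digits: str) -> bool:
    """Luhn check: filters order and ticket numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """The only component that ever holds a PAN. It sits inside the CDE; the
    prompt-assembly service calls it, Claude and the prompt store never do."""

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._by_pan:          # same PAN, same token: records stay joinable
            return self._by_pan[pan]
        # Random token, not a hash or truncation of the PAN, so a leaked prompt
        # or completion contains nothing from which the PAN can be recovered.
        # Only the last four digits survive, which may be displayed under PCI DSS.
        token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def redact_pans(text: str, vault: TokenVault) -> Tuple[str, int]:
    """Replace every Luhn-valid PAN in free text with a vault token.
    Returns the rewritten text and the number of PANs replaced."""
    count = 0

    def _sub(m) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)            # digit run that is not a card number
        count += 1
        return vault.tokenize(digits)

    return _PAN_RE.sub(_sub, text), count


def restore_tokens(text: str, vault: TokenVault) -> str:
    """Swap tokens back for PANs. Runs only inside the CDE, on the rare output
    that genuinely needs the card number (a chargeback file, say)."""
    return _TOKEN_RE.sub(lambda m: vault.detokenize(m.group(0)), text)


if __name__ == "__main__":
    # Constructed sample: one real (test) Visa number and one order number that
    # happens to be 16 digits long.
    vault = TokenVault()
    redacted, n = redact_pans(
        "Card 4111 1111 1111 1111 charged twice; order 1234567890123456.", vault)
    print(n, redacted)
```

Two design points matter here. The token is random rather than a hash of the PAN, because a hash of a 16-digit number with a predictable prefix is brute-forceable and would itself count as cardholder data. And `restore_tokens` is kept as a separate function so that it can live in a different service from the one that assembles prompts: the Claude-facing path should have no code that can reach `detokenize`.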
Where Claude touches PCI-DSS-relevant workflows (dispute and fraud-narrative drafting, customer-support copilots), the deployment keeps audit logs at PCI DSS retention, runs on infrastructure covered by the cloud provider's PCI DSS Attestation of Compliance, and documents the integration for inclusion in the client's own Report on Compliance; the provider's attestation does not cover the integration by itself.
MiFID II: best execution, surveillance, audit
MiFID II Article 17 algorithmic-trading provisions do not generally apply to Claude: no production deployment we have shipped uses it as autonomous trading software. Where Claude generates post-trade narratives, drafts research notes or supports investment professionals, the deployment integrates the surveillance and best-execution audit trail your compliance team requires.
DORA: ICT risk, third-party concentration, TLPT
The Digital Operational Resilience Act creates ICT-risk and third-party-concentration obligations for EU financial entities. NINtec's enterprise contract template includes the DORA-required provisions on subcontracting consent, audit rights, exit strategy and data location (Article 30). Threat-Led Penetration Testing (TLPT, Article 26) on Claude deployments is supported where the financial entity's threat-intelligence framework requires it.
GxP: validated systems, 21 CFR Part 11, electronic records
Pharmaceutical Claude deployments fall under GxP validation discipline (GCP, GMP, GLP, GVP) and 21 CFR Part 11 electronic-records requirements. Validation cycles are executed jointly with the client's quality and regulatory teams. Audit trails, electronic-signature controls and computer-system-validation discipline are integrated from the architecture phase, not retrofitted.
How NINtec operates regulated engagements
Regulated-industry engagements run on the standard six-phase delivery method with explicit compliance-control mapping in the architecture phase. Industry Specialist-certified engineers staff regulated engagements. Procurement-ready commercial templates accelerate negotiation. Most regulated implementations run 14–22 weeks from engagement to first production region.