
When Work Becomes a Capability
Most operational capabilities are built on purpose; a few are never decided at all. Why answering authority requests can stay undesigned for decades — and why that is starting to change.
Perspectives on secure data request handling, compliance, and the regulatory landscape.

Most operational capabilities are built on purpose; a few are never decided at all. Why answering authority requests can stay undesigned for decades — and why that is starting to change.

The FATF's 2026 report on public–private partnerships quietly assumes organizations already have the operational capability it asks them to use. A reflection on the layer between policy and governance.

You can't see an orphaned capability directly — only the traces it leaves. A field guide of six recognitions for spotting work that everyone does and no one owns.

The police can ask a company for data, but a request isn't an order. When you have to comply, when you may share voluntarily, and how to stay within the GDPR.

What are asset freezing and confiscation, and what can government authorities do? Under new EU rules, property can be confiscated even without a conviction. A guide for companies.

When police, prosecutors or the FIU request customer data, an EU financial firm must comply without breaching the GDPR. What the law requires, and how to handle it.

From 10 July 2027, crypto-asset service providers (CASPs) become obliged entities under the AMLR. What Article 75 allows CASPs to share, who can take part, and what is still unsettled.

A fraudulent payment is often recoverable for a short time after it leaves the account, while the money is still in the regulated system. The key is acting fast.

The EU e-Evidence Regulation lets authorities in one EU country demand user data directly from providers in another. What it requires, who is in scope, and the 18 August 2026 deadline