Regulations are the sin that takes down founders who have never shipped a regulated product before. Cohen files it under cluelessness because the team often does not know what it does not know — FCC, CE, UL, FDA, CPSC, RoHS, REACH, ITAR, DOT — and discovers in month 11 of a 12-month project that it needs a 12-week certification window and a $40k testing budget. The cure is to identify regulatory requirements in month 1, not month 11.
Why regulations bite, and how to plan around them.
Use these three in order. Each builds on the one before.
Explain in one paragraph why regulations are the vice of cluelessness rather than the vice of laziness.
Walk me through what FCC Part 15 certification involves for a Bluetooth product — what tests, what timeline, what cost.
Given a connected medical device targeting EU + US launch, what's the regulatory critical path, and how would you sequence it relative to product development?
THE PATTERN COHEN OBSERVES:
Month 1: Team building product. Cool idea.
Month 6: Product working in lab.
Month 11: "Wait, do we need FCC certification for the radio?"
Month 12: Found out FCC cert takes 8-12 weeks + $15k + you'd need to lock the BOM. Also need CE for EU. Also UL for safety. Also RoHS. Maybe FDA if marketed as medical device.
Launch slipped 6 months.
Cohen's framing:
This isn't a regulatory problem. It's a vice of cluelessness.
The team is unaware that regulatory work exists as a discipline.
HARDWARE TRACK:
Major US regulatory bodies for consumer hardware:
- FCC: anything with radios (BLE, WiFi, cellular, RF transmitters)
- CPSC: consumer product safety (kids' products especially)
- UL: safety listing (often required by retailers to stock product)
- FDA: medical devices (Class I/II/III determines burden)
- DOT: anything with batteries that ships (Li-ion = HAZMAT class 9)
- ITAR: defense-relevant tech (encryption above certain strength)
Major EU regulatory bodies:
- CE marking: composite of multiple directives
- RoHS: restriction of hazardous substances (no Pb solder)
- REACH: chemical registration
- WEEE: end-of-life electronics disposal
Typical timelines:
- FCC Part 15 (intentional radiator): 8-12 weeks
- CE: 4-8 weeks
- UL listing: 12-16 weeks
- FDA 510(k): 6-9 months
- FDA PMA (Class III): 1-2 years
Typical costs (per product, per cert):
- FCC unintentional radiator: $5-10k
- FCC intentional radiator: $15-30k
- CE: $10-20k
- UL: $20-40k
- FDA 510(k): $50-200k
PLAN ACCORDINGLY OR DIE.
SOFTWARE ANALOGUE:
Software has its own regulatory landscape, ignored equally often:
- GDPR (EU privacy): applies to anyone serving EU users
- CCPA (California privacy): applies to anyone serving CA users
- SOC 2 (security audit): required by enterprise buyers
- HIPAA (health data): required for health-data SaaS
- PCI-DSS (payment data): required to process cards
- COPPA (kids): if any user might be under 13
- DPF (US-EU data transfer): required for US-hosted SaaS w/ EU users
- Accessibility (ADA, EAA): increasingly enforced
Typical timelines:
- SOC 2 Type I: 3-6 months
- SOC 2 Type II: 12 months
- HIPAA setup: 4-8 weeks for BAA + controls
- GDPR DPIA: 4-12 weeks per high-risk feature
Typical costs:
- SOC 2 audit: $20-50k/year
- HIPAA compliance: $30-100k initial
- GDPR cookie / DPIA tooling: $5-20k/year
THE LESSON:
Whether hardware or software, identify regulatory requirements:
- During preliminary planning (Module 4)
- With a regulatory specialist consulted before committing
- With certification timing baked into the schedule
- With budget line items for testing fees
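As an added illustration of "certification timing baked into the schedule" (not part of the original lesson), the following back-plans the hardware certs from a launch date using the upper ends of the typical windows and fees quoted above. The product (a BLE consumer gadget for US + EU), the dates and the two-week buffer are constructed assumptions; it shows why a month-11 BOM lock pushes launch out while a month-1 plan does not.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Cert:
    name: str
    weeks: int            # upper end of the typical window quoted in the lesson
    cost_usd: tuple       # (low, high) typical testing fee quoted in the lesson
    needs_bom_lock: bool  # the lab tests final hardware, so the BOM must be locked first


# Constructed example: certs for a hypothetical BLE gadget sold in the US and EU.
HARDWARE_CERTS = [
    Cert("FCC Part 15 intentional radiator", 12, (15_000, 30_000), True),
    Cert("CE", 8, (10_000, 20_000), True),
    Cert("UL listing", 16, (20_000, 40_000), True),
]


def latest_start(launch: date, cert: Cert, buffer_weeks: int = 2) -> date:
    """Latest date a cert can start and still close buffer_weeks before launch."""
    return launch - timedelta(weeks=cert.weeks + buffer_weeks)


def critical_path(certs: list) -> Cert:
    """The longest certification window is what drives the schedule."""
    return max(certs, key=lambda c: c.weeks)


def plan(launch: date, bom_lock: date, certs: list, buffer_weeks: int = 2) -> dict:
    """Per cert: the latest start date and how many weeks the BOM lock overshoots it."""
    out = {}
    for c in certs:
        start = latest_start(launch, c, buffer_weeks)
        overshoot = (bom_lock - start).days if c.needs_bom_lock and bom_lock > start else 0
        out[c.name] = {"latest_start": start, "slip_weeks": overshoot // 7}
    return out


def earliest_launch(bom_lock: date, certs: list, buffer_weeks: int = 2) -> date:
    """Earliest launch if no cert can begin before the BOM is locked."""
    return bom_lock + timedelta(weeks=critical_path(certs).weeks + buffer_weeks)


def slip_weeks(launch: date, bom_lock: date, certs: list, buffer_weeks: int = 2) -> int:
    """Whole weeks the planned launch slips because of a late BOM lock (0 if none)."""
    return max(0, (earliest_launch(bom_lock, certs, buffer_weeks) - launch).days) // 7


def budget_range(certs: list) -> tuple:
    """Low/high testing budget to reserve as schedule line items."""
    return (sum(c.cost_usd[0] for c in certs), sum(c.cost_usd[1] for c in certs))
```

Run with a planned launch of 2026-01-05: a BOM lock on 2025-08-04 (month 1 planning) slips nothing, while a lock on 2025-11-03 (month 11 discovery) slips launch nine weeks, with UL as the critical path.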
Sin #7 is preventable. It requires asking the question early.