Compliance and safety are not the same thing.
A service can meet every regulatory requirement and still cause harm. Compliance sets a floor. Safety asks whether the people using this service (especially those at risk) will be protected when things go wrong.
The question isn't "does this pass the audit?" It's "who could be hurt by this, and how?"

