Regulatory Agencies Inventory and Attributes - Glossary of Terms and Phrases
The following terms are used throughout this document with specific meanings.
| Term | Definition |
|---|---|
| Regulatory Agency | Any body — governmental, quasi-governmental, supranational, self-regulatory, or standards-setting — whose requirements create formal compliance obligations for the enterprise. The governing classification test is consequence, not legal form: if non-compliance creates legal, financial, operational, or market-access consequences for the enterprise, the body qualifies as a Regulatory Agency for purposes of this inventory. |
| Government Agency | A statutory government body whose authority to regulate specific industries or activities is conferred directly by legislation (agencies exercise delegated rule-making and enforcement powers; the legislature itself makes the law) at the federal, national, state, provincial, regional, or local level. Examples: U.S. Securities and Exchange Commission (SEC), UK Financial Conduct Authority (FCA), German Federal Financial Supervisory Authority (BaFin). |
| Quasi-Governmental / SRO | A non-government body granted regulatory authority by statute or government delegation. Also known as a Self-Regulatory Organization (SRO). Examples: Financial Industry Regulatory Authority (FINRA), Public Company Accounting Oversight Board (PCAOB). |
| Supranational Body | A body that operates above the nation-state level with authority over member countries through treaty, political union, or international agreement. Examples: European Union (as the source of GDPR, DORA, and the AI Act), Basel Committee on Banking Supervision, International Organization of Securities Commissions (IOSCO). Note that EU regulations apply directly in member states, whereas Basel Committee and IOSCO standards have no direct legal force and bind an enterprise only once transposed into the law or supervisory rules of its home jurisdiction. |
| Standards Body | An organization that publishes standards adopted as de facto or mandatory requirements through government incorporation, market mandate, or contractual obligation. Examples: International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Internet Engineering Task Force (IETF). The same standard can sit at different points on this spectrum for different enterprises: NIST publications are binding on U.S. federal agencies (and, via contract clauses, on many of their suppliers) but voluntary elsewhere. |
| Industry Self-Regulatory Body | A body whose requirements govern market access without statutory backing, where non-compliance results in market exclusion rather than legal sanction. Examples: PCI Security Standards Council (PCI SSC), SWIFT, International Air Transport Association (IATA). |
| Compliance Governance Hierarchy | The three-level structure connecting regulatory authority to enterprise compliance obligations: Regulatory Agency (who regulates) → Regulation (what they require) → Regulatory Obligation (what the enterprise must specifically do). The Regulatory Agencies Inventory is the root of this hierarchy. |
| Jurisdiction Level | The geographic scope of a regulatory agency’s authority: Global, Supranational, National / Federal, State / Provincial, Regional, or Local / Municipal. |
| Regulatory Domain | The subject matter area a regulatory agency governs — the category of enterprise activity subject to its requirements. Examples: Data Privacy, Cybersecurity and Operational Resilience, Financial Services, Healthcare. |
| Enforcement Intensity | An assessment of how aggressively a regulatory agency is currently enforcing its requirements, reflecting actual enforcement actions and penalty frequency in the recent period. |
| Conflicting Jurisdictions | Two or more regulatory agencies whose requirements overlap or directly conflict, creating compliance tension the enterprise must actively manage. Example: GDPR's right to erasure (Article 17) against financial regulators' record-retention requirements. In this case GDPR itself provides the resolution, since Article 17(3)(b) exempts processing required by a legal obligation, but the enterprise must document the retention basis for each record type rather than treat erasure requests and retention rules as independent obligations. |
| DORA | The EU Digital Operational Resilience Act (Regulation (EU) 2022/2554), in force since January 2023 and applicable to in-scope financial entities from 17 January 2025. It requires financial institutions to manage ICT risk, report major ICT incidents, test operational resilience, and document, assess, and continuously monitor their ICT third-party dependencies, and it places critical ICT third-party providers under direct oversight by the European Supervisory Authorities. |
Copyright for the International Foundation for Information Technology (IF4IT): 2008 - Present