Regulatory Agencies Inventory and Attributes on International Foundation for Information Technology (IF4IT)

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

About This Inventory

The Regulatory Agencies Inventory governs every body — governmental, quasi-governmental, supranational, self-regulatory, or standards-setting — whose requirements create formal compliance obligations for the enterprise. Each Noun Instance is a single, uniquely identified Regulatory Agency with its own Semantic ID, its own type classification, its own geographic scope, its own compliance priority, and its own Enterprise Compliance Owner. The inventory applies across all jurisdictions where the enterprise operates, at every level of the geographic hierarchy from global standards bodies through national regulators through state and local authorities.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

The following terms are used throughout this document with specific meanings.

Term	Definition
Regulatory Agency	Any body — governmental, quasi-governmental, supranational, self-regulatory, or standards-setting — whose requirements create formal compliance obligations for the enterprise. The governing classification test is consequence, not legal form: if non-compliance creates legal, financial, operational, or market-access consequences for the enterprise, the body qualifies as a Regulatory Agency for purposes of this inventory.
Government Agency	A statutory government body with direct legislative authority to regulate specific industries or activities — federal, national, state, provincial, regional, or local. Examples: U.S. Securities and Exchange Commission (SEC), UK Financial Conduct Authority (FCA), German Federal Financial Supervisory Authority (BaFin).
Quasi-Governmental / SRO	A non-government body granted regulatory authority by statute or government delegation. Also known as a Self-Regulatory Organization (SRO). Examples: Financial Industry Regulatory Authority (FINRA), Public Company Accounting Oversight Board (PCAOB).
Supranational Body	A body that operates above the nation-state level with authority over member countries through treaty, political union, or international agreement. Examples: European Union (as the source of GDPR, DORA, and the AI Act), Basel Committee on Banking Supervision, International Organization of Securities Commissions (IOSCO).
Standards Body	An organization that publishes standards adopted as de facto or mandatory requirements through government incorporation, market mandate, or contractual obligation. Examples: International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Internet Engineering Task Force (IETF).
Industry Self-Regulatory Body	A body whose requirements govern market access without statutory backing, where non-compliance results in market exclusion rather than legal sanction. Examples: PCI Security Standards Council (PCI SSC), SWIFT, International Air Transport Association (IATA).
Compliance Governance Hierarchy	The three-level structure connecting regulatory authority to enterprise compliance obligations: Regulatory Agency (who regulates) → Regulation (what they require) → Regulatory Obligation (what the enterprise must specifically do). The Regulatory Agencies Inventory is the root of this hierarchy.
Jurisdiction Level	The geographic scope of a regulatory agency’s authority: Global, Supranational, National / Federal, State / Provincial, Regional, or Local / Municipal.
Regulatory Domain	The subject matter area a regulatory agency governs — the category of enterprise activity subject to its requirements. Examples: Data Privacy, Cybersecurity and Operational Resilience, Financial Services, Healthcare.
Enforcement Intensity	An assessment of how aggressively a regulatory agency is currently enforcing its requirements, reflecting actual enforcement actions and penalty frequency in the recent period.
Conflicting Jurisdictions	Two or more regulatory agencies whose requirements overlap or directly conflict, creating compliance tension the enterprise must actively manage. Example: GDPR’s right to erasure conflicts with financial regulators’ record-keeping requirements.
DORA	The EU Digital Operational Resilience Act, effective January 2025, requiring financial institutions to document, assess, and continuously monitor third-party vendor dependencies and technology resilience, with direct regulatory oversight of critical third-party providers.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

The Regulatory Agencies Inventory governs every body whose requirements create formal compliance obligations for the enterprise — regardless of whether that body is a government agency, a quasi-governmental self-regulatory organization, a supranational institution, a standards-setting body, or an industry self-regulatory organization. A Regulatory Agency qualifies for a record when its requirements create consequences for the enterprise if unmet: legal penalties, financial sanctions, license revocation, market access denial, or reputational harm from public enforcement action. Every entry is a Noun Instance of the Regulatory Agency Noun Type, with its own Semantic ID, its own type classification, its own geographic scope, and its own governed attribute set.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

Enterprise Architecture depends on this inventory as the regulatory constraint layer of the Enterprise Model. Without it, EA cannot systematically answer which regulatory bodies constrain technology choices, data architecture decisions, or market entry strategies. A technology investment in a new jurisdiction requires knowing which regulatory agencies have authority there before the investment is made, not after the architecture is deployed. This inventory provides the governed answer.

Application Portfolio Management (APM) depends on this inventory to understand the regulatory compliance dimensions of portfolio rationalization decisions. Which applications handle data types subject to which regulatory agencies? Which rationalization candidates are the only systems providing regulatory reporting capabilities? Which new application investments require compliance capabilities mandated by a specific regulatory body before market entry is permitted? These questions cannot be answered without connecting applications to the regulatory agencies that govern them — a connection the Enterprise Model makes possible through this inventory and the Regulations Inventory downstream.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

The Regulatory Agencies Inventory is the root of the IF4IT compliance governance hierarchy. It connects directly to two inventories that derive from it: the Regulations Inventory (not yet published — refer to the IF4IT Enterprise Inventory Management Best Practices document), which governs the specific laws, regulations, and standards published by each agency; and the Regulatory Obligations Inventory (not yet published), which governs the specific compliance controls, reporting requirements, and evidence obligations the enterprise must fulfill. Every Regulation references the Regulatory Agency that published it; every Regulatory Obligation references the Regulation from which it derives. The governance chain flows from root to leaf: Agency → Regulation → Obligation.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

The Regulatory Agencies Inventory is one of 39 recognized Noun Types in the IF4IT Enterprise Inventory Management taxonomy. The full taxonomy, its governance principles, and the Inventory of Inventories are documented in the IF4IT Enterprise Inventory Management Best Practices document.

The six most closely related Noun Types to Regulatory Agency, with their named relationships: (1) Regulation — a Regulation is published or enforced by a Regulatory Agency; the Regulatory Agencies Inventory is the parent of the Regulations Inventory. The Regulations Inventory is not yet published — refer to the IF4IT Enterprise Inventory Management Best Practices document. (2) Regulatory Obligation — a Regulatory Obligation is derived from a Regulation issued by a Regulatory Agency; the Regulatory Agencies Inventory is the grandparent of the Regulatory Obligations Inventory. Not yet published — refer to the IF4IT Enterprise Inventory Management Best Practices document. (3) Data and Information Type — specific data types are subject to a Regulatory Agency’s jurisdiction; the Data and Information Inventory and Attributes is published. (4) Integration — Integrations carrying regulated data types are subject to the Regulatory Agency governing those types; the Integrations Inventory and Attributes is published. (5) Vendor — Vendors may be regulated entities or supply services subject to regulatory oversight; the Vendors Inventory and Attributes is published. (6) Legal Entity — a Legal Entity within the enterprise is the registered, regulated party formally subject to a Regulatory Agency’s jurisdiction; the Legal Entities Inventory is not yet published — refer to the IF4IT Enterprise Inventory Management Best Practices document.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

Section A — Sourcing and Harvesting

Before building the Regulatory Agencies Inventory from scratch, assess whether regulatory agency records already exist in any form in the enterprise. Common sources include: legal and compliance department regulatory registers and universe-of-applicability assessments (typically maintained for board risk reporting); GRC platform configurations (existing GRC tools often contain a partial list of regulatory agencies configured for monitoring); external legal counsel engagement letters and regulatory intelligence subscriptions (reveal which agencies the enterprise is already tracking); and existing compliance program documentation (policies, procedures, and audit reports typically reference the regulatory agencies whose requirements they address).

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

What Is a Regulatory Agency in This Inventory

The Regulatory Agencies Inventory uses a deliberately broad definition of “regulatory agency” that extends well beyond the traditional conception of government regulators. The inventory governs every body — governmental, quasi-governmental, supranational, self-regulatory, or standards-setting — whose requirements create formal compliance obligations for the enterprise. This breadth is not a design decision made for theoretical completeness. It reflects the practical reality of the modern enterprise compliance landscape, where the most consequential compliance obligations may come from non-government bodies with no statutory authority.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

Descriptive attributes capture the core identity of each Regulatory Agency Noun Instance — its official name, common abbreviation, and what it governs and why the enterprise is subject to its jurisdiction.

Attribute Name

Maturity

Description and Notes

Semantic ID

Crawl

Description — A unique, permanent, human-readable identifier assigned to every Regulatory Agency following the enterprise naming convention. Encodes the jurisdiction code and short agency name in its structure.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

Classification attributes position each Regulatory Agency within the enterprise’s regulatory landscape taxonomy — its type, geographic scope, regulatory domain, and enforcement model. Together these five geographic attributes (Geographic Region, Country, Locale, Jurisdiction Level, and Jurisdiction) form a complete geographic identification system for the global regulatory landscape.

Attribute Name

Maturity

Description and Notes

Agency Type

Crawl

Description — The governance character of this regulatory body — classified by the nature of its authority and the source of its regulatory power. The governing test is consequence, not legal form: classify based on whether non-compliance creates legal, financial, operational, or market-access consequences for the enterprise, not based on whether the body is technically a government entity.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

Ownership and Stakeholder attributes establish the internal accountability structure for each regulatory relationship — who monitors requirements, who interprets them, and who communicates with the agency.

Attribute Name

Maturity

Description and Notes

Enterprise Compliance Owner

Crawl

Description — The named individual or function within the enterprise accountable for monitoring this agency’s requirements and ensuring the enterprise’s compliance posture with respect to this agency is maintained.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

Lifecycle and Status attributes track the current operational status of each Regulatory Agency and the key dates associated with the enterprise’s regulatory relationship with it.

Attribute Name

Maturity

Description and Notes

Agency Status

Crawl

Description — The current operational status of this regulatory body.

Benefit(s) — Enables the inventory to distinguish active regulatory agencies from those that have been restructured, dissolved, or are in the process of being established. A dissolved agency’s historical requirements may still need to be managed for legacy compliance purposes.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

Governance attributes document the review cadence and monitoring approach governing each regulatory relationship — ensuring the enterprise maintains awareness of regulatory changes proportional to the agency’s compliance priority.

Attribute Name

Maturity

Description and Notes

Review Cadence

Walk

Description — How often this agency record is formally reviewed — confirming active status, updated contact information, current enforcement posture, and pending requirement changes.

Benefit(s) — Ensures governance attention is proportional to agency importance and rate of regulatory change. Data protection authorities in active enforcement phases warrant quarterly review; inactive standards bodies may warrant annual review.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

Strategic attributes capture the enterprise’s assessed compliance priority and strategic importance for each regulatory relationship — driving governance investment proportional to consequence.

Attribute Name

Maturity

Description and Notes

Compliance Priority

Crawl

Description — The enterprise’s assessed priority for compliance with this agency’s requirements — reflecting the consequence severity of non-compliance.

Benefit(s) — Drives governance investment proportional to compliance consequence. Critical agencies warrant immediate response to new requirements, dedicated legal counsel, and executive-level accountability. Low priority agencies can be managed through periodic self-assessment.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

Assessment and Health attributes capture the evaluated risk profile and current compliance posture of the enterprise’s relationship with each regulatory agency.

Attribute Name

Maturity

Description and Notes

Assessed Risk

Crawl

Description — The overall risk rating for the enterprise’s regulatory exposure to this agency — the combined assessment of likelihood and impact of a compliance failure, enforcement action, or penalty from this agency.

Benefit(s) — Surfaces high-risk regulatory relationships for priority governance attention. Drives the depth of compliance program investment, monitoring intensity, and legal counsel engagement for each agency.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

Technical attributes capture technology-specific characteristics of this regulatory agency’s requirements relevant to the enterprise’s technology portfolio.

The IF4IT has not yet identified standard attributes in this category for the Regulatory Agencies Inventory. This does not mean no such attributes exist — organizations building this inventory are encouraged to identify and define attributes in this category that are relevant to their specific context and governance needs.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

Operational attributes capture the practical contact, registration, and submission information required to operate within each regulatory agency’s governance framework.

Attribute Name

Maturity

Description and Notes

Agency Website

Walk

Description — The official website of the regulatory agency — the authoritative source for regulations, guidance, enforcement actions, consultation documents, and contact information.

Benefit(s) — Provides the immediate navigation point for regulatory research. The official website is the primary source for new regulations, guidance updates, and enforcement action announcements.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

Security attributes capture security-specific requirements or certifications associated with this regulatory agency’s oversight.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

Data and Information attributes capture the specific data handling requirements associated with this regulatory agency’s jurisdiction.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

Geographic and Jurisdictional attributes capture the sub-national scope and regulatory conflicts associated with this agency’s jurisdiction.

Attribute Name

Maturity

Description and Notes

Primary Language

Walk

Description — The primary language in which this agency publishes its regulations, guidance, enforcement actions, and official communications.

Benefit(s) — Relevant for enterprises that must comply with requirements published in languages other than their primary operating language. A regulation published only in German, French, or Mandarin requires translation before the enterprise’s compliance team can act on it — creating lead time requirements and potential misinterpretation risk.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

Temporal and Effective Date attributes capture validity windows and regulatory change timelines for this agency’s requirements.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

Contractual and Legal attributes capture the penalty exposure and enforcement history associated with this regulatory agency.

Attribute Name

Maturity

Description and Notes

Maximum Penalty

Walk

Description — The maximum financial penalty this agency can impose for a single violation or compliance failure — expressed in the agency’s reporting currency and the regulatory basis for the maximum.

Benefit(s) — Provides immediate financial exposure context for risk assessment and board reporting. The maximum penalty is the upper bound of the enterprise’s financial exposure from this regulatory relationship and a key input to the Assessed Risk rating.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

Vendor and Supplier attributes capture third-party relationships governed by or relevant to this regulatory agency’s requirements.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

IT Environment attributes capture the operating environments subject to or relevant to this regulatory agency’s requirements.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

Skills and Competencies attributes capture the expertise required within the enterprise to effectively manage compliance with this regulatory agency.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

Provenance and Audit attributes capture metadata about the Regulatory Agency record itself — how it was created, when it was last updated, and the reliability of its content.

Attribute Name

Maturity

Description and Notes

Record Created Date

Walk

Description — The date on which this Regulatory Agency record was first created in the inventory.

Benefit(s) — Supports audit and compliance reporting.

Source — Manual.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

Risk attributes capture the broader risk factors beyond the Assessed Risk rating for this regulatory agency relationship.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

Compliance and Regulatory attributes capture the specific compliance obligations and status for this regulatory agency beyond what is captured in the Assessment and Health category.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

Financial attributes capture the cost and budget implications of compliance with this regulatory agency’s requirements.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

Relationship attributes connect each Regulatory Agency to related Noun Instances in other inventories — the regulations, obligations, data types, integrations, vendors, and child agencies it governs or supervises.

Every attribute in this category is Derived from or Calculated from records in other inventories, with the exception of Parent Agency which is manually populated at Walk maturity. Do not create data entry fields for Derived or Calculated attributes.

Attribute Name

Maturity

Description and Notes

Related Regulations

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

The Regulations Inventory (not yet published — refer to the IF4IT Enterprise Inventory Management Best Practices document) will govern the specific laws, regulations, directives, and standards published or enforced by each regulatory agency. Every Regulation record will reference the Regulatory Agency that issued it through an Issuing Agency attribute carrying the agency’s Semantic ID. The Regulatory Agencies Inventory will reflect this relationship in the Related Regulations attribute, derived from all Regulation records referencing this agency.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

The Regulatory Obligations Inventory (not yet published — refer to the IF4IT Enterprise Inventory Management Best Practices document) will govern the specific compliance controls, reporting requirements, evidence obligations, and deadlines that the enterprise must fulfill in response to each regulation. Every Regulatory Obligation record will trace back to the Regulation that creates it and, through that regulation, to the Regulatory Agency that issued it.

When published, this relationship completes the second link in the compliance governance hierarchy: Agency → Regulation → Obligation. For every regulatory agency, the enterprise can traverse directly to the specific things it must do to comply. This traversal is what transforms the compliance governance hierarchy from a documentation exercise into an operational compliance management system: from “the GDPR supervisory authority requires X” to “here are the 47 specific obligations Article 13, 14, 17, and 32 of GDPR create for this enterprise, with their deadlines, evidence requirements, and control owners.”

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

Data protection authorities govern personal data. Financial regulators govern financial records. Healthcare regulators govern patient data. Export control authorities govern technical data. Every regulatory domain in this inventory corresponds to data types in the Data and Information Inventory that are subject to that domain’s requirements. The Data and Information Inventory and Attributes is published and available.

The Related Data and Information Types attribute in this inventory is derived from the Data and Information Inventory: all data types whose Regulatory Obligations attribute references obligations from this agency. When this relationship is established, the enterprise can answer: which data types are in scope for a regulatory audit from this agency? Which systems handling those data types must comply with this agency’s requirements? This is the data governance layer of the compliance governance hierarchy — connecting regulatory authority to the specific data the authority governs.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

Integrations carry data across system boundaries — and many of those data types are subject to regulatory requirements. A GDPR supervisory authority governs integrations that carry EU personal data. A financial regulator governs integrations that transmit financial records. A healthcare regulator governs integrations that move patient data. The Related Integrations attribute in this inventory connects regulatory agencies to the integrations that carry the data types they govern. The Integrations Inventory and Attributes is published and available.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

Some regulatory agencies have direct oversight authority over vendor relationships — not just over the enterprise’s own operations. DORA requires financial institutions to maintain a register of critical ICT third-party providers and conduct structured risk assessments of those providers. The UK FCA Critical Third Parties regime allows direct regulatory supervision of systemically important technology providers. GDPR requires documented processor agreements and Data Protection Impact Assessments for vendors processing personal data. The Related Vendors attribute connects regulatory agencies to the vendor relationships they govern. The Vendors Inventory and Attributes is published and available.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

Each regulatory agency has jurisdiction over specific legal entities — the specific registered legal persons that are subject to its requirements. The Legal Entities Inventory (not yet published — refer to the IF4IT Enterprise Inventory Management Best Practices document) will govern all legal entities that make up the enterprise, including subsidiaries, joint ventures, and regulated entities. When published, it will reference the Regulatory Agency Semantic IDs for the agencies that have formal jurisdiction over each legal entity.

Regulatory Agencies Inventory and Attributes

Mon, 01 Jan 0001 00:00:00 +0000

The Regulatory Agencies Inventory and Attributes document is one of many Noun Type inventories in the IF4IT Enterprise Inventory Management taxonomy. Each inventory in the taxonomy governs a distinct class of enterprise asset, relationship, or organizational construct — and each contributes its records and relationships to the Enterprise Model that connects them all. The full catalog of recognized Noun Types, the principles that govern inventory design and federation, the Inventory of Inventories, and guidance for building, connecting, and maturing a complete enterprise inventory program are documented in the IF4IT Enterprise Inventory Management Best Practices document. Practitioners who find value in the Regulatory Agencies Inventory are encouraged to explore the broader taxonomy — each additional inventory that is built and governed strengthens the Enterprise Model and expands the range of questions that AI-assisted enterprise analysis can answer. The IF4IT welcomes contributions from practitioners who develop attribute categories, attribute definitions, or governance approaches not covered in this document — your real-world experience is how this framework matures.