Regulatory Agencies Inventory and Attributes
Understand how the Regulatory Agencies Inventory relates to other inventories
The Regulatory Agencies Inventory is the root of the IF4IT compliance governance hierarchy. It connects directly to two inventories that derive from it: the Regulations Inventory (not yet published — refer to the IF4IT Enterprise Inventory Management Best Practices document), which governs the specific laws, regulations, and standards published by each agency; and the Regulatory Obligations Inventory (not yet published), which governs the specific compliance controls, reporting requirements, and evidence obligations the enterprise must fulfill. Every Regulation references the Regulatory Agency that published it; every Regulatory Obligation references the Regulation from which it derives. The governance chain flows from root to leaf: Agency → Regulation → Obligation.
The Regulatory Agencies Inventory connects to the Data and Information Inventory and Attributes through the Related Data and Information Types relationship attribute. Data protection authorities govern specific classes of personal data. Financial regulators govern financial records. Healthcare regulators govern patient data. Connecting regulatory agencies to the data types they govern enables the enterprise to answer: which data types are in scope for a specific regulatory audit? Which integrations carrying regulated data are subject to which agencies’ requirements? The Data and Information Inventory and Attributes is published and available.
The Regulatory Agencies Inventory connects to the Integrations Inventory and Attributes through the Related Integrations relationship attribute. Integrations that carry data types governed by a specific regulatory agency are subject to that agency’s requirements for data handling, security, retention, and cross-border transfer. Connecting regulatory agencies to the integrations that carry regulated data enables compliance impact analysis at the data flow level. The Integrations Inventory and Attributes is published and available.
The Regulatory Agencies Inventory connects to the Vendors Inventory and Attributes through the Related Vendors relationship attribute. Some regulatory agencies — particularly in financial services under DORA and the UK FCA Critical Third Parties regime — have direct oversight authority over critical third-party providers. Other agencies require documented due diligence on vendors processing regulated data. Connecting regulatory agencies to relevant vendor relationships enables vendor governance to be grounded in regulatory obligations. The Vendors Inventory and Attributes is published and available.
The Regulatory Agencies Inventory is itself hierarchically self-referential through the Parent Agency and Related Child Agencies relationship attributes. The European Data Protection Board supervises 27 national data protection authorities. The Basel Committee on Banking Supervision supervises national banking regulators. The FSOC supervises its member financial regulators. This hierarchy is essential for understanding how requirements propagate through the regulatory landscape — and which agency’s interpretation is authoritative when requirements at different levels of the hierarchy appear to conflict.
Copyright for the International Foundation for Information Technology (IF4IT): 2008 - Present