Regulatory Agencies Inventory and Attributes - Understand the relationship between the Regulatory Agencies Inventory and the Regulatory Obligations Inventory
The Regulatory Obligations Inventory (not yet published — refer to the IF4IT Enterprise Inventory Management Best Practices document) will govern the specific compliance controls, reporting requirements, evidence obligations, and deadlines that the enterprise must fulfill in response to each regulation. Every Regulatory Obligation record will trace back to the Regulation that creates it and, through that regulation, to the Regulatory Agency that issued it.
When published, this relationship completes the second link in the compliance governance hierarchy: Agency → Regulation → Obligation. For every regulatory agency, the enterprise can traverse directly to the specific things it must do to comply. This traversal is what transforms the compliance governance hierarchy from a documentation exercise into an operational compliance management system: from “the GDPR supervisory authority requires X” to “here are the 47 specific obligations that Articles 13, 14, 17, and 32 of GDPR create for this enterprise, with their deadlines, evidence requirements, and control owners.”
Copyright for the International Foundation for Information Technology (IF4IT): 2008 - Present