Regulatory Agencies Inventory and Attributes

Some regulatory agencies have direct oversight authority over vendor relationships — not just over the enterprise’s own operations. DORA requires financial institutions to maintain a register of critical ICT third-party providers and conduct structured risk assessments of those providers. The UK FCA Critical Third Parties regime allows direct regulatory supervision of systemically important technology providers. GDPR requires documented processor agreements and Data Protection Impact Assessments for vendors processing personal data. The Related Vendors attribute connects regulatory agencies to the vendor relationships they govern. The Vendors Inventory and Attributes is published and available.

When this relationship is established, vendor governance and regulatory compliance governance are connected through the Enterprise Model. A vendor relationship that is material under DORA can be identified through this connection; the compliance evidence requirements for that vendor relationship flow from the regulatory agency through the regulation to the specific vendor governance obligations. This integration of regulatory and vendor governance is one of the most significant practical benefits of building the Enterprise Model across inventory boundaries.