Regulation
Compliance outgrew the spreadsheet
For most companies, compliance still lives in a spreadsheet held together by one overworked person. It breaks in four predictable places.
New to the topic? Start with What sovereign compliance actually means.
If you are responsible for compliance at a mid-sized European company, there is a fair chance your entire programme lives in a spreadsheet. One tab lists the laws you believe apply. Another lists controls. A folder holds policy documents someone wrote eighteen months ago. Holding it all together is a single person who usually has another full-time job as well. This is not negligence; for most companies it is the only realistic option. It also breaks in four predictable places.
Four places the spreadsheet gives way
The first is scoping. Working out which laws actually apply, DORA, NIS2, GDPR, the AI Act, sector rules, national transpositions, consumes weeks, and the answer depends on a company’s size, sector, activities, and location. Most teams either over-scope out of caution or miss something and learn about it the hard way. The second is translation. A law is not a checklist; someone has to read Article 30 of DORA, determine the real requirement, and turn it into a control that can be implemented and evidenced. The third is drafting. A policy that merely restates the law is useless, because it has to tell people what to do and trace back to the requirement it satisfies, or an auditor will reject it.
The fourth is the one that breaks people. You finish, and then a law changes.
- Definition
- Why change is the hardest part
- A spreadsheet does not know that requirement 47 came from Article 30, that Article 30 was just amended, or that three of your policies now need revisiting. That web of connections has to live in one person’s head, and across five moving regulations, no one can hold it. Every amendment sends the work back towards the start.
From a static list to a connected model
The alternative is to stop treating compliance as a list and start treating it as a connected model, which is the problem COMPLY.Reg was built to solve. It begins from a company’s profile, its activities, sector, size, and jurisdiction, and works out which regulations and which individual requirements apply. Clear-cut cases are decided by rules; genuinely ambiguous ones are worked through by AI within the EU, and anything the system is unsure of is referred to a person rather than guessed. From there it reads each law into structured requirements, with the article reference and the conditions, exceptions, and deadlines attached, and proposes the controls that satisfy them, mapping a control once even when it covers several regulations. Every proposal is exactly that, a proposal a person on the customer’s side approves before it counts.
Keeping current without starting over
The payoff shows when a law changes. Because the platform already knows which requirements came from that law, which controls those requirements drive, and which policies contain those controls, it can show what a change affects and carry it through, with a full audit trail of what changed and why. It also tracks the progress of draft EU legislation, so a new requirement is less likely to arrive as a surprise the week it takes effect. None of this replaces professional judgment, and it is not meant to; what it removes is the re-typing, so the person responsible spends their time deciding rather than rebuilding a spreadsheet that was never going to keep pace with the law.