Skip to content
← Blog & Education · workflow 6 min read

Regulatory Change Management — an obligation register that keeps up when the rules change

Regulations don't hold still. Talarity's Regulatory Change Management gives you a living register of the obligations that apply to you, a log of every change against them, an impact-assessment workflow, and a horizon-scan watchlist for what's coming — so a new rule is a tracked item, not a fire drill.

By The Talarity team · July 1, 2026

Your compliance obligations are a moving target. GDPR guidance gets updated, PCI DSS moves to a new version, a US state passes a privacy law, the EU AI Act’s deadlines land. Most teams find out from a consultant’s newsletter, scramble to figure out what it affects, and hope nothing slipped. The obligations themselves live in a spreadsheet that was accurate the day someone made it.

Talarity’s Regulatory Change Management replaces that with a living register: the obligations that apply to you, the changes logged against each one, an impact-assessment workflow to work a change to closure, and a horizon-scan watchlist for what’s on the way. When a rule changes, it becomes a tracked item with an owner and a status — not a fire drill.

Your obligation register

The Obligations tab is the register: every obligation you’re on the hook for, with its compliance status, priority, and last-updated date. It’s searchable and filterable by status and priority, so it stays usable whether you track a dozen obligations or hundreds.

The Obligations tab for "Talarity Retail Group": a searchable, filterable table of regulatory obligations — EU AI Act, SOC 2, CCPA/CPRA, PCI DSS v4.0, GDPR — each with a compliance-status badge (Identified / In Compliance / Analyzing / Gap) and a priority badge (High / Medium / Critical), plus Edit and Delete actions.

Registering an obligation

Adding an obligation captures what a reviewer or auditor will ask for: its source (regulator, standard, guidance, internal, or contract), jurisdiction, the specific citation, the framework it belongs to, a review cadence, and its effective date — plus an impact summary and tags.

The "New Regulatory Obligation" form filled in for "DORA — ICT Third-Party Risk Management": name, description, source type (Regulator), status (Analyzing), priority (High), jurisdiction (EU), and citation (Reg. (EU) 2022/2554).

Every obligation, and the changes against it

Open any obligation to see its full profile — status, priority, source, jurisdiction, citation, framework, next review date, and owner — and, below that, the regulatory changes recorded against it. This is the point of the register: when a regulation moves, the change is attached to the obligation it affects, so the history lives in one place.

The obligation detail for "PCI DSS v4.0 — Protect Stored Cardholder Data": a Gap status, Critical priority, source/jurisdiction/citation/framework/next-review fields, owner "Dana Whitfield", and a "Recent changes (1)" section listing "PCI DSS v4.0 becomes mandatory (retires v3.2.1) — Impact Assessed".

Logging a regulatory change

The Changes tab is the running log of regulatory changes you’ve recorded — each typed as new, amended, rescinded, a guidance update, or an enforcement action, with a priority and a status. When you log a change, you link it to the obligation it affects (which is why it appeared on the PCI DSS obligation above), so each regulation’s history stays with the obligation.

The Changes tab: four regulatory changes — an EU AI Act amendment (Remediation In Progress), a CPRA enforcement action (Unreviewed), an EDPB guidance update (In Review), and PCI DSS v4.0 becoming mandatory (Impact Assessed) — each with a change-type, status badge, priority, and an Assess action.

Assessing a change’s impact

A logged change isn’t done until you’ve worked out what it means for you. Assess moves a change through the workflow — from unreviewed to in-review, impact-assessed, remediation-in-progress, and finally closed with a disposition (compliant, remediation required, no action, or exempt) — and captures your impact-assessment notes at each step. It’s the audit trail that shows you didn’t just notice the change, you acted on it.

The "Assess Change" modal for the PCI DSS v4.0 change: current status "Remediation In Progress", a "Move to status" dropdown set to "Impact Assessed", and impact-assessment notes describing the review of the checkout data-flow against the new v4.0 requirements.

Horizon scanning — what’s coming

Not every regulation is in force yet. The Horizon Scan tab is your watchlist for upcoming regulation — the rules you’re tracking before they bind you, each with a monitoring status (watching, tracking, preparing, in-force) and a relevance rating. When a horizon item becomes real, Promote turns it into a tracked obligation in one step, carrying its name, framework, jurisdiction, and source across so you don’t re-key anything.

The Horizon Scan tab: four upcoming items — DORA (Tracking), the SEC Climate Disclosure Rule (Preparing), a 2026 wave of US state privacy laws (Watching), and the EU AI Act GPAI Code of Practice (Tracking) — each with a status badge, relevance, and Edit / Promote actions.

What you walk away with

  • A living obligation register — status, priority, citation, framework, jurisdiction, cadence, and owner — instead of a stale spreadsheet.
  • Changes tracked against the obligations they affect, so each regulation’s history is in one place.
  • An impact-assessment workflow that moves a change from noticed to closed with a disposition and a written record — the audit trail a manual process never leaves.
  • A horizon-scan watchlist for upcoming regulation, with one-click promotion to a tracked obligation when it lands.

When the next regulation changes, you won’t be starting from a blank page. You’ll be updating a register you already keep.

Loading…

See Talarity in action.

A 30-minute walkthrough or a 7-day trial — your call.