
Why We Built a Compliance Ontology Using W3C OWL and SPARQL

2026-04-13 · 8 min read

Most compliance tools hand you a checklist. Tick the boxes. Move on.

We took a different approach. We built a formal compliance ontology — a W3C OWL knowledge graph covering 10 EU regulations, 976 concepts, and 1,000 relationships. Queryable via SPARQL. Linked to the EU's own legislation identifiers.

Here's why we did it, what we found, and why checklists will never be enough.

Regulations Don't Exist in Isolation

GDPR doesn't care that you're also subject to DORA. The AI Act doesn't coordinate with NIS2. Each regulation was written independently, by different teams, on different timelines — but they all land on your desk at the same time.

When we modeled these regulations as a connected ontology, we mapped every cross-regulation relationship. We found 70 overlapping obligations across 15 regulation pairs — connections that are invisible when you treat each regulation as a separate checklist.

Some of the most significant:

  • GDPR and Swiss FADP share 19 overlapping obligations — but FADP adds personal criminal liability of up to CHF 250,000. Not the company. The individual.
  • AI Act and GDPR share 8 overlapping obligations — particularly around transparency and automated decision-making. If you comply with one but miss the other, you have a gap.
  • DORA and NIS2 share 7 overlapping obligations — both require incident reporting, but DORA says 24 hours while NIS2 says 72. Different timelines, different authorities, same company.

You'd need to manually compare hundreds of obligations across every regulation to find these. A SPARQL query on our ontology finds them in seconds.

What Is a Compliance Ontology?

An ontology is a formal model of knowledge — not a flat list, but a connected graph with defined relationships and logical rules.

In our case, every regulation contains articles. Every article creates obligations. Every obligation has conditions that determine who it applies to, exemptions that might remove it, penalties for non-compliance, and authorities that enforce it. And critically — obligations from different regulations connect to each other through formal cross-references.

When GDPR's transparency requirements overlap with the AI Act's disclosure obligations, that relationship isn't a note in a spreadsheet. It's a formally modeled edge in the knowledge graph, with defined semantics, queryable via SPARQL.

Our compliance ontology in numbers:

  • 976 concepts — regulations, articles, obligations, conditions, exemptions, penalties, authorities
  • 10 EU regulations — GDPR, AI Act, DORA, NIS2, CRA, AML, FADP, CSRD, UK GDPR, UK DPA 2018
  • 516 obligations — each with formal applicability conditions
  • 696 rule conditions — machine-evaluated against a company's profile
  • 1,000 relationships — connecting every concept to its context
  • 46 enforcement authorities — mapped to jurisdictions across the EU, UK, and Switzerland

Why W3C OWL and SPARQL?

We chose the W3C Web Ontology Language (OWL) because compliance knowledge needs formal semantics, not labels in a spreadsheet.

OWL gives us formal logic. "This obligation applies when a company processes special category data OR is a public authority" isn't a comment — it's a logical restriction that a reasoner can evaluate. The ontology doesn't guess. It derives.

SPARQL gives us queryability. "Show me every obligation that triggers when a company expands to Switzerland" is a single query, not a week-long research project. Cross-regulation analysis that would take a consultant days takes our ontology seconds.

ELI gives us interoperability. We link every regulation to its official European Legislation Identifier (ELI) — the same reference system used by EUR-Lex. Our GDPR entry links to Regulation (EU) 2016/679 in the EU's official legislation database. Our AI Act entry links to Regulation (EU) 2024/1689. Standards-based, machine-readable, interoperable.

This also means partners can integrate our ontology into their own systems. Download the OWL. Load it into Protégé. Run SPARQL queries. Build on top of it.
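
The applicability conditions and cross-regulation overlap edges described above, as an added example (not ComplyOne's own ontology or code). The `co:` vocabulary, the company `co:AcmeBank` and the sample triples are constructed assumptions; the 24- and 72-hour values are the ones this post cites for DORA and NIS2.

```sparql
# Added example. The co: vocabulary and all sample data are constructed assumptions.
# Step 1 (SPARQL Update): load a tiny graph.
PREFIX co: <https://example.org/compliance#>

INSERT DATA {
  # Company profile: the characteristics that rule conditions are matched against.
  co:AcmeBank a co:Company ;
      co:hasCharacteristic co:FinancialEntity , co:EssentialEntity .

  # An obligation applies when the company has ANY of its appliesWhen conditions.
  co:DORA_IncidentReport a co:Obligation ;
      co:partOf co:DORA ;
      co:appliesWhen co:FinancialEntity ;
      co:reportingDeadlineHours 24 ;
      co:overlapsWith co:NIS2_IncidentReport .

  co:NIS2_IncidentReport a co:Obligation ;
      co:partOf co:NIS2 ;
      co:appliesWhen co:EssentialEntity , co:ImportantEntity ;
      co:reportingDeadlineHours 72 .

  # Does not apply to AcmeBank: neither condition is in its profile.
  co:GDPR_SampleObligation a co:Obligation ;
      co:partOf co:GDPR ;
      co:appliesWhen co:ProcessesSpecialCategoryData , co:PublicAuthority .
}

# Step 2 (SPARQL Query, sent as a separate request): overlapping obligations from
# different regulations that both apply to the company, with the stricter deadline.
PREFIX co: <https://example.org/compliance#>

SELECT DISTINCT ?regA ?oblA ?hoursA ?regB ?oblB ?hoursB ?strictestHours
WHERE {
  VALUES ?company { co:AcmeBank }
  ?company co:hasCharacteristic ?condA , ?condB .
  ?oblA co:appliesWhen ?condA ;
        co:partOf ?regA ;
        co:overlapsWith ?oblB .
  ?oblB co:appliesWhen ?condB ;
        co:partOf ?regB .
  FILTER (?regA != ?regB)

  # Deadlines are optional: not every overlapping pair is a reporting duty.
  OPTIONAL {
    ?oblA co:reportingDeadlineHours ?hoursA .
    ?oblB co:reportingDeadlineHours ?hoursB .
    BIND (IF(?hoursA < ?hoursB, ?hoursA, ?hoursB) AS ?strictestHours)
  }
}
```

Each result row names the two obligations, their regulations and the matched conditions' outcome, so the answer can be traced back to the triples that produced it.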

What the Ontology Can Do That Checklists Can't

Cross-regulation analysis. A fintech company in Germany using AI for credit scoring falls under GDPR, DORA, the AI Act, AML, and potentially NIS2. A SPARQL query on our ontology identifies all five regulations and maps the specific obligations that apply — including the 70 places where they overlap or conflict.

Country expansion impact. Expanding to Switzerland? The ontology identifies 19 obligations shared between GDPR and FADP — and flags where FADP is stricter, including personal criminal liability that GDPR doesn't have. One query. Two regulations. Every difference surfaced.

Regulatory cascade detection. Deploying AI doesn't just trigger the AI Act. Our knowledge graph shows it creates obligations under GDPR (automated decision-making, Article 22) and DORA (if you're in financial services — AI counts as critical ICT). One business decision, three regulatory cascades, all mapped in the ontology.

Temporal compliance tracking. The AI Act's full enforcement begins August 2025. The AML Regulation applies from July 2027. The CRA from December 2027. Our ontology tracks validFrom dates on every concept, so you can query what's active now versus what's coming.

Enforcement authority mapping. 46 authorities across EU, UK, and Switzerland — each linked to the specific obligations they enforce and the jurisdictions they cover. A SPARQL query can tell you which regulator enforces which obligation in which country.

The Difference Between an Ontology and "AI-Powered Compliance"

Most tools that claim to use AI for compliance are running an LLM over regulation PDFs. That's search, not intelligence.

When you ask an LLM "does DORA apply to my company?" you get a confident answer. But you can't audit the reasoning. You can't trace it back to a specific article. You can't prove it to a regulator.

When you query our ontology, the answer is derived from formal logic — 516 obligations, 696 conditions, 1,000 relationships. Every result traces back to a specific regulation article, a specific condition, a specific rule. Deterministic. Auditable. Explainable.

You can't tell a regulator "our AI thought it didn't apply." You need to show the reasoning. A knowledge graph gives you the reasoning. An LLM gives you a confident guess.

What This Means in Practice

Every compliance check on ComplyOne is powered by this ontology. When you run an assessment, you're not answering a generic questionnaire — you're being evaluated against 516 obligations with 696 conditions that determine exactly which ones apply to your company, in your sector, in your jurisdiction.

The result isn't a score. It's a map of your regulatory landscape — which obligations apply, which are mandatory, where the penalties are highest, and where different regulations overlap.

976 concepts. 10 regulations. One connected knowledge graph. Working behind the scenes in under two minutes.


ComplyOne's compliance ontology is available for licensing to partners, GRC platforms, and law firms. Contact us to discuss OWL export access and SPARQL integration.

See the knowledge graph in action at complyone.io/knowledge-graph.
