{ "$defs": { "IsoCountry": { "description": "ISO 3166-1 alpha-2 country code.", "pattern": "^[A-Z]{2}$", "type": "string" }, "IsoDate": { "description": "ISO 8601 date (YYYY-MM-DD).", "format": "date", "type": "string" }, "ObligationCadence": { "description": "Cadence.", "oneOf": [ { "enum": [ "monthly", "quarterly", "semi_annual", "annual", "biennial", "triennial" ], "type": "string" }, { "const": "one_off", "description": "One-off (e.g. CTA initial BOI report).", "type": "string" }, { "const": "event_triggered", "description": "Event-triggered (e.g. breach within 72h).", "type": "string" }, { "const": "continuous", "description": "Continuous (always-on, e.g. cookie-banner display).", "type": "string" } ] }, "ObligationRegime": { "description": "Obligation regime.", "oneOf": [ { "enum": [ "other" ], "type": "string" }, { "const": "gdpr", "description": "GDPR.", "type": "string" }, { "const": "csrd", "description": "EU CSRD / ESRS.", "type": "string" }, { "const": "nis2", "description": "EU NIS2.", "type": "string" }, { "const": "dsa", "description": "EU DSA (Digital Services Act).", "type": "string" }, { "const": "ai_act", "description": "EU AI Act.", "type": "string" }, { "const": "pay_transparency", "description": "EU 2023/970 Pay Transparency.", "type": "string" }, { "const": "whistleblower", "description": "EU 2019/1937 Whistleblower / DE HinSchG.", "type": "string" }, { "const": "supply_chain", "description": "DE LkSG / EU CSDDD.", "type": "string" }, { "const": "go_bd_retention", "description": "DE GoBD / HGB §257 / AO §147 retention.", "type": "string" }, { "const": "de_transparency", "description": "DE Transparenzregister / GwG.", "type": "string" }, { "const": "us_cta", "description": "US Corporate Transparency Act (FinCEN BOI).", "type": "string" }, { "const": "uk_modern_slavery", "description": "UK Modern Slavery Act.", "type": "string" }, { "const": "us_ca_ccpa", "description": "CA CCPA / CPRA.", "type": "string" }, { "const": "soc2", "description": "SOC 2.", "type": "string" }, { "const": "iso27001", "description": "ISO 27001.", "type": "string" }, { "const": "pci_dss", "description": "PCI DSS.", "type": "string" }, { "const": "hipaa", "description": "HIPAA.", "type": "string" }, { "const": "internal", "description": "Internal policy / contractual.", "type": "string" } ] }, "ObligationStatus": { "description": "Current state of obligation.", "oneOf": [ { "const": "satisfied", "description": "Satisfied for the current cycle.", "type": "string" }, { "const": "due_soon", "description": "Due in <30 days.", "type": "string" }, { "const": "overdue", "description": "Past due / unsatisfied.", "type": "string" }, { "const": "not_applicable", "description": "Not in scope (entity below threshold).", "type": "string" }, { "const": "in_remediation", "description": "Under remediation.", "type": "string" } ] }, "PathRef": { "description": "Path-based cross-reference relative to .corpospec/ root.\nPattern: `^[a-z0-9_-]+(/[a-z0-9_.-]+)+$`", "pattern": "^[a-z0-9_-]+(/[a-z0-9_.-]+)+$", "type": "string" } }, "$id": "https://corpospec.com/schemas/v0.16.0/compliance-obligation.schema.json", "$schema": "https://json-schema.org/draft/2020-12/schema", "additionalProperties": false, "description": "Compliance-obligation record.", "properties": { "bdr_ref": { "anyOf": [ { "$ref": "#/$defs/PathRef" }, { "type": "null" } ], "description": "PathRef to the BDR enacting this obligation (where relevant)." }, "cadence": { "$ref": "#/$defs/ObligationCadence" }, "citation": { "description": "Full citation (e.g. \"GDPR Art. 30\", \"BDSG-neu § 38\", \"26 USC §\n6038\").", "type": "string" }, "control_refs": { "description": "PathRefs to controls (security_control.rs) that operationalise\nthis obligation.", "items": { "$ref": "#/$defs/PathRef" }, "type": "array" }, "description": { "type": "string" }, "entity": { "$ref": "#/$defs/PathRef" }, "evidence_refs": { "description": "PathRefs to evidence of recent satisfaction.", "items": { "$ref": "#/$defs/PathRef" }, "type": "array" }, "id": { "$ref": "#/$defs/PathRef" }, "jurisdiction": { "$ref": "#/$defs/IsoCountry" }, "last_satisfied_on": { "anyOf": [ { "$ref": "#/$defs/IsoDate" }, { "type": "null" } ], "description": "Date last satisfied." }, "next_due": { "$ref": "#/$defs/IsoDate", "description": "Next due date." }, "owner": { "$ref": "#/$defs/PathRef", "description": "Owner (single accountable)." }, "penalty_exposure": { "description": "Penalty exposure if breached (free-form, e.g. \"Up to 4% global\nturnover (GDPR Art. 83(5))\").", "type": [ "string", "null" ] }, "procedure_refs": { "description": "PathRefs to procedures (sop.rs / runbook.rs) that execute it.", "items": { "$ref": "#/$defs/PathRef" }, "type": "array" }, "regime": { "$ref": "#/$defs/ObligationRegime" }, "schedule_anchor": { "description": "Day-of-month / day-of-quarter etc. anchors (optional).", "type": [ "string", "null" ] }, "status": { "$ref": "#/$defs/ObligationStatus" }, "title": { "type": "string" } }, "required": [ "id", "entity", "regime", "jurisdiction", "title", "citation", "description", "cadence", "owner", "next_due", "status" ], "title": "ComplianceObligation", "type": "object", "x-corpospec-pillar": "legal" }