ArchiMate for Risk and Compliance Visualization


Key Takeaways

  • Executive summary
  • The regulation-to-architecture traceability matrix
  • Applying these patterns in practice

Executive summary

Risk and compliance visualization works when it answers real governance questions: where regulated data flows, what controls apply, what changes were approved, and what evidence exists. W3C PROV defines provenance as information about entities, activities, and people involved in producing data—useful as conceptual grounding for “evidence lineage.”

ArchiMate provides the cross-layer modeling language to connect drivers/requirements to capabilities and systems; regulatory frameworks like GDPR (record of processing activities requirements) and operational resilience rules like DORA (financial sector ICT resilience) provide concrete compliance drivers that can be represented as modeled requirements and constraints.

Security frameworks such as NIST SP 800-53 offer control catalogues that can be mapped to architecture elements to visualize coverage and gaps.

  • Modeling approach: requirements/controls linked to architecture layers
  • Viewpoints: executive, risk officer, audit, engineering
  • Pitfalls and anti-patterns

Figure 1: Risk and compliance layers — regulations mapped to controls mapped to architecture

  • GDPR Article 30.
  • ArchiMate standard framing.

The regulation-to-architecture traceability matrix

Figure 2: Compliance traceability — regulation mapped to control, architecture element, and compliance status

Regulatory compliance is not a checkbox exercise — it is a continuous traceability challenge. Regulators (GDPR, ISO 27001, PCI-DSS, NIS2, DORA) define requirements. Architecture must demonstrate how those requirements are met through specific controls implemented in specific technology components.

ArchiMate models this traceability chain explicitly. External regulations are modeled as Constraints or Requirements. Each regulation maps to one or more security Controls (modeled as Application Functions or Course of Action elements). Each control is realized by a specific Architecture Element — the TLS Gateway that implements encryption, the IAM Platform that implements access management, the SAST Pipeline that implements secure coding verification.

The compliance status is tracked as a tagged value on each control-to-element link: Compliant, Partial, Non-Compliant, In Progress. A dashboard view aggregates these statuses to show the overall compliance posture per regulation — the CISO can see at a glance that GDPR is 92% compliant but NIS2 is only 67% compliant, with specific gaps identified.

Automated compliance gap detection

The most powerful use of this model is automated gap detection. A validation script traverses the regulation → control → element chain and flags any broken link: a regulation without a mapped control (gap in policy), a control without an implementing element (gap in implementation), or an element with a non-compliant status tag (gap in execution).

// jArchi: Compliance gap detection
// Walks the regulation -> control -> element chain and reports all three gap kinds.
var gaps = [];

// Gap in policy: a regulation (modeled as a Constraint) with no associated control
$("constraint").forEach(function(reg) {
    var controls = reg.outRels("association-relationship");
    if (controls.size() === 0) {
        gaps.push("NO CONTROL: " + reg.name);
    }
});

// Controls are the Application Functions that carry a Control_Type property
// (prop() yields null/undefined when the property is absent, so compare loosely)
$("application-function").filter(function(ctrl) {
    return ctrl.prop("Control_Type") != null;
}).forEach(function(ctrl) {
    // Gap in implementation: no architecture element realizes this control
    if (ctrl.inRels("realization-relationship").size() === 0) {
        gaps.push("NO ELEMENT: " + ctrl.name);
    }
    // Gap in execution: the Compliance_Status tag is anything other than Compliant
    var status = ctrl.prop("Compliance_Status") || "Unknown";
    if (status !== "Compliant") {
        gaps.push("NON-COMPLIANT: " + ctrl.name + " (" + status + ")");
    }
});

gaps.forEach(function(g) { console.log(g); });
console.log("Total gaps: " + gaps.length);
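The same traversal outside Archi, as an added example that is not part of the article or the jArchi project: the chain is held in a plain object so the script runs offline, it reports the three gap kinds from the text, and it also computes the per-regulation dashboard figure. Regulation, control, element and status names are constructed, and the percentage formula is an assumption since the article does not state one.

```javascript
// Added example, not from the article or the Archi project: the regulation -> control -> element
// chain held in a plain object so it runs without jArchi. All names and statuses are constructed.
const model = {
  regulations: ["GDPR", "NIS2", "DORA"],
  // Control -> regulations it satisfies (the Requirement/Constraint -> Control association)
  controls: {
    "Encryption in transit":      ["GDPR", "NIS2"],
    "Access management":          ["GDPR", "NIS2"],
    "Secure coding verification": ["NIS2"],
    "Incident reporting":         ["NIS2"],
  },
  // Element realizes Control; Compliance_Status is the tagged value on that link
  realizations: [
    { element: "TLS Gateway",   control: "Encryption in transit",      status: "Compliant" },
    { element: "IAM Platform",  control: "Access management",          status: "Compliant" },
    { element: "SAST Pipeline", control: "Secure coding verification", status: "Partial" },
  ],
};
const controlsOf = (m, reg) => Object.keys(m.controls).filter(c => m.controls[c].includes(reg));

// Walk the chain and report the three gap kinds named in the text.
function detectGaps(m) {
  const gaps = [];
  for (const reg of m.regulations) {                       // gap in policy
    if (controlsOf(m, reg).length === 0) gaps.push("NO CONTROL: " + reg);
  }
  for (const ctrl of Object.keys(m.controls)) {            // gap in implementation
    if (!m.realizations.some(r => r.control === ctrl)) gaps.push("NO ELEMENT: " + ctrl);
  }
  for (const r of m.realizations) {                        // gap in execution
    if (r.status !== "Compliant") {
      gaps.push("NON-COMPLIANT: " + r.element + " -> " + r.control + " (" + r.status + ")");
    }
  }
  return gaps;
}

// Dashboard figure per regulation: share of its controls realized by an element tagged Compliant.
// The article gives no formula, so this per-control share is an assumption of the example.
function compliancePosture(m) {
  const posture = {};
  for (const reg of m.regulations) {
    const ctrls = controlsOf(m, reg);
    const ok = ctrls.filter(c =>
      m.realizations.some(r => r.control === c && r.status === "Compliant")).length;
    posture[reg] = ctrls.length === 0 ? 0 : Math.round(100 * ok / ctrls.length);
  }
  return posture;
}
console.log(detectGaps(model), compliancePosture(model));
```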

Applying these patterns in practice

The value of ArchiMate modeling is realized not through comprehensive coverage of every element type, but through disciplined application of a few core patterns that answer recurring stakeholder questions. Three patterns account for the majority of architecture communication needs.

The Layered View pattern shows how business processes depend on applications, and how applications depend on infrastructure. Build this view by placing Business Processes at the top, Application Components in the middle, and Technology Nodes at the bottom. Connect them with Serving and Realization relationships. This single view demonstrates cross-layer traceability — when a server is decommissioned, trace upward to see which applications and business processes are affected.

The Cooperation View pattern shows how application components interact through interfaces and data flows. Place the core application in the center and its integration partners around it, connected by Flow relationships labeled with the data exchanged. This view reveals integration dependencies that are otherwise buried in technical documentation.

The Motivation View pattern connects strategic goals to architecture decisions. Stakeholder concerns drive Goals, Goals are realized by Outcomes, Outcomes are enabled by Capabilities, and Capabilities are realized by Application Components. This chain answers the question executives always ask: "Why are we building this?"
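The upward trace described for the Layered View, as an added example that is not part of the article: a decommissioned Technology Node is followed through Serving and Realization relationships to list the Application Components and Business Processes it affects. The model, element names and layer assignments are constructed.

```javascript
// Added example, not from the article: impact analysis over a Layered View held as plain
// relationship records. Element names, layers and relationships are constructed.
const relationships = [
  { from: "DB Server 01",          to: "Customer Data Service", type: "serving" },
  { from: "App Server 01",         to: "Order Service",         type: "serving" },
  { from: "Customer Data Service", to: "Order Service",         type: "serving" },
  { from: "Customer Data Service", to: "CRM Portal",            type: "serving" },
  { from: "Order Service",         to: "Order Fulfilment",      type: "realization" },
  { from: "CRM Portal",            to: "Customer Onboarding",   type: "realization" },
  { from: "Log Server 01",         to: "Monitoring Service",    type: "serving" },
];
const layer = {
  "DB Server 01": "technology", "App Server 01": "technology", "Log Server 01": "technology",
  "Customer Data Service": "application", "Order Service": "application",
  "CRM Portal": "application", "Monitoring Service": "application",
  "Order Fulfilment": "business", "Customer Onboarding": "business",
};

// Breadth-first walk along outgoing Serving/Realization links from the decommissioned element;
// the visited set keeps cyclic models from looping. Returns affected elements grouped by layer.
function impactOf(start, rels, layers) {
  const seen = new Set([start]);
  const queue = [start];
  const hit = { application: [], business: [] };
  while (queue.length) {
    const cur = queue.shift();
    for (const r of rels) {
      if (r.from !== cur || !["serving", "realization"].includes(r.type) || seen.has(r.to)) continue;
      seen.add(r.to);
      queue.push(r.to);
      if (hit[layers[r.to]]) hit[layers[r.to]].push(r.to);
    }
  }
  return hit;
}
console.log(impactOf("DB Server 01", relationships, layer));
```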

If you'd like hands-on training tailored to your team (Sparx Enterprise Architect, ArchiMate, TOGAF, BPMN, SysML, Apache Kafka, or the Archi tool), you can reach us via our contact page.

Frequently Asked Questions

What is enterprise architecture?

Enterprise architecture is a discipline that aligns an organisation's strategy, business operations, information systems, and technology infrastructure. It provides a structured framework for understanding how an enterprise works today, where it needs to go, and how to manage the transition.

How is ArchiMate used in enterprise architecture practice?

ArchiMate is used as the standard modeling language in enterprise architecture practice. It enables architects to create consistent, layered models covering business capabilities, application services, data flows, and technology infrastructure — all traceable from strategic goals to implementation.

What tools are used for enterprise architecture modeling?

Common enterprise architecture modeling tools include Sparx Enterprise Architect (Sparx EA), Archi, BiZZdesign Enterprise Studio, LeanIX, and Orbus iServer. Sparx EA is widely used for its ArchiMate, UML, BPMN and SysML support combined with powerful automation and scripting capabilities.