n8n-flow

Regulatory change monitor with n8n

Difficulty

intermediate

Setup time

90min

For

legal-ops · in-house-counsel · compliance · dpo

Legal Ops

Stack

An n8n flow that watches a curated set of regulatory feeds (EU AI Act updates, GDPR enforcement decisions, US state privacy laws, SEC rule proposals, NYC LL 144 and other AI-employment laws, sector-specific rules), classifies each item by relevance to the firm’s specific exposure profile, scores urgency, and posts a structured digest to the legal team’s Slack channel — daily aggregate, plus immediate alerts for high_urgency items. Replaces the in-house counsel’s “RSS-feed-and-newsletter graveyard” with a filtered queue that surfaces only what the firm actually needs to act on.

When to use

The firm operates across multiple regulatory regimes (privacy, employment, sector-specific) and the in-house team can’t manually read every regulator’s updates.
Compliance work is event-driven enough that “we missed this rule change because nobody saw it” is a real failure mode.
The firm has documented its regulatory exposure profile (which jurisdictions, which sectors, which data types) — the relevance filter requires that profile.

When NOT to use

Replacing the firm’s general counsel reading. The flow is decision support; the counsel still reads the high-urgency items and sets the firm’s response. The flow filters; counsel acts.
Producing legal advice on the rule changes. The flow summarizes. Counsel interprets and decides response.
Highly specialized practice areas that need dedicated practitioner-tier monitoring (M&A regulatory clearance work, complex tax). Specialized practice has bespoke sources beyond what a feed-monitor catches.
Geographies the exposure profile doesn’t cover. Adding a geography requires the profile to be updated; the flow doesn’t auto-discover what the firm cares about.

Setup

Import the flow from apps/web/public/artifacts/regulatory-change-monitor-n8n/regulatory-change-monitor-n8n.json.
Wire credentials. Anthropic (Claude classification), Slack (digest destination), HTTP fetcher (no auth needed for public RSS / API feeds).
Author the firm’s exposure profile. Per regulatory area, document: applicable jurisdictions, sectors, data types, penalty exposure, named counsel owner. Template in _README.md.
Configure the feed sources. The bundled flow polls 8 default feeds (EU Commission AI Act page, NYC consumer affairs LL 144 page, EDPB guidelines, SEC rule proposals, ICO enforcement, EDPS guidelines, FTC press releases, state-AG privacy enforcement aggregator). Add or remove per the firm’s exposure.
Tune the urgency thresholds. Defaults: enforcement decision against a peer firm → high; rule proposal in scope-jurisdiction → medium; consultation paper → low. Tune per the counsel’s preference for noise vs miss.
Dry-run for two weeks. Compare the flow’s classifications to the counsel’s manual read of the same period. Tune the relevance filter and urgency rules.

What the flow does

Six nodes. Per-feed polling, then per-item classification, then digest assembly.

Cron Hourly — fires every hour to poll feeds (the daily digest assembles at 8am office TZ).
Fetch Feeds — HTTP requests to each configured feed URL. Parse RSS / Atom / JSON per feed format. Dedupe by item GUID against the prior 30 days of seen items.
Classify — Claude call per new item. Returns {relevant_to_profile, jurisdictions_implicated, regulatory_areas, urgency, summary, recommended_owner}. Items with relevant_to_profile: false are dropped from the digest but logged to the audit table.
Store — write each classified item to the regulatory_items table.
Immediate Alert — for urgency: high items, post immediately to #legal-alerts with the classification + link.
Daily Digest — at 8am office TZ, assemble the 24-hour items into a digest grouped by regulatory area, posted to #legal-team.

Cost reality

LLM tokens — typically 1-2k input + 0.5k output per classified item. With ~20-50 new items per day across feeds, ~$0.20-0.60/day in model cost.
n8n executions — hourly cron + per-item processing. Within Starter plan for most firms.
Counsel time — the win. Hand-monitoring is 30-60 minutes/day per counsel for thorough coverage; reviewing the daily digest is 5-10 minutes plus immediate-alert response time.
Setup time — 90 minutes including the exposure profile authoring (45 minutes is the profile).

Success metric

Counsel’s “missed-it” incidents per quarter — incidents where a regulator-led inquiry surfaces a rule change the firm should have known about. Should drop to zero on monitored areas.
Digest signal-to-noise ratio — share of digest items the counsel marks as “relevant” vs “ignore.” Should be 70-85% relevant; below 50% means the relevance filter or exposure profile needs tuning.
Time from rule publication to counsel response posture — for monitored areas, should drop from “weeks” (passive newsletter monitoring) to under 24 hours (the digest catches it on first poll).

vs alternatives

vs commercial regulatory-monitoring services (LexisNexis State Net, Bloomberg Government, FiscalNote, Thomson Reuters Regulatory Intelligence). Pick those if budget supports the platform play and you want managed coverage with practitioner-grade summaries. The flow is the lightweight middle ground at lower cost and with the relevance filter calibrated to your profile.
vs in-house counsel reading newsletters. The default and the source of misses.
vs no monitoring. Predictable failure mode at smaller firms; works until it doesn’t.

Watch-outs

Feed source drift. Guard: feed health-check on every hourly poll. Failed-fetch items surface as “feed source X has been down for N hours” warnings on the daily digest, not silently dropped.
Relevance filter false negatives. Guard: the audit table logs ALL classified items, including relevant_to_profile: false. Counsel reviews the false-negative bucket weekly; misses are signal to update the profile or the classifier prompt.
Urgency over-flagging. Guard: immediate-alert posts to #legal-alerts only; the daily digest absorbs medium and low urgency. Tuning the urgency thresholds is the lever if alerts overwhelm.
Jurisdiction-mapping miss. Guard: each item is annotated with jurisdictions_implicated based on the regulator’s authority + the rule’s stated scope. Items where jurisdiction is ambiguous get tagged “ambiguous — counsel to confirm” rather than guessed.
Stale exposure profile. Guard: the profile carries last_updated and triggers a “profile review reminder” on the digest if older than 6 months.
Feed-content staleness vs publication date. Guard: the digest sorts by publication date, not fetch date. Old items in the feed re-pop if the feed itself was down for a stretch.

Stack

The bundle lives at apps/web/public/artifacts/regulatory-change-monitor-n8n/:

regulatory-change-monitor-n8n.json — the flow export
_README.md — credentials, exposure profile schema, default feed list, dry-run procedure

Tools: n8n, Claude, Slack.

Edit this page on GitHub

Files in this artifact

Download all (.zip)

# Regulatory change monitor — n8n flow

Polls a curated set of regulatory feeds hourly, classifies each new item against the firm's exposure profile with Claude, and posts immediate Slack alerts on `high_urgency` items plus a daily 8am digest. Replaces the in-house counsel's "RSS-feed-and-newsletter graveyard" with a relevance-filtered queue.

## Import

1. Import `regulatory-change-monitor-n8n.json`.
2. Provision the database tables (DDL below).
3. Wire credentials (Anthropic, Slack, Postgres).
4. Author the firm's exposure profile.
5. Seed the feed list.
6. Dry-run for two weeks before flipping `active: true`.

## Database tables

```sql
-- The feeds the flow polls.
CREATE TABLE regulatory_feeds (
    feed_id          TEXT PRIMARY KEY,
    feed_url         TEXT NOT NULL,
    feed_format      TEXT NOT NULL CHECK (feed_format IN ('rss', 'atom', 'json')),
    description      TEXT,
    active           BOOLEAN NOT NULL DEFAULT true,
    last_etag        TEXT,
    last_polled_at   TIMESTAMPTZ
);

-- One row per classified item.
CREATE TABLE regulatory_items (
    item_id              BIGSERIAL PRIMARY KEY,
    feed_id              TEXT NOT NULL REFERENCES regulatory_feeds (feed_id),
    item_guid            TEXT NOT NULL,
    title                TEXT NOT NULL,
    link                 TEXT NOT NULL,
    summary_raw          TEXT,
    summary_classified   TEXT,
    published_at         TIMESTAMPTZ,
    relevant_to_profile  BOOLEAN NOT NULL,
    jurisdictions        TEXT[],
    regulatory_areas     TEXT[],
    urgency              TEXT NOT NULL CHECK (urgency IN ('low','medium','high')),
    recommended_owner    TEXT,
    classified_at        TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    UNIQUE (feed_id, item_guid)
);

CREATE INDEX reg_items_urgency_idx ON regulatory_items (urgency, classified_at DESC);
CREATE INDEX reg_items_relevant_idx ON regulatory_items (relevant_to_profile, classified_at DESC);
```

## Credentials

- `PLACEHOLDER_REG_DB_CRED_ID` — Postgres write access to the two tables above.
- `PLACEHOLDER_ANTHROPIC_CRED_ID` — Anthropic API key (Sonnet 4.6).
- `PLACEHOLDER_SLACK_CRED_ID` — `chat:write` scope, bot in `#legal-alerts` and `#legal-team`.

## Firm exposure profile

The classifier prompt expects a system message with the firm's exposure profile. Maintain this as a Markdown file (e.g. `firm-exposure-profile.md`) and inject it into the Claude system message at flow runtime (the bundled flow has it in the prompt; for the production version, load from disk and prepend).

```yaml
profile_version: 2026.1
last_updated: 2026-04-15

jurisdictions_in_scope:
  - EU-GDPR
  - UK-GDPR
  - CCPA-CPRA
  - VCDPA  # Virginia
  - CDPA   # Colorado
  - CPA    # Connecticut
  - LGPD   # Brazil
  - US-Federal  # SEC, FTC, DOJ
  - NY-state    # NYC LL 144, NYDFS

regulatory_areas:
  - data-privacy
  - ai-employment-law
  - ai-act-eu
  - securities
  - consumer-protection
  - sector-specific:financial-services

sectors:
  - saas
  - financial-services-adjacent  # firm processes financial data but is not a regulated bank

data_types_processed:
  - eu-personal-data
  - california-personal-information
  - us-employee-data
  - us-customer-data
  - financial-transaction-data

penalty_exposure_thresholds:
  - GDPR Art. 83: 4% global revenue (any GDPR-related rule change is at minimum medium urgency)
  - NYC LL 144: $500-$1500/day per untracked AI hiring tool (any LL 144 change is at minimum medium urgency)
  - SEC: variable (rule changes affecting financial-data processing are at minimum medium urgency)

named_counsel_owners:
  - data-privacy: Privacy Counsel ([email protected])
  - ai-employment-law: Employment Counsel + DPO
  - securities: Securities Counsel
  - consumer-protection: General Counsel
  - financial-services: External regulatory counsel

urgency_rules:
  high:
    - Enforcement decision against a peer firm in our jurisdictions
    - Final rule with effective date within 90 days
    - Court ruling that materially changes interpretation in our jurisdictions
    - Direct firm-mention or industry-segment-mention in a regulator's press release
  medium:
    - Rule proposal in scope-jurisdiction
    - Guidance document from a regulator we track
    - Enforcement decision against any firm in our regulatory area but outside our jurisdictions
  low:
    - Consultation paper / call for evidence
    - Conference / speech by regulator on topics in scope
    - Academic or trade-association commentary
```

## Default feed seed

Seed `regulatory_feeds` with these to start:

```sql
INSERT INTO regulatory_feeds (feed_id, feed_url, feed_format, description) VALUES
  ('eu-commission-ai-act', 'https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai/feed', 'rss', 'EU Commission AI Act updates'),
  ('edpb-news', 'https://www.edpb.europa.eu/news/news_en?type=All', 'rss', 'European Data Protection Board news'),
  ('ico-news', 'https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/feed/', 'rss', 'UK ICO press releases and enforcement'),
  ('sec-rules', 'https://www.sec.gov/rules-regulations/rss/proposed', 'rss', 'SEC proposed rules'),
  ('ftc-press', 'https://www.ftc.gov/news-events/news/press-releases/feed', 'rss', 'FTC press releases'),
  ('nyc-consumer-affairs', 'https://www.nyc.gov/site/dca/about/dca-news.page', 'rss', 'NYC Department of Consumer and Worker Protection (LL 144 source)'),
  ('cppa-news', 'https://cppa.ca.gov/news/feed.xml', 'rss', 'California Privacy Protection Agency news'),
  ('edps-news', 'https://www.edps.europa.eu/news_en?language=en', 'rss', 'European Data Protection Supervisor');
```

Add or remove based on the firm's exposure profile. Each feed should be one the firm would otherwise ask a counsel to monitor manually; if no one would otherwise monitor it, drop it.

## Daily digest (separate workflow)

The bundled flow handles the per-item path. The daily 8am digest is a separate small workflow:

1. Cron at 8am office TZ.
2. Postgres query: items with `relevant_to_profile = true AND classified_at > NOW() - INTERVAL '24 hours'`.
3. Group by `regulatory_areas` and order by urgency.
4. Compose digest Markdown.
5. Post to `#legal-team`.

The digest workflow is small enough to assemble from this README; not bundled separately.

## Dry-run procedure

1. Provision tables on a non-production DB.
2. Wire credentials with a test Slack workspace.
3. Run for 2 weeks. Counsel reviews the daily digest + immediate alerts.
4. Counsel marks each digest item as relevant / not-relevant.
5. After 2 weeks: tune the exposure profile (add/remove jurisdictions, areas, urgency rules) based on the false-positive and false-negative patterns.
6. Promote to production.

## Known limits

- Feed-format support: RSS / Atom only via `rss-parser`. JSON-feed support requires a different parser node; not bundled.
- Duplicate detection on `(feed_id, item_guid)` via the unique constraint. Some feeds re-issue items with different GUIDs on minor edits — re-classification is the cost.
- Hourly polling cadence; for sub-hour latency on high-urgency feeds, add a webhook-triggered flow (not bundled).
- The classifier sees only the item title + summary + link. For deep-content classification, fetch the link content and inject it before classification (more tokens, more cost; usually not necessary).
- The audit-trail of profile changes is the git history of the profile file; the flow doesn't track in-DB.

{
  "name": "Regulatory change monitor",
  "nodes": [
    {
      "parameters": {
        "rule": {
          "interval": [{ "field": "hours", "hoursInterval": 1 }]
        }
      },
      "id": "6a6a6a6a-0001-0000-0000-000000000001",
      "name": "Cron Hourly",
      "type": "n8n-nodes-base.scheduleTrigger",
      "typeVersion": 1.2,
      "position": [240, 400]
    },
    {
      "parameters": {
        "operation": "executeQuery",
        "query": "SELECT feed_id, feed_url, feed_format, last_etag, last_polled_at FROM regulatory_feeds WHERE active = true;"
      },
      "id": "6a6a6a6a-0001-0000-0000-000000000002",
      "name": "List Feeds",
      "type": "n8n-nodes-base.postgres",
      "typeVersion": 2.4,
      "position": [460, 400],
      "credentials": {
        "postgres": {
          "id": "PLACEHOLDER_REG_DB_CRED_ID",
          "name": "Postgres — regulatory feeds + items"
        }
      }
    },
    {
      "parameters": {
        "method": "GET",
        "url": "={{ $json.feed_url }}",
        "sendHeaders": true,
        "headerParameters": {
          "parameters": [
            { "name": "Accept", "value": "application/rss+xml, application/atom+xml, application/json" },
            { "name": "If-None-Match", "value": "={{ $json.last_etag || '' }}" },
            { "name": "User-Agent", "value": "ooligo-regulatory-monitor/1.0 (legal-ops@firm)" }
          ]
        },
        "options": {
          "response": { "response": { "responseFormat": "text", "neverError": true } },
          "timeout": 30000
        }
      },
      "id": "6a6a6a6a-0001-0000-0000-000000000003",
      "name": "Fetch Feed",
      "type": "n8n-nodes-base.httpRequest",
      "typeVersion": 4.2,
      "position": [680, 400],
      "notesInFlow": true,
      "notes": "GET each feed. Use If-None-Match for conditional fetch. Some feeds reject empty If-None-Match; the conditional fallthrough to a 200 is fine."
    },
    {
      "parameters": {
        "jsCode": "// Parse the feed body, dedupe against the regulatory_items table.\n// Returns one item per new entry.\nconst Parser = require('rss-parser');\nconst parser = new Parser({ timeout: 10000 });\n\nconst feedMeta = $('List Feeds').item.json;\nconst body = $input.first().json.body || '';\n\nlet feed;\ntry {\n  feed = await parser.parseString(body);\n} catch (e) {\n  return [{ json: { feed_id: feedMeta.feed_id, status: 'parse_error', error: e.message } }];\n}\n\n// For each item, return a flat record. Dedupe happens against the DB in the next node.\nconst items = (feed.items || []).map(item => ({\n  json: {\n    feed_id: feedMeta.feed_id,\n    item_guid: item.guid || item.link || item.title,\n    title: item.title || '',\n    link: item.link || '',\n    summary: (item.contentSnippet || item.content || '').slice(0, 4000),\n    published_at: item.isoDate || item.pubDate || new Date().toISOString(),\n  }\n}));\n\nreturn items;"
      },
      "id": "6a6a6a6a-0001-0000-0000-000000000004",
      "name": "Parse + Map Items",
      "type": "n8n-nodes-base.code",
      "typeVersion": 2,
      "position": [900, 400]
    },
    {
      "parameters": {
        "method": "POST",
        "url": "https://api.anthropic.com/v1/messages",
        "sendHeaders": true,
        "headerParameters": {
          "parameters": [
            { "name": "Content-Type", "value": "application/json" },
            { "name": "x-api-key", "value": "={{ $credentials.anthropicApi.apiKey }}" },
            { "name": "anthropic-version", "value": "2023-06-01" }
          ]
        },
        "sendBody": true,
        "specifyBody": "json",
        "jsonBody": "={\n  \"model\": \"claude-sonnet-4-6\",\n  \"max_tokens\": 800,\n  \"system\": \"You classify regulatory feed items against the firm's exposure profile (loaded as a separate system message). Return ONLY valid JSON with: relevant_to_profile (boolean), jurisdictions_implicated (array of jurisdiction codes from the profile), regulatory_areas (array of areas from the profile), urgency (low|medium|high based on rules in the profile), summary (1-3 sentence neutral summary, NOT legal advice), recommended_owner (counsel role from the profile). Do NOT return prose; only JSON.\",\n  \"messages\": [\n    { \"role\": \"user\", \"content\": \"Item title: {{ $json.title }}\\nItem link: {{ $json.link }}\\nItem summary: {{ $json.summary }}\\nFeed source: {{ $json.feed_id }}\\nPublished: {{ $json.published_at }}\" }\n  ]\n}",
        "options": {
          "response": { "response": { "responseFormat": "json" } },
          "timeout": 30000
        }
      },
      "id": "6a6a6a6a-0001-0000-0000-000000000005",
      "name": "Classify Item",
      "type": "n8n-nodes-base.httpRequest",
      "typeVersion": 4.2,
      "position": [1120, 400],
      "credentials": {
        "anthropicApi": { "id": "PLACEHOLDER_ANTHROPIC_CRED_ID", "name": "Anthropic API key" }
      }
    },
    {
      "parameters": {
        "jsCode": "// Parse classification, decide alert vs digest, write to DB.\nconst llm = $input.first().json;\nconst item = $('Parse + Map Items').item.json;\nconst text = llm.content?.[0]?.text || '';\n\nlet cls;\ntry {\n  cls = JSON.parse(text.match(/\\{[\\s\\S]*\\}/)[0]);\n} catch (e) {\n  cls = { relevant_to_profile: false, urgency: 'low', summary: 'Classification failed: ' + e.message, jurisdictions_implicated: [], regulatory_areas: [], recommended_owner: 'unknown' };\n}\n\nconst alertNow = !!cls.relevant_to_profile && cls.urgency === 'high';\n\nreturn [{\n  json: {\n    feed_id: item.feed_id,\n    item_guid: item.item_guid,\n    title: item.title,\n    link: item.link,\n    summary_raw: item.summary,\n    summary_classified: cls.summary,\n    published_at: item.published_at,\n    relevant_to_profile: !!cls.relevant_to_profile,\n    jurisdictions: cls.jurisdictions_implicated || [],\n    regulatory_areas: cls.regulatory_areas || [],\n    urgency: cls.urgency || 'low',\n    recommended_owner: cls.recommended_owner || 'unknown',\n    alert_now: alertNow,\n    classified_at: new Date().toISOString(),\n  }\n}];"
      },
      "id": "6a6a6a6a-0001-0000-0000-000000000006",
      "name": "Decide Alert + Persist",
      "type": "n8n-nodes-base.code",
      "typeVersion": 2,
      "position": [1340, 400]
    },
    {
      "parameters": {
        "operation": "insert",
        "schema": "public",
        "table": "regulatory_items",
        "columns": "feed_id, item_guid, title, link, summary_raw, summary_classified, published_at, relevant_to_profile, jurisdictions, regulatory_areas, urgency, recommended_owner, classified_at",
        "additionalFields": { "options": { "queryReplacement": "" } }
      },
      "id": "6a6a6a6a-0001-0000-0000-000000000007",
      "name": "Persist Item",
      "type": "n8n-nodes-base.postgres",
      "typeVersion": 2.4,
      "position": [1560, 320],
      "credentials": {
        "postgres": { "id": "PLACEHOLDER_REG_DB_CRED_ID", "name": "Postgres — regulatory feeds + items" }
      }
    },
    {
      "parameters": {
        "conditions": {
          "options": { "caseSensitive": true, "typeValidation": "strict" },
          "conditions": [
            { "leftValue": "={{ $json.alert_now }}", "rightValue": true, "operator": { "type": "boolean", "operation": "true" } }
          ],
          "combinator": "and"
        },
        "options": {}
      },
      "id": "6a6a6a6a-0001-0000-0000-000000000008",
      "name": "Alert Now?",
      "type": "n8n-nodes-base.if",
      "typeVersion": 2,
      "position": [1560, 480]
    },
    {
      "parameters": {
        "method": "POST",
        "url": "https://slack.com/api/chat.postMessage",
        "authentication": "predefinedCredentialType",
        "nodeCredentialType": "slackApi",
        "sendBody": true,
        "specifyBody": "json",
        "jsonBody": "={\n  \"channel\": \"#legal-alerts\",\n  \"text\": \":rotating_light: HIGH-URGENCY regulatory item — {{ $json.title }}\",\n  \"blocks\": [\n    { \"type\": \"section\", \"text\": { \"type\": \"mrkdwn\", \"text\": \":rotating_light: *HIGH-URGENCY regulatory item*\\n*{{ $json.title }}*\\n{{ $json.summary_classified }}\\n*Jurisdictions:* {{ $json.jurisdictions.join(', ') }}\\n*Areas:* {{ $json.regulatory_areas.join(', ') }}\\n*Owner:* {{ $json.recommended_owner }}\\n<{{ $json.link }}|Open source>\" } }\n  ]\n}",
        "options": {}
      },
      "id": "6a6a6a6a-0001-0000-0000-000000000009",
      "name": "Slack Immediate Alert",
      "type": "n8n-nodes-base.httpRequest",
      "typeVersion": 4.2,
      "position": [1780, 480],
      "credentials": {
        "slackApi": { "id": "PLACEHOLDER_SLACK_CRED_ID", "name": "Slack bot token (chat:write)" }
      }
    }
  ],
  "connections": {
    "Cron Hourly": { "main": [[{ "node": "List Feeds", "type": "main", "index": 0 }]] },
    "List Feeds": { "main": [[{ "node": "Fetch Feed", "type": "main", "index": 0 }]] },
    "Fetch Feed": { "main": [[{ "node": "Parse + Map Items", "type": "main", "index": 0 }]] },
    "Parse + Map Items": { "main": [[{ "node": "Classify Item", "type": "main", "index": 0 }]] },
    "Classify Item": { "main": [[{ "node": "Decide Alert + Persist", "type": "main", "index": 0 }]] },
    "Decide Alert + Persist": {
      "main": [
        [
          { "node": "Persist Item", "type": "main", "index": 0 },
          { "node": "Alert Now?", "type": "main", "index": 0 }
        ]
      ]
    },
    "Alert Now?": {
      "main": [
        [{ "node": "Slack Immediate Alert", "type": "main", "index": 0 }],
        []
      ]
    }
  },
  "settings": {
    "executionOrder": "v1",
    "timezone": "America/New_York",
    "saveExecutionProgress": true,
    "saveManualExecutions": true
  },
  "active": false,
  "versionId": "1"
}