A compliance officer asks an AI assistant whether a new vendor arrangement triggers a data protection impact assessment. The assistant answers in confident prose, cites "Article 35 GDPR," and moves on. The article is real. But the assistant did not read it — it produced the most probable next tokens given the prompt, and the citation happened to land. Ask a slightly different version of the question and you can get a different article, or a real article number attached to a claim the article does not make.
That gap — between text that looks sourced and text that is sourced — is the entire problem with using generic chat and retrieval bots for regulatory work. This post explains the layer we built to close it: the MCP gateway. What MCP is, why compliance breaks generic AI, what a gateway adds over a single MCP server, and when you actually need one.
What MCP is, in one section
MCP — the Model Context Protocol — is an open standard for connecting an AI client to external tools and data. Before MCP, every integration between a model and a data source was a one-off: custom glue code, a custom auth scheme, a custom response shape. MCP standardizes the handshake. A server declares the tools it offers and the shape of their inputs and outputs; a client discovers those tools at connection time and calls them in a uniform way.
The important consequence for compliance is that the model stops being the source of truth and becomes the orchestrator. The model decides which tool to call and how to phrase the result; the tool returns real data from a real corpus. When you ask "what does the law say about X," a well-built MCP setup does not answer from the model's training memory. It calls a server that reads the actual provision and returns it.
A single MCP server wraps one data source. One server for one country's legislation. One server for a CVE database. One for a security-framework catalog. That is the unit. It works well when your question lives entirely inside that one source.
Why compliance breaks generic RAG and chat
Two failure modes, and both are disqualifying for audit-facing work.
Hallucinated citations. A language model is a probability machine over text. It will write "Article 28(1)" or "C-311/18 Schrems II" because those tokens are statistically likely after your prompt, not because it checked. Retrieval-augmented generation helps — it puts real documents in the context window — but it does not eliminate the failure: the model can still mis-attribute a claim to the wrong chunk, cite a provision that was retrieved but does not support the point, or blend two sources into a citation that belongs to neither. We have watched models invent article numbers that are off by one from the correct provision, which is worse than a random number because it survives a casual sniff test.
For most uses, a wrong citation is an annoyance. For a DPIA, a regulator-facing gap analysis, or an incident report under a breach-notification regime, a fabricated citation is the kind of error that destroys the credibility of the whole document. The breach-notification duty in GDPR Article 33, for instance, runs on a 72-hour clock — a report that mis-cites its own legal basis is not a defensible filing.
No audit trail. The second failure is quieter and worse. Ask a generic assistant the same compliance question on Monday and on Thursday and you can get two different answers, two different sets of citations, two different risk conclusions. There is no record of which provision grounded which claim, no way to reproduce the answer a year later when an auditor asks why you concluded what you concluded. Compliance is not a one-shot question-answering task. It is a record you have to stand behind. "Our assistant said so" is not an answer a regulator accepts, and it is not an answer your own future self can reconstruct.
These two problems are why we treat accuracy as strictly more important than availability. A compliance platform that sometimes guesses is worse than one that sometimes says "I can't ground that." We would rather return no answer than a wrong one.
What a gateway adds over point MCP servers
A single MCP server solves the "read one corpus" problem. It does not solve the problems above, because real compliance questions almost never live in one corpus. A vendor-risk question touches data protection, network-and-information-security obligations, and often a sector regulator. A cross-border question spans several national legislations at once. Stitching together a dozen point servers by hand — handling auth for each, deciding which to call, merging and de-duplicating their answers, checking that the citations are real — is the work. The gateway is where we did that work once so you don't repeat it per question.
Four layers sit on top of the downstream fleet.
Routing. A single question rarely names its own sources. "Are we covered for this processing activity in Sweden?" has to be resolved into which corpora can answer it — Swedish law, EU regulation, the relevant sector regulator — before any server is called. The gateway reads the query, detects jurisdiction and framework and sector signals, and dispatches to the matching downstream MCPs. You ask one question; the gateway figures out the address book. Our fleet currently spans 107 law MCPs covering 119 jurisdictions, a security-framework corpus with 262 frameworks, and an EU-regulations corpus of 61 regulations across 4,054 articles — far too many for a human to route by hand on every query.
Fan-out. Coverage is the product. Most real obligations are not single-source. A gateway sends one logical question to many servers in parallel and merges the results into a single response, so a question that implicates GDPR, NIS2, and a national sector regulator returns all three in one answer rather than forcing you to ask three times and reconcile by hand. This is also where the multi-pass discipline lives: for any output that produces citations, the gateway evaluates the primary regime, then horizontal regimes, then the sector-specific routing, rather than answering from whichever corpus replied first.
Tier auth. Not every caller should reach every tool or run unlimited queries. The Ansvar gateway authenticates via OAuth 2.1 and reads a tier claim from the token — free, premium, team, company. The tier controls which tools appear in the tool list and how much quota each call draws. The free tier runs 100 searches a day against a single jurisdiction; paid tiers open multi-jurisdiction fan-out, premium corpora like case law and agency guidance, and the workflow and risk-scoring tools. Enforcement happens at the gateway, in one place, instead of being re-implemented per server. See /pricing for the tier matrix and /coverage for the full corpus inventory.
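One way to enforce the tier rules described above in a single place, as an added example rather than Ansvar's own code. It assumes the claims come from an access token whose signature, issuer, audience and expiry were already verified; the claim name `tier`, the tool names and every quota except the free tier's 100 a day are hypothetical, and "single jurisdiction" is modelled as one jurisdiction per call.

```python
# Hypothetical catalogue: tool -> (minimum tier, quota units per call).
TIERS = ["free", "premium", "team", "company"]  # tier names from the post
TOOLS = {
    "search_legislation": ("free", 1),
    "search_case_law": ("premium", 2),
    "run_gap_analysis": ("team", 5),
}
# 100/day for free is from the post; the other figures are constructed.
DAILY_QUOTA = {"free": 100, "premium": 1000, "team": 5000, "company": 20000}


class Denied(Exception):
    pass


def rank_of(claims):
    """Fail closed: a missing or unknown tier claim grants nothing."""
    tier = claims.get("tier")
    if tier not in TIERS:
        raise Denied("missing or unknown tier claim")
    return tier, TIERS.index(tier)


def list_tools(claims):
    """Tools that should appear in the tool list for this caller."""
    _, rank = rank_of(claims)
    return sorted(t for t, (low, _) in TOOLS.items() if TIERS.index(low) <= rank)


class Gateway:
    def __init__(self):
        self.used = {}  # (subject, day) -> quota units consumed

    def authorize(self, claims, tool, jurisdictions, day):
        """Re-check at call time; hiding a tool from the list is not enough."""
        tier, rank = rank_of(claims)
        subject = claims.get("sub")
        if not subject:
            raise Denied("token has no subject")
        if tool not in TOOLS or TIERS.index(TOOLS[tool][0]) > rank:
            raise Denied("tool not available on this tier")
        if tier == "free" and len(jurisdictions) != 1:
            raise Denied("free tier is limited to a single jurisdiction")
        key, cost = (subject, day), TOOLS[tool][1]
        if self.used.get(key, 0) + cost > DAILY_QUOTA[tier]:
            raise Denied("daily quota exhausted")
        self.used[key] = self.used.get(key, 0) + cost
        return DAILY_QUOTA[tier] - self.used[key]  # units left today
```

The call-time check matters because a client can request a tool by name even if it never appeared in its tool list.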
Citation validation. This is the layer that makes the gateway a compliance tool rather than a convenience proxy. Every regulatory claim the gateway returns is anchored to a real provision in a real corpus, and the gateway validates citations deterministically: an article reference either resolves to a provision that exists and says what is claimed, or it does not. When it does not, the gateway refuses — it does not paper over the gap with model-generated text. A claim that cannot be grounded after all routing and fan-out passes is marked unresolved, not invented. That refusal discipline is the opposite of how a generic chatbot behaves, and it is the property an auditor cares about.
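The deterministic check described above, as an added example that is not the gateway's own code. It assumes "says what is claimed" is tested as a verbatim quote match against the provision text; the corpus is a constructed, abridged sample and the function names are hypothetical.

```python
import hashlib
import re
import unicodedata

# Constructed, abridged sample corpus keyed by (instrument, article number).
# A real deployment would resolve against the authoritative text instead.
CORPUS = {
    ("GDPR", "33"): "In the case of a personal data breach, the controller shall "
                    "without undue delay and, where feasible, not later than 72 "
                    "hours after having become aware of it, notify the personal "
                    "data breach to the supervisory authority",
    ("GDPR", "34"): "When the personal data breach is likely to result in a high "
                    "risk to the rights and freedoms of natural persons, the "
                    "controller shall communicate the personal data breach to "
                    "the data subject without undue delay",
}
# Accepts "Article 33 GDPR" or "Article 33(1) GDPR"; the paragraph number is
# ignored because this sample corpus is keyed at article level.
CITE = re.compile(r"^Article\s+(\d+)(?:\(\d+\))?\s+([A-Za-z0-9]+)$")


def norm(text):
    """Case-fold and reduce to space-separated word tokens."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return " ".join(re.findall(r"\w+", folded))


def validate(citation, quote):
    """Return a grounded record or an unresolved one; never repair a citation."""
    m = CITE.match(citation.strip())
    if not m:
        return {"status": "unresolved", "reason": "unparseable citation"}
    key = (m.group(2).upper(), m.group(1))
    provision = CORPUS.get(key)
    if provision is None:
        return {"status": "unresolved", "reason": "no such provision"}
    q = norm(quote)
    # Pad with spaces so "2 hours" cannot match inside "72 hours".
    if not q or f" {q} " not in f" {norm(provision)} ":
        return {"status": "unresolved", "reason": "quote not in provision"}
    # Hash of the exact text relied on, so the result can be reproduced later.
    digest = hashlib.sha256(provision.encode("utf-8")).hexdigest()
    return {"status": "grounded", "source": key, "sha256": digest}
```

The off-by-one case from earlier in the post (the 72-hour quote attributed to Article 34) comes back unresolved even though Article 34 exists, because existence alone does not ground the claim.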
How the layers fit together

```mermaid
flowchart TB
    A[Your AI client<br/>Claude / Copilot / Cursor] -->|OAuth 2.1 MCP| B[Gateway]
    B --> C{Routing:<br/>detect jurisdiction,<br/>framework, sector}
    C -->|tier check| D[Fan-out:<br/>parallel calls to<br/>matching MCPs]
    D --> E[Law MCP]
    D --> F[EU regulations]
    D --> G[Sector regulator]
    E & F & G --> H[Citation validation:<br/>does this provision<br/>exist and say this?]
    H -->|grounded| I[Cited answer<br/>back to your agent]
    H -->|cannot ground| J[Marked unresolved<br/>— no fabrication]
```
Your client does the language work. The gateway does the routing, fan-out, auth, and validation. The downstream MCPs hold the data. The model never invents a citation, because the model never sources the citation — the corpus does.
What stays on your side
A point worth making explicitly: there is no server-side model. The gateway does not run an LLM and does not forward your queries to a third-party model provider. Your own MCP client — Claude, Copilot in VS Code or Studio, Cursor, or any OAuth 2.1 MCP client — does the reasoning on your side and calls the gateway only for grounded data and workflow orchestration. The gateway and its corpora run on EU infrastructure (Hetzner).
For a compliance team this matters for two reasons. Your prompts and documents are not handed to an outside model by us — your client controls that relationship. And the data residency story is simple: regulatory corpora and the routing layer stay in the EU.
When you actually need a gateway
You do not always need one. The honest test:
A single MCP server is enough when your question lives in exactly one corpus you already know — reading the text of one article in one country's legislation, or checking one CVE in one vulnerability database. One source, one server, no routing decision to make.
You need a gateway the moment a question crosses corpora. Three patterns make this concrete:
- Cross-regime obligations. A vendor-management or incident-response question that touches data protection, NIS2, and a sector regulator at once. No single server holds the answer; routing and fan-out are the work.
- Cross-border questions. "How does this obligation differ across the four countries we operate in?" is a fan-out problem by definition — four corpora, one merged, cited answer.
- Citation-producing workflows. A gap analysis, a DPIA, a threat model, a tender review — anything whose output is a document that must carry validated citations from multiple sources. The validation layer is exactly what keeps that document audit-defensible.
If you are running gap analysis, AI Act readiness, or STRIDE threat modeling against more than one framework, you are in gateway territory whether you build it yourself or use ours.
Try it
If your AI client speaks MCP, connecting takes about two minutes. Point it at https://gateway.ansvar.eu/mcp, complete the OAuth 2.1 flow, and ask your agent a real compliance question — one that spans more than one regime, so the routing and fan-out earn their keep. The free tier gives you 100 searches a day against a single jurisdiction to feel out the citation behavior; Premium (€249 per seat per month) opens multi-jurisdiction fan-out and the premium corpora.
The quickstart walks through the client setup, and "How it works" covers the routing and citation layers in more depth. The thing to test first is the refusal behavior: ask a question the corpus genuinely cannot answer, and watch the gateway decline to fabricate a citation rather than oblige you with a confident wrong one. That refusal is the feature. It is the difference between a tool you can put in front of a regulator and a tool you cannot.