Ververica

Streaming Sovereignty Self Assessment Checklist for Financial Services Industry

Executive Summary

This self-assessment checklist helps FSI organizations identify gaps between regulatory requirements (DORA, NIS2, GDPR, AI Act) and current platform capabilities across five critical areas.

Key Finding                     Implication
Legacy Streaming Architectures  Requires urgent remediation for DORA compliance.
Governance Gap                  Real-time data often lacks the oversight required by regulators.
Sovereignty Risk                Vendor-managed clouds often fail data residency tests.

1. Data Governance Requirements

Role-Based Access Control (REQ 1.1)
Requirement: Role-based access control at streaming application level with enterprise identity integration
Regulatory Basis: DORA/NIS2, GDPR Art 32, EBA
Can you define access policies at namespace and tenant levels? [ ] Yes [ ] No
Does the platform integrate with enterprise SSO via SAML 2.0 and OIDC? [ ] Yes [ ] No
Are preset roles available (Viewer, Editor, Owner, Admin)? [ ] Yes [ ] No
Common Gap: Vendor clouds lack streaming-aware access controls. DIY Kafka requires complex manual ACL configuration.
Status: [ ] Compliant [ ] Gap [ ] Not Assessed

Comprehensive Audit Trails (REQ 1.2)
Requirement: All user events, pipeline changes, and data access captured with sufficient retention
Regulatory Basis: DORA, GDPR Art 30, NIS2
Are all user events captured and recorded? [ ] Yes [ ] No
Can admins view, filter, search, and export logs? [ ] Yes [ ] No
Can audit logs stream to enterprise SIEM systems? [ ] Yes [ ] No
Common Gap: Generic platforms log infrastructure events only, not streaming operations.
Status: [ ] Compliant [ ] Gap [ ] Not Assessed

Data Lineage Tracking (REQ 1.3)
Requirement: Track data lineage for streaming pipelines at table and column level
Regulatory Basis: GDPR, EBA, EU AI Act
Can you trace data from source through transformation to downstream? [ ] Yes [ ] No
Does lineage identify PII flows through streaming transformations? [ ] Yes [ ] No
Status: [ ] Compliant [ ] Gap [ ] Not Assessed

Schema Governance (REQ 1.4)
Requirement: Integration with data catalogs for metadata management and schema visibility
Regulatory Basis: GDPR, operational risk
Does the platform provide built-in catalog integrations? [ ] Yes [ ] No
Is schema evolution governed and tracked? [ ] Yes [ ] No
Status: [ ] Compliant [ ] Gap [ ] Not Assessed

Encryption and Certificate Management (REQ 1.5)
Requirement: Pluggable TLS certificates for custom encryption meeting enterprise policies
Regulatory Basis: GDPR, DORA/NIS2
Can you use custom SSL certificates for internal/external communications? [ ] Yes [ ] No
Does the platform support enterprise certificate authorities? [ ] Yes [ ] No
Status: [ ] Compliant [ ] Gap [ ] Not Assessed

Data Retention and Lifecycle Management (REQ 1.6)
Requirement: Configurable retention policies; support for targeted deletion
Regulatory Basis: GDPR Art 5, Art 17
Can you configure retention policies for streaming data? [ ] Yes [ ] No
Can the platform support right-to-erasure through architectural patterns? [ ] Yes [ ] No
Status: [ ] Compliant [ ] Gap [ ] Not Assessed

Multi-Tenant Data Isolation (REQ 1.7)
Requirement: Hard isolation between tenants with RBAC at namespace level
Regulatory Basis: DORA, GDPR
Can multiple independent applications run in shared environments? [ ] Yes [ ] No
Are isolation boundaries enforced at platform level? [ ] Yes [ ] No
Status: [ ] Compliant [ ] Gap [ ] Not Assessed

2. Sovereignty and Deployment Requirements

On-Premises / Private Cloud Deployment (REQ 2.1)
Requirement: Deployment on customer-owned infrastructure with complete data sovereignty
Regulatory Basis: DORA/EBA, GDPR
Can the platform be deployed fully on-premises or in private cloud? [ ] Yes [ ] No
Does deployment provide complete data sovereignty? [ ] Yes [ ] No
Status: [ ] Compliant [ ] Gap [ ] Not Assessed

BYOC with Customer-Controlled Data Plane (REQ 2.2)
Requirement: BYOC where data processing occurs in customer's cloud account
Regulatory Basis: DORA, EBA
Is BYOC built on Zero Trust principles? [ ] Yes [ ] No
Does data processing occur entirely in your cloud account? [ ] Yes [ ] No
Status: [ ] Compliant [ ] Gap [ ] Not Assessed

Proof of Data Residency (REQ 2.3)
Requirement: Regional selection and checkpoint residency controls
Regulatory Basis: GDPR Schrems II, national residency laws
Do checkpoints remain in designated regions? [ ] Yes [ ] No
Can you prove data residency at application level? [ ] Yes [ ] No
Status: [ ] Compliant [ ] Gap [ ] Not Assessed

No Vendor Components Processing Customer Data (REQ 2.4)
Requirement: Customer controls all compute, storage, networking; no data through vendor
Regulatory Basis: DORA, EBA
Do you control all compute, storage, and networking? [ ] Yes [ ] No
Does any customer data flow through vendor systems? [ ] No [ ] Yes
Status: [ ] Compliant [ ] Gap [ ] Not Assessed

Air-Gapped Deployment Support (REQ 2.5)
Requirement: Installation offline with no internet; internal registries supported
Regulatory Basis: Critical infrastructure mandates
Can the platform be installed without internet access? [ ] Yes [ ] No
Can the platform operate without outbound telemetry? [ ] Yes [ ] No
Status: [ ] Compliant [ ] Gap [ ] Not Assessed

Multi-Cloud Portability and Exit Strategy (REQ 2.6)
Requirement: Deployment across multiple clouds and on-premises; exit strategy
Regulatory Basis: DORA, EBA
Can you deploy across AWS, Azure, GCP, and on-premises? [ ] Yes [ ] No
Is a documented exit strategy available meeting DORA? [ ] Yes [ ] No
Status: [ ] Compliant [ ] Gap [ ] Not Assessed

3. Security and Zero Trust Requirements

Zero Trust Architecture (REQ 3.1)
Requirement: Least-privilege, identity-based auth, fine-grained authorization
Regulatory Basis: NIS2, DORA, EBA
Is the platform built on Zero Trust principles? [ ] Yes [ ] No
Are credentials short-lived and automatically rotated? [ ] Yes [ ] No
Status: [ ] Compliant [ ] Gap [ ] Not Assessed

Enterprise SSO Integration (REQ 3.2)
Requirement: SSO integration via SAML 2.0 and OIDC
Regulatory Basis: NIS2/EBA, GDPR
Does the platform support SAML 2.0 and OIDC? [ ] Yes [ ] No
Can you enforce enterprise authentication policies? [ ] Yes [ ] No
Status: [ ] Compliant [ ] Gap [ ] Not Assessed

Secrets Management (REQ 3.3)
Requirement: Centralized storage with namespace-scoped secrets
Regulatory Basis: NIS2/DORA, EBA
Does the platform support short-lived token patterns? [ ] Yes [ ] No
Does the platform integrate with external secrets management? [ ] Yes [ ] No
Status: [ ] Compliant [ ] Gap [ ] Not Assessed

Private Network Connectivity (REQ 3.4)
Requirement: Direct private connections to cloud providers; no public exposure
Regulatory Basis: NIS2, EBA
Can you connect privately to AWS, Azure, and GCP? [ ] Yes [ ] No
Is public internet exposure eliminated for streaming? [ ] Yes [ ] No
Status: [ ] Compliant [ ] Gap [ ] Not Assessed

Real-Time Security Monitoring (REQ 3.5)
Requirement: Built-in monitoring with real-time observability and SIEM integration
Regulatory Basis: DORA, NIS2
Does the platform provide security-focused monitoring? [ ] Yes [ ] No
Can audit logs stream to enterprise SIEM? [ ] Yes [ ] No
Status: [ ] Compliant [ ] Gap [ ] Not Assessed

Pluggable TLS Certificates (REQ 3.6)
Requirement: Custom SSL certificate generation for all communications
Regulatory Basis: Enterprise CA policies, NIS2/DORA
Can you use custom certificates for all communications? [ ] Yes [ ] No
Are enterprise certificate authorities supported? [ ] Yes [ ] No
Status: [ ] Compliant [ ] Gap [ ] Not Assessed

4. AI/ML Governance Requirements

Governed Streaming Pipelines for ML (REQ 4.1)
Requirement: Real-time stream processing foundation for governed feature pipelines
Regulatory Basis: EU AI Act Article 10, EBA
Can streaming pipelines feed ML feature stores in real time? [ ] Yes [ ] No
Can you document training data provenance for EU AI Act? [ ] Yes [ ] No
Status: [ ] Compliant [ ] Gap [ ] Not Assessed

Data Lineage for ML Pipelines (REQ 4.2)
Requirement: Lineage tracks data from source to downstream; provenance trail
Regulatory Basis: EU AI Act Art 10, model risk management
Does lineage capture streaming flows to ML systems? [ ] Yes [ ] No
Is lineage documentation sufficient for regulatory audits? [ ] Yes [ ] No
Status: [ ] Compliant [ ] Gap [ ] Not Assessed

Sovereign AI Deployment (REQ 4.3)
Requirement: Self-managed/BYOC ensures ML pipelines remain in customer infra
Regulatory Basis: Sensitive financial data concerns
Can ML pipelines run entirely in customer-controlled infrastructure? [ ] Yes [ ] No
Are there external service dependencies for AI workloads? [ ] No [ ] Yes
Status: [ ] Compliant [ ] Gap [ ] Not Assessed

5. Operational Excellence Requirements

Centralized Monitoring Dashboard (REQ 5.1)
Requirement: Visual dashboards for resource usage, health, and operations
Regulatory Basis: DORA Art 10, NIS2
Does the platform provide centralized monitoring dashboards? [ ] Yes [ ] No
Is monitoring sufficient for regulatory reporting? [ ] Yes [ ] No
Status: [ ] Compliant [ ] Gap [ ] Not Assessed

Automated State Management for DR (REQ 5.2)
Requirement: Snapshots, checkpoint/savepoint resume; decoupled store
Regulatory Basis: DORA Art 11, EBA
Can you create and restore from snapshots? [ ] Yes [ ] No
Is state management decoupled from compute for recovery? [ ] Yes [ ] No
Status: [ ] Compliant [ ] Gap [ ] Not Assessed

Elastic Auto-Scaling (REQ 5.3)
Requirement: Automatic scaling based on workload, SLO rules, or schedules
Regulatory Basis: DORA reliable operation
Does the platform provide automatic workload-based scaling? [ ] Yes [ ] No
Can you define SLO rules or schedules for scaling? [ ] Yes [ ] No
Status: [ ] Compliant [ ] Gap [ ] Not Assessed

Professional Support with SLAs (REQ 5.4)
Requirement: Enterprise support with defined SLAs from platform experts
Regulatory Basis: DORA/EBA documented arrangements
Are SLAs defined and contractually guaranteed? [ ] Yes [ ] No
Does support come from experts with deep platform expertise? [ ] Yes [ ] No
Status: [ ] Compliant [ ] Gap [ ] Not Assessed

Declarative Configuration Management (REQ 5.5)
Requirement: Kubernetes Operator for declarative management; CI/CD integration
Regulatory Basis: DORA change management
Can you manage the platform declaratively via Kubernetes Operator? [ ] Yes [ ] No
Is configuration drift prevented through synchronized state? [ ] Yes [ ] No
Status: [ ] Compliant [ ] Gap [ ] Not Assessed

Gap Assessment Summary

Category                 Total  Compliant  Gap  Not Assessed
Data Governance              7          0    0             7
Sovereignty                  6          0    0             6
Security & Zero Trust        6          0    0             6
AI/ML Governance             3          0    0             3
Operational Excellence       5          0    0             5
TOTAL                       27          0    0            27
