What Regulators Demand and Vendors Can't Deliver.

DORA is now law. Since January 17, 2025, approximately 22,000 European financial entities must comply with the Digital Operational Resilience Act. This regulation harmonizes ICT risk management, third-party oversight, and operational resilience requirements across the EU's entire financial services sector.
The penalties for non-compliance are substantial. Financial institutions face fines up to 10% of annual turnover or EUR 10 million. Senior managers carry personal liability up to EUR 1 million. In November 2025, European regulators designated 19 critical ICT third-party providers, including AWS, Google, and Microsoft, for direct supervisory oversight, signaling that cloud-dependent infrastructure now faces direct regulatory scrutiny.
DORA is not isolated. The NIS2 Directive strengthens cybersecurity requirements across critical sectors. The EU AI Act, effective August 2, 2025, imposes additional compliance obligations on high-risk AI systems in financial services, with fines up to EUR 35 million or 7% of global turnover. GDPR enforcement continues to intensify, with EUR 1.2 billion in fines issued across Europe in 2024 alone according to DLA Piper's GDPR Fines Survey.
This convergence of regulations creates a clear message: data sovereignty is no longer optional for financial services. As we mention in "Data Sovereignty Is Existential: Most Platforms Treat It Like a Feature", regulators demand governed streaming, deployment freedom, and Zero Trust security. Most streaming platform vendors deliver one or two of these capabilities. Financial institutions need all three.
This playbook provides a decision framework for evaluating streaming platforms against sovereignty requirements. It explains what regulators actually demand, why vendor-managed platforms struggle to comply, and what FSI organizations should require from their streaming infrastructure.
Ready to assess your sovereignty posture? Talk to a Ververica FSI specialist about your compliance requirements.
Understanding Data Sovereignty for FSI
Data sovereignty for financial services means maintaining complete control over where data resides, how it flows, who can access it, and how it is governed, while meeting regulatory requirements for audit, resilience, and third-party risk management.

What Data Sovereignty Actually Means in 2026
Data sovereignty extends beyond data residency. While data residency focuses on geographic location, sovereignty encompasses:
- Infrastructure control: Who owns and operates the systems processing your data
- Audit access: Whether regulators can inspect systems and data flows
- Third-party oversight: How dependencies on external providers are managed
- Exit capability: Whether you can migrate without losing functionality or facing prohibitive costs
For FSI organizations, sovereignty is a regulatory requirement, not a preference. DORA Article 28 mandates that financial entities ensure their ICT service providers comply with regulatory standards, conduct due diligence, and maintain exit strategies.
Why FSI Faces Unique Sovereignty Requirements
Financial services operates under heightened scrutiny because failures create systemic risk. A major bank's inability to process payments affects not just the institution but the broader economy. Regulators design requirements to prevent concentration of risk in single providers and ensure resilience across the sector.
The November 2025 designation of 19 critical ICT providers reflects this concern. When AWS, Google, or Microsoft experience outages, the impact cascades across thousands of financial institutions. Regulators now require enhanced oversight, incident reporting, and resilience testing for these concentrated dependencies.
Tier 1 vs Tier 2 Sovereignty Requirements
Not all financial institutions face identical requirements. Sovereignty needs scale with systemic importance.
Tier 1 FSI (G-SIBs, Central Banks):
The 29 Global Systemically Important Banks and central banks face the strictest requirements:
- Complete infrastructure control, often requiring on-premises deployment
- Unrestricted audit access for regulators
- Domestic or regional data residency with no exceptions
- Annual resolution planning with detailed recovery procedures
- Zero tolerance for vendor lock-in
Tier 2 FSI (Regional Banks, Payment Processors, Asset Managers):
Institutions with significant but not systemic importance require:
- Compliant third-party management under DORA Article 28
- Clear exit strategies and data portability guarantees
- Proportionate resilience testing based on operational complexity
- Full audit trail capability for regulatory reporting
- Option for on-premises or hybrid deployment
The Sovereignty Spectrum
Deployment models exist on a spectrum from least to most sovereign:
| Model | Control Level | FSI Suitability |
|---|---|---|
| Vendor-Managed SaaS | Low | Often insufficient for Tier 1 |
| BYOC (Bring Your Own Cloud) | Medium-High | Suitable for most FSI |
| On-Premises | Highest | Required for G-SIBs, central banks |
The appropriate model depends on regulatory requirements, risk appetite, and operational capability. Many Tier 2 institutions find BYOC provides adequate sovereignty while reducing operational burden compared to full on-premises deployment.
Key takeaway: Sovereignty is not binary. FSI organizations must match deployment models to their specific regulatory requirements and systemic importance.
Explore deployment options: Learn how Ververica's flexible deployment models support FSI sovereignty requirements.
Why Most Streaming Platforms Fail Sovereignty Requirements
The streaming data category has evolved beyond core messaging and processing into complete platforms offering governance, observability, and AI support. However, most vendors struggle to deliver the specific sovereignty capabilities FSI organizations require.

The Streaming Governance Gap
Enterprise-grade governance for batch data is mature. Databricks Unity Catalog, for example, provides automatic lineage tracking, dynamic access policies, and comprehensive audit trails for batch workloads. The tooling is established and well-understood.
Streaming governance is different. In real-time streaming environments, tracking data origin, movement, and transformation is exceptionally difficult. Unlike batch systems that log discrete jobs with clear timestamps, streaming data flows continuously without persistent checkpoints.
| Aspect | Batch Processing | Stream Processing |
|---|---|---|
| Data Flow | Discrete jobs with clear boundaries | Continuous, potentially infinite |
| Lineage Tracking | Logged at job level | Requires real-time metadata capture |
| Audit Trail | Post-hoc reconstruction possible | Must be captured in motion |
| Compliance Window | Hours to days | Milliseconds to seconds |
DORA mandates real-time lineage and incident reporting. Financial entities cannot wait for batch analysis to understand what happened. When an incident occurs, regulators expect immediate visibility into data flows, access patterns, and system states.
This creates a gap. Most streaming platforms were designed for throughput and latency, not governance. Governance features are often added later, resulting in incomplete coverage or architectural limitations.
Vendor-Managed Platforms and DORA Compliance Gaps
Vendor-managed streaming platforms (fully managed SaaS offerings) present specific challenges for DORA compliance. For a visual breakdown of what "managed" actually costs you in control, see The Control Illusion: What Vendor-Managed Platforms Hide.
Audit Rights (DORA Article 28)
ICT providers must accept regular security audits from financial entities and their regulators. Vendor-managed platforms may limit inspection access due to multi-tenant architecture, proprietary systems, or operational concerns. Financial entities cannot audit what the vendor controls.
Subcontracting Requirements
DORA requires financial entities to assess risks from subcontractors in the ICT supply chain. Cloud platforms have complex dependency chains: the streaming vendor depends on the cloud provider, which depends on hardware vendors, network providers, and data center operators. This opacity creates compliance complexity.
Exit Strategies
DORA mandates clear exit strategies. Proprietary vendor platforms create steep migration costs and risk of losing functionality when switching providers. Vendor lock-in is a compliance risk, not just a commercial concern.
The Control Illusion
Some vendor-managed platforms offer "enterprise" or "dedicated" tiers that appear to provide more control. These often include:
- Dedicated compute resources
- Enhanced security features
- Premium support
- Compliance certifications
These features improve security posture but do not fundamentally change the sovereignty model. The vendor still controls the infrastructure. Regulators still cannot directly audit systems. Exit costs remain high. For a deeper analysis of why these platforms are engaging in "Zero Trust theater," read Zero Trust Theater: Why Most Streaming Platforms Are Pretenders.
For Tier 1 FSI, dedicated tiers are insufficient. For Tier 2 FSI, they may create a false sense of compliance that fails under regulatory scrutiny.
Specific Vendor Limitations
Cloud-Native Managed Services:
Cloud provider managed streaming services are tightly coupled to their ecosystems:
- Single cloud lock-in by design
- Limited multi-cloud or hybrid capability
- Governance tools may lag behind standalone vendors
- Exit paths require significant re-architecture
Standalone Managed Platforms:
Standalone streaming vendors offer more features but introduce different concerns:
- Deep expertise required for operation and scaling
- Essential connectors and governance features often gated behind premium tiers
- Premium pricing for compliance-critical capabilities
- Privacy and compliance requirements remain a major challenge to scaling
The Vendor Lock-in Problem
Proprietary features create migration difficulty. When a vendor's governance model, schema registry, or connector ecosystem differs from open standards, switching providers means rebuilding, not migrating.
For FSI, this creates regulatory risk. If a vendor relationship deteriorates, costs change unexpectedly, or regulatory requirements shift, the institution may face years of migration work and millions in costs.
Key takeaway: Vendor-managed platforms offer convenience but create sovereignty trade-offs that FSI organizations must evaluate carefully against regulatory requirements.
Concerned about vendor lock-in? Ververica maintains 100% Apache Flink compatibility with no proprietary extensions. See how we ensure exit flexibility.
The Three Pillars of FSI Streaming Sovereignty
True sovereignty for FSI streaming infrastructure requires three capabilities simultaneously. Most vendors deliver one or two. Financial institutions need all three.
Pillar 1: Governed Streaming
Governed streaming means real-time data lineage, schema enforcement, and compliance monitoring purpose-built for streaming workloads, not batch governance retrofitted.
Why It Matters:
FSI has enterprise-grade governance for batch data, but streaming data is mostly ungoverned. Real-time fraud detection, compliance monitoring, and payment processing require streaming-native governance: catalogs, RBAC, data lineage, and audit trails designed for real-time data flows.
Core Requirements:
| Capability | Purpose |
|---|---|
| Real-time data lineage | Track data from source through processing to destination |
| Schema enforcement | Ensure data contracts are maintained as data flows |
| Role-based access control | Granular permissions for streaming pipelines |
| Audit trails | Who accessed what data, when, and why |
| Multi-tenancy | Secure workspace isolation for teams and business units |
DORA Mandate:
DORA requires real-time incident reporting and data lineage capabilities for approximately 22,000 EU financial entities. When regulators ask what happened, "we'll run a batch analysis" is not an acceptable answer.
The Gap:
Batch-first governance platforms like Unity Catalog were designed for discrete jobs. Applying them to continuous streaming creates gaps in coverage. Streaming-native governance must capture metadata in motion, not after the fact.
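To make concrete what "capturing metadata in motion" means for the streaming governance gap above and for the Pillar 1 core requirements (schema enforcement, real-time lineage, audit trails), here is an added Python example. It is not Ververica or Apache Flink code; the data contract, step names, service principals and sample payment events are all constructed for the demo. It goes slightly beyond the text by attaching a content fingerprint at every hop, so a downstream record can be tied back to the exact upstream record it was derived from without any post-hoc reconstruction.

```python
"""Streaming-native governance demo: schema enforcement, lineage and an audit
record captured for every event as it flows, not reconstructed afterwards.
Added illustrative example; not Ververica or Apache Flink code. The contract,
step names, principals and sample events below are all constructed."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from typing import Any, Callable

# Hypothetical data contract for a 'payments.raw' stream: field -> required type.
PAYMENT_CONTRACT: dict[str, type] = {
    "txn_id": str,
    "account": str,
    "amount_cents": int,
    "currency": str,
}


@dataclass
class GovernedRecord:
    payload: dict[str, Any]
    lineage: list[dict[str, str]] = field(default_factory=list)  # ordered hops

    def fingerprint(self) -> str:
        # Content hash: lets a downstream hop prove which upstream record it came from.
        canonical = json.dumps(self.payload, sort_keys=True).encode()
        return hashlib.sha256(canonical).hexdigest()[:16]


class StreamGovernor:
    """Wraps one pipeline step so each record is validated, tagged and audited in motion."""

    def __init__(self, step_name: str, contract: dict[str, type]) -> None:
        self.step_name = step_name
        self.contract = contract
        self.audit_log: list[dict[str, Any]] = []   # production: append-only audit sink
        self.quarantine: list[dict[str, Any]] = []  # records that broke the contract

    def validate(self, payload: dict[str, Any]) -> list[str]:
        errors = []
        for key, typ in self.contract.items():
            if key not in payload:
                errors.append(f"missing field {key}")
            elif type(payload[key]) is not typ:  # exact type: rejects "1200" where int is required
                errors.append(f"{key}: expected {typ.__name__}, got {type(payload[key]).__name__}")
        return errors

    def process(self, rec: GovernedRecord, principal: str, ts: int,
                transform: Callable[[dict[str, Any]], dict[str, Any]]) -> GovernedRecord | None:
        upstream = rec.fingerprint()
        errors = self.validate(rec.payload)
        if errors:
            # Contract violation: quarantine and audit immediately; never forward downstream.
            self.quarantine.append({"step": self.step_name, "payload": rec.payload, "errors": errors})
            self.audit_log.append({"ts": ts, "step": self.step_name, "principal": principal,
                                   "outcome": "rejected", "upstream": upstream, "reason": errors})
            return None
        out = GovernedRecord(
            payload=transform(rec.payload),
            lineage=rec.lineage + [{"step": self.step_name, "upstream": upstream, "ts": str(ts)}],
        )
        self.audit_log.append({"ts": ts, "step": self.step_name, "principal": principal,
                               "outcome": "processed", "upstream": upstream,
                               "downstream": out.fingerprint()})
        return out


SAMPLE_EVENTS = [  # constructed input; t-2 violates the contract (amount as a string)
    {"txn_id": "t-1", "account": "acc-42", "amount_cents": 1200, "currency": "EUR"},
    {"txn_id": "t-2", "account": "acc-42", "amount_cents": "1200", "currency": "EUR"},
    {"txn_id": "t-3", "account": "acc-99", "amount_cents": 950000, "currency": "EUR"},
]


def flag_high_value(payload: dict[str, Any]) -> dict[str, Any]:
    out = dict(payload)
    out["high_value"] = payload["amount_cents"] >= 500_000
    return out


def run_pipeline(events: list[dict[str, Any]] = SAMPLE_EVENTS) -> dict[str, Any]:
    """Two governed hops: ingest (contract check only) then enrich (risk flag)."""
    ingest = StreamGovernor("ingest", PAYMENT_CONTRACT)
    enrich = StreamGovernor("enrich", PAYMENT_CONTRACT)
    delivered: list[GovernedRecord] = []
    for i, event in enumerate(events):
        rec = ingest.process(GovernedRecord(payload=event), "svc-ingest", 1000 + i, lambda p: p)
        if rec is None:
            continue
        rec = enrich.process(rec, "svc-risk", 2000 + i, flag_high_value)
        if rec is not None:
            delivered.append(rec)
    return {"delivered": delivered,
            "audit": ingest.audit_log + enrich.audit_log,
            "quarantined": ingest.quarantine + enrich.quarantine}


if __name__ == "__main__":
    result = run_pipeline()
    for rec in result["delivered"]:
        print(rec.payload["txn_id"], "->", [hop["step"] for hop in rec.lineage])
    print(json.dumps(result["audit"], indent=1))
```

The design point is that the audit entry and the lineage hop are written by the same code path that forwards the record, at the moment it is forwarded; a regulator asking "what happened to t-2" gets an answer from the quarantine and audit records that already exist, with no batch job to run first.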
Learn more: Discover how Ververica's governance capabilities deliver real-time lineage and audit trails for regulated industries.
Pillar 2: Deployment Freedom
Deployment freedom means the ability to deploy streaming infrastructure where regulatory, security, and architectural requirements demand, whether that is vendor-managed cloud, BYOC, or on-premises.
Why It Matters:
Financial services firms cannot always use vendor-managed cloud platforms. DORA requires audit access, exit strategies, and third-party risk management that many SaaS offerings cannot satisfy. Different FSI segments have different requirements:
- Tier 1 FSI (central banks, G-SIBs) often require on-premises deployment
- Tier 2 FSI typically needs BYOC for a balance of control and convenience
- Regulatory requirements vary by jurisdiction and institution type
Deployment Options:
BYOC enables organizations to run the data plane within their own cloud VPC while the vendor operates the control plane. This provides:
- Data never leaves customer-controlled infrastructure
- Customer owns cloud account and network configuration
- Vendor access limited to management functions
- Compliance with data residency requirements
- Reduced operational burden compared to full self-management
On-premises deployment provides complete infrastructure control:
- No external data exposure
- Full audit access for regulators
- Maximum sovereignty for Tier 1 requirements
- Higher operational complexity and internal expertise requirements
The Problem with Cloud-Only:
Vendors offering only managed cloud deployment automatically disqualify themselves for Tier 1 FSI use cases. Cloud-only also limits options for institutions facing emerging regulatory requirements or future changes in sovereignty needs.
Key Requirement:
The platform must provide consistent functionality across deployment models. An institution should not lose governance, security, or operational capabilities when choosing BYOC or on-premises over managed cloud.
Pillar 3: Zero Trust Security
Zero Trust security means identity-centric protection with continuous verification, not perimeter-based defense that assumes internal networks are trusted. For an in-depth analysis of how most streaming platforms fail to deliver genuine Zero Trust security, read Zero Trust Theater: Why Most Streaming Platforms Are Pretenders.
Why It Matters:
The perimeter-based defense model that served financial institutions for decades is now insufficient. When attackers breach the perimeter (often through social engineering or compromised credentials), they move freely within trusted networks. The 2025 Verizon Data Breach Investigations Report confirms that individuals remain the weak link, whether clicking malware or being socially engineered to provide credentials.
Zero Trust Principles for FSI:
Based on the NIST Zero Trust Architecture (SP 800-207):
| Principle | Implementation |
|---|---|
| Never trust, always verify | Every access request authenticated and authorized |
| Assume breach | Security designed to limit lateral movement |
| Least-privilege access | Users and systems access only what they need |
| Continuous validation | Ongoing verification, monitoring, and validation |
FSI-Specific Requirements:
- Multi-factor authentication for all access
- Fine-grained access controls for streaming data
- Secrets management for credentials and keys
- Private network connections (PrivateLink, VPC peering)
- Comprehensive audit logging
- Real-time anomaly detection
The Problem with Bolt-On Security:
Some platforms add security features incrementally as market demands shift. This results in inconsistent coverage, architectural limitations, and gaps that sophisticated attackers exploit. Zero Trust must be embedded throughout the platform architecture, not layered on afterward.
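To show what the NIST SP 800-207 principles in the table above look like when enforced per request on a streaming platform (rather than bolted on at the perimeter), here is an added Python example; it is not Ververica code. The signing key, grants, principals and topic names are constructed for the demo, and the HMAC-signed token stands in for whatever identity provider a real deployment uses. It goes slightly beyond the text by adding a simple denial-rate anomaly check on top of the audit log, covering the "real-time anomaly detection" requirement in the list.

```python
"""Zero Trust policy enforcement for a streaming platform: every request to a
topic is authenticated (signed, short-lived token), authorized against
least-privilege grants, audited, and watched for anomalous denial patterns.
Added illustrative example; not Ververica code. The signing key, grants,
principals and topics are constructed for the demo."""
import base64
import hashlib
import hmac
import json
from collections import Counter

SIGNING_KEY = b"demo-only-signing-key"  # constructed; real deployments load this from a secrets manager

# Least-privilege grants: principal -> topic -> permitted operations (constructed).
GRANTS = {
    "svc-fraud-scorer": {"payments.raw": {"read"}, "fraud.scores": {"write"}},
    "analyst-alice": {"fraud.scores": {"read"}},
    "ops-bob": {"payments.raw": {"read", "admin"}},
}
MFA_REQUIRED_OPS = {"admin"}   # step-up authentication for privileged operations
DENIAL_ALERT_THRESHOLD = 3     # repeated denials from one identity raise an alert


def issue_token(principal: str, mfa: bool, now: int, ttl: int = 300) -> str:
    """Short-lived HMAC-signed token; stands in for the IdP-issued credential."""
    claims = {"sub": principal, "mfa": mfa, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str, now: int):
    """Return the claims if signature and expiry check out, else None. Never trust the caller."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return None if claims["exp"] <= now else claims


class PolicyEnforcementPoint:
    def __init__(self) -> None:
        self.audit: list = []          # production: append-only, shipped to the SIEM
        self.denials: Counter = Counter()
        self.alerts: list = []

    def authorize(self, token: str, topic: str, op: str, now: int) -> bool:
        claims = verify_token(token, now)        # verify on every request; no session trust
        principal = claims["sub"] if claims else None
        if claims is None:
            decision, reason = "deny", "invalid-or-expired-token"
        elif op in MFA_REQUIRED_OPS and not claims["mfa"]:
            decision, reason = "deny", "mfa-required"
        elif op not in GRANTS.get(principal, {}).get(topic, set()):
            decision, reason = "deny", "no-grant"   # default deny: least privilege
        else:
            decision, reason = "allow", "grant-matched"
        self.audit.append({"ts": now, "principal": principal, "topic": topic,
                           "op": op, "decision": decision, "reason": reason})
        if decision == "deny" and principal is not None:
            self.denials[principal] += 1
            if self.denials[principal] >= DENIAL_ALERT_THRESHOLD and principal not in self.alerts:
                self.alerts.append(principal)    # continuous validation: surface to the SOC
        return decision == "allow"


def run_demo(now: int = 1_700_000_000):
    """Constructed request sequence exercising each decision path."""
    pep = PolicyEnforcementPoint()
    t_fraud = issue_token("svc-fraud-scorer", mfa=False, now=now)
    t_bob = issue_token("ops-bob", mfa=False, now=now)
    t_bob_mfa = issue_token("ops-bob", mfa=True, now=now)
    t_alice = issue_token("analyst-alice", mfa=False, now=now)
    tampered = t_alice[:-1] + ("0" if t_alice[-1] != "0" else "1")    # one signature char altered
    expired = issue_token("analyst-alice", mfa=False, now=now - 1000)  # exp already in the past
    requests = [
        (t_fraud, "payments.raw", "read"),     # allowed by grant
        (t_fraud, "fraud.scores", "write"),    # allowed by grant
        (t_fraud, "payments.raw", "write"),    # denied: no write grant
        (t_bob, "payments.raw", "admin"),      # denied: privileged op needs MFA
        (t_bob_mfa, "payments.raw", "admin"),  # allowed after step-up
        (tampered, "fraud.scores", "read"),    # denied: bad signature
        (expired, "fraud.scores", "read"),     # denied: expired
        (t_alice, "payments.raw", "read"),     # denied three times: triggers an alert
        (t_alice, "payments.raw", "read"),
        (t_alice, "payments.raw", "read"),
    ]
    decisions = [pep.authorize(tok, topic, op, now) for tok, topic, op in requests]
    return decisions, pep


if __name__ == "__main__":
    decisions, pep = run_demo()
    print(decisions)
    print("alerts:", pep.alerts)
```

Two details matter for the "bolt-on" argument: the verification runs inside the data-access path for every request, not once at a network boundary, and the same function that decides also writes the audit record, so coverage cannot drift apart from enforcement.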
Key takeaway: FSI streaming sovereignty requires governed streaming, deployment freedom, and Zero Trust security simultaneously. Achieving one or two is insufficient for regulatory compliance.
Assess your security posture: Request a Ververica security architecture review to evaluate your Zero Trust readiness.
Sovereign AI for FSI
Artificial intelligence is transforming financial services, but AI workloads in regulated industries face unique sovereignty requirements. The data that trains models, the models themselves, and the decisions they produce must all remain within compliance boundaries.

Why AI Workloads Require Sovereign Streaming Data
Financial crime costs the global economy up to $2 trillion annually according to UN estimates. Between $800 billion and $2 trillion is laundered globally each year, representing 2-5% of global GDP. Yet only 0.1% of illicit funds are ultimately recovered, and only 1% of suspicious transaction reports are actually investigated.
The gap exists partly because legacy systems cannot process data fast enough. AI-enabled real-time monitoring delivers alerts or blocks actions within 2 seconds on average. Legacy systems require several minutes for the same decisions. When detecting fraud or money laundering, those minutes matter.
Real-time AI for fraud detection, AML, and credit scoring requires:
- Streaming data infrastructure for continuous processing
- Sovereignty-compliant data handling throughout the AI pipeline
- Governance for both training data and model outputs
- Audit trails covering model decisions and their rationale
EU AI Act Implications
The EU AI Act, effective August 2, 2025, classifies AI systems used in credit scoring, fraud detection, and financial decision-making as high-risk. These systems must:
- Document data origins, transformations, and quality metrics
- Provide explainability for decisions
- Undergo bias audits and fairness testing
- Maintain audit trails of model versions and training data
Violations carry fines up to EUR 35 million or 7% of global annual turnover.
For FSI, this means AI governance requirements now extend to streaming data pipelines. The data flowing into models must be traceable. The models themselves must be versioned and auditable. The decisions they produce must be explainable.
FSI AI Use Cases Requiring Sovereign Streaming
Fraud Detection:
Transaction-level analysis in milliseconds, behavioral pattern recognition, cross-channel fraud correlation. Data cannot leave the jurisdiction for processing. Decisions must be logged with complete rationale.
Anti-Money Laundering (AML):
Real-time transaction monitoring across complex networks. Pattern detection for structuring, layering, and integration. Integration with external data sources (telecommunications signals, device telemetry). The average laundering operation spans 5-7 years before discovery; real-time streaming shortens detection windows.
Credit Scoring:
Real-time credit decisioning with alternative data integration. Fair lending compliance monitoring. Explainability requirements for adverse actions under Consumer Duty obligations.
The Real-Time Imperative
Sovereign streaming provides the foundation for compliant AI in regulated industries: real-time data access, governance throughout the pipeline, and audit trails that satisfy both AI Act and existing financial services regulations.
Key takeaway: AI in FSI requires sovereign streaming infrastructure that maintains compliance from data ingestion through model training to decision output.
Building AI for FSI? Learn how Ververica powers real-time AI applications with sovereign streaming infrastructure.
Evaluating Streaming Platforms for Sovereignty
FSI organizations evaluating streaming platforms for sovereignty should apply a structured decision framework. This section provides practical evaluation criteria for security, compliance, and architecture leaders. For a scored, requirement-by-requirement assessment tool, use the Sovereignty Evaluation Framework.

What Must Be Controlled by the Customer
At minimum, FSI organizations should control:
| Element | Why It Matters |
|---|---|
| Data plane | Where data is stored and processed |
| Network configuration | How data moves between components |
| Encryption keys | Who can decrypt sensitive data |
| Access policies | Who can read, write, or administer |
| Audit logs | Complete record of system activity |
If the vendor controls any of these elements in ways that limit customer visibility or regulatory access, the platform may not meet sovereignty requirements.
Where Auditability Breaks Down
Auditability failures typically occur at these points:
Multi-tenant isolation: In shared infrastructure, can regulators audit your specific data flows without accessing other customers' data? Can you prove isolation?
Subcontractor chains: Does the vendor disclose all subprocessors? Can you assess risk from fourth parties (the vendor's vendors)?
Proprietary systems: Are critical components built on proprietary technology that cannot be inspected or understood independently?
Incident response: When incidents occur, does the vendor provide raw data or only filtered reports? Can regulators access systems directly?
Deployment Flexibility Checklist
| Requirement | Question to Ask |
|---|---|
| BYOC option | Can the data plane run in our VPC/subscription? |
| On-premises option | Can we deploy entirely within our data centers? |
| Consistent features | Are governance, security, and operational features identical across deployment models? |
| Exit path | Can we migrate to another platform or self-managed open source without losing functionality? |
| Multi-cloud | Can we run across multiple cloud providers simultaneously? |
For a quick assessment of your current platform against these requirements, use the Streaming Sovereignty Checklist.
Red Flags in Vendor Assessments
Governance gated by tier: If essential governance features (lineage, audit trails, RBAC) require premium pricing, the vendor treats compliance as upsell rather than baseline requirement.
Cloud-only deployment: Vendors offering only managed cloud cannot serve Tier 1 FSI and limit future flexibility for Tier 2.
Proprietary lock-in: Significant proprietary extensions to open-source foundations (Kafka, Flink) create exit barriers that conflict with DORA requirements.
Vague subcontracting: Inability or unwillingness to disclose the full ICT supply chain indicates potential DORA Article 28 compliance gaps.
Limited audit access: Restrictions on security audits, penetration testing, or regulatory inspection rights suggest sovereignty limitations.
Decision Framework
For Tier 1 FSI (G-SIBs, Central Banks):
- Require on-premises or fully isolated deployment
- Verify complete audit access for regulators
- Confirm zero proprietary lock-in
- Ensure full governance capabilities in air-gapped environments
- Validate exit path to self-managed open source
For Tier 2 FSI (Regional Banks, Payment Processors):
- BYOC deployment with data plane in customer VPC
- Governance and audit capabilities at baseline tier
- Clear exit strategy with defined migration path
- Contractual terms aligned with DORA Article 28
- Option to move to on-premises if requirements change
Key takeaway: Evaluate streaming platforms against specific sovereignty requirements, not generic feature lists. What works for a technology company may not meet FSI regulatory obligations.
How Ververica Delivers FSI Sovereignty
Ververica provides the only streaming platform that delivers all three sovereignty pillars: governed streaming, deployment freedom, and Zero Trust security, without compromise.

Founded by the Creators of Apache Flink
Ververica was founded by the original creators of Apache Flink. This heritage provides technical authority that licensed technology cannot match. The engineering team that built Flink from its foundation continues to develop the Ververica platform, delivering optimizations and capabilities that reflect more than a decade of hands-on development.
This matters for FSI because depth of expertise translates to better support for complex, regulated workloads. When compliance requirements change or edge cases emerge, Ververica's team understands the technology at its core.
Learn about Apache Flink: Explore Ververica's Apache Flink resources for technical deep-dives and best practices.
Full Deployment Spectrum
Ververica offers genuine deployment flexibility:
| Deployment | Description | FSI Fit |
|---|---|---|
| Managed Cloud | Fully managed service | Development, non-sensitive workloads |
| BYOC | Data plane in customer VPC | Tier 2 FSI production workloads |
| On-Premises | Complete customer control | Tier 1 FSI, air-gapped environments |
Critical distinction: Ververica provides identical functionality across all deployment models. Governance, security, and operational capabilities do not degrade when moving from managed to BYOC to on-premises. This consistency enables FSI organizations to choose deployment based on regulatory requirements, not feature availability.
VERA Engine Performance
The VERA engine, Ververica's optimized Flink runtime, delivers:
- 2x performance compared to open-source Flink
- 40% lower total cost of ownership
- Elastic scaling across millions of cores
Performance matters for FSI because real-time processing cannot tolerate latency spikes during peak loads. Fraud detection, payment processing, and compliance monitoring require consistent sub-second response times regardless of volume.
Zero Vendor Lock-in
Ververica maintains 100% compatibility with Apache Flink. Applications developed on Ververica run on standard Flink without modification. This provides:
- Exit path to self-managed open source at any time
- No proprietary extensions that create migration barriers
- Alignment with DORA exit strategy requirements
- Future flexibility as requirements evolve
Enterprise Governance
Ververica's governance capabilities are built for regulated industries:
- Catalogs: Centralized metadata management for streaming jobs, tables, and connectors
- RBAC: Role-based access control for streaming pipelines and data
- Audit Trails: Who accessed what streaming data, when, and why
- Data Lineage: Track data flow from source through processing to destination in real time
- Multi-Tenancy: Secure workspace isolation for teams and business units
These capabilities are available at baseline, not gated behind premium tiers.
Zero Trust Architecture
Ververica embeds Zero Trust principles throughout the platform:
- Continuous verification for all access requests
- Fine-grained access controls at data and job level
- Secrets management integration
- Private network connections
- Comprehensive audit logging
- Anomaly detection and alerting
Enterprise Proven
Ververica serves mission-critical workloads at scale:
- Major banks processing real-time payments and fraud detection
- Alibaba processing billions of events per second
- Intesa Sanpaolo, ING, Netflix, Uber, Airbus, Booking.com
- 35,000+ jobs running on single clusters
- 10+ petabytes ingested per day
- 10 trillion records ingested per day at enterprise scale
Compliance Ready
Ververica maintains certifications aligned with FSI requirements:
- SOC 2 Type II
- ISO 27001
- GDPR compliance by design
Key takeaway: Ververica delivers governed streaming, deployment freedom, and Zero Trust security simultaneously, with the technical depth and enterprise scale FSI requires.
Conclusion: The Path to Sovereignty
Data sovereignty is no longer optional for financial services. DORA, NIS2, GDPR, and the EU AI Act create overlapping requirements that demand governed streaming, deployment freedom, and Zero Trust security. Most streaming platform vendors deliver one or two of these capabilities. FSI organizations need all three.
The vendor landscape presents a clear pattern. Cloud-only platforms cannot serve Tier 1 FSI. Vendor-managed platforms face audit, subcontracting, and exit challenges under DORA. Proprietary lock-in conflicts with regulatory requirements for clear exit strategies. Premium pricing for compliance features treats sovereignty as an upsell rather than a baseline requirement.
Next Steps for FSI Organizations
- Assess current sovereignty posture: Evaluate existing streaming infrastructure against the three-pillar framework
- Map regulatory requirements: Identify which DORA, NIS2, and AI Act provisions apply to your organization
- Evaluate vendor sovereignty: Apply the decision framework to current and prospective vendors
- Plan deployment path: Determine whether managed, BYOC, or on-premises best fits your requirements
- Build exit capability: Ensure contracts and architecture support migration if needed
The Three Pillars, One Platform
Ververica delivers governed streaming, deployment freedom, and Zero Trust security on a single platform built by the creators of Apache Flink. No vendor lock-in. No sovereignty compromises. No compliance gaps.
Take the Next Step
Ready to achieve FSI sovereignty? Choose your path:
| Your Need | Action |
|---|---|
| Assess your sovereignty posture | Schedule a consultation |
| See the platform in action | Request a demo |
| Learn about FSI solutions | Explore financial services use cases |
| Get technical details | Read the documentation |
| Talk to an expert | Contact us |
See How Ververica Delivers Sovereignty for Financial Services for the full technical details, deployment models, and real-world FSI case studies.
What does data sovereignty mean for financial services in 2026?
Data sovereignty extends beyond data residency. It encompasses infrastructure control (who owns and operates systems processing your data), audit access (whether regulators can inspect systems and data flows), third-party oversight (how dependencies on external providers are managed), and exit capability (whether you can migrate without losing functionality or facing prohibitive costs). DORA Article 28 mandates that financial entities ensure their ICT service providers comply with regulatory standards and maintain exit strategies.
What are the three pillars of FSI streaming sovereignty?
The three pillars are: (1) Governed Streaming: real-time data lineage, schema enforcement, and compliance monitoring purpose-built for streaming workloads; (2) Deployment Freedom: the ability to deploy streaming infrastructure where regulatory requirements demand, whether vendor-managed cloud, BYOC, or on-premises; (3) Zero Trust Security: identity-centric protection with continuous verification, not perimeter-based defense. Most vendors deliver one or two; financial institutions need all three.
Why do vendor-managed streaming platforms fail DORA compliance?
Vendor-managed platforms face three key DORA compliance challenges: (1) Audit Rights: DORA Article 28 requires providers accept regular security audits, but vendor-managed platforms may limit inspection access due to multi-tenant architecture; (2) Subcontracting: DORA requires assessing risks from subcontractors in the ICT supply chain, but cloud platforms have complex, opaque dependency chains; (3) Exit Strategies: DORA mandates clear exit strategies, but proprietary vendor platforms create steep migration costs and vendor lock-in.
What are the sovereignty differences between Tier 1 and Tier 2 FSI?
Tier 1 FSI (G-SIBs, Central Banks) face the strictest requirements: complete infrastructure control often requiring on-premises deployment, unrestricted audit access, domestic data residency with no exceptions, and zero tolerance for vendor lock-in. Tier 2 FSI (Regional Banks, Payment Processors, Asset Managers) require compliant third-party management under DORA Article 28, clear exit strategies, proportionate resilience testing, and the option for on-premises or hybrid deployment.

