Streaming Sovereignty
Self Assessment Checklist for Financial Services Industry
Executive Summary
This self-assessment checklist helps FSI organizations identify gaps between regulatory requirements (DORA, NIS2, GDPR, AI Act) and current platform capabilities across five critical areas.
| Key Findings | Implications |
|---|---|
| Legacy Streaming Architectures | Requires urgent remediation for DORA compliance. |
| Governance Gap | Real-time data often lacks the oversight required by regulators. |
| Sovereignty Risk | Vendor-managed clouds often fail data residency tests. |
1. Data Governance Requirements
Role-Based Access Control (REQ 1.1)
Requirement: Role-based access control at streaming application level with enterprise identity integration
Regulatory Basis: DORA/NIS2, GDPR Art 32, EBA
- [ ] Can you define access policies at namespace and tenant levels?
- [ ] Does the platform integrate with enterprise SSO via SAML 2.0 and OIDC?
- [ ] Are preset roles available (Viewer, Editor, Owner, Admin)?
Common Gap: Vendor clouds lack streaming-aware access controls. DIY Kafka requires complex manual ACL configuration.
Status: [ ] Compliant [ ] Gap [ ] Not Assessed
Comprehensive Audit Trails (REQ 1.2)
Requirement: All user events, pipeline changes, and data access captured with sufficient retention
Regulatory Basis: DORA, GDPR Art 30, NIS2
- [ ] Are all user events captured and recorded?
- [ ] Can admins view, filter, search, and export logs?
- [ ] Can audit logs stream to enterprise SIEM systems?
Common Gap: Generic platforms log infrastructure events only, not streaming operations.
Status: [ ] Compliant [ ] Gap [ ] Not Assessed
Data Lineage Tracking (REQ 1.3)
Requirement: Track data lineage for streaming pipelines at table and column level
Regulatory Basis: GDPR, EBA, EU AI Act
- [ ] Can you trace data from source through transformation to downstream?
- [ ] Does lineage identify PII flows through streaming transformations?
Status: [ ] Compliant [ ] Gap [ ] Not Assessed
Schema Governance (REQ 1.4)
Requirement: Integration with data catalogs for metadata management and schema visibility
Regulatory Basis: GDPR, operational risk
- [ ] Does the platform provide built-in catalog integrations?
- [ ] Is schema evolution governed and tracked?
Status: [ ] Compliant [ ] Gap [ ] Not Assessed
Encryption and Certificate Management (REQ 1.5)
Requirement: Pluggable TLS certificates for custom encryption meeting enterprise policies
Regulatory Basis: GDPR, DORA/NIS2
- [ ] Can you use custom SSL certificates for internal/external communications?
- [ ] Does the platform support enterprise certificate authorities?
Status: [ ] Compliant [ ] Gap [ ] Not Assessed
Data Retention and Lifecycle Management (REQ 1.6)
Requirement: Configurable retention policies; support for targeted deletion
Regulatory Basis: GDPR Art 5, Art 17
- [ ] Can you configure retention policies for streaming data?
- [ ] Can the platform support right-to-erasure through architectural patterns?
Status: [ ] Compliant [ ] Gap [ ] Not Assessed
Multi-Tenant Data Isolation (REQ 1.7)
Requirement: Hard isolation between tenants with RBAC at namespace level
Regulatory Basis: DORA, GDPR
- [ ] Can multiple independent applications run in shared environments?
- [ ] Are isolation boundaries enforced at platform level?
Status: [ ] Compliant [ ] Gap [ ] Not Assessed
2. Sovereignty and Deployment Requirements
On-Premises / Private Cloud Deployment (REQ 2.1)
Requirement: Deployment on customer-owned infrastructure with complete data sovereignty
Regulatory Basis: DORA/EBA, GDPR
- [ ] Can the platform be deployed fully on-premises or in private cloud?
- [ ] Does deployment provide complete data sovereignty?
Status: [ ] Compliant [ ] Gap [ ] Not Assessed
BYOC with Customer-Controlled Data Plane (REQ 2.2)
Requirement: BYOC where data processing occurs in the customer's cloud account
Regulatory Basis: DORA, EBA
- [ ] Is BYOC built on Zero Trust principles?
- [ ] Does data processing occur entirely in your cloud account?
Status: [ ] Compliant [ ] Gap [ ] Not Assessed
Proof of Data Residency (REQ 2.3)
Requirement: Regional selection and checkpoint residency controls
Regulatory Basis: GDPR Schrems II, national residency laws
- [ ] Do checkpoints remain in designated regions?
- [ ] Can you prove data residency at application level?
Status: [ ] Compliant [ ] Gap [ ] Not Assessed
No Vendor Components Processing Customer Data (REQ 2.4)
Requirement: Customer controls all compute, storage, networking; no data through vendor
Regulatory Basis: DORA, EBA
- [ ] Do you control all compute, storage, and networking?
- [ ] Does any customer data flow through vendor systems?
Status: [ ] Compliant [ ] Gap [ ] Not Assessed
Air-Gapped Deployment Support (REQ 2.5)
Requirement: Installation offline with no internet; internal registries supported
Regulatory Basis: Critical infrastructure mandates
- [ ] Can the platform be installed without internet access?
- [ ] Can the platform operate without outbound telemetry?
Status: [ ] Compliant [ ] Gap [ ] Not Assessed
Multi-Cloud Portability and Exit Strategy (REQ 2.6)
Requirement: Deployment across multiple clouds and on-premises; exit strategy
Regulatory Basis: DORA, EBA
- [ ] Can you deploy across AWS, Azure, GCP, and on-premises?
- [ ] Is a documented exit strategy available meeting DORA?
Status: [ ] Compliant [ ] Gap [ ] Not Assessed
3. Security and Zero Trust Requirements
Zero Trust Architecture (REQ 3.1)
Requirement: Least-privilege, identity-based auth, fine-grained authorization
Regulatory Basis: NIS2, DORA, EBA
- [ ] Is the platform built on Zero Trust principles?
- [ ] Are credentials short-lived and automatically rotated?
Status: [ ] Compliant [ ] Gap [ ] Not Assessed
Enterprise SSO Integration (REQ 3.2)
Requirement: SSO integration via SAML 2.0 and OIDC
Regulatory Basis: NIS2/EBA, GDPR
- [ ] Does the platform support SAML 2.0 and OIDC?
- [ ] Can you enforce enterprise authentication policies?
Status: [ ] Compliant [ ] Gap [ ] Not Assessed
Secrets Management (REQ 3.3)
Requirement: Centralized storage with namespace-scoped secrets
Regulatory Basis: NIS2/DORA, EBA
- [ ] Does the platform support short-lived token patterns?
- [ ] Does the platform integrate with external secrets management?
Status: [ ] Compliant [ ] Gap [ ] Not Assessed
Private Network Connectivity (REQ 3.4)
Requirement: Direct private connections to cloud providers; no public exposure
Regulatory Basis: NIS2, EBA
- [ ] Can you connect privately to AWS, Azure, and GCP?
- [ ] Is public internet exposure eliminated for streaming?
Status: [ ] Compliant [ ] Gap [ ] Not Assessed
Real-Time Security Monitoring (REQ 3.5)
Requirement: Built-in monitoring with real-time observability and SIEM integration
Regulatory Basis: DORA, NIS2
- [ ] Does the platform provide security-focused monitoring?
- [ ] Can audit logs stream to enterprise SIEM?
Status: [ ] Compliant [ ] Gap [ ] Not Assessed
Pluggable TLS Certificates (REQ 3.6)
Requirement: Custom SSL certificate generation for all communications
Regulatory Basis: Enterprise CA policies, NIS2/DORA
- [ ] Can you use custom certificates for all communications?
- [ ] Are enterprise certificate authorities supported?
Status: [ ] Compliant [ ] Gap [ ] Not Assessed
4. AI/ML Governance Requirements
Governed Streaming Pipelines for ML (REQ 4.1)
Requirement: Real-time stream processing foundation for governed feature pipelines
Regulatory Basis: EU AI Act Article 10, EBA
- [ ] Can streaming pipelines feed ML feature stores in real time?
- [ ] Can you document training data provenance for the EU AI Act?
Status: [ ] Compliant [ ] Gap [ ] Not Assessed
Data Lineage for ML Pipelines (REQ 4.2)
Requirement: Lineage tracks data from source to downstream; provenance trail
Regulatory Basis: EU AI Act Art 10, model risk management
- [ ] Does lineage capture streaming flows to ML systems?
- [ ] Is lineage documentation sufficient for regulatory audits?
Status: [ ] Compliant [ ] Gap [ ] Not Assessed
Sovereign AI Deployment (REQ 4.3)
Requirement: Self-managed/BYOC ensures ML pipelines remain in customer infrastructure
Regulatory Basis: Sensitive financial data concerns
- [ ] Can ML pipelines run entirely in customer-controlled infrastructure?
- [ ] Are there external service dependencies for AI workloads?
Status: [ ] Compliant [ ] Gap [ ] Not Assessed
5. Operational Excellence Requirements
Centralized Monitoring Dashboard (REQ 5.1)
Requirement: Visual dashboards for resource usage, health, and operations
Regulatory Basis: DORA Art 10, NIS2
- [ ] Does the platform provide centralized monitoring dashboards?
- [ ] Is monitoring sufficient for regulatory reporting?
Status: [ ] Compliant [ ] Gap [ ] Not Assessed
Automated State Management for DR (REQ 5.2)
Requirement: Snapshots, checkpoint/savepoint resume; decoupled state store
Regulatory Basis: DORA Art 11, EBA
- [ ] Can you create and restore from snapshots?
- [ ] Is state management decoupled from compute for recovery?
Status: [ ] Compliant [ ] Gap [ ] Not Assessed
Elastic Auto-Scaling (REQ 5.3)
Requirement: Automatic scaling based on workload, SLO rules, or schedules
Regulatory Basis: DORA reliable operation
- [ ] Does the platform provide automatic workload-based scaling?
- [ ] Can you define SLO rules or schedules for scaling?
Status: [ ] Compliant [ ] Gap [ ] Not Assessed
Professional Support with SLAs (REQ 5.4)
Requirement: Enterprise support with defined SLAs from platform experts
Regulatory Basis: DORA/EBA documented arrangements
- [ ] Are SLAs defined and contractually guaranteed?
- [ ] Does support come from experts with deep platform expertise?
Status: [ ] Compliant [ ] Gap [ ] Not Assessed
Declarative Configuration Management (REQ 5.5)
Requirement: Kubernetes Operator for declarative management; CI/CD integration
Regulatory Basis: DORA change management
- [ ] Can you manage the platform declaratively via a Kubernetes Operator?
- [ ] Is configuration drift prevented through synchronized state?
Status: [ ] Compliant [ ] Gap [ ] Not Assessed
Gap Assessment Summary
| Category | Total | Compliant | Gap | Not Assessed |
|---|---|---|---|---|
| Data Governance | 7 | 0 | 0 | 7 |
| Sovereignty | 6 | 0 | 0 | 6 |
| Security & Zero Trust | 6 | 0 | 0 | 6 |
| AI/ML Governance | 3 | 0 | 0 | 3 |
| Operational Excellence | 5 | 0 | 0 | 5 |
| TOTAL | 27 | 0 | 0 | 27 |