A Technical Evaluation Framework for Streaming Platform Sovereignty Compliance
How to Use This Checklist
For each requirement, answer the assessment questions using Yes, No, or Partially. The compliance status updates automatically based on your answers. Use this during vendor evaluations to identify sovereignty gaps systematically.
| Response | Meaning |
|---|---|
| Yes | Requirement fully met with native platform capabilities |
| Partially | Requirement partially met, may need workarounds or compensating controls |
| No | Requirement not met; represents a sovereignty gap |
1. Deployment and Infrastructure
REQ 1.1: Full Deployment Flexibility
Requirement: Platform supports on-premises, BYOC, and managed cloud with identical capabilities
Regulatory Basis: DORA Art 28, national data residency laws
Assessment questions:
- Can the platform be deployed fully on-premises in your own data center?
- Does it support Bring-Your-Own-Cloud where data never leaves your VPC?
- Can you migrate between deployment models without re-architecting applications?
- Does it support deployment in your private cloud environment with no vendor access?
Vendor Red Flag: "Our cloud deployment meets all compliance requirements." Any vendor that cannot demonstrate production on-premises deployments is not sovereignty-ready.
Status: Not Assessed (Compliant / Partial / Gap)
REQ 1.2: No Vendor Lock-In Architecture
Requirement: Open-source foundations with compatible APIs and portable workloads
Regulatory Basis: DORA exit strategies, ICT concentration risk
Assessment questions:
- Is the platform built on open-source foundations (Apache Flink, Kafka)?
- Can workloads be migrated to another vendor or self-managed infrastructure?
- Are APIs compatible with open-source equivalents?
Vendor Red Flag: Proprietary APIs, proprietary data formats, or "enterprise-only" features that prevent migration.
Status: Not Assessed (Compliant / Partial / Gap)
REQ 1.3: Multi-Cloud and Hybrid Support
Requirement: Equivalent features across AWS, Azure, GCP with hybrid deployment
Regulatory Basis: DORA ICT concentration risk
Assessment questions:
- Does the platform support AWS, Azure, and GCP with equivalent features?
- Is there a single management plane for hybrid deployments?
- Can workloads span on-premises and cloud environments?
- Can you fail over between deployment environments without data loss?
Status: Not Assessed (Compliant / Partial / Gap)
REQ 1.4: Air-Gapped Deployment Capability
Requirement: Platform operates without internet connectivity after deployment
Regulatory Basis: Critical infrastructure mandates
Assessment questions:
- Can the platform operate without internet connectivity after deployment?
- Does licensing work without phone-home validation (no outbound license checks)?
Status: Not Assessed (Compliant / Partial / Gap)
REQ 1.5: Infrastructure-as-Code Support
Requirement: Repeatable, auditable deployments via Terraform, Helm, or Kubernetes Operators
Regulatory Basis: DORA compliance, change management
Assessment questions:
- Does the platform support Terraform, Pulumi, or equivalent IaC tools?
- Is Kubernetes-native deployment supported (Helm, Operators)?
- Can all configurations be version-controlled?
Status: Not Assessed (Compliant / Partial / Gap)
2. Data Governance
REQ 2.1: Real-Time Data Lineage
Requirement: Automatic lineage capture as data flows through pipelines, including transformations
Regulatory Basis: BCBS 239, DORA, GDPR
Assessment questions:
- Does the platform capture lineage automatically as data flows through pipelines?
- Is lineage available in real time (rather than only via batch export)?
- Can you trace any output record back to its source records?
- Does lineage capture transformations, not just data movement?
Common Gap: Many platforms offer lineage only for specific pipeline types (e.g., SQL-based pipelines) but not for DataStream API workloads.
Status: Not Assessed (Compliant / Partial / Gap)
REQ 2.2: Schema Registry and Evolution
Requirement: Native schema management with compatibility enforcement and approval workflows
Regulatory Basis: GDPR, operational risk management
Assessment questions:
- Is schema management integrated natively (rather than via an external dependency)?
- Can schema changes trigger approval workflows?
- Does it support catalog integrations for metadata management and schema visibility?
- Does it enforce compatibility rules (backward, forward, full)?
Status: Not Assessed (Compliant / Partial / Gap)
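What "enforcing compatibility rules" means in practice is easy to test against a vendor: a registry must reject a schema change that would break a reader on the other side of the topic. The following is an added example, not code from the checklist or from any registry product; it models a schema as a minimal field-name to (type, required) map and uses the usual definitions (backward: consumers on the new schema can read old data; forward: consumers on the old schema can read new data; full: both). The `register` gate and the sample payment schemas are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Field:
    type: str
    required: bool = True   # required = no default; a reader cannot synthesise it

Schema = dict[str, Field]  # field name -> Field (simplified model, not a real registry format)

def reader_can_read(reader: Schema, writer: Schema) -> list[str]:
    """Problems a consumer using `reader` has with records written under `writer`.
    An empty list means the pair is compatible. Fields the writer emits that the
    reader does not know are simply ignored, so they never cause a problem."""
    problems = []
    for name, rf in reader.items():
        wf = writer.get(name)
        if wf is None:
            if rf.required:
                problems.append(f"reader requires field '{name}' that the writer does not produce")
        elif wf.type != rf.type:
            problems.append(f"field '{name}' type changed {wf.type} -> {rf.type}")
    return problems

def check_compatibility(old: Schema, new: Schema, mode: str) -> list[str]:
    """Evaluate a proposed change old -> new under BACKWARD, FORWARD or FULL."""
    mode = mode.upper()
    if mode == "BACKWARD":      # consumers on NEW read data written with OLD
        return reader_can_read(reader=new, writer=old)
    if mode == "FORWARD":       # consumers on OLD read data written with NEW
        return reader_can_read(reader=old, writer=new)
    if mode == "FULL":
        return (check_compatibility(old, new, "BACKWARD")
                + check_compatibility(old, new, "FORWARD"))
    raise ValueError(f"unknown compatibility mode: {mode}")

def register(registry: dict[str, list[Schema]], subject: str,
             candidate: Schema, mode: str = "FULL") -> int:
    """Registration gate: accept `candidate` for `subject` only if it is compatible
    with the latest registered version. Returns the new version number."""
    versions = registry.setdefault(subject, [])
    if versions:
        problems = check_compatibility(versions[-1], candidate, mode)
        if problems:
            raise ValueError(f"{subject}: rejected under {mode} compatibility: "
                             + "; ".join(problems))
    versions.append(candidate)
    return len(versions)

# Constructed sample: a payment event evolving over time.
V1 = {"id": Field("string"), "amount": Field("decimal")}
V2_REQUIRED = {**V1, "currency": Field("string", required=True)}    # breaks backward
V2_OPTIONAL = {**V1, "currency": Field("string", required=False)}   # safe under FULL
V3_DROP = {"id": Field("string")}                                   # breaks forward

def demo() -> dict[str, int]:
    """Run the gate over the sample schemas; returns accepted version numbers."""
    registry: dict[str, list[Schema]] = {}
    accepted = {"v1": register(registry, "payments", V1)}
    accepted["v2_optional"] = register(registry, "payments", V2_OPTIONAL)
    try:
        register(registry, "payments", V2_REQUIRED)
    except ValueError as exc:
        print("rejected:", exc)
    return accepted

if __name__ == "__main__":
    print(demo())
```

Run it against the vendor's registry with the same three changes: adding a required field must be rejected under backward or full compatibility, dropping a required field must be rejected under forward or full, and adding an optional field must pass everywhere. A registry that accepts all three "enforces" nothing.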
REQ 2.3: Data Classification and Tagging
Requirement: Field-level classification with policy enforcement through transformations
Regulatory Basis: GDPR, PCI DSS
Assessment questions:
- Can data be classified at field level within streams?
- Can policies be enforced based on classifications (masking, routing)?
- Is there automatic PII detection capability?
Status: Not Assessed (Compliant / Partial / Gap)
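The three questions above describe one control: a per-field classification tag, a policy keyed on that tag, and an enforcement point that transforms and routes each record before it leaves the boundary. The following is an added example, not code from the checklist or any vendor; the tag names (PUBLIC, INTERNAL, PII, PCI), the topic names, the sample record and the detection patterns are all constructed for illustration. Unclassified fields are dropped (fail closed) and separately reported by a simple PII detector, which is the behaviour a reviewer should look for when a vendor claims "automatic PII detection".

```python
from __future__ import annotations
import hashlib
import re

# Constructed classification for a payment event: field -> tag.
CLASSIFICATION = {
    "txn_id": "PUBLIC",
    "amount": "INTERNAL",
    "customer_email": "PII",
    "card_number": "PCI",
}

# Constructed policy: tag -> (action applied to the field, topic it may be routed to).
POLICY = {
    "PUBLIC":   ("pass", "events.public"),
    "INTERNAL": ("pass", "events.internal"),
    "PII":      ("pseudonymise", "events.restricted"),
    "PCI":      ("mask", "events.restricted"),
}
# Higher rank = more restrictive; a record goes to the most restrictive topic its fields need.
TOPIC_RANK = {"events.public": 0, "events.internal": 1, "events.restricted": 2}

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
PAN_RE = re.compile(r"^(?:\d[ -]?){13,19}$")   # 13-19 digits with optional separators

def mask_pan(pan: str) -> str:
    """Display-style mask: keep only the last four digits."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]

def pseudonymise(value: str, salt: bytes) -> str:
    """Keyed one-way token so the same input joins consistently downstream
    without exposing the raw value (salt is a secret in a real deployment)."""
    return hashlib.sha256(salt + value.encode()).hexdigest()[:16]

def enforce(record: dict, classification: dict = CLASSIFICATION, policy: dict = POLICY,
            salt: bytes = b"constructed-secret-salt") -> tuple[str, dict]:
    """Apply the classification policy to one record.
    Returns (destination_topic, transformed_record). Fields with no classification
    are dropped so that an unknown field can never leak past the enforcement point."""
    out: dict = {}
    destinations: list[str] = []
    for name, value in record.items():
        tag = classification.get(name)
        if tag is None:
            continue                      # fail closed on unclassified fields
        action, topic = policy[tag]
        if action == "pass":
            out[name] = value
        elif action == "mask":
            out[name] = mask_pan(str(value))
        elif action == "pseudonymise":
            out[name] = pseudonymise(str(value), salt)
        else:
            raise ValueError(f"unknown policy action {action!r} for tag {tag}")
        destinations.append(topic)
    topic = max(destinations, key=TOPIC_RANK.__getitem__, default="events.public")
    return topic, out

def detect_unclassified_pii(record: dict, classification: dict = CLASSIFICATION) -> list[str]:
    """Names of unclassified fields whose values look like an e-mail address or a card number.
    This is what feeds a 'classification gap' alert before the record is dropped."""
    hits = []
    for name, value in record.items():
        if name in classification:
            continue
        text = str(value)
        if EMAIL_RE.search(text) or PAN_RE.match(text):
            hits.append(name)
    return hits

# Constructed sample record; 'debug_note' is an unclassified field carrying an e-mail.
SAMPLE = {
    "txn_id": "t-1",
    "amount": 12.5,
    "customer_email": "alice@example.com",
    "card_number": "4111 1111 1111 1111",
    "debug_note": "contact bob@example.org",
}

if __name__ == "__main__":
    print("classification gaps:", detect_unclassified_pii(SAMPLE))
    print(enforce(SAMPLE))
```

The evaluation question this answers is whether the platform can do all three steps inside the stream, at the transformation, rather than relying on every consumer to apply masking itself.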
REQ 2.4: Comprehensive Audit Trails
Requirement: All data access events logged with identity, configuration changes captured
Regulatory Basis: DORA, SOX, GDPR Art 30
Assessment questions:
- Are all data access events logged with user identity?
- Can audit logs be exported to SIEM systems?
- Are configuration changes captured with before/after state?
Common Gap: Generic platforms log infrastructure events only, not streaming operations and data access.
Status: Not Assessed (Compliant / Partial / Gap)
REQ 2.5: Data Retention and Deletion
Requirement: Enforceable retention policies at streaming layer with selective deletion
Regulatory Basis: GDPR Art 5, Art 17 (right to erasure)
Assessment questions:
- Can retention policies be set at topic/stream level?
- Can deletion be verified and audited?
- Are deletion requests propagated to downstream systems?
- Is selective deletion supported and auditable?
Status: Not Assessed (Compliant / Partial / Gap)
3. Security and Zero Trust
REQ 3.1: Identity-Based Access Control
Requirement: Enterprise IdP integration with MFA, short-lived credentials, mutual TLS
Regulatory Basis: DORA/NIS2, Zero Trust principles
Assessment questions:
- Does the platform integrate with an enterprise IdP (SAML, OIDC)?
- Is MFA supported and enforceable?
- Are short-lived credentials supported (not long-lived API keys)?
- Can service-to-service communication use mutual TLS?
Status: Not Assessed (Compliant / Partial / Gap)
REQ 3.2: Fine-Grained Authorization
Requirement: Permissions at topic, stream, and consumer group level with RBAC/ABAC
Regulatory Basis: Zero Trust: least privilege, DORA
Assessment questions:
- Can permissions be set at topic, stream, or consumer group level?
- Can authorization policies be attribute-based (ABAC) or role-based (RBAC)?
- Is there separation between read, write, and admin permissions?
- Are row-level and column-level access controls available?
Status: Not Assessed (Compliant / Partial / Gap)
REQ 3.3: Encryption Everywhere
Requirement: TLS for all communication, BYOK, field-level encryption, key rotation
Regulatory Basis: Zero Trust: assume breach, GDPR, NIS2
Assessment questions:
- Can you bring your own encryption keys (BYOK)?
- Is field-level encryption available for sensitive data elements?
- Can encryption keys be rotated without downtime?
Status: Not Assessed (Compliant / Partial / Gap)
REQ 3.4: Network Isolation
Requirement: VPC/private network operation with Private Link and control/data plane isolation
Regulatory Basis: Zero Trust: micro-segmentation, NIS2
Assessment questions:
- Can the platform run entirely within your VPC/private network?
- Are Private Link/Private Endpoints supported?
- Is ingress/egress controllable at network policy level?
- Can traffic between components be isolated (control plane vs. data plane)?
Status: Not Assessed (Compliant / Partial / Gap)
REQ 3.5: Security Monitoring and Threat Detection
Requirement: Real-time anomaly detection, SIEM integration, security alerting
Regulatory Basis: DORA real-time monitoring, NIS2
Assessment questions:
- Can security events be streamed to a SIEM in real time?
- Are there built-in alerts for security-relevant events?
- Is there integration with vulnerability scanning tools?
- Does the platform provide anomaly detection for data patterns?
Status: Not Assessed (Compliant / Partial / Gap)
REQ 3.6: Vendor and Support Access Controls
Requirement: Controllable vendor access with break-glass procedures and geographic restrictions
Regulatory Basis: DORA, supervisory expectations
Assessment questions:
- Can vendor support access be completely disabled in self-managed deployments?
- Is there a documented break-glass procedure for emergency vendor access?
- Is support provided from jurisdictions compatible with your regulatory requirements?
- Are all support access events logged with full attribution?
- Can you restrict support personnel by geographic location?
Status: Not Assessed (Compliant / Partial / Gap)
4. AI/ML Governance
REQ 4.1: Model Versioning and Registry
Requirement: Model registry integration with version-to-training-data linkage and audit trail
Regulatory Basis: SR 11-7 principles, EU AI Act
Assessment questions:
- Does the platform provide a native model registry or support external registries?
- Can model versions be linked to training data versions?
- Can you query historical model predictions with the model version used?
- Is there an audit trail for model deployment and rollback?
Status: Not Assessed (Compliant / Partial / Gap)
REQ 4.2: Real-Time Model Monitoring
Requirement: Continuous data drift detection, performance metrics, and automated alerts
Regulatory Basis: Model risk management, EU AI Act
Assessment questions:
- Can the platform detect data drift in input features in real time?
- Are model performance metrics computed continuously?
- Is there support for A/B testing and canary deployments?
- Can automated alerts trigger on drift thresholds?
Status: Not Assessed (Compliant / Partial / Gap)
REQ 4.3: Explainability and Interpretability
Requirement: Feature importance extraction, individual prediction explanations, audit storage
Regulatory Basis: EU AI Act, fair lending regulations
Assessment questions:
- Can individual predictions be explained (SHAP, LIME, or equivalent)?
- Does the platform support feature importance extraction?
- Can explanations be generated in real time for streaming predictions?
- Are explanations captured and stored for audit?
Status: Not Assessed (Compliant / Partial / Gap)
REQ 4.4: Bias Detection and Fairness
Requirement: Fairness metrics across protected classes with continuous monitoring
Regulatory Basis: EU AI Act, fair lending laws
Assessment questions:
- Can the platform compute fairness metrics across protected classes?
- Is bias monitoring continuous (rather than periodic)?
- Are fairness constraints enforceable in model serving?
- Can bias alerts trigger automated model rollback?
Status: Not Assessed (Compliant / Partial / Gap)
REQ 4.5: Training Data Governance
Requirement: Versioned training data capture from streaming pipelines with quality gates
Regulatory Basis: EU AI Act Art 10, model risk management
Assessment questions:
- Can training data be captured from streaming pipelines with versioning?
- Is there lineage from training data to model version?
- Is there support for feature stores with governance?
- Can data quality checks gate training pipelines?
Status: Not Assessed (Compliant / Partial / Gap)
5. Operational Excellence
REQ 5.1: High Availability Architecture
Requirement: Multi-AZ deployment, automatic failover, zero-downtime upgrades
Regulatory Basis: DORA, FSI availability targets
Assessment questions:
- Does the platform support multi-AZ deployment?
- Is automatic failover supported without data loss?
- Can upgrades be performed with zero downtime?
Status: Not Assessed (Compliant / Partial / Gap)
REQ 5.2: Disaster Recovery
Requirement: Checkpoint-based recovery with tested RTO/RPO and non-disruptive DR testing
Regulatory Basis: DORA Art 11, EBA
Assessment questions:
- Is checkpoint-based recovery supported from durable storage?
- Can DR be tested without impacting production?
Status: Not Assessed (Compliant / Partial / Gap)
REQ 5.3: Autoscaling and Performance
Requirement: Automatic scaling based on throughput without job restart or data loss
Regulatory Basis: DORA reliable operation
Assessment questions:
- Does the platform autoscale based on throughput metrics?
- Can resource limits be set to control costs?
- Can scaling happen without job restart or data loss?
Status: Not Assessed (Compliant / Partial / Gap)
REQ 5.4: Incident Management Integration
Requirement: ITSM integration with automatic incident creation and severity classification
Regulatory Basis: DORA 4-hour incident reporting
Assessment questions:
- Does the platform integrate with ITSM tools (ServiceNow, Jira)?
- Is incident severity automatically classified?
- Are runbooks supported for automated remediation?
- Can incidents be automatically created from alerts?
Status: Not Assessed (Compliant / Partial / Gap)
REQ 5.5: Resilience Testing Support
Requirement: Production-like test environments, chaos engineering, penetration testing
Regulatory Basis: DORA threat-led penetration testing
Assessment questions:
- Can production-like environments be created for testing?
- Is chaos engineering supported (fault injection)?
- Can DR scenarios be tested with synthetic data?
- Does the vendor provide penetration testing reports?
Status: Not Assessed (Compliant / Partial / Gap)
Sovereignty Audit Summary
Scoring Guide (out of 26 requirements)
| Score | Interpretation |
|---|---|
| 22-26 | Strong sovereignty posture, suitable for regulated FSI workloads |
| 16-21 | Moderate gaps, may require compensating controls |
| 10-15 | Significant gaps, not recommended without remediation |
| 0-9 | Not suitable for FSI sovereignty requirements |
| Category | Total | Compliant | Partial | Gap | Not Assessed |
|---|---|---|---|---|---|
| Deployment & Infrastructure | 5 | 0 | 0 | 0 | 5 |
| Data Governance | 5 | 0 | 0 | 0 | 5 |
| Security & Zero Trust | 6 | 0 | 0 | 0 | 6 |
| AI/ML Governance | 5 | 0 | 0 | 0 | 5 |
| Operational Excellence | 5 | 0 | 0 | 0 | 5 |
| TOTAL | 26 | 0 | 0 | 0 | 26 |
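The interactive page derives each requirement's status from its answers and fills the summary table and score automatically, but it does not publish the derivation rule. The following is an added example, not the page's own logic; the rule it encodes is an assumption: every answer Yes gives Compliant, any No gives Gap, otherwise (some Partially, no No) Partial, and any unanswered question leaves the requirement Not Assessed. The score is likewise assumed to be the count of Compliant requirements (Partial earns no credit), mapped through the scoring guide above. Category sizes come from the summary table; the sample assessment is constructed.

```python
from __future__ import annotations
from collections import Counter
from typing import Optional

# Category -> number of requirements, taken from the summary table on the page.
CATEGORIES = {
    "Deployment & Infrastructure": 5,
    "Data Governance": 5,
    "Security & Zero Trust": 6,
    "AI/ML Governance": 5,
    "Operational Excellence": 5,
}
VALID_ANSWERS = {"Yes", "No", "Partially"}
STATUSES = ("Compliant", "Partial", "Gap", "Not Assessed")

def requirement_status(answers: list[Optional[str]]) -> str:
    """Derive one requirement's status from its assessment answers (assumed rule)."""
    if not answers or any(a is None for a in answers):
        return "Not Assessed"
    unknown = set(answers) - VALID_ANSWERS
    if unknown:
        raise ValueError(f"invalid answer(s): {sorted(unknown)}")
    if "No" in answers:
        return "Gap"            # a single unmet question is a sovereignty gap
    if "Partially" in answers:
        return "Partial"        # met only with workarounds or compensating controls
    return "Compliant"

def summarize(assessment: dict[str, dict[str, list[Optional[str]]]]) -> dict[str, Counter]:
    """Build the per-category summary table.
    assessment: category -> {requirement id -> list of answers}. Requirements that
    were never entered count as Not Assessed so the row totals always match the table."""
    summary: dict[str, Counter] = {}
    for category, total in CATEGORIES.items():
        reqs = assessment.get(category, {})
        if len(reqs) > total:
            raise ValueError(f"{category}: {len(reqs)} requirements entered, table has {total}")
        counts = Counter({s: 0 for s in STATUSES})
        for answers in reqs.values():
            counts[requirement_status(answers)] += 1
        counts["Not Assessed"] += total - len(reqs)
        summary[category] = counts
    return summary

def score(summary: dict[str, Counter]) -> int:
    """Assumed scoring: one point per Compliant requirement, maximum 26."""
    return sum(c["Compliant"] for c in summary.values())

def interpret(points: int) -> str:
    """Map a score onto the page's scoring guide bands."""
    if not 0 <= points <= sum(CATEGORIES.values()):
        raise ValueError(f"score out of range: {points}")
    if points >= 22:
        return "Strong sovereignty posture, suitable for regulated FSI workloads"
    if points >= 16:
        return "Moderate gaps, may require compensating controls"
    if points >= 10:
        return "Significant gaps, not recommended without remediation"
    return "Not suitable for FSI sovereignty requirements"

# Constructed sample: only the first category has been worked through.
SAMPLE_ASSESSMENT = {
    "Deployment & Infrastructure": {
        "REQ 1.1": ["Yes", "Yes", "Yes", "Yes"],
        "REQ 1.2": ["Yes", "Yes", "Partially"],
        "REQ 1.3": ["Yes", "No", "Yes", "Yes"],
        "REQ 1.4": ["Yes", None],          # second question not yet answered
        "REQ 1.5": ["Yes", "Yes", "Yes"],
    },
}

def render(summary: dict[str, Counter]) -> str:
    """Render the summary in the same markdown table layout as the page."""
    lines = ["| Category | Total | Compliant | Partial | Gap | Not Assessed |",
             "|---|---|---|---|---|---|"]
    for category, total in CATEGORIES.items():
        c = summary[category]
        lines.append(f"| {category} | {total} | {c['Compliant']} | {c['Partial']} | "
                     f"{c['Gap']} | {c['Not Assessed']} |")
    totals = Counter()
    for c in summary.values():
        totals.update(c)
    lines.append(f"| TOTAL | {sum(CATEGORIES.values())} | {totals['Compliant']} | "
                 f"{totals['Partial']} | {totals['Gap']} | {totals['Not Assessed']} |")
    return "\n".join(lines)

if __name__ == "__main__":
    s = summarize(SAMPLE_ASSESSMENT)
    print(render(s))
    print(score(s), "->", interpret(score(s)))
```

Because a single No turns a requirement into a Gap, the score rewards vendors that meet every question in a requirement natively, which matches the response table's definition of Yes; if your programme wants partial credit, change `score` rather than the status rule so the summary table still reads the same way.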