{ "id": "deployment-topology-regulatory-alignment", "title": "Core banking deployment topology and regulatory alignment — multi-tenant SaaS vs single-tenant in customer cloud account", "description": "Primary-source-cited buyer guide and graph comparing regulatory control implications of multi-tenant vendor-controlled SaaS and single-tenant customer-cloud deployment topologies for core banking software across DORA, EBA outsourcing, PRA/FCA outsourcing, FINMA Circular 2018/3, GDPR, EU cybersecurity certification and FSB concentration-risk materials.", "layout": "cose-radar", "lastReviewed": "2026-05-08", "evidenceCutoff": "2026-05-08", "nodes": [ { "id": "topology-a-multitenant-vendor-saas", "label": "Topology A — multi-tenant SaaS in vendor-controlled cloud", "type": "deployment-topology", "subtype": "multi-tenant-saas", "summary": "Core banking software operated as multi-tenant SaaS in a vendor-controlled cloud environment.", "description": "Vendor controls the application runtime, shared platform layer, release process and most operating evidence. The financial institution remains accountable under DORA, EBA, PRA/FCA or FINMA rules where the service is outsourcing or an ICT third-party arrangement.", "url": null, "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08", "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss, accessed 2026-05-08" ], "tags": [ "deployment-topology", "multi-tenant-saas", "vendor-controlled-cloud" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "topology-b-single-tenant-customer-cloud", "label": "Topology B — single-tenant in customer cloud account", "type": "deployment-topology", "subtype": "single-tenant-customer-cloud", "summary": "Core banking software deployed into a single-tenant customer-controlled cloud or private-cloud boundary.", "description": "The institution controls more of the runtime boundary, cloud account, IAM, logging and regional configuration, while the software vendor may still provide support, release, managed-service or maintenance activities that remain within outsourcing and ICT third-party-risk controls.", "url": null, "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss, accessed 2026-05-08", "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en, accessed 2026-05-08" ], "tags": [ "deployment-topology", "single-tenant", "customer-cloud" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "control-outsourcing-classification", "label": "Outsourcing classification", "type": "control", "subtype": "outsourcing-classification", "summary": "Determine whether the arrangement is outsourcing, material outsourcing, or an ICT third-party service supporting a critical or important function.", "description": "Determine whether the arrangement is outsourcing, material outsourcing, or an ICT third-party service supporting a critical or important function. Evidence edges identify the primary framework source used for the control.", "url": null, "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08" ], "tags": [ "control", "outsourcing-classification" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "control-ctpp-designation", "label": "CTPP designation and oversight", "type": "control", "subtype": "ctpp-designation", "summary": "Assess whether provider reliance contributes to DORA Critical Third-Party Provider designation or oversight exposure.", "description": "Assess whether provider reliance contributes to DORA Critical Third-Party Provider designation or oversight exposure. Evidence edges identify the primary framework source used for the control.", "url": null, "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08" ], "tags": [ "control", "ctpp-designation" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "control-audit-rights", "label": "Access, inspection and audit rights", "type": "control", "subtype": "audit-rights", "summary": "Preserve audit and inspection rights for the institution, appointed auditors and competent authorities.", "description": "Preserve audit and inspection rights for the institution, appointed auditors and competent authorities. Evidence edges identify the primary framework source used for the control.", "url": null, "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08" ], "tags": [ "control", "audit-rights" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "control-subcontractor-chain", "label": "Subcontractor-chain governance", "type": "control", "subtype": "subcontractor-chain", "summary": "Control, monitor and evidence subcontracting and sub-outsourcing for critical or important ICT services.", "description": "Control, monitor and evidence subcontracting and sub-outsourcing for critical or important ICT services. Evidence edges identify the primary framework source used for the control.", "url": null, "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08" ], "tags": [ "control", "subcontractor-chain" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "control-exit-strategy", "label": "Exit strategy and portability", "type": "control", "subtype": "exit-strategy", "summary": "Document, test and operationalise exit without undue disruption, regulatory non-compliance or continuity loss.", "description": "Document, test and operationalise exit without undue disruption, regulatory non-compliance or continuity loss. Evidence edges identify the primary framework source used for the control.", "url": null, "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08" ], "tags": [ "control", "exit-strategy" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "control-data-sovereignty", "label": "Data sovereignty and localisation", "type": "control", "subtype": "data-sovereignty", "summary": "Identify data processing and storage locations, transfer mechanics, foreign outsourcing and certification posture.", "description": "Identify data processing and storage locations, transfer mechanics, foreign outsourcing and certification posture. Evidence edges identify the primary framework source used for the control.", "url": null, "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08" ], "tags": [ "control", "data-sovereignty" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "control-concentration-risk", "label": "Concentration-risk management", "type": "control", "subtype": "concentration-risk", "summary": "Assess reliance on common providers, non-substitutability and systemic third-party dependencies.", "description": "Assess reliance on common providers, non-substitutability and systemic third-party dependencies. Evidence edges identify the primary framework source used for the control.", "url": null, "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08" ], "tags": [ "control", "concentration-risk" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "control-operational-resilience", "label": "Operational-resilience boundary", "type": "control", "subtype": "operational-resilience", "summary": "Map governance, ICT risk management, important business services and resilience execution boundaries.", "description": "Map governance, ICT risk management, important business services and resilience execution boundaries. Evidence edges identify the primary framework source used for the control.", "url": null, "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08" ], "tags": [ "control", "operational-resilience" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "control-primary-source-not-located", "label": "primary-source-not-located", "type": "control", "subtype": "primary-source-not-located", "summary": "Reserved marker for unresolved regulatory or deployment questions where primary-source evidence was not located.", "description": "Reserved marker for unresolved regulatory or deployment questions where primary-source evidence was not located. Evidence edges identify the primary framework source used for the control.", "url": null, "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08" ], "tags": [ "control", "primary-source-not-located" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "control-coi-recusal", "label": "Corebanq COI recusal", "type": "control", "subtype": "coi-recusal", "summary": "Corebanq is recused from qualitative ranking; topology analysis is category-level rather than product-specific.", "description": "Corebanq is recused from qualitative ranking; topology analysis is category-level rather than product-specific. Evidence edges identify the primary framework source used for the control.", "url": null, "evidence": [ "https://finray.tech/platforms/corebanq/, accessed 2026-05-08" ], "tags": [ "control", "coi-recusal" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "reg-eu-legislators", "label": "European Parliament and Council", "type": "regulator", "subtype": "eu-legislator", "summary": "EU co-legislators for DORA, GDPR and the Cybersecurity Act.", "description": "EU co-legislators for DORA, GDPR and the Cybersecurity Act.", "url": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08" ], "tags": [ "regulator", "eu-legislator" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "reg-european-commission", "label": "European Commission", "type": "regulator", "subtype": "eu-commission", "summary": "Adopts DORA delegated and implementing regulations under the Level 2 framework.", "description": "Adopts DORA delegated and implementing regulations under the Level 2 framework.", "url": "https://eur-lex.europa.eu/eli/reg_del/2024/1502/oj/eng", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1502/oj/eng, accessed 2026-05-08" ], "tags": [ "regulator", "eu-commission" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "reg-esas", "label": "European Supervisory Authorities", "type": "regulator", "subtype": "esa-coordination", "summary": "Joint EBA, EIOPA and ESMA coordination for DORA CTPP designation and oversight.", "description": "Joint EBA, EIOPA and ESMA coordination for DORA CTPP designation and oversight.", "url": "https://www.eiopa.europa.eu/european-supervisory-authorities-designate-critical-ict-third-party-providers-under-digital-2025-11-18_en", "evidence": [ "https://www.eiopa.europa.eu/european-supervisory-authorities-designate-critical-ict-third-party-providers-under-digital-2025-11-18_en, accessed 2026-05-08" ], "tags": [ "regulator", "esa-coordination" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "reg-eba", "label": "European Banking Authority", "type": "regulator", "subtype": "banking-regulator", "summary": "EU banking authority issuing outsourcing guidelines and participating in DORA oversight.", "description": "EU banking authority issuing outsourcing guidelines and participating in DORA oversight.", "url": "https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/guidelines-outsourcing-arrangements", "evidence": [ "https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/guidelines-outsourcing-arrangements, accessed 2026-05-08" ], "tags": [ "regulator", "banking-regulator" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "reg-pra", "label": "Prudential Regulation Authority", "type": "regulator", "subtype": "uk-prudential-regulator", "summary": "UK prudential supervisor issuing SS2/21 and operational resilience supervisory statements.", "description": "UK prudential supervisor issuing SS2/21 and operational resilience supervisory statements.", "url": "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss", "evidence": [ "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss, accessed 2026-05-08" ], "tags": [ "regulator", "uk-prudential-regulator" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "reg-fca", "label": "Financial Conduct Authority", "type": "regulator", "subtype": "uk-conduct-regulator", "summary": "UK conduct regulator maintaining SYSC 8 and cloud outsourcing guidance.", "description": "UK conduct regulator maintaining SYSC 8 and cloud outsourcing guidance.", "url": "https://handbook.fca.org.uk/handbook/SYSC/8/1.html", "evidence": [ "https://handbook.fca.org.uk/handbook/SYSC/8/1.html, accessed 2026-05-08" ], "tags": [ "regulator", "uk-conduct-regulator" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "reg-finma", "label": "Swiss Financial Market Supervisory Authority", "type": "regulator", "subtype": "swiss-regulator", "summary": "Swiss supervisor issuing Circular 2018/3 on outsourcing by banks, insurers and financial institutions.", "description": "Swiss supervisor issuing Circular 2018/3 on outsourcing by banks, insurers and financial institutions.", "url": "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en", "evidence": [ "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en, accessed 2026-05-08" ], "tags": [ "regulator", "swiss-regulator" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "reg-fsb", "label": "Financial Stability Board", "type": "regulator", "subtype": "standard-setter", "summary": "International standard-setting body issuing the third-party risk management and oversight toolkit.", "description": "International standard-setting body issuing the third-party risk management and oversight toolkit.", "url": "https://www.fsb.org/2023/12/final-report-on-enhancing-third-party-risk-management-and-oversight-a-toolkit-for-financial-institutions-and-financial-authorities/", "evidence": [ "https://www.fsb.org/2023/12/final-report-on-enhancing-third-party-risk-management-and-oversight-a-toolkit-for-financial-institutions-and-financial-authorities/, accessed 2026-05-08" ], "tags": [ "regulator", "standard-setter" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "reg-enisa", "label": "European Union Agency for Cybersecurity", "type": "regulator", "subtype": "cybersecurity-agency", "summary": "EU cybersecurity agency preparing and publishing certification framework material under the Cybersecurity Act.", "description": "EU cybersecurity agency preparing and publishing certification framework material under the Cybersecurity Act.", "url": "https://www.enisa.europa.eu/topics/product-security-and-certification/cybersecurity-certification-framework", "evidence": [ "https://www.enisa.europa.eu/topics/product-security-and-certification/cybersecurity-certification-framework, accessed 2026-05-08" ], "tags": [ "regulator", "cybersecurity-agency" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "dora", "label": "DORA Regulation (EU) 2022/2554", "type": "regulation", "subtype": "regulation", "summary": "EU digital operational resilience framework covering ICT governance, third-party-risk and CTPP oversight.", "description": "EU digital operational resilience framework covering ICT governance, third-party-risk and CTPP oversight.", "url": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08" ], "tags": [ "regulation", "regulation" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "dora-ctpp-criteria-2024-1502", "label": "DORA CTPP designation criteria — Regulation 2024/1502", "type": "regulation", "subtype": "delegated-regulation", "summary": "Specifies criteria for designating ICT third-party providers as critical under DORA Article 31.", "description": "Specifies criteria for designating ICT third-party providers as critical under DORA Article 31.", "url": "https://eur-lex.europa.eu/eli/reg_del/2024/1502/oj/eng", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1502/oj/eng, accessed 2026-05-08" ], "tags": [ "regulation", "delegated-regulation" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "dora-ict-risk-rts-2024-1774", "label": "DORA ICT risk-management RTS — Regulation 2024/1774", "type": "regulation", "subtype": "delegated-regulation", "summary": "Specifies ICT risk-management framework elements under DORA.", "description": "Specifies ICT risk-management framework elements under DORA.", "url": "https://eur-lex.europa.eu/eli/reg_del/2024/1774/oj/eng", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1774/oj/eng, accessed 2026-05-08" ], "tags": [ "regulation", "delegated-regulation" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "dora-contract-policy-rts-2024-1773", "label": "DORA ICT third-party policy RTS — Regulation 2024/1773", "type": "regulation", "subtype": "delegated-regulation", "summary": "Specifies ICT third-party service policy requirements under DORA.", "description": "Specifies ICT third-party service policy requirements under DORA.", "url": "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng, accessed 2026-05-08" ], "tags": [ "regulation", "delegated-regulation" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "dora-register-its-2024-2956", "label": "DORA register-of-information ITS — Regulation 2024/2956", "type": "regulation", "subtype": "implementing-regulation", "summary": "Lays down standard templates for the register of information on ICT third-party arrangements.", "description": "Lays down standard templates for the register of information on ICT third-party arrangements.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj/eng", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj/eng, accessed 2026-05-08" ], "tags": [ "regulation", "implementing-regulation" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "dora-subcontracting-rts-2025-532", "label": "DORA subcontracting RTS — Regulation 2025/532", "type": "regulation", "subtype": "delegated-regulation", "summary": "Specifies elements for determining and assessing subcontracting of ICT services supporting critical or important functions.", "description": "Specifies elements for determining and assessing subcontracting of ICT services supporting critical or important functions.", "url": "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj/eng", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj/eng, accessed 2026-05-08" ], "tags": [ "regulation", "delegated-regulation" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "eba-outsourcing-guidelines", "label": "EBA Guidelines on outsourcing arrangements", "type": "regulation", "subtype": "guideline", "summary": "EU outsourcing framework for institutions, payment institutions and electronic money institutions.", "description": "EU outsourcing framework for institutions, payment institutions and electronic money institutions.", "url": "https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/guidelines-outsourcing-arrangements", "evidence": [ "https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/guidelines-outsourcing-arrangements, accessed 2026-05-08" ], "tags": [ "regulation", "guideline" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "pra-ss2-21", "label": "PRA SS2/21 — Outsourcing and third party risk management", "type": "regulation", "subtype": "supervisory-statement", "summary": "PRA expectations for outsourcing and third-party risk management, including cloud outsourcing.", "description": "PRA expectations for outsourcing and third-party risk management, including cloud outsourcing.", "url": "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss", "evidence": [ "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss, accessed 2026-05-08" ], "tags": [ "regulation", "supervisory-statement" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "pra-ss1-21", "label": "PRA SS1/21 — Operational resilience", "type": "regulation", "subtype": "supervisory-statement", "summary": "PRA expectations for important business services and impact tolerances.", "description": "PRA expectations for important business services and impact tolerances.", "url": "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/operational-resilience-impact-tolerances-for-important-business-services-ss", "evidence": [ "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/operational-resilience-impact-tolerances-for-important-business-services-ss, accessed 2026-05-08" ], "tags": [ "regulation", "supervisory-statement" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "fca-sysc-8", "label": "FCA SYSC 8 outsourcing requirements", "type": "regulation", "subtype": "handbook", "summary": "FCA handbook chapter on outsourcing requirements and regulatory monitoring.", "description": "FCA handbook chapter on outsourcing requirements and regulatory monitoring.", "url": "https://handbook.fca.org.uk/handbook/SYSC/8/1.html", "evidence": [ "https://handbook.fca.org.uk/handbook/SYSC/8/1.html, accessed 2026-05-08" ], "tags": [ "regulation", "handbook" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "fca-fg16-5", "label": "FCA FG16/5 — Cloud and third-party IT outsourcing", "type": "regulation", "subtype": "guidance", "summary": "FCA guidance for firms outsourcing to cloud and other third-party IT services.", "description": "FCA guidance for firms outsourcing to cloud and other third-party IT services.", "url": "https://www.fca.org.uk/publication/finalised-guidance/fg16-5.pdf", "evidence": [ "https://www.fca.org.uk/publication/finalised-guidance/fg16-5.pdf, accessed 2026-05-08" ], "tags": [ "regulation", "guidance" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "finma-circ-2018-3", "label": "FINMA Circular 2018/3 — Outsourcing", "type": "regulation", "subtype": "circular", "summary": "Swiss supervisory requirements for outsourcing at banks, insurers and financial institutions.", "description": "Swiss supervisory requirements for outsourcing at banks, insurers and financial institutions.", "url": "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en", "evidence": [ "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en, accessed 2026-05-08" ], "tags": [ "regulation", "circular" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "gdpr", "label": "GDPR Regulation (EU) 2016/679", "type": "regulation", "subtype": "regulation", "summary": "EU data-protection regulation, including Chapter V transfer controls.", "description": "EU data-protection regulation, including Chapter V transfer controls.", "url": "https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng, accessed 2026-05-08" ], "tags": [ "regulation", "regulation" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "cybersecurity-act", "label": "EU Cybersecurity Act — Regulation (EU) 2019/881", "type": "regulation", "subtype": "regulation", "summary": "Establishes ENISA mandate and the EU cybersecurity certification framework.", "description": "Establishes ENISA mandate and the EU cybersecurity certification framework.", "url": "https://eur-lex.europa.eu/eli/reg/2019/881/oj/eng", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2019/881/oj/eng, accessed 2026-05-08" ], "tags": [ "regulation", "regulation" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "enisa-eucs-candidate-scheme", "label": "ENISA Candidate EUCS cloud-services scheme", "type": "regulation", "subtype": "candidate-scheme", "summary": "Draft cloud-services certification scheme under the EU cybersecurity certification framework.", "description": "Draft cloud-services certification scheme under the EU cybersecurity certification framework.", "url": "https://certification.enisa.europa.eu/publications/candidate-eucs-scheme-v10_en", "evidence": [ "https://certification.enisa.europa.eu/publications/candidate-eucs-scheme-v10_en, accessed 2026-05-08" ], "tags": [ "regulation", "candidate-scheme" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "fsb-third-party-risk-toolkit", "label": "FSB third-party risk management toolkit", "type": "regulation", "subtype": "toolkit", "summary": "International toolkit for third-party risk management and oversight, including systemic dependencies.", "description": "International toolkit for third-party risk management and oversight, including systemic dependencies.", "url": "https://www.fsb.org/2023/12/final-report-on-enhancing-third-party-risk-management-and-oversight-a-toolkit-for-financial-institutions-and-financial-authorities/", "evidence": [ "https://www.fsb.org/2023/12/final-report-on-enhancing-third-party-risk-management-and-oversight-a-toolkit-for-financial-institutions-and-financial-authorities/, accessed 2026-05-08" ], "tags": [ "regulation", "toolkit" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "vendor-mambu", "label": "Mambu", "type": "vendor", "subtype": "core-banking-vendor", "summary": "Vendor of a cloud-based composable banking architecture.", "description": "Vendor of a cloud-based composable banking architecture.", "url": "https://docs.mambu.com/docs/", "evidence": [ "https://docs.mambu.com/docs/, accessed 2026-05-08" ], "tags": [ "vendor", "core-banking-vendor" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "vendor-thought-machine", "label": "Thought Machine", "type": "vendor", "subtype": "core-banking-vendor", "summary": "Vendor of Vault Core cloud-native core banking platform.", "description": "Vendor of Vault Core cloud-native core banking platform.", "url": "https://www.thoughtmachine.net/vault-core", "evidence": [ "https://www.thoughtmachine.net/vault-core, accessed 2026-05-08" ], "tags": [ "vendor", "core-banking-vendor" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "vendor-tuum", "label": "Tuum", "type": "vendor", "subtype": "core-banking-vendor", "summary": "Vendor of cloud-native API-first core banking platform.", "description": "Vendor of cloud-native API-first core banking platform.", "url": "https://developer.tuumplatform.com/", "evidence": [ "https://developer.tuumplatform.com/, accessed 2026-05-08" ], "tags": [ "vendor", "core-banking-vendor" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "vendor-saascada", "label": "SaaScada", "type": "vendor", "subtype": "core-banking-vendor", "summary": "Vendor of cloud-native core banking platform.", "description": "Vendor of cloud-native core banking platform.", "url": "https://saascada.com/platform/", "evidence": [ "https://saascada.com/platform/, accessed 2026-05-08" ], "tags": [ "vendor", "core-banking-vendor" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "vendor-finray-technologies", "label": "Finray Technologies Limited", "type": "vendor", "subtype": "core-banking-vendor", "summary": "Finray Technologies Limited; producer of Corebanq.", "description": "Finray Technologies Limited; producer of Corebanq.", "url": "https://finray.tech/", "evidence": [ "https://finray.tech/, accessed 2026-05-08" ], "tags": [ "vendor", "core-banking-vendor" ], "isFinrayProduct": true, "coiNote": "Corebanq recusal applies", "watching": null }, { "id": "vendor-aws-emea", "label": "Amazon Web Services EMEA Sarl", "type": "vendor", "subtype": "designated-ctpp", "summary": "DORA-designated critical ICT third-party provider on the ESAs' first Union list.", "description": "DORA-designated critical ICT third-party provider on the ESAs' first Union list.", "url": "https://www.esma.europa.eu/sites/default/files/2025-11/List_of_designated_CTPPs.pdf", "evidence": [ "https://www.esma.europa.eu/sites/default/files/2025-11/List_of_designated_CTPPs.pdf, accessed 2026-05-08" ], "tags": [ "vendor", "designated-ctpp" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "vendor-google-cloud-emea", "label": "Google Cloud EMEA Limited", "type": "vendor", "subtype": "designated-ctpp", "summary": "DORA-designated critical ICT third-party provider on the ESAs' first Union list.", "description": "DORA-designated critical ICT third-party provider on the ESAs' first Union list.", "url": "https://www.esma.europa.eu/sites/default/files/2025-11/List_of_designated_CTPPs.pdf", "evidence": [ "https://www.esma.europa.eu/sites/default/files/2025-11/List_of_designated_CTPPs.pdf, accessed 2026-05-08" ], "tags": [ "vendor", "designated-ctpp" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "vendor-microsoft-ireland", "label": "Microsoft Ireland Operations Limited", "type": "vendor", "subtype": "designated-ctpp", "summary": "DORA-designated critical ICT third-party provider on the ESAs' first Union list.", "description": "DORA-designated critical ICT third-party provider on the ESAs' first Union list.", "url": "https://www.esma.europa.eu/sites/default/files/2025-11/List_of_designated_CTPPs.pdf", "evidence": [ "https://www.esma.europa.eu/sites/default/files/2025-11/List_of_designated_CTPPs.pdf, accessed 2026-05-08" ], "tags": [ "vendor", "designated-ctpp" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "product-mambu-platform", "label": "Mambu Banking Platform", "type": "product", "subtype": "core-banking-product", "summary": "Cloud-based composable banking platform; vendor public source describes multi-tenant SaaS engine.", "description": "Cloud-based composable banking platform; vendor public source describes multi-tenant SaaS engine.", "url": "https://docs.mambu.com/docs/", "evidence": [ "https://docs.mambu.com/docs/, accessed 2026-05-08", "https://mambu.com/en/insights/articles/15-years-of-innovation, accessed 2026-05-08" ], "tags": [ "product", "core-banking-product" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "product-vault-core", "label": "Thought Machine Vault Core", "type": "product", "subtype": "core-banking-product", "summary": "Cloud-native core banking platform offered as SaaS and bank-hosted public/private/hybrid deployment.", "description": "Cloud-native core banking platform offered as SaaS and bank-hosted public/private/hybrid deployment.", "url": "https://www.thoughtmachine.net/vault-core", "evidence": [ "https://www.thoughtmachine.net/vault-core, accessed 2026-05-08" ], "tags": [ "product", "core-banking-product" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "product-tuum-core", "label": "Tuum Core Banking", "type": "product", "subtype": "core-banking-product", "summary": "API-first core banking solution offered as SaaS; documentation refers to multi-tenant logic.", "description": "API-first core banking solution offered as SaaS; documentation refers to multi-tenant logic.", "url": "https://developer.tuumplatform.com/", "evidence": [ "https://developer.tuumplatform.com/, accessed 2026-05-08", "https://developer.tuumplatform.com/getting-started, accessed 2026-05-08" ], "tags": [ "product", "core-banking-product" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "product-saascada-core", "label": "SaaScada Core Banking Platform", "type": "product", "subtype": "core-banking-product", "summary": "Cloud-native core banking platform; public architecture evidence for multi-tenant SaaS was not located.", "description": "Cloud-native core banking platform; public architecture evidence for multi-tenant SaaS was not located.", "url": "https://saascada.com/platform/", "evidence": [ "https://saascada.com/platform/, accessed 2026-05-08" ], "tags": [ "product", "core-banking-product" ], "isFinrayProduct": false, "coiNote": null, "watching": null }, { "id": "product-corebanq", "label": "Corebanq", "type": "product", "subtype": "core-banking-product", "summary": "Corebanq is the Finray product; public page lists multi-tenant managed cloud, single-tenant dedicated cloud, and private-cloud/on-premise deployment.", "description": "Corebanq is the Finray product; public page lists multi-tenant managed cloud, single-tenant dedicated cloud, and private-cloud/on-premise deployment.", "url": "https://finray.tech/platforms/corebanq/", "evidence": [ "https://finray.tech/platforms/corebanq/, accessed 2026-05-08" ], "tags": [ "product", "core-banking-product" ], "isFinrayProduct": true, "coiNote": "Corebanq is recused from qualitative ranking on this page.", "watching": null } ], "edges": [ { "source": "dora", "target": "reg-eu-legislators", "type": "issued-by", "label": "produced by / issued by", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08" ] }, { "source": "dora-ctpp-criteria-2024-1502", "target": "reg-european-commission", "type": "issued-by", "label": "produced by / issued by", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1502/oj/eng, accessed 2026-05-08" ] }, { "source": "dora-ict-risk-rts-2024-1774", "target": "reg-european-commission", "type": "issued-by", "label": "produced by / issued by", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1774/oj/eng, accessed 2026-05-08" ] }, { "source": "dora-contract-policy-rts-2024-1773", "target": "reg-european-commission", "type": "issued-by", "label": "produced by / issued by", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng, accessed 2026-05-08" ] }, { "source": "dora-register-its-2024-2956", "target": "reg-european-commission", "type": "issued-by", "label": "produced by / issued by", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj/eng, accessed 2026-05-08" ] }, { "source": "dora-subcontracting-rts-2025-532", "target": "reg-european-commission", "type": "issued-by", "label": "produced by / issued by", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj/eng, accessed 2026-05-08" ] }, { "source": "eba-outsourcing-guidelines", "target": "reg-eba", "type": "issued-by", "label": "produced by / issued by", "strength": "full", "evidence": [ "https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/guidelines-outsourcing-arrangements, accessed 2026-05-08" ] }, { "source": "pra-ss2-21", "target": "reg-pra", "type": "issued-by", "label": "produced by / issued by", "strength": "full", "evidence": [ "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss, accessed 2026-05-08" ] }, { "source": "pra-ss1-21", "target": "reg-pra", "type": "issued-by", "label": "produced by / issued by", "strength": "full", "evidence": [ "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/operational-resilience-impact-tolerances-for-important-business-services-ss, accessed 2026-05-08" ] }, { "source": "fca-sysc-8", "target": "reg-fca", "type": "issued-by", "label": "produced by / issued by", "strength": "full", "evidence": [ "https://handbook.fca.org.uk/handbook/SYSC/8/1.html, accessed 2026-05-08" ] }, { "source": "fca-fg16-5", "target": "reg-fca", "type": "issued-by", "label": "produced by / issued by", "strength": "full", "evidence": [ "https://www.fca.org.uk/publication/finalised-guidance/fg16-5.pdf, accessed 2026-05-08" ] }, { "source": "finma-circ-2018-3", "target": "reg-finma", "type": "issued-by", "label": "produced by / issued by", "strength": "full", "evidence": [ "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en, accessed 2026-05-08" ] }, { "source": "gdpr", "target": "reg-eu-legislators", "type": "issued-by", "label": "produced by / issued by", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng, accessed 2026-05-08" ] }, { "source": "cybersecurity-act", "target": "reg-eu-legislators", "type": "issued-by", "label": "produced by / issued by", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2019/881/oj/eng, accessed 2026-05-08" ] }, { "source": "enisa-eucs-candidate-scheme", "target": "reg-enisa", "type": "issued-by", "label": "produced by / issued by", "strength": "full", "evidence": [ "https://certification.enisa.europa.eu/publications/candidate-eucs-scheme-v10_en, accessed 2026-05-08" ] }, { "source": "fsb-third-party-risk-toolkit", "target": "reg-fsb", "type": "issued-by", "label": "produced by / issued by", "strength": "full", "evidence": [ "https://www.fsb.org/2023/12/final-report-on-enhancing-third-party-risk-management-and-oversight-a-toolkit-for-financial-institutions-and-financial-authorities/, accessed 2026-05-08" ] }, { "source": "product-mambu-platform", "target": "vendor-mambu", "type": "produced-by", "label": "produced by", "strength": "full", "evidence": [ "https://docs.mambu.com/docs/, accessed 2026-05-08", "https://mambu.com/en/insights/articles/15-years-of-innovation, accessed 2026-05-08" ] }, { "source": "product-vault-core", "target": "vendor-thought-machine", "type": "produced-by", "label": "produced by", "strength": "full", "evidence": [ "https://www.thoughtmachine.net/vault-core, accessed 2026-05-08" ] }, { "source": "product-tuum-core", "target": "vendor-tuum", "type": "produced-by", "label": "produced by", "strength": "full", "evidence": [ "https://developer.tuumplatform.com/, accessed 2026-05-08", "https://developer.tuumplatform.com/getting-started, accessed 2026-05-08" ] }, { "source": "product-saascada-core", "target": "vendor-saascada", "type": "produced-by", "label": "produced by", "strength": "full", "evidence": [ "https://saascada.com/platform/, accessed 2026-05-08" ] }, { "source": "product-corebanq", "target": "vendor-finray-technologies", "type": "produced-by", "label": "produced by", "strength": "full", "evidence": [ "https://finray.tech/platforms/corebanq/, accessed 2026-05-08" ] }, { "source": "dora", "target": "topology-a-multitenant-vendor-saas", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08" ] }, { "source": "dora", "target": "topology-b-single-tenant-customer-cloud", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08" ] }, { "source": "dora-ctpp-criteria-2024-1502", "target": "topology-a-multitenant-vendor-saas", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1502/oj/eng, accessed 2026-05-08" ] }, { "source": "dora-ctpp-criteria-2024-1502", "target": "topology-b-single-tenant-customer-cloud", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1502/oj/eng, accessed 2026-05-08" ] }, { "source": "dora-ict-risk-rts-2024-1774", "target": "topology-a-multitenant-vendor-saas", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1774/oj/eng, accessed 2026-05-08" ] }, { "source": "dora-ict-risk-rts-2024-1774", "target": "topology-b-single-tenant-customer-cloud", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1774/oj/eng, accessed 2026-05-08" ] }, { "source": "dora-contract-policy-rts-2024-1773", "target": "topology-a-multitenant-vendor-saas", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng, accessed 2026-05-08" ] }, { "source": "dora-contract-policy-rts-2024-1773", "target": "topology-b-single-tenant-customer-cloud", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng, accessed 2026-05-08" ] }, { "source": "dora-register-its-2024-2956", "target": "topology-a-multitenant-vendor-saas", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj/eng, accessed 2026-05-08" ] }, { "source": "dora-register-its-2024-2956", "target": "topology-b-single-tenant-customer-cloud", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj/eng, accessed 2026-05-08" ] }, { "source": "dora-subcontracting-rts-2025-532", "target": "topology-a-multitenant-vendor-saas", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj/eng, accessed 2026-05-08" ] }, { "source": "dora-subcontracting-rts-2025-532", "target": "topology-b-single-tenant-customer-cloud", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj/eng, accessed 2026-05-08" ] }, { "source": "eba-outsourcing-guidelines", "target": "topology-a-multitenant-vendor-saas", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/guidelines-outsourcing-arrangements, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08" ] }, { "source": "eba-outsourcing-guidelines", "target": "topology-b-single-tenant-customer-cloud", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/guidelines-outsourcing-arrangements, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08" ] }, { "source": "pra-ss2-21", "target": "topology-a-multitenant-vendor-saas", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss, accessed 2026-05-08" ] }, { "source": "pra-ss2-21", "target": "topology-b-single-tenant-customer-cloud", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss, accessed 2026-05-08" ] }, { "source": "pra-ss1-21", "target": "topology-a-multitenant-vendor-saas", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/operational-resilience-impact-tolerances-for-important-business-services-ss, accessed 2026-05-08" ] }, { "source": "pra-ss1-21", "target": "topology-b-single-tenant-customer-cloud", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/operational-resilience-impact-tolerances-for-important-business-services-ss, accessed 2026-05-08" ] }, { "source": "fca-sysc-8", "target": "topology-a-multitenant-vendor-saas", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://handbook.fca.org.uk/handbook/SYSC/8/1.html, accessed 2026-05-08" ] }, { "source": "fca-sysc-8", "target": "topology-b-single-tenant-customer-cloud", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://handbook.fca.org.uk/handbook/SYSC/8/1.html, accessed 2026-05-08" ] }, { "source": "fca-fg16-5", "target": "topology-a-multitenant-vendor-saas", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://www.fca.org.uk/publication/finalised-guidance/fg16-5.pdf, accessed 2026-05-08" ] }, { "source": "fca-fg16-5", "target": "topology-b-single-tenant-customer-cloud", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://www.fca.org.uk/publication/finalised-guidance/fg16-5.pdf, accessed 2026-05-08" ] }, { "source": "finma-circ-2018-3", "target": "topology-a-multitenant-vendor-saas", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en, accessed 2026-05-08" ] }, { "source": "finma-circ-2018-3", "target": "topology-b-single-tenant-customer-cloud", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en, accessed 2026-05-08" ] }, { "source": "gdpr", "target": "topology-a-multitenant-vendor-saas", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng, accessed 2026-05-08" ] }, { "source": "gdpr", "target": "topology-b-single-tenant-customer-cloud", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng, accessed 2026-05-08" ] }, { "source": "cybersecurity-act", "target": "topology-a-multitenant-vendor-saas", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2019/881/oj/eng, accessed 2026-05-08" ] }, { "source": "cybersecurity-act", "target": "topology-b-single-tenant-customer-cloud", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2019/881/oj/eng, accessed 2026-05-08" ] }, { "source": "enisa-eucs-candidate-scheme", "target": "topology-a-multitenant-vendor-saas", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://www.enisa.europa.eu/topics/product-security-and-certification/cybersecurity-certification-framework, accessed 2026-05-08", "https://certification.enisa.europa.eu/publications/candidate-eucs-scheme-v10_en, accessed 2026-05-08" ] }, { "source": "enisa-eucs-candidate-scheme", "target": "topology-b-single-tenant-customer-cloud", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://www.enisa.europa.eu/topics/product-security-and-certification/cybersecurity-certification-framework, accessed 2026-05-08", "https://certification.enisa.europa.eu/publications/candidate-eucs-scheme-v10_en, accessed 2026-05-08" ] }, { "source": "fsb-third-party-risk-toolkit", "target": "topology-a-multitenant-vendor-saas", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://www.fsb.org/2023/12/final-report-on-enhancing-third-party-risk-management-and-oversight-a-toolkit-for-financial-institutions-and-financial-authorities/, accessed 2026-05-08" ] }, { "source": "fsb-third-party-risk-toolkit", "target": "topology-b-single-tenant-customer-cloud", "type": "applies-to", "label": "applies to deployment due diligence", "strength": "partial", "evidence": [ "https://www.fsb.org/2023/12/final-report-on-enhancing-third-party-risk-management-and-oversight-a-toolkit-for-financial-institutions-and-financial-authorities/, accessed 2026-05-08" ] }, { "source": "dora", "target": "control-outsourcing-classification", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08" ] }, { "source": "dora", "target": "control-ctpp-designation", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08" ] }, { "source": "dora", "target": "control-audit-rights", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08" ] }, { "source": "dora", "target": "control-subcontractor-chain", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08" ] }, { "source": "dora", "target": "control-exit-strategy", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08" ] }, { "source": "dora", "target": "control-data-sovereignty", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08" ] }, { "source": "dora", "target": "control-concentration-risk", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08" ] }, { "source": "dora", "target": "control-operational-resilience", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08" ] }, { "source": "dora-ctpp-criteria-2024-1502", "target": "control-ctpp-designation", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1502/oj/eng, accessed 2026-05-08" ] }, { "source": "dora-ctpp-criteria-2024-1502", "target": "control-concentration-risk", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1502/oj/eng, accessed 2026-05-08" ] }, { "source": "dora-ict-risk-rts-2024-1774", "target": "control-operational-resilience", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1774/oj/eng, accessed 2026-05-08" ] }, { "source": "dora-contract-policy-rts-2024-1773", "target": "control-outsourcing-classification", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng, accessed 2026-05-08" ] }, { "source": "dora-contract-policy-rts-2024-1773", "target": "control-audit-rights", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng, accessed 2026-05-08" ] }, { "source": "dora-contract-policy-rts-2024-1773", "target": "control-subcontractor-chain", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng, accessed 2026-05-08" ] }, { "source": "dora-contract-policy-rts-2024-1773", "target": "control-exit-strategy", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng, accessed 2026-05-08" ] }, { "source": "dora-register-its-2024-2956", "target": "control-outsourcing-classification", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj/eng, accessed 2026-05-08" ] }, { "source": "dora-register-its-2024-2956", "target": "control-subcontractor-chain", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj/eng, accessed 2026-05-08" ] }, { "source": "dora-register-its-2024-2956", "target": "control-concentration-risk", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj/eng, accessed 2026-05-08" ] }, { "source": "dora-register-its-2024-2956", "target": "control-data-sovereignty", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj/eng, accessed 2026-05-08" ] }, { "source": "dora-subcontracting-rts-2025-532", "target": "control-subcontractor-chain", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj/eng, accessed 2026-05-08" ] }, { "source": "eba-outsourcing-guidelines", "target": "control-outsourcing-classification", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/guidelines-outsourcing-arrangements, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08" ] }, { "source": "eba-outsourcing-guidelines", "target": "control-audit-rights", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/guidelines-outsourcing-arrangements, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08" ] }, { "source": "eba-outsourcing-guidelines", "target": "control-subcontractor-chain", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/guidelines-outsourcing-arrangements, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08" ] }, { "source": "eba-outsourcing-guidelines", "target": "control-exit-strategy", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/guidelines-outsourcing-arrangements, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08" ] }, { "source": "eba-outsourcing-guidelines", "target": "control-data-sovereignty", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/guidelines-outsourcing-arrangements, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08" ] }, { "source": "eba-outsourcing-guidelines", "target": "control-concentration-risk", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/guidelines-outsourcing-arrangements, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08" ] }, { "source": "eba-outsourcing-guidelines", "target": "control-operational-resilience", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/guidelines-outsourcing-arrangements, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08" ] }, { "source": "pra-ss2-21", "target": "control-outsourcing-classification", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss, accessed 2026-05-08" ] }, { "source": "pra-ss2-21", "target": "control-audit-rights", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss, accessed 2026-05-08" ] }, { "source": "pra-ss2-21", "target": "control-subcontractor-chain", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss, accessed 2026-05-08" ] }, { "source": "pra-ss2-21", "target": "control-exit-strategy", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss, accessed 2026-05-08" ] }, { "source": "pra-ss2-21", "target": "control-operational-resilience", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss, accessed 2026-05-08" ] }, { "source": "pra-ss1-21", "target": "control-operational-resilience", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/operational-resilience-impact-tolerances-for-important-business-services-ss, accessed 2026-05-08" ] }, { "source": "pra-ss1-21", "target": "control-exit-strategy", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/operational-resilience-impact-tolerances-for-important-business-services-ss, accessed 2026-05-08" ] }, { "source": "fca-sysc-8", "target": "control-outsourcing-classification", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://handbook.fca.org.uk/handbook/SYSC/8/1.html, accessed 2026-05-08" ] }, { "source": "fca-sysc-8", "target": "control-audit-rights", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://handbook.fca.org.uk/handbook/SYSC/8/1.html, accessed 2026-05-08" ] }, { "source": "fca-sysc-8", "target": "control-operational-resilience", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://handbook.fca.org.uk/handbook/SYSC/8/1.html, accessed 2026-05-08" ] }, { "source": "fca-fg16-5", "target": "control-outsourcing-classification", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.fca.org.uk/publication/finalised-guidance/fg16-5.pdf, accessed 2026-05-08" ] }, { "source": "fca-fg16-5", "target": "control-audit-rights", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.fca.org.uk/publication/finalised-guidance/fg16-5.pdf, accessed 2026-05-08" ] }, { "source": "fca-fg16-5", "target": "control-data-sovereignty", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.fca.org.uk/publication/finalised-guidance/fg16-5.pdf, accessed 2026-05-08" ] }, { "source": "finma-circ-2018-3", "target": "control-outsourcing-classification", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en, accessed 2026-05-08" ] }, { "source": "finma-circ-2018-3", "target": "control-audit-rights", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en, accessed 2026-05-08" ] }, { "source": "finma-circ-2018-3", "target": "control-subcontractor-chain", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en, accessed 2026-05-08" ] }, { "source": "finma-circ-2018-3", "target": "control-data-sovereignty", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en, accessed 2026-05-08" ] }, { "source": "finma-circ-2018-3", "target": "control-exit-strategy", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en, accessed 2026-05-08" ] }, { "source": "gdpr", "target": "control-data-sovereignty", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng, accessed 2026-05-08" ] }, { "source": "cybersecurity-act", "target": "control-data-sovereignty", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2019/881/oj/eng, accessed 2026-05-08" ] }, { "source": "cybersecurity-act", "target": "control-operational-resilience", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2019/881/oj/eng, accessed 2026-05-08" ] }, { "source": "enisa-eucs-candidate-scheme", "target": "control-data-sovereignty", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.enisa.europa.eu/topics/product-security-and-certification/cybersecurity-certification-framework, accessed 2026-05-08", "https://certification.enisa.europa.eu/publications/candidate-eucs-scheme-v10_en, accessed 2026-05-08" ] }, { "source": "enisa-eucs-candidate-scheme", "target": "control-operational-resilience", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.enisa.europa.eu/topics/product-security-and-certification/cybersecurity-certification-framework, accessed 2026-05-08", "https://certification.enisa.europa.eu/publications/candidate-eucs-scheme-v10_en, accessed 2026-05-08" ] }, { "source": "enisa-eucs-candidate-scheme", "target": "control-primary-source-not-located", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.enisa.europa.eu/topics/product-security-and-certification/cybersecurity-certification-framework, accessed 2026-05-08", "https://certification.enisa.europa.eu/publications/candidate-eucs-scheme-v10_en, accessed 2026-05-08" ] }, { "source": "fsb-third-party-risk-toolkit", "target": "control-concentration-risk", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.fsb.org/2023/12/final-report-on-enhancing-third-party-risk-management-and-oversight-a-toolkit-for-financial-institutions-and-financial-authorities/, accessed 2026-05-08" ] }, { "source": "fsb-third-party-risk-toolkit", "target": "control-operational-resilience", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.fsb.org/2023/12/final-report-on-enhancing-third-party-risk-management-and-oversight-a-toolkit-for-financial-institutions-and-financial-authorities/, accessed 2026-05-08" ] }, { "source": "fsb-third-party-risk-toolkit", "target": "control-exit-strategy", "type": "requires", "label": "requires / informs control", "strength": "full", "evidence": [ "https://www.fsb.org/2023/12/final-report-on-enhancing-third-party-risk-management-and-oversight-a-toolkit-for-financial-institutions-and-financial-authorities/, accessed 2026-05-08" ] }, { "source": "topology-a-multitenant-vendor-saas", "target": "control-outsourcing-classification", "type": "requires", "label": "requires buyer due diligence on", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08", "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss, accessed 2026-05-08" ] }, { "source": "topology-a-multitenant-vendor-saas", "target": "control-ctpp-designation", "type": "requires", "label": "requires buyer due diligence on", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08", "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss, accessed 2026-05-08" ] }, { "source": "topology-a-multitenant-vendor-saas", "target": "control-audit-rights", "type": "requires", "label": "requires buyer due diligence on", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08", "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss, accessed 2026-05-08" ] }, { "source": "topology-a-multitenant-vendor-saas", "target": "control-subcontractor-chain", "type": "requires", "label": "requires buyer due diligence on", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08", "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss, accessed 2026-05-08" ] }, { "source": "topology-a-multitenant-vendor-saas", "target": "control-exit-strategy", "type": "requires", "label": "requires buyer due diligence on", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08", "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss, accessed 2026-05-08" ] }, { "source": "topology-a-multitenant-vendor-saas", "target": "control-data-sovereignty", "type": "requires", "label": "requires buyer due diligence on", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08", "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss, accessed 2026-05-08" ] }, { "source": "topology-a-multitenant-vendor-saas", "target": "control-concentration-risk", "type": "requires", "label": "requires buyer due diligence on", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08", "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss, accessed 2026-05-08" ] }, { "source": "topology-a-multitenant-vendor-saas", "target": "control-operational-resilience", "type": "requires", "label": "requires buyer due diligence on", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08", "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss, accessed 2026-05-08" ] }, { "source": "topology-b-single-tenant-customer-cloud", "target": "control-outsourcing-classification", "type": "requires", "label": "requires buyer due diligence on", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08", "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en, accessed 2026-05-08" ] }, { "source": "topology-b-single-tenant-customer-cloud", "target": "control-ctpp-designation", "type": "requires", "label": "requires buyer due diligence on", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08", "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en, accessed 2026-05-08" ] }, { "source": "topology-b-single-tenant-customer-cloud", "target": "control-audit-rights", "type": "requires", "label": "requires buyer due diligence on", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08", "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en, accessed 2026-05-08" ] }, { "source": "topology-b-single-tenant-customer-cloud", "target": "control-subcontractor-chain", "type": "requires", "label": "requires buyer due diligence on", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08", "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en, accessed 2026-05-08" ] }, { "source": "topology-b-single-tenant-customer-cloud", "target": "control-exit-strategy", "type": "requires", "label": "requires buyer due diligence on", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08", "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en, accessed 2026-05-08" ] }, { "source": "topology-b-single-tenant-customer-cloud", "target": "control-data-sovereignty", "type": "requires", "label": "requires buyer due diligence on", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08", "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en, accessed 2026-05-08" ] }, { "source": "topology-b-single-tenant-customer-cloud", "target": "control-concentration-risk", "type": "requires", "label": "requires buyer due diligence on", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08", "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en, accessed 2026-05-08" ] }, { "source": "topology-b-single-tenant-customer-cloud", "target": "control-operational-resilience", "type": "requires", "label": "requires buyer due diligence on", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08", "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en, accessed 2026-05-08" ] }, { "source": "product-mambu-platform", "target": "topology-a-multitenant-vendor-saas", "type": "classified-as", "label": "public source describes cloud-based/multi-tenant SaaS", "strength": "full", "evidence": [ "https://docs.mambu.com/docs/, accessed 2026-05-08", "https://mambu.com/en/insights/articles/15-years-of-innovation, accessed 2026-05-08" ] }, { "source": "product-vault-core", "target": "topology-a-multitenant-vendor-saas", "type": "classified-as", "label": "offers SaaS deployment option", "strength": "full", "evidence": [ "https://www.thoughtmachine.net/vault-core, accessed 2026-05-08" ] }, { "source": "product-vault-core", "target": "topology-b-single-tenant-customer-cloud", "type": "classified-as", "label": "offers bank-hosted public/private/hybrid deployment option", "strength": "full", "evidence": [ "https://www.thoughtmachine.net/vault-core, accessed 2026-05-08" ] }, { "source": "product-tuum-core", "target": "topology-a-multitenant-vendor-saas", "type": "classified-as", "label": "public source describes SaaS and multi-tenant logic", "strength": "full", "evidence": [ "https://developer.tuumplatform.com/, accessed 2026-05-08", "https://developer.tuumplatform.com/getting-started, accessed 2026-05-08" ] }, { "source": "product-saascada-core", "target": "control-primary-source-not-located", "type": "classified-as", "label": "cloud-native source located; multi-tenant SaaS architecture source not located", "strength": "partial", "evidence": [ "https://saascada.com/platform/, accessed 2026-05-08" ] }, { "source": "product-corebanq", "target": "topology-a-multitenant-vendor-saas", "type": "classified-as", "label": "public page lists multi-tenant managed deployment", "strength": "full", "evidence": [ "https://finray.tech/platforms/corebanq/, accessed 2026-05-08" ] }, { "source": "product-corebanq", "target": "topology-b-single-tenant-customer-cloud", "type": "classified-as", "label": "public page lists single-tenant dedicated and private-cloud deployment", "strength": "full", "evidence": [ "https://finray.tech/platforms/corebanq/, accessed 2026-05-08" ] }, { "source": "product-corebanq", "target": "control-coi-recusal", "type": "classified-as", "label": "recused from qualitative ranking", "strength": "full", "evidence": [ "https://finray.tech/platforms/corebanq/, accessed 2026-05-08" ] }, { "source": "vendor-finray-technologies", "target": "control-coi-recusal", "type": "classified-as", "label": "recused because Corebanq is Finray product", "strength": "full", "evidence": [ "https://finray.tech/, accessed 2026-05-08" ] }, { "source": "vendor-aws-emea", "target": "control-ctpp-designation", "type": "classified-as", "label": "listed as designated CTPP in first Union list", "strength": "full", "evidence": [ "https://www.eiopa.europa.eu/european-supervisory-authorities-designate-critical-ict-third-party-providers-under-digital-2025-11-18_en, accessed 2026-05-08", "https://www.esma.europa.eu/sites/default/files/2025-11/List_of_designated_CTPPs.pdf, accessed 2026-05-08" ] }, { "source": "vendor-aws-emea", "target": "control-concentration-risk", "type": "supports", "label": "provider concentration must be assessed", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1502/oj/eng, accessed 2026-05-08", "https://www.esma.europa.eu/sites/default/files/2025-11/List_of_designated_CTPPs.pdf, accessed 2026-05-08" ] }, { "source": "vendor-google-cloud-emea", "target": "control-ctpp-designation", "type": "classified-as", "label": "listed as designated CTPP in first Union list", "strength": "full", "evidence": [ "https://www.eiopa.europa.eu/european-supervisory-authorities-designate-critical-ict-third-party-providers-under-digital-2025-11-18_en, accessed 2026-05-08", "https://www.esma.europa.eu/sites/default/files/2025-11/List_of_designated_CTPPs.pdf, accessed 2026-05-08" ] }, { "source": "vendor-google-cloud-emea", "target": "control-concentration-risk", "type": "supports", "label": "provider concentration must be assessed", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1502/oj/eng, accessed 2026-05-08", "https://www.esma.europa.eu/sites/default/files/2025-11/List_of_designated_CTPPs.pdf, accessed 2026-05-08" ] }, { "source": "vendor-microsoft-ireland", "target": "control-ctpp-designation", "type": "classified-as", "label": "listed as designated CTPP in first Union list", "strength": "full", "evidence": [ "https://www.eiopa.europa.eu/european-supervisory-authorities-designate-critical-ict-third-party-providers-under-digital-2025-11-18_en, accessed 2026-05-08", "https://www.esma.europa.eu/sites/default/files/2025-11/List_of_designated_CTPPs.pdf, accessed 2026-05-08" ] }, { "source": "vendor-microsoft-ireland", "target": "control-concentration-risk", "type": "supports", "label": "provider concentration must be assessed", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1502/oj/eng, accessed 2026-05-08", "https://www.esma.europa.eu/sites/default/files/2025-11/List_of_designated_CTPPs.pdf, accessed 2026-05-08" ] }, { "source": "control-ctpp-designation", "target": "control-concentration-risk", "type": "complementary-to", "label": "CTPP analysis is a concentration-risk control", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://eur-lex.europa.eu/eli/reg_del/2024/1502/oj/eng, accessed 2026-05-08", "https://www.fsb.org/2023/12/final-report-on-enhancing-third-party-risk-management-and-oversight-a-toolkit-for-financial-institutions-and-financial-authorities/, accessed 2026-05-08" ] }, { "source": "control-subcontractor-chain", "target": "control-concentration-risk", "type": "complementary-to", "label": "subcontracting chains can create hidden concentration", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj/eng, accessed 2026-05-08", "https://www.fsb.org/2023/12/final-report-on-enhancing-third-party-risk-management-and-oversight-a-toolkit-for-financial-institutions-and-financial-authorities/, accessed 2026-05-08" ] }, { "source": "control-audit-rights", "target": "control-operational-resilience", "type": "complementary-to", "label": "auditability supports resilience assurance", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08", "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss, accessed 2026-05-08" ] }, { "source": "control-exit-strategy", "target": "control-operational-resilience", "type": "complementary-to", "label": "credible exit protects continuity of important services", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08", "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/operational-resilience-impact-tolerances-for-important-business-services-ss, accessed 2026-05-08" ] }, { "source": "control-data-sovereignty", "target": "control-audit-rights", "type": "complementary-to", "label": "data location and foreign outsourcing affect inspection rights", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng, accessed 2026-05-08", "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en, accessed 2026-05-08", "https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng, accessed 2026-05-08" ] }, { "source": "control-primary-source-not-located", "target": "control-coi-recusal", "type": "complementary-to", "label": "unresolved claims and conflicts are recorded rather than inferred", "strength": "full", "evidence": [ "https://finray.tech/platforms/corebanq/, accessed 2026-05-08", "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf, accessed 2026-05-08" ] }, { "source": "reg-eba", "target": "reg-esas", "type": "complementary-to", "label": "participates in DORA ESA coordination", "strength": "full", "evidence": [ "https://www.eiopa.europa.eu/european-supervisory-authorities-designate-critical-ict-third-party-providers-under-digital-2025-11-18_en, accessed 2026-05-08" ] }, { "source": "reg-esas", "target": "dora-ctpp-criteria-2024-1502", "type": "applies-to", "label": "uses criteria for CTPP designation", "strength": "full", "evidence": [ "https://www.eiopa.europa.eu/european-supervisory-authorities-designate-critical-ict-third-party-providers-under-digital-2025-11-18_en, accessed 2026-05-08", "https://eur-lex.europa.eu/eli/reg_del/2024/1502/oj/eng, accessed 2026-05-08" ] }, { "source": "reg-enisa", "target": "cybersecurity-act", "type": "applies-to", "label": "operates within cybersecurity certification framework", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2019/881/oj/eng, accessed 2026-05-08", "https://www.enisa.europa.eu/topics/product-security-and-certification/cybersecurity-certification-framework, accessed 2026-05-08" ] }, { "source": "reg-fsb", "target": "control-concentration-risk", "type": "applies-to", "label": "toolkit addresses systemic third-party dependencies", "strength": "full", "evidence": [ "https://www.fsb.org/2023/12/final-report-on-enhancing-third-party-risk-management-and-oversight-a-toolkit-for-financial-institutions-and-financial-authorities/, accessed 2026-05-08" ] } ], "legend": { "deployment-topology": { "color": "#2563EB", "shape": "round-rectangle", "note": "Deployment pattern being compared; not a product ranking." }, "control": { "color": "#0F766E", "shape": "round-rectangle", "note": "Buyer due-diligence control axis derived from primary regulatory sources." }, "regulation": { "color": "#DC2626", "shape": "diamond", "note": "Binding regulation, delegated or implementing regulation, supervisory statement, circular, guideline or standard-setting toolkit." }, "regulator": { "color": "#7C3AED", "shape": "hexagon", "note": "Regulator, supervisory authority or standard-setting body issuing the cited source." }, "vendor": { "color": "#B45309", "shape": "ellipse", "note": "Vendor or ICT provider node; vendor sources evidence only what the vendor/product publicly says, not regulatory interpretation." }, "product": { "color": "#9333EA", "shape": "round-rectangle", "note": "Publicly referenced product node; no qualitative ranking is encoded." } } }