{ "schema_version": "0.1.0", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "title": "Core banking deployment topology and regulatory alignment — multi-tenant SaaS vs single-tenant in customer cloud account", "cluster": "corebanq", "last_reviewed": "2026-05-08", "evidence_cutoff": "2026-05-08", "publisher": { "name": "Finray Technologies Ltd", "url": "https://finray.tech", "legal_form": "Cyprus Limited Company", "registry": "Cyprus Companies Registry HE 445903" }, "license": "https://creativecommons.org/licenses/by/4.0/", "citation_attribution": "Finray Intelligence; finray.tech", "review_methodology": "https://finray.tech/intelligence/methodology/", "related_surfaces": { "editorial_html": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "editorial_markdown": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.md", "graph_dataset_json": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "site_manifest": "https://finray.tech/agents.json", "llms_txt": "https://finray.tech/llms.txt", "llms_full_txt_intelligence": "https://finray.tech/intelligence/llms-full.txt" }, "citations_count": 65, "citations": [ { "primary_source_url": "https://eur-lex.europa.eu/eli/reg_del/2024/1502/oj/eng", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "reg-european-commission", "label": "European Commission", "type": "regulator", "subtype": "eu-commission", "role": "Adopts DORA delegated and implementing regulations under the Level 2 framework." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "reg-eu-legislators", "label": "European Parliament and Council", "type": "regulator", "subtype": "eu-legislator", "role": "EU co-legislators for DORA, GDPR and the Cybersecurity Act." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://handbook.fca.org.uk/handbook/SYSC/8/1.html", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "reg-fca", "label": "Financial Conduct Authority", "type": "regulator", "subtype": "uk-conduct-regulator", "role": "UK conduct regulator maintaining SYSC 8 and cloud outsourcing guidance." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "reg-pra", "label": "Prudential Regulation Authority", "type": "regulator", "subtype": "uk-prudential-regulator", "role": "UK prudential supervisor issuing SS2/21 and operational resilience supervisory statements." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/guidelines-outsourcing-arrangements", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "reg-eba", "label": "European Banking Authority", "type": "regulator", "subtype": "banking-regulator", "role": "EU banking authority issuing outsourcing guidelines and participating in DORA oversight." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.eiopa.europa.eu/european-supervisory-authorities-designate-critical-ict-third-party-providers-under-digital-2025-11-18_en", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "reg-esas", "label": "European Supervisory Authorities", "type": "regulator", "subtype": "esa-coordination", "role": "Joint EBA, EIOPA and ESMA coordination for DORA CTPP designation and oversight." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.enisa.europa.eu/topics/product-security-and-certification/cybersecurity-certification-framework", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "reg-enisa", "label": "European Union Agency for Cybersecurity", "type": "regulator", "subtype": "cybersecurity-agency", "role": "EU cybersecurity agency preparing and publishing certification framework material under the Cybersecurity Act." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "reg-finma", "label": "Swiss Financial Market Supervisory Authority", "type": "regulator", "subtype": "swiss-regulator", "role": "Swiss supervisor issuing Circular 2018/3 on outsourcing by banks, insurers and financial institutions." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.fsb.org/2023/12/final-report-on-enhancing-third-party-risk-management-and-oversight-a-toolkit-for-financial-institutions-and-financial-authorities/", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "reg-fsb", "label": "Financial Stability Board", "type": "regulator", "subtype": "standard-setter", "role": "International standard-setting body issuing the third-party risk management and oversight toolkit." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://certification.enisa.europa.eu/publications/candidate-eucs-scheme-v10_en", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "enisa-eucs-candidate-scheme", "label": "ENISA Candidate EUCS cloud-services scheme", "type": "regulation", "subtype": "candidate-scheme", "role": "Draft cloud-services certification scheme under the EU cybersecurity certification framework." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://eur-lex.europa.eu/eli/reg_del/2024/1502/oj/eng", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "dora-ctpp-criteria-2024-1502", "label": "DORA CTPP designation criteria — Regulation 2024/1502", "type": "regulation", "subtype": "delegated-regulation", "role": "Specifies criteria for designating ICT third-party providers as critical under DORA Article 31." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "dora-contract-policy-rts-2024-1773", "label": "DORA ICT third-party policy RTS — Regulation 2024/1773", "type": "regulation", "subtype": "delegated-regulation", "role": "Specifies ICT third-party service policy requirements under DORA." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://eur-lex.europa.eu/eli/reg_del/2024/1774/oj/eng", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "dora-ict-risk-rts-2024-1774", "label": "DORA ICT risk-management RTS — Regulation 2024/1774", "type": "regulation", "subtype": "delegated-regulation", "role": "Specifies ICT risk-management framework elements under DORA." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj/eng", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "dora-subcontracting-rts-2025-532", "label": "DORA subcontracting RTS — Regulation 2025/532", "type": "regulation", "subtype": "delegated-regulation", "role": "Specifies elements for determining and assessing subcontracting of ICT services supporting critical or important functions." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj/eng", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "dora-register-its-2024-2956", "label": "DORA register-of-information ITS — Regulation 2024/2956", "type": "regulation", "subtype": "implementing-regulation", "role": "Lays down standard templates for the register of information on ICT third-party arrangements." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "gdpr", "label": "GDPR Regulation (EU) 2016/679", "type": "regulation", "subtype": "regulation", "role": "EU data-protection regulation, including Chapter V transfer controls." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://eur-lex.europa.eu/eli/reg/2019/881/oj/eng", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "cybersecurity-act", "label": "EU Cybersecurity Act — Regulation (EU) 2019/881", "type": "regulation", "subtype": "regulation", "role": "Establishes ENISA mandate and the EU cybersecurity certification framework." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "dora", "label": "DORA Regulation (EU) 2022/2554", "type": "regulation", "subtype": "regulation", "role": "EU digital operational resilience framework covering ICT governance, third-party-risk and CTPP oversight." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://handbook.fca.org.uk/handbook/SYSC/8/1.html", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "fca-sysc-8", "label": "FCA SYSC 8 outsourcing requirements", "type": "regulation", "subtype": "handbook", "role": "FCA handbook chapter on outsourcing requirements and regulatory monitoring." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/operational-resilience-impact-tolerances-for-important-business-services-ss", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "pra-ss1-21", "label": "PRA SS1/21 — Operational resilience", "type": "regulation", "subtype": "supervisory-statement", "role": "PRA expectations for important business services and impact tolerances." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "pra-ss2-21", "label": "PRA SS2/21 — Outsourcing and third party risk management", "type": "regulation", "subtype": "supervisory-statement", "role": "PRA expectations for outsourcing and third-party risk management, including cloud outsourcing." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/guidelines-outsourcing-arrangements", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "eba-outsourcing-guidelines", "label": "EBA Guidelines on outsourcing arrangements", "type": "regulation", "subtype": "guideline", "role": "EU outsourcing framework for institutions, payment institutions and electronic money institutions." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.fca.org.uk/publication/finalised-guidance/fg16-5.pdf", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "fca-fg16-5", "label": "FCA FG16/5 — Cloud and third-party IT outsourcing", "type": "regulation", "subtype": "guidance", "role": "FCA guidance for firms outsourcing to cloud and other third-party IT services." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "finma-circ-2018-3", "label": "FINMA Circular 2018/3 — Outsourcing", "type": "regulation", "subtype": "circular", "role": "Swiss supervisory requirements for outsourcing at banks, insurers and financial institutions." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.fsb.org/2023/12/final-report-on-enhancing-third-party-risk-management-and-oversight-a-toolkit-for-financial-institutions-and-financial-authorities/", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "fsb-third-party-risk-toolkit", "label": "FSB third-party risk management toolkit", "type": "regulation", "subtype": "toolkit", "role": "International toolkit for third-party risk management and oversight, including systemic dependencies." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "control-outsourcing-classification", "label": "Outsourcing classification", "type": "control", "subtype": "outsourcing-classification", "role": "Determine whether the arrangement is outsourcing, material outsourcing, or an ICT third-party service supporting a critical or important function." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "control-ctpp-designation", "label": "CTPP designation and oversight", "type": "control", "subtype": "ctpp-designation", "role": "Assess whether provider reliance contributes to DORA Critical Third-Party Provider designation or oversight exposure." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "control-audit-rights", "label": "Access, inspection and audit rights", "type": "control", "subtype": "audit-rights", "role": "Preserve audit and inspection rights for the institution, appointed auditors and competent authorities." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "control-subcontractor-chain", "label": "Subcontractor-chain governance", "type": "control", "subtype": "subcontractor-chain", "role": "Control, monitor and evidence subcontracting and sub-outsourcing for critical or important ICT services." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "control-exit-strategy", "label": "Exit strategy and portability", "type": "control", "subtype": "exit-strategy", "role": "Document, test and operationalise exit without undue disruption, regulatory non-compliance or continuity loss." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "control-data-sovereignty", "label": "Data sovereignty and localisation", "type": "control", "subtype": "data-sovereignty", "role": "Identify data processing and storage locations, transfer mechanics, foreign outsourcing and certification posture." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "control-concentration-risk", "label": "Concentration-risk management", "type": "control", "subtype": "concentration-risk", "role": "Assess reliance on common providers, non-substitutability and systemic third-party dependencies." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "control-operational-resilience", "label": "Operational-resilience boundary", "type": "control", "subtype": "operational-resilience", "role": "Map governance, ICT risk management, important business services and resilience execution boundaries." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "control-primary-source-not-located", "label": "primary-source-not-located", "type": "control", "subtype": "primary-source-not-located", "role": "Reserved marker for unresolved regulatory or deployment questions where primary-source evidence was not located." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://finray.tech/platforms/corebanq/", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "control-coi-recusal", "label": "Corebanq COI recusal", "type": "control", "subtype": "coi-recusal", "role": "Corebanq is recused from qualitative ranking; topology analysis is category-level rather than product-specific." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "control-outsourcing-classification", "label": "Outsourcing classification", "type": "control", "subtype": "outsourcing-classification", "role": "Determine whether the arrangement is outsourcing, material outsourcing, or an ICT third-party service supporting a critical or important function." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "control-ctpp-designation", "label": "CTPP designation and oversight", "type": "control", "subtype": "ctpp-designation", "role": "Assess whether provider reliance contributes to DORA Critical Third-Party Provider designation or oversight exposure." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "control-audit-rights", "label": "Access, inspection and audit rights", "type": "control", "subtype": "audit-rights", "role": "Preserve audit and inspection rights for the institution, appointed auditors and competent authorities." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "control-subcontractor-chain", "label": "Subcontractor-chain governance", "type": "control", "subtype": "subcontractor-chain", "role": "Control, monitor and evidence subcontracting and sub-outsourcing for critical or important ICT services." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "control-exit-strategy", "label": "Exit strategy and portability", "type": "control", "subtype": "exit-strategy", "role": "Document, test and operationalise exit without undue disruption, regulatory non-compliance or continuity loss." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "control-data-sovereignty", "label": "Data sovereignty and localisation", "type": "control", "subtype": "data-sovereignty", "role": "Identify data processing and storage locations, transfer mechanics, foreign outsourcing and certification posture." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "control-concentration-risk", "label": "Concentration-risk management", "type": "control", "subtype": "concentration-risk", "role": "Assess reliance on common providers, non-substitutability and systemic third-party dependencies." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "control-operational-resilience", "label": "Operational-resilience boundary", "type": "control", "subtype": "operational-resilience", "role": "Map governance, ICT risk management, important business services and resilience execution boundaries." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "control-primary-source-not-located", "label": "primary-source-not-located", "type": "control", "subtype": "primary-source-not-located", "role": "Reserved marker for unresolved regulatory or deployment questions where primary-source evidence was not located." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://developer.tuumplatform.com/", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "vendor-tuum", "label": "Tuum", "type": "vendor", "subtype": "core-banking-vendor", "role": "Vendor of cloud-native API-first core banking platform." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://docs.mambu.com/docs/", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "vendor-mambu", "label": "Mambu", "type": "vendor", "subtype": "core-banking-vendor", "role": "Vendor of a cloud-based composable banking architecture." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://finray.tech/", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "vendor-finray-technologies", "label": "Finray Technologies Limited", "type": "vendor", "subtype": "core-banking-vendor", "role": "Finray Technologies Limited; producer of Corebanq." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://saascada.com/platform/", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "vendor-saascada", "label": "SaaScada", "type": "vendor", "subtype": "core-banking-vendor", "role": "Vendor of cloud-native core banking platform." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.esma.europa.eu/sites/default/files/2025-11/List_of_designated_CTPPs.pdf", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "vendor-aws-emea", "label": "Amazon Web Services EMEA Sarl", "type": "vendor", "subtype": "designated-ctpp", "role": "DORA-designated critical ICT third-party provider on the ESAs' first Union list." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.esma.europa.eu/sites/default/files/2025-11/List_of_designated_CTPPs.pdf", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "vendor-google-cloud-emea", "label": "Google Cloud EMEA Limited", "type": "vendor", "subtype": "designated-ctpp", "role": "DORA-designated critical ICT third-party provider on the ESAs' first Union list." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.esma.europa.eu/sites/default/files/2025-11/List_of_designated_CTPPs.pdf", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "vendor-microsoft-ireland", "label": "Microsoft Ireland Operations Limited", "type": "vendor", "subtype": "designated-ctpp", "role": "DORA-designated critical ICT third-party provider on the ESAs' first Union list." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.thoughtmachine.net/vault-core", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "vendor-thought-machine", "label": "Thought Machine", "type": "vendor", "subtype": "core-banking-vendor", "role": "Vendor of Vault Core cloud-native core banking platform." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://developer.tuumplatform.com/", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "product-tuum-core", "label": "Tuum Core Banking", "type": "product", "subtype": "core-banking-product", "role": "API-first core banking solution offered as SaaS; documentation refers to multi-tenant logic." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://developer.tuumplatform.com/getting-started", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "product-tuum-core", "label": "Tuum Core Banking", "type": "product", "subtype": "core-banking-product", "role": "API-first core banking solution offered as SaaS; documentation refers to multi-tenant logic." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://docs.mambu.com/docs/", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "product-mambu-platform", "label": "Mambu Banking Platform", "type": "product", "subtype": "core-banking-product", "role": "Cloud-based composable banking platform; vendor public source describes multi-tenant SaaS engine." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://finray.tech/platforms/corebanq/", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "product-corebanq", "label": "Corebanq", "type": "product", "subtype": "core-banking-product", "role": "Corebanq is the Finray product; public page lists multi-tenant managed cloud, single-tenant dedicated cloud, and private-cloud/on-premise deployment." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://mambu.com/en/insights/articles/15-years-of-innovation", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "product-mambu-platform", "label": "Mambu Banking Platform", "type": "product", "subtype": "core-banking-product", "role": "Cloud-based composable banking platform; vendor public source describes multi-tenant SaaS engine." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://saascada.com/platform/", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "product-saascada-core", "label": "SaaScada Core Banking Platform", "type": "product", "subtype": "core-banking-product", "role": "Cloud-native core banking platform; public architecture evidence for multi-tenant SaaS was not located." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.thoughtmachine.net/vault-core", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "product-vault-core", "label": "Thought Machine Vault Core", "type": "product", "subtype": "core-banking-product", "role": "Cloud-native core banking platform offered as SaaS and bank-hosted public/private/hybrid deployment." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "topology-a-multitenant-vendor-saas", "label": "Topology A — multi-tenant SaaS in vendor-controlled cloud", "type": "deployment-topology", "subtype": "multi-tenant-saas", "role": "Core banking software operated as multi-tenant SaaS in a vendor-controlled cloud environment." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "topology-b-single-tenant-customer-cloud", "label": "Topology B — single-tenant in customer cloud account", "type": "deployment-topology", "subtype": "single-tenant-customer-cloud", "role": "Core banking software deployed into a single-tenant customer-controlled cloud or private-cloud boundary." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "topology-a-multitenant-vendor-saas", "label": "Topology A — multi-tenant SaaS in vendor-controlled cloud", "type": "deployment-topology", "subtype": "multi-tenant-saas", "role": "Core banking software operated as multi-tenant SaaS in a vendor-controlled cloud environment." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "topology-b-single-tenant-customer-cloud", "label": "Topology B — single-tenant in customer cloud account", "type": "deployment-topology", "subtype": "single-tenant-customer-cloud", "role": "Core banking software deployed into a single-tenant customer-controlled cloud or private-cloud boundary." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "topology-a-multitenant-vendor-saas", "label": "Topology A — multi-tenant SaaS in vendor-controlled cloud", "type": "deployment-topology", "subtype": "multi-tenant-saas", "role": "Core banking software operated as multi-tenant SaaS in a vendor-controlled cloud environment." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } }, { "primary_source_url": "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en", "accessed_date": "2026-05-08", "finray_reviewed": true, "license": "CC-BY-4.0", "supports_node": { "id": "topology-b-single-tenant-customer-cloud", "label": "Topology B — single-tenant in customer cloud account", "type": "deployment-topology", "subtype": "single-tenant-customer-cloud", "role": "Core banking software deployed into a single-tenant customer-controlled cloud or private-cloud boundary." }, "review_record": { "reviewer": "Finray Intelligence", "page": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment/", "graph": "https://finray.tech/intelligence/deployment-topology-regulatory-alignment.json", "review_date": "2026-05-08" } } ], "generated_at": "2026-05-10T23:11:06.768Z" }