Author: Irina Saavedra
-

ICT Risk Is Now Embedded in SREP: What the EBA’s 2026 Follow-Up Means
The EBA’s 2026 follow-up confirms ICT risk is now fully embedded in SREP under DORA. What this structural shift means for EU financial institutions.
-
DORA TLPT in Practice: A Supervisory Perspective
1. Why TLPT matters under DORA
Threat-Led Penetration Testing (TLPT) occupies a distinct place within the DORA framework. It is not intended to be another technical control, nor a more advanced form of penetration testing. Its purpose is fundamentally different. From a supervisory perspective, TLPT is designed to test whether an organisation can withstand, respond…
-

Operational Resilience: Building Sustainable Disruption Readiness
An Operational Resilience Framework (ORF) is a company’s strategic plan to withstand, adapt, and recover from disruptions, ensuring critical services keep running by integrating risk management, business continuity, IT recovery, and crisis management. It shifts focus from just preventing failures to maintaining core functions during events like cyberattacks or natural disasters, often guided by regulations (like in finance) and centered on…
-

AI Governance: Managing Risk Across the AI Lifecycle
AI Governance is the system of rules, policies, standards, and practices ensuring AI is developed and used responsibly, ethically, and legally, focusing on transparency, accountability, fairness, privacy, and security, to manage risks like bias and errors while fostering trust and compliance with regulations like the EU’s AI Act. It establishes frameworks to guide AI’s lifecycle, balancing…
-

DORA: What Financial Institutions Must Prepare For
DORA (Digital Operational Resilience Act) is an EU regulation harmonising ICT risk management for financial entities (banks, insurers, etc.) and critical third-party providers, effective January 2025, requiring robust frameworks for ICT risk management, incident reporting, testing, managing third-party risks, and information sharing to ensure they can withstand, respond to, and recover from digital disruptions like cyberattacks, creating a unified, resilient EU…
-

Data Privacy in Financial Services
Practical guidance on assessing data privacy risks, regulatory obligations, and control gaps across personal data lifecycle stages.
-

Regulatory Readiness: Overview
1. Essential Framework for Regulatory Readiness
To build a sustainable readiness program, organizations should adopt a life-cycle approach:
2. Core Pillars of Preparation
The most effective readiness plans include these actionable components:
3. Strategic Best Practices for 2025
4. Key Industry-Specific Resources