Compliance

Regulations change. Your responsibility does not.

DORA, AI Act, CRA and NIS2 create a new operational reality for European banks. Qunigma is designed from the ground up for these requirements.

Regulatory map

● Active: NIS2, Oct 2024
● Active: DORA, Jan 2025
⚠ Upcoming: AI Act Annex III, Aug 2026
⚠ Upcoming: CRA, Sep 2026

Active since 17.01.2025

DORA 2025

Digital Operational Resilience Act

Penalties
Up to 2% of annual turnover

DORA requires financial institutions to demonstrate digital operational resilience, including ICT risk management, system testing, and incident reporting within strictly defined time windows.

| Article | Requirement | Qunigma Status |
|---|---|---|
| Art. 8 | ICT and NHI asset inventory | ✓ Automatic, NHI Security |
| Art. 19 | Incident reporting 4h / 24h / 72h | ✓ Pre-built reporting packs |
| Art. 25 | Third-party and ICT provider risk | ✓ Third-party NHI monitoring |
| Art. 26 | TLPT penetration testing | ✓ Honeypot LLM as TLPT-ready |

Deadline: 02.08.2026

AI Act Annex III

EU Artificial Intelligence Act, High-Risk Systems

Penalties
Up to 3% of turnover or €15M

AI systems classified as high-risk (including credit scoring, risk assessment) must meet rigorous cybersecurity, quality management, and risk management requirements.

| Article | Requirement | Qunigma Status |
|---|---|---|
| Art. 9 | AI risk management system | ✓ MTTAV real-time risk scoring |
| Art. 15 | Accuracy, robustness and cybersecurity | ✓ Memory Guard SHA-256 |
| Art. 17 | Quality management system | ✓ Immutable audit trail and logs |
| Art. 72 | Incident reporting to supervisory authority | ✓ Integrated with DORA Art. 19 |

Deadline: 11.09.2026

CRA

Cyber Resilience Act

Penalties
Up to €15M or 2.5% of turnover

CRA introduces mandatory cybersecurity requirements for products with digital elements, including the obligation to disclose vulnerabilities within 24 hours and ensure security updates throughout the product lifecycle.

| Article | Requirement | Qunigma Status |
|---|---|---|
| Art. 14 | Vulnerability disclosure within 24 hours | ✓ VDP (Vulnerability Disclosure Program) |
| Art. 13 | Manufacturer obligations, secure configuration | ✓ Secure-by-default architecture |
| Art. 10 | Essential cybersecurity requirements | ✓ MTTAV Engine covers full scope |
| Art. 23 | Reporting actively exploited vulnerabilities | ✓ Integrated with ENISA and CERT |

Active since 17.10.2024

NIS2

Network and Information Security Directive 2

Penalties
Up to €10M or 2% of global turnover

NIS2 extends the scope of mandatory cybersecurity measures to "important entities" in the financial sector, including supply chain management, network security, and mandatory incident reporting.

| Article | Requirement | Qunigma Status |
|---|---|---|
| Art. 21 | Network security risk management measures | ✓ MTTAV real-time protection |
| Art. 23 | Incident reporting (24h preliminary) | ✓ Pre-built NIS2 reporting packs |
| Art. 21(2)(d) | Supply chain security | ✓ NHI Security, third-party monitoring |
| Art. 21(2)(j) | HR security and training | ✓ Security awareness module |

Map your blind spots before they are exploited.

AI Security Readiness Analysis

MTTAV Gap Analysis Template, complete and bring to tomorrow's board meeting.

Technical Specification for CTO

Full integration documentation for CTO and Chief Architect.

ROI Matrix: DORA & AI Act

Business case for CFO: TCO vs. regulatory and security risk.
