
Finance and Fintech

Compliance requirements for the financial sector and fintech.


Sector Profile

| Attribute | Value |
|---|---|
| AI Act impact | CRITICAL (High-Risk) |
| NIS2 category | Essential (Annex I — Banking) |
| GDPR impact | HIGH |
| Other regulations | PSD2, DORA, AML, MiFID II |

AI Act for Finance

High-Risk AI Systems (Annex III)

| System | Classification | Obligations |
|---|---|---|
| Credit scoring | HIGH-RISK | Full obligations |
| Fraud detection | HIGH-RISK | DPIA, explainability |
| AML screening | HIGH-RISK | Human oversight |
| Algorithmic trading | MEDIUM | Monitoring, testing |
| Customer service chatbot | MEDIUM | Transparency |
| Risk assessment | HIGH-RISK | Documentation |

Credit Scoring Specifics


NIS2 + DORA for Finance

DORA = Lex Specialis

The financial sector is subject to DORA (Digital Operational Resilience Act), which is lex specialis and supersedes NIS2 for ICT risk management in the financial sector.

| Requirement | NIS2 | DORA |
|---|---|---|
| ICT Risk Management | Yes | Yes (more detailed) |
| Incident Reporting | 24-72h | 4h initial, 72h full |
| Testing | Penetration testing | TLPT (Threat-Led) |
| Third-party risk | Vendor audit | ICT concentration risk |
| Resilience | Business continuity | Operational resilience |

DORA Timeline

  • 17 January 2025: DORA fully applicable (NOW!)
  • 30 April 2025: ICT third-party registers submitted to ESAs
  • Ongoing: Supervision by national competent authorities

Key DORA Requirements

| Area | Requirement | Priority |
|---|---|---|
| ICT Risk Framework | Documented risk management | Critical |
| Incident classification | Criteria for major incidents | Critical |
| TLPT | Threat-led penetration testing | Critical |
| ICT third-party | Register of all ICT providers | Critical |
| Exit strategies | Plan for replacing critical vendors | High |
| Resilience testing | Annual testing, stress scenarios | High |

GDPR for Finance

Specific Areas

| Area | Requirement | Legal basis |
|---|---|---|
| KYC data | Customer identification | Legal obligation (AML) |
| Transaction data | Payment history | Contract |
| Credit history | Scoring, risk assessment | Legitimate interest + consent |
| Marketing data | Cross-selling, offers | Consent |
| Fraud data | Fraud prevention | Legitimate interest |

Retention Periods

| Data type | Retention | Legal basis |
|---|---|---|
| KYC/AML data | 10 years after relationship ends | AML legislation |
| Transaction records | 10 years | Accounting regulations |
| Credit decisions | 5 years | Internal rules |
| Marketing consent | Until revoked | GDPR |
| Fraud alerts | 5 years | Legitimate interest |

DSAR in Finance


PSD2 Specifics

Open Banking

| Requirement | Description |
|---|---|
| SCA | Strong Customer Authentication |
| API access | TPP (Third Party Provider) access |
| Consent management | Granular consents for data sharing |
| Fraud monitoring | Real-time transaction monitoring |

AI in PSD2


Checklist for Finance

Immediate (Weeks 1-2)

  • AI inventory (credit scoring, fraud, AML)
  • DORA gap assessment
  • ICT third-party register

Short-term (Months 1-3)

  • High-risk AI DPIA
  • Incident classification criteria
  • ICT risk framework update

Medium-term (Months 3-6)

  • TLPT planning
  • Credit scoring explainability
  • Vendor exit strategies

Long-term (Months 6-12)

  • Full DORA compliance
  • AI Act high-risk compliance
  • Operational resilience testing

Typical Costs

| Item | Estimate |
|---|---|
| DORA compliance program | EUR 100-200k |
| AI compliance (credit scoring) | EUR 30-50k |
| TLPT (threat-led pen testing) | EUR 50-100k |
| ICT risk framework | EUR 30-50k |
| Third-party due diligence | EUR 20-40k |
| Total Y1 | EUR 230-440k |

Resources