Knowledge & Perspectives

EONTA Insights

Regulatory intelligence, assurance methodology, and technical perspectives from our practice — written for compliance officers, risk professionals, and board-level decision-makers in regulated industries.

DORA · Operational Resilience May 2026 EONTA Research — Ireland

DORA Article 26 TLPT: What the RTS Actually Requires and What Most Institutions Are Getting Wrong

Financial institutions subject to DORA's Threat-Led Penetration Testing obligation are discovering that Article 26 is substantially more demanding than a standard penetration test programme. Four misalignments appear consistently across readiness assessments.

The governance architecture most institutions are missing

The TLPT framework requires a Control Team that is operationally independent of the Red Team. This is not a testing methodology requirement — it is a governance requirement. The Control Team must include senior representation from risk, compliance, and executive management. Institutions that have assigned TLPT oversight to their IT security function alone have misread the governance architecture the RTS requires.

The threat intelligence phase is the starting point, not the preamble

The RTS requires a Threat Intelligence phase conducted before any testing, producing a documented threat landscape report specific to the institution. This phase typically requires 6–8 weeks and involves engagement with sector threat intelligence providers. Institutions planning TLPT timelines that begin with testing are beginning at the wrong point.

Scope must include critical outsourced functions

DORA TLPT scope must include critical functions regardless of whether they are operated internally or by critical ICT third-party providers. This creates a coordination challenge with outsourced infrastructure providers that most institutions have not yet resolved contractually.

CBEST and iCAST are not equivalent to DORA TLPT

Institutions with existing CBEST (UK) or iCAST (Netherlands) history may assume equivalence where none exists. The ESA RTS introduces specific documentation, notification, and remediation timeline requirements that need separate compliance mapping even for experienced institutions.

EONTA Ireland supports financial institutions in TLPT governance, readiness assessment, and assurance of the TLPT process. We do not conduct threat-led penetration testing — our role is independent assurance of the governance framework around it.

AI Regulation · EU AI Act April 2026 EONTA Research — Ireland

EU AI Act High-Risk Classification: What Financial Services Compliance Teams Need to Decide Before August 2026

The EU AI Act's Annex III classification criteria are sufficiently nuanced that institutions applying them without structured methodology consistently reach incorrect conclusions — in both directions. The consequences of each error type are different and both are significant.

The classification error that creates regulatory exposure

The most consequential error is under-classification: determining that an AI system is not high-risk when regulatory analysis would reach the opposite conclusion. An AI system used to support credit decisions — even where a human reviews the output — may meet the Annex III criteria if the AI output materially influences the human decision. The Act's definition of "intended purpose" includes both primary and reasonably foreseeable uses.

The classification error that creates operational disruption

Over-classification — applying high-risk obligations to systems that fall outside Annex III — creates unnecessary compliance burden. The Act's Article 6(3) exemption mechanism for systems that pose "limited risk to health, safety or fundamental rights" requires documented assessment but is available and frequently under-utilised.

What a defensible classification assessment requires

A classification assessment that will withstand regulatory scrutiny requires: a documented system inventory with functional descriptions; structured mapping against each Annex III category; application of the Article 6(3) exemption analysis where relevant; and documented rationale for each determination signed off at governance level. The assessment must be reviewed when a system's intended purpose changes materially.

Timeline: August 2026 is closer than it appears

The EU AI Act's high-risk obligations for Annex III systems take effect in August 2026. Institutions that have not completed classification by Q1 2026 face a compressed remediation window. Classification is the precondition for every subsequent obligation — conformity assessment, technical documentation, human oversight measures, and registration.

EONTA Ireland's AI governance assurance practice conducts EU AI Act classification assessments producing documented rationale suitable for regulatory review.

Post-Quantum Cryptography · NIST March 2026 EONTA Research — Ireland

FIPS 203, 204 and 205: What the Finalised NIST Standards Mean for Financial Institution PKI

NIST's publication of its first three post-quantum cryptography standards in August 2024 concluded the standardisation phase. For financial institutions, it marks the beginning of the implementation phase — substantially more complex than the standards themselves suggest.

The PKI challenge is not algorithm substitution

Financial institution PKI infrastructures — certificate authorities, signing hierarchies, trust stores — are built on RSA and ECC. Migration requires root-of-trust replacement, which in a regulated financial institution touches digital signing of regulatory submissions, interbank authentication, and customer-facing certificate chains. Replacing a root CA in a complex hierarchy is a multi-year programme regardless of algorithm availability.

The SWIFT messaging dependency

SWIFT's PQC migration roadmap anticipates a phased transition to quantum-resistant algorithms across the network. Institutions should monitor this roadmap as an external dependency. An institution that completes internal PKI migration ahead of SWIFT's network-level transition will face an interim period of algorithm mismatch requiring active management.

Harvest-now-decrypt-later is a present-day threat

For data with confidentiality requirements extending beyond 5–10 years — regulatory submissions, customer financial records, interbank communications — the relevant threat is adversarial collection today against quantum decryption capability tomorrow. This is what makes the migration timeline urgent, not the arrival of cryptographically relevant quantum computers.

What a complete cryptographic inventory must capture

A PQC-ready inventory must document: every algorithm in use; every certificate and its renewal pathway; every protocol (TLS version and cipher suite); every HSM and its algorithm support roadmap; and every third-party dependency's migration timeline. Without a complete inventory, migration planning produces gaps that will become compliance failures.
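As an added illustration of the certificate rows such an inventory must hold, and of the harvest-now-decrypt-later test described in the previous section, the following Go program is example code written for this page; it is not EONTA tooling or any part of an EONTA assessment method. It parses X.509 certificates with Go's standard library into inventory records (subject, public-key algorithm, key size, signature algorithm, expiry, CA status), marks each as quantum-vulnerable or as needing manual review, and then checks whether a given confidentiality lifetime reaches past an assumed cryptographically relevant quantum computer (CRQC) date. The certificates are constructed self-signed ones generated inside the program, the 2035 CRQC date is an assumed planning parameter rather than a prediction, and the type, field and function names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertRecord is one certificate row of the inventory (names are this example's own).
type CertRecord struct {
	Subject           string
	PublicKeyAlg      string // "RSA", "ECDSA", ... as reported by crypto/x509
	KeyBits           int
	SignatureAlg      string // e.g. "SHA256-RSA", "ECDSA-SHA256"
	NotAfter          time.Time
	IsCA              bool
	QuantumVulnerable bool // public-key algorithm a CRQC would break
	ReviewRequired    bool // key type this example does not classify
}

// InventoryCert parses one PEM-encoded certificate into an inventory record.
func InventoryCert(pemBytes []byte) (CertRecord, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertRecord{}, fmt.Errorf("input is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertRecord{}, err
	}
	rec := CertRecord{
		Subject:      cert.Subject.String(),
		PublicKeyAlg: cert.PublicKeyAlgorithm.String(),
		SignatureAlg: cert.SignatureAlgorithm.String(),
		NotAfter:     cert.NotAfter,
		IsCA:         cert.IsCA,
	}
	switch k := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		rec.KeyBits, rec.QuantumVulnerable = k.N.BitLen(), true
	case *ecdsa.PublicKey:
		rec.KeyBits, rec.QuantumVulnerable = k.Curve.Params().BitSize, true
	default:
		// DSA, Ed25519 and key types crypto/x509 does not recognise (today that
		// includes ML-DSA and SLH-DSA) go to manual review rather than being
		// silently counted as migrated.
		rec.ReviewRequired = true
	}
	return rec, nil
}

// NeedsMigrationBefore is the harvest-now-decrypt-later test: data that must stay
// confidential for confidentialityYears past now is exposed if that horizon reaches
// beyond the assumed CRQC date and the certificate's algorithm is vulnerable.
func NeedsMigrationBefore(rec CertRecord, now time.Time, confidentialityYears int, crqcEstimate time.Time) bool {
	return rec.QuantumVulnerable && now.AddDate(confidentialityYears, 0, 0).After(crqcEstimate)
}

// selfSignedPEM builds a constructed self-signed certificate so the example
// runs offline; a real inventory reads exports from CAs, HSMs and trust stores.
func selfSignedPEM(cn string, priv, pub any, isCA bool, years int) ([]byte, error) {
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage |= x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(years, 0, 0),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: usage,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootPEM, _ := selfSignedPEM("Constructed Root CA", rsaKey, &rsaKey.PublicKey, true, 10)
	leafPEM, _ := selfSignedPEM("Constructed Signing Cert", ecKey, &ecKey.PublicKey, false, 1)
	crqc := time.Date(2035, 1, 1, 0, 0, 0, 0, time.UTC) // assumed planning parameter, not a prediction
	for _, p := range [][]byte{rootPEM, leafPEM} {
		rec, err := InventoryCert(p)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-26s %-5s %4d bits  sig=%-12s  expires=%s  vulnerable=%t  migrate-now=%t\n",
			rec.Subject, rec.PublicKeyAlg, rec.KeyBits, rec.SignatureAlg,
			rec.NotAfter.Format("2006-01-02"), rec.QuantumVulnerable, NeedsMigrationBefore(rec, time.Now(), 10, crqc))
	}
}
```

Run it with `go run`; to inventory real material, replace the two constructed PEMs with certificates read from the trust store or CA export and feed each to `InventoryCert`. Two design points matter for the inventory's completeness: every row either carries a definite vulnerability verdict or is explicitly marked for review, so unrecognised key types (which today includes the FIPS 204 and 205 signature schemes that Go's x509 package does not yet parse) cannot disappear from the gap list; and the migration test is driven by the data's confidentiality lifetime, not the certificate's expiry, which is the distinction the harvest-now-decrypt-later threat turns on.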

EONTA Ireland's PQC readiness assessments produce structured cryptographic inventories and migration roadmaps aligned to NIST FIPS standards and EMEA regulatory expectations.

LGPD · Data Privacy · Brasil January 2026 EONTA Advisory — Brasil

LGPD Maturity in Financial Institutions: The Three Gaps Regulators Are Identifying

The focus of ANPD inspections has evolved significantly since 2022. The current examination does not ask whether policies exist; it asks whether controls operate as documented. Three gaps appear consistently in 2025–2026 assessments.

Gap 1: Data subject rights workflows that fail in operation

Institutions have documented processes for responding to data subject rights requests. Inspections reveal that the operational workflows (the actual path from receipt of the request, through locating the data, to the response) break down at the interface between compliance teams and business units. Rights that cannot be fulfilled within the timeframes the ANPD expects represent the most closely examined compliance failure in Brazilian financial sector reviews in 2025–2026.

Gap 2: Third-party data sharing governance without proportionate controls

Brazilian financial institutions operate in a dense ecosystem of fintechs, payment processors and Open Finance participants. Each data sharing relationship requires a legal basis, an LGPD-compliant DPA and continuous monitoring. The contractual dimension has been addressed by most institutions; the monitoring dimension, continuous assurance that third parties process data as agreed, remains systematically underdeveloped.

Gap 3: International data transfers without documented mechanisms

Brazilian financial institutions frequently transfer data to entities and service providers in Europe, North America and APAC. The LGPD's international transfer regime (Articles 33–36) requires documented legal mechanisms for each transfer. The ANPD's standard contractual clauses, published in 2023, provide the contractual instrument; their consistent implementation across the enterprise remains incomplete in most institutions assessed.

What changes as ANPD enforcement matures

The ANPD has published its Inspection Regulation and formalised its sanctioning procedures. Administrative fines of up to 2% of revenue in Brazil, capped at R$ 50 million per infraction, have begun to be applied in practice. Financial institutions regard the reputational risk associated with a public ANPD notice as equally significant as the direct financial risk.

EONTA Advisory supports Brazilian financial institutions in LGPD diagnostics, compliance programme design and third-party data governance. (English version available on request.)

SWIFT CSP · Financial Messaging Security December 2025 EONTA Research — Ireland

SWIFT CSCF v2026: The Control Changes That Require Immediate Attention for 2026 Attestation

The CSCF v2026 update introduces mandatory control changes that affect a broader range of SWIFT-connected institutions than previous cycles. Institutions relying on unchanged attestation documentation from 2025 face compliance gaps they may not have identified.

The MFA requirement expansion that catches Alliance Lite2 users

Control 4.2 under CSCF v2026 extends multi-factor authentication requirements to operator workstation access in ways that specifically affect Alliance Lite2 and Alliance Lite2 Cloud deployments. Institutions that implemented MFA for direct SWIFT interface access but not for the workstation layer of cloud-hosted deployments may find their existing controls non-compliant under the updated mandatory requirements.

Data flow documentation now extends to cloud infrastructure

The v2026 update requires data flow documentation that explicitly maps SWIFT messaging infrastructure components including cloud-hosted elements. Institutions that documented on-premises data flows for v2026 attestation but subsequently migrated components to cloud hosting without updating their mandatory control documentation face a documentation gap that an independent assessor will identify.

The attestation timeline pressure is real

SWIFT's annual attestation deadline creates genuine time pressure. Institutions that identify material control gaps in Q3 or Q4 of the attestation year face a choice between incomplete remediation and delayed attestation — both of which carry relationship and regulatory consequences. Control readiness assessment in Q1–Q2 2026 provides remediation runway.

Third-party assessor independence requirements

SWIFT's framework for independent assessments under CSP requires that the assessor meets specific independence criteria. Institutions engaging their existing IT security advisers or implementation partners for CSP attestation support should confirm those firms meet the independence requirements — a firm that implemented the controls being attested is not independent of those controls.

EONTA Ireland conducts independent SWIFT CSP assessments across EMEA and LATAM. Our assessors meet SWIFT's independence requirements for independent assessment of mandatory and advisory controls.