Regulatory Compliance
BlueUP designs its platforms with regulatory compliance as a foundational requirement. It is not an afterthought: every architectural decision responds to a specific regulatory requirement.
Covered Regulations
DORA: Regulation (EU) 2022/2554
Digital Operational Resilience Act for the EU financial sector, applicable since 17 January 2025.
| DORA Requirement | How we comply |
|---|---|
| ICT incident management (Art. 17) | Automatic classification (Minor/Significant/Major) per DR (EU) 2024/1772 Art. 8 |
| Supervisor notification | RTS (EU) 2025/301 / ITS (EU) 2025/302 reporting chain: initial notification (≤4h after classification as major, and no later than 24h after becoming aware), intermediate report (≤72h after the initial notification), final report (≤1 month after the intermediate report) |
| Operational resilience | Local spooling during network outages with autonomous reconnection and backpressure |
| Resilience testing | Circuit breaker with controlled degradation (CLOSED → OPEN → HALF_OPEN) |
| ICT risk management | Two-level alerts: WARNING (5 min) and CRITICAL (2h) with CSIRT escalation |
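The circuit breaker row above names the three states but not the transitions between them. The following is an added illustration, not BlueUP's code: a minimal breaker that trips after a run of consecutive failures, fails fast while OPEN, lets exactly one probe call through once the cooldown elapses (HALF_OPEN), and closes or re-opens depending on that probe. The thresholds, the 30 s cooldown, the injectable clock and the "supervisor endpoint" scenario are all assumptions chosen to make the transitions easy to follow.

```python
"""Circuit breaker with the CLOSED -> OPEN -> HALF_OPEN state machine.

Added illustration, not BlueUP's code: thresholds, cooldown and the injectable
clock are assumptions chosen to make the transitions easy to follow.
"""
import time
from enum import Enum


class State(Enum):
    CLOSED = "CLOSED"        # normal operation; consecutive failures are counted
    OPEN = "OPEN"            # tripped; calls fail fast until the cooldown elapses
    HALF_OPEN = "HALF_OPEN"  # one trial call decides: success closes, failure re-opens


class CircuitOpenError(RuntimeError):
    """Call rejected locally without reaching the downstream service."""


class CircuitBreaker:
    def __init__(self, failure_threshold=3, reset_timeout=30.0, clock=time.monotonic):
        self.failure_threshold = failure_threshold  # consecutive failures that trip the breaker
        self.reset_timeout = reset_timeout          # seconds spent OPEN before a probe is allowed
        self._clock = clock                         # injectable so tests are deterministic
        self.state = State.CLOSED
        self._failures = 0
        self._opened_at = 0.0
        self._probe_in_flight = False

    def _trip(self):
        """Enter OPEN and start a fresh cooldown window."""
        self.state, self._opened_at, self._probe_in_flight = State.OPEN, self._clock(), False

    def _admit(self):
        """Gatekeeper run before every call; raises if the call must not go out."""
        if self.state is State.OPEN:
            if self._clock() - self._opened_at < self.reset_timeout:
                raise CircuitOpenError("circuit OPEN: failing fast")
            self.state = State.HALF_OPEN            # cooldown elapsed: allow a single probe
        if self.state is State.HALF_OPEN:
            if self._probe_in_flight:
                raise CircuitOpenError("circuit HALF_OPEN: probe already in flight")
            self._probe_in_flight = True

    def call(self, fn, *args, **kwargs):
        """Run fn through the breaker; exceptions from fn count as failures and are re-raised."""
        self._admit()
        try:
            result = fn(*args, **kwargs)
        except Exception:
            if self.state is State.HALF_OPEN:
                self._trip()                        # failed probe: back to OPEN, new cooldown
            else:
                self._failures += 1
                if self._failures >= self.failure_threshold:
                    self._trip()
            raise
        self.state, self._failures, self._probe_in_flight = State.CLOSED, 0, False
        return result


class FakeClock:
    """Manually advanced clock (constructed for the demo)."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate():
    """Drive the breaker through all three states against a downstream that is
    unreachable, then recovers (constructed scenario). Returns the observed trace."""
    clock = FakeClock()
    cb = CircuitBreaker(failure_threshold=3, reset_timeout=30.0, clock=clock)
    reachable = {"ok": False}

    def send_report():
        if not reachable["ok"]:
            raise ConnectionError("supervisor endpoint unreachable")
        return "202 Accepted"

    trace = []
    for _ in range(3):                        # three consecutive failures trip the breaker
        try:
            cb.call(send_report)
        except ConnectionError:
            pass
        trace.append(cb.state.name)
    try:                                      # while OPEN the downstream is not even tried
        cb.call(send_report)
    except CircuitOpenError:
        trace.append("rejected")
    clock.advance(31)                         # cooldown elapsed: next call is a HALF_OPEN probe
    reachable["ok"] = True
    trace.append(cb.call(send_report))        # probe succeeds -> CLOSED
    trace.append(cb.state.name)
    return trace


if __name__ == "__main__":
    print(" -> ".join(simulate()))
```

A sender that combines a breaker like this with the local spooling described in the row above would queue the reports rejected with `CircuitOpenError` rather than drop them, and replay the spool once the probe succeeds; the breaker's job is only to stop a dead endpoint from absorbing every retry.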
SEPBLAC: Law 10/2010
Prevention of Money Laundering and Terrorist Financing. Supervised by SEPBLAC (Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias), Spain's financial intelligence unit (FIU) and the official recipient of suspicious-activity reports from obliged entities.
| SEPBLAC Requirement | How we comply |
|---|---|
| Special Examination (Art. 18) | 10-state workflow with immutable cryptographic audit trail |
| SEPBLAC Communication | Automatic F19/CXI form generation |
| Due diligence | 360° KYC profiles with 8-factor risk analysis |
| Sanctions screening | Verification against EU, OFAC and UN lists with fuzzy matching (Dice coefficient) |
| Segregation of duties | Four-Eyes principle — high-risk approvals require two distinct persons |
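The sanctions-screening row mentions fuzzy matching with the Dice coefficient without showing what that means for a name. The following is an added illustration, not BlueUP's code: names are normalised (casefold, diacritics and punctuation stripped), turned into multisets of character bigrams per token, and compared with the Sørensen-Dice coefficient 2|A∩B| / (|A|+|B|). The list entries are constructed sample records, not taken from any real EU, OFAC or UN list, and the 0.8 threshold and per-token bigram choice are assumptions.

```python
"""Sanctions-list screening with bigram Dice-coefficient fuzzy matching.

Added illustration, not BlueUP's code. The list entries are constructed sample
records, and the 0.8 threshold and per-token bigram choice are assumptions.
"""
import re
import unicodedata
from collections import Counter

SANCTIONS_LIST = [  # constructed sample records, not taken from any real list
    {"id": "EU-0001", "source": "EU", "names": ["Abdul Rahman Al-Sayed", "Abdulrahman Alsayed"]},
    {"id": "OFAC-0002", "source": "OFAC", "names": ["Viktor Petrov Ivanov"]},
    {"id": "UN-0003", "source": "UN", "names": ["Maria del Carmen Lopez"]},
]


def normalize(name):
    """Casefold, strip diacritics and punctuation, and split into tokens, so that
    'José García' and 'jose-garcia' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]+", " ", ascii_only.casefold()).split()


def bigrams(tokens):
    """Multiset of character bigrams per token, padded with spaces so that word
    boundaries count and no bigram spans two words (token order is irrelevant)."""
    grams = Counter()
    for tok in tokens:
        padded = f" {tok} "
        grams.update(padded[i:i + 2] for i in range(len(padded) - 1))
    return grams


def dice(a, b):
    """Sørensen-Dice coefficient 2|A∩B| / (|A|+|B|) over bigram multisets; 1.0 = identical."""
    ga, gb = bigrams(normalize(a)), bigrams(normalize(b))
    if not ga or not gb:
        return 0.0
    overlap = sum((ga & gb).values())  # multiset intersection: min count per bigram
    return 2 * overlap / (sum(ga.values()) + sum(gb.values()))


def screen(query, entries=SANCTIONS_LIST, threshold=0.8):
    """Return (id, source, best_score) for every entry whose primary name or any
    alias scores at or above the threshold, highest score first."""
    hits = []
    for entry in entries:
        best = max(dice(query, n) for n in entry["names"])
        if best >= threshold:
            hits.append((entry["id"], entry["source"], best))
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for q in ("Abdul-Rahman Alsayed", "José García", "Unrelated Person"):
        print(q, "->", screen(q))
```

Bigram Dice is forgiving of the variants that defeat exact matching (hyphenation, diacritics, transliteration spellings such as Smith/Smyth), which is why it is used for this purpose; the price is that very short names and common name parts score high against many entries, so the threshold is a tuning decision between missed hits and analyst workload, and a hit is a lead for the Four-Eyes review in the next row, not a verdict.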
GDPR: Regulation (EU) 2016/679
| GDPR Requirement | How we comply |
|---|---|
| Data minimization | Ontological pre-validation at the Edge — only structured, necessary data leaves |
| Privacy by design (Art. 25) | End-to-end mTLS encryption, configurable PII masking |
| Data residency | Google Cloud Europe infrastructure. Data never leaves authorized jurisdiction |
| Right of access | Immutable audit trail with full traceability |
AI Act: Regulation (EU) 2024/1689
| AI Act Requirement | How we comply |
|---|---|
| Transparency | Auditable LLM reasoning logs (Langfuse/Arize Phoenix) |
| Human oversight | Human-in-the-Loop for decisions affecting PII or financial data |
| Data governance | Sovereign processing with vLLM/Ollama — data never leaves controlled infrastructure |
Resources and application by industry
- DORA 2026 Whitepaper — Technical guide to Regulation (EU) 2022/2554.
- DORA Calculator — 18-question self-assessment with downloadable report.
- DORA 2026: practical guide — Deadlines, perimeter and obligations by entity type.
Operational application by regulated industry:
Need a compliance assessment?
We analyze your current situation and show you how BlueUPALM can cover your regulatory obligations.
Self-assess your DORA/SEPBLAC maturity
Answer 18 questions and get your per-pillar score with recommendations, in 2 minutes.