[ INDUSTRIES ] / [ FINANCE ]

Software for finance. DORA, NIS2, ICT risk management: ready.

Financial institutions, fintech, insurance, fund managers. You face strict regulatory constraints on business continuity, incident handling, third-party risk. We build software that fits into your compliance framework without generating non-conformities.

[ THE PROBLEMS ]

What we keep seeing.

  • DORA in full application since January 17, 2025

    The entire EU financial sector must have an ICT risk management framework, an incident reporting process, a resilience testing program, structured third-party risk management. Software must support these requirements.

  • NIS2 alongside DORA

    DORA prevails where there is overlap, but NIS2 still applies to non-financial ICT suppliers in the sector and to some essential banks. Coordinating the two regimes requires an integrated compliance approach.

  • Peripheral COBOL systems still in production

    Many Italian financial institutions have peripheral COBOL systems around core banking: reporting, nightly batches, legacy branch systems. The programmers are retiring; knowledge risk is at its peak.

  • Strict constraints on business continuity (RTO/RPO)

    The sector doesn't tolerate unplanned downtime. Multi-zone or multi-region architectures, a tested DR plan and 24/7 monitoring are baseline requirements. Custom software must be designed consistently with these.

  • Integration with supervisory systems (Bank of Italy, EBA)

    Reporting to the Bank of Italy, EBA, CONSOB with hard deadlines and specific formats. Software must support prudential reporting flows and DORA incident-notification requirements.

[ HOW WE DO IT ]

The three pillars applied to this industry.

  • [ PILLAR 01 ]

    AI agents and LLM integration

    AI for document automation (KYC, tier-one AML checks, contract reading), RAG on internal knowledge base (operating procedures, regulations). Strict AI Act constraints for high-risk applications: credit scoring, automated decisions, biometrics.

    See the pillar
  • [ PILLAR 02 ]

    Legacy system modernization

    Progressive modernization of peripheral systems (COBOL, AS/400, legacy management systems) without touching the regulated core banking. Strangler pattern, knowledge recovery from the senior team, integration with core systems via documented APIs.

    See the pillar
  • [ PILLAR 03 ]

    Custom software for regulated industries

    DORA-compliant software with integrated ICT risk management framework, designed business continuity, structured audit trail for incident reporting, third-party risk management. ISO 27001-compatible for those certified or on the path.

    See the pillar
[ REGULATIONS ]

The specific rules of this industry.

  • DORA (EU Reg. 2022/2554)

    Digital Operational Resilience Act, applied since January 17, 2025 to the entire EU financial sector. ICT risk management, incident reporting, resilience testing, third-party risk.

  • NIS2 (Italian Legislative Decree 138/2024)

    Applicable to essential banks and to non-financial ICT suppliers in the sector. Coordination with DORA for overlap cases.

  • AI Act (EU Reg. 2024/1689)

    High-risk requirements for AI in credit scoring, fraud detection with automated decisions, customer classification. Transparency, explainability, human oversight.

  • GDPR + MiFID II + EBA Guidelines

    Customer financial data, profiling, retention. Regulatory stratification that requires compliance coordination.

[ FREQUENTLY ASKED QUESTIONS ]

The questions we get most often.

Do you work with financial institutions subject to DORA?

Yes, we build DORA-compliant software for fintechs, paytechs, fund managers, small-to-mid insurers. For systemic institutions (central banks, large insurers) we collaborate as technical specialists alongside their internal teams or dedicated system integrators. Organizational DORA compliance always remains with the client.

Do you have experience with core banking systems?

We don't work directly on core banking (systems typically supplied by specialized vendors: Temenos, Murex, Avaloq, custom). We work on peripheral systems: reporting, dashboards, integration, vertical custom software, AI layers on top of the core. The separation is explicit and contractually framed.

How much does it cost to modernize a peripheral COBOL system?

Typical ranges: €60,000-150,000 for audit + knowledge recovery + first migrated module. €200,000-600,000 for full migration of mid-sized systems. The knowledge-recovery phase from the senior team (including post-retirement consultants) is critical for success.

How do you handle DORA third-party risk?

We provide technical evidence on the software we deliver: architectural documentation, threat model, audit logs, security testing evidence, business continuity plan. We support the client's technical due diligence with this evidence. Contract negotiation and management of the third-party ICT supplier register remain with the client's Legal/Compliance.

[ LET'S TALK ]

Working in Finance?

A real conversation with the people who'll build the software. No automated quotes, no sales bots.

Let's talk