Innovation, Agility and Resilience - DNA of the fittest!
Strategy, AI, Digital transformation, Operational Resilience, Cyber Security, Process automation, Risk management and Compliance are your focus domains for value creation. AI-supported disruption and geopolitical uncertainty are the new reality. Agile organizations see all that as opportunities. People, Processes and Planet are changing at a faster pace than ever before. Sustainability, Artificial Intelligence and new business models are shaping the future. Without efficient utilization of "Digital", most businesses are at risk. Quick fix, systematic transformation or independent sparring partner to the CX team - your call. We provide tailored Advisory Services for your Sustainable Growth.
Commission Implementing Regulation (EU) 2024/2956 of 29 November 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to standard templates for the register of information.
End-user computing (EUC) refers to systems in which non-programmers can create working applications.[1] EUC is a group of approaches to computing that aim to better integrate end users into the computing environment. These approaches attempt to realize the potential for high-end computing to perform problem-solving in a trustworthy manner.[2][3] (Source: Wikipedia).
EUC was an important topic from 2010 onward. It was later also mentioned briefly as a subject of regulatory focus (e.g. EBA-GL-2017-05 – ICT RISK ASSESSMENT UNDER SREP; EBA/GL/2019/04 – EBA Guidelines on ICT and security risk management). EUC has been used as a buzzword until today; however, it has matured and is no longer separately emphasised or regulated.
It is expected that “A financial institution’s processes for acquisition and development of ICT systems should also apply to ICT systems developed or managed by the business function’s end users outside the ICT organisation (e.g. end user computing applications) using a risk-based approach. The financial institution should maintain a register of these applications that support critical business functions or processes.” Source: EBA/GL/2019/04
EUC is disappearing as a buzz word.
What is the status of EUC and AI consumption from end users today in organisations and how will this domain evolve in the future?
End user applications and ICT devices in 2025 offer many functionalities that allow users to process large amounts of data locally. Users can create complex rules and automations, embed AI capabilities and even write data back to corporate databases if allowed. Many decisions, reports and vital data are analysed, processed and distributed by end users – “developed or managed by the business function’s end users outside the ICT organisation” (plan, develop, test, use, update, leave) – where the corporate ICT risk management framework does not “see” them or has no visibility.
By adding new AI capabilities to existing tools and introducing new AI-supported architectures and concepts, managing risk and retaining control has to be not only adjusted on a regular basis but embedded in every change and use case.
Some risks related to “consumption” of ICT capabilities by the business function’s end users outside the ICT organisation (formerly EUC) are:
Wrong version – Was the version of the EUC tool approved?
Unauthorised Change of parameters and logic – Was the change authorised and tested?
Lack of ownership and visibility – Was the ownership assigned and linked to business functions, processes and other information assets to allow visibility, transparency and risk management (GRC)?
Unauthorised Data manipulation (extract, store)
Unauthorised Data Change (write to corporate database)
Unauthorised access control (to EUC tool & data)
Unreliable availability of EUC tool or product (not included in the redundancy or resilience programs)
(Image source: AI generated – Copilot)
What are key controls to address consumption of EUC and AI capabilities?
While there are many suitable controls to address specific risk and use case, I have outlined a few steps that will help raise the maturity of any organization dealing with the risk of end user computing and related technologies:
Understand where, how, what is done = inventory: tools, use cases, functions supported
Evaluate existing risk
Educate users on expected and forbidden practices
Help users address existing, high risk, end user computing practices
Implement tools to auto discover high risk practices
Enhance data governance, risk and compliance programs
Enhance capabilities of ROC (Risk Operations Centres) and SOC (Security Operations Centres)
Coach leaders and employees on modern ICT capabilities and risks from the end user perspective
Build awareness and culture to support responsible and secure use of ICT capabilities for end users.
For your convenience we have prepared the list of EU 2022/2554 (DORA) related technical standards published in the EU Official Journal:
Commission Implementing Regulation (EU) 2024/2956 of 29 November 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to standard templates for the register of information
Regulatory frameworks in the field of information security in 2024, in addition to the already known properties of information such as confidentiality, integrity, and availability, particularly highlighted authenticity. In practice, we find that in some places there is a simplification and misunderstanding of the differences between integrity and authenticity. For this purpose, the following record was created. (Partially using ChatGPT.)
The concepts of authenticity and integrity refer to two different aspects of information and system security.
Authenticity
Authenticity of Information
Authenticity refers to ensuring that the identities of entities (users, devices, or systems) and the origin of data or communications are reliably verified and not falsely represented. It means that organizations can trust that:
The users or entities accessing the systems are who they claim to be.
Documents, data, or communications are indeed from the rightful sender.
Examples in practice:
Using two-factor authentication to verify users.
Digital signatures that ensure a document or message is genuinely from the author.
Integrity
Information integrity risk
Integrity refers to protecting data and systems from unauthorized changes, including preventing and detecting data tampering or corruption. It ensures that:
Data is accurate, complete, and has not been altered without authorization.
Systems operate as intended without external influences or errors that could affect outcomes.
Examples in practice:
Using checksums (e.g., hash functions) to verify that data remains unchanged.
Log files that record all data changes and allow for review to detect potential manipulations.
Difference between authenticity and integrity
Authenticity focuses on reliable identification and verification of identity and source of information.
Integrity ensures that information or systems remain unchanged and protected from manipulations.
Both concepts are crucial for ensuring trust and security in digital ecosystems, especially in the context of the EU Digital Operational Resilience Act (DORA), which aims to increase the resilience of financial institutions to cyber and other operational threats.
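As an added illustration of the distinction drawn above (example code written for this page, not part of the original post): a SHA-256 checksum, as in the integrity examples, only tells you whether the bytes are unchanged relative to a digest recorded earlier; whoever can rewrite the record can also record a fresh digest beside it, so the check is silent about origin. An HMAC over the same record, like the digital signature named under authenticity, additionally binds the value to the holder of a key, so a relabelled record fails verification. The record and the two keys below are constructed for the example, and only Python's standard library is used so it runs offline.

```python
import hashlib
import hmac

# Constructed sample record and keys (all invented for this example).
RECORD = b"TRANSFER;from=ACC-001;to=ACC-002;amount=100.00"
SENDER_KEY = b"constructed-demo-key-shared-with-the-sender"
OTHER_KEY = b"constructed-demo-key-held-by-someone-else"


def sha256_hex(data: bytes) -> str:
    """Integrity check value: depends only on the bytes, not on who produced them."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_digest: str) -> bool:
    """True if `data` still hashes to the digest recorded earlier."""
    return hmac.compare_digest(sha256_hex(data), expected_digest)


def make_tag(key: bytes, data: bytes) -> str:
    """Authenticity tag: only a holder of `key` can produce a matching value."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def authentic_ok(key: bytes, data: bytes, tag: str) -> bool:
    """True only if `data` is unchanged AND the tag was made with `key`."""
    return hmac.compare_digest(make_tag(key, data), tag)


def demo() -> dict:
    """Run the four cases that separate integrity from authenticity."""
    digest = sha256_hex(RECORD)
    tag = make_tag(SENDER_KEY, RECORD)

    # Case 1: the amount is altered but the stored digest is left as it was.
    # The plain hash detects this (integrity violated).
    edited = RECORD.replace(b"100.00", b"900.00")
    hash_detects_edit = not integrity_ok(edited, digest)

    # Case 2: the record is altered and a fresh digest is stored beside it.
    # The hash matches again: it proves nothing about who wrote the record.
    hash_accepts_relabelled = integrity_ok(edited, sha256_hex(edited))

    # Case 3: the same relabelling against the HMAC tag fails, because a
    # valid tag can only be produced with the sender's key.
    tag_rejects_relabelled = not authentic_ok(
        SENDER_KEY, edited, make_tag(OTHER_KEY, edited)
    )

    # Case 4: the untouched record with the sender's tag verifies.
    tag_accepts_original = authentic_ok(SENDER_KEY, RECORD, tag)

    return {
        "hash_detects_edit": hash_detects_edit,
        "hash_accepts_relabelled": hash_accepts_relabelled,
        "tag_rejects_relabelled": tag_rejects_relabelled,
        "tag_accepts_original": tag_accepts_original,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

All four results come out True: the hash catches a silent edit but also accepts a re-hashed one, while the keyed tag rejects anything not produced with the sender's key. `hmac.compare_digest` is used for both comparisons so that verification time does not depend on where the values first differ.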
The European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA) (jointly the ESAs) have issued Decision ESA 2024 22 of 8 November 2024 concerning the reporting by competent authorities to the ESAs of information necessary for the designation of critical ICT third-party service providers in accordance with Article 31(1)(a) of Regulation (EU) 2022/2554.
This information was published on the ESMA site:
The ESAs also published on 15th of November a list of validation rules that will be used when analysing the registers of information and the visual representation of the data model. These rules will be included in the updated reporting technical package (including updated data point model, taxonomy and validation rules), which is set to be published in December 2024.
Workshop
Financial entities who would like to learn more about how to prepare their registers of information and hear about the outcomes of the 2024 Dry Run exercise, are invited to take part in an information workshop on 18 December 2024.
The workshop will be held virtually from 10:00 to 13:00. Interested parties can register by 16 December 2024 at the following link.
There are many opportunities related to the use of AI systems, but also many risks. One of the attempts to collect, classify, organize and publish AI incidents is available at the link here:
The Artificial Intelligence Act REGULATION (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 is the first framework at EU level to lay down harmonised rules on the use of AI systems, prohibitions on certain AI practices, specific requirements for high-risk AI systems and obligations for operators of such systems.
Regulation (EU) 2024/1689 establishes a comprehensive legal framework for the development, use and regulation of artificial intelligence (AI) systems in the EU, thereby introducing specific requirements for industries and the public sector, including the Slovenian market. This regulation aims to ensure the compliance of AI systems with EU fundamental rights and principles such as health protection, security, democracy and the rule of law, and to manage the risks posed by AI. In the following, I summarize the key impacts, milestones and effects of the regulation on industries and the public sector in Slovenia.
Impact on individual industries
Technology sector (specifically for AI developers):
The regulation sets strict requirements for high-risk AI systems that are often used in the technology sector, such as facial recognition systems, analytics and decision automation. The developers of these systems will have to ensure compliance with requirements covering transparency, traceability, data security and respect for fundamental rights.
Each AI system will have to obtain certification before being available on the EU market, which will affect the time and costs of development and implementation of new technologies.
Financial sector:
The use of AI for financial analysis, credit risk assessments and advisory services will have to follow strict regulatory guidelines regarding accountability and transparency.
Automated lending decision-making and risk analysis systems will also need to be transparent and non-discriminatory, which means additional costs to maintain compliance.
Manufacturing sector (industrial automation):
Companies using AI to automate and optimize production will need to ensure that their systems are designed according to security standards.
A risk assessment for AI will be required where automation involves dangerous tasks or critical infrastructure. Compliance costs may increase, especially for smaller companies.
Healthcare:
The healthcare sector, which relies on AI for diagnostic tools, health risk prediction and treatment recommendations, will need to ensure that these systems are tested and verified for accuracy, reliability and compliance with personal data protection regulations.
For the use of AI in healthcare, additional steps for certification and traceability will be prescribed, which may increase the development and implementation time of new solutions.
Transport and logistics (including autonomous vehicles):
The regulation introduces requirements for the use of AI in transport, especially for autonomous vehicles and drones, where safety, reliability and responsibility are key elements.
Manufacturers will have to provide certification and demonstrate safety mechanisms before putting vehicles and systems into circulation.
Impact on the public sector
The public sector will have to use AI responsibly, especially for tasks that affect the fundamental rights of citizens. AI systems used by public authorities will thus be subject to stricter verification and certification for compliance.
Use of AI for public services:
Public organizations will need to obtain certified AI systems for tasks such as security surveillance technology, social services, and decision automation in the allocation of social assistance or other benefits.
To prevent biased or unfair decision-making, authorities will have to ensure that AI is designed in a transparent and non-discriminatory manner, which may prolong the implementation of such systems in the public sector.
Data collection and transparency:
Public institutions will have to strictly comply with the requirements for the protection of personal data when using AI, thus ensuring the trust of citizens.
The emphasis is on responsibility for all algorithms that affect access to public services or other rights, which means stricter control procedures and security standards for all AI infrastructure.
Key dates and milestones
2024 – Publication and adoption of the regulation: The regulation was adopted on 13 June 2024 and entered into force after publication in the Official Journal of the EU.
2025 – Start of use: It is envisaged that companies and public institutions will have a certain transition period to adapt existing AI systems. The start of use date is likely to be set to 2025.
2026 – First conformity assessment and verification of high-risk AI systems: The certification system for high-risk AI is expected to become mandatory.
2030 – Full implementation and compliance review of the regulation: By this date, the regulation will be fully implemented, all industries are expected to be compliant, and regular compliance reviews are planned.
Specific dates:
Entry into force and application: This Regulation shall enter into force on the twentieth day following its publication in the Official Journal of the European Union. It applies from 2 August 2026.
However:
(a) Chapters I and II shall apply from 2 February 2025;
(b) Chapter III, Section 4, Chapter V, Chapter VII and Chapter XII and Article 78 shall apply from 2 August 2025, except for Article 101;
(c) Article 6(1) and the corresponding obligations from this Regulation shall apply from 2 August 2027.
This Regulation is fully binding and directly applicable in all Member States. Done at Brussels, 13 June 2024
Regulation (EU) 2024/1689 will require compliance with complex safety and ethical standards, which brings significant financial and organizational challenges for industries and the public sector.
Data governance is a critical framework for managing and ensuring the quality, security, and effective use of data within an organization. Here are some key principles of data governance:
Accountability
Ownership: Assign clear ownership of data assets to specific individuals or roles within the organization.
Responsibilities: Define responsibilities for data management, ensuring that all data-related activities have accountable parties.
Transparency
Data Lineage: Ensure that the origin, movement, and transformations of data are documented and traceable.
Clear Policies: Establish and communicate clear policies and standards for data management, access, and use.
Integrity
Accuracy: Maintain data accuracy and reliability through regular validation and quality checks.
Consistency: Ensure consistency in data definitions, formats, and standards across the organization.
Compliance
Regulatory Adherence: Comply with legal, regulatory, and industry-specific data requirements (e.g., GDPR, HIPAA).
Auditability: Implement processes that enable data and processes to be audited for compliance.
Security
Protection: Implement measures to protect data from unauthorized access, breaches, and other security threats.
Privacy: Safeguard personal and sensitive information, ensuring that data privacy laws and regulations are adhered to.
Quality
Data Quality Management: Continuously monitor and improve the quality of data, addressing issues like duplicates, errors, and outdated information.
Data Stewardship: Assign roles responsible for ensuring data quality across the organization.
Standardization
Data Standards: Define and enforce consistent data standards and definitions to facilitate interoperability and integration.
Metadata Management: Maintain comprehensive metadata that describes data characteristics, origins, and usage.
Accessibility
Ease of Access: Ensure that data is accessible to authorized users in a timely and efficient manner.
Data Democratization: Empower users to access and use data effectively while maintaining security and compliance.
Agility
Adaptability: Allow for flexible data governance practices that can adapt to changing business needs, technology advancements, and regulatory environments.
Scalability: Design governance frameworks that can scale with the organization’s growth and data complexity.
Ethics
Responsible Use: Promote the ethical use of data, ensuring that data practices align with the organization’s values and societal norms.
Bias Mitigation: Identify and mitigate potential biases in data collection, processing, and analysis.
Collaboration
Cross-Functional Collaboration: Foster collaboration across departments to ensure that data governance is integrated into all business processes.
Stakeholder Engagement: Engage stakeholders in governance activities, ensuring their needs and concerns are addressed.
These principles provide a foundation for establishing effective data governance practices, ensuring that data is managed as a valuable organizational asset.
Implementation of these principles requires synchronized effort from all key stakeholders in any organization.
The purpose of this post is to share the facts & links about DORA with the community.
DORA act
Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance)
JC 2023 84 – RTS on the policy on ICT services supporting critical or important functions provided by ICT third-party service providers (Was replaced with JC(2024) 1531).
Final Reports – draft RTS submitted to the European Commission on 26th July 2024:
JC 2024 53 – Final Report RTS .. to assess when subcontracting ICT services supporting critical or important functions
Draft Regulatory Technical Standards to specify the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions as mandated by Article 30(5) of Regulation (EU) 2022/2554;
Guidelines on the estimation of aggregated costs/losses caused by major ICT-related incidents; and
JC 2024 34 Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under Regulation (EU) 2022/2554. EBA site;
Update to DORA regulation – Supplementing Regulation (EU) 2022/2554:
Criteria for the designation of ICT third-party service providers as critical for financial entities
Commission Delegated Regulation (EU) 2024/1502 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by specifying the criteria for the designation of ICT third-party service providers as critical for financial entities. (EU) 2024/1502.
Criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents
OJ – Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents. C(2024) 1519 final.
OJ – Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers. C(2024) 1531 final. (Replaces / supplements – JC 2023 84.)
OJ – Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework. JC(2024) 1532 final. (Replaces / supplements – JC 2023 86)
Top performance of your organization is your goal.
We see our mission in assisting you to achieve your goals.
Corporate Governance
Governance and leadership are vital to the success of any organization.
We listen, learn and contribute to your organization in line with the target culture of your organization.
Risk Management
Your risk intelligence will provide opportunities within your risk appetite.
We help you build a risk management framework and suggest best practices.
Compliance
The most mature and risk intelligent organizations put compliance in the perspective of carefully calculated risk.
We help organizations achieve their target compliance levels.