Do you do PSD2 and Berlin Group XS2A integrations?

Yes. PSD2 (Directive (EU) 2015/2366) and the EBA RTS require an XS2A (Access to Account) interface; the de-facto European standard is the Berlin Group NextGenPSD2 framework. Most Hungarian banks use it, exposing AISP / PISP / CBPII roles. The 27 March 2020 domestic-features Annex covers the Hungarian market specifically — that's the spec we implement, with OAuth2 + OIDC + dynamic client registration. SCA decision points are typically the EUR 30-50 contactless threshold and fraud-rate-based TRA exemptions.

Can you build MNB XBRL data submission?

Yes. MNB regulation 55/2024. (XII. 3.) governs banking sector data reporting on the EBA Data Point Model (DPM) + XBRL Filing Rules (currently version 5.5). We build the pipeline: internal core-banking (T24 / SAP Banking / proprietary) -> data aggregation -> DPM mapping -> XBRL instance generation -> MNB validation -> submission with retry. We also document the data-compilation process controls per MNB Recommendation 19/2022. Pilot delivery 4-6 months, full prod 8-14 months.

Where is the data stored, and is on-prem an option?

Default: EU-region cloud (AWS Frankfurt, Azure West Europe, GCP Belgium). For banking customers the most common pattern is hybrid: production data in EU region, residency-sensitive parts (PII, KYC, transaction-level data) on-prem or in Hungarian sovereign hosting (your data centre, HUNNGCloud). Full on-prem deploy works too: Kubernetes, Terraform IaC, GitOps via Argo CD. Source-code escrow (NCC Group or equivalent) is a standard option in long-term banking contracts.

How do you cover NIS2 and EU AI Act compliance?

Banks are typically essential entities under NIS2 Annex I — fines at least EUR 10M or 2% of global turnover. AI components (credit scoring, fraud detection, AML) are high-risk under EU AI Act Annex III — by 2 August 2026 you need an Annex IV technical file plus an FRIA (Art. 27). Every banking project we ship comes with: NIS2 Article 21(2) ten-measure mapping, AI Act gap analysis, audit logging, EU-region model deployment. Detail: /en/nis2-checklist-for-it-leaders/ and /en/eu-ai-act-high-risk-checklist/.

How much does a banking custom build cost?

Banking projects typically run 30-50% above an equivalent general enterprise build because of the compliance overhead (DORA TLPT, MNB audit, source-code escrow, penetration test, four-eyes review). A medium pipeline (PSD2 XS2A new API module, or core-banking middleware): 6-10 months, HUF 35-90M. MNB XBRL pipeline: 4-7 months, HUF 18-45M. Full core-banking add-on module or fintech MVP: 8-14 months, HUF 70-180M. Exact quote after a 30-minute scoping call.

DORA · PSD2 · MNB · NIS2 · EU AI Act

Software development for the banking sector

DORA-aligned ICT resilience, PSD2 / Berlin Group XS2A integration, MNB XBRL data-submission pipelines, and AI modules built to the EU AI Act high-risk (Annex III) requirements — all in one codebase. Hungarian Kft. partner, EU-region data, source-code escrow on request. Last updated 2026-05-04.

Request a banking scoping call

30-minute consultation

TL;DR

DORA (Reg. 2022/2554) has been applicable since 17 January 2025 — ICT risk, TLPT every 3 years, third-party CTPP oversight.
The Hungarian supervisor is the MNB; regulation 55/2024. (XII. 3.) requires EBA DPM + XBRL Filing Rules 5.5 as the data format.
Hungary's NIS2 transposition (Act LXIX of 2024, in force 2026-01-06) treats banks as essential entities — fines >= EUR 10M or 2% of global turnover.
Credit-scoring and fraud-detection AI: high-risk under EU AI Act Annex III — FRIA + Annex IV technical file by 2026-08-02.
Banking project ranges: HUF 35-180M depending on scope, EU-region deployment, escrow and on-prem options included.

Pain map — what banking IT directors are dealing with right now

Concrete, named problems we keep meeting in 2026 at Hungarian credit institutions.

DORA ICT resilience testing (Art. 24-27)

DORA has been applicable since 17 January 2025. Significant financial entities need a threat-led penetration test (TLPT) every three years and an annual operational resilience test. Most internal teams don't have the capacity to run that as a non-functional test pipeline.

MNB XBRL submitted manually from Excel

Many smaller credit institutions still hand-build MNB reports under regulation 55/2024. (XII. 3.). One validation error in a 200-row XBRL instance triggers hours of replay work. We build automated DPM-mapping pipelines instead.

Middleware to legacy core-banking (T24, in-house)

Modern fintech UX (Berlin Group XS2A, mobile app) and legacy core (Temenos Transact / T24, AS/400-style mainframes) need a structured middleware between them — REST/JSON at the front, ISO 20022 MT/MX at the back, audit storage in the middle.

AI credit scoring / fraud detection — EU AI Act gap

EU AI Act Annex III point 5 (essential services — creditworthiness assessment) classifies credit-scoring and AML/fraud-detection AI as high-risk. From 2 August 2026 you need an FRIA, Annex IV technical documentation, and post-market monitoring.

Source-code escrow + four-eyes review, not ad-hoc

Both MNB and your internal audit expect a versioned, code-reviewed deploy pipeline. We ship GitOps + Argo CD + protected branches + a minimum-2-approver workflow by default, with NCC Group escrow.

Regulatory landscape for banking software

Only items grounded in official sources (EUR-Lex, NJT, MNB). References at the bottom of the page.

Regulation	Applicable	Scope	Penalty
DORA — Reg. (EU) 2022/2554	Applicable 2025-01-17	ICT risk, incident reporting, TLPT, third-party risk	Set by Member State — MNB
PSD2 — Dir. (EU) 2015/2366 + EBA RTS	SCA enforced 2019-09-14	Strong Customer Authentication, XS2A, AISP/PISP	Member State sanctions
NIS2 — Dir. (EU) 2022/2555	HU 2026-01-06 (Act LXIX of 2024)	Essential entity (Annex I — banking), Art. 21(2) ten measures	>= EUR 10M or 2%
EU AI Act — Reg. (EU) 2024/1689	2026-08-02 high-risk AI	Credit scoring, AML, fraud (Annex III)	<= EUR 15M or 3% (Art. 99(4))
MNB regulation 55/2024. (XII. 3.)	In force	MNB data submission for banking / financial entities	MNB sanctions
GDPR — Reg. (EU) 2016/679	2018-05-25	Financial PII, banking secrecy, automated decision (Art. 22)	<= EUR 20M or 4%

Integration matrix — what we connect to

Every named system has a documented API and live integrations in production at our banking customers.

System	Protocol	Note
Temenos Transact (T24)	TAFC + REST + JSON	Legacy T24 core-banking, ISO 20022 MX bridging.
SAP Banking / FSDM	BAPI / OData / IDoc	FSDM-based data model, S/4HANA Finance migration path.
Berlin Group NextGenPSD2 XS2A	REST + OAuth2 + OIDC	AISP / PISP / CBPII roles, Hungarian Annex 2020-03-27.
MNB XBRL submitter (EBA DPM)	XBRL Filing Rules 5.5	Regulation 55/2024. (XII. 3.), MNB validation + retry logic.
GIRO Instant Payment	ISO 20022 pacs.008/.002	AFR (Hungarian instant payment), 5s SLA.
SWIFT MX (CBPR+, Target2)	ISO 20022 MX	Cross-border and high-value domestic payments.
KHR (Central Credit Information System)	BISZ Zrt. web service	Credit-data lookup with consent flow.
SimplePay / Barion / OTP / K&H	REST + 3DS2	Hungarian payment gateways for the B2C side.
AML/KYC providers	REST + webhook	Typical: Onfido, ComplyAdvantage, LexisNexis Refinitiv.

Why pick us for a banking project

Compliance built in

NIS2 Article 21(2) ten-measure mapping, EU AI Act Annex IV technical-file template, DORA ICT register, MNB-style audit logging by default.

EU-region data, on-prem option

AWS Frankfurt / Azure West Europe / GCP Belgium by default; full on-prem Kubernetes deploy into a Hungarian data centre when residency is stricter.

Source-code escrow

NCC Group or equivalent notarised deposit for banking contracts so the business doesn't stop if the supplier disappears.

Four-eyes review + GitOps

Protected branches, minimum 2 reviewers, signed commits, Argo CD deploy pipeline, immutable artifact store. Release history becomes the audit story.

Pricing for banking projects

Our published project ranges (see /pricing.md), adjusted for banking overhead (about +30%). External auditor or notified-body fees are separate.

· MNB XBRL pipeline: 4-7 months, HUF 18-45M
· PSD2 XS2A new API module (Berlin Group v1.3.x): 6-10 months, HUF 35-90M
· Core-banking middleware (T24 / SAP Banking -> REST/JSON): 7-12 months, HUF 50-130M
· Fintech MVP (B2C mobile bank): 8-14 months, HUF 70-180M
· NIS2 + DORA gap audit + roadmap (you implement): 4-6 weeks, HUF 3-9M
· Continuous compliance retainer: HUF 0.8-2.8M / month

Talk in person, near our office

In a 30-minute scoping call we map the banking environment and compliance gaps and give you a tight estimate. Call +36 30 098 0767 or drop in.

Budapest office: Bank Center, Szabadság tér 7., 1054 Budapest, 1st floor, office 112. Mon-Fri 9:00-18:00 by appointment · balint@appforge.hu

Official sources

Last updated 2026-05-04. This page does not replace legal or MNB advice.

Internal links if you want to go deeper: NIS2 checklist · EU AI Act checklist · System integration.

GYIK

Banking sector — frequently asked

DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) became applicable on 17 January 2025 across all EU financial entities — banks, insurers, investment firms, e-money institutions, crypto-asset service providers. Five pillars: ICT risk management, ICT-related incident reporting, digital operational resilience testing (TLPT), third-party ICT risk (CTPP oversight), information sharing. In Hungary the supervisor is the MNB (Magyar Nemzeti Bank). A mid-sized bank's compliance program is typically 12-18 months end to end.

Kapcsolódó megoldások

Let's start the banking scoping call

In 30 minutes we map the DORA / MNB / NIS2 / AI Act gaps and give you a tight time-and-cost estimate.

Request a banking scoping call →30 perc ingyenes konzultáció