Built on
Spring Boot
Flowable BPMN
Apache Camel
Eclipse Foundation
Apache Software Foundation
Regulated Industries

Built for Every Industry
Where Compliance Is Not Optional

Any regulated organisation operating under DORA, NIS2, EU AI Act, GDPR, or sector-specific supervision can benefit from sovereign process automation and AI governance. Banking is where we start. It is not where we stop.

Primary Focus

Banking & Financial Services

Banking and financial services organisations. Payments institutions. e-Money providers. Credit unions. Operating under DORA, NIS2, EU AI Act, and PSD2 simultaneously. with a compliance clock that is already running.

  • KYC and customer onboarding automation
  • AML triage and fraud detection with HITL
  • Loan servicing and credit operations
  • DORA ICT process resilience documentation
  • EU AI Act high-risk system conformity
DORA NIS2 EU AI Act PSD2 GDPR
High-Growth Vertical

Telecommunications

National and regional telecoms operating critical infrastructure under NIS2. Complex OSS/BSS workflows, customer lifecycle processes, and increasingly. AI-driven network management that requires governance infrastructure.

  • NIS2 critical infrastructure process automation
  • Customer lifecycle and provisioning workflows
  • AI-driven network anomaly detection with audit trails
  • Fraud and revenue assurance operations
  • Regulatory reporting and evidence packs
NIS2 EU AI Act GDPR EECC
Strategic Vertical

Public Sector & Government

Ministries, agencies, and public bodies adopting AI in citizen-facing services. Sovereign deployment is not a preference. it is a constitutional requirement. The platform is built for on-premises deployment from the ground up.

  • Citizen service workflow automation
  • AI-assisted case management with mandatory HITL
  • Procurement and benefits processing
  • EU AI Act high-risk system documentation for public bodies
  • Open-source by policy. Apache 2.0 satisfies procurement rules
EU AI Act NIS2 GDPR eIDAS
Adjacent Vertical

Insurance & Pensions

Insurers and pension funds under Solvency II and EIOPA supervision operating increasingly with AI-assisted underwriting, claims automation, and actuarial tooling. all of which fall under EU AI Act high-risk provisions.

  • Claims processing and triage automation
  • AI-assisted underwriting with governance audit trail
  • Solvency II process documentation
  • Customer onboarding and KYC workflows
  • Fraud detection with sovereign data infrastructure
Solvency II EU AI Act GDPR EIOPA
The Challenge

Two Crises Are Converging
on Your Bank Right Now

Every regional bank in the EU faces compounding operational and regulatory exposure simultaneously. Waiting is no longer a neutral position.

Crisis 01

The Operations Crisis

Loan servicing, KYC, dispute handling, and AML triage still run on email chains and spreadsheets. Each year of delay compounds ICT resilience exposure and supply chain risk simultaneously.

Banks that automate now build a durable competitive advantage. Those who wait accumulate compounding technical and regulatory debt.

DORA Art. 6-15 NIS2 ICT Resilience
Crisis 02

The Shadow AI Crisis

Credit officers use public LLMs. Ops teams classify documents with ungoverned AI tools. None of it is inventoried, risk-scored, or auditable. Gartner (2025): 60% of financial institutions cannot enumerate their deployed AI models.

For banks already running AI, this is active non-compliance — not a future risk. The EU AI Act high-risk provisions for credit scoring, AML, and KYC are enforceable from December 2027.

EU AI Act Art. 9/14/72 Annex III High-Risk
See How Torexis Solves This →
The Platform

One Platform. Two Planes.
Zero Rewrites.

Process Automation and AI Governance on a single open-source foundation. Legacy systems wrapped via open-standard connectors. No replacement required.

Zero Core systems replaced.
All wrapped.
2 Control planes:
Automation + AI Tower,
one shared audit trail.
Apache 2.0 Licence across full stack.
Forkable. No vendor
dependency ever.
16 wks Fixed-price POC from
first conversation to
production-grade result.

Automation Plane

Deterministic BPMN 2.0 execution at banking scale. Every workflow is auditable, reproducible, and compliant with ECB, EBA, and national competent authority supervisory requirements.

  • BPMN 2.0 (ISO 19510:2013). readable by compliance teams without engineering support
  • Every execution logged: start, completions, routing decisions, overrides. timestamped
  • Historic Process Instance exportable as PDF for regulators in under five seconds
  • DORA granularity: every ICT process step is a durable, timestamped artefact
  • DMN decision tables, case management, and ISO 20022 forms built in

AI Control Tower

Adaptive intelligence under governance. Every model and agent is registered, risk-classified, guardrailed, and monitored. before any production deployment is permitted.

  • Model & Agent Registry: version control, lineage tags, data cards, EU AI Act classification
  • Runtime Guardrails: PII/PHI redaction, prompt firewall, output validators, confidence gates
  • HITL Approval Workflow: BPMN-driven, SLA timers, role-based assignment, digital signature
  • Observability & Evidence Pack: drift detection, SIEM integration, alert manager
  • Sovereign RAG: enterprise knowledge retrieval that never leaves your jurisdiction
Open Foundations

Enterprise-Grade Open Stack
No Vendor Lock-In

Apache 2.0 licence across every layer. Battle-tested in high-availability regulated environments. Deployable entirely inside the bank's perimeter.

Spring Boot
Spring Boot
Powers 60%+ of enterprise Java systems globally. Battle-tested in high-availability regulated environments.
Flowable BPMN
Flowable BPMN
SAP-backed. 50M+ downloads. Production-proven in regulated financial services deployments.
Apache Camel
Apache Camel
20+ years active development. 200+ protocol connectors: HTTP, JDBC, SOAP, REST, SFTP, MQ, FIX.
Eclipse Foundation
Eclipse Dirigible
Open-source low-code runtime with Eclipse Foundation governance and IP stewardship.
Sovereign RAG loading="lazy" />
Sovereign RAG
Vector search, semantic indexing, and LLM inference on infrastructure the bank controls. Zero data egress.
Apache 2.0 LICENCE FULL STACK

Sovereignty by Default

Apache 2.0 licence across the full stack means no sudden licence changes, no vendor extraction, no lock-in at the infrastructure layer. Every component is portable, forkable, and jurisdiction-independent. Eclipse Foundation membership provides governance, IP stewardship, and community transparency that no proprietary vendor can replicate.

On-premises or sovereign cloud deployment
Zero proprietary cloud dependency
EU Cloud Sovereignty Framework v1.2.1 aligned
GDPR Art. 44-49 satisfied by architecture
Forkable by the bank's own engineering team
Incremental adoption. one process at a time
Sovereign Intelligence

Enterprise Knowledge That
Never Leaves Your Jurisdiction

Sovereign RAG (Retrieval Augmented Generation) built entirely on enterprise data. Vector search, semantic indexing, and LLM inference run on infrastructure you control. Zero data egress. by architecture, not by policy.

What It Means

Regulatory documents, credit policy manuals, and AML typologies are ingested, chunked, embedded, and indexed inside the organisation's perimeter. Semantic retrieval provides context to any LLM. whether running locally or on a sovereign cloud instance.

No document leaves the jurisdiction. No query reaches an external endpoint. No inference token travels outside the network perimeter.

Traceability at Every Step

Every RAG answer is traceable to its source document and version. PII guardrails apply at retrieval time. Source citations and lineage references are included with every response. The audit trail is immutable and exportable.

Satisfies EU Cloud Sovereignty Framework v1.2.1 objective SOV-1 and GDPR Art. 44-49 via on-premises deployment.

Use Cases

  • Compliance officer assistant. instant access to regulatory precedents
  • Credit analyst knowledge base. policy manuals and product guides
  • AML typology search. pattern matching across case histories
  • Branch officer product guidance. real-time, always current
  • Contract review and legal research. jurisdiction-contained
  • Internal audit intelligence. query historical decisions and logs
Regulatory Depth

Torexis Maps Directly to
Every Active EU Regulation

Compliance is not a feature layer bolted on top. It is the architecture. Every component is designed from first principles to satisfy regulatory requirements.

Regulation
Status
Torexis Coverage
Key Articles
DORA
Enforcement Live
ICT process resilience, immutable audit trail, incident classification
Art. 6-15, 17
NIS2
Transposed. Most EU States
Supply chain risk, lineage tracking, data provenance from source to decision
Art. 21, 23
EU AI Act
Dec 2027 Enforcement
High-risk classifier, post-market monitoring, Annex IV documentation, HITL gates
Art. 9, 10, 13, 14, 72
GDPR
Active
Data lineage, consent tracking, retention policies, automated lineage propagation, PII redaction
Art. 5(1)(e), 17, 44-49
PSD2
Active
Transaction-anomaly monitoring, fraud audit evidence for supervisory inspection
Art. 97
Banking Use Cases

Regulated Workflows
Running on Torexis

Each of these three use cases is a standalone 16-week POC candidate covering the core EU AI Act high-risk exposure zone.

AI Agent · High-Risk EU AI Act

KYC & Customer Onboarding

KYC Agent ingests identity documents and runs sanctions/PEP screening. Confidence below threshold triggers a BPMN HITL gate: KYC Analyst reviews with full evidence. model output, confidence score, document excerpts.

Confidence ≥ 0.85 → Auto-approve. 0.60 to 0.85 → Human review. Below 0.60 → High-risk escalation.

EU AI Act Annex III Art. 14 HITL DORA Art. 17
AI Agent · PSD2 Compliant

Fraud Detection & AML Triage

Transaction pattern scoring on sovereign data. No PII sent to external endpoints. High-confidence auto-flag triggers temporary hold. Medium-confidence routes to Fraud Operations Analyst with SHAP explanation artefact.

AML Triage monitors real-time feeds. Low-risk cases auto-closed with logged rationale. NIS2 supply-chain lineage traces data provenance from source feed to triage decision.

PSD2 Art. 97 NIS2 DORA Audit Trail
Process Automation · DORA

Loan Servicing

End-to-end in a live BPMN process. Intake, fee calculation via core banking API (Apache Camel), confirmation, credit analyst review, execution, and closure. every step timestamped, every decision attributed to a named role.

Historic Process Instance exportable as PDF for a regulator or internal auditor in under five seconds. DORA granularity enforced at every ICT process step.

DORA Art. 6-15 ISO 19510 ECB/EBA Ready
Case Studies

Regulated Workflows
Running in Production

Two fully-specified banking workflows illustrating what Torexis delivers inside 16 weeks. Both are standalone POC candidates.

Case Study 01

KYC Agent with Mandatory Human Oversight

A KYC AI agent runs inside a BPMN-governed onboarding process. Every decision routes through a confidence gateway. Low-confidence cases go to a human analyst. Every step is logged to an immutable audit store and exportable for regulators in under five seconds.

KYC BPMN process flow diagram showing confidence gateway, HITL routing, and audit trail

KYC onboarding BPMN flow. customer submission through confidence gateway to HITL and audit store

Confidence ≥ 0.85 Auto-approve with full audit trail
0.60 to 0.85 Routes to KYC Analyst with evidence pack
Below 0.60 High-risk escalation path
EU AI Act Art. 14 Human oversight structurally enforced at process level
Annex III Full conformity documentation generated automatically
DORA ICT process steps timestamped and auditable
Case Study 02

Loan Servicing in a Live BPMN Process

Early repayment request received at branch. System Task calls core banking API via Apache Camel. Fee calculation returned and persisted. Credit Operations Analyst reviews and approves. Transaction executes. Every step attributed to a named role with a timestamp. Process instance exported as PDF in under five seconds.

Loan Servicing BPMN process flow diagram - intake, fee calculation, analyst review, execution and audit

Automation Plane. raw data channelled through BPMN structured process flow

Intake Branch officer receives User Task in Process Inbox with identity verification
Fee calculation System Task calls core banking API via Apache Camel connector
Analyst review Credit Operations Analyst approves or returns with captured reason
Execution Transaction executes, ticket closes, officer notified, instance sealed with hash
Audit output PDF exportable in under 5 seconds for regulator or internal auditor
DORA Art. 6-15 Every ICT process step is a durable, timestamped artefact
The Team

Built by Engineers Who
Have Done This Before

A founder-led team with deep roots in regulated-industry enterprise software, AI governance, and open-source engineering.

Iliyan Nenov
Iliyan Nenov
AI & Data Science

Advises Torexis on AI governance, data architecture, and responsible AI strategy for regulated environments. Brings experience in designing auditable technology approaches, governance models, and architecture patterns for enterprise AI adoption.

AI Governance · Enterprise Architecture · Regulated AI
Peter Kirkov
Peter Kirkov
Security & Compliance

Owns the regulatory compliance architecture and security posture of the platform. Translates DORA, NIS2, and EU AI Act requirements into system-level guarantees. not policy documents.

DORA · NIS2 · EU AI Act
Nedelcho Delchev
Nedelcho Delchev
Enterprise Engineering

Open-source guru and enterprise software engineering lead. Eclipse Foundation contributor. Brings deep platform engineering expertise and the community governance credentials that give Torexis's open-source commitment its institutional weight.

Eclipse Foundation · Enterprise Architecture · Platform Development
Engagement Model

From First Conversation
to Production in Sixteen Weeks

No big-bang go-live. No multi-year commitment required at the outset. Every process module is independently deliverable, measurable, and reversible.

Organisations Torexis Is Built For

Torexis is for EU-regulated organisations where process compliance, AI governance, and data sovereignty are operational requirements across any sector. If three or more criteria below apply, it is a qualified conversation.

Holds a regulated licence in an EU/EEA jurisdiction - banking, insurance, telecom, energy/utilities, healthcare, gaming, or public sector - and operates under DORA, NIS2, EU AI Act, or equivalent obligations
Has received or commissioned a regulatory gap assessment with system-level remediation requirements (DORA, NIS2, EU AI Act, Solvency II, BEREC, or sector-specific equivalent)
Has evaluated hyperscaler AI platforms and rejected them on sovereignty, data residency, or contractual lock-in grounds
Runs complex multi-step operational workflows - customer onboarding, claims processing, service provisioning, consent management, or regulatory reporting - that are manual or fragmented across legacy systems
Needs a documented, auditable AI decision trail for regulators or internal risk committees - applicable in financial services, insurance, energy, telecoms, healthcare, public sector, and licensed gaming
Has an IT or transformation team able to engage at architecture level and a mandate to run a time-boxed proof of concept on a live operational problem
Start a Conversation

Bring a Problem That Is
Genuinely Hard

If you have a DORA gap, a stalled AI pilot, or a compliance deadline that feels unmanageable. that is the right starting point. We will respond within one business day.

Your information is processed in accordance with GDPR. We will never share your details with third parties.