EU Fintech Pack
The eu-fintech pack provides a production-ready set of constraints for financial services operating under EU regulation. It covers MiFID II order handling requirements, PSD2 strong customer authentication, GDPR data minimization, and EU AI Act Article 9 obligations.
Apply the pack
```sh
vyb init --pack eu-fintech
```
Regulatory coverage
| Regulation | Coverage |
|---|---|
| MiFID II | Order handling, best execution records, audit trail requirements |
| PSD2 | Strong customer authentication (SCA), open banking API security |
| GDPR | Data minimization, PII logging prohibition, retention annotations |
| EU AI Act | Article 9 (risk management), Article 10 (data quality), Annex III |
| SOC 2 | CC6.1, CC6.7, CC7.1, CC7.2 trust service criteria |
What the pack enforces
Security rules (all at block severity)
| Rule ID | Name | What it catches |
|---|---|---|
| sec-001 | no-eval | eval() and Function() constructor |
| sec-002 | no-hardcoded-secrets | Inline API keys, JWT secrets, passwords |
| sec-003 | no-md5-sha1 | Use of MD5 or SHA-1 for cryptography |
| sec-004 | no-http-external | HTTP (non-TLS) calls to external services |
| sec-005 | require-content-security-policy | Missing CSP header in server responses |
| sec-006 | no-prototype-pollution | __proto__ and constructor.prototype assignments |
Data rules (block severity)
| Rule ID | Name | What it catches |
|---|---|---|
| dat-001 | no-pii-logging | Email, phone, IBAN, SSN in console.log |
| dat-002 | no-raw-pii-store | Storing PII without encryption annotation |
| dat-003 | require-retention-annotation | Data models without @retention JSDoc tag |
| dat-004 | no-client-side-pii-cache | Storing PII in localStorage or sessionStorage |
LLM rules (EU AI Act compliance)
| Rule ID | Name | Severity | What it catches |
|---|---|---|---|
| llm-001 | require-ai-output-schema | warn | AI calls without structured output schema |
| llm-002 | no-raw-ai-dom-output | block | Unsanitized AI output written to DOM |
| llm-003 | require-ai-audit-log | block | AI-generated decisions without audit log |
| llm-004 | no-autonomous-financial-action | block | AI code paths that execute financial actions without human approval |
Dependency rules
| Rule ID | Name | Severity | What it catches |
|---|---|---|---|
| pkg-001 | no-gpl-packages | block | GPL-licensed dependencies |
| pkg-002 | pin-major-versions | warn | Dependencies with ^ or ~ on major version |
| pkg-003 | no-outdated-crypto | block | node-forge < 1.3.0, elliptic < 6.5.4 |
Compliance mappings
The EU Fintech pack maps all block rules to specific regulatory controls. These mappings appear in the Evidence Pack PDF and JSON:
```yaml
# Example of a pack rule with EU AI Act mapping
- id: llm-003
  name: require-ai-audit-log
  severity: block
  pattern: "(openai|anthropic|claude|gpt).*\\.(create|invoke|run)"
  maps-to:
    - framework: eu-ai-act
      control: Art.9.2 # Risk management system
    - framework: eu-ai-act
      control: Art.12.1 # Record-keeping obligations
    - framework: soc2
      control: CC7.2 # System monitoring
```
Customizing the pack
After applying the pack, open .vyb/spec.yaml and adjust for your stack:
```yaml
# These rules come from the pack. You can override any of them:
categories:
  data:
    rules:
      # Pack default: warn. We upgrade to block for our regulated context:
      - id: dat-003
        severity: block
      # Add our own rule on top of the pack:
      - id: dat-010
        name: require-iban-mask
        description: IBANs displayed in UI must be masked
        severity: block
        pattern: "IBAN[0-9]{15,34}"
        remediation: Mask IBANs to show only the last 4 digits in UI.
```
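To make the mapping and override semantics above concrete, here is an added example (not vyb's own code) of a minimal scanner: pack rules are plain objects mirroring the YAML fields, a spec-style override set replaces fields on an existing id or adds a new rule, and every hit is emitted as a finding carrying the rule's mapped controls, as the Evidence Pack JSON does. Only llm-003's pattern and mappings and dat-010's pattern come from the page; the other patterns, the mappings for sec-003 and dat-001, and the sample source lines are assumptions constructed for this example.

```javascript
// Example scanner (not vyb's code). Rules mirror the pack YAML fields; only
// llm-003's pattern and mappings come from the page, the rest are assumed.
const packRules = [
  { id: "sec-003", name: "no-md5-sha1", severity: "block",
    pattern: "createHash\\(['\"](md5|sha1)['\"]\\)", mapsTo: [{ framework: "soc2", control: "CC6.1" }] },
  { id: "dat-001", name: "no-pii-logging", severity: "block",
    pattern: "console\\.log\\(.*(email|iban|phone)", mapsTo: [{ framework: "gdpr", control: "Art.5.1.c" }] },
  { id: "llm-003", name: "require-ai-audit-log", severity: "block",
    pattern: "(openai|anthropic|claude|gpt).*\\.(create|invoke|run)",
    mapsTo: [{ framework: "eu-ai-act", control: "Art.9.2" }, { framework: "eu-ai-act", control: "Art.12.1" },
             { framework: "soc2", control: "CC7.2" }] },
  { id: "pkg-002", name: "pin-major-versions", severity: "warn", pattern: "[\\^~][0-9]+\\.", mapsTo: [] },
];
// Overrides in the shape of .vyb/spec.yaml: an existing id has its fields replaced, a new id adds a rule.
function mergeRules(base, overrides) {
  const byId = new Map(base.map((r) => [r.id, { ...r }]));
  for (const o of overrides) byId.set(o.id, { mapsTo: [], ...byId.get(o.id), ...o });
  return [...byId.values()];
}
// Scan source lines; each (line, rule) hit becomes a finding carrying the rule's mapped controls.
function scan(lines, rules) {
  const findings = [];
  lines.forEach((text, i) => {
    for (const r of rules) {
      if (new RegExp(r.pattern, "i").test(text)) {
        findings.push({ line: i + 1, id: r.id, severity: r.severity,
          controls: r.mapsTo.map((m) => `${m.framework}:${m.control}`) });
      }
    }
  });
  return findings;
}
// Constructed sample source (not from a real project) and a spec-style override set.
const sampleSource = [
  'const h = crypto.createHash("sha1").update(pw).digest("hex");',
  'console.log("user email", user.email);',
  'const r = await openai.chat.completions.create({ model, messages });',
  '"express": "^4.18.2",',
  'label.textContent = "IBAN0000000000000000";',
];
const specOverrides = [
  { id: "pkg-002", severity: "block" }, // pack default warn, upgraded to block
  { id: "dat-010", name: "require-iban-mask", severity: "block", pattern: "IBAN[0-9]{15,34}" },
];
// A check passes only when no block-severity finding remains after overrides are applied.
function runCheck() {
  const findings = scan(sampleSource, mergeRules(packRules, specOverrides));
  const blocking = findings.filter((f) => f.severity === "block");
  return { findings, blocking, passed: blocking.length === 0 };
}
```

Running `runCheck()` yields five findings, all blocking once the pkg-002 upgrade is applied, so the check fails; scanning with `packRules` alone reports pkg-002 at warn.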
Key date reminder
EU AI Act enforcement begins August 2, 2026. The llm-* rules in this pack address the core Article 9 and Article 12 obligations. Every passing vyb check produces a signed Evidence Pack that can be presented to regulators as proof of technical risk management compliance.