⏱ 6 min read
Recommended Reading
Executive summary
Regulated industries require demonstrable control over data flows and operational resilience. DORA establishes EU rules on digital operational resilience for financial entities, raising scrutiny on ICT risk governance and evidence. ARB governance with Sparx EA
Kafka governance in these contexts must support auditability, retention policy justification, access controls, and lineage. W3C PROV and OpenLineage provide provenance/lineage models that can help standardize evidence capture about data movement. ArchiMate modeling standards
- Evidence needs: audit trails, change history, retention proofs
Kafka as a natural audit platform
Kafka's append-only log architecture makes it a natural fit for regulated environments — every event is immutable, timestamped, and sequenced. But "natural fit" does not mean "compliant by default." Specific configuration and governance are required. Sparx EA governance best practices
Immutability: Kafka's log is append-only by design. Messages cannot be modified or deleted (unless topic compaction or retention policies remove them). For audit purposes, this means the event stream is a tamper-evident record of everything that happened. Configure retention to meet regulatory requirements: GDPR (6 years for financial data), MiFID II (5 years for transaction records), healthcare (varies by jurisdiction, often 10+ years).
Audit trail: Every event carries metadata: producer timestamp, producer identity (via mTLS or SASL), topic, partition, and offset. Consumer offsets track who read what and when. Together, these create a complete audit trail: who produced the event, when, and who consumed it.
Compliance controls: Encryption at rest (AES-256) protects stored events. Encryption in transit (TLS 1.3) protects flowing events. ACL-based access control restricts which services can produce or consume from which topics. These must be configured explicitly — Kafka ships with security disabled by default.
GDPR right-to-erasure challenge: Kafka's immutability conflicts with GDPR's right to erasure. The standard approach: use log compaction with tombstone records. When a deletion is requested, produce a tombstone (null value) for the customer's key. After compaction, the original events are removed. Alternatively, encrypt events with per-customer keys and destroy the key upon deletion request (crypto-shredding).
# Kafka retention for regulatory compliance
# Set per-topic based on regulation requirements
kafka-configs --alter --topic payments.authorized --add-config retention.ms=189216000000 # 6 years (GDPR financial)
kafka-configs --alter --topic trading.executions --add-config retention.ms=157680000000 # 5 years (MiFID II)The regulated data lifecycle in Kafka
Regulated industries must manage the complete lifecycle of data flowing through Kafka, from ingestion to purging. Each stage has specific compliance requirements that the platform team must configure and the architecture team must govern.
Ingest (encrypt in transit): All data entering Kafka must be encrypted in transit using TLS 1.2 or higher. Mutual TLS (mTLS) provides both encryption and producer authentication — the cluster knows which service produced each event. Configure ssl.client.auth=required on brokers. This satisfies encryption-in-transit requirements for GDPR, PCI-DSS, and DORA.
Store (encrypt at rest): Data stored on broker disks must be encrypted at rest. Kafka supports native encryption at rest (since version 3.0) or filesystem-level encryption (dm-crypt, LUKS). For highly sensitive data (payment card numbers, health records), consider field-level encryption where the Kafka broker never sees the plaintext — only the producing and consuming applications hold the encryption keys.
Process (ACL-controlled): Every producer and consumer must authenticate and be authorized. Kafka ACLs define which service accounts can produce to which topics and which can consume. Map ACLs to Active Directory groups for centralized identity management. Log all ACL changes for audit. Review ACLs quarterly to revoke access for decommissioned services.
Retain (regulatory period): Retention periods must match regulatory requirements. Financial transactions: 5-7 years (MiFID II, SOX). Health records: 10+ years (HIPAA varies by state). Payment card data: minimize retention (PCI-DSS principle of data minimization). Configure per-topic retention: retention.ms for time-based, retention.bytes for size-based, or both. Document the regulatory basis for each topic's retention in the architecture repository.
Purge (crypto-shredding): When data must be deleted (GDPR right to erasure, customer account closure), Kafka's append-only architecture creates a challenge. Two approaches: log compaction with tombstone records (produce a null-value message for the key, which compaction removes permanently), or crypto-shredding (encrypt events with per-entity keys and destroy the key when deletion is required — the encrypted data becomes permanently unreadable without the key). Document which approach applies to each topic in the architecture repository.
Audit evidence automation
Regulators require evidence, not promises. Automate evidence generation for each compliance control. Encryption in transit: export TLS configuration and certificate inventory monthly. Access control: export ACL configurations and access logs weekly. Retention compliance: script that verifies each topic's retention setting matches the documented requirement. Schema governance: export Schema Registry compatibility settings and change history. Store evidence in the architecture repository, linked to the regulatory requirements they satisfy. When the auditor visits, evidence generation takes minutes, not weeks.
DORA compliance and Kafka
The Digital Operational Resilience Act (DORA) introduces specific requirements for financial institutions' ICT systems, including event-driven platforms like Kafka. integration architecture diagram
ICT risk management (Article 6): Kafka clusters must be included in the organization's ICT risk register. Model each cluster as a Technology Service in ArchiMate with risk assessment tagged values: Risk_Level, Threat_Scenarios, Mitigation_Controls. The architecture repository must show which business processes depend on Kafka — if the cluster fails, which business functions are affected?
Digital operational resilience testing (Article 26): Kafka's disaster recovery capability must be tested annually. Document the DR architecture: cross-region replication using MirrorMaker 2, failover procedures, and Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for each topic tier. Test results are stored as evidence in the architecture repository.
Third-party ICT risk (Article 28): If using managed Kafka (Confluent Cloud, AWS MSK), the vendor is a critical ICT third-party provider subject to DORA oversight. Document the vendor dependency in the architecture repository, including contractual SLAs, exit strategy, and data portability plan.
If you'd like hands-on training tailored to your team (Sparx Enterprise Architect, ArchiMate, TOGAF, BPMN, SysML, Apache Kafka, or the Archi tool), you can reach us via our contact page.
Frequently Asked Questions
What is enterprise architecture?
Enterprise architecture is a discipline that aligns an organisation's strategy, business operations, information systems, and technology infrastructure. It provides a structured framework for understanding how an enterprise works today, where it needs to go, and how to manage the transition.
How is ArchiMate used in enterprise architecture practice?
ArchiMate is used as the standard modeling language in enterprise architecture practice. It enables architects to create consistent, layered models covering business capabilities, application services, data flows, and technology infrastructure — all traceable from strategic goals to implementation.
What tools are used for enterprise architecture modeling?
Common enterprise architecture modeling tools include Sparx Enterprise Architect (Sparx EA), Archi, BiZZdesign Enterprise Studio, LeanIX, and Orbus iServer. Sparx EA is widely used for its ArchiMate, UML, BPMN and SysML support combined with powerful automation and scripting capabilities.