
TGRAF readiness scorecard.

Twenty questions across technology architecture, cybersecurity, wallet management, BCP and third-party risk give an indicative readiness score against VARA's Technology & Information Risk Assessment Framework. Anything below 70 needs material work before VARA submission.

Answer the 20 questions below honestly.

Technology Architecture

Documented technology architecture diagram covering all systems, dependencies and data flows
Cloud / on-prem strategy formally documented with redundancy provisions
Change-management process with approval gates and rollback procedures
Capacity-planning framework against forecast transaction volumes

Cybersecurity

ISO 27001 / SOC 2 / equivalent certification (current)
Penetration testing performed at least annually by independent provider
Multi-factor authentication enforced for all admin and customer access
Encryption at rest and in transit for all customer and operational data
Incident-response plan documented and tested at least annually

Wallet / Key Management (if applicable)

Hot wallet / cold wallet segregation policy documented and enforced
Multi-signature governance for all hot-wallet movements above threshold
Hardware security module (HSM) or qualified custody provider for private keys
Customer-asset segregation from operational treasury at the blockchain level

BCP / Operational Resilience

Business continuity plan documented; tested at least annually
Defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
Geographic redundancy in critical systems

Third-Party Risk & Audit

Third-party vendor register with risk classifications
Due-diligence framework for new vendors; ongoing monitoring
Annual independent technology audit framework engaged
Internal audit function with technology coverage

Your TGRAF readiness score (out of 100)

About the TGRAF framework.

VARA's Technology & Information Risk Assessment Framework is the technology-governance backbone for licensed VASPs. It covers technology architecture, cybersecurity, business continuity, data governance, third-party risk and operational resilience.

Independent technology audits are mandatory annually. Material gaps identified must be remediated and tracked through VARA supervisory dialogue.

This scorecard is indicative only. Real TGRAF compliance assessment requires reviewing documentation, systems and audit evidence. Engage Neo Legal's VARA Supervision team for a full assessment.
