What is TGRAF?
TGRAF stands for the Technology and Information Risk Assessment Framework — VARA's technology-governance rulebook for licensed VASPs. TGRAF defines the technology architecture, cyber-security, business-continuity, data-governance, third-party-risk and operational-resilience expectations that every VARA-licensed firm must operate to. Annual independent technology audits are mandatory.
What does TGRAF cover?
TGRAF prescribes operational requirements across multiple technology domains:
- Technology architecture and design — secure, resilient, auditable systems.
- Cybersecurity controls — access management, encryption, intrusion detection, incident response.
- Business continuity and disaster recovery — documented plans, tested annually.
- Data governance — classification, retention, integrity, privacy.
- Third-party risk management — vendor due-diligence, ongoing monitoring, exit strategies.
- Operational resilience — capacity, performance, change-management, audit trail.
- Wallet and key management — segregation, multi-signature, hot/cold architecture.
What is the annual TGRAF audit?
VARA-licensed VASPs must engage an independent qualified auditor to conduct a comprehensive technology audit annually. The audit covers the full TGRAF framework, with findings reported to VARA. The audit is not a tick-box exercise — weaknesses identified must be remediated and tracked through to VARA supervisory dialogue.
What's the practical impact?
TGRAF compliance is materially more demanding than the technology-governance regime applicable to most non-VARA fintech firms. Common preparation work for prospective licensees includes: documenting all technology systems and their dependencies; building incident-response and business-continuity (BCP) frameworks; pursuing cybersecurity certifications (ISO 27001 is common); establishing wallet-architecture documentation; and preparing the third-party-risk register.
How does TGRAF interact with other VARA rulebooks?
TGRAF is one of several VARA rulebooks (Compliance & Risk, Market Conduct, Custody Services, etc.). The rulebooks operate together — TGRAF specifies the technology layer that supports operational compliance with the activity-specific rulebooks. A custody licensee, for example, must satisfy the Custody Services Rulebook substantively and operate it on technology that satisfies TGRAF.