GovHorizon Insights

DORA, NIS2, and the AI Act: Why Traditional Compliance is Breaking in Financial Services

pedro.tavares@govhorizon.com (Pedro Tavares) — Tue, 20 Jan 2026 17:00:28 GMT

Regulatory compliance used to be more predictable. Directives came with transposition deadlines. Regulations applied directly. Organizations had frameworks to manage implementation.

Now the system is under stress.

Digital Operational Resilience Act (DORA), a Regulation introduced by the European Union to strengthen the digital resilience of financial entities became enforceable one year ago, applying uniformly through all member States. NIS2, a Directive that establishes a unified legal framework to uphold cybersecurity in 18 critical sectors across the EU is fragmenting: 19 countries received formal warnings in May 2025 for missing the October 2024 deadline. As of January 2026, 8 countries still need to transpose the Directive. Finally, the AI Act adds penalties up to €35 million or 7% of global turnover, phasing in through 2027.

Three major frameworks. Different legal mechanisms. Overlapping enforcement. Each affects how the others apply.

Three Regulations, Three Different Realities

Consider a financial institution expanding to Belgium, Luxembourg, and Ireland:

DORA: Uniform application across all markets
NIS2: Belgium enacted early. Ireland still in process. Luxembourg transposed with jurisdiction-specific variations
AI Act: First deadline hit February 2, 2025. General-purpose AI obligations start August 2, 2025

Different teams track different pieces: compliance monitors national rules, legal analyzes EU directives, IT implements technical requirements, strategy plans expansion. No framework or even system connects these to show: "What are the five regulatory intersections affecting our roadmap over the next 18 months?"

Why Organizations Are Struggling: Five Challenges

Cross-Regulation Dependencies
GDPR affects AI Act compliance. NIS2's 24-hour incident reporting must integrate with DORA's ICT classification criteria.
National Variations
Italy and Slovenia extended NIS2 sector coverage. Belgium added governance requirements. Hungary requires local registration regardless of headquarters.
Timeline Misalignment
DORA: January 2025. NIS2: October 2024 (missed by 19 countries). AI Act: Phased through August 2027.
Siloed Response
Compliance, legal, IT, and strategy operate independently. Each sees part of the picture. No team owns the intersections.
Cascading Requirements
A digital lending platform needs DORA operational resilience, NIS2 cybersecurity, AI Act documentation, and GDPR privacy controls. Miss one, the entire timeline slips.

The Hidden Cost: Strategic Delays

Since GDPR came into force in 2018, organizations faced €1.2 billion in fines. But operational disruption cost more: product launches delayed, expansion plans halted, customer onboarding slowed.

And yet, the pattern is repeating:

DORA: The ECB's 2024 Guide requires exit strategies in place before systems go live, a shift from developing plans during contract implementation. Financial entities must maintain ICT service registers, assess concentration risks regularly, and ensure contracts include audit rights and termination provisions.

NIS2: Scope extends to postal services, chemical sectors, food distribution. Banks can't complete compliance until suppliers in delayed-transposition countries finalize theirs.

AI Act: Phased implementation began February 2, 2025, with penalties up to €35 million or 7% of global turnover for serious violations. High-risk AI systems, including credit scoring and fraud detection, require comprehensive technical documentation, risk assessments, human oversight, and regular monitoring throughout the system's lifecycle.

What Anticipatory Compliance Looks Like

Leading institutions operate differently. They track draft standards months before adoption, identify gaps, and begin remediation early rather than waiting for final publication. Standing committees bring together compliance, IT, legal, risk, and strategy teams to connect regulatory intelligence to quarterly plans. Vendor management becomes strategic: organizations map dependencies against regulatory timelines and assess third-party readiness as part of procurement decisions. Strong strategic, data-driven, and legal monitoring capabilities guide market entry choices.

Institutions prioritize jurisdictions where regulatory frameworks are already in place over markets still resolving transposition uncertainties. When similar legal requirements exist across multiple countries, organizations sequence expansion to minimize compliance friction and accelerate time to market. The AI Act requires lifecycle documentation, so financial entities embed decision logs, risk assessments, and testing results in development workflows from inception rather than treating them as checklists before launch.

Three Strategic Opportunities

Operational Resilience as Differentiator
DORA enables uptime SLAs competitors can't match. Process transactions during incidents that disable others.
Cybersecurity as Partnership Enabler
41% of non-NIS2 entities face compliance requests from partners. Strong posture creates B2B opportunities.
Ethical AI as Trust Driver
Exceeding AI Act minimums builds trust that translates to customer acquisition, retention, and premium pricing for "ethical AI" products.

Questions for Leadership

Financial institutions have compliance teams, legal counsel, IT departments, and strategy groups. What's missing is the layer connecting these before intersections become collisions.

Regulatory Intersection Visibility
Can leadership see how DORA, NIS2, and AI Act affect roadmaps differently across jurisdictions?
Cross-Functional Coordination
Do teams meet regularly to map regulatory changes to business initiatives before decisions lock in?
Vendor Regulatory Readiness
Are providers assessed for compliance during selection—or discovered after contracts are signed?
Jurisdiction Intelligence
Is market entry informed by implementation status, or proceeding without considering transposition progress?
Scenario Planning
Are decisions tested against multiple regulatory futures visible in consultation documents?

As of January 2026, financial institutions face the most complex regulatory environment the sector has seen. DORA is enforceable. NIS2 is fragmenting across 27 member states. The AI Act is phasing in with billion-euro fines. Each regulation changes how the others apply.

Organizations that can anticipate intersections and turn cascading requirements into competitive positioning aren't waiting for regulations to arrive. They're already three quarters ahead.

SVB and Credit Suisse: What Risk Models Missed in 2023

Luis Pinto — Tue, 21 Oct 2025 11:55:44 GMT

March 2023: The Failure Nobody Saw Coming

Silicon Valley Bank collapsed in 48 hours. Three days later, Signature Bank followed. Credit Suisse, a 167-year-old institution, one of the world’s largest 30 banks with assets exceeding $500 billion, was emergency-sold to UBS the same month by $3.25B. The damage impacted regulation and Swiss reputation.

The financial world called it a shock. But the IMF had been publishing warnings that bank capital buffers 'could not be enough for some banks if financial conditions tightened sharply. Political sentiment on bank regulation had visibly shifted five years earlier. Central banks had clearly signaled the rate hiking cycle was coming. Geopolitical fragmentation was reshaping capital flows. Every major multilateral organization was flagging the same systemic vulnerabilities.

The signals were there, the data was there. But monitoring failed.

What They Were Watching

SVB's internal models tracked capital ratios, liquidity buffers, and asset-liability matching. The Fed noted that “When interest rates started to rise, SVB did not consider the early signs of market risk, removed its hedges, and had significant unrealized losses on its held-to-maturity investment securities.”

Credit Suisse had 108 on-site supervisory reviews between 2018-2022, with 382 flagged issues. Their risk management frameworks looked comprehensive on paper.

Both banks had extensive compliance programs, stress testing, and risk committees. The internal machinery was running, but, it's possible to manage something so big without failing some red flags?

What They Missed

In 2018, the U.S. Congress passed the Economic Growth, Regulatory Relief, and Consumer Protection Act, raising the threshold for enhanced regulatory oversight from $50 billion to $250 billion in assets. SVB had $209 billion. US regulators could treat midsize banks with a lighter approach.

SVB's CEO had personally lobbied for the rollback. Banks celebrated the deregulation. This wasn't technical banking regulation. This was political economy.

Meanwhile, the macro environment was transforming. Five months before the collapse, the IMF's October 2022 report explicitly warned that 'a sudden, disorderly tightening in financial conditions may interact with preexisting vulnerabilities' and that despite high capital levels, stress tests showed bank buffers might be insufficient.

At the same time geopolitical fragmentation was accelerating, particularly the war in Ukraine with strong impact in many areas.

These weren't inside technical risks. These were strategic-level shifts reshaping the entire operating environment, and it wasn’t a one day change, nor a one week change. But when there are so many external variables, all of them interconnected, something will eventually fail in our eyes.

The Intelligence Gap

Banks spend heavily on quantitative risk modeling. They have chief risk officers, model validation teams, and sophisticated stress testing. But there is still lacking strategic intelligence infrastructure.

Consider some risk functions that financial institutions should be tracking these last years:

Regulatory Sentiment Shifts: The 2018 deregulation wasn't just about rule changes. It represented a political consensus that midsize banks deserved lighter oversight. When President Biden blamed the rollback for SVB's failure in March 2023, it signaled an imminent reversal. Banks monitoring political sentiment would have seen this coming and adjusted their risk posture accordingly.

Macro Regime Changes: The World Bank warned that countries facing high financial sector risks often lack adequate crisis management frameworks. The IMF's October 2023 stress tests showed many banks in advanced economies faced significant potential capital losses from securities marking and loan provisioning. This wasn't speculation - it was published analysis from multilateral institutions.

Geopolitical Fragmentation: Research from the ECB showed that geopolitical risk materializes through multiple channels - reduced economic activity, surging inflation, increased sovereign risk, and shifts in capital flows. Banks with significant cross-border operations or sector concentrations needed scenario planning around fragmentation, not just interest rate curves.

Emerging Risk Signals: In January 2024, the World Economic Forum's risk survey showed financial sector risks had dropped to the bottom of global concerns despite the March crisis. This complacency was itself a red flag that vulnerabilities were being ignored.

None of this required proprietary data or advanced quantitative methods. It required systematic monitoring of regulatory developments, geopolitical analysis, and interpretation of multilateral institution research.

Five Strategic Blind Spots

Regulatory Environment as Lagging Indicator

Banks treat regulation as fixed constraints. They monitor rule changes but miss the political dynamics that determine enforcement intensity.

The 2018 rollback created implicit permission for lighter supervision.

Strategic intelligence tracks not just what regulators can do, but what political environment makes them willing to do it.

Geopolitical Risk as Exogenous Shock

Most banks include geopolitical scenarios in stress tests but treat them as tail risks - low probability events to check a box.

The IMF's analysis showed geopolitical tensions directly affect bank funding costs, profitability, and credit provision. ECB research found heightened geopolitical risk has been associated with lower bank capitalization throughout the past century.

These aren't shocks. They're structural forces that need continuous assessment, not annual scenario exercises.

Macro Transitions Modeled in Isolation

SVB missed the policy regime shift - from a decade of near-zero rates to aggressive tightening to combat inflation spikes caused partly by geopolitical disruption (Ukraine war's impact on energy and food prices).

Banks model rate scenarios but don't systematically monitor the forces driving rate decisions - inflation sources, geopolitical supply shocks, political pressure on central banks.

Multilateral Research as Academic Exercise

The IMF, World Bank, BIS, OECD and many other multilateral organizations publish extensive financial stability analysis. But the capacity to absorb and integrate all that information is still reduced. There is never enough people or agile processes that can identify these threats.

Foresight Treated as Speculation

Credit Suisse's failures (Greensill, Archegos) showed a pattern: weak governance combined with inadequate strategic oversight. Swiss Financial Market Supervisory Authority (FINMA) post-crisis report noted repeated management errors and culture problems eroded client confidence years before collapse.

Forward-looking scenario planning could have identified the trajectory. But banks compartmentalize "foresight" as soft skill planning exercises rather than systematic early warning.

A Different Kind of Blindness

Better stress tests won't solve this. Neither will more sophisticated models.

SVB's interest rate exposure was particularly catastrophic not because their models failed, but because the context changed - regulatory oversight had weakened, depositor concentration had increased, and the macro regime had shifted. The vulnerability existed in their models. What they missed was whether it mattered.

Banks have no systematic way to track these contextual shifts. What's missing is strategic intelligence monitoring:

Regulatory and political sentiment shifts across jurisdictions

Geopolitical developments and their financial transmission channels

Macro regime changes and their second-order effects

Multilateral institution research and risk assessments

Cross-domain pattern recognition (how political, economic, and geopolitical forces interact)

This isn't risk management. It's strategic context - the layer above technical risk functions that helps institutions understand which risks matter and why.

But the real edge comes from monitoring the external environment that determines whether internal vulnerabilities matter. SVB's interest rate exposure was particularly catastrophic because regulatory oversight had weakened and depositor concentration had increased while the macro policy regime shifted dramatically.

The $50 Billion Lesson

The 2023 bank failures had multiple causes - poor governance, concentrated risks, inadequate oversight. But they also revealed something else: strategic blindness.

Institutions were optimized for yesterday's environment while missing clear signals about tomorrow's. The IMF published warnings. Political winds shifted visibly. Geopolitical fragmentation was documented. The information was public. Yet these banks weren't systematically tracking it.

The variables existed; they showed values that, on their own, might not have been a problem at short therm. But nothing is isolated in today’s world. And the combination of factores that were created, when brought together, resulted in a catastrophic outcome.

In today's information overload, there was no infrastructure to convert external intelligence into strategic foresight. They have excellent models for what they're watching. They have no systematic process for discovering what they should be watching.

That's one critical gap.

Planning for the Future: Why Public Institutions Must Embrace Foresight Now

pedro.tavares@govhorizon.com (Pedro Tavares) — Wed, 06 Aug 2025 16:17:32 GMT

In March 2021, a massive container ship—the Ever Given—blocked the Suez Canal for six days. It was a single, unexpected incident that cost the global economy an estimated $60 billion. The lesson? What once seemed improbable can quickly become reality, revealing how vulnerable today’s systems really are. And more importantly, how unprepared governments and institutions often remain.

Today, we face the most geopolitically unstable decade since the Cold War. In just five years, we’ve experienced a global pandemic, war returning to Europe, heightened tensions in the Middle East, and growing rivalry between global economic powers. Meanwhile, societal and technological shifts are happening faster than many governments can track, let alone manage.

In this context, strategic foresight is no longer a luxury—it’s a necessity.

When Decisions Come Too Late
The modern state wasn’t built for this level of uncertainty. Institutions still operate as if the world moves in predictable increments. But today, an energy crisis can be triggered by a single threat to the Strait of Hormuz, and artificial intelligence can transform industries in mere months.

Governments still plan in silos. They rarely use structured scenario-building, risk assessment, or impact evaluation across sectors. The result is policy-making that reacts to crises rather than preparing for them.

This isn’t unique to the public sector. European carmakers hesitated on the energy transition. Meanwhile, China invested early in battery tech, design talent, and AI. Today, Chinese manufacturers are not just competing in Europe—they’re leading.

The same applies to artificial intelligence: the chips are American, the talent is increasingly Chinese, and Europe is struggling to scale its investment.

The Case for Institutionalized Foresight
Strategic foresight and scenario planning need to become standard tools—not afterthoughts. Some countries are already showing the way:

Finland has a Parliamentary Committee for the Future.
Singapore applies alternative scenarios in policy decision-making.
The UK has created permanent horizon-scanning teams within government.

The OECD’s 2024 framework explicitly calls for a shift toward “anticipatory governance.” This means more than creating planning teams—it requires embedding foresight into every policy cycle, from design to implementation.

Artificial intelligence can further enhance this effort by helping governments process more data, from more sources, more quickly—if the right capacities are in place.

A Call to Action: Build Now What You’ll Need Tomorrow
In an era when change outruns institutional response, short-term political cycles are not enough to secure long-term public value. Public sector organizations must move from reactive crisis management to structured anticipation.

This means:

Investing in foresight skills and tools;
Creating governance frameworks that allow early action;
Embedding scenario thinking into budgeting, planning, and evaluation;
Empowering teams to challenge assumptions and model disruptions;
Using AI responsibly to scale anticipatory intelligence.

The goal isn’t to predict the future. It’s to be ready for several possible ones—and act before choices become trade-offs.

As Harold Macmillan, former UK Prime-Minister once said, when asked what most challenges governments: “Events, dear boy, events.”