The resilience pipeline reversed
A forward read of the operational-resilience rules that aren’t in force yet. The short version: in 2025 the US federal track pulled back — while the EU, UK and Canada moved supervision onto firms’ critical vendors. For a cross-border operator, the pressure now arrives from the outside in.
If you only tracked Washington, you’d conclude operational-resilience regulation is stalling. That read is half right and wholly misleading. The two biggest US federal proposals were abandoned in 2025 — but over the same window Europe, the UK and Canada kept moving, and they moved in the same direction: toward the firms’ critical third parties. Here is where the pipeline actually sits, and what it means if you have to absorb it.
Where the pipeline actually sits
The critical third party is becoming the unit of supervision
For two decades, regulators supervised the regulated firm and told it to manage its vendors. That is changing. Under DORA, European supervisors now designate “critical ICT third-party providers” — the first list of 19, published in November 2025, reaches the large cloud and infrastructure names — and oversee them directly, with inspections beginning in 2026. The UK built the same power from scratch: its Critical Third Parties regime took effect in January 2025, letting the regulators (and HM Treasury) reach the supplier itself. Canada’s OSFI E-21 and B-10 push the same expectation through third-party and dependency mapping. The common thread is not a shared text; it is a shared conclusion — that a handful of shared suppliers have become single points of failure for the whole system, and supervising the banks one at a time no longer covers the risk.
The US federal track reversed — and the vacuum filled from outside
This is the genuine surprise, and it cuts against the “regulation only ever ratchets up” instinct. Under a deregulatory posture, the CFTC withdrew its Operational Resilience Framework for futures and swap firms in September 2025, and the SEC withdrew fourteen proposals in June 2025 — among them the adviser and fund cybersecurity rule, the Reg SCI expansion, and the outsourcing rule. So the near-term US federal resilience pipeline is, candidly, thin. But the exposure did not vanish; it relocated. It moved to the states — California’s CPPA cyber-audit and risk-assessment rules phase in from 2026, New York’s DFS regime is fully in force — and it moved offshore: a US manager with EU clients is inside DORA, and a US cloud or technology provider big enough to matter can be designated under the UK or EU third-party regimes regardless of where it is domiciled. For US operators, the operative rules increasingly aren’t written in Washington.
Incident-reporting clocks are multiplying — and now cover your vendors
The most concrete near-term burden is reporting. The deadlines don’t agree with each other — DORA runs a staged major-incident report, the SEC’s Reg S-P adds a customer-breach notification, and the EU’s Cyber Resilience Act adds actively-exploited-vulnerability reporting from September 2026 — and the UK’s new regime, final in 2026 and in force March 2027, goes a step further: a single standardised operational-incident report and a register of “material third-party arrangements” that firms must maintain and file. The direction is unmistakable: regulators want to see incidents faster, in a common format, and they increasingly want to know which suppliers sit behind them.
AI came through the resilience door — on a slipping timeline
AI is not arriving as a standalone regime so much as riding the cyber and resilience rails already in place: model logging, robustness, human oversight and incident reporting. The notable 2026 development is that even Europe blinked on timing — the Digital Omnibus, agreed in mid-2026, deferred the AI Act’s high-risk obligations from August 2026 to December 2027 (the transparency duties still land in August 2026). California’s automated-decision rules, by contrast, phase in from 2027. The lesson for operators is not to chase each date but to note that AI governance is being folded into the same evidence file — controls, testing, logging, incident response — that resilience already demands.
The pipeline, dated
| Date | Where | Instrument | What it changes | Status |
|---|---|---|---|---|
| Jan 2025 | EU | DORA — full application | Direct EU oversight of financial firms' ICT risk, incident reporting and third-party arrangements | In force |
| Jan 2025 | UK | Critical Third Parties regime (PS24/16) | Regulators can designate & directly oversee critical suppliers (e.g. major cloud) | In force |
| Jun 2025 | US | SEC withdraws 14 proposals | Adviser/fund cybersecurity, Reg SCI expansion and outsourcing rules pulled | Withdrawn |
| Sep 2025 | US | CFTC withdraws Operational Resilience Framework | The US futures/swaps resilience rule abandoned before finalisation | Withdrawn |
| Nov 2025 | EU | DORA — first critical ICT providers designated | 19 providers named; oversight inspections begin 2026 | In force |
| Jan 2026 | US-state | California CPPA rules effective | Cyber audits, risk assessments and automated-decision rules (phased 2026-2028) | In force, phasing |
| Jun 2026 | US | SEC Reg S-P — smaller advisers comply | Incident-response program + service-provider breach notification | In force |
| Sep 2026 | CA | OSFI E-21 — full adherence | Critical operations, disruption tolerances, dependency mapping (testing 2027) | Upcoming |
| Sep 2026 | EU | Cyber Resilience Act — reporting | Actively-exploited-vulnerability & incident reporting for connected products | Upcoming |
| Mar 2027 | UK | Operational incident & third-party reporting (PS26/2) | Single incident report + a register of material third-party arrangements | Final, not yet in force |
| Dec 2027 | EU | AI Act — high-risk obligations | Deferred from Aug 2026 by the 2026 Digital Omnibus; logging, robustness, oversight | Deferred |
- Forward-looking dates move. Several items here are scheduled, not yet in force, and effective dates can shift — the EU AI Act’s 16-month deferral in 2026 is the cautionary example. Confirm the current date against the primary source before you act.
- Status ≠ reach. A withdrawn US proposal (CFTC, SEC) does not mean a US firm is unaffected — DORA, the UK CTP regime and US state rules can still bind it directly or through its vendors.
- This is an operator’s outlook, not legal advice. Applicability is entity- and activity-specific; a private-fund adviser, a bank and a cloud provider each pick up a different subset. Take the specifics to counsel.
- Scope. This note covers operational resilience, third-party risk and resilience-relevant cyber/AI — not the full compliance waterfront.