← Back to W² Advisory
Field Notes · Financial Services

The resilience pipeline reversed

A forward read of the operational-resilience rules that aren’t in force yet. The short version: in 2025 the US federal track pulled back — while the EU, UK and Canada moved supervision onto firms’ critical vendors. For a cross-border operator, the pressure now arrives from the outside in.

If you only tracked Washington, you’d conclude operational-resilience regulation is stalling. That read is half right and wholly misleading. The two biggest US federal proposals were abandoned in 2025 — but over the same window Europe, the UK and Canada kept moving, and they moved in the same direction: toward the firms’ critical third parties. Here is where the pipeline actually sits, and what it means if you have to absorb it.

The pipeline didn’t disappear — it moved. In 2025 the CFTC withdrew its Operational Resilience Framework and the SEC pulled fourteen proposals, including its adviser cybersecurity, Reg SCI and outsourcing rules. In the same window, DORA went live and named its first critical ICT providers, the UK stood up a Critical Third Parties regime, Canada’s OSFI set a September 2026 resilience deadline, and the EU AI Act’s high-risk clock — though slipped to December 2027 — kept ticking. The unit of supervision is shifting from the regulated firm to its suppliers, and for US operators the binding pressure now comes through the states and through Europe’s extraterritorial reach.

Where the pipeline actually sits

Operational-resilience milestones, 2025–2027. Hollow markers (○) are withdrawn US proposals; filled markers are in force or scheduled. Colour = jurisdiction.
202520262027TODAYDORA in forceJan 2025UK CTP regimeJan 2025×SEC pulls 14 rules ⟲Jun 2025×CFTC pulls ORF ⟲Sep 2025DORA CTPPs namedNov 2025CA CPPA rulesJan 2026SEC Reg S-PJun 2026EU CRA reportingSep 2026OSFI E-21Sep 2026UK incident + 3PMar 2027EU AI Act high-riskDec 2027○ = withdrawn / reversed    ● = in force or scheduledEUUKCanadaUS federalUS state

The critical third party is becoming the unit of supervision

For two decades, regulators supervised the regulated firm and told it to manage its vendors. That is changing. Under DORA, European supervisors now designate “critical ICT third-party providers” — the first list of 19, published in November 2025, reaches the large cloud and infrastructure names — and oversee them directly, with inspections beginning in 2026. The UK built the same power from scratch: its Critical Third Parties regime took effect in January 2025, letting the regulators (and HM Treasury) reach the supplier itself. Canada’s OSFI E-21 and B-10 push the same expectation through third-party and dependency mapping. The common thread is not a shared text; it is a shared conclusion — that a handful of shared suppliers have become single points of failure for the whole system, and supervising the banks one at a time no longer covers the risk.

The US federal track reversed — and the vacuum filled from outside

This is the genuine surprise, and it cuts against the “regulation only ever ratchets up” instinct. Under a deregulatory posture, the CFTC withdrew its Operational Resilience Framework for futures and swap firms in September 2025, and the SEC withdrew fourteen proposals in June 2025 — among them the adviser and fund cybersecurity rule, the Reg SCI expansion, and the outsourcing rule. So the near-term US federal resilience pipeline is, candidly, thin. But the exposure did not vanish; it relocated. It moved to the states — California’s CPPA cyber-audit and risk-assessment rules phase in from 2026, New York’s DFS regime is fully in force — and it moved offshore: a US manager with EU clients is inside DORA, and a US cloud or technology provider big enough to matter can be designated under the UK or EU third-party regimes regardless of where it is domiciled. For US operators, the operative rules increasingly aren’t written in Washington.

Incident-reporting clocks are multiplying — and now cover your vendors

The most concrete near-term burden is reporting. The deadlines don’t agree with each other — DORA runs a staged major-incident report, the SEC’s Reg S-P adds a customer-breach notification, and the EU’s Cyber Resilience Act adds actively-exploited-vulnerability reporting from September 2026 — and the UK’s new regime, final in 2026 and in force March 2027, goes a step further: a single standardised operational-incident report and a register of “material third-party arrangements” that firms must maintain and file. The direction is unmistakable: regulators want to see incidents faster, in a common format, and they increasingly want to know which suppliers sit behind them.

AI came through the resilience door — on a slipping timeline

AI is not arriving as a standalone regime so much as riding the cyber and resilience rails already in place: model logging, robustness, human oversight and incident reporting. The notable 2026 development is that even Europe blinked on timing — the Digital Omnibus, agreed in mid-2026, deferred the AI Act’s high-risk obligations from August 2026 to December 2027 (the transparency duties still land in August 2026). California’s automated-decision rules, by contrast, phase in from 2027. The lesson for operators is not to chase each date but to note that AI governance is being folded into the same evidence file — controls, testing, logging, incident response — that resilience already demands.

The pipeline, dated

Key operational-resilience milestones and what each one actually changes. Dates are the effective/compliance dates, not the publication dates.
DateWhereInstrumentWhat it changesStatus
Jan 2025EUDORA — full applicationDirect EU oversight of financial firms' ICT risk, incident reporting and third-party arrangementsIn force
Jan 2025UKCritical Third Parties regime (PS24/16)Regulators can designate & directly oversee critical suppliers (e.g. major cloud)In force
Jun 2025USSEC withdraws 14 proposalsAdviser/fund cybersecurity, Reg SCI expansion and outsourcing rules pulledWithdrawn
Sep 2025USCFTC withdraws Operational Resilience FrameworkThe US futures/swaps resilience rule abandoned before finalisationWithdrawn
Nov 2025EUDORA — first critical ICT providers designated19 providers named; oversight inspections begin 2026In force
Jan 2026US-stateCalifornia CPPA rules effectiveCyber audits, risk assessments and automated-decision rules (phased 2026-2028)In force, phasing
Jun 2026USSEC Reg S-P — smaller advisers complyIncident-response program + service-provider breach notificationIn force
Sep 2026CAOSFI E-21 — full adherenceCritical operations, disruption tolerances, dependency mapping (testing 2027)Upcoming
Sep 2026EUCyber Resilience Act — reportingActively-exploited-vulnerability & incident reporting for connected productsUpcoming
Mar 2027UKOperational incident & third-party reporting (PS26/2)Single incident report + a register of material third-party arrangementsFinal, not yet in force
Dec 2027EUAI Act — high-risk obligationsDeferred from Aug 2026 by the 2026 Digital Omnibus; logging, robustness, oversightDeferred
Read these caveats before using this.
  • Forward-looking dates move. Several items here are scheduled, not yet in force, and effective dates can shift — the EU AI Act’s 16-month deferral in 2026 is the cautionary example. Confirm the current date against the primary source before you act.
  • Status ≠ reach. A withdrawn US proposal (CFTC, SEC) does not mean a US firm is unaffected — DORA, the UK CTP regime and US state rules can still bind it directly or through its vendors.
  • This is an operator’s outlook, not legal advice. Applicability is entity- and activity-specific; a private-fund adviser, a bank and a cloud provider each pick up a different subset. Take the specifics to counsel.
  • Scope. This note covers operational resilience, third-party risk and resilience-relevant cyber/AI — not the full compliance waterfront.
What this means for operators

Build for the regime that reaches you first

Facing a resilience or third-party-risk build?

WSquare Advisory builds the operating capability growing firms don’t yet have — the continuity, vendor-oversight and incident-response disciplines these regimes increasingly expect. If that’s the work in front of you, let’s talk.

Start a Conversation →