← Back to W² Advisory
Field Notes · Transatlantic · COO to COO

One rulebook, four accents

The United States, European Union, United Kingdom and Canada all regulate operational resilience in financial services — and they all reach for the same eight principles. But each encodes them differently, and each leaves a different operational risk on your desk. The capability is one; the way you must prove it — and where you can get hurt — is four.

Our companion note showed finance, healthcare and infrastructure converging on the same resilience principles. This one asks the transatlantic question within the same sector — financial services: do the four jurisdictions regulate resilience the same way? We mapped 508 in-force financial-resilience obligations — United States (237), European Union (86), United Kingdom (125), Canada (60) — onto one eight-principle framework. Finance is deliberate: it is the only sector with a mature, in-force resilience regime in all four jurisdictions, so the comparison is like-for-like. The principles are shared. What diverges is how each jurisdiction encodes, weights and enforces them — and that divergence tells a cross-border operator exactly where the effort, and the risk, will land.

A note on the eight principles — they came from the rules, not from us. The framework was not imposed top-down. Each principle was surfaced bottom-up from the vocabulary of the obligations themselves — the words the regulators actually use — then reconciled to a single spine so the four regimes could be compared on the same axes. The categories reflect the corpus, not a pre-existing checklist. Shares are within-jurisdiction (each cell is a % of that jurisdiction’s own obligations), so a small corpus and a large one compare fairly.

The evidence: eight principles, four jurisdictions

Share of each jurisdiction’s in-force financial-resilience obligations touching each principle. Darker = heavier emphasis. Read down a column for that jurisdiction’s centre of gravity; read across a row to see where the jurisdictions agree and split.
United States242 obl.European Union86 obl.United Kingdom125 obl.Canada55 obl.Governance & accountability14.9%7.0%7.2%16.4%Risk & resilience assessment19.8%14.0%9.6%21.8%Business continuity & op. resilience24.0%39.5%51.2%43.6%Disaster recovery & backup2.1%0.0%1.6%10.9%Third-party & supply-chain risk27.7%4.7%47.2%23.6%Incident detection / response / reporting41.7%15.1%30.4%29.1%Testing & exercises9.9%11.6%16.8%30.9%Technical & cyber controls38.0%12.8%3.2%10.9%SHARE OF EACH JURISDICTION'S IN-FORCE FINANCIAL-RESILIENCE OBLIGATIONS TOUCHING EACH PRINCIPLE · DARKER = HEAVIER EMPHASISSAME EIGHT PRINCIPLES, FOUR REGULATORY ACCENTS · FINANCE VERTICAL, IN-SCOPE ONLY · PRINCIPLES SURFACED FROM THE CORPUS

Reading the columns: four profiles, and the risk in each

Each column is a regulatory philosophy — and each hands a COO a different kind of problem. “Risk” below means execution and interpretive risk (how easily you can be wrong, and how hard it is to prove you were right), not the odds of enforcement.

JurisdictionThe accentThe operational risk for a COO
United StatesBroad and prescriptive. Heaviest on incident reporting (41.7%) and — once measured correctly — cyber controls (38.0%); no single blind spot.Lowest ambiguity, highest timing risk. Many regulators and overlapping duties, and the reporting clocks are unforgiving — the acute failure is a late or unstructured incident notification. Invest first in the incident-reporting muscle and a board-evidence trail.
European UnionCodified. DORA and its technical standards spell the controls out article by article; governance sits low (7.0%) because it is handled horizontally.Lowest ambiguity, highest load. Prescription applies whether or not it reduces risk in your context, so the exposure is cost and box-ticking, not guesswork. Budget for breadth of conformance and build a control-to-article map.
United KingdomOutcome-based. Identify important business services, set impact tolerances, stay within them; continuity (51.2%) and third-party (47.2%) dominate, and cyber is written as an outcome, not a control list.Pragmatic, but interpretive. You define what is “important” and “tolerable,” so judgement risk exists — but the framework is structured enough to defend. Your service map and impact-tolerance methodology are the compliance artifact; get them right and the rest follows.
CanadaPrinciples-based. OSFI states expectations and asks the institution to apply judgement; the most even spread of the four, and the thinnest corpus.Highest interpretive risk. Least prescriptive — two firms can both “comply” and one still be criticised, because the burden of proof sits with you. Over-document the rationale; the deliverable is a defensible judgement trail, not a checklist.

Reading the rows: where the lines actually fall

The clean fault line is the Atlantic, not the four regimes — and it shows up in governance. The US and Canada both treat board accountability as roughly twice the priority the two European regimes do (14.9% and 16.4% versus 7.0% and 7.2%), and risk assessment leans the same way (US/Canada ~20%; EU/UK ~10–14%). On the “who owns this, and have you assessed your own risk” management-system principles, North America runs materially heavier than Europe. For a North-American firm expanding into Europe, that is the trap: your governance-heavy posture is not what Europe grades — it grades continuity and codified detail. For a European firm entering North America, expect noticeably more scrutiny of board ownership and personal accountability.

But “Europe” is not one bloc below that line. The EU and UK diverge from each other as sharply as either does from the US: the EU is technical and codified, the UK is service-based and outcome-driven. The corrected cyber numbers sharpen a second contrast — the United States is the most cyber-prescriptive of the four (38.0% of its obligations are technical/cyber controls, consistent with its rules-and-controls tradition), while the United Kingdom writes almost no enumerated controls at all (3.2%). And Canada quietly leads the field on one thing — testing and exercises (30.9%, the highest testing score of the four): OSFI pushes scenario and recovery testing harder than any of the others. One row rewards a second look: the EU’s near-absent disaster-recovery cell is not an omission — DORA files recovery and backup inside its continuity articles ("Response and recovery," and "Backup… restoration and recovery," Arts. 11–12[2]), not as a standalone category. The EU regulates disaster recovery; it simply shelves it under continuity.

The same control, four accents

Read one principle across the four regimes and the difference in technique is unmistakable — each asks for the same underlying capability in its own idiom. Every quote is from an in-force instrument; superscripts link to the exact provision.

PrincipleUnited StatesEuropean UnionUnited KingdomCanada
Governance & accountability “Disclose the board of directors’ oversight of risks from cybersecurity threats.”SEC · 17 CFR 229.106(c)“The management body shall define, approve, oversee and bear responsibility for all ICT risk-management arrangements.”DORA · Reg (EU) 2022/2554 Art. 5“Produce and maintain a written self-assessment of compliance with the operational-resilience rules, approved by the board.”PRA · SS1/21 §8.1“Ensure breaches of disruption tolerances are escalated to senior management and addressed in a timely, sustainable way.”OSFI · Guideline E-21 §1.1
Risk & resilience assessment “Assess the likelihood and potential damage of identified threats, weighing the sensitivity of customer information.”OCC · 12 CFR 30 App. B (III.B.2)“Develop, document and implement ICT risk-management policies and procedures.”DORA RTS · Reg (EU) 2024/1774 Art. 3“Identify important business services whose disruption could cause intolerable harm to clients or risk to market integrity.”FCA · SYSC 15A.2“Maintain a current, comprehensive inventory of technology assets and their documented interdependencies.”OSFI · Guideline B-13 §2.2.2
Business continuity & operational resilience “Maintain a business continuity plan incorporating a secondary site with a distinct risk profile from the primary site.”FRB Reg HH · 12 CFR 234.3(a)(17)(vii)“Put in place ICT response and recovery plans — subject, for all but microenterprises, to independent internal audit review.”DORA · Reg (EU) 2022/2554 Art. 11–12“Set an impact tolerance, including a mandatory time-based metric, for each important business service.”PRA · SS1/21 §3.1“Establish tolerances for disruption for each critical operation — the maximum disruption withstood across severe-but-plausible scenarios.”OSFI · Guideline E-21 §3.2
Disaster recovery & backup “Maintain a cybersecurity program that includes the ability to recover from cybersecurity events and restore normal operations.”NYDFS · 23 NYCRR 500.2(b)— no standalone category; recovery & backup fold into DORA’s continuity articles (Arts. 11–12)“Set recovery-time and recovery-point objectives for the resources underpinning each important business service.”PRA · SS1/21 §3.14“Establish and maintain an Enterprise Disaster Recovery Program to sustain technology-service delivery through disruption.”OSFI · Guideline B-13 §2.9 (Principle 12)
Third-party & supply-chain risk “Exercise due diligence in selecting service providers that handle customer information.”OCC · 12 CFR 30 App. B (III.D.1)“Before contracting, take due consideration of ICT providers’ use of subcontractors and assess ICT concentration risk.”DORA · Reg (EU) 2022/2554 Art. 28–29“Understand and manage sub-outsourcing dependencies that could threaten operational resilience and service delivery.”PRA · SS1/21 §5.6 / SS2/21“Assess systemic concentration risk — sector-wide dependence on common critical third-party providers.”OSFI · Guideline B-10
Incident detection, response & reporting “Notify the OCC promptly upon the occurrence of a computer-security notification incident.”OCC · 12 CFR 53.3“Classify ICT-related incidents by prescribed criteria — clients affected, duration, geographic spread, data losses, economic impact.”DORA · Reg (EU) 2022/2554 Art. 18“Report to the FCA any failure to remain within impact tolerances for an important business service.”FCA · SYSC 15A.2.11G“Implement incident-response procedures with internal/external communication and escalation triggers, and test them periodically.”OSFI · Guideline B-13 §2.7.2
Testing & exercises “Test systems, policies, procedures and controls to confirm they function as intended, under a documented testing framework.”FRB Reg HH · 12 CFR 234.3(a)(17)(i)“Perform advanced threat-led penetration testing (TLPT) of critical ICT systems.”DORA · Reg (EU) 2022/2554 Art. 26“Demonstrate the ability to deliver each important business service within its impact tolerance under severe-but-plausible scenarios.”PRA · SS1/21 §4.1“Regularly scenario-test disaster-recovery capabilities against severe-but-plausible scenarios, including critical third-party technologies.”OSFI · Guideline B-13 §2.9.3
Technical & cyber security controls “Maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of information systems.”NYDFS · 23 NYCRR 500.2(a)“Implement network-security-management safeguards protecting networks against intrusion and misuse.”DORA RTS · Reg (EU) 2024/1774 Art. 13“Take reasonable steps to ensure the technology resilience of systemic third-party services, including sound cyber-resilience strategies.”FCA/PRA CTP · CTPS 4.5.1R“Proactively identify, defend against, detect, respond to and recover from cyber-security threats and incidents.”OSFI · Guideline B-13 §3.0

Why they diverge

The split is not disagreement about what resilience is — it is four regulatory techniques. The United States regulates through many agencies and a disclosure-and-enforcement tradition, so resilience surfaces as duties to detect, escalate and notify, wrapped in board accountability and, as the corrected figures show, a heavy layer of prescriptive cyber controls. The European Union writes one directly-applicable regulation — DORA — and a stack of regulatory technical standards (RTS)[10] beneath it, so the obligation is the codified article. The United Kingdom pioneered the outcome-based template through the FCA and PRA (SS1/21[5], SS2/21[6]): name your important business services, set impact tolerances, stay within them — and treat cyber as one more way a service can fail, not a separate control code. Canada’s OSFI works through principles-based guidance (B-13[7], E-21[4]), producing the most even spread and asking the institution to exercise judgement.

What this means — COO to COO

Build the capability once; evidence it four ways; watch a different risk in each

How this was built — and its limits.
  • Finance only, on purpose. Finance is the one sector with a mature, in-force resilience regime in all four jurisdictions (US banking agencies + NYDFS, EU DORA, UK PRA/FCA, Canada OSFI), so a four-way comparison is like-for-like. The same cut is not yet possible for healthcare or infrastructure — outside finance the honest transatlantic comparison is US-vs-EU only, because UK health resilience runs largely on toolkits and a still-forthcoming bill, Canadian health law is provincial, and Canada’s flagship critical-infrastructure statute is enacted but not yet in force.
  • Principles are emergent, then reconciled to a canon — scored by a transparent, deterministic keyword-and-domain lexicon, the same one used in the cross-sector note, so the two are directly comparable.
  • In-force, in-scope obligations. 508 obligations tagged core or adjacent from primary instruments; out-of-scope material (e.g. the EU AI Act’s conformity articles) is excluded, since leaving it in would badly inflate one jurisdiction.
  • Canada is the thinnest column (60 obligations, OSFI-dominated) — read its profile as directional. EU obligations are terse because DORA and its RTS are extracted article-by-article; the emphasis shares are robust even where individual phrasings are short.
  • Thought-leadership, not compliance advice. Applicability is entity- and activity-specific.

Sources

Datasets (broad). United States — Electronic Code of Federal Regulations (eCFR) and the Federal Register. European Union — EUR-Lex. United Kingdom — FCA Handbook and Bank of England / PRA. Canada — OSFI guidance library.

Specific provisions cited

  1. 12 CFR 234.3 — Federal Reserve Regulation HH (risk-management standards for designated financial market utilities). Source of the US quotes below. — https://www.ecfr.gov/current/title-12/chapter-II/subchapter-A/part-234/section-234.3
  2. Regulation (EU) 2022/2554 (DORA) — esp. Art. 11–12 (response & recovery / backup & restoration), Art. 18 (incident classification). — https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R2554
  3. FCA Handbook SYSC 15A — Operational resilience (SYSC 15A.2, incl. 15A.2.11G reporting). — https://www.handbook.fca.org.uk/handbook/SYSC/15A/2.html
  4. OSFI Guideline E-21 — Operational Risk and Resilience (§3.2 tolerances for disruption). — https://www.osfi-bsif.gc.ca/en/guidance/guidance-library/operational-risk-management-resilience-guideline
  5. PRA Supervisory Statement SS1/21 — Operational resilience: impact tolerances for important business services. — https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/operational-resilience-impact-tolerances-for-important-business-services-ss
  6. PRA Supervisory Statement SS2/21 — Outsourcing and third-party risk management. — https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss
  7. OSFI Guideline B-13 — Technology and Cyber Risk Management (§2.7 incident management). — https://www.osfi-bsif.gc.ca/en/guidance/guidance-library/technology-cyber-risk-management
  8. FCA Handbook SYSC 13 — Operational risk: systems and controls (UK information-security expectations; JavaScript-rendered, so tracked but not machine-extractable). — https://www.handbook.fca.org.uk/handbook/SYSC/13/?view=chapter
  9. Bank of England CBEST — threat-led penetration-testing framework (supervisory cyber assessment). — https://www.bankofengland.co.uk/financial-stability/operational-resilience-of-the-financial-sector
  10. Delegated Reg (EU) 2024/1772 — RTS on classification of ICT-related incidents (under DORA Art. 18). — https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1772
  11. NYDFS Cybersecurity Regulation — 23 NYCRR Part 500. — https://www.dfs.ny.gov/industry_guidance/cybersecurity
  12. SEC Regulation S-K — 17 CFR 229.106 (cybersecurity disclosure). — https://www.ecfr.gov/current/title-17/chapter-II/part-229/section-229.106
  13. Interagency Guidelines Establishing Information Security Standards — 12 CFR 30 App. B (OCC) / 12 CFR 364 App. B (FDIC). — https://www.ecfr.gov/current/title-12/chapter-I/part-30
  14. Computer-Security Incident Notification — 12 CFR 53 (OCC). — https://www.ecfr.gov/current/title-12/chapter-I/part-53
  15. Delegated Reg (EU) 2024/1774 — RTS on the ICT risk-management framework (DORA Art. 15). — https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1774
  16. FCA / PRA / Bank of England Critical Third Parties regime (PS24/16; CTP rules). — https://www.bankofengland.co.uk/prudential-regulation/publication/2024/november/operational-resilience-critical-third-parties-to-the-uk-financial-sector
  17. OSFI Guideline B-10 — Third-Party Risk Management. — https://www.osfi-bsif.gc.ca/en/guidance/guidance-library/third-party-risk-management-guideline

Acronyms

BC — Business continuity
CBEST — Bank of England threat-led penetration-testing framework
CFR — Code of Federal Regulations (US)
DORA — Digital Operational Resilience Act — EU Reg 2022/2554
DR — Disaster recovery
FCA — Financial Conduct Authority (UK)
FMU — Financial market utility (US)
FRB — Federal Reserve Board (US)
IBS — Important business service (UK)
ICT — Information & communications technology
NYDFS — New York State Dept. of Financial Services
OSFI — Office of the Superintendent of Financial Institutions (Canada)
PRA — Prudential Regulation Authority (UK)
PS — Policy statement (FCA)
RTS — Regulatory technical standard (EU)
SS — Supervisory statement (PRA)
SYSC — Senior Management Arrangements, Systems & Controls — FCA sourcebook

Operating across the Atlantic?

WSquare Advisory builds the resilience operating capability that US, EU, UK and Canadian regimes each expect — and helps you evidence one capability in the four idioms your regulators actually grade, while watching the risk that matters in each. If that’s the work in front of you, let’s talk.

Start a Conversation →