One rulebook, four accents
The United States, European Union, United Kingdom and Canada all regulate operational resilience in financial services — and they all reach for the same eight principles. But each encodes them differently, and each leaves a different operational risk on your desk. The capability is one; the way you must prove it — and where you can get hurt — is four.
Our companion note showed finance, healthcare and infrastructure converging on the same resilience principles. This one asks the transatlantic question within the same sector — financial services: do the four jurisdictions regulate resilience the same way? We mapped 508 in-force financial-resilience obligations — United States (237), European Union (86), United Kingdom (125), Canada (60) — onto one eight-principle framework. Finance is deliberate: it is the only sector with a mature, in-force resilience regime in all four jurisdictions, so the comparison is like-for-like. The principles are shared. What diverges is how each jurisdiction encodes, weights and enforces them — and that divergence tells a cross-border operator exactly where the effort, and the risk, will land.
The evidence: eight principles, four jurisdictions
Reading the columns: four profiles, and the risk in each
Each column is a regulatory philosophy — and each hands a COO a different kind of problem. “Risk” below means execution and interpretive risk (how easily you can be wrong, and how hard it is to prove you were right), not the odds of enforcement.
| Jurisdiction | The accent | The operational risk for a COO |
|---|---|---|
| United States | Broad and prescriptive. Heaviest on incident reporting (41.7%) and — once measured correctly — cyber controls (38.0%); no single blind spot. | Lowest ambiguity, highest timing risk. Many regulators and overlapping duties, and the reporting clocks are unforgiving — the acute failure is a late or unstructured incident notification. Invest first in the incident-reporting muscle and a board-evidence trail. |
| European Union | Codified. DORA and its technical standards spell the controls out article by article; governance sits low (7.0%) because it is handled horizontally. | Lowest ambiguity, highest load. Prescription applies whether or not it reduces risk in your context, so the exposure is cost and box-ticking, not guesswork. Budget for breadth of conformance and build a control-to-article map. |
| United Kingdom | Outcome-based. Identify important business services, set impact tolerances, stay within them; continuity (51.2%) and third-party (47.2%) dominate, and cyber is written as an outcome, not a control list. | Pragmatic, but interpretive. You define what is “important” and “tolerable,” so judgement risk exists — but the framework is structured enough to defend. Your service map and impact-tolerance methodology are the compliance artifact; get them right and the rest follows. |
| Canada | Principles-based. OSFI states expectations and asks the institution to apply judgement; the most even spread of the four, and the thinnest corpus. | Highest interpretive risk. Least prescriptive — two firms can both “comply” and one still be criticised, because the burden of proof sits with you. Over-document the rationale; the deliverable is a defensible judgement trail, not a checklist. |
Reading the rows: where the lines actually fall
The clean fault line is the Atlantic, not the four regimes — and it shows up in governance. The US and Canada both treat board accountability as roughly twice the priority the two European regimes do (14.9% and 16.4% versus 7.0% and 7.2%), and risk assessment leans the same way (US/Canada ~20%; EU/UK ~10–14%). On the “who owns this, and have you assessed your own risk” management-system principles, North America runs materially heavier than Europe. For a North-American firm expanding into Europe, that is the trap: your governance-heavy posture is not what Europe grades — it grades continuity and codified detail. For a European firm entering North America, expect noticeably more scrutiny of board ownership and personal accountability.
But “Europe” is not one bloc below that line. The EU and UK diverge from each other as sharply as either does from the US: the EU is technical and codified, the UK is service-based and outcome-driven. The corrected cyber numbers sharpen a second contrast — the United States is the most cyber-prescriptive of the four (38.0% of its obligations are technical/cyber controls, consistent with its rules-and-controls tradition), while the United Kingdom writes almost no enumerated controls at all (3.2%). And Canada quietly leads the field on one thing — testing and exercises (30.9%, the highest testing score of the four): OSFI pushes scenario and recovery testing harder than any of the others. One row rewards a second look: the EU’s near-absent disaster-recovery cell is not an omission — DORA files recovery and backup inside its continuity articles ("Response and recovery," and "Backup… restoration and recovery," Arts. 11–12[2]), not as a standalone category. The EU regulates disaster recovery; it simply shelves it under continuity.
The same control, four accents
Read one principle across the four regimes and the difference in technique is unmistakable — each asks for the same underlying capability in its own idiom. Every quote is from an in-force instrument; superscripts link to the exact provision.
| Principle | United States | European Union | United Kingdom | Canada |
|---|---|---|---|---|
| Governance & accountability | “Disclose the board of directors’ oversight of risks from cybersecurity threats.”SEC · 17 CFR 229.106(c) | “The management body shall define, approve, oversee and bear responsibility for all ICT risk-management arrangements.”DORA · Reg (EU) 2022/2554 Art. 5 | “Produce and maintain a written self-assessment of compliance with the operational-resilience rules, approved by the board.”PRA · SS1/21 §8.1 | “Ensure breaches of disruption tolerances are escalated to senior management and addressed in a timely, sustainable way.”OSFI · Guideline E-21 §1.1 |
| Risk & resilience assessment | “Assess the likelihood and potential damage of identified threats, weighing the sensitivity of customer information.”OCC · 12 CFR 30 App. B (III.B.2) | “Develop, document and implement ICT risk-management policies and procedures.”DORA RTS · Reg (EU) 2024/1774 Art. 3 | “Identify important business services whose disruption could cause intolerable harm to clients or risk to market integrity.”FCA · SYSC 15A.2 | “Maintain a current, comprehensive inventory of technology assets and their documented interdependencies.”OSFI · Guideline B-13 §2.2.2 |
| Business continuity & operational resilience | “Maintain a business continuity plan incorporating a secondary site with a distinct risk profile from the primary site.”FRB Reg HH · 12 CFR 234.3(a)(17)(vii) | “Put in place ICT response and recovery plans — subject, for all but microenterprises, to independent internal audit review.”DORA · Reg (EU) 2022/2554 Art. 11–12 | “Set an impact tolerance, including a mandatory time-based metric, for each important business service.”PRA · SS1/21 §3.1 | “Establish tolerances for disruption for each critical operation — the maximum disruption withstood across severe-but-plausible scenarios.”OSFI · Guideline E-21 §3.2 |
| Disaster recovery & backup | “Maintain a cybersecurity program that includes the ability to recover from cybersecurity events and restore normal operations.”NYDFS · 23 NYCRR 500.2(b) | — no standalone category; recovery & backup fold into DORA’s continuity articles (Arts. 11–12) | “Set recovery-time and recovery-point objectives for the resources underpinning each important business service.”PRA · SS1/21 §3.14 | “Establish and maintain an Enterprise Disaster Recovery Program to sustain technology-service delivery through disruption.”OSFI · Guideline B-13 §2.9 (Principle 12) |
| Third-party & supply-chain risk | “Exercise due diligence in selecting service providers that handle customer information.”OCC · 12 CFR 30 App. B (III.D.1) | “Before contracting, take due consideration of ICT providers’ use of subcontractors and assess ICT concentration risk.”DORA · Reg (EU) 2022/2554 Art. 28–29 | “Understand and manage sub-outsourcing dependencies that could threaten operational resilience and service delivery.”PRA · SS1/21 §5.6 / SS2/21 | “Assess systemic concentration risk — sector-wide dependence on common critical third-party providers.”OSFI · Guideline B-10 |
| Incident detection, response & reporting | “Notify the OCC promptly upon the occurrence of a computer-security notification incident.”OCC · 12 CFR 53.3 | “Classify ICT-related incidents by prescribed criteria — clients affected, duration, geographic spread, data losses, economic impact.”DORA · Reg (EU) 2022/2554 Art. 18 | “Report to the FCA any failure to remain within impact tolerances for an important business service.”FCA · SYSC 15A.2.11G | “Implement incident-response procedures with internal/external communication and escalation triggers, and test them periodically.”OSFI · Guideline B-13 §2.7.2 |
| Testing & exercises | “Test systems, policies, procedures and controls to confirm they function as intended, under a documented testing framework.”FRB Reg HH · 12 CFR 234.3(a)(17)(i) | “Perform advanced threat-led penetration testing (TLPT) of critical ICT systems.”DORA · Reg (EU) 2022/2554 Art. 26 | “Demonstrate the ability to deliver each important business service within its impact tolerance under severe-but-plausible scenarios.”PRA · SS1/21 §4.1 | “Regularly scenario-test disaster-recovery capabilities against severe-but-plausible scenarios, including critical third-party technologies.”OSFI · Guideline B-13 §2.9.3 |
| Technical & cyber security controls | “Maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of information systems.”NYDFS · 23 NYCRR 500.2(a) | “Implement network-security-management safeguards protecting networks against intrusion and misuse.”DORA RTS · Reg (EU) 2024/1774 Art. 13 | “Take reasonable steps to ensure the technology resilience of systemic third-party services, including sound cyber-resilience strategies.”FCA/PRA CTP · CTPS 4.5.1R | “Proactively identify, defend against, detect, respond to and recover from cyber-security threats and incidents.”OSFI · Guideline B-13 §3.0 |
Why they diverge
The split is not disagreement about what resilience is — it is four regulatory techniques. The United States regulates through many agencies and a disclosure-and-enforcement tradition, so resilience surfaces as duties to detect, escalate and notify, wrapped in board accountability and, as the corrected figures show, a heavy layer of prescriptive cyber controls. The European Union writes one directly-applicable regulation — DORA — and a stack of regulatory technical standards (RTS)[10] beneath it, so the obligation is the codified article. The United Kingdom pioneered the outcome-based template through the FCA and PRA (SS1/21[5], SS2/21[6]): name your important business services, set impact tolerances, stay within them — and treat cyber as one more way a service can fail, not a separate control code. Canada’s OSFI works through principles-based guidance (B-13[7], E-21[4]), producing the most even spread and asking the institution to exercise judgement.