The knowledge platform for the financial technology industry

A-Team Insight Blogs

Regulatory Developments 2026, a Cross-Jurisdictional Outlook


Regulatory themes for 2026 are converging on continuous evidence – data quality, control effectiveness, and operational resilience demonstrated through repeatable artefacts rather than narrative attestations. In Europe, that direction is most explicit in ESMA’s data platform and supervisory tooling agenda, alongside the ESAs’ DORA-related coordination and oversight planning – see ESMA 2026 Annual Work Programme. In the US, the same direction is expressed through examinations and oversight reporting, where cybersecurity, technology-driven risk, and compliance programme effectiveness remain central, and generative AI is increasingly addressed through existing supervisory, recordkeeping, and market integrity obligations – see SEC 2026 Examination Priorities. The UK’s emphasis combines “smarter regulator” reforms with enduring operational resilience expectations and the emerging Critical Third Parties regime, placing dependency mapping and resilience evidence firmly into board-level risk conversations – see FCA Annual Work Programme 2025/26. In APAC, themes are similar but often expressed through implementation timetables (HKMA) and enforcement focus (MAS, ASIC), reinforcing that governance, data and controls must be “investigation-ready” as well as resilient.

Primary variations in emphasis across the jurisdictions include the EU formalising supervisory digitalisation and cross-authority coordination; the US signalling priorities via exams and self-regulatory guidance; the UK blending resilience policy with competitiveness and systemic third-party oversight; and APAC combining resilience deadlines with high-visibility enforcement priorities.

SEC 2026 Exam Priorities (US)

The SEC’s FY2026 Examination Priorities reiterate cybersecurity and operational risk as persistent examination themes, emphasising registrants’ practices for safeguarding customer records and managing information security and operational risks. The document also signals ongoing examiner interest in how firms manage emerging technology risk in the context of core obligations (rather than as a standalone “AI rule” framework).

For governance, this often translates into greater reliance on demonstrable oversight: decision logs, escalation evidence, and test results that show controls operating as designed. Workflows that rely on periodic reviews tend to face pressure where cyber incidents, dispersed operations, or third-party dependencies increase operational risk. On data and technology, the SEC’s framing reinforces the importance of identity and access controls, retention, and incident response evidence that can be produced quickly and consistently.

FINRA Oversight and Planning (US)

FINRA’s 2026 Annual Regulatory Oversight Report is explicitly positioned as an input to annual compliance planning and includes new and updated content on cyber-enabled fraud, senior/aged investors, and generative AI trends. FINRA’s report tends to translate observed supervisory findings into practical control expectations across firm operations, market integrity, communications, and financial crime prevention.

From a governance angle, the report’s structure implicitly treats topics like GenAI as “inside the tent” of established supervision: the same accountability, training, and escalation disciplines apply, with an added requirement for explainability and auditability. Workflow implications show up in alert management, surveillance tuning, recordkeeping, and third-party oversight – particularly where GenAI alters how customer communications, research, or internal supervision is performed. Data/technology implications cluster around retention, monitoring, and evidence of supervisory review – including how exceptions are handled and resolved.

CFTC Swap-Dealer Conduct Updates (US)

The CFTC approved a final rule revising swap dealer business conduct standards and swap documentation requirements, and the Federal Register text sets out the detailed amendments – see Commodity Futures Trading Commission. A material aspect of the rulemaking is the codification and rationalisation of long-standing “staff no-action” positions into the rule text, shifting “market practice via letters” into formalised requirements.

For GRC, the near-term impact is less about conceptual redesign and more about control maintenance: policy updates, training, and supervisory procedures that can be evidenced; documentation workflows that ensure completeness and retrievability; and exception handling that is consistent across counterparties and products. Data and technology implications typically involve contract data capture, obligation mapping, and auditable linkage between documentation artefacts and compliance controls – especially where firms are standardising lifecycle controls across uncleared swaps and trading relationship documentation.

ESMA 2026 Work Programme (EU)

ESMA’s Annual Work Programme 2026 and accompanying release highlight rollout of the ESMA Data Platform, studies on data centralisation, and development of AI-powered supervisory tools (including anomaly detection and market abuse prevention). This is one of the clearest primary-source statements that the supervisory model is moving toward data-driven, risk-based monitoring supported by platform capability.

For governance, this elevates regulatory data quality and lineage from a reporting function concern to an enterprise GRC concern, because supervisory engagement becomes more data focused. Workflow implications include more frequent validation, reconciliation, and exception management discipline to support consistent submissions and analytics-driven inquiries. Data/technology implications typically include stronger data governance, traceable transformations, and reusable control logic that can be evidenced – particularly where supervisory tooling expects comparable data across entities and markets.

ESA Joint DORA Oversight (EU)

The European Supervisory Authorities’ (ESAs) Joint Committee 2026 Work Programme explicitly targets strengthening digital operational resilience, consumer protection, and identifying stability risks, with DORA-related coordination forming a material part of the agenda. The Work Programme also describes oversight planning and activities connected to critical ICT service providers under the DORA framework.

Governance implications tend to involve clearer senior accountability for ICT risk and third-party dependency controls, with DORA oversight focused on systemic resilience outcomes. Workflow implications include formalised risk assessment, testing programmes, and incident response that incorporate supplier and subcontractor dependency chains. Data and technology implications include dependency mapping, resilience metrics, and evidence packs that demonstrate not just policy design but operational execution – particularly around critical functions and outsourced ICT services.

ECB Supervisory Priorities 2026–28 (EU)

ECB Banking Supervision’s supervisory priorities for 2026–2028 frame the agenda for addressing key vulnerabilities in a complex risk environment. For GRC, this points to deeper linkage between governance and evidence: boards and senior committees are increasingly assessed on how risk identification translates into credible management action and capital/liquidity planning. Workflow implications include more integrated stress testing, risk appetite monitoring, and remediation tracking. Data/technology implications involve improving model inputs, lineage, and the ability to explain outcomes, assumptions, and management actions through auditable data pipelines.

FCA Smarter Regulator Agenda (UK)

The FCA’s Annual Work Programme 2025/26 sets out priorities including “a smarter regulator” and “fighting financial crime,” supported by ongoing focus on technology and data. While framed as a work programme, the content provides a directional signal for 2026 operating expectations: more digitised supervisory interaction and stronger reliance on high-quality information.

Governance implications include increased emphasis on management information that demonstrates effectiveness and prioritisation, where supervisors are focused on areas of greatest harm. Workflow implications include more standardised evidence production, reduced reliance on bespoke narrative responses, and stronger internal quality controls around data submitted to the regulator. Data/technology implications emphasise structured information flows, better-quality submissions, and governance over the systems that generate evidence, consistent with the FCA’s stated drive to modernise and digitise supervisory processes.

PRA Competitiveness Objective (UK)

The PRA’s published materials on its secondary objective on competitiveness and growth provide a primary source for how prudential priorities are being balanced with proportionality and the competitiveness agenda. This is often interpreted as a demand for demonstrably effective controls that avoid unnecessary operational drag.

Governance implications typically include clearer articulation of risk-based prioritisation and evidence that control design is proportionate to material risk. Workflow implications often show up in rationalisation of overlapping controls and more deliberate “control by design” approaches in change programmes. Data/technology implications centre on automation and standardisation as enablers of both resilience and efficiency – particularly in areas like reporting controls, operational resilience evidence, and governance management information (MI).

BoE/PRA Impact Tolerances Framework (UK)

The Bank of England/PRA operational resilience framework – impact tolerances for important business services – remains the UK’s foundational resilience obligation. This requires firms to identify important business services and to set up and test impact tolerances. Although introduced earlier, its practical implications remain prominent as resilience expectations move into business-as-usual evidence.

Governance implications typically include board-level ownership of service identification, impact tolerance setting, and investment prioritisation. Workflow implications include ongoing scenario testing, incident response integration, and remediation tracking that demonstrates progress against tolerances. Data/technology implications include service mapping, dependency tracking, and metrics that evidence resilience outcomes.

BoE Critical Third Parties Regime (UK)

The UK’s Critical Third Parties regime introduces direct supervisory oversight of designated systemic service providers, with HM Treasury designations and regulator-led resilience standards and testing expectations described in supervisory statements and joint policy materials. This creates a notable extension of the “operational resilience perimeter” into the technology supply chain.

Governance implications include increased focus on dependency concentration risk and accountability for critical third-party (CTP) resilience evidence. Workflow implications include stronger vendor governance integration with incident management, operational resilience testing, and exit planning – including contractual terms. Data/technology implications include detailed dependency maps, service-level evidence, and operational metrics that support both firm-side resilience and supervisory engagement – particularly where systemic cloud/ICT providers underpin multiple important business services.

HKMA Operational Resilience Deadline (APAC)

HKMA’s operational resilience expectations are set out in the OR-2 Supervisory Policy Manual module. This is an example of a resilience regime with a clear timetable and an explicit “post-May 2026” transition into business-as-usual resilience management.

Governance implications include defined roles for boards and senior management, and accountability for resilience outcomes rather than solely control design. Workflow implications include mapping interdependencies, scenario testing, and remediation tracking as routine disciplines with consistent evidence. Data/technology implications include service mapping, dependency visibility, and the ability to demonstrate resilience through measurable evidence. This will require stronger observability, centralised evidence repositories, and integrated incident management across technology and operations.

MAS Enforcement Priorities Focus (APAC)

MAS’ Enforcement Report 2023/2024 sets out enforcement actions and priorities for 2025/2026, providing a primary-source view of supervisory posture and areas of sustained scrutiny. While enforcement reporting is retrospective by nature, MAS uses the report to indicate where governance and control effectiveness expectations are tightening, including AML/CFT and market integrity themes.

Governance implications commonly include heightened accountability for control failures and clearer expectations around escalation and remediation ownership. Workflow implications include investigation readiness, consistent case management, documented decision trails, and timely completion of remediation actions. Data/technology implications centre on the ability to produce complete, coherent evidence – monitoring outputs, audit trails, and control testing results – without extensive manual effort.

ASIC Enforcement Priorities 2026 (APAC)

ASIC’s 2026 enforcement priorities cover insider trading (strengthening investigation and prosecution), the exploitation of financially stressed consumers, unlawful practices to evade creditors, holding super trustees to account for service failures, and auditor misconduct, with explicit reference to emerging risks such as private credit. This positions market integrity and gatekeeper accountability as enduring themes, while highlighting transparency and valuation discipline.

Governance implications focus on accountability for market integrity controls, gatekeeper oversight, and timely remediation where failures occur. Workflow implications include stronger surveillance-to-investigation processes, evidence capture, and escalation discipline. Private markets are called out for more robust valuation, disclosure, and conflict management processes. Data/technology implications include investigation-ready records, analytics that support detection and reconstruction, and evidence of controls that demonstrate policy design and operational effectiveness.

The 2026 GRC Roadmap

Taken together, the 2026 regulatory signals across the US, EU, UK and APAC point to a steady recalibration of supervision away from episodic compliance checks and toward continuous, evidence-led oversight. Whether expressed through ESMA’s investment in supervisory data platforms, SEC and FINRA examination priorities, UK operational resilience regimes, or APAC enforcement posture, regulators are converging on the same practical question: can governance frameworks, workflows, and systems consistently demonstrate how risks are identified, controlled, and remediated under real operating conditions? The common denominator is not the introduction of radically new regulations, but a higher bar for how existing obligations are operationalised and evidenced.
