
As regulation intensifies, Microsoft helps financial leaders meet growing demands


Regulatory change has always been a fact of life in financial services. In recent years, banks, insurers, capital markets firms and others have been especially affected by regulations concerning operational resilience, cybersecurity and, most recently, the emergence of AI. Regulatory bodies are working to keep pace with transformational innovation across multiple sectors, and technology companies like Microsoft are now recognized as critical infrastructure providers to the financial industry.

While major technology shifts certainly introduce new risks, they also provide capabilities and solutions that not only help meet regulatory expectations from a compliance and risk perspective, but also greatly improve operational reliability, resiliency, security, and governance.

In the European Union, two landmark regulations are redefining expectations and requirements regarding cybersecurity and operational resilience:

  • The Digital Operational Resilience Act (DORA) focuses specifically on financial institutions, requiring firms to demonstrate end‑to‑end operational resilience, including Information and Communication Technology (ICT) risk management and incident handling. For the first time, it also broadens regulatory scope by giving regulators direct oversight of companies identified as critical third parties (which includes Microsoft) because of the role these companies play as key providers within the wider financial ecosystem.
  • The European Union Network and Information Security Directive 2 (NIS2) sets a new benchmark for cybersecurity obligations by implementing stronger compliance requirements and expanding its scope to cover critical sectors and requirements for risk management, incident reporting, and governance.

While DORA and NIS2 originate in the EU, their impact extends well beyond Europe, illustrating the “Brussels Effect,” whereby EU rules influence global business and security practices. Indeed, Microsoft often takes a global view of and a scaled approach to these regulatory requirements, which means firms can have confidence that these operational and security controls are applied consistently, irrespective of the jurisdictions in which they operate.

Additional jurisdictions, including the US, UK, Australia, Singapore, and Canada, are also strengthening expectations around cybersecurity, risk management and incident notification. In the US, the Securities and Exchange Commission’s amended Regulation S-P (Reg. SP) requires “covered institutions” to adopt written incident response plans, notify customers of data breaches, maintain oversight of service providers, meet new recordkeeping requirements, and notify regulators of major incidents. Parallel obligations also apply under the US federal banking agencies’ Security Incident Notification Rule (formally titled the “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers”).

Reg. SP is intended to protect sensitive customer information. It applies to broker-dealers, registered investment advisers, registered investment companies, and registered transfer agents. With the amended Reg. SP taking effect on December 3, 2025, for larger firms and June 3, 2026, for smaller firms, boards are accountable for ensuring that customer data protection and incident response are governed, resourced, tested, and enforced at the enterprise level. Firms must implement policies to oversee service providers, including:

  • Due diligence and monitoring
  • Contractual arrangements establishing service provider responsibilities
  • Breach notification requirements obligating service providers to notify the firm of security incidents (no later than 72 hours after discovery)

Harmonizing these requirements on a global scale can be challenging for any multi-jurisdictional financial firm. With Microsoft’s integrated approach to regulatory compliance, companies can trust that their compliance requirements will be supported wherever they operate globally.

Financial firms remain primarily accountable as regulated institutions

One of the most important and often misunderstood aspects of Reg. SP and similar regulations is the allocation of notification responsibilities and timelines. Financial services firms and technology providers have distinct responsibilities:

Financial services institutions: Under Reg. SP, NIS2, DORA, and similar regulations, notification requirements are directed at the regulated entity, meaning the financial institution itself is responsible for compliance. These rules define when financial institutions must assess incidents, determine materiality, and notify regulators or customers when required. While technology providers must provide timely notice when they discover a material incident, financial institutions remain accountable for adhering to these obligations, which include:

  • Determining whether an incident is material under the relevant regulation
  • Meeting regulatory disclosure and notification deadlines
  • Maintaining governance, oversight, and documentation to support those decisions

Technology providers: Microsoft is committed to adhering to applicable regulations and ensuring that our services will enable customers to meet their regulatory requirements worldwide. Although we do not assume the regulatory disclosure obligations of financial institutions, we do provide assistance and resources to help customers meet their compliance requirements, including:

  • Security and compliance capabilities that support regulatory alignment
  • Transparency and documentation to help assess incidents
  • Integrated support that assists with incident management and regulatory mapping
  • Customer notification of incidents (as contractually committed to), in alignment with applicable regulatory requirements

How Microsoft helps support a unified approach

Financial services leaders need consistent, integrated capabilities rather than one-off compliance fixes. Microsoft applies a global approach in helping firms comply with applicable regulations by aligning our commercial commitments and underlying services to manage compliance across jurisdictions. We help customers navigate these disparate regulatory requirements by offering the following capabilities:

  • Compliance mapping with Microsoft Purview Compliance Manager: Provides NIS2 and other regulatory assessment templates to help organizations assess and track compliance across Microsoft cloud services.
  • Control mapping with Compliance for Microsoft Cloud (EDE): An optional enhanced support package, delivered through Microsoft Unified Support, that assigns a dedicated engineer to help an organization interpret relevant Microsoft controls and gain assurance when responding to regulatory and compliance requirements.
  • Continuous threat monitoring with Microsoft Sentinel: Enables real‑time threat detection and continuous security monitoring, with automated incident handling and evidence workflows that support NIS2 requirements and align with DORA ICT risk management and operational‑resilience expectations.
  • Security protection with Microsoft Defender XDR: Delivers cross-platform threat protection and advanced response capabilities.
  • Compliance and policy enforcement with Azure Policy & Security Center: Enforces compliance monitoring and policy adherence across hybrid and multi-cloud environments.
  • Key management and device security with Azure Key Vault & Intune: Supports cryptography and customer-managed keys (Key Vault) and device security controls (Intune).
  • Identity management with Microsoft Entra ID: Provides identity and access management, including strong access-control capabilities through multifactor authentication and privileged identity management.
  • Lifecycle security and compliance management with Microsoft Unified: Helps operationalize incident management and resilience controls aligned with regulatory expectations under frameworks including DORA, NIS2, and the EU AI Act, and supports the security and response capabilities that underpin Reg. SP obligations.

For customers with deeper compliance assurance needs, Compliance for Microsoft Cloud (EDE) is an optional Microsoft Unified Support add-on that provides a dedicated engineer focused on compliance related scenarios, helping customers interpret Microsoft controls and support regulatory and assurance discussions across Microsoft’s core online services.

The elements of accountability

The requirements under Reg. SP, DORA, and NIS2 assign clear accountability to firms to establish and maintain the governance, management oversight, and documented operational processes necessary to notify regulators and customers of incidents in a timely manner. Boards and executives are increasingly expected to:

  • Understand regulatory exposure across jurisdictions
  • Ensure that incident response and disclosure processes are in place
  • Maintain appropriate governance and oversight of technology providers as part of their third-party risk management programs

Financial services leaders should consider these essential points:

  1. Reg. SP is the catalyst, not the exception. It reflects a broader global trend toward cybersecurity and resilience expectations.
  2. Regulatory disclosure obligations remain with the financial organization. Microsoft supports compliance but does not assume customer notification timelines.
  3. A capability‑led approach scales better than rule‑by‑rule responses. Microsoft Purview, Azure Policy and Security Center, and Microsoft Unified form a practical foundation for managing regulatory change across regions.

Microsoft’s comprehensive security, governance, and compliance portfolio enables financial organizations to address changing regulatory requirements with confidence. Microsoft remains dedicated to supporting the financial services industry as a reliable partner, fostering growth, adaptability, and effective management of ongoing transformation.

Learn how Microsoft helps financial leaders navigate regulatory requirements

  • Visit our blog for stories of how Microsoft for Financial Services helps firms accelerate business value.
  • See how financial institutions strengthen security and resilience—without slowing down modernization—in our video series.
  • To learn more about Microsoft’s overall platform strategy, including compliance, for regulated financial services, see Microsoft for Financial Services.
  • For more on how Microsoft frames regulatory compliance as a long‑term strategic challenge for financial services, visit our Compliance Overview.
