Regulatory change has always been a fact of life in financial services. Banks, insurers, capital markets firms and others in recent years have been especially impacted by regulations concerning operational resilience, cybersecurity and\u2014most recently\u2014the emergence of AI. Regulatory bodies are working to keep pace with transformational innovation across multiple sectors, and technology companies like Microsoft are now recognized as critical infrastructure providers to the financial industry.<\/p>\n\n\n\n
While major technology shifts certainly introduce new risks, the good news is that they also provide capabilities and solutions to not only help meet regulatory expectations from a compliance and risk perspective, but also greatly improve operational reliability, resiliency, security, and governance.<\/p>\n\n\n\n
In the European Union, two landmark regulations are redefining expectations and requirements regarding cybersecurity and operational resilience:<\/p>\n\n\n\n
While DORA and NIS2 originate in the EU, their impact extends well beyond Europe, illustrating the \u201cBrussels Effect,\u201d whereby EU rules influence global business and security practices. Indeed, Microsoft often takes a global view of and a scaled approach to these regulatory requirements, which means firms can have confidence that these operational and security controls are applied consistently, irrespective of the jurisdictions in which they operate.<\/p>\n\n\n\n
Additional jurisdictions, including the US, UK, Australia, Singapore, and Canada are also strengthening expectations around cybersecurity, risk management and incident notification. In the US, the Security and Exchange Commission\u2019s amended Regulation S-P<\/a> (Reg. SP), requires \u201ccovered institutions\u201d to adopt written incident response plans, notify customers of data breaches, maintain oversight of service providers, meet new recordkeeping requirements, and notify regulators of major incidents. Parallel obligations also apply under the US Federal Bank Agencies\u2019 Security Incident Notification Rule<\/a> (formally titled the \u201cComputer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers\u201d).<\/p>\n\n\n\n Reg. SP is intended to protect sensitive customer information. It applies to broker dealers, registered investment advisors, registered investment companies, and registered transfer agents. After Reg. SP came into force on December 3, 2025, for large firms and June 3, 2025, for smaller firms, boards are accountable for ensuring that customer data protection and incident response are governed, resourced, tested, and enforced at the enterprise level. Firms must implement policies to oversee service providers, including:<\/p>\n\n\n\n Harmonizing these requirements on a global scale can be challenging for any multi-jurisdictional financial firm. With Microsoft’s integrated approach to regulatory compliance, companies can trust that their compliance requirements will be supported wherever they operate globally.<\/p>\n\n\n\n One of the most important and often misunderstood aspects of Reg. SP and similar regulations are the notification responsibilities and timelines. Financial services firms and technology providers have distinct responsibilities:<\/p>\n\n\n\n Financial services institutions:<\/strong> According to Reg. SP, NIS2, DORA, and similar regulations, notification requirements are directed at the regulated entity, meaning the financial institution itself is responsible for compliance. These rules define when financial institutions must assess incidents, determine materiality, and notify regulators or customers when required. While technology providers must provide timely notice when they discover a material incident, financial institutions remain accountable to adhering to these obligations, which include:<\/p>\n\n\n\n Technology providers:<\/strong> Microsoft is committed to adhering to applicable regulations and ensuring that our services will enable customers to meet their regulatory requirements worldwide. Although we do not assume the regulatory disclosure obligations of financial institutions, we do <\/a>provide assistance and resources to help customers meet their compliance requirements, including:<\/p>\n\n\n\n Financial services leaders need consistent, integrated capabilities rather than one-off compliance fixes. Microsoft applies a global approach in helping firms comply with applicable regulations by aligning our commercial commitments and underlying services to manage compliance across jurisdictions. We help customers navigate these disparate regulatory requirements by offering the following capabilities:<\/p>\n\n\n\n For customers with deeper compliance assurance needs, Compliance for Microsoft Cloud (EDE) is an optional Microsoft Unified Support add-on that provides a dedicated engineer focused on compliance related scenarios, helping customers interpret Microsoft controls and support regulatory and assurance discussions across Microsoft\u2019s core online services.<\/p>\n\n\n\n The requirements under Reg. SP, DORA, and NIS2 assign clear accountability on firms to establish and maintain governance, management oversight, and documented operational processes necessary to notify regulators and customers of incidents in a timely manner. Boards and executives are increasingly expected to:<\/p>\n\n\n\n Financial services leaders should consider these essential points:<\/p>\n\n\n\n Microsoft\u2019s comprehensive security, governance, and compliance portfolio enables financial organizations to address changing regulatory requirements with confidence. Microsoft remains dedicated to supporting the financial services industry as a reliable partner, fostering growth, adaptability, and effective management of ongoing transformation.<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n","protected":false},"excerpt":{"rendered":" Regulatory change has always been a fact of life in financial services. Banks, insurers, capital markets firms and others in recent years have been especially impacted by regulations concerning operational resilience, cybersecurity and\u2014most recently\u2014the emergence of AI.<\/p>\n","protected":false},"author":34,"featured_media":14140,"template":"","categories":[1156],"tags":[],"content-type":[118],"job-function":[],"coauthors":[1502],"class_list":["post-13743","ms-industry","type-ms-industry","status-publish","has-post-thumbnail","hentry","category-financial-services","content-type-thought-leadership"],"yoast_head":"\n\n
Financial firms remain primarily accountable as regulated institutions<\/h2>\n\n\n\n
\n
\n
How Microsoft helps support a unified approach<\/h2>\n\n\n\n
\n
\n
\n
\n
\n
\n
\n
\n
The elements of accountability <\/strong><\/h2>\n\n\n\n
\n
\n
Learn how Microsoft helps financial leaders navigate regulatory requirements<\/strong><\/h3>\n\n\n\n
\n