EU financial regulation is undergoing a fundamental shift. What was once a system built around periodic compliance is rapidly evolving into a model of continuous, data-driven supervision.
For regulated firms, this is more than a regulatory change; it is a change in how supervision itself operates. Increasingly, authorities are not simply assessing whether rules are followed; they are building systems to observe risk, resilience, and behaviour in near real time.
Three key developments are driving this transformation: the evolution of risk-based supervision, the operationalisation of digital resilience under DORA, and the centralisation of anti-money laundering oversight through AMLA.
Risk-based supervision is becoming data-driven
Supervisory models such as those applied by the Cyprus Securities and Exchange Commission (the “CySEC”) have long relied on risk-based supervision (the “RBS”). Traditionally, this meant allocating supervisory attention based on firm size, business model, and historical risk indicators.
That model is now evolving.
Supervisors are increasingly leveraging:
- granular, high-frequency reporting
- automated risk scoring
- cross-sector data analysis
- supervisory technology
For firms, this means that risk profiles are no longer assessed once a year; they are continuously recalibrated as new data arrives. Static compliance frameworks are no longer sufficient: firms must ensure that their data, controls, and governance structures withstand ongoing scrutiny.
Digital Operational Resilience Act (DORA): supervision enters the technology stack
DORA represents a significant expansion of supervisory scope into ICT risk and operational resilience.
It requires firms to demonstrate not only that controls exist, but that systems can withstand, respond to, and recover from disruption. This includes:
- a structured ICT risk management framework, approved and overseen by the management body
- mandatory reporting of major ICT-related incidents to the competent authority
- advanced resilience testing, including threat-led penetration testing (TLPT) for entities designated by their competent authority
- management of ICT third-party risk, including contractual requirements, and an EU-level oversight framework for critical ICT third-party service providers
Crucially, DORA also changes the role of supervisors.
Supervision is no longer limited to governance and compliance reviews; it now extends into the operational and technological core of financial institutions. Supervisors are increasingly focused on how systems function in practice, not just how they are documented.
For firms, this means that IT, risk, and compliance functions must converge. Operational resilience has become more than a technological issue; it is now a regulatory priority.
Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA): the end of fragmented AML supervision
The creation of AMLA marks a decisive shift toward centralised AML/CFT supervision in the EU.
Historically, anti-money laundering supervision has been fragmented across member states, leading to inconsistencies in enforcement and regulatory expectations. AMLA addresses this by:
- directly supervising high-risk cross-border institutions
- coordinating national authorities and Financial Intelligence Units
- promoting a single supervisory approach across the EU
This reduces national discretion and increases convergence in supervisory expectations.
For firms operating across multiple jurisdictions, this means fewer opportunities for regulatory arbitrage, but also greater consistency and predictability in AML requirements. At the same time, supervisory scrutiny is expected to become more intensive and more coordinated.
From compliance to supervisory infrastructure
Seen holistically, these developments signal a structural shift. EU regulation is moving:
- from rules to systems
- from periodic checks to continuous monitoring
- from national supervision to EU-level coordination
This is the emergence of a supervisory infrastructure, a model in which:
- data is continuously collected and analysed
- risks are identified in near real time
- supervision is embedded across regulatory, technological, and operational layers
In this environment, compliance is no longer a standalone function. It becomes part of a broader ecosystem of risk, data, and resilience management.
What this means for firms
Firms should not treat these developments as isolated regulatory initiatives. Together, they require a shift in operating model:
- Data readiness: ensuring regulatory data is accurate, accessible, and usable in real time
- Integrated governance: aligning compliance, risk, and IT functions
- Operational resilience: embedding resilience into systems, not just policies
- Proactive engagement: anticipating supervisory expectations rather than reacting to them
This evolution has profound implications. For regulators, it requires enhanced capabilities in data analytics, cybersecurity, and cross-border coordination. For firms, it demands a shift from compliance-driven thinking to resilience, transparency, and continuous engagement with supervisors.
Ultimately, the EU is constructing not just a regulatory framework, but a supervisory infrastructure, one designed to operate at the same speed, scale, and complexity as modern financial markets.
Those that adapt early will be better positioned to operate within increasingly data-intensive and supervisory-driven environments.
Author: Stefania Christofidou, Compliance Consultant at AMF Global Ltd
Disclaimer: This article is provided for informational purposes only and does not constitute legal advice. Readers are advised to consult with legal professionals for advice specific to their individual circumstances.

