Three Deadlines, One Team: Turning the 2026 Regulatory Stack Into Adoption Decisions
- May 27
- 6 min read

The week of 5 May 2026 was a useful reminder of how the regulatory calendar has reorganised the year inside European financial institutions. The ECON Committee of the European Parliament cleared the trilogue text of PSD3 and the Payment Services Regulation. COREPER had endorsed the same texts a fortnight earlier. Publication in the Official Journal is now expected between June and September. Meanwhile the August 2026 high-risk deadline of the AI Act has stopped being a slide in a deck and started being a date on a Gantt chart. And the ECB has confirmed that the 2026 SREP cycle will, for the first time, fold digital operational resilience directly into Pillar 2 capital scoring under DORA.
Three deadlines. One team. That is the part the headlines tend to miss.
If you sit in the innovation office, in transformation, in the CIO's office, or in any function that owns a roadmap rather than a single regulatory file, you already know what is happening. The same handful of people inside the bank are being asked to interpret PSR/PSD3, prove DORA resilience, classify AI systems against the AI Act, and somehow keep a forward-looking innovation agenda alive while doing it. Regulatory readiness, in this context, is no longer a compliance question. It is a buying question, a partnering question and a sequencing question. And it is the question that quietly determines whether the rest of the 2026 roadmap survives.
The problem with treating each regulation as its own track
The first instinct, in most institutions, is to assign each regulation to a workstream and let the workstreams operate in parallel. DORA goes to operational risk. PSR/PSD3 goes to payments. The AI Act goes to model risk or to a newly stood-up AI governance committee. MiCA goes to digital assets. FIDA, when it lands, will go to open finance. Each track gets a programme manager, a steering committee and a budget line.
In theory this is clean. In practice it has three problems that anyone who has run a horizon scan in the last six months will recognise.
The first is that the regulations are not independent. DORA's ICT third-party register cycle, with its 31 December 2025 reference date and Article 30 contract requirements, sits directly on top of the procurement pipeline that any AI Act high-risk classification will pull from. PSD3 explicitly demands DORA alignment from re-authorised payment institutions. The AI Act will, in practice, be supervised inside banks by the EBA and ESMA, the same bodies that own the resilience file. Anyone treating these as separate domains is paying for the same work twice and discovering the dependencies late.
The second is that the regulations create buying triggers, not just policy work. The 19 designated Critical ICT Third-Party Providers published by the European Supervisory Authorities in November 2025, the verification-of-payee obligation that PSR is preparing to extend to every wire transfer, the conformity-assessment and human-oversight obligations the AI Act will impose on credit scoring and fraud models, all of these translate into procurement decisions. Vendors get added. Vendors get removed. Contracts get rewritten. The institutions that have already done the work of mapping innovators against the obligation set are quietly moving while the rest are still inventorying.
The third is that the workstream model is invisible to the rest of the business. The head of payments knows what is happening on PSR. The head of model risk knows what is happening on the AI Act. The head of innovation knows neither in any operational detail, because both files are running on compliance calendars rather than adoption calendars. The result is a familiar pattern: a regulator-driven procurement decision gets made in Q3 that closes off an innovation choice the strategy team had been preparing since Q1.
The common approaches, and where they break
There are roughly three patterns financial institutions are using to handle this.
The first is the big-consultancy programme. A tier-one firm comes in, maps obligations, builds a heatmap and delivers a roadmap with workstreams. The output is competent and the slides are excellent. The weakness is that the roadmap is built on the consultancy's view of the market, which is itself shaped by the vendors they are partnered with. Innovation scouting becomes a derivative of someone else's deal flow.
The second is the in-house tiger team. Pull people from risk, compliance, payments, AI governance and innovation. Lock them in a room. Have them produce a quarterly view. This works while the team holds together. It struggles when the underlying market moves faster than the team can update its picture, which in 2026 is most of the time. It also tends to produce excellent internal documents that no one outside the room ever reads.
The third is the vendor-led approach. Let the major ICT providers, payment schemes and AI platform vendors describe how their roadmap will solve the regulatory problem. This is fast, cheap and produces a deck. It is also the route that quietly hands the strategic agenda to whichever vendor showed up first and stayed loudest.
None of these are wrong. They each address part of the problem. What they share is a missing layer: a way to stay current on what other comparable institutions are actually doing, what the credible innovators in each obligation area look like, and where the buying triggers are landing in peer markets. That layer is harder to buy than a heatmap. It is also where most of the difference between a fast institution and a slow one is now being made.
A more honest model of regulatory readiness
The institutions that are handling the 2026 stack with the least drama tend to share three habits.
They treat regulation as a buying signal rather than only as a compliance load. When the ECB publishes a finding pattern, when ESMA designates a CTPP, when the European Parliament locks a PSR text, these are not just compliance events. They are procurement events. Each one quietly reshapes the vendor landscape. The institutions that get the early read are the ones that have built routine exposure to the right innovators ahead of the deadline, not the ones that issue an RFP after it.
They benchmark against peers in adjacent markets, not only the home market. The shape of the DACH response to DORA is not the same as the Nordic one. The Irish read on PSR is not the French one. National competent authorities will not converge on enforcement on day one. The institutions that look horizontally, that talk to peers in markets where the same regulation has hit slightly earlier or slightly later, get the cheapest education in the system.
And they protect a small amount of senior time for forward-looking exposure, even under delivery pressure. Not events, not conferences, not the panel circuit. Small-format peer conversations and curated discovery sessions where the conversation is genuinely about what is moving and why. This is the habit that is hardest to defend internally and most valuable in practice.
This is where the work The Connector does sits naturally rather than as a pitch. The Discovery Innovation Meeting format exists to give a senior team thirty minutes with a relevant innovator, framed against a real obligation or roadmap question, without the full vendor-day overhead. The Peer Forum is built around the second habit: cross-market peer conversations where the comparison is real and the room is small. The Roundtables sit at the intersection of a specific regulation and the buying triggers it creates. And Finance X Magazine continues to be the editorial layer that keeps the picture current between those moments, for the times when a senior leader has fifteen minutes between meetings rather than a half-day offsite.
None of these formats are a substitute for the compliance work. They are designed to sit alongside it, so that the compliance work does not silently kill the innovation agenda.
Why this matters right now
The window in which 2026 can still be shaped is narrow. The DORA SREP cycle has begun. The AI Act high-risk deadline is twelve weeks away as of this writing. PSR is on track for publication this quarter or next. The 2027 budgeting cycle inside most institutions will begin before any of those three files is fully closed.
The decisions that will define the 2027 vendor landscape are being made now, by the institutions that have understood that regulatory readiness and adoption strategy are the same conversation. The institutions that are still treating them as separate files are accumulating two kinds of debt at once: compliance debt, because the obligations stack up, and innovation debt, because every parallel programme silently uses budget and attention that the forward-looking agenda would have used.
The honest position is that no single function inside the bank owns this. Compliance owns the file. Procurement owns the contract. Risk owns the residual exposure. Innovation owns the roadmap. Without a deliberate habit of cross-cutting exposure, the institution defaults to whichever function shouted loudest in the last steering committee. That is rarely the function with the best read on the market.
The closing thought
Regulatory readiness in 2026 is not a question of whether the policies are in the right folder. It is a question of whether the institution can hold three things in view at once: the obligation, the buying trigger and the peer picture. The teams that can do this will treat the 2026 stack as a focusing device. The teams that cannot will treat it as a tax.
If your innovation, transformation or strategy function is heading into the next quarter without a clear view of how DORA, PSR/PSD3 and the AI Act are reshaping the vendor landscape you will actually be buying from in 2027, that is the conversation worth scheduling before August. Not the policy review. The peer view.



