Every regulator now says the same thing in different words: prove you are resilient, in control, and able to respond fast. In 2026, that goes from slideware to strict supervision.
This article breaks down the most important 2026 regulatory changes for finance and professional services in the US, UK, and DACH, and what they mean for your identity, access, and audit strategy.
Executive summary
The EU's Digital Operational Resilience Act (DORA) has applied to in-scope financial entities since January 17, 2025 [1: dorapp.eu], and 2026 is when supervisors start testing how real your controls are, not just whether you tick a program box.
From September 11, 2026, the EU Cyber Resilience Act (CRA) mandates vulnerability and incident reporting for products with digital elements [2: eshield.pl], while most EU AI Act obligations kick in August 2, 2026 [3: digital-strategy.ec.europa.eu], forcing direct changes in AI, software, and identity controls for financial services.
At the same time, New York's amended cybersecurity regulation (23 NYCRR Part 500) has all Second-Amendment requirements in force by November 1, 2025, with 2025 certification due April 15, 2026 [4: hoganlovells.com]; and Swiss and UK supervisors will require full adherence to new operational-resilience regimes starting in 2026 [5: deloitte.com].
Regulators now expect near real-time answers to: "Who has access to what, on which basis, and how fast can you change that?" Identity governance is now a frontline control, no longer an afterthought.
2026: from rule-writing to enforcement
Between 2020 and 2024, regulators wrote new rules. 2025 and 2026 are about real enforcement.
Key 2026 milestones for finance and professional services:
- DORA moves from preparation to hard supervision, with EU authorities beginning to supervise critical ICT third-party providers and integrating ICT resilience into core risk processes (SREP) [6: eba.europa.eu].
- CRA incident and vulnerability-reporting requirements for digital product vendors start September 11, 2026 [7: heuking.de].
- The EU AI Act's core obligations become enforceable August 2, 2026; more high-risk rules follow in 2027 [3: digital-strategy.ec.europa.eu].
- Germany's NIS2 Implementation Act (NIS2UmsuCG) and revised BSI Act take force December 6, 2025. Entities must register with BSI via a new portal by January 6, 2026, and complete registration soon after [8: gtlaw.com].
- Austria's NISG 2026 expands risk-management and incident-reporting from October 1, 2026, for about 4,000 medium-size entities across 18 sectors, including finance and professional services [9: austrian-standards.at].
- FINMA expects Swiss banks to fully comply with Circular 2023/1 on operational risks and resilience by January 1, 2026, including stronger ICT and cyber-risk management [5: deloitte.com].
The threat landscape more than justifies this push. Verizon's 2025 Data Breach Investigations Report links one in five breaches to stolen credentials; in web-app attack patterns, stolen logins account for 88% of incidents [10: helpnetsecurity.com]. IBM puts the average global cost of a breach at USD 4.88 million in 2024, the steepest year-on-year jump since the pandemic [11: ibm.com].
Regulators read the same headlines you do. Their answer? Continuous, evidence-backed control, not annual box-ticking.
EU & DACH: DORA, NIS2, CRA, AI Act - identity as operational resilience
DORA: identity and third-party access as prudential risk
DORA isn't just about better incident reporting. It builds ICT governance, third-party risk, and testing into the same prudential framework as capital and liquidity.
For finance and professional services in the EU and DACH, this means:
- One up-to-date inventory of all ICT services, including SaaS, OT/ICS, and long-tail tools, not just banking platforms.
- Consistent access policies across both internal systems and outsourced services.
- Proof you can detect, contain, and recover from identity-driven incidents (credential theft, privilege abuse) during resilience tests.
Manual joiner/mover/leaver checklists and spreadsheet reviews can't keep up. When supervisors ask how a "material business service" could be disrupted by access failure, you'll need more than a policy PDF.
NIS2 & NISG 2026: board-level accountability in Germany and Austria
The NIS2 Implementation Act and the revised BSI Act make identity and access control a board-level responsibility for thousands of German organizations.
- Over 30,000 companies in Germany fall under NIS2, including key finance/professional services [12: scheja-partners.de].
- Management must demonstrate controls, incident response, training, and supplier security, all rooted in clear access knowledge across systems.
- Early 2026: mandatory BSI registration and portal use for incident reporting by in-scope German firms.
Austria's NISG 2026 creates a national cyber-security authority. From October 1, 2026, covered entities must run documented risk-management and incident processes, and train management on their duties [9: austrian-standards.at].
For IT and compliance, that means: no orphaned accounts, no "HR forgot to deactivate them," no ungoverned admin access for suppliers.
CRA & EU AI Act: software, AI, and new species of identities
The CRA and AI Act build on DORA and NIS2: they define what real security and governance look like for software and AI.
- CRA Article 14 demands that vendors of digital products detect and report actively exploited vulnerabilities and serious security incidents fast, starting September 11, 2026.
- ENISA's Single Reporting Platform is expected to provide near real-time incident visibility by the same date.
For finance building products or platforms, the overlaps with identity are clear:
- You must prove control over which identities (human, contractor, bot, CI/CD) can deploy or change code.
- You must trace which component version was exposed to which users when an incident hits.
The EU AI Act adds more. High-risk finance uses, such as credit scoring, fraud engines, and automated risk analysis, draw new data governance, transparency, and logging requirements beginning August 2026.
Your AI agents and models now become "first-class identities." They require lifecycle management, access controls, and immutable audit trails; no more black boxes.
UK: operational resilience, critical third parties, and the Cyber Security & Resilience Bill
The UK takes its own approach to resilience; it is not a DORA clone.
- Existing PRA/FCA operational-resilience and outsourcing rules, plus new guidance (November 2024) on supervising third-party providers for important services. Firms must manage concentration risk, test severe disruption scenarios, and maintain governance over third-party access and data flows [13: fca.org.uk].
- The forthcoming Cyber Security and Resilience Bill (late 2025) marks the biggest update to UK cyber law in a decade, modernizing NIS and setting new duties for essential and digital service providers [14: en.wikipedia.org].
UK boards must now show how identity, access, and third-party management practices directly support customer outcomes and financial stability. Tech alone won't save you.
US: disclosure-heavy regulation meets state-level cyber rules
US regulators focus on disclosure and accountability over prescriptive technical mandates, but your control stack needs to land in the same place.
- The SEC's 2023 rules: public companies must disclose material cyber incidents within four business days, and explain cyber-risk management, strategy, and governance in annual reports [15: sec.gov]. By 2026, boards, CISOs, and audit committees need those answers ready before an incident, not during one.
- NYDFS Part 500 Second Amendment: phased in by November 1, 2025, tightening requirements around MFA, asset management, and governance. Annual certification for 2025 is due April 15, 2026. NYDFS is moving from education to enforcement [4: hoganlovells.com].
US regulators are converging with EU/UK peers on one point: if you can't prove how access is granted, reviewed, and revoked, you can't prove "reasonable" cyber-risk management.
What this means in practice: four identity expectations in 2026
Across these regimes, four expectations repeat:
1. Continuous, not periodic, governance
Annual access reviews don't match 24/7 attacks. Regulators now expect you to:
- Detect suspicious access or privilege changes fast.
- Trigger just-in-time reviews on risk change (role changes, contractor renewals, new AI agents).
- Produce fresh, explainable evidence on demand, rather than scrambling before an audit.
2. Complete coverage, not just the SCIM-friendly 20%
Most organizations run a messy mix of SSO apps, long-tail SaaS, on-prem/OT, and external portals. DORA, NIS2, and NYDFS don't let you ignore the hard-to-integrate 80%.
This means:
- Onboarding/offboarding must be zero-touch for all apps, even those without SCIM or APIs.
- Contractors, offshore teams, bots, and AI agents must live in the same lifecycle as employees.
3. Fine-grained control and SoD, beyond group assignments
Auditors want answers on segregation of duties (SoD) and high-risk access. "They're in the Finance group" isn't enough.
You need:
- Entitlement-level awareness (e.g., who can approve wire transfers over the threshold, who can access specific deal rooms).
- Workflows that block or flag SoD conflicts before granting access.
4. Immutable, explainable audit evidence
Top regimes (DORA, NIS2, CRA, AI Act, NYDFS, SEC) demand one thing: proof of who approved what, under which policy, at what time, backed by logs that can't be tampered with.
Manual spreadsheets and scattered logs don't scale to this standard.
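As an added illustration of expectations 3 and 4 (example code written for this article, not code from the original post or from Iden), the following Python sketch checks an entitlement request against entitlement-level SoD rules before granting, and records every decision in an append-only, hash-chained log whose verification fails if any earlier record is edited, removed, or reordered. Rule ids, entitlement names, subjects, and approvers are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone
# Constructed SoD rules keyed by conflicting entitlement pairs (placeholder policy ids).
SOD_RULES = {
    ("wire.initiate", "wire.approve"): "SOD-FIN-01: wire initiator may not approve wires",
    ("vendor.create", "payment.release"): "SOD-FIN-02: vendor creator may not release payments",
}
GENESIS = "0" * 64

def sod_conflicts(current, requested, rules=SOD_RULES):
    """Return the SoD rules that adding `requested` to the `current` entitlements would violate."""
    return [rule for (a, b), rule in rules.items()
            if (requested == a and b in current) or (requested == b and a in current)]

def digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditChain:
    """Append-only decision log; each record commits to the previous record's hash."""
    def __init__(self):
        self.records = []

    def append(self, subject, entitlement, decision, policy, approver, ts=None):
        body = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "subject": subject, "entitlement": entitlement, "decision": decision,
            "policy": policy, "approver": approver,
            "prev": self.records[-1]["hash"] if self.records else GENESIS,
        }
        body["hash"] = digest(body)
        self.records.append(body)
        return body["hash"]

    def verify(self):
        """False if any record was edited, removed, or reordered after being written."""
        prev = GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev"] != prev or digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

def request_access(chain, subject, current, requested, approver):
    """Evaluate SoD before granting, then log the decision with the policy that drove it."""
    conflicts = sod_conflicts(current, requested)
    decision = "denied" if conflicts else "granted"
    policy = "; ".join(conflicts) if conflicts else "ACCESS-STD: role-based grant"
    chain.append(subject, requested, decision, policy, approver)
    return decision, conflicts
```

In production the chain head hash would be anchored somewhere the log writer cannot modify (a separate system or a periodically signed checkpoint), since a hash chain alone only proves consistency, not who wrote it.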
Where right-sized identity governance fits (and how Iden approaches 2026)
Running SSO (Okta, Entra) and a SIEM is not enough. In 2026, that gap becomes dangerous.
Modern identity governance should:
- Automate lifecycle decisions across your full stack. Not just SCIM apps, but also Notion, Slack, Figma, GitHub, DocuSign, NetSuite, external portals, and legacy/OT.
- Run policy-driven, agentic workflows. AI-driven, autonomous workflows that route and execute provisioning, deprovisioning, access reviews, and evidence collection in real time, instead of rubber-stamp approvals.
- Deliver fine-grained, explainable control. Channel-, repo-, project-, and entitlement-level access, tied to business roles and SoD rules.
- Maintain immutable audit logs. Bank-grade logs enable instant, defensible answers to auditors' "who had access to what, when, and why?", with no weeks wasted in Excel.
Iden fills this gap for modern, SaaS-heavy finance and professional-services teams. Iden connects to any app (SCIM, API, or neither), including long-tail SaaS and legacy/OT, automating the full identity lifecycle (onboarding, changes, offboarding, and access reviews) with policy-driven, intelligent workflows.
Universal coverage and granular control, without forcing enterprise upgrades ("no SCIM tax"), let lean teams achieve continuous governance at regulatory speed, without swelling the IAM department.
Real outcomes: Iden users see about 80% fewer access tickets, 120+ hours/quarter saved on access reviews, and up to 30% SaaS spend reduction through license reclamation and SCIM tax avoidance. For lean IT teams prepping for SOC 2, ISO 27001, DORA, or NIS2, that's the difference between surviving audit season and drowning in it.
Snapshot: 2026 regulations and what they expect from identity
| Regulation / regime | Region / scope | 2026 milestone | Identity & access implications |
|---|---|---|---|
| DORA | EU financial entities | First full year of application and ICT-third-party oversight | Consistent access controls and incident response across internal and outsourced ICT; identity data feeds resilience testing. [1: dorapp.eu] |
| NIS2 / NIS2UmsuCG | Germany | BSI registration, board-level cyber duties in early 2026 | Management personally accountable for risk-based access control, supplier access, incident reporting. [8: gtlaw.com] |
| NISG 2026 | Austria | Obligations live October 1, 2026 | Requires robust identity, access, and incident processes across covered services. [9: austrian-standards.at] |
| CRA | EU (digital products) | Vulnerability/incident reporting from Sept 11, 2026 | Traceable, role-based access to development/build/deploy; fast revocation for compromised identities. [7: heuking.de] |
| EU AI Act | EU (incl. finance) | Main obligations apply Aug 2, 2026 | High-risk AI gets logged, explainable decisions; AI agents treated as governed identities. [3: digital-strategy.ec.europa.eu] |
| Cyber Security & Resilience Bill + OpRes rules | UK | 2026: Bill progresses, CTP oversight, PRA/FCA updates | Boards must show identity, access, third-party controls underpin resilience/consumer outcomes. [14: en.wikipedia.org] |
| SEC cyber-disclosure rules | US public companies | 2026: mature expectations | Formalized governance, evidence that identity controls are active and board-overseen. [15: sec.gov] |
| NYDFS Part 500 (Second Amendment) | NY-regulated financial services | All requirements live Nov 1, 2025; certification Apr 15, 2026 | Tighter MFA, inventory, governance; manual offboarding/orphaned accounts hard to justify. [4: hoganlovells.com] |
| FINMA Circular 2023/1 | Swiss banks | Compliance expected Jan 1, 2026 | Operational risk and resilience now include cyber; identity is part of core risk. [5: deloitte.com] |
Frequently Asked Questions
How do I prioritize 2026 regulatory changes if we're mid-market, not a global bank?
Start with the regimes clearly covering you:
- EU/DACH: DORA + NIS2/NISG 2026 + CRA/AI Act if you build or rely on software and AI.
- UK: PRA/FCA operational-resilience and outsourcing, plus the Cyber Security & Resilience Bill.
- US: SEC cyber-disclosure (if public) and NYDFS Part 500 if regulated in New York.
Map requirements to four control areas: full app/identity inventory, lifecycle automation, granular access/policy, auditable logs. If a control doesn't serve those, challenge its purpose.
How do DORA and NIS2 overlap for finance and professional services in DACH?
DORA is sector-specific, focusing on financial entities and their ICT providers. NIS2 is broad, covering all essential/important entities, including part of finance and professional services.
They overlap on:
- Board-level accountability for cyber and operational resilience.
- ICT/third-party risk management.
- Timely incident reporting.
Build one integrated identity and access approach that answers both sets of questions. Don't run split stacks.
Does the EU AI Act matter if we only use third-party AI tools (e.g., LLMs) and don't build our own models?
Yes, if AI is embedded in regulated processes (credit scoring, fraud checks, suitability). Even if the model is third-party, you may fall under "high-risk." You'll need:
- Inventory of AI systems and uses.
- Control over data access.
- Audit logs of prompts, outputs, and key decisions.
Treat AI agents like privileged identities: govern access, monitor behavior, and be ready to cut access fast.
What kind of access-review evidence are auditors expecting in 2026?
Across SOC 2, ISO 27001, DORA, NIS2, NYDFS, evidence means:
- Clear scope: which systems, populations, entitlements reviewed.
- Record of who attested to what, when, and results.
- Follow-up proof, e.g., deprovisioned or right-sized access.
If you're still in spreadsheets/email, you'll struggle to prove reviews weren't just "rubber-stamp." Automated, policy-driven reviews with immutable logs are the new baseline.
Where does an identity-governance platform like Iden sit next to SSO and SIEM?
In short:
- SSO (Okta, Entra): Authenticates and brokers logins.
- SIEM/XDR: Monitors runtime threats.
- Identity governance: Decides who should have access, keeps that aligned with policy, and proves it to auditors.
Iden plugs into SSO and HRIS, then automates provisioning/deprovisioning, reviews, and audit across every app (including those SSO can't reach), meeting 2026's compliance bar without extra headcount or SCIM tax.