01 What is horizon scanning?
Horizon scanning is the systematic collection of insights on emerging trends, weak signals and pre-binding regulation, with the goal of identifying potential threats and opportunities before they become operational realities [1]. In the public-policy and strategic-foresight literature it is one component of a broader foresight toolkit — alongside scenario analysis, Delphi studies and backcasting [2]. In financial services the scope is narrower: regulatory texts, consultation drafts, supervisory speeches and enforcement trends from the bodies that supervise the institution.
The UK Cabinet Office Futures Toolkit summarises the practice as three movements — anticipate, scan peers, and read the surrounding signals next to the texts themselves [1].
02 From strategic foresight to regulatory practice
The intellectual lineage runs through strategic foresight. The OECD operates one of the longest-running foresight programmes in the multilateral system; its 2025 Regulatory Policy Outlook puts horizon scanning and strategic foresight at the centre of forward-looking, adapt-and-learn regulation [4]. The European Commission published a parallel signal in its 2025 Strategic Foresight Report "Resilience 2.0", which positions foresight as the basis on which the EU adapts to systemic shocks — climate, security, demography, digital transformation [3].
What had historically been a public-sector competence has now reached supervised institutions: the EU supervisory authorities themselves expect their counterparties to scan, classify and act before the rules turn binding.
03 Why financial services adopted it
Three forces converged. First, regulatory volume: the European Banking Authority documented in 2021 that the sheer cadence of regulatory output — RTS, ITS, Q&A, opinions, peer-review reports — had outgrown the manual-monitoring capacity of most banks, and that "regulatory horizon screening" was the use case where RegTech produced the most measurable benefits [5]. Second, supervisory expectation: EIOPA's 2024 Supervisory Convergence Plan makes clear that insurers are expected to track DORA implementation, AI-use developments and Solvency II review items proactively, not retroactively [6]. Third, internal economics: McKinsey notes that the compliance function has spent a decade growing FTEs and that this growth has now peaked — future leverage comes from technology, not headcount [8].
04 The four identifiable benefits
When the EBA, EIOPA, OECD and McKinsey literature is read in parallel, four benefits recur with notable consistency.
Efficiency rather than headcount. McKinsey's compliance-function research dates the FTE growth peak and concludes that further productivity must come from automation of horizon scanning, classification, routing and audit-trail capture [8]. The EBA report frames the same outcome from the technology side: RegTech "increases efficiency, quells the impact of ongoing regulatory change and improves effectiveness" [5].
Early warning rather than reaction. The EBA explicitly lists "regulatory horizon screening" as a RegTech use case with documented "enhanced risk management, better monitoring and sampling capabilities, and reduced human errors" [5]. The benefit is structural: signals that are classified before they become enforcement events do not require crisis-grade remediation.
Auditability by default. BaFin's 2024 / 2025 supervisory expectations for insurance institutions explicitly require "effective risk management, appropriate governance and modern IT" — and the practical test in an inspection is whether the institution can evidence when it became aware of a given requirement [7]. An immutable, timestamped audit log is now the bar.
Speed against the inspection clock. The OECD’s 2025 outlook puts horizon scanning and strategic foresight at the core of agile, learning regulatory governance — real-time monitoring, not a quarterly cadence [4]. EIOPA's own convergence plan operates on a continuous review cycle [6].
05 The stakes — 2025 / 2026
The penalty frames have shifted materially in 2025. Four concrete figures are useful as anchors.
DORA (Regulation (EU) 2022/2554) has been fully applicable since 17 January 2025. It leaves administrative penalties for financial entities to the Member States (Art. 50 — effective, proportionate and dissuasive, with no harmonised EU ceiling); the only EU-level turnover-based sanction is the periodic penalty payment on designated critical ICT third-party providers of up to 1 % of average daily worldwide turnover, levied daily for up to six months (Art. 35) [12]. The real lever is evidence, not an EU-wide fine ceiling.
The EU AI Act sets fines at up to EUR 35 million or 7 % of total worldwide annual turnover for prohibited practices, and up to EUR 15 million or 3 % for high-risk breaches — and the high-risk obligations enter into force on 2 August 2026. Credit-scoring, life-insurance and health-insurance pricing models fall directly into the high-risk category [10].
MiCA (Regulation (EU) 2023/1114) ends its transitional period on 1 July 2026; CASPs operating in the EU without a licence after that date will be in breach of EU law and required to cease activity [11].
On the AML side the centre of enforcement weight is shifting regionally. Fenergo's 2025 Global Penalties Report records an 18 % global decline in penalties (USD 3.8 billion) while EMEA total penalties (AML, KYC, sanctions, CDD) rose 767 % year-on-year [9]. Individual cases stay large: in September 2025 UBS settled a long-running French case over unlawful client solicitation and aggravated money laundering for EUR 835 million (~USD 985 million) — a criminal resolution, not a prudential AML-programme fine [9]. The US counterpart: the TD Bank resolution of USD 3.09 billion (October 2024) remains the largest penalty ever imposed under the US Bank Secrecy Act [13].
06 How regulators themselves practise it
A useful signal of the discipline's seriousness: the EU supervisory authorities visibly run their own horizon scans. The European Commission's 2025 Strategic Foresight Report "Resilience 2.0" is published as an institutional product, with its own annual cadence and a chapter in the Commission Work Programme [3]. The OECD operates a permanent Strategic Foresight Programme and publishes its Regulatory Policy Outlook on a multi-year cycle [4]. EIOPA bakes the practice into its Supervisory Convergence Plan, treating digital transformation, AI use and Solvency II evolution as continuously monitored topics rather than periodic reviews [6].
07 What good practice looks like
The methodological standard outside finance is well documented. The UK Cabinet Office Futures Toolkit prescribes a structured PESTLE classification — Political, Economic, Social, Technological, Legal/Regulatory, Environmental — combined with a Likelihood/Impact matrix; it recommends a scanning group of at least ten diverse scanners and explicit source diversity [1]. Inside financial services the same logic is typically applied to a regulatory taxonomy: framework × jurisdiction × risk dimension.
Two KPI patterns appear consistently in industry practice (less academically established, flagged as observation rather than evidence): time-to-implementation for a regulatory update, and the percentage of inbound regulatory items that route correctly on first pass. Both are auditable; both directly indicate whether the scanning function is operational rather than aspirational.
08 Common pitfalls
Three patterns recur where horizon-scanning programmes underperform — observed in vendor and consultancy practice, qualitative and not peer-reviewed.
First, broad-but-shallow source coverage: monitoring 200 sources at low resolution typically produces less actionable output than monitoring 40 sources at high resolution. Second, classification by team rather than by content: when DORA findings land in the inbox of the legal team rather than IT-security, time-to-action grows substantially. Third, audit trails that are "available on request" rather than continuously written: this fails the supervisory test of when the institution became aware of a given requirement.
09 A closing note — how Horizon Scanner fits
Horizon Scanner monitors 45 EU / EEA supervisory authorities — from EUR-Lex and the three ESAs to BaFin, AMF, CSSF, MFSA, IVASS, FMA and others — applies a three-dimensional 1–4 classification to every finding (regulatory impact, resource intensity, deadline criticality), routes high-impact items to the responsible team by default, and writes an immutable five-year audit trail by default. It is built specifically for the four benefits documented above — efficiency, early warning, auditability, and speed against the inspection clock.
Sources
- [1] GOV.UK · Cabinet Office Futures Toolkit
- [2] OECD · Strategic Foresight Programme
- [3] European Commission · 2025 Strategic Foresight Report "Resilience 2.0"
- [4] OECD · Regulatory Policy Outlook 2025 — Regulating for the Future
- [5] EBA · Analysis of RegTech in the EU Financial Sector (EBA/REP/2021/17)
- [6] EIOPA · Supervisory Convergence Plan 2024
- [7] BaFin · Insurance Supervision Annual Conference 2024 / 2025
- [8] McKinsey · The Compliance Function at an Inflection Point (Jan. 2019)
- [9] Fenergo · Global Financial Regulatory Penalties 2025
- [10] Holland & Knight · EU AI Act August 2026 Compliance Deadline Brief
- [11] Norton Rose Fulbright · ESMA Clarifies Supervisory Expectations on MiCA Transitional Period
- [12] Regulation (EU) 2022/2554 (DORA), Art. 35 + 50 — penalties (EUR-Lex)
- [13] ComplyAdvantage · Biggest AML Fines 2024