For whom

Group Compliance Officer

Track seven EU frameworks simultaneously without building a twelve-person team. Every regulatory finding classified, routed and audit-trail-ready on the day it is published — under four hours between source and sign-off.

Your reality

You are responsible for DORA, MiCA, AMLA, EU AI Act, CSRD, TFR and NIS2 simultaneously — and for their consistency. EBA, EIOPA, ESMA and 22 national supervisors produce volumes no manual tracking setup can absorb anymore. Your inbox overflows; on Friday you learn what should have been escalated on Monday; every inspection tests a detail that sat in a supervisory letter six months ago that nobody saw.

01 Your week as Group Compliance Officer

Monday, 8:30. Weekly meeting with the compliance heads of the subsidiaries. Over the weekend you have missed three EUR-Lex publications, two ESMA Q&As and four national supervisory letters — if they made it to your inbox at all. The weekly list you present to the executive board is based on what your teams sent you on Friday. Not on what the supervisors actually published.

Tuesday through Thursday. Three inspection preparations in parallel: BaFin DORA inspection at the group parent (Q3 2026), AMF MiCA authorisation dialogue for the French subsidiary, EIOPA themed review on AI applications in underwriting. Each topic demands a different knowledge base, a different set of deadlines, a different internal coordination effort.

Friday, 16:00. You write the weekly report to the executive board. The metric you cite is: "X findings this week, of which Y critical, Z escalated." What you cannot cite because you do not know: how many findings did the system actually produce this week — and how many did you miss?

02 What changes for your role in 2026

Three structural shifts hit you simultaneously in 2026.

First: DORA inspections leave setup mode. Eighteen months after the date of application, ESAs and NCAs no longer test whether a register exists, but whether it is complete — sub-outsourcing chain, consistency with incident reports, board-briefing trail [1]. That is the class of findings that lands in the one inspection you cannot predict.

Second: high-risk AI becomes binding on 2 August 2026. If you operate underwriting or pricing systems falling under Annex III item 5, the FRIA, the database entry, the GDPR Art. 22 consistency and the DORA third-party listing must be in place by then [2].

Third: MiCA grandfathering expires by 1 July 2026. If your group has a CASP subsidiary or a crypto-adjacent asset-manager subsidiary, the national transitional rules must be replaced by a full MiCA authorisation [3]. In Spain, Italy, Malta and Cyprus the deadlines have already lapsed.

Each of these three shifts is manageable on its own. Together — with AMLA, CSRD, TFR and NIS2 as background noise — they exceed the capacity of any manual tracking that relies on inbox sorting and spreadsheet discipline.

03 What your board actually wants to see from you

In its 2024 compliance-function study, McKinsey distilled two board expectations that will define the Group Compliance Officer role over the next decade: (a) quantifiable risk reduction, not activity reports — how many findings did the system produce, how many were classified correctly, how does the error rate compare against the peer benchmark? (b) scalability without headcount growth — the compliance function has reached an FTE peak; further scaling must come from technology [4].

Neither expectation can be met if the detection layer — the thing that surfaces findings in the first place — is manual. You cannot measure what you do not capture; you cannot scale without headcount if every new framework demands three FTE in compliance operations.

What changes

Six tasks Horizon Scanner takes off your desk

Concrete mechanics against the five friction points of your week. Each item is live in the tool — not on a roadmap.

  • 01

    Watch seven frameworks in parallel

    Horizon Scanner monitors all three ESAs (EBA, EIOPA, ESMA), 22 NCAs, EUR-Lex and the Commission consultation portals in parallel — DORA, MiCA, AMLA, EU AI Act, CSRD, TFR, NIS2 and 30+ other frameworks with no extra configuration. Each publication stream is polled hourly; every new release moves through classification within 30 minutes.

  • 02

    Classify findings — three dimensions, four-eyes review from score 3

    Each finding is scored on impact, reach and substantiveness (each 1 – 4). An overall score ≥ 3 automatically triggers four-eyes review — a second, deliberately different verification layer re-checks the classification before the finding leaves the triage queue.

  • 03

    Route to the right team — < 4 hours from publication to sign-off

    Pre-configured routing rules per framework, sector and function. DORA findings on the third-party register go to IT risk; SFDR PAI updates to sustainability reporting; AMLA classification changes to the MLRO. More than 90 % of all findings are correctly routed from day one — the rest enters a human-review queue.

  • 04

    Document audit-ready — 5-year audit trail

    Every action — classification, routing, re-classification, sign-off, escalation — is timestamped to an immutable audit log. Retention: 5 years. Export as CSV or JSON for inspectors. The inspector question "when did you know?" has an objective answer.

  • 05

    Auto-assemble board briefings

    Quarterly board briefings are auto-assembled from the audit log: every critical finding, every escalation, every cross-cutting trend. The briefing is a consistent deliverable, not a Monday-morning Excel cobbled together by hand.

  • 06

    Check cross-framework consistency

    DORA third-party register vs. AI Act database entry vs. GDPR record of processing — Horizon Scanner surfaces inconsistencies across the compliance registers of an AI pricing system in a single view. The most frequent 2026 inspection question is thereby answered pre-emptively.

The numbers your board sees

Translated from compliance language into board language.

  • < 4 hours

    Median time from supervisory publication to sign-off by the responsible team. The central efficiency KPI for the board.

  • ≥ 90 %

    Day-one default routing accuracy — the share of findings reaching the right team without manual correction. Benchmarked against 60 – 70 % in manual setups.

  • 5 years

    Audit-trail retention for every classification, routing and sign-off action — matches DORA, MiCA and AI Act documentation requirements with no separate configuration.

  • 0 FTE

    Additional compliance FTE per new EU framework. McKinsey's 2024 compliance study identified headcount-free scaling as board expectation No. 2.

Questions you will ask

  • How does Horizon Scanner integrate with our existing GRC tools?

    Via REST APIs and webhook subscriptions. Every finding can be pushed as an event into Archer, MetricStream, ServiceNow or a bespoke risk register. We hold the classification and audit-trail logic, the GRC tools hold the workflow logic — no duplicate tracking.

  • Who is responsible if a finding is misclassified?

    The supervised institution. Horizon Scanner is a tool, not an outsourced compliance function. However, the four-eyes logic (from score 3) and the cross-framework consistency checks materially reduce the error rate compared with manual classification. Inspections will find a technology-supported classification trail more consistent than a manual one.

  • What happens to historical findings during onboarding?

    On request we backfill the previous regulatory quarter into the audit trail so that an inspection can also cover the period before platform introduction. In the standard 30-day onboarding, capture is live from day one; historical data is extracted on request.

  • Who is liable if a finding is missed?

    We run the capture stream against 45 supervisory sources under a documented coverage SLA. A missing supervisory source is a service defect on our side. A classification or routing decision remains the institution's responsibility. The DPA contract sets out the liability allocation precisely.

Let's walk through the reality of your week.

Twenty minutes. Concrete use cases from your group.
