01 Definition and scope
Regulatory monitoring is the ongoing, repeating practice by which a supervised financial institution watches the stream of regulatory developments and obligations relevant to its business. The process decomposes into four movements: detect, assess, route to the responsible function, and evidence. Unlike a one-off legal opinion, monitoring is continuous by definition — it does not end when a single requirement is implemented but runs as a standing function of the compliance, risk and legal organisation.
The scope covers both binding and not-yet-binding material: adopted regulations and directives, technical standards (RTS/ITS), guidelines, Q&As, opinions and supervisory letters, but also consultation papers and drafts that signal future obligations. What matters is the tie to the institution itself: monitoring filters the whole regulatory noise down to the signals that touch that firm's specific licence, sector and jurisdiction.
02 Regulatory monitoring vs horizon scanning vs regulatory change management
The three terms are often used interchangeably but denote different things. Regulatory monitoring is the umbrella practice of continuously watching the whole relevant rule universe — both binding obligations and new developments. Horizon scanning is the forward-looking subset of that: the deliberate detection of emerging, not-yet-binding signals — drafts, consultations, weak signals — before they become operational reality [1]. All horizon scanning is monitoring; not all monitoring is horizon scanning, because monitoring also keeps tracking requirements that are already in force.
Regulatory change management, by contrast, is the downstream implementation workflow: once monitoring has identified and routed a relevant item, change management takes over the gap analysis, the assignment of actions, the tracking to deadline and the sign-off. Monitoring is therefore the sensing at the start of the chain; change management is the execution at the end. And RegTech (regulatory technology) is not a practice at all but the software category used to automate both [2] — the toolkit, not the activity itself.
03 What a monitoring programme covers
A credible monitoring programme first defines its source universe. For an EU/EEA institution that typically spans EUR-Lex as the primary source of EU law, the three European Supervisory Authorities (EBA, EIOPA, ESMA) and the national competent authorities of the EEA — roughly 45 bodies across the three sectoral supervisory networks, from BaFin, AMF and CSSF to MFSA, IVASS and FMA. These sources emit very different output types: regulations and directives, RTS and ITS, guidelines, Q&As, opinions, supervisory letters and consultation papers.
The second building block is classification. Every inbound item is assessed against the institution itself — by regulatory impact, affected area and deadline criticality — and only the relevant signals are passed on. It is precisely this filtering and assessment work that separates a functioning monitoring practice from a mere RSS subscription: the EBA names “regulatory horizon screening” as a RegTech use case and documents “better monitoring and sampling capabilities, and reduced human errors” as a benefit [2].
04 The supervisory expectation
Regulatory monitoring is not a voluntary best practice but an implicit supervisory expectation. Its canonical basis is the Basel standard “Compliance and the compliance function in banks” (2005): the compliance function is to advise senior management on the applicable laws, rules and standards, “including keeping them informed on developments in the area” [3]. This duty to keep management informed of developments is the supervisory heart of monitoring — you cannot inform on what you do not monitor.
The EU supervisory authorities make this expectation concrete sector by sector. In its 2024 Supervisory Convergence Plan, EIOPA treats digital transformation, insurers' use of AI and DORA implementation as continuously monitored topics rather than periodic reviews [4]. The pressure is compounded by the volume of binding frameworks: DORA (Regulation (EU) 2022/2554) has been fully applicable since 17 January 2025 [5], and MiCA (Regulation (EU) 2023/1114) creates a harmonised framework for crypto-asset service providers [6] — both of which require institutions to keep tracking ongoing amendments to the technical standards.
05 The audit trail: evidence as the real test
In an inspection it is not the fact that an institution monitors that counts — it is that it can prove when it became aware of a requirement and how it responded. That makes the fourth step of the practice, evidence, the decisive one. A robust monitoring programme writes an immutable, timestamped audit trail continuously: which signal was detected when, how it was classified, to whom it was routed and with what outcome it was closed. Evidence reconstructed “on request” typically fails this test.
That closes the loop back to the supervisory expectation: the Basel standard requires management to be kept informed of developments [3]; the practical proof of that information is the audit trail. Evidence is therefore not a downstream documentation chore but the actual output of a monitoring programme — the point at which an operational function is distinguished from a merely aspirational one.
Sources
Every cited claim links to the primary source.
- [1] GOV.UK · Government Office for Science — Futures Toolkit (horizon scanning)
- [2] EBA · Analysis of RegTech in the EU financial sector (EBA/REP/2021/17, June 2021)
- [3] Basel Committee · Compliance and the compliance function in banks (2005), para. 35
- [4] EIOPA · Supervisory Convergence Plan 2024
- [5] Regulation (EU) 2022/2554 (DORA) — EUR-Lex
- [6] Regulation (EU) 2023/1114 (MiCA) — EUR-Lex