MAS has moved first by making AI governance examinable at board level. But the signal is wider. Under DORA, global OpRes regimes, outsourcing and critical third-party oversight, cloud portability and concentration expectations, cyber resilience frameworks, and tightening AI and data protection guidance, sovereignty is no longer just about data location. It now means lawful and continuous control over access, behaviour, and exit.
The panel will ask one hard question: in an AI- and cloud-driven firm, can you demonstrate that control under supervisory challenge, or will regulators conclude that you cannot?
In 2026, sovereignty ceases to be a compliance discussion and becomes a prudential judgement on whether your operating model deserves capital confidence.
- 2006 BaFin Digital Sovereignty and ICT service outsourcing risk statement here
- NIST Quantum Capabilities to NIST Cybersecurity Framework 2.0 here
- CFTC Withdrawal of Proposed OpRes rules here
- NIST Guidelines for API Protection for Cloud-Native Systems here
- BoJ use of cloud in FS survey results here UK Containerization guidance here, BIS managing cloud risk here
- EC Digital Operational Resilience 01/24 standards hearing here rules here ESA DORA technical advice here
- UK ICO Generative AI data protection and GenAI here and HMG framework here
- Netherlands AI masterplan here
- Singapore model AI governance framework for generative AI here
- FSI Insights on policy implementation No 53; Managing cloud risk
- US AI 012/24 fact sheet here strategic plan here and Whitehouse blueprint for AI bill of rights here
- EU Cyber resilience act here cybersecurity certification MRA here and background here
- APRA operational risk management – CPS 230 here PRA PS6/21 OpRes here
- HMT Critical third parties here PRA DP3/22 CTP here / PRA SS2/21 Outsourcing and TPRM here
- US Interagency Guidance on Third-Party Relationships: Risk Management here
- EU Artificial Intelligence Act leaked copies here and here original texts here and here
- UK National AI action plan here ICO guidance on AI and data here
- EU deforestation regulation here
- EU Corporate sustainability due diligence (CSDDD) here
- Premium – Sovereignty Shock: Control Determines Capital here
- Premium – The OpRes Crackdown Starts: AI Is the Only Defence here
- Premium – Cloud Control Begins: The EU Data Act’s First Step here
- Premium – Data access disrupted: the EU Data Act here
- Premium Newsletter – Proving control in the age of DORA here
- Premium Newsletter – Digitalizing the FS backbone here
- GFMA White Paper on Public Cloud Portability here
- Legal assessment of draft EU AI act text here
- Analysis: Decoding DORA standards: what it means here
- Analysis: Accountability for GenAI here
- Forbes: New Financial Services Regs Will Require Comprehensive Action By Boards here
- Research report ‘Managing Digital Infrastructure Risk: a collaborative path to financial services safety’ here
