The operational resilience requirements imposed on regulated financial institutions over the past five years have, on superficial reading, multiplied. The Digital Operational Resilience Act in Europe, the OCC's Heightened Standards in the United States, and the Bank of England's Supervisory Statement SS2/21 each impose their own catalogue of expectations. Most institutions have read them as three separate regimes and constructed three separate response programs.

On closer reading, the regimes are not three. They are one, expressed in three regional dialects. The shared operating definition of resilience, the underlying evidence the regulators require, and the institutional capability the regimes test are, in substantial overlap, the same.

The convergence

Each of the three regimes requires the institution to do the same five things. It must identify the business services on which its operation depends. It must map the underlying resources (people, processes, technology, third parties, data) on which those services depend. It must set tolerances for disruption. It must test, through severe-but-plausible scenarios, whether its actual posture meets those tolerances. And it must report, to the regulator and to internal governance, on the gaps the testing reveals.

The terminology differs. DORA speaks of critical or important functions. The OCC speaks of critical operations. The Bank of England speaks of important business services. The substantive question is the same. The methodologies the regulators apply when they inspect against the regimes are, in our reading, more similar than the regulations themselves suggest.

Where the regimes meaningfully differ

The differences are real, but smaller than the institutional response has assumed. They cluster in three areas.

Incident reporting

DORA imposes the most prescriptive incident-reporting timelines of the three. Major incidents must be reported on a staged cadence, with initial notification within hours and intermediate updates within days. The OCC regime is less prescriptive on timing but more substantive on the content of the report. SS2/21 sits in between. An institution that builds its incident-reporting capability to the DORA cadence will, in nearly all cases, satisfy the other two.

Third-party scope

DORA introduces the concept of critical ICT third-party providers, which become subject to a direct supervisory regime independent of the institutions they serve. The OCC and Bank of England regimes hold the institution accountable for its third parties but do not extend supervisory authority to the third parties directly. The institutional implication is that DORA requires the institution to identify which of its vendors will be classified as critical, and to operate on the assumption that those vendors will themselves be examined.

Concentration risk

All three regimes address vendor concentration. DORA does so most explicitly, requiring institutions to assess and manage concentration in ICT third-party services. The OCC has signaled increasing supervisory focus on concentration through guidance rather than rule. The Bank of England addresses the issue through the supervisory dialogue. An institution that has constructed a robust concentration analysis under DORA will be substantially ahead of the OCC and Bank of England expectations as those regimes evolve.

A unified evidence model

The institutional opportunity is to design the resilience program once, against the union of the three regimes, rather than three times against each individually. The unified evidence model rests on five components.

A business service taxonomy that identifies the institution's important services, classified consistently with the most demanding of the three regimes (DORA) and harmonized with the terminology used by each.

A resource map that links each business service to the people, processes, technology, third parties, and data on which it depends, with the granularity required to compute blast radius and identify single points of failure.

A tolerance register that sets, for each important service, the maximum tolerable period of disruption, and that has been approved by the appropriate institutional governance forum in a form that the regulator will accept.

A scenario library that defines the severe-but-plausible scenarios against which the institution will test, including the cross-jurisdictional scenarios that all three regimes increasingly emphasize (third-party concentration failure, regional cloud outage, sustained cyber incident).

An incident reporting capability built to the DORA timing and content standard, which by construction satisfies the other two.

The institution that builds the resilience capability once, to the union of the three regimes, operates on a single program. The institution that builds it three times operates on three programs that disagree.
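The resource map, tolerance register and scenario library above are the inputs to a computation the text names but does not show: blast radius, concentration points and tolerance breaches. The following Python sketch is an added illustration, not code from the original article or from any institution's program; the resource names, dependency edges, tolerance figures and outage durations are all constructed for the example.

```python
from collections import defaultdict

# Constructed resource map (example data): every node is a resource and lists the
# resources it directly depends on. Business services are nodes of kind "service".
RESOURCE_MAP = {
    "svc:payments":          {"kind": "service",     "depends_on": ["tech:core-banking", "tp:cloud-eu-west", "data:ledger"]},
    "svc:custody":           {"kind": "service",     "depends_on": ["tech:custody-app", "tp:cloud-eu-west"]},
    "svc:retail-lending":    {"kind": "service",     "depends_on": ["tech:loan-origination", "tp:credit-bureau"]},
    "tech:core-banking":     {"kind": "technology",  "depends_on": ["tp:cloud-eu-west", "data:ledger"]},
    "tech:custody-app":      {"kind": "technology",  "depends_on": ["tp:cloud-eu-west"]},
    "tech:loan-origination": {"kind": "technology",  "depends_on": ["tp:cloud-us-east"]},
    "tp:cloud-eu-west":      {"kind": "third_party", "depends_on": []},
    "tp:cloud-us-east":      {"kind": "third_party", "depends_on": []},
    "tp:credit-bureau":      {"kind": "third_party", "depends_on": []},
    "data:ledger":           {"kind": "data",        "depends_on": []},
}

# Constructed tolerance register: maximum tolerable period of disruption per service, in hours.
TOLERANCE_HOURS = {"svc:payments": 4, "svc:custody": 24, "svc:retail-lending": 48}


def dependents_index(resource_map):
    """Invert the map: resource -> set of resources that directly depend on it."""
    index = defaultdict(set)
    for name, entry in resource_map.items():
        for dep in entry["depends_on"]:
            index[dep].add(name)
    return index


def blast_radius(resource, resource_map):
    """Business services disrupted, directly or transitively, if `resource` fails."""
    index = dependents_index(resource_map)
    seen, stack = set(), [resource]
    while stack:                      # walk the inverted graph upward to the services
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(index.get(node, ()))
    return {n for n in seen if resource_map[n]["kind"] == "service"}


def concentration_points(resource_map, kind="third_party", min_services=2):
    """Resources of `kind` whose single failure disrupts at least `min_services` services."""
    radii = {r: blast_radius(r, resource_map) for r, e in resource_map.items() if e["kind"] == kind}
    return {r: svcs for r, svcs in radii.items() if len(svcs) >= min_services}


def tolerance_breaches(scenario, resource_map, tolerances):
    """scenario maps failed resource -> expected outage hours; returns {service: outage} where tolerance is exceeded."""
    breaches = {}
    for resource, outage in scenario.items():
        for svc in blast_radius(resource, resource_map):
            if outage > tolerances[svc]:
                breaches[svc] = max(breaches.get(svc, 0), outage)
    return breaches
```

Running the regional cloud outage scenario (`{"tp:cloud-eu-west": 12}`) against this map flags the EU cloud provider as a concentration point serving two services and reports a breach only for payments, whose four-hour tolerance the twelve-hour outage exceeds.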

The operating implications

The most consequential operating implication of the unified model is that the resilience function becomes a single function rather than a portfolio of regional compliance projects. The team that runs the scenario testing for DORA is the team that runs the scenario testing for SS2/21. The third-party concentration analysis produced for DORA is the third-party concentration analysis presented to the OCC. The same artifacts are reused, with regional addenda where the regimes diverge.

The cost saving is material but not the principal benefit. The principal benefit is the coherence of the institutional position. An institution that runs three programs cannot reliably represent a single operational posture. An institution that runs one program can.

The institutional opportunity

The window for designing the unified program is presently open. DORA enforcement began in 2025; OCC supervisory practice has been steadily tightening; the Bank of England regime entered full effect in 2025. Institutions that took the position early, and built unified programs in 2024 and 2025, have spent 2026 operating from a settled posture. Institutions that took the regimes serially are presently in their second or third response project, with the third still to come.

The arbitrage on this is narrowing. By 2027 the unified approach will be the obvious approach, and the institutional reward for adopting it now will have substantially diminished. The cost of operating three programs, however, will continue to compound. The next twelve months are the period in which the choice meaningfully reduces the institutional cost of resilience compliance over the following five years.