DORA · ICT Risk
DORA Article 17 in practice: major ICT-related incident reporting for EU banks and EMIs
What Article 17 actually requires, the four-hour / twenty-four-hour / one-month reporting cascade, and how to build a signable evidence trail that survives BaFin or ACPR inspection.
Pascal Mauzé · 11 min read

PSD3 · Safeguarding
PSD3 safeguarding vs PSD2: what changes for a French EMI or payment institution in 2026–2027
The safeguarding regime moves from national options to a harmonised EU baseline. We walk the deltas ACPR supervisors will care about and the operating-model changes EMIs should plan for.
Pascal Mauzé · 10 min read

Three lines of defence · Audit
Three lines of defence inside a regulatory change platform: what is acceptable in inspection
Most regtech products emulate 3LoD with an email thread. Inspection does not buy that. Here is what counts as a defensible 1LoD → 2LoD → 3LoD chain — and the five failure modes we see most often.
Pascal Mauzé · 9 min read

Horizon Scanning · EBA
Horizon scanning the EU regulatory agenda Q2–Q4 2026: consultations, RTS, and level-2 measures
A curated list of the consultations, regulatory technical standards, and level-2 measures to pre-commit reviewers for, by topic: DORA, PSD3 / PSR, MiCA, AMLR, CSRD, and CRR3.
Pascal Mauzé · 12 min read