Sebastien Rousseau

CATEGORY

Policy & resilience

DORA, EU AI Act, NIST standards, third-party risk — the supervisory pressure shaping technology decisions.

4 tags

Tags in this category

  • DORA — 54 articles

    Digital Operational Resilience Act — register of information, ICT third-party risk, threat-led penetration testing, and the operational resilience programme banks must run.

  • EU AI Act — 5 articles

    Implementation guidance, supervisory expectations, high-risk system classification, and the conformity-assessment burden the Act puts on banks.

  • NIST — 4 articles

    NIST standards relevant to banking — FIPS 203/204, AI RMF, SP 800/1800 series — and the supervisory adoption patterns around them.

  • Third-party risk — 2 articles

    ICT third-party risk under DORA, EBA outsourcing guidelines, and the supervisory expectation around critical-vendor concentration.

Recent articles in Policy & resilience

APPLIED AI

The Agentic AI Index for Banks in 2026: Measuring Autonomy

Agentic AI is operational infrastructure in 2026. This index measures it the way banks measure capital and credit: a six-dimension readiness score across autonomy tiers, the control plane, regulatory evidence, unit economics, organisational readiness, and global regulatory alignment.

PAYMENTS & MONEY

Open Source, FINOS and the Cloud-Native CIB Stack

Morgan Stanley, JPMorgan and Citi are doubling down on FINOS and the Linux Foundation. A Rust-and-zero-dependency stack — noyalib, http-handle, hsh, KyberLib — shows what the cloud-native CIB stack looks like in 2026 under PSD3, FiDA and DORA.

PAYMENTS & MONEY

Always-On CIB: Cyber Recovery, Fallback Rails and Quantum-Safe Treasury

Corporate and investment banks now treat cyber recovery, ISO 20022 fallback rails across RTGS, instant and tokenised networks, and quantum-safe treasury controls as one always-on operating model — the board-grade response to DORA Articles 5 and 6, FHE, QKD and PQC primitives, and ICT third-party concentration risk.

PAYMENTS & MONEY

The Post-Quantum Banking Resilience Index in 2026: EO 14409, Global Deadlines, and Fiduciary Cryptographic Agility

Executive Order 14409, ANSSI's hard 2030 deadline and DORA Article 5 have moved post-quantum cryptography from a long-range technical goal to an active regulatory mandate. This index converts securing registries, high-frequency ledgers and SWIFT channels into a board-ready 0–5 scorecard that aligns ML-KEM, ML-DSA and SLH-DSA primitives with fiduciary liability and balance-sheet risk.

PAYMENTS & MONEY

The 2026 Global Payments Outlook: Operating Model, Risk, and Revenue in an Agentic, Invisible, Real-Time World

The 2026 global payments cycle is defined by three converging forces — agentic commerce, invisible embedded payments, and real-time execution — sitting on top of a tokenised unified ledger under Project Agorá and a hard November 2026 SWIFT structured-address cut-over. This piece synthesises the J.P. Morgan, Global Payments, HSBC and Payments Association 2026 outlooks into a four-pillar G-SIB operating model.

INFRASTRUCTURE & CRYPTOGRAPHY

Quantum Dawn for CIB: From KyberLib to a Quantum-Resilient Payments Stack

BIS Quantum Dawn and the G7 January 2026 PQC roadmap have moved post-quantum cryptography from research to board agenda. This piece extends KyberLib from a toolkit into an enterprise CIB transition programme — covering high-value rails, trade finance, custody, and the disclosures regulators are now asking for.

APPLIED AI

From Pain.001 to Programmable Liquidity: ISO 20022 as the Autonomic Nervous System of Treasury in 2026

ISO 20022 in 2026 is the autonomic nervous system of treasury. pain.001 and pacs.008 carry richer data than any MT message ever did. Nearly half of banks remain off-track for the November 2026 SWIFT MT/MX cut-over, structured addresses become mandatory, and agentic treasury cannot exist without MX-native APIs. This article maps the engineering reality, from CBPR+ validation rules to a real pain.001 fragment with PstlAdr fields.