What is regulatory horizon scanning and why compliance teams need it
Most compliance tools are built for proving existing compliance. Horizon scanning is a different discipline entirely: tracking what is coming before it becomes an obligation. Here is why the distinction matters and what good regulatory horizon scanning looks like in practice.
Two different problems that get treated as one
Compliance teams are typically asked to do two things that require completely different approaches. The first is proving that the firm meets its current obligations: documenting controls, passing audits, responding to supervisory requests. The second is tracking what those obligations will be in six, twelve, or twenty-four months: monitoring proposals, consultations, delegated acts, and implementing standards as they move through the legislative process.
Most compliance tools are built for the first problem. Regulatory horizon scanning is the name for the second, and it is consistently underserved.
The gap matters because EU financial regulation does not arrive fully formed. A regulation like the Markets in Crypto-Assets Regulation (MiCA) was in proposal stage in 2020, passed in 2023, and has phased implementation dates running through 2026. A firm that started preparing when the obligations became legally binding was already behind. A firm that tracked the regulation from the proposal stage had years to build systems, train staff, and sequence its authorisation process.
The same pattern holds for the Digital Operational Resilience Act (DORA), for the revised Payment Services Directive (PSD3), for the AI Act. The regulation is always visible long before it becomes enforceable. Horizon scanning is the discipline of using that visibility.
What horizon scanning is not
Horizon scanning is not the same as compliance monitoring, regulatory alert subscriptions, or reading your regulator’s newsletter.
Compliance monitoring tells you whether you are meeting obligations that already exist. That is a necessary function. It is not horizon scanning.
Regulatory alert subscriptions, of which there are many, typically surface announcements after they have been published in the Official Journal of the European Union or on a supervisory authority’s website. That is useful for staying informed. It is not the same as tracking a piece of legislation from the commission proposal stage, through trilogue, through delegated act development, to final regulatory technical standard (RTS) publication. By the time something appears in a newsletter, the window for proactive preparation has often narrowed significantly.
Reading supervisory authority publications is also not horizon scanning in any systematic sense. The European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA) each publish consultation papers, discussion papers, opinion documents, and draft technical standards on irregular schedules across multiple regulatory dossiers simultaneously. Tracking these manually across all three authorities, plus the European Commission, plus the EUR-Lex legislative database, is a significant workload for a small compliance team.
Horizon scanning is the systematic version of that activity: continuous monitoring of the full legislative pipeline, structured so that relevant developments surface to the right people before they become urgent.
Why the EU legislative pipeline is particularly complex to track
EU financial regulation does not work like national legislation. A piece of EU law typically passes through several distinct stages, each of which can produce compliance-relevant documents.
A commission proposal establishes the framework and is the first point at which the scope of future obligations becomes readable. This is usually published one to three years before the regulation takes effect.
Trilogue negotiations between the European Parliament, the Council of the EU, and the Commission modify the proposal and produce the final legislative text. Positions can shift materially during this stage.
After the regulation is published in the Official Journal, the empowering provisions authorise the relevant supervisory authority, typically EBA or ESMA, to develop regulatory and implementing technical standards. These RTS and ITS documents contain the specific requirements that firms actually have to implement. The headline regulation tells you that you need ICT risk management controls; the RTS specifies exactly what those controls must look like and how they must be documented.
Then there are Q&A processes, supervisory guidance documents, and national competent authority (NCA) interpretations, all of which can affect what compliance looks like in practice.
A firm tracking only the headline regulation is not doing horizon scanning. It is doing the easy part.
What good horizon scanning looks like
Effective regulatory horizon scanning has three characteristics.
The first is source coverage that reaches the full pipeline. This means monitoring EUR-Lex from the proposal stage, tracking EBA, ESMA, and EIOPA publication feeds, and covering Official Journal publications across the relevant regulatory perimeter. Coverage gaps at the source level create blind spots that no amount of analysis can compensate for.
The second is relevance filtering. A firm authorised as a payment institution under PSD2 has a different regulatory perimeter than an alternative investment fund manager or a crypto-asset service provider. The volume of EU financial regulation is large enough that undifferentiated monitoring creates noise rather than signal. Effective horizon scanning surfaces developments that are relevant to a specific firm’s authorisation type, jurisdiction, and business model, and suppresses everything else.
The third is lead time. The value of horizon scanning is the time it creates between becoming aware of a regulatory development and needing to respond to it. A system that surfaces an RTS consultation sixty days before the consultation deadline has created sixty days of preparation time. A system that surfaces the same consultation on day fifty-nine has not.
These three characteristics, source coverage, relevance filtering, and lead time, define the standard against which any horizon scanning approach should be evaluated.
Who needs it
The instinct in most firms is that horizon scanning is a large compliance department problem. In practice, the firms that benefit most are the ones that cannot afford to have it fail.
A boutique investment manager with two compliance staff cannot absorb a regulatory surprise. A fintech building a payments product needs to know whether PSD3 will affect its licensing requirements before it finalises its architecture. A non-EU firm evaluating entry into European financial markets needs to understand the regulatory perimeter before it makes an investment.
Enterprise compliance platforms exist for the large-bank use case. They are expensive, complex to implement, and designed for compliance teams of a size that most firms do not have. The gap in the market is affordable, high-quality horizon scanning for the firms that are not large banks: fintech founders, compliance professionals at mid-sized firms, boutique investors, and the legal and advisory practices that serve them.
The source integrity problem
There is a reason that most AI-based regulatory tools cannot be trusted for compliance purposes. EU financial regulation is precise. A single word in an RTS, such as whether a requirement is mandatory or discretionary, can determine whether a firm needs to rebuild a system or update a policy. Getting that word wrong has consequences.
Generic AI tools trained on large corpora do not know when their knowledge of a regulation is current. They do not cite CELEX IDs. They do not distinguish between the final published text and a working draft from eighteen months earlier. They produce confident answers that may or may not reflect the current state of the regulation, with no way for the reader to verify which.
The only defensible architecture for regulatory intelligence is one anchored to verified official sources: EUR-Lex, the Official Journal, and supervisory authority publications. Every claim in the output should trace back to a specific document with a retrievable identifier. This is not a feature; it is the baseline requirement for compliance use.
This is the same principle that applies to research pipelines more generally: data integrity comes before analysis. For a more detailed treatment of why deterministic source anchoring matters, see why deterministic RAG beats generative AI for research and AI belongs after the data is clean, not before.
The practical starting point
For firms currently doing horizon scanning manually or not at all, the practical starting point is defining the regulatory perimeter. Which regulations are currently in scope, and which are on a trajectory to become so? This list changes over time as the firm’s authorisations, products, and markets change.
The second step is identifying the source gaps. Most firms have good coverage of the regulations they are already complying with and poor coverage of what is in the legislative pipeline. EUR-Lex provides free access to the full text of all EU legislation, and the EBA and ESMA websites publish all their consultation papers and technical standards. The challenge is not access; it is systematic monitoring at volume.
The third step is building lead time into the process. The point of horizon scanning is to create preparation time, which means surfacing developments early enough for them to be useful. A consultation paper that closes in ninety days is an opportunity to shape the final standard. The same paper surfaced after the deadline is not.
Forseti, Citium’s EU regulatory intelligence platform, is in development and will monitor EU financial regulation continuously, delivering personalised horizon-scanning intelligence anchored to verified official sources with full CELEX traceability. If you want to be kept informed ahead of launch, get in touch.