
DORA Bites, the EU AI Act Looms, and Agentic AI Is Eating Compliance Alive

7 April 2026. RegTech is having its biggest week in years. With DORA enforcement heating up, the EU AI Act's August deadline bearing down, and AI-powered compliance platforms slashing false positives by 70%, the regulatory technology sector is moving from "nice to have" to "non-negotiable." Here's everything you need to know.


There's a running joke in compliance departments: the only thing growing faster than the regulatory burden is the budget to manage it. But this week, that punchline landed differently. The RegTech sector is in the middle of a transformation so sweeping that the joke might soon be obsolete, replaced by AI agents that read regulations, flag risks, and file reports faster than any human team ever could.


From DORA's active enforcement phase to the EU AI Act's approaching August deadline, and from Regnology's industry recognition to ComplyAdvantage's agentic AI revolution, the last seven days have been a masterclass in why regulatory technology is no longer optional. Let's break it down.


DORA's Grace Period Is Officially Over


If you're a financial institution operating in Europe and you haven't achieved full DORA compliance yet, this week brought uncomfortable news: the grace period is done.

The Digital Operational Resilience Act has applied since January 17, 2025 (it entered into force in January 2023 with a two-year implementation window), requiring banks, insurance companies, investment firms, and other financial entities to withstand, respond to, and recover from ICT disruptions. But the informal tolerance that characterised 2025 supervision has ended. National competent authorities are now conducting active enforcement reviews, cross-checking Register of Information submissions automatically, and, this is the part that hurts, issuing the first penalty payments.


The numbers are sobering. According to Deloitte research, only 50% of surveyed institutions expected to reach full compliance by the end of 2025, with a further 38% pushing their target into 2026. That means roughly half of the regulated entities surveyed have entered the enforcement phase with known compliance gaps.


And the penalty framework is no joke, though it is less uniform than the headline figures suggest. DORA leaves administrative penalties for financial entities to national law (Article 50), so the caps most often quoted, up to 2% of global annual turnover or EUR 10 million, whichever is higher, with individual fines of up to EUR 1 million, depend on how your member state has implemented them; check the figure your own competent authority has adopted. For critical ICT third-party providers the regulation itself is explicit: the commonly cited ceiling is EUR 5 million, and the Lead Overseer can impose periodic penalty payments of 1% of average daily worldwide turnover for each day of continued non-compliance, for up to six months (Article 35(8)).


As one analysis from Gresham Technologies put it, DORA transforms cloud outages from third-party problems into your problems. Financial institutions remain fully responsible for the resilience of the functions they outsource to critical ICT vendors: the contractual terms, exit strategies, and incident reporting obligations sit with the institution, not the provider.


The EU AI Act: August 2 Is Coming, Ready or Not


If DORA wasn't enough to keep compliance teams busy, the EU AI Act's most significant enforcement phase is just four months away. On August 2, 2026, full compliance requirements for high-risk AI systems become enforceable, marking what legal firm Kennedys called "the most closely governed AI systems in global commerce."


What does that mean in practice? Providers of high-risk AI systems, in areas spanning biometrics, critical infrastructure, employment, law enforcement, and financial services, must have quality management systems, risk management frameworks, technical documentation, conformity assessments, and EU database registrations complete by that date. Organisations that merely deploy such systems carry a lighter but still real set of duties: operating the system according to the provider's instructions, assigning human oversight, and retaining the logs it generates.


The costs are not trivial. According to legal analysis, large enterprises should expect $8-15 million in initial investment for high-risk system compliance, mid-size companies face $2-5 million initially with $500K-2M in ongoing annual costs, and SMEs may need $500K-2M upfront.


Penalties for non-compliance are designed to sting: up to EUR 35 million or 7% of worldwide annual turnover for prohibited practices, up to EUR 15 million or 3% for other infringements, and up to EUR 7.5 million or 1% for supplying incorrect information, in each case whichever is higher (SMEs and start-ups are capped at whichever is lower).


There's one possible lifeline. The European Commission's Digital Omnibus package, proposed in November 2025, could extend certain high-risk enforcement deadlines to December 2027, but only if harmonised standards and compliance support tools remain unavailable. The package is still under negotiation, meaning compliance teams can't count on the extension.


Agentic AI: ComplyAdvantage and Sumsub Join Forces


While regulators tighten the screws, the RegTech sector is responding with its most powerful weapon yet: agentic AI. And no partnership announced this week illustrates the trend better than the tie-up between ComplyAdvantage and Sumsub.


Sumsub, trusted by over 4,000 companies worldwide for KYC, KYB, and transaction monitoring, announced the integration of ComplyAdvantage's Mesh platform, an AI-native intelligence layer that unifies screening, monitoring, customer risk scoring, and payments analysis. Unlike legacy systems with AI retrofitted on top, Mesh was built entirely on AI foundations.


The headline numbers are remarkable. ComplyAdvantage's agentic workflows, powered by its AI teammate "Cassie," can automate investigations, remediation, and filings, reducing false positives by 70%, cutting investigation times by up to 84%, and enabling organisations to handle 7x more work with the same staff.


Sumsub is launching Mesh Bring Your Own Key (BYOK), enabling customers to connect their own ComplyAdvantage Mesh API credentials directly into the Sumsub platform. Note that "key" here means an API credential, not a customer-managed encryption key in the cloud-KMS sense, so the customer keeps ownership of the credential and of the responsibility to scope and rotate it. It's a model that could redefine how compliance infrastructure is assembled across the industry.


Regnology Wins Central Banking Award and Acquires Metadata


Speaking of industry recognition, Regnology cemented its position as a RegTech heavyweight this quarter. The firm won the 2026 Central Banking Award for RegTech/SupTech services, announced on March 12, 2026, specifically for its work deploying the Regnology Supervisory Hub for the Andorran Financial Authority, which went live in February 2025 and delivered end-to-end automation and near real-time supervision.


But it's Regnology's broader strategic moves that tell the bigger story. The company also completed its acquisition of Metadata, further consolidating its dominance in the RegTech-SupTech space that bridges the gap between financial institutions and their supervisors.


Perpetual KYC and the Death of the Refresh Cycle


One of the clearest regulatory shifts gaining momentum this week is the move from periodic KYC refreshes to perpetual KYC. As analysis from RegTech Analyst highlighted, static review cycles simply can't keep pace with changes in ownership structures, geographic exposure, or product usage.


Napier AI is at the forefront of this shift. The London-based RegTech, backed by £45 million from Crestline Investors, has developed its Perpetual Client Risk Assessment (pCRA), an advanced AML/KYC solution that continuously and dynamically assesses customer risk across the full client lifecycle. According to the Napier AI / AML Index 2025-2026, regulated firms could save $183 billion in compliance costs by adopting AI-driven AML strategies, potentially returning $3.3 trillion to global economies.


The enforcement backdrop reinforces why this matters. In the UK alone, the FCA fined Monzo GBP 21 million, Barclays GBP 43 million, and Nationwide GBP 44 million in 2025 for serious AML control failings. With Australia's "Tranche 2" reforms extending AML obligations to lawyers, accountants, and real estate agents from July 1, 2026, and AMLA guidelines on transaction monitoring due by July 10, 2026, the compliance dragnet is widening.


The $130 Billion Question


RegTech spending is expected to exceed $130 billion globally in 2026. The AI in RegTech market alone is forecast to reach $3.3 billion, growing at a CAGR of 36.1%. These aren't projections from breathless fintech boosters, they reflect the hard reality that financial institutions cannot scale compliance through headcount alone.


As we enter what many analysts are calling an inflection point for AI-enabled AML/KYC transformation, the message from this week's developments is clear: compliance is no longer a cost centre to be minimised. It's a competitive advantage to be automated, accelerated, and, if you're doing it right, turned into a growth engine.


The institutions that figure this out first won't just avoid fines. They'll onboard customers faster, detect threats earlier, and free up their best people to focus on the problems that actually require a human brain.


The rest? Well, the regulators are watching. And they've got algorithms too.
