The Aikido to regulatory pressure: Stop fighting regulation and start winning

In martial arts, the difference between a fighter and an Aikido master is not power, but approach. The fighter braces for impact and throws punches harder with every incoming attack. The Aikido master accepts the force as it comes and redirects it, turning pressure into momentum.
Unless you want to stop serving the European market, your company is already on the mat with the EU. Regulations like the AI Act, DORA, NIS2, and CSRD are unavoidable. Fines reach into the millions. Executives themselves can now be held personally liable. The deadlines are real, and there is no negotiating with them. Most organizations will approach this wave like regular fighters, locking themselves into a struggle against rules they cannot resist. The smart ones will take the Aikido path. They will channel the pressure into systems that make them not just compliant, but more productive, more resilient, and more competitive.
This might feel counterintuitive. Regulations are burdensome by design, and building systems around them can look like surrender from the outside. But in practice, it is the only way to turn regulatory pressure into something productive.
The fighter’s losing strategy and the high cost of “checking the box”
The scale of the challenge of remaining compliant is enormous. The AI Act alone sets fines of up to €35 million or 7 percent of global revenue. NIS2 introduces direct accountability for executives. DORA became enforceable in January 2025 without a transition period. CSRD is on track to impose some of the strictest sustainability reporting standards in the world.
Yet, the most common corporate response looks like this:
Siloed panic: The legal department interprets the AI Act, IT scrambles to satisfy DORA, and sustainability officers chase suppliers for Scope 3 emissions. Each team acts alone, burning budget and producing a patchwork of disconnected solutions.
The compliance-in-a-box illusion: Vendors promise quick fixes. Companies buy one tool for AI, another for ESG, another for resilience testing. Nothing integrates. Technical debt grows, agility shrinks.
A defensive mindset: The only goal is to avoid fines. Compliance spending is categorized under “cost of doing business.” The return is zero by design.
The result is painful and ineffective. Many firms have already spent more than €1 million on DORA alone without building systems that are meaningfully more resilient. Two thirds of organizations subject to NIS2 missed the October 2024 deadline. In finance, more than half admitted they had not even mapped their critical ICT functions months after DORA came into force.
At Eli5, we have seen this play out repeatedly. As a RegTech builder, we were the team that helped ING move from regulatory scrutiny to becoming one of the leaders in regulatory technology. We often get called in when the damage has already been done. Companies have bought a stack of disconnected tools, hired consultants to produce reports, and still find themselves unprepared. Compliance has become pure overhead, draining budgets without creating value.
But regulation does not have to play out this way.
The Aikido master’s pivot: weaponizing the compliance budget
The regular fighter meets regulation with resistance. The Aikido master accepts it as a given and uses its energy to create momentum. For business leaders, the pivot is to stop treating compliance as a bill and start treating it as a guaranteed investment budget. Yes, there are more inspiring ways to innovate than letting regulatory pressure be the catalyst. But operating in the European market means this is the reality. Better to turn the hassle into a productive perspective.
So let’s look at the positives. Regulation brings two things that are usually hard to secure: board-level urgency and guaranteed capital. That capital can either be drained on a patchwork of tools and services just to get the box checked, or it can be invested in platforms and operational improvements that turn compliance into a driving force for a stronger business.
The practical difference shows up when you look at how companies approach the new rules.
Take the AI Act, which forces companies to govern their high-risk AI models with strict requirements around bias, transparency, and documentation. The fighter buys a standalone tool to scan models for bias before deployment. The master uses the same budget to build a central MLOps and governance platform. Compliance becomes part of the way models are developed and monitored. Instead of slowing teams down, it accelerates the safe rollout of AI across the organization.
Or look at CSRD, the new EU directive on corporate sustainability reporting. It requires companies to provide detailed, audited data not only on their own operations but also on their entire supply chain. That includes so-called “Scope 3 emissions,” which cover everything from the carbon footprint of suppliers to how customers use and dispose of the product. The fighter responds by hiring consultants to chase suppliers for spreadsheets and stitch together estimates. The master invests in a supply chain intelligence platform that gathers real-time data, builds a digital twin of operations, and highlights inefficiencies. The reporting requirement is still met, but the same system now helps cut costs, reduce waste, and make the entire value chain more resilient.
You can think what you want about regulations. If you believe most of the EU’s rules are nonsense, I can only agree with you. The AI Act is written by people who don’t understand how AI actually works. Anti-money laundering rules consume hundreds of billions while failing to catch more than a fraction of illicit transactions. ESG reporting is loaded with political baggage that adds friction without driving real progress.
But complaining won’t make the rules go away. What matters is how you use the capital that is now locked in. Some companies will drain it on short-term fixes, doing the bare minimum to avoid feeding into their frustration about regulators. Others will invest it into systems that pay dividends far beyond compliance. The latter will be the ones that turn regulation into ROI, building systems that return a lot more than a checked box.
From box-ticking to antifragile systems
When DORA came into force on January 17, 2025, financial institutions were expected to prove that they could keep their core digital operations running even under stress. That meant mapping out their most critical IT systems, knowing exactly how failure in one part could ripple through the business, and being able to measure cyber and operational risk in hard financial terms.
Yet surveys in the months after showed most firms were far from ready. PwC found that more than half of financial institutions were still trying to identify which systems even counted as “critical” under the law. Only 39 percent had developed a way to quantify ICT risk in terms that boards could act on. A Deloitte poll revealed that more than a quarter of firms hadn’t made any progress at all.
This is what the fighter’s approach looks like in practice. Compliance projects were run as fire drills. Consultancies were hired, reports were produced, and penetration tests were ticked off. But the outcome was largely superficial. Budgets were burned without building systems that could withstand real-world shocks.
The Aikido approach looked very different. Some institutions treated DORA as a mandate to overhaul resilience altogether. They invested in chaos engineering, a discipline that originated at companies like Netflix. The idea is simple but powerful: you intentionally trigger small failures in live systems to see how they react. That might mean shutting down a server, slowing down a network connection, or breaking an API on purpose. By doing this in a controlled way, engineers uncover hidden weaknesses before those weaknesses cause real outages.
In case studies from the financial services sector, adopting chaos engineering led to dramatic improvements. Critical system failures dropped by 94 percent. Average recovery time after an incident fell from more than four hours to under twenty minutes.
The payoff is obvious when you look at the cost of failure. IBM estimates the global average cost of a data breach at $4.88 million. Supply chain attacks alone are projected to cost $60 billion globally this year. For the banks that embraced resilience engineering under DORA, those costs became far less likely. They turned a regulatory burden into an operational advantage, delivering higher uptime, faster recovery, and stronger customer trust.
Meanwhile, competitors that treated DORA as a paperwork exercise remain fragile. Their compliance spending is sunk. Their operations are no more resilient than before. And when the next major outage or cyberattack hits, the gap between the two approaches will widen.
The end match: your choice for 2028
By the time the next wave of regulation lands, the difference between the fighter and the Aikido master will be clear. The fighter will be buried under layers of technical debt, managing a pile of disconnected compliance tools while bracing for the next set of rules. Each new requirement will mean another round of scrambling, more consultants, and more sunk costs.
The Aikido master will be operating on a different level. Their compliance systems will not sit on the side of the business but at its core. Governance of AI models, resilience of IT infrastructure, and transparency of supply chains will already be built into how the company runs day to day. New regulations will feel like feature updates, not existential threats.
At Eli5, we have seen both sides of this match play out. We were part of helping ING move from regulatory scrutiny to becoming one of the leaders in RegTech, and we still get called into organizations where compliance has been reduced to stacks of disconnected tools. But more importantly, we also build RegTech products that move companies ahead of the curve: from horizon scanning platforms that detect regulatory changes early, to AI-assisted compliance systems that automate reporting and monitoring. These experiences confirm the same lesson every time. Regulation is not going away, but the way you choose to handle it decides whether it becomes a cost or a moat.
The rules are the same for everyone. The outcomes are not. Regulation can drain your budget, or it can fund the very platforms that give you an edge. The choice is yours.