On 26 November 2025, the EC published consultation on formats for the submission of beneficial ownership information to central registers.

This initiative will establish the formats used to submit beneficial ownership information referred to in Article 62 of Regulation (EU) 2024/1624 to central registers. The concept of beneficial ownership was introduced to increase the transparency of complex corporate structures in the fight against money laundering and terrorist financing.
It will include a checklist of minimum requirements for this information to be examined by the entity in charge of the central register.

The Consultation closes on 24 December 2025.

On 24 November 2025, the EP publishes in-depth analysis of The Future of Anti-Money Laundering in the European Union.

This briefing analyses the establishment of the European Anti-Money Laundering Authority (AMLA) as a cornerstone of the EU’s 2024 Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) legislative reform. As AMLA formally began its operations in the summer of 2025, a key question will be how effectively the Authority translates the new rulebook into consistent supervisory practice across the Union. The briefing examines how the new framework addresses long-standing regulatory fragmentation, enhances supervisory convergence, and strengthens the Union’s capacity to detect and prevent financial crime. It also explores AMLA’s institutional mandate, its interaction with national and EU authorities, and its potential evolution in a digitalised financial environment. Finally, it considers broader policy and geopolitical implications, assessing how AMLA may contribute to a more integrated and resilient European financial system.

BACKGROUND

On 19 November 2025, the European Commission published a proposal (COM(2025) 836) for a Regulation amending the AI Act (Regulation EU 2024/1689) and Regulation (EU) 2018/1139, as part of the broader “Digital Omnibus on AI”. The initiative forms part of the EU’s simplification agenda, aiming to reduce administrative burdens while maintaining the AI Act’s high level of protection for health, safety and fundamental rights.

The AI Act entered into force on 1 August 2024, with phased application until 2 August 2027. Stakeholder consultations revealed concerns about delays in designating authorities and conformity assessment bodies, the slow availability of harmonised standards, legal uncertainty for SMEs, and potential bottlenecks in applying high-risk rules. The proposal therefore introduces targeted, technical amendments to facilitate a smoother, more innovation-oriented implementation without changing the substantive scope of the AI Act.

WHAT'S NEW?

1. Adjusted timelines and support tools for high-risk AI

The proposal links the application of high-risk AI obligations to the availability of harmonised standards, common specifications and EU guidance. High-risk rules will apply after a Commission confirmation that support tools exist, subject to a transition period and a fixed latest-application date. It also clarifies integration of high-risk requirements into sectoral product legislation listed in Annex I.

AI literacy obligations are rebalanced: the responsibility to foster general AI literacy shifts from providers/deployers to the Commission and Member States, while training obligations for deployers of high-risk systems remain.

2. Expanded simplifications for SMEs and new support for SMCs

Regulatory privileges already granted to SMEs (e.g., lighter technical documentation and quality management) are extended to small mid-caps (SMCs). Penalty reductions, guidance and voluntary support tools are also adapted to SMC needs. This responds to concerns that SMEs and SMCs face disproportionate compliance burdens.

3. Strengthened role for the AI Office and centralised oversight

A new supervisory architecture gives the AI Office exclusive competence over:

• AI systems based on general-purpose AI models where the provider offers both the model and the system, and
• AI systems embedded in very large online platforms (VLOPs) or search engines.

The Commission may adopt implementing acts specifying enforcement powers and procedures, and can carry out conformity assessments for systems falling under the AI Office’s remit.

4. Streamlined conformity assessment and registration

Key simplifications include:

• A single designation procedure for conformity assessment bodies seeking approval under both the AI Act and other harmonisation legislation.
• Clarified rules for systems classified as high-risk under both Annex I and Annex III.
• Removal of the registration obligation for systems technically linked to high-risk areas but exempted under Article 6(3) because they perform only narrow or preparatory tasks.
• Greater flexibility in post-market monitoring (no longer requiring a harmonised plan).

A new Annex XIV introduces codes and categories for notified bodies within the NANDO system.

5. Legal basis for processing special categories of personal data for bias detection

A new Article 4a provides a clear legal basis for providers and deployers to exceptionally process sensitive data to detect and correct bias, under strict safeguards and in line with EU data protection law. This removes significant legal uncertainty around fairness testing.

6. Expanded regulatory sandboxes and real-world testing

The proposal enhances experimentation frameworks by:

• Requiring cross-border cooperation among national AI sandboxes;
• Empowering the AI Office to establish an EU-level sandbox from 2028;
• Extending real-world testing to systems covered under Section A of Annex I and enabling voluntary testing agreements between Member States and the Commission.

These measures address industry demands for more supervised, practical testing environments, especially for automotive and other industrial sectors.

7. Governance, costs and fundamental rights

The shift of supervisory responsibilities from national authorities to the AI Office requires 53 FTE at EU level (15 via redeployment). The Commission expects savings of EUR 297–433 million from reduced administrative burdens. As the proposal does not alter the definition or substantive requirements of high-risk AI systems, the fundamental rights impact remains unchanged from the original AI Act.

WHAT'S NEXT?

Legislative process

The proposal will be examined by the Parliament and Council under the ordinary legislative procedure. It forms part of the EU’s wider Digital Package on Simplification and is closely linked to the Digital Fitness Check assessing cumulative impacts of EU digital rules.

Forthcoming implementation guidance

Implementation will be supported by extensive Commission and AI Office guidance, including:

• High-risk classification and transparency guidelines,
• Templates for fundamental rights impact assessments,
• Guidance on serious incident reporting, substantial modifications, post-market monitoring, quality management for SMEs/SMCs, and the interplay of the AI Act with GDPR, the Cyber Resilience Act and the Machinery Regulation.

On 11 November 2025, the EDPS published Guidance for Risk Management of Artificial Intelligence systems.

The development, procurement and deployment of AI systems involving the processing of personal data by European Union Institutions, Bodies, Offices and Agencies (EUIs) raises significant risks to data subjects’ fundamental rights and freedoms, including but not limited to privacy and data protection. As the cornerstone of Regulation 2018/1725 (EUDPR),1 the principle of accountability enshrined in Article 4(2) (for administrative personal data) and Article 71(4) (for operational personal data) requires EUIs to identify and mitigate these risks, as well as to demonstrate how they did so. This is all the more important for AI systems that are the product of intricate supply chains often involving multiple actors processing personal data in different capacities.

This Guidance aims to guide EUIs acting as data controllers in identifying and mitigating some of these risks. More specifically, they focus on the risk of non-compliance with certain data protection principles elicited in the EUDPR for which the mitigation strategies that controllers must implement can be technical in nature – namely fairness, accuracy, data minimisation, security and data subjects’ rights. As such, the technical controls listed in this Guidance are by no means exhaustive, and do not exempt EUIs from conducting their own assessment of the risks raised by their specific processing activities. In doing so, it refrains from ranking their likelihood and severity.

First, this document provides an overview of the risk management methodology according to ISO 31000:2018 (Section 2). Second, it outlines the typical development lifecycle of AI systems as well as the different steps involved in their procurement (Section 3). Third, it explores the notions of interpretability and explainability as cross-cutting concerns that condition compliance with all the provisions covered in this Guidance (Section 4). Lastly, it breaks down the four general principles listed above, namely fairness, accuracy, data minimisation and security into specific risks, each of which is then described and paired with technical measures that controllers can implement to mitigate these risks (Section 5).

More specifically, this Guidance focuses on the risk of non-compliance with a select few data protection principles for which the “controls” that controllers must implement can be technical in nature – namely fairness, accuracy, data minimisation, security and certain data subjects’ rights. The EDPS insists on the fact that the list of risks and countermeasures outlined in this Guidance is not exhaustive, but merely reflects some of the most pressing issues that controllers must address when procuring, developing and deploying AI systems.

On 25 November 2025, the EP published press release on adoption of text on use of AI in the financial sector.

The resolution looks at the rapidly growing use of artificial intelligence by the financial sector, recognising its potential to improve efficiency, innovation, consumer services, and investments. More particularly, MEPs say that there is strong potential for AI to benefit the financial sector through fraud detection, personalised advice, transaction monitoring, and Environmental, Social and Governance (ESG) data analysis.

However MEPs also flag significant risks such as data-bias, model opacity, over-reliance on a few technology providers, cyber-security threats, and governance challenges. To mitigate these, MEPs stress the need for human oversight, robust data governance, an update to the EU’s supervisory tools, and call for a regulatory framework that would encourage innovation but not at the cost of consumer protection and financial stability.

The resolution asks the Commission and supervisors to issue clearer, proportionate guidance rather than producing new rules. It also urges supervisory authorities to cooperate better, including through consistent interpretations, information-sharing, and cross-border coordination.

MEPs also call for greater investment in AI, increasing AI literacy and reskilling, researching the environmental footprint of AI, setting up AI-specific regulatory ‘sandboxes’, and reducing regulatory barriers for AI-based financial firms.

On 17 November 2025, the ESMA published Peer Review on the supervision of depositary obligations.

The Peer Review assessed how National Competent Authorities (NCAs) supervise and enforce key depositary obligations under UCITS and AIFMD, with a focus on oversight (valuation; investment restrictions/leverage limits), safekeeping (including due diligence, asset segregation), and delegation.

The review found notable divergence in supervisory approaches among NCAs, despite all having processes and procedures in place. While the Czech National Bank (CZ) was found broadly robust and Luxembourg (LU) largely meeting expectations, some NCAs (especially Ireland, Italy, Sweden) exhibited shortcomings, especially regarding the intrusiveness, frequency, and effectiveness of supervisory activities. A common finding was the high concentration of assets in a small number of depositaries, raising systemic risk concerns. Variations in staffing and risk-based resource allocation were also flagged—particularly a lack of dedicated resources in Sweden.

The report recommends that NCAs increase the intensity and frequency of supervision for systemically significant entities and strengthen practices around delegation, due diligence, and on-site assessment. It highlights the need for in-depth review of third-party arrangements to ensure key oversight functions are not improperly delegated. Selected good practices—like cross-checking breach reports and reviewing internal audit findings—are encouraged sector-wide.

Timelines align with ESMA’s 2024 Work Programme, with recommendations calling for near-term supervisory enhancements to ensure convergence and uphold investor protection and market stability.

On 21 November 2025, the ECB published its guideline on TIBER-EU SSM Implementation.

Under Articles 26 and 27 of the Digital Operational Resilience Act (DORA), identified financial entities must carry out, at least every three years, advanced operational resilience testing by means of threat-led penetration testing (TLPT). The European Central Bank (ECB) is the competent authority (CA) and TLPT authority (TLPTA) for significant institutions (SIs) under Articles 26 and 46 DORA and is thus ultimately responsible for the operationalisation of TLPT. To help SIs fulfil the DORA TLPT requirements, the ECB has decided to adopt the Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU).

The aim of a correctly performed TLPT is to provide a learning experience for the SI and to serve as an effective supervisory tool. The TIBER-EU framework enables European and national authorities to perform TLPT for financial entities within their remit in order to further strengthen these entities’ resilience to sophisticated cyberattacks.

This guide sets out how the ECB adopts and implements the TIBER-EU framework for the TLPT of SIs as identified for TLPT according to DORA. This means that, for any SI identified by the ECB as falling under the DORA requirement to undergo mandatory TLPT, this document can be used as guidance on how to fulfil the requirements under DORA and the accompanying Regulatory Technical Standards (RTS) on TLPT . Note that only the requirements under DORA and the RTS are legally binding, and they take precedence over the TIBER-EU framework.

On 6 November 2025, the EU publishes Corrigendum to Regulation (EU) 2025/38 of the European Parliament and of the Council of 19 December 2024 laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cyber threats and incidents and amending Regulation (EU) 2021/694 (Cyber Solidarity Act) (OJ L, 2025/38, 15.1.2025).

On page 30, Article 22, point (3)(b), concerning Article 12(6), first subparagraph, of Regulation (EU) 2021/694:
for: ‘If duly justified for security reasons, the work programme may also provide that legal entities established in associated countries and legal entities that are established in the Union but are controlled from third countries may be eligible to participate in all or some actions under Specific Objectives 1 and 2 only if they comply with the requirements to be fulfilled by those legal entities to guarantee the protection of the essential security interests of the Union and the Member States and to ensure the protection of classified documents information. Those requirements shall be set out in the work programme.’,

read: ‘If duly justified for security reasons, the work programme may also provide that legal entities established in associated countries and legal entities that are established in the Union but are controlled from third countries may be eligible to participate in all or some actions under Specific Objectives 1, 2 and 6 only if they comply with the requirements to be fulfilled by those legal entities to guarantee the protection of the essential security interests of the Union and the Member States and to ensure the protection of classified documents information. Those requirements shall be set out in the work programme.’.

On 19 November 2025, the EC published Proposal for a Regulation of the European Parliament and of the Council on the establishment of European Business Wallets.

This legislative initiative aims to create a harmonised, trusted digital framework enabling economic operators and public sector bodies to securely identify, authenticate, and exchange data with full legal effect across EU borders. The regulation addresses the fragmentation and administrative burdens in cross-border business-to-government (B2G) and business-to-business (B2B) interactions by providing a user-friendly digital instrument compliant with existing EU company and trust service laws.

Key objectives are to reduce administrative burdens, streamline compliance processes, and enhance service delivery by ensuring secure, trusted digital identification accessible across the Single Market. The proposal complements the European Digital Identity Framework (eIDAS) by introducing functionalities tailored to business needs, including the digital management of representation rights, mandates, and official document exchange via a secure communication channel.

The regulation mandates acceptance of European Business Wallets by all public sector bodies for core functionalities such as identification, authentication, signing, sealing, submission, and receipt of documents with legal equivalence to paper-based processes. Technical standards and interoperability with existing EU digital identity tools and authentic sources are guaranteed, supporting technological neutrality and market-driven innovation.

Expected impacts include substantial reductions in compliance costs and administrative burdens, especially for SMEs and micro-enterprises, increased efficiency for public authorities, improved data quality, and enhanced cybersecurity and digital sovereignty for the EU. The initiative also aligns with EU policies such as the Single Market Strategy, SME strategy, Digital Decade, and sustainability goals, promoting competitiveness, trust, and resilience within the internal market.

On 18 November 2025, the EBA publishes ESAs List of designated CTPPs.

This designation marks a crucial step in the implementation of the DORA oversight framework.

First, the ESAs collected data from the Registers of Information maintained by financial entities, which detail their contractual arrangements for ICT services.

Second, the ESAs conducted a detailed criticality assessment in cooperation with the Competent Authorities (CAs) across the EU from the banking, insurance and pensions, and securities and markets sectors. This assessment was carried out in line with the multifaceted criteria set out in DORA, which required a complete evaluation of a provider’s systemic importance, its role in supporting critical or important functions for financial entities, and the level of substitutability of its services.

Third, ICT third-party providers assessed as critical were formally notified, after which they benefitted from their right to be heard by providing a reasoned statement. The final designation decisions were adopted following a careful review of all relevant information, ensuring the integrity of the process.

The designated CTPPs provide a range of ICT services (e.g. from core infrastructure to business and data services) to financial entities of all types and sizes across the European Union, reflecting their pivotal role within the financial ecosystem.

The objective of the DORA Oversight Framework, mandated to the ESAs, is to promote the sound management of ICT risk by the critical providers. Through direct oversight engagement, the ESAs will assess whether CTPPs have appropriate risk management and governance frameworks in place to ensure the resilience of the services they deliver to financial entities. This serves to mitigate risks that could impact the operational resilience of the financial sector of the EU.

On 5 November 2025, the EBA publishes its final Guidelines on environmental scenario analysis.

These Guidelines complement the EBA's existing framework on the management of ESG risks by providing specific standards for the use of scenario analysis, particularly concerning environmental and climate-related risks. The document addresses mandates under both the Capital Requirements Directive (CRD) and the Capital Requirements Regulation (CRR), with a specific focus on institutions using the Internal Ratings-Based (IRB) Approach for credit risk.

The key objective is to enhance institutions' resilience by using scenario analysis to test both short-term financial robustness (capital and liquidity adequacy) and the resilience of their business models over the medium to long term. The scope is currently limited to environmental risks, with a primary focus on physical and transition risks stemming from climate change. Social and governance factors are excluded for now due to a lack of mature assessment methodologies but may be included in future updates.

The Guidelines outline a progressive and proportionate approach, allowing institutions to use methods ranging from simple qualitative analyses to sophisticated quantitative models. They provide guidance on the prerequisites for conducting such analyses, including the identification of transmission channels that translate climate risks into financial impacts. The document also clarifies the use of a simplified approach in the form of sensitivity analysis. The Guidelines will apply from 1 January 2027, following translation into official EU languages and a two-month period for national competent authorities to report on their compliance.

On 17 November 2025, the EC published CDR supplementing Directive 2009/65/EC of the European Parliament and of the Council with regard to regulatory technical standards specifying the characteristics of liquidity management tools.
This regulation follows amendments introduced by Directive (EU) 2024/927, aiming at increasing transparency, harmonizing liquidity risk practices across the Union, and preventing divergent national approaches.

The regulation defines key liquidity management tools, including suspension of subscriptions, redemptions and repurchases, redemption gates, extension of notice periods, redemption fees, swing pricing, dual pricing, anti-dilution levies, redemption in kind, and side pockets. It mandates UCITS to select at least two tools from a harmonized list, ensuring flexibility across different asset classes, jurisdictions, and market conditions, with the purpose of improving fund resilience during stressed market conditions.

The standards were developed by ESMA following a comprehensive consultation process, which involved 33 responses, and a cost-benefit analysis confirming the positive societal and investor benefits outweigh supervisory and compliance costs. ESMA published the draft standards on 15 April 2025, which the European Commission reviewed and adapted for legal clarity and consistency, resulting in a final regulation that is directly applicable across all EU Member States.

Key provisions require UCITS to implement safeguards such as automatic suspension of all investor transactions during stress, specific calculation methodologies for activation thresholds of redemption gates, transparent criteria for extending notice periods, and rules governing redemption fees that incorporate estimated explicit and implicit transaction costs. Swing pricing can be applied on a full or partial basis, adjusting net asset values to prevent dilution of existing investors caused by large redemptions or subscriptions. Dual pricing methods are clarified, including calculating distinct NAVs based on bid-ask spreads, or a single NAV with adjustments.

The regulation also revises detailed mechanics for activation and application of anti-dilution levies, redemption in kind, and side pockets—mechanisms designed to segregate or physically separate assets when market or legal features change significantly. It emphasizes the importance of transparency, fair treatment, and investor protection, especially under adverse market scenarios. Transition provisions give existing UCITS until 16 April 2027 to comply, though they may opt for early adoption.

Applying from 16 April 2026, the regulation aims to harmonize liquidity management practices across the EU, strengthening UCITS resilience and investor confidence while reducing systemic risks in stressed market environments.

BACKGROUND

On 17 November 2025, the European Commission adopted a Commission Delegated Regulation supplementing AIFMD (Directive 2011/61/EU) with regulatory technical standards on the characteristics of liquidity management tools (LMTs). The RTS implement Article 16(2g) AIFMD as amended by Directive (EU) 2024/927, which introduced a harmonised list of LMTs in Annex V and requires AIFMs to select at least two LMTs for each open-ended AIF from 16 April 2026. The measure responds to recommendations from ESRB, ESMA, FSB and IOSCO to harmonise LMT design and use in open-ended funds, strengthen fund resilience under stress and reduce divergent national practices.

WHAT'S NEW?

The Regulation defines detailed operational characteristics for nine LMTs: suspension of subscriptions, repurchases and redemptions; redemption gates; extension of notice periods; redemption fees; swing pricing; dual pricing; anti-dilution levy; redemption in kind; and side pockets. Suspensions must apply simultaneously to subscriptions, repurchases and redemptions, for all investors and all share classes, and remain strictly temporary. Redemption gates must be based on clearly defined activation thresholds set at fund level, investor level, or as a combination, expressed against NAV, liquid assets or monetary amounts, with pro-rata execution of orders once activated.

For anti-dilution tools (redemption fees, swing pricing, dual pricing, anti-dilution levies), the RTS require inclusion of estimated explicit transaction costs and, where appropriate, implicit costs and market impact on a best-effort basis, ensuring liquidity costs are borne by subscribing and redeeming investors rather than remaining investors. Redemption in kind is framed as the transfer of assets instead of cash, while clarifying that normal ETF creation/redemption activity with authorised participants and market-makers does not count as activating the “redemption in kind” LMT. Side pockets can be created via accounting segregation (dedicated share class) or physical separation (new AIF), are closed to new flows, and are used to isolate assets whose economic or legal features have become highly uncertain.

WHAT'S NEXT?

The Regulation applies from 16 April 2026 and is directly applicable in all Member States. AIFs constituted before that date benefit from a transitional period until 16 April 2027, during which they are deemed compliant but may opt into the new regime earlier, subject to notification to their home competent authority. In practice, AIFMs will need to review and update fund documentation, liquidity risk frameworks, LMT methodologies (thresholds, swing factors, fee/levy ranges), governance and investor disclosures so that, by April 2026, each open-ended AIF has at least two appropriate LMTs calibrated and operational for use under both normal and stressed market conditions.

BACKGROUND

On 19 November 2025, the European Commission published a digital simplification package aimed at cutting red tape in the EU’s digital rulebook and boosting innovation and competitiveness. The initiative forms the seventh omnibus proposal in the Commission’s broader simplification agenda, which targets at least a 25% reduction in administrative burdens (35% for SMEs) by 2029. The package combines a “Digital Omnibus” revising existing digital legislation, a Data Union Strategy to unlock high-quality data (especially for AI), and a proposal for European Business Wallets to streamline cross-border interactions between businesses and public authorities. Overall, the Commission estimates up to EUR 5 billion in administrative savings by 2029 and up to EUR 150 billion per year in additional savings from the Business Wallets, assuming broad uptake.

WHAT'S NEW?

1. Digital Omnibus – AI, cybersecurity, data and privacy

The Digital Omnibus revises the implementation architecture around the AI Act, cybersecurity reporting and data protection rules:

• AI Act implementation and simplifications: Entry into application of high-risk AI rules is linked to the availability of standards and support tools, with a maximum 16-month delay once the Commission confirms readiness. Simplifications currently available to SMEs are extended to small mid-caps (SMCs), notably lighter technical documentation requirements (expected savings of at least EUR 225 million per year). Access to regulatory sandboxes is broadened, including an EU-level sandbox from 2028 and more real-world testing in key sectors such as automotive, while the AI Office’s powers are reinforced and oversight of general-purpose AI (GPAI) models is further centralised.
• Cybersecurity incident reporting: The package introduces a single entry point for incident notifications so that firms can meet reporting obligations under multiple frameworks (NIS2, GDPR, DORA and others) through one interface. This is intended to reduce duplication while maintaining high security and reliability standards for the reporting channel.
• Targeted GDPR and cookie amendments: Limited changes to the GDPR aim to clarify, harmonise and simplify specific provisions without altering its core and level of protection. Cookie rules are modernised to reduce banner fatigue, enable one-click consent and allow users to manage preferences centrally via browser or device settings, improving user experience and legal certainty for service providers.
• Data rules and access for AI: The package consolidates elements of the EU data acquis around the Data Act, merging four instruments for greater legal clarity. It introduces targeted exemptions to some cloud-switching rules for SMEs and SMCs (around EUR 1.5 billion in one-off savings), and provides model contractual terms and standard contractual clauses to support compliant data access and cloud contracts. It also seeks to “feed” AI innovation by improving access to high-quality, up-to-date datasets for European AI companies.

2. Data Union Strategy

The Data Union Strategy complements the Omnibus by setting out measures to unlock more high-quality data for AI and strengthen data sovereignty. It foresees tools such as data labs, a Data Act Legal Helpdesk, and an “anti-leakage” toolbox and guidance to protect sensitive non-personal data and assess fair treatment of EU data abroad. The aim is to operationalise the Data Act, support businesses in implementation and ensure that European data is used under conditions that respect EU rules and strategic interests.

3. European Business Wallet

The European Business Wallet proposal creates a unified digital identity and credential tool for companies and public bodies across the EU. Through the Wallet, businesses will be able to:

• Digitally sign, timestamp and seal documents;
• Create, store and exchange verifiable digital documents securely;
• Interact electronically with other companies and public administrations in all 27 Member States.

This is designed to make activities such as expanding into other Member States, paying taxes and dealing with authorities far more automated and cross-border by design, dramatically reducing paper-based and in-person procedures. With widespread adoption, the Commission estimates potential savings of up to EUR 150 billion annually for businesses.

WHAT'S NEXT?

Legislative process and timing
The Digital Omnibus regulations and the European Business Wallet proposal will now be examined by the European Parliament and the Council under the ordinary legislative procedure. Once adopted, detailed implementation timelines will be set in the final texts, in particular for the single cybersecurity reporting interface, AI Act adjustments and the deployment of Business Wallet infrastructure at Member State level.

Digital Fitness Check and further simplification steps
In parallel, the Commission has launched a broad public consultation under the Digital Fitness Check, open until 11 March 2026. This “stress test” will review how the existing digital rulebook performs against competitiveness objectives, and will assess overlaps, incoherence and cumulative burdens. The results are expected to feed into further simplification proposals and possible additional streamlining of digital legislation.

On 6 November 2025, the EBA published Follow-up Peer Review Report on the exclusion from the Credit Valuation Adjustement (CVA) risk of transactions with non-financial counterparties established in a third country.

This report follows the 2023 peer review evaluating competent authorities’ (CAs) supervision of institutions applying the Exclusion RTS (Commission Delegated Regulation (EU) 2018/728) under Article 382(4) CRR. The follow-up review, conducted pursuant to Article 23 of the EBA Decision on Peer Review Committees, assessed whether CAs addressed prior deficiencies identified in applying the RTS.

The follow-up review covered Denmark, Hungary, Sweden, and the ECB/SSM, focusing on:

• Supervisory engagement with CVA risk in smaller and specialized institutions;
• Monitoring of CVA risks from exempted transactions under CRR; and
• Compliance with the Exclusion RTS.

The EBA found overall improvements in supervisory practices across jurisdictions. Hungary demonstrated full implementation of Exclusion RTS monitoring within its ICAAP review process and was upgraded to “fully applied”. Other CAs (Denmark, Sweden, and the ECB) remained “largely applied”. The report also observed stronger monitoring of derivatives and securities financing transactions (SFTs) to capture CVA exposures, consistent with updated CRR3 and EMIR frameworks effective from 2025.

The Peer Review Committee (PRC) concludes that CAs broadly maintain sufficient CVA supervisory coverage aligned with SREP Guidelines but recommends reinforcing periodic RTS compliance checks (at least every three years) and continuing the strengthening of CVA risk reviews, particularly regarding transactions benefiting from exemptions.

BACKGROUND

On 27 November 2025, the European Parliament and Council reached a political agreement on the Payment Services Regulation (PSR) and the Third Payment Services Directive (PSD3). Together, these two instruments constitute the core of the EU’s new payment services framework, replacing parts of PSD2 and addressing long-standing concerns around online fraud, opaque charging practices, uneven competition, open banking obstacles, and declining access to cash.

The package covers banks, payment institutions, electronic money institutions, post-giro institutions, technical service providers, and certain online platforms and telecom operators. While the PSR harmonises conduct-of-business and fraud-prevention rules through a directly applicable regulation, PSD3 focuses on authorisation, supervision, and the competitive conditions under which payment service providers (PSPs) operate.

WHAT'S NEW?

Stronger fraud protection and PSP liability rules

The agreement introduces a comprehensive fraud-prevention architecture. PSPs must verify payee name–identifier matching, apply strong customer authentication, and conduct risk assessments for all transactions. Failure to implement adequate prevention mechanisms results in full liability for customer losses.
Key enhancements include:

• Automated blocking tools and spending limits to mitigate fraud exposure;
• Obligations for receiving PSPs to freeze suspicious incoming transactions;
• Full refunds for impersonation fraud where customers report the incident to police and notify their PSP;
• Online platforms’ liability towards PSPs when they fail to remove notified fraudulent content, complementing the Digital Services Act.

Financial service advertisers on major platforms must prove legal authorisation in the relevant Member State. PSPs must also provide human—not only automated—customer support, and public authorities must invest in fraud-awareness education.

Transparent charging and clearer consumer information

All fees must be disclosed before payment initiation, including currency conversion margins and ATM withdrawal costs, regardless of operator. The transparency requirements apply across all PSPs and are reinforced with harmonised disclosure formats.

Improved access to cash

To ensure cash availability particularly in remote regions, retail stores may offer cash withdrawals between EUR 100 and EUR 150 without requiring a purchase, supplementing ATM networks.

Promoting competition and advancing open banking

PSD3 introduces measures to ensure that account-servicing providers (ASPSPs) cannot discriminate against authorised open banking providers. The agreement strengthens data access rights, bans technical and contractual obstacles, and grants users dashboards to manage third-party permissions.
Device manufacturers and electronic service providers must allow storage and transmission of payment-relevant data on fair, reasonable and non-discriminatory terms, enabling innovation in payment interfaces.

Simplified and risk-based authorisation framework

Authorisation of payment institutions will follow harmonised timelines, strengthened prudential requirements, and more proportionate capital rules.
Crypto-asset service providers already authorised under MiCA benefit from a streamlined process limited to the payment services listed in their application, subject to appropriate risk controls.

Enhanced consumer redress mechanisms

All PSPs must participate in alternative dispute resolution procedures whenever consumers choose to use them.

WHAT'S NEXT?

Formal adoption and implementation
The deal now requires approval by both institutions before publication in the Official Journal. Once adopted, the PSR will apply directly, while PSD3 will require national transposition. A transition period—expected to extend into 2026 and beyond—will follow technical finalisation of the regulatory framework.

Operational preparation for PSPs
Providers will need to adapt fraud-prevention systems, customer support processes, data-access interfaces, and authorisation documentation. Open banking actors and ASPSPs must prepare for a more stringent and enforceable non-discrimination framework.

Impact on consumers and the payments ecosystem
The package aims to materially reduce online payment fraud, enhance trust in digital payments, preserve cash accessibility, and support innovation by levelling the competitive field between banks and non-bank PSPs. The measures underpin the broader EU ambition to create an integrated, secure and innovation-oriented payments market.

On 18 November 2025, the ECB published results of its Supervisory Review and Evaluation Process (SREP) for 2025.

The SREP shows that the banks supervised by the ECB have continued to exhibit strong capital and liquidity positions.

While euro area real GDP growth is expected to strengthen over the projection horizon and risks to the economic outlook have become more balanced following the trade agreements in the second half of the year, the macroeconomic environment in which European banks operate is still marked by heightened geopolitical risks and economic uncertainty.

The total capital ratio of significant institutions reached 20.1% as at end 2024, increasing slightly further to 20.2% in the second quarter of 2025. The Common Equity Tier 1 (CET1) ratio stood at 16.1% as at the second quarter of 2025. The weighted average leverage ratio stood at 5.9% as at the second quarter of 2025.

Banks continued to exhibit strong profitability, on the back of still favourable net interest income (NII), with the aggregated annual return on equity (ROE) standing at 9.5% at the end of 2024, as compared with 9.3% in 2023, and increasing further to 10.1% in the second quarter of 2025. However, cost pressures intensified, in some cases offsetting increases in NII. The cost-to-income ratio decreased to 54.9% in 2024 and remained stable in the second quarter of 2025, from 57.0% in 2023.

In the 2025 SREP cycle, the average overall SREP score improved further to 2.5 (2.6 in 2024).

Looking ahead, and in line with the current supervisory priorities, supervisors will prioritise prudent risk-taking and sound credit standards to prevent the emergence of future NPLs. Moreover, to ensure adequate credit risk management, they will continue to monitor banks’ exposure to vulnerable sectors against the backdrop of the current global environment and resulting economic uncertainty. In addition, supervisors will review institutions’ implementation of the standard approach to ensure adequate capitalisation and consistent implementation of CRR III.

On 24 November 2025, the EC published Proposal for a Regulation amending MiFiR on equity market liquidity, market data and post trade risk reduction services.

The regulation primarily revises the criteria defining a "liquid market" for equity instruments by replacing the previous "free float" criterion with a "market capitalisation" criterion set at EUR 100 million, applicable to shares, depositary receipts, ETFs, and certificates. This ensures consistent liquidity assessments by competent authorities using parameters such as market capitalisation, average daily turnover, and the number of transactions, including specific provisions for newly admitted instruments during their initial six weeks of trading. Competent authorities conduct assessments at predetermined intervals, with results published for use by market operators and investment firms.

The amendment removes provisions clarifying what constitutes a "reasonable commercial basis" for market data publication by trading venues and systematic internalisers, following changes introduced by MiFIR Review (Regulation (EU) 2024/791), which empowers ESMA to develop regulatory technical standards on this matter. It also deletes the size-specific obligation for systematic internalisers regarding non-equity instruments, consistent with the removal of pre-trade transparency requirements for these instruments.

Additionally, the regulation specifies conditions defining post-trade risk reduction (PTRR) services, which include compression, rebalancing, and basis risk optimisation services, exempting transactions formed through these services from certain transparency, trading, and best execution requirements. PTRR services must operate under predetermined non-discretionary rules, apply risk reduction across portfolios neutrally, and should not influence price formation.

The amendment also abolishes portfolio compression services' publication requirements, removing obligations for investment firms and market operators to disclose transaction volumes and timing through approved publication arrangements ("APAs").

The regulation was developed after extensive stakeholder consultations, including public feedback on liquidity thresholds and PTRR services' definitions, leading to confirmation of ESMA’s proposed criteria. The legal updates are effective from 23 August 2026 and aim to enhance market transparency, data availability on a reasonable commercial basis, and clarify regulatory obligations in EU financial markets under MiFIR and MiFID II.

On 7 November 2025, the EC published consultation on Sustainable investment – review of the EU taxonomy environmental delegated act.

The EU Taxonomy is a classification system that defines criteria for environmentally sustainable economic activities, which helps incentivise investments needed for the green transition of the EU economy.

The core problem this initiative aims to tackle is that certain technical screening criteria set out in the Climate and Environmental Delegated Acts have proven difficult to apply in practice. While the EU Taxonomy is an important element of the EU Sustainable Finance framework, stakeholders have flagged in some instances inconsistencies, legal uncertainty, and overly complex technical screening criteria, drawing on the experience gained in the first years of application and reporting.

The Consultation closes on 5 December 2025.

On 13 November 2025, the EP publishes press release on Parliament adopting its position on simplified sustainability reporting and due diligence duties for businesses.

MEPs consider that only businesses employing on average over 1750 employees and with a net annual turnover of over €450 million should have to carry out social and environmental reporting. Only businesses within this scope would also be required to provide sustainability reporting under taxonomy rules (i.e. a classification of sustainable investments).

Due diligence requirements would apply only to large corporations with more than 5,000 employees and a net annual turnover of over €1.5 billion. MEPs want these businesses to adopt a risk-based approach to monitoring and identifying their negative impact on people and the planet. Instead of systematically requesting information from their smaller business partners, they should rely on information that is already available and could only request additional information from their smaller business partners as a last resort.

These companies would no longer need to prepare a transition plan to make their business model compatible with the Paris Agreement and could face fines for not complying with due diligence requirements the guidance on which will be provided by the Commission and member states. Offending firms would be liable at the national rather than EU level and

On 10 November 2025, the EU publishes Corrigendum to Directive (EU) 2024/1760 of the European Parliament and of the Council of 13 June 2024 on corporate sustainability due diligence and amending Directive (EU) 2019/1937 and Regulation (EU) 2023/2859 (OJ L, 2024/1760, 5.7.2024).

1. On page 27, footnote 33:
for: ‘(33) Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1).’,
read: ‘(33) Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1).’.

2. On page 32, in Article 6(1):
for: ‘1. Member States shall ensure that parent companies falling under the scope of this Directive are allowed to fulfil the obligations set out in Articles 7 to 11 and Article 22 …’
,
read: ‘1. Member States shall ensure that parent companies falling under the scope of this Directive are allowed to fulfil the obligations set out in Articles 7 to 16 and Article 22 …’.

BACKGROUND

On 10 November 2025, the European Union published Commission Delegated Regulation (EU) 2025/1416 in the Official Journal. Although adopted on 11 July 2025, the regulation becomes applicable three days after its publication. It amends Delegated Regulation (EU) 2023/2772 to adjust the timetable for applying certain ESRS disclosure requirements.

This amendment follows the Commission’s Omnibus Simplification Package, which proposes to significantly narrow the scope of undertakings required to report sustainability information under the CSRD by limiting the obligation to large undertakings with more than 1,000 employees. As long as this legislative process is ongoing, the Commission considers it disproportionate to introduce stricter or additional reporting obligations for undertakings that may ultimately fall outside the revised scope. The amendment therefore modifies the ESRS phase-in framework to ensure proportionality and alignment with the evolving legislative landscape.

WHAT'S NEW?

From financial year 2025 onwards, undertakings within the CSRD/ESRS scope will apply the revised phase-in table in Appendix C of ESRS 1 and the updated wording of ESRS 2 §17.

Application for entities already reporting for FY 2024
Undertakings that begin reporting for financial year 2024 will follow the adjusted phase-in path for 2025 and 2026. The updated Appendix C now extends the temporary exemptions for the most complex topical standards (ESRS E4, S2, S3, S4), allowing these entities additional time to build the necessary reporting capabilities.

Minimum disclosures when exemptions are used
Any undertaking making use of temporary exemptions for full topical standards must still conduct a materiality assessment for ESRS E4, S1, S2, S3 and S4. Where a topic is assessed as material, the entity must provide the minimum set of summarised disclosures required under ESRS 2 §17, ensuring baseline transparency during the phase-in period.

Interaction with broader CSRD reforms
Member States and reporting undertakings will need to consider this Delegated Regulation together with Directive (EU) 2025/794 and the ongoing legislative process for the Omnibus Simplification Package. The overall scope of undertakings required to report under CSRD may evolve once negotiations on that package are finalised.

Overall, Delegated Regulation (EU) 2025/1416 recalibrates the ESRS phase-in regime to reduce unnecessary burdens, maintain proportionality, and ensure that complex reporting requirements are introduced in a more coherent and manageable manner.

WHAT'S NEXT?

From financial year 2025 onwards, undertakings must apply the revised phase-in schedule in Appendix C of ESRS 1 and the updated minimum disclosure obligations in ESRS 2.

Entities already reporting for FY 2024 will follow an adjusted phase-in path for 2025 and 2026, benefiting from extended relief for the most complex topical standards.

Minimum disclosures during exemptions must still be provided when material, ensuring continuity of transparency.

Interaction with broader CSRD reform remains important, as the scope of undertakings subject to sustainability reporting may change once the Omnibus Simplification Package is finalised.

On 3 November 2025, the EU published Commission Delegated Regulation (EU) 2025/1143 of 12 June 2025 supplementing Regulation (EU) No 600/2014 of the European Parliament and of the Council with regard to regulatory technical standards on the authorisation and organisational requirements for approved publication arrangements and approved reporting mechanisms, and on the authorisation requirements for consolidated tape providers, and repealing Commission Delegated Regulation (EU) 2017/571.

This regulation supplements Regulation (EU) No 600/2014 concerning technical standards for data reporting service providers (DRSPs)—specifically, approved publication arrangements (APAs), approved reporting mechanisms (ARMs), and consolidated tape providers (CTPs).

It updates the authorisation and organisational requirements, mandates ongoing compliance, and repeals the previous Delegated Regulation (EU) 2017/571. The regulation emphasizes the importance of strong governance, organisational independence, conflict of interest management, and robust internal controls, including the digital operational resilience standards mandated by Regulation EU 2022/2554.

Key provisions include detailed requirements for organisational structures, governance policies, management body composition, and internal control systems. The regulation also specifies the data quality monitoring processes, error correction procedures, security measures, and the use of machine-readable formats for data publication, facilitating automated access and analysis. Furthermore, it mandates transparency around fees, energy consumption for operations, and the oversight of third-party providers, ensuring operational integrity and resilience.

Entities seeking authorisation are required to submit comprehensive information demonstrating compliance with these standards, including organisational charts, governance policies, conflict management strategies, and ICT risk management arrangements. Authorisation and ongoing supervision are handled by ESMA or relevant national authorities, who will assess organizational capacity, independence, and operational resilience. The regulation aligns with broader EU initiatives to create a unified framework for data reporting and transparency in financial markets, reflecting the EU's aim to enhance market integrity, investor protection, and operational robustness across all market segments.

This Regulation enters into force 24 November 2025.

BACKGROUND

On 3 November 2025, the EU published Commission Delegated Regulation (EU) 2025/1155 of 12 June 2025 supplementing MiFIR with new regulatory technical standards on (i) the input and output data of consolidated tapes, (ii) the synchronisation of business clocks, and (iii) the revenue redistribution mechanism for the equity consolidated tape. The regulation updates the technical framework needed for the establishment and operation of the MiFIR consolidated tapes and repeals Delegated Regulation (EU) 2017/574 to reflect recent MiFIR amendments.

WHAT'S NEW?

The RTS sets harmonised obligations for data contributors (regulated markets, MTFs, systematic internalisers, DPEs, APAs, and investment firms operating SME growth markets) to deliver pre- and post-trade data to CTPs as close to real time as technically possible, subject to strict latency thresholds (50ms for shares/ETFs; 500ms for bonds and derivatives). All input data must adhere to the ISO 20022 methodology at conceptual and logical levels to ensure consistency across contributors.

Minimum transmission protocol requirements are introduced, covering performance, reliability, security (secure transport, authentication), and compatibility, ensuring high-quality consolidated market data. The RTS also specifies the full set of mandatory data fields for both input (contributors) and output (CTPs).

A key component is Chapter III on business clock synchronisation. Trading venues, investment firms, SIs, APAs, DPEs and CTPs must synchronise their clocks to UTC, documenting traceability and meeting accuracy thresholds depending on trading activity. For members and users of trading venues:

• High-frequency algorithmic trading: max 100 microseconds divergence; 0.1 microsecond granularity.
• Voice trading, RFQ with human intervention, negotiated trades: max 1 second divergence; 1 second granularity.

Finally, the RTS establishes a revenue redistribution scheme for the equity CTP, with weighting criteria for trading volumes and admissions to trading, and enforcement mechanisms including suspension from revenue redistribution for serious reporting breaches.

WHAT'S NEXT?

The regulation enters into force on 24 November 2025, but provisions on business clock synchronisation (Articles 11–16) apply from 2 March 2026.

On 3 November 2025, the EU published CDR (EU) 2025/1246 of 18 June 2025 amending the regulatory technical standards laid down in Delegated Regulations (EU) 2017/583 and (EU) 2017/587 as regards transparency requirements for trading venues and investment firms in respect of bonds, structured finance products, emission allowances, and equity instruments.

The Regulation modifies pre- and post-trade transparency standards, definitions, and obligations stemming from Regulation EU No 600/2014 (MiFIR). Key aspects include removing outdated definitions related to package transactions, amending conditions for central limit order books and periodic auction systems, updating requirements for deferred publication of transactions, distinguishing bond categories for deferral calibration, and introducing static liquidity determinations for certain financial instruments.

The amendments also set specific thresholds for large-scale orders, improve data granularity for equity systematic internalisers, and clarify transparency for trading systems and transaction types. It maintains mandated timelines for publication, including a deferral period schedule and real-time reporting within five minutes after trade execution. The Regulation grants competent authorities powers to temporarily suspend transparency obligations under defined liquidity conditions.

The effective application date is deferred to prepare market participants and consolidate tape providers for implementation. This update targets harmonising transparency rules to streamline and stabilise market data reporting and increase market integrity in line with current market practices and technological advancements.

The Regulation enters into force on 24 November 2025.

On 20 November 2025, the EC published press release on adoption rules for sustainable financial products.

Key elements of the proposal are:
Simplified disclosures: The Commission proposes to delete entity-level disclosure requirements for Financial Market Participants (FMPs) concerning principal adverse impacts indicators. This aims to streamline corporate disclosures by addressing overlaps between the Corporate Sustainability Reporting Directive (CSRD) and SFDR, reducing implementation costs. In the future, only the largest FMPs subject to updated CSRD thresholds will disclose their environmental and societal impacts, significantly cutting reporting burdens and eliminating duplications. At the product level, disclosures will be reduced to focus only on data that is available, comparable, and meaningful, giving providers clarity to design and present sustainability characteristics more relevant and comparable for investors. The revised disclosures will also be more retail-friendly for ease of understanding.

Clear categorisation system: Based on stakeholder consensus, the Commission proposes a simple product categorisation with three clear categories aligned with existing market practices and regulatory guidance. This aims to simplify retail investors’ investment journeys and facilitate informed decisions. The categories are:

• Sustainable category: products contributing to sustainability goals, investing in companies or projects meeting high sustainability standards;
• Transition category: products investing in companies/projects not yet sustainable but on credible transition paths contributing to improvements in climate, environment, or social areas;
• ESG basics category: products integrating various ESG approaches but not meeting the above criteria, such as best-in-class performers or pursuing returns while excluding worst ESG performers.

Categorised products must have at least 70% of investments supporting the chosen sustainability strategy and exclude investments in harmful industries like tobacco, prohibited weapons, fossil fuels beyond limits, and human rights violators. ESG claims in names and marketing will be restricted to these categorised products, a key step to combat greenwashing and increase trust in sustainable investments. This framework seeks to balance simplification and enhanced transparency to better serve both providers and investors.

On 26 November 2025, the EP publishes on approved proposal to simplify InvestEU programme reporting requirements.

InvestEU is the EU’s main instrument for attracting public and private investment. The proposal is part of the Omnibus II package, which seeks to simplify EU rules, boost competitiveness, and enhance investment capacity.

The changes will reinforce the InvestEU programme with a €2.9 billion increase in the EU guarantee. This additional guarantee will enable more financial support to be channelled, for instance, into housing, modern transport infrastructure, clean energy technologies, and skills development.

Other changes include improved oversight and simplified procedures to encourage greater private-sector involvement, as well as the introduction of a €50 million turnover cap in the definition of small and medium-sized enterprises, to ensure that funding actually reaches them.