On 25 April 2025, the EBA published draft RTS for the appointment of contact points by crypto providers.

Draft RTS define when crypto-asset service providers (CASPs) have to appoint a central contact point. A central contact point can be an important tool in the fight against financial crime.

CASPs established in one EU Member State can provide services in another EU Member State. In some cases, where they have a local ‘establishment’, for example a crypto ATM, they must comply with local AML/CFT obligations as well as those that apply in the home Member State. In those situations, central contact points can help mitigate the money laundering and terrorist financing (ML/TF) risks associated with the cross-border provision of crypto asset services and facilitate adequate AML/CFT supervision and oversight.

The draft RTS set out:

• The conditions under which CASPs should appoint a central contact point; and
• The roles and responsibilities of that central contact point.

In line with the EBA’s legal mandate, the draft RTS do not define the form a central contact point should take, or where in the EU it should be based.

On 25 April 2025, the ECB published ECMS User Test Execution Testing Conditions.

The ECMS functionalities are categorised into 12 different functionalities (See Annex 1). The counterparties (CPTYs)/CSDs/TPAs as part of the ECMS testing actors will be regularly informed via this testing conditions document of an overview of the ECMS functionalities that are open for counterparty testing and of the software limitations that are impacting testing for the functionality opened for CPTY/CSD/TPA testing. With this communication, all the CPTYs/CSDs/TPAs involved in UT are informed of the testing conditions i) enabling fine tuning of local test plan efforts and ii) avoiding defects/bugs on the known/documented limitations. 

This overview is updated on a fortnightly basis, and all involved ECMS testing actors are informed of any update on the planning of the testable scope.

The document starts with presenting in section 2.1 the complementary information to the principles and planning aspects stated in User Testing Terms of Reference for Pre-Production, in line with ECMS current testing conditions. 

Then, the document presents in section 2.2 the overview of testing conditions in two categories: 

• Functional domains open for CPTY/CSDs/TPAs testing (including the functional elements to be opened in upcoming 2 weeks period) in ECMS UT phase including the limitations that might impact the testing of these functionalities. 
• Functionalities that the Eurosystem has not fully tested and hence are not open for CPTY/CSDs/TPAs testing in the ECMS UT phase.

On 14 April 2025, EDPB adopted guidelines on processing personal data through blockchains.

A blockchain is a distributed digital ledger system that can confirm transactions  and  establish  who  owned  a  digital  asset  (such  as cryptocurrency)  at  a  given  time. Blockchains can also support the secure handling and transfer of data, ensuring its integrity and traceability.

As the use of blockchain technologies is expanding, the Board considers it important to help organisations using these technologies to comply with the GDPR. 

In its guidelines, the EDPB explains how blockchains work, assessing the different possible architectures and their implications for the processing of personal data.

The guidelines highlight the importance of implementing technical and organisational measures at the earliest stages of the design of the processing. The EDPB also clarifies that the roles and responsibilities of the different actors in a blockchain-related processing of personal data should be assessed during the design of the processing.

In addition, organisations should carry out a Data Protection Impact Assessment (DPIA) before processing personal data through blockchain technologies, where the processing is likely to result in a high risk to the rights and freedoms of individuals.

According to the Board, organisations should also ensure the highest protection of individuals’ personal data during the processing so that they are not made accessible to an indefinite number of persons by default.

The guidelines provide examples of different techniques for data minimisation, as well as for handling and storing personal data. As a general rule, storing personal data in a blockchain should be avoided if this conflicts with data protection principles.

Finally, the Board highlights the importance of the rights of individuals especially regarding transparency, rectification and erasure of personal data. 

The guidelines will be subject to public consultation until 9 June 2025, providing stakeholders with the opportunity to comment.

On 29 April 2025, the ESMA issued supervisory guidelines to prevent market abuse under MiCA.

Based on ESMA's experience under Market Abuse Regulation (MAR), the guidelines intended for NCAs include general principles for effective supervision and specific practices for detecting and preventing market abuse in crypto assets. They consider the unique features of crypto trading, such as its cross-border nature and the intensive use of social media.

The guidelines set out general principles requiring supervisory activity to be risk-based and proportionate, and set the objective for NCAs to build a common supervisory culture specific for crypto assets through an open dialogue with the industry and interactions with other NCAs.

The guidelines aim to support consistent and efficient supervisory practices among NCAs, ensuring a common supervisory culture for crypto assets.

The Guidelines will be translated into all EU languages and published on ESMA’s website and will start applying three months after that date. However, ESMA recommends that NCAs already start implementing the principles included in the guidelines whilst waiting for the translations.

On 10 April 2025, the ESMA published report on the rules on firms’ order execution policies under MiFID II.

In the draft RTS ESMA specifies the rules, with the objective to enhance investment firms’ order execution and foster investor protection.

The RTS includes requirements on: 

• the establishment of an investment firm’s order execution policy; this includes the classification of financial instruments in which firms execute client orders and the selection of venues for the order execution policy;
• the investment firm’s procedures and criteria to monitor and regularly assess the effectiveness of its order execution arrangements and order execution policy;
• the investment firm’s execution of client orders through own account dealing; and
• how an investment firm should deal with specific client instructions.

The overall objective is to ensure that the rules from the MiFIR Review are applied consistently, with simplification and burden reduction as the guiding principle.  

On 15 April 2025, the ESMA published final report on Draft regulatory technical standards on liquidity management tools under the AIFMD and UCITS directive.

The revised AIFMD and UCITS Directive provide that ESMA shall develop draft regulatory technical standards (RTS) to determine the characteristics of liquidity management tools (LMTs) available to AIFMs managing open-ended AIFs and to UCITS. 

On 8 July 2024, ESMA published a Consultation Paper (CP) on the proposed draft RTS. The public consultation closed on 8 October 2024. This final report includes the revised RTS developed taking into account the feedback received to the consultation.

The draft RTS set out in this final report have been submitted to the European Commission for adoption. From the date of submission, the European Commission shall take a decision on whether to adopt the RTS within three months. The Commission may extend that period by one month.

On 24 April 2025, the ESMA published its  annual risk assessment of leveraged AIFs.

On an annual basis, National Competent Authorities (NCAs) and ESMA assess the risks posed by leveraged Alternative Investment Funds (AIFs), within the framework defined by ESMA’s Guidelines on AIFMD Article 25. This article provides the summary of the 2024 risk assessment. ESMA identify leverage-related risks within different categories of AIFs and assess their potential systemic relevance. 

• Leveraged AIFs overall: The overall level of leverage of funds included in the sample remains limited. However, substantially leveraged funds increased their leverage further. The median leverage ratio of the substantially leveraged funds increased from 450% in 2022 to 530% in 2023, which calls for attention;
• Real estate (RE) funds: REs operated in a market environment of falling real estate prices, especially in Commercial Real estate (CRE). While the RE fund sector has been resilient at EU level, the combination of declining real estate prices and outflows from some funds put pressure on RE funds in some jurisdictions. Given that leverage limits under AIFMD Article 25 are a macroprudential tool, the systemic relevance of RE funds needs to be considered. RE funds could be systemically relevant in jurisdictions where groups of RE funds own a large share of the underlying market for real estate assets;
• Hedge funds (HFs): HFs display the highest levels of leverage. Their risk is first assessed on an individual basis, as specific HF strategies can limit the relevance of group analysis. However, HFs also collectively have considerable exposures to sovereign bonds across strategies, which may pose a risk of market impact;
• Other AIFs: The category of “other AIFs” – which is by far the largest type of AIFs – includes GBP Liability-Driven Investment (LDI) funds, which gain leveraged exposures to the UK government bond market and have been subject to specific resilience requirements and an increased monitoring since 2022. The assessment shows that imposing limits to the interest rate risk they can take successfully increased the resilience of the sector, and for some funds resulted in a decline of leverage. As a consequence, the Central Bank of Ireland (CBI) and the Commission de Surveillance du Secteur Financier (CSSF), decided to turn these measures into an “other restriction” under Article 25(3) of the AIFMD.

Finally,  ESMA also consider the contribution of AIFs to the funding of non-financial corporations (NFCs). Our assessment shows that their contribution to the corporate bond markets is already substantial, thus highlighting the importance of the resilience of the AIF sector for the real economy. 

This article contributes to ESMA’s financial stability objective by presenting the AIFMD Article 25 framework and the results of the risk assessment performed by ESMA and NCAs in 2024, based on the end of 2023 AIFMD data.

On 24 April 2025, the ESMA published its first analysis on risks in UCITS.

UCITS are subject to tight regulatory constraints, designed to ensure diversified portfolios and control over all market exposure. These rules also limit their use of financial derivatives for both investment and hedging purposes. When using such instruments, funds can manage their risk profile by employing the so-called absolute Value-at-Risk (VaR) approach and thereby assess the maximum potential loss they might incur at any given time.

In a new analysis, ESMA reports that UCITS using the absolute VaR approach to manage their risk profile account for around 8% of the UCITS universe. These funds follow a heterogeneous range of investment strategies and can increase their exposures using derivatives. Withing this group, a subset of funds shows risk profiles and characteristics more commonly associated with hedge funds, such as complex derivative exposures with high levels of gross leverage and heightened sensitivity to market conditions. These funds tend to be exposed to risks related to liquidity imbalances and complexity, and some have higher risks than hedge funds. While this subset is small (2% of the UCITS segment), they have a larger volume of assets than EU hedge funds. 

The diversity of strategies and relatively fragmented manager base in the VaR UCITS segment reflects a dynamic market but also underscores the importance of close supervisory attention to ensure risks are properly understood and managed.

On 15 April 2025, the ESMA published Final Report on the Guidelines on LMTs of UCITS and open-ended AIFs.

The revised AIFMD and UCITS Directive1 provide that ESMA shall develop guidelines on the selection and calibration of liquidity management tools (LMTs) by UCITS and AIFMs of open-ended AIFs for liquidity risk management and for mitigating financial stability risks. Those guidelines shall recognise that the primary responsibility for liquidity risk management remains with the UCITS and AIFM. Furthermore, they shall include indications as to the circumstances in which side pockets can be activated and allow adequate time for adaptation before they apply, in particular for existing UCITS and open-ended AIFs. On 8 July 2024, ESMA published a Consultation Paper (CP) on the proposed draft guidelines. The public consultation closed on 8 October 2024. 

This final report includes the revised guidelines developed taking into account the feedback received to the consultation.

The Guidelines in Annex III of this report will be translated into the official EU languages and published on the ESMA website. The publication of the translations will trigger a two-month period during which NCAs must notify ESMA whether they comply or intend to comply with the guidelines. The Guidelines will apply upon the application date of the RTS on the characteristics of the Liquidity Management Tools (LMTs).

On 23 April 2025, the EC published Commission Delegated Regulation (EU) supplementing Regulation (EU) No 575/2013 of the European Parliament and of the Council with regard to regulatory technical standards specifying the conditions and indicators that the EBA is to use to determine whether extraordinary circumstances in the sense of Article 325az(5) and Article 325bf(6) of that Regulation have occurred.

In accordance with Articles 325bf(6) and 325az(5) of Regulation (EU) No 575/2013, as amended by Regulation (EU) 2024/1623, competent authorities may permit institutions to derogate from certain requirements of the regulatory framework for the use of internal models, or apply a softer version of those requirements, where a situation of extraordinary circumstances has occurred. In accordance with Article 325az(9) CRR, the occurrence of extraordinary circumstances shall be determined by the EBA, which must issue an opinion to that effect. 

The delegated act establishes a high-level framework for identifying a situation of extraordinary circumstances, by setting out conditions that need to be met and indicators that the EBA shall use to determine whether extraordinary circumstances have occurred. 

The delegated act foresees that extraordinary circumstances could be recognised where there is a situation of significant cross-border financial market stress, or a major regime shift associated with a similar level of stress (e.g. a liquidity crisis), that are capable of rendering the outcome of the back-testing and profit and loss attribution requirements inappropriate.

As regards the indicators to be used to identify a situation of extraordinary circumstances, the delegated act envisages that at least volatility indicators, including indicators of realised volatilities, and correlation indicators should be considered. The assessment should also take into account how quickly the financial stress manifested or the regime shift happened. Other indicators and factors that are representative of or reflect the nature of the stress or regime shift can also be taken into consideration.

On 3 April 2025, the European Parliament voted postpone the application dates for new EU laws on due diligence and sustainability reporting requirements.

The new due diligence rules require companies to mitigate their negative impact on people and the planet. Member states will have an extra year – until 26 July 2027 – to transpose the rules into national legislation. The one-year extension will also apply to the first wave of businesses to be affected, namely: EU companies with over 5,000 employees and net turnover higher than €1.5 billion, and non-EU companies with a turnover above this threshold in the EU. These companies will only have to apply the rules from 2028. The date of application will be the same for the second wave of companies: those in the EU with over 3,000 employees and net turnover higher than €900 million, and non-EU companies with turnover above that threshold in the EU.

Application of the sustainability reporting directive will also be delayed by two years for the second and third waves of companies covered by the legislation. Large companies with more than 250 employees will be required to report on their social and environmental measures for the first time in 2028 for the previous financial year, while listed small and medium-sized enterprises will have to provide this information one year later.

To speed up adoption of the measures, the Parliament agreed to deal with the file under its urgent procedure. To enter into force, the draft law now requires formal approval by the Council, which endorsed the same text on 26 March 2025.

On 16 April 2025, the EU published Directive (EU) 2025/794 of the European Parliament and of the Council of 14 April 2025 amending Directives (EU) 2022/2464 and (EU) 2024/1760 as regards the dates from which Member States are to apply certain corporate sustainability reporting and due diligence requirements.

In its communication of 11 February 2025 entitled ‘A simpler and faster Europe: Communication on implementation and simplification’, the Commission set out a vision for an implementation and simplification agenda that delivers fast and visible improvements for people and business on the ground. That requires more than an incremental approach and the Union is to take bold action to achieve that goal. The European Parliament, the Council, the Commission, the authorities of the Member States at all levels and stakeholders need to work together to streamline and simplify Union, national and regional rules and to implement policies more effectively.

In the context of the Commission’s commitment to reducing reporting burdens and to enhancing competitiveness, it is necessary to introduce targeted amendments to Directives (EU) 2022/2464 and (EU) 2024/1760  of the European Parliament and of the Council in order to achieve those objectives, whilst maintaining the policy objectives of the Green Deal as set out in the Commission’s communication of 11 December 2019 entitled ‘The European Green Deal’ and the Sustainable Finance Action Plan as set out in the Commission’s communication of 8 March 2018 entitled ‘Action Plan: Financing Sustainable Growth’.

Directive (EU) 2022/2464 specifies the dates from which Member States are to apply the sustainability reporting requirements set out in Directive 2013/34/EU of the European Parliament and of the Council, with different dates depending on the size of the undertaking concerned. Large undertakings that are public-interest entities with more than 500 employees on average during the financial year and public-interest entities that are parent undertakings of a large group with more than 500 employees on average on its balance sheet dates, on a consolidated basis, during the financial year are to report in 2025 for financial years beginning on or after 1 January 2024. Other large undertakings and other parent undertakings of a large group are to report in 2026 for financial years beginning on or after 1 January 2025. Small and medium-sized undertakings, except micro-undertakings, small and non-complex institutions, captive insurance undertakings and captive reinsurance undertakings are to report in 2027 for financial years beginning on or after 1 January 2026. Considering the ongoing Commission initiatives which aim to simplify certain existing sustainability reporting obligations and to reduce the related administrative burden on undertakings, and in order to provide for legal clarity and to avoid the undertakings currently required to report for financial years beginning on or after 1 January 2025 and on or after 1 January 2026 incurring unnecessary and avoidable costs, the sustainability reporting requirements for those undertakings should be postponed by two years.

This Directive enters into force on 16 April 2025. 

On 14 April 2025, the EU Council gave final green light on the ‘Stop-the-clock’ mechanism to boost EU competitiveness and provide legal certainty to businesses.

This proposal (the so-called ‘Stop-the-clock’ directive) postpones the dates of application of certain corporate sustainability reporting and due diligence requirements, as well as the transposition deadline of the due diligence provisions.

The proposal forms part of the ‘Omnibus I’ package adopted by the Commission at the end of February 2025 to simplify EU legislation in the field of sustainability. In view of significant implications for the business community, the Council and the European Parliament have treated this proposal with utmost priority aiming to provide EU companies with the necessary legal certainty as regards their reporting and due diligence obligations. 

The EU’s co-legislators therefore supported the Commission’s proposal to postpone:

• by two years the entry into application of the Corporate Sustainability Reporting Directive (CSRD) requirements for large companies that have not yet started reporting, as well as listed SMEs, and
• by one year the transposition deadline and the first phase of the application (covering the largest companies) of the Corporate Sustainability Due Diligence Directive (CSDDD).

On 1 April 2025, the FSMA published Anti-Money Laundering and Countering the Financing of Terrorism 

This circular informs obliged entities FSMA_2025_05 of the content and methods of transmission of information aimed at assessing the compliance and effectiveness of the anti-money laundering and countering the financing of terrorism system that they have put in place. This collection is carried out by means of an annual questionnaire, which is an important tool in the exercise of the FSMA's legal powers of permanent supervision in AML/CFT matters. 

The questionnaire dated 31 December 2024 will be made available on the FiMiS platform starting from 1 April 2025. It must be completed as soon as possible and no later than 6 May 2025.

On 29 March 2025 Belgium publishes Royal Decree transposing Article 3 of EU Directive  2023/2864 of the European Parliament and of the Council of 13 December 2023 amending certain Directives as regards the establishment and operation of the European Single Access Point.

The Royal Decree of 29 March 2025 transposes Article 3 of EU Directive 2023/2864 into Belgian law, adapting two key Royal Decrees: the Royal Decree of 14 November 2007 on the obligations of issuers of financial instruments and the Royal Decree of 21 August 2008 concerning multilateral trading facilities.

Chapter I introduces amendments to ensure that regulated information published by issuers is transmitted electronically to the European Single Access Point, operated by ESMA. It requires issuers to use specific formats, add metadata, and clarifies their obligations under GDPR. New definitions related to ESAP and data formats are also included.

Chapter II amends the 2008 Decree to ensure that companies listed on Alternext are excluded from these new ESAP-related requirements, as the Transparency Directive only applies to regulated markets.

This initiative aligns Belgium with the EU objective of centralizing financial and sustainability information to improve transparency, investor access, and regulatory supervision across member states.

It enters into force on 10 July 2026.

On April 2, 2025, the National Bank of Belgium (NBB) published Communication NBB_2025_05, announcing the digitalisation of the "qualifying holding" (QLF) and "fit & proper" (FAP) forms, effective from May 1, 2025. This initiative aims to streamline the submission process for these forms through the secure OneGate platform.?

The digitalisation applies to various financial institutions, including credit institutions, investment firms, payment institutions, electronic money institutions, insurance and reinsurance companies, central securities depositories, and their respective branches in Belgium and abroad. Additionally, it encompasses individuals or entities intending to acquire, increase, reduce, or transfer qualifying holdings in these institutions.?

The NBB emphasises the necessity for financial institutions to implement internal organisational measures to ensure the involvement of all responsible parties in the "fit & proper" process. This includes establishing clear procedures for the validation of QLF and FAP forms to maintain compliance with regulatory standards.?

Furthermore, the NBB has updated the validation method for both QLF and FAP forms. The previous system of scanned handwritten signatures will no longer be accepted. Instead, electronic validation will be required, relying on strong authentication via a OneGate electronic certificate. This new validation process will have the same legal effect as a qualified electronic signature, ensuring compliance with legal standards.?

Financial institutions are expected to establish clear internal policies regarding the individuals authorised to submit QLF and FAP forms on their behalf. These policies should ensure that all necessary information is accurately and securely transmitted to the NBB, maintaining the integrity and transparency of the regulatory process.?

On 10 April 2025, the Chambre des représentants de Belgique adopted Draft law on the supervision of financial messaging service providers.

The purpose of this draft law is to subject systemically important financial messaging service providers established in Belgium to a set of conditions for the exercise of their activity and to place them under the direct legal supervision of the National Bank of Belgium. 

The present draft law imposes a series of obligations on providers of systemically important financial messaging services established in Belgium. It is proposed to define such systemic importance on the basis of exceeding a threshold for the number of financial transactions, calculated in a calendar year, for which a provider has offered financial messaging services. 

In order to fully understand the objectives pursued by this draft law, it is first important to provide an overview of the supervisory activities that the Bank currently carries out with regard to financial market infrastructures and financial messaging service providers, in particular with regard to SWIFT. It will be clear that this oversight is mainly based on soft law and moral suasion, while at least part of this oversight of systemically important financial messaging service providers should be based on a legally binding and enforceable framework. That is therefore the real objective of this draft law. 

The reasons for setting these objectives are then explained in general terms, before reviewing the political, practical and legal choices that are proposed to implement them. 

Finally, where necessary, explanations are provided for each article as to the choices made and their possible implications.

News Belgium Publishes Article: "Paper and PDF invoices are now the past! Is your company ready for e-Invoicing?"

The FPS Finance and the FPS Economy are launching an awareness campaign. E-invoicing will become mandatory from 1 January 2026 for business-to-business  transactions. This obligation affects nearly 1.2 million companies subject to VAT. Today, nearly 250,000 companies are registered on Peppol, the secure network that facilitates the transmission of standardised business documents between companies. Many of them have yet to take the plunge. The FPS Finance and the FPS Economy are therefore launching an awareness campaign for them.

From 1 January 2026, all Belgian companies subject to VAT will have to use structured electronic invoices for B2B transactions. Sending invoices in PDF format by e-mail will no longer be enough; Invoices will have to be exchanged directly between the companies' software via structured formats.  

The government has launched an awareness campaign, providing resources through efacture.belgium.be, including FAQs and contact information to assist businesses in the transition. 

The aim is to reduce the VAT gap and digitize the Belgian economy. Belgium is one step ahead of the European regulation that will become mandatory for intra-community transactions from 1 July 2030

On 28 April 2025, the CVM's technical area published CVM/SRE Circular Letter 1/2025 on FIAGRO registrations and Other Securitization Securities.

The document aims to guide the market on requirements for automatic registration of public offerings for the distribution of Investment Funds in Agroindustrial Production Chains (FIAGRO) and Other Securitization Securities (OTS), according to Law 14,430 and CVM Resolutions 60 and 160.

The main topics of the documents are:

• Changes in the requirements for automatic registration of public offerings of FIAGRO, due to the issuance of CVM Resolution 214, which establishes Normative Annex VI of CVM Resolution 175, specific to FIAGRO, and revoked CVM Resolution 39;
• Use of automatic registration requirements for public offerings created specifically to deal with public offerings of OTS, which are not Certificates of Receivables; and
• Use of automatic registration requirements for public offerings created specifically to deal with public offerings of OTS, which are not Certificates of Receivables.

BACKGROUND

On 28 April 2025, the Central Bank of Brazil (BCB) published Resolution No. 5,206, which amends Resolution No. 4,072/2012 on the establishment and operation of foreign bank branches in Brazil. This update reflects Brazil’s efforts to make its financial sector more accessible to international players.

WHAT'S NEW?

Resolution CMN No. 5,206/2025 introduces the following changes:

• Simplified Documentation Requirements: Foreign financial institutions are now required to submit fewer documents to obtain authorization for setting up a branch.
• Streamlined Administrative Procedures: The approval process has been made more efficient, with reduced bureaucracy and simplified steps.
• Faster Processing Times: The expected time for reviewing and approving branch establishment requests has been significantly shortened, promoting quicker access to the Brazilian market.

WHAT'S NEXT?

The Resolution enters into force on 1 May 2025.

Foreign banks intending to establish a presence in Brazil can benefit from the simplified procedure immediately from that date.

Institutions should review the updated requirements to prepare any pending applications in line with the revised framework.

On 10 April 2025,  the Autorité de contrôle prudentiel et de résolution (ACPR) and the Autorité des marchés financiers (AMF) regularly update their blacklists of websites identified as offering unauthorized investments, particularly in the unregulated foreign exchange (Forex) market and in derivative products whose underlying assets are crypto-assets.

These lists include websites and platforms operating illegally or without proper authorization in France. The aim is twofold:

• To inform and protect the public from potentially fraudulent or high-risk actors.
• To prevent financial scams, especially in sectors that are often targeted due to their complexity and the difficulty of regulation, such as Forex and crypto derivatives.

The blacklists are published and regularly updated on the official websites of the AMF and the ACPR, sometimes in coordination with other European authorities.

Version française

Le 10 avril 2025, l’Autorité de contrôle prudentiel et de résolution (ACPR) et l’Autorité des marchés financiers (AMF) ont mis à jour leurs listes noires de sites identifiés comme proposant des investissements non autorisés, notamment sur le marché des changes non réglementé (Forex) et sur les produits dérivés dont les actifs sous-jacents sont des crypto-actifs.

Ces listes recensent des plateformes opérant illégalement ou sans autorisation en France. Elles visent à :

• informer et protéger le public contre les acteurs frauduleux ou à haut risque ;
• prévenir les arnaques financières, notamment dans les secteurs complexes comme le Forex ou les dérivés crypto.

Les listes sont régulièrement mises à jour sur les sites officiels de l’AMF et de l’ACPR, parfois en coordination avec d'autres autorités européennes.

On 7 April 2025, AMF published a communication related to the application the EBA Guidelines on Restrictive Measures for Crypto-Asset Service Providers

On November 14, 2024, the European Banking Authority (EBA) published its Guidelines EBA/GL/2024/15. These guidelines specify the requirements of Regulation (EU) 2023/1113 ("TFR 2") concerning internal policies, procedures, and controls aimed at ensuring the implementation of restrictive measures, such as asset freezes and economic restrictions, at both the European and national levels. They address measures related to the transfers of funds and transfers of crypto-assets.

The AMF is publishing Position DOC-2025-02 to incorporate these guidelines. This position will apply from December 30, 2025. It concerns Crypto-Asset Service Providers (CASPs) under AMF supervision according to Ordinance No. 2024-397 of October 15, 2024, as well as Digital Asset Service Providers (DASPs) that are registered and benefiting from the transitional period provided for by Law No. 2023-171 of March 9, 2023, and Article 143 of Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA), with the transitional period ending on July 1, 2026.

The goal is to strengthen CASPs’ and DASPs’ ability to identify, freeze, and report funds and crypto-assets linked to persons or entities subject to international sanctions. It also aims to harmonize compliance with restrictive measures across the European Union, in line with the objectives of the TFR 2 Regulation.

Version française

Le 7 avril 2025, l'AMF a publié une communication relative à l'application des lignes directrices de l'ABE sur les mesures restrictives applicables aux prestataires de services de crypto-actifs.

Le 14 novembre 2024, l'Autorité bancaire européenne (ABE) a publié ses lignes directrices EBA/GL/2024/15. Ces lignes directrices précisent les exigences du règlement (UE) 2023/1113 ( » TFR 2 ») concernant les politiques, procédures et contrôles internes visant à assurer la mise en œuvre de mesures restrictives, telles que le gel des avoirs et les restrictions économiques, tant au niveau européen que national. Elles traitent des mesures relatives aux transferts de fonds et aux transferts de crypto-actifs.

L'AMF publie la position DOC-2025-02 afin d'intégrer ces lignes directrices. Cette position s'appliquera à compter du 30 décembre 2025. Elle concerne les prestataires de services en crypto-actifs (PSAC) placés sous le contrôle de l'AMF selon l'ordonnance n° 2024-397 du 15 octobre 2024, ainsi que les prestataires de services en actifs numériques (PSAN) enregistrés et bénéficiant de la période transitoire prévue par la loi n° 2023-171 du 9 mars 2023 et l'article 143 du règlement (UE) n° 2023/1114 sur les marchés de crypto-actifs (MCA), la période transitoire s'achevant le 1er juillet 2026.

L'objectif est de renforcer la capacité des PCAS et des PSAD à identifier, geler et déclarer les fonds et les crypto-actifs liés à des personnes ou à des entités faisant l'objet de sanctions internationales. Il vise également à harmoniser le respect des mesures restrictives dans l'ensemble de l'Union européenne, conformément aux objectifs du règlement TFR 2.

On 28 April 2025,  AFG published a communication on the extension of the submission date of the RoI under DORA regulation.

The deadline for submitting the Register of Information (RoI) under the Digital Operational Resilience Act (DORA) has been extended to 23 May 2025.

Version française

Le 28 avril 2025, l'AFG a publié une communication sur l'extension de la date de soumission du RdI en vertu du règlement DORA.

La date limite de soumission du registre d'information (RoI) en vertu de la loi sur la résilience opérationnelle numérique (DORA) a été prolongée jusqu'au 23 mai 2025.

On  25 April 2025, the Irish Funds published  its 2024 Funds Annual Review that highlights the strength of the Irish industry and their work in reinforcing Ireland’s role as a global centre for investment funds – built on trust, capability and innovation. Irish Funds remains focused on supporting innovation and enhancing Ireland’s leadership in mobilising private capital.

Key achievements include :

• Successful re-launch of the ELTIF structure, enabling future growth for private asset strategies in Ireland.
• Secured the ‘fast track’ filing of documents with the CBI for funds with names that use ESG/sustainability terms. This represented substantial savings for managers/investors.
• Raising the public profile of our industry to secure stronger government commitment, as reflected in the Funds Sector 2030 Review and the Election Manifestos.
• Expanding promotional activity to new locations such as Milan and Frankfurt, which grow the potential market for our members’ services.
• Indecon Report confirmed and highlighted the significant growth and impact of our industry, reinforcing our messaging, through media visibility and enhanced government engagement

On 15 April 2025, Ireland's National Parliament published an Act to amend the Financial Services and Pensions Ombudsman Act 2017.

The key aim of the Financial Services and Pensions Ombudsman (Amendment) Act is to strengthen protections for financial consumers in Ireland by amending the legislation that underpins the FSPO, so that it can continue to carry out its statutory functions in line with the Constitution. This followed the Supreme Court Zalewski case that impacted on organisations that had a quasi-judicial function, such as the FSPO.

The act makes provision regarding the calculation of expenses incurred by the Ombudsman in the performance of his or her functions; to provide for the appointment of additional persons to act as Ombudsman; to make further provision for the conduct of investigations; to provide for certain other consequential amendments; and to provide for related matters.

This Act shall come into operation on such day or days as the Minister for Finance may appoint by order or orders either generally or with reference to any particular purpose or provision and different days may be so appointed for different purposes or different provisions.

On 8 April 2025, the CSSF published the Circular CSSF 25/879 related to information requirements in relation to transfers of funds and certain crypto-assets transfers under Regulation (EU) 2023/1113 (“Travel Rule Guidelines”).

The CSSF Circular CSSF 25/879 announces the adoption of the European Banking Authority's (EBA) Guidelines on information requirements for transfers of funds and certain crypto-asset transfers under Regulation (EU) 2023/1113, commonly referred to as the "Travel Rule Guidelines." These Guidelines aim to prevent the misuse of fund and crypto-asset transfers for money laundering and terrorist financing purposes by ensuring that payment service providers (PSPs), intermediary PSPs (IPSPs), crypto-asset service providers (CASPs), and intermediary CASPs (ICASPs) implement appropriate measures.?

Scope and Applicability: The Guidelines apply to PSPs, IPSPs, CASPs, and ICASPs operating within the EU.?

Implementation Date: The Guidelines come into effect on 30 December 2024, replacing the previous Joint Guidelines under Article 25 of Regulation (EU) 2015/847. ?

Requirements: Entities must establish procedures to detect and manage transfers lacking required information on the originator and beneficiary. This includes implementing effective systems to identify missing or incomplete information and taking appropriate actions to mitigate associated risks. ?

The adoption of these Guidelines seeks to harmonize practices across the EU, enhancing the overall effectiveness of the anti-money laundering and counter-terrorist financing (AML/CFT) framework.

Version française

Le 8 avril 2025, la CSSF a publié la Circulaire CSSF 25/879 relative aux exigences d'information concernant les transferts de fonds et certains transferts de crypto-actifs en vertu du Règlement (UE) 2023/1113 (les « Directives sur la règle du voyage »).

La Circulaire CSSF 25/879 annonce l'adoption des Directives de l'Autorité bancaire européenne (ABE) sur les exigences d'information pour les transferts de fonds et certains transferts de crypto-actifs en vertu du Règlement (UE) 2023/1113, communément appelées les « Directives sur la règle du voyage ». Ces directives visent à prévenir l'utilisation abusive des transferts de fonds et de crypto-actifs à des fins de blanchiment d'argent et de financement du terrorisme, en veillant à ce que les prestataires de services de paiement (PSP), les PSP intermédiaires (IPSP), les prestataires de services de crypto-actifs (CASP) et les CASP intermédiaires (ICAS) mettent en place des mesures appropriées.

Champ d'application et applicabilité : Les Directives s'appliquent aux PSP, IPSP, CASP et ICAS opérant au sein de l'UE.

Date de mise en œuvre : Les Directives entreront en vigueur le 30 décembre 2024, remplaçant les anciennes Directives conjointes en vertu de l'Article 25 du Règlement (UE) 2015/847.

Exigences : Les entités doivent mettre en place des procédures pour détecter et gérer les transferts manquant d'informations requises sur l'initiateur et le bénéficiaire. Cela inclut la mise en œuvre de systèmes efficaces pour identifier les informations manquantes ou incomplètes et prendre les mesures appropriées pour atténuer les risques associés.

L'adoption de ces Directives vise à harmoniser les pratiques au sein de l'UE, renforçant ainsi l'efficacité globale du cadre de lutte contre le blanchiment d'argent et le financement du terrorisme (LBC/FT).

BACKGROUND

On 30 April 2025, the CSSF published Circular CSSF 25/885, implementing the European Banking Authority (EBA) guidelines for supervising compliance with the Markets in Crypto-Assets Regulation (MiCAR), specifically Titles III and IV on asset-referenced tokens (ARTs) and e-money tokens (EMTs).

WHAT'S NEW?

The EBA has developed standardized supervisory templates to support national authorities in:

• Assessing authorization applications from ART and EMT issuers.
• Monitoring ongoing compliance, including reserve management, governance, and investor protection measures.
• Ensuring coordinated supervision and information-sharing among EU regulators.Supporting enforcement actions in case of breaches.

These templates aim to harmonize supervisory practices across the EU.

WHAT'S NEXT?

For firms issuing ARTs or EMTs, supervisory expectations will now be more predictable and standardized, reducing regulatory uncertainty and promoting a level playing field within the EU.

Version française

BACKGROUND

Le 30 avril 2025, la CSSF a publié la circulaire CSSF 25/885, mettant en œuvre les lignes directrices de l'Autorité bancaire européenne (ABE) pour la surveillance de la conformité avec le règlement sur les marchés des crypto-actifs (MiCAR), en particulier les titres III et IV sur les jetons référencés par des actifs (ART) et les jetons de monnaie électronique (EMT).

WHAT'S NEW?

L'ABE a élaboré des modèles de surveillance normalisés pour aider les autorités nationales à :

• Évaluer les demandes d'autorisation des émetteurs d'ART et d'EMT.
• Contrôler la conformité en cours, y compris la gestion des réserves, la gouvernance et les mesures de protection des investisseurs.
• Assurer une supervision coordonnée et le partage d'informations entre les régulateurs de l'UE.
• Soutenir les mesures d'exécution en cas de violation.

Ces modèles visent à harmoniser les pratiques de surveillance dans l'ensemble de l'UE.

WHAT'S NEXT?

BACKGROUND

On 30 April 2025, the CSSF published Circular CSSF 25/890, implementing the Joint Guidelines from the European Supervisory Authorities (ESAs) (JC 2024 28) to support the application of Regulation (EU) 2023/1114 (MiCAR) on crypto-assets.

WHAT'S NEW?

The circular introduces standardized templates and a classification test for crypto-assets (excluding ARTs and EMTs).

• - Requirements for firms offering or admitting crypto-assets to submit detailed explanations and legal opinions using the prescribed formats.
• Obligations for non-credit institutions issuing ARTs to submit legal opinions aligned with these templates.
• A standardised classification test to help firms determine if a crypto-asset falls within MiCAR’s scope, ensuring proper regulatory treatment.

This circular applies to national regulators, crypto-asset service providers (CASPs), and firms dealing in crypto-assets, including non-credit institutions offering ARTs.

WHAT'S NEXT?

The guidelines become effective on 12 May 2025.

Firms must:

• Use the new templates for reporting and legal documentation.
• Apply the classification test to determine MiCAR applicability.
• Ensure submission of appropriate legal opinions, particularly for ARTs issued by non-credit institutions, to remain compliant and reduce regulatory risk.

Version française

BACKGROUND

Le 30 avril 2025, la CSSF a publié la circulaire CSSF 25/890, mettant en œuvre les lignes directrices conjointes des autorités européennes de surveillance (AES) (JC 2024 28) pour soutenir l'application du règlement (UE) 2023/1114 (MiCAR) sur les crypto-actifs.

WHAT'S NEW?

La circulaire introduit :

• Des modèles standardisés et un test de classification pour les crypto-actifs (à l'exclusion des ART et EMT).
• L'obligation pour les entreprises qui offrent ou admettent des crypto-actifs de soumettre des explications détaillées et des avis juridiques en utilisant les formats prescrits.
• L'obligation pour les établissements autres que les établissements de crédit qui émettent des ART de soumettre des avis juridiques conformes à ces modèles.
• Un test de classification standardisé pour aider les entreprises à déterminer si un crypto-actif entre dans le champ d'application du MiCAR, garantissant ainsi un traitement réglementaire approprié.

Cette circulaire s'applique aux régulateurs nationaux, aux fournisseurs de services de crypto-actifs (CASP) et aux entreprises traitant des crypto-actifs, y compris les établissements autres que les établissements de crédit qui proposent des ART

WHAT'S NEXT?

Les lignes directrices entrent en vigueur le 12 mai 2025.

Les entreprises doivent :

• Utiliser les nouveaux modèles de déclaration et de documentation juridique.
• Appliquer le test de classification pour déterminer l'applicabilité du MiCAR.
• Veiller à soumettre des avis juridiques appropriés, en particulier pour les ART émises par des établissements autres que des établissements de crédit, afin de rester conformes et de réduire le risque réglementaire.

BACKGROUND

On 24 April 2025, the CSSF published a communication on the correction of the most frequent issues in the submitted Registers of Information (RoI) under DORA. This follows the end of the user acceptance testing (UAT) phase of the RoI reporting process, during which the European Supervisory Authorities (ESAs) identified several recurring issues.

WHAT'S NEW?

To support financial entities under its supervision, the CSSF has issued a guide aimed at helping them correct the most common problems found during the validation of RoI submissions to both the CSSF and the ESAs. While not exhaustive, the guide focuses on the most frequently encountered issues. It will be updated regularly, and the CSSF strongly recommends consulting it before reaching out to their helpdesk.

Additional guidance has also been published to clarify whether RoI submissions should be made on a consolidated or individual basis, depending on whether the financial entities are supervised by the CSSF or the ECB.

The guide is meant to be read alongside the ESA observations from the UAT phase.

WHAT'S NEXT?

• Financial entities that have not yet submitted their RoI must do so as soon as possible.
• Before contacting the CSSF helpdesk, entities should consult the published guide.
• Entities must also review the guidance regarding consolidated vs. individual RoI submissions if applicable.

Proper completion and submission of the RoI are essential, as this process supports transparency and regulatory compliance under the DORA framework.

Version française

BACKGROUND

Le 24 avril 2025, la CSSF a publié une communication sur la correction des problèmes les plus fréquents dans les registres d'information (RoI) soumis dans le cadre de DORA. Cette communication fait suite à la fin de la phase de test d'acceptation par l'utilisateur (UAT) du processus de déclaration des RdI, au cours de laquelle les autorités européennes de surveillance (AES) ont identifié plusieurs problèmes récurrents.

WHAT'S NEW?

Afin de soutenir les entités financières sous sa supervision, la CSSF a publié un guide visant à les aider à corriger les problèmes les plus courants rencontrés lors de la validation des soumissions de RdI à la fois à la CSSF et aux AES. Sans être exhaustif, ce guide se concentre sur les problèmes les plus fréquemment rencontrés. Il sera régulièrement mis à jour et la CSSF recommande vivement de le consulter avant de faire appel à son helpdesk.

Des orientations supplémentaires ont également été publiées pour clarifier si les soumissions de RdI doivent être faites sur une base consolidée ou individuelle, selon que les entités financières sont supervisées par la CSSF ou la BCE.

Le guide doit être lu en parallèle avec les observations de l'ESA de la phase UAT.

WHAT'S NEXT?

• Les entités financières qui n'ont pas encore soumis leur RdI doivent le faire dans les plus brefs délais.
• Avant de contacter le helpdesk de la CSSF, les entités doivent consulter le guide publié.
• Les entités doivent également prendre connaissance de la guidance concernant les soumissions de RdI consolidées par rapport aux soumissions de RdI individuelles, le cas échéant.

Il est essentiel de remplir et de soumettre correctement les RdI, car ce processus favorise la transparence et la conformité réglementaire dans le cadre du DORA.

On 1 April, 2025, CSSF published the Circular 25/877 related to stress test scenarios under Article 28 of the Money Market Fund Regulation – Update 2024 (ESMA50-43599798-10651).

The CSSF Circular 25/877 details updates to the ESMA Guidelines on stress test scenarios under Article 28 of the Money Market Fund Regulation. The circular addresses money market funds (MMFs) under the supervision of the CSSF and Luxembourg managers of MMFs. It repeals and replaces previous versions to integrate the updated 2024 Guidelines published on 7 January 2025. These updates provide new methodologies for assessing macro-systemic shocks and recalibrated risk parameters, reflecting recent market developments. The 2024 Guidelines specify minimum requirements for stress testing MMFs, allowing managers to tailor their approaches accordingly. Additionally, the circular includes compliance and reporting obligations, providing guidance on reporting templates and necessary fields for stress tests.

The CSSF circular will enter into force as of 24 April 2025 and will enter into application as of 30 June 2025.

Version française

Le 1er avril 2025, la CSSF a publié la circulaire 25/877 relative aux scénarios de stress test en vertu de l'article 28 du règlement relatif aux fonds du marché monétaire - Mise à jour 2024 (ESMA50-43599798-10651).

La circulaire CSSF 25/877 détaille les mises à jour des lignes directrices de l'ESMA sur les scénarios de stress test en vertu de l'article 28 du règlement sur les fonds du marché monétaire. La circulaire s'adresse aux fonds monétaires (MMF) sous la supervision de la CSSF et aux gestionnaires luxembourgeois de MMF. Elle abroge et remplace les versions précédentes afin d'intégrer les lignes directrices 2024 mises à jour publiées le 7 janvier 2025. Ces mises à jour fournissent de nouvelles méthodologies d'évaluation des chocs macro-systémiques et des paramètres de risque recalibrés, reflétant les évolutions récentes du marché. Les lignes directrices 2024 précisent les exigences minimales pour les tests de résistance des OPC monétaires, ce qui permet aux gestionnaires d'adapter leurs approches en conséquence. En outre, la circulaire inclut des obligations de conformité et de reporting, fournissant des conseils sur les modèles de reporting et les champs nécessaires pour les tests de résistance.

La circulaire de la CSSF entrera en vigueur le 24 avril 2025 et s'appliquera à partir du 30 juin 2025.

BACKGROUND

On 9 April 2025, the CSSF published Circular CSSF 25/883, amending Circular CSSF 22/806 on outsourcing arrangements.

This amendment provides further guidance for financial entities in Luxembourg on managing outsourcing relationships, particularly for ICT services, in line with evolving EU regulations such as the Digital Operational Resilience Act (DORA) and the EBA Guidelines.

WHAT'S NEW?

Circular 25/883 introduces several clarifications and enhancements to strengthen governance, resilience, and oversight in outsourcing practices:

• Enhanced Risk Management Framework: Financial entities must apply thorough due diligence, continuous monitoring, and clear escalation procedures in their outsourcing arrangements.
• Governance and Oversight: Responsibility for outsourced services remains with the financial entity, which must ensure third-party providers meet internal security and operational standards.
• Access to Data and Control Mechanisms: Entities must retain full control over their data. Providers must not access data without prior consent unless legally required or in emergencies. Entities must monitor and audit all access to sensitive data.
• Outsourcing of Critical or Important Functions: These arrangements must undergo heightened scrutiny, with service providers required to demonstrate sufficient resilience, resources, and continuity planning.
• Notification and Reporting Requirements: Entities must report specific outsourcing arrangements to the CSSF, including details on providers, risks, and mitigating controls.
• Third-Party Risk Assessment: There is an increased emphasis on regular risk reviews for critical or sensitive third-party relationships, ensuring providers remain compliant with applicable regulations.

WHAT'S NEXT?

Financial entities must review their current outsourcing arrangements to ensure alignment with the updated requirements in Circular CSSF 25/883.

They should strengthen internal oversight mechanisms, reinforce risk management, and update notification processes in accordance with the amended Circular.

Ongoing risk assessments, particularly for critical functions and ICT outsourcing, should be prioritized to ensure regulatory compliance and operational resilience.

Version française

BACKGROUND

Le 9 avril 2025, la CSSF a publié la circulaire CSSF 25/883, modifiant la circulaire CSSF 22/806 relative aux accords d'externalisation.

Cet amendement fournit des orientations supplémentaires aux entités financières au Luxembourg sur la gestion des relations d'externalisation, en particulier pour les services TIC, conformément à l'évolution des réglementations de l'UE telles que la loi sur la résilience opérationnelle numérique (DORA) et les lignes directrices de l'ABE.

WHAT'S NEW?

La circulaire 25/883 introduit plusieurs clarifications et améliorations visant à renforcer la gouvernance, la résilience et la surveillance des pratiques d'externalisation :

• Cadre de gestion des risques amélioré : Les entités financières doivent appliquer une diligence raisonnable approfondie, une surveillance continue et des procédures d'escalade claires dans leurs accords d'externalisation.
• Gouvernance et supervision : La responsabilité des services externalisés incombe à l'entité financière, qui doit s'assurer que les fournisseurs tiers respectent les normes internes de sécurité et d'exploitation.
• Accès aux données et mécanismes de contrôle : Les entités doivent conserver le contrôle total de leurs données. Les fournisseurs ne doivent pas accéder aux données sans consentement préalable, sauf en cas d'obligation légale ou d'urgence. Les entités doivent contrôler et vérifier tous les accès aux données sensibles.
• Externalisation de fonctions critiques ou importantes : Ces accords doivent faire l'objet d'un examen approfondi, les prestataires de services devant faire preuve d'une résilience, de ressources et d'un plan de continuité suffisants.
• Exigences en matière de notification et de rapport : Les entités doivent notifier à la CSSF les accords d'externalisation spécifiques, y compris les détails sur les fournisseurs, les risques et les contrôles d'atténuation.
• Évaluation des risques liés aux tiers : L'accent est mis sur l'évaluation régulière des risques liés aux relations avec les tiers critiques ou sensibles, afin de s'assurer que les fournisseurs restent en conformité avec les réglementations en vigueur.

WHAT'S NEXT?

Les entités financières doivent revoir leurs accords d'externalisation actuels afin de s'aligner sur les exigences actualisées de la circulaire CSSF 25/883.

Elles doivent renforcer les mécanismes de contrôle interne, la gestion des risques et les processus de notification conformément à la circulaire amendée.

L'évaluation continue des risques, en particulier pour les fonctions critiques et l'externalisation des TIC, devrait être une priorité pour assurer la conformité réglementaire et la résilience opérationnelle.

BACKGROUND

On 9 April 2025, the CSSF published Circular CSSF 25/881, which amends Circular CSSF 20/750 on the requirements for ICT and security risk management in the financial sector.

This update reflects the evolution of regulatory expectations and technological developments, with a focus on ensuring the resilience, security, and effective governance of ICT systems used by financial institutions in Luxembourg.

WHAT'S NEW?

Circular CSSF 25/881 strengthens and updates several key areas of the ICT risk management framework:

• Risk Management Framework: Financial institutions must implement a comprehensive approach covering the identification, assessment, and mitigation of ICT and cybersecurity risks.
• Operational Resilience: Greater emphasis is placed on ensuring systems remain functional under adverse conditions, such as cyberattacks or outages.
• Cybersecurity Measures: Entities must adopt enhanced controls for data protection, access management, threat detection, and incident response.
• Third-Party Risk Management: Institutions must evaluate the security standards and resilience capabilities of third-party ICT providers, particularly those involved in outsourcing or cloud services.
• Governance and Oversight: Clear governance structures, with defined roles and senior management accountability for ICT risk, are now required.
• Incident Management and Reporting: Stricter obligations are introduced for identifying, responding to, and reporting ICT-related incidents, including data breaches and cyber events.
• Business Continuity and Disaster Recovery: Institutions must maintain robust continuity and recovery plans to ensure uninterrupted operations during crises.
• Alignment with International Standards: The revised circular aligns national expectations with global benchmarks such as those from ENISA and the ECB.

WHAT'S NEXT?

Financial institutions should review and strengthen their ICT risk management frameworks in line with the new requirements.Cybersecurity and operational resilience strategies must be updated to reflect the circular’s enhanced expectations.

Entities must ensure their governance structures and incident response protocols are aligned with CSSF 25/881.

Special attention should be given to outsourcing risk assessments and ensuring business continuity plans are in place and tested.

Version française

BACKGROUND

Le 9 avril 2025, la CSSF a publié la circulaire CSSF 25/881, qui modifie la circulaire CSSF 20/750 relative aux exigences en matière de gestion des risques liés aux TIC et à la sécurité dans le secteur financier.

Cette mise à jour reflète l'évolution des attentes réglementaires et des développements technologiques, en mettant l'accent sur la résilience, la sécurité et la gouvernance efficace des systèmes TIC utilisés par les institutions financières au Luxembourg

WHAT'S NEW?

La circulaire CSSF 25/881 renforce et met à jour plusieurs domaines clés du cadre de gestion des risques liés aux TIC :

• Cadre de gestion des risques : Les institutions financières doivent mettre en œuvre une approche globale couvrant l'identification, l'évaluation et l'atténuation des risques liés aux TIC et à la cybersécurité.
• Résilience opérationnelle : L'accent est mis sur la nécessité de veiller à ce que les systèmes restent fonctionnels dans des conditions défavorables, telles que des cyberattaques ou des pannes.
• Mesures de cybersécurité : Les entités doivent adopter des contrôles renforcés pour la protection des données, la gestion des accès, la détection des menaces et la réponse aux incidents.
• Gestion des risques liés aux tiers : Les institutions doivent évaluer les normes de sécurité et les capacités de résilience des fournisseurs de TIC tiers, en particulier ceux qui sont impliqués dans l'externalisation ou les services cloud.
• Gouvernance et supervision : Des structures de gouvernance claires, avec des rôles définis et la responsabilité de la haute direction pour les risques liés aux TIC, sont désormais requises.
• Gestion et signalement des incidents : Des obligations plus strictes sont introduites pour l'identification, la réponse et le rapport des incidents liés aux TIC, y compris les violations de données et les cyber-événements.
• Continuité des activités et reprise après sinistre : Les institutions doivent mettre en place de solides plans de continuité et de reprise des activités afin de garantir un fonctionnement ininterrompu en cas de crise.
• Alignement sur les normes internationales : La circulaire révisée aligne les attentes nationales sur les références mondiales telles que celles de l'ENISA et de la BCE.

WHAT'S NEXT?

Les institutions financières doivent revoir et renforcer leurs cadres de gestion des risques liés aux TIC conformément aux nouvelles exigences.

Les stratégies de cybersécurité et de résilience opérationnelle doivent être mises à jour pour refléter les attentes accrues de la circulaire.

Les entités doivent s'assurer que leurs structures de gouvernance et leurs protocoles de réponse aux incidents sont alignés sur la circulaire CSSF 25/881.

Une attention particulière doit être accordée à l'évaluation des risques liés à l'externalisation et à la mise en place et au test de plans de continuité des activités.

BACKGROUND

On 9 April 2025, the CSSF published a communication announcing coordinated updates to several ICT-related circulars, reflecting the entry into application of the Digital Operational Resilience Act (DORA). These changes clarify the applicable requirements for both DORA entities and non-DORA entities supervised by the CSSF, with a focus on ICT risk management and ICT third-party outsourcing.

WHAT'S NEW?

The updates include:

1. ICT and Security Risk Management:

• Circular CSSF 25/881 updates Circular CSSF 20/750.
  - Applies to non-DORA entities, who continue to follow Circular 20/750.

• Circular CSSF 25/880 is newly issued for Payment Service Providers (PSPs).
  - Implements EBA Guidelines (EBA/GL/2025/02), replacing the previous EBA/GL/2019/04.
  - Introduces new reporting obligations under Article 105-1(2) of the Law of 10 November 2009.
  - Aims to align PSP oversight with harmonised DORA requirements.

2. ICT Third-Party Services and Outsourcing:

• Circular CSSF 25/883 amends Circular CSSF 22/806:
  - For DORA entities, only business process outsourcing remains governed by this circular.
  - CT outsourcing provisions have been repealed and are now governed by DORA.
  - For non-DORA entities, Circular 22/806 (as amended) continues to apply in full.

• Circular CSSF 25/882 introduces new DORA-specific requirements:
  - Applies to DORA entities using critical or important ICT third-party services.
  - Covers reporting obligations, register maintenance, and additional retained provisions from Circular 22/806.

3. Effective Date:

• All changes entered into force on 9 April 2025.

WHAT'S NEXT?

The CSSF will update its website with a revised mapping of applicable circulars to facilitate clarity and ensure firms can identify which rules apply to their specific regulatory status.

Version française

BACKGROUND

On 9 April 2025, the CSSF published a communication announcing coordinated updates to several ICT-related circulars, reflecting the entry into application of the Digital Operational Resilience Act (DORA). These changes clarify the applicable requirements for both DORA entities and non-DORA entities supervised by the CSSF, with a focus on ICT risk management and ICT third-party outsourcing.

WHAT'S NEW?

Les mises à jour sont les suivantes :

1. Gestion des risques liés aux TIC et à la sécurité :

• La circulaire CSSF 25/881 met à jour la circulaire CSSF 20/750.
  - Elle s'applique aux entités non DORA, qui continuent à suivre la circulaire 20/750.
  - La circulaire CSSF 25/880 est nouvellement publiée pour les prestataires de services de paiement (PSP).
  - Met en œuvre les lignes directrices de l'ABE (EBA/GL/2025/02), qui remplacent les précédentes EBA/GL/2019/04.
  - Introduit de nouvelles obligations de déclaration en vertu de l'article 105-1 (2) de la loi du 10 novembre 2009.
  - Vise à aligner la surveillance des prestataires de services de paiement sur les exigences harmonisées de la loi DORA.

2. Services de tiers dans le domaine des TIC et externalisation :

• La circulaire CSSF 25/883 modifie la circulaire CSSF 22/806 :
  - Pour les entités DORA, seule l'externalisation des processus d'affaires reste régie par cette circulaire.
  - Les dispositions relatives à l'externalisation des TIC ont été abrogées et sont désormais régies par la DORA.
  - Pour les entités non DORA, la circulaire 22/806 (telle que modifiée) continue à s'appliquer dans son intégralité.
  - La circulaire CSSF 25/882 introduit de nouvelles exigences spécifiques aux DORA :
  - S'applique aux entités DORA qui utilisent des services ICT tiers critiques ou importants.
  - Couvre les obligations de reporting, la tenue du registre et les dispositions supplémentaires conservées de la circulaire 22/806.

3. Date d'entrée en vigueur :

• Tous les changements sont entrés en vigueur le 9 avril 2025.

WHAT'S NEXT?

La CSSF mettra à jour son site web avec une cartographie révisée des circulaires applicables afin de faciliter la clarté et d'assurer que les entreprises puissent identifier les règles qui s'appliquent à leur statut réglementaire spécifique.

BACKGROUND

On 9 April 2025, the CSSF published a communication on the definition of "ICT services" under DORA. This communication provides additional guidance and procedural updates concerning the definition of ICT services and introduces a new notification form for ICT third-party arrangements, applicable to both DORA and non-DORA entities.

WHAT'S NEW?

First, regarding the definition of ICT services, the CSSF refers to the ESAs’ joint Q&A—particularly answer DORA030—which clarifies the broad scope of “ICT services” under Article 3(21) of DORA. The European Commission has confirmed that this broad definition is intentional. All supervised entities should carefully consider this interpretation, as it may apply either directly (as financial entities under DORA) or indirectly (as service providers to DORA entities). The CSSF also clarifies that financial services offered by professionals not covered by Articles 29-3 to 29-6 of the Law of 5 April 1993 are not to be considered ICT services under DORA. However, services falling within those articles—due to their technical nature—do qualify as ICT services under Article 3(21), even if provided by a regulated financial institution.

Second, the CSSF introduces a new notification form for financial entities subject to DORA. It must be used when:

• A new contractual arrangement involves ICT services supporting critical or important functions (to be notified as early as possible, and at least three months in advance—or one month if the provider is a Luxembourg support PFS).
• A function becomes critical or important over time (to be notified without undue delay).

The new form is effective immediately, with a transitional period until 10 May 2025 for entities already preparing notifications using the previous version.

The CSSF also reminds that:

• Notifications submitted under Circular CSSF 22/806 for existing ICT outsourcing arrangements do not need to be re-submitted under DORA.
• Existing contracts signed before 17 January 2025 that were not notifiable under Circular 22/806 also remain exempt from notification under DORA, but must still appear in the entity’s Register of Information.

WHAT'S NEXT?

After 10 May 2025, only the new notification form will be accepted for compliance with Article 28(3) of DORA and sub-chapter 2.1 of Circular CSSF 25/882.

For non-DORA supervised entities, the framework under Circular CSSF 22/806 (as amended by Circular CSSF 25/883) continues to apply. These entities must continue to notify critical or important ICT outsourcing arrangements using an updated version of the existing form, now revised to remove two questions previously linked to repealed paragraph 143 of Circular 22/806.

Version française

BACKGROUND

Le 9 avril 2025, la CSSF a publié une communication sur la définition des « services TIC » dans le cadre de DORA. Cette communication fournit des orientations supplémentaires et des mises à jour procédurales concernant la définition des services TIC et introduit un nouveau formulaire de notification pour les accords de tiers en matière de TIC, applicable à la fois aux entités DORA et non DORA.

WHAT'S NEW?

Tout d'abord, en ce qui concerne la définition des services TIC, la CSSF se réfère aux questions-réponses conjointes des AES - en particulier la réponse DORA030 - qui clarifie le large champ d'application des « services TIC » en vertu de l'article 3(21) de la loi DORA. La Commission européenne a confirmé que cette définition large était intentionnelle. Toutes les entités supervisées doivent examiner attentivement cette interprétation, car elle peut s'appliquer soit directement (en tant qu'entités financières sous DORA), soit indirectement (en tant que fournisseurs de services aux entités DORA). La CSSF précise également que les services financiers offerts par des professionnels qui ne sont pas couverts par les articles 29-3 à 29-6 de la loi du 5 avril 1993 ne sont pas à considérer comme des services TIC au sens de la loi DORA. Toutefois, les services relevant de ces articles - en raison de leur nature technique - peuvent être considérés comme des services TIC au sens de l'article 3(21), même s'ils sont fournis par une institution financière réglementée.

Deuxièmement, la CSSF introduit un nouveau formulaire de notification pour les entités financières soumises au DORA. Ce formulaire doit être utilisé dans les cas suivants :

• Un nouvel accord contractuel implique des services TIC soutenant des fonctions critiques ou importantes (à notifier le plus tôt possible, et au moins trois mois à l'avance - ou un mois si le fournisseur est un PSF de support luxembourgeois).
• Une fonction devient critique ou importante au fil du temps (à notifier sans délai excessif).

Le nouveau formulaire entre en vigueur immédiatement, avec une période transitoire jusqu'au 10 mai 2025 pour les entités qui préparent déjà des notifications en utilisant la version précédente.

La CSSF rappelle également que :

• Les notifications soumises en vertu de la circulaire CSSF 22/806 pour des contrats d'externalisation de TIC existants ne doivent pas être soumises à nouveau en vertu de la loi DORA.
• Les contrats existants signés avant le 17 janvier 2025 qui n'étaient pas notifiables en vertu de la circulaire 22/806 restent également exemptés de notification en vertu de DORA, mais doivent toujours figurer dans le registre d'information de l'entité.

WHAT'S NEXT?

Après le 10 mai 2025, seul le nouveau formulaire de notification sera accepté pour se conformer à l'article 28(3) de la DORA et au sous-chapitre 2.1 de la circulaire CSSF 25/882.

Pour les entités non supervisées par le DORA, le cadre de la circulaire CSSF 22/806 (telle qu'amendée par la circulaire CSSF 25/883) continue à s'appliquer. Ces entités doivent continuer à notifier les accords d'externalisation des TIC critiques ou importants en utilisant une version mise à jour du formulaire existant, maintenant révisé pour supprimer deux questions précédemment liées au paragraphe 143 abrogé de la Circulaire 22/806.

On 9 April 2025, the CSSF published the Circular CSSF 25/880 on relationship management of payment service users and PSP ICT assessment.

Circular CSSF 25/880, published on 9 April 2025, sets out updated regulatory expectations for payment service providers (PSPs) under the Luxembourg Law of 10 November 2009 on payment services. It reflects the application of the Digital Operational Resilience Act (DORA), which became applicable on 17 January 2025. The circular transposes the revised EBA Guidelines (EBA/GL/2025/02), which narrow the focus of earlier ICT risk management rules to the relationship management of payment service users (PSUs), and it integrates Luxembourg-specific requirements for PSP ICT assessments.

The circular consists of three main chapters. The first chapter introduces measures that PSPs must adopt to strengthen their management of user relationships. These include ensuring users are aware of security risks, allowing them to adjust transaction limits, disabling certain payment functionalities, receiving alerts about suspicious activity, and accessing support. PSPs are also required to inform users about updates to security procedures and provide timely assistance.

The second chapter reaffirms the obligation for PSPs to submit an annual ICT risk assessment to the CSSF using a standardised form available on the CSSF eDesk portal. The form must be validated by the PSP’s management, specifically the member responsible for ICT, and submitted by 31 March each year. Institutions not offering payment services and EEA branches established in Luxembourg are exempt from this requirement, while Luxembourg-based PSPs with EEA branches must include those branches in their assessments.

The third and final chapter confirms the entry into force of the circular, reinforcing the CSSF’s updated regulatory framework for ICT and security risk management in the payments sector.

Version française

Le 9 avril 2025, la CSSF a publié la Circulaire CSSF 25/880 sur la gestion des relations avec les utilisateurs de services de paiement et l’évaluation des risques ICT des PSP.

La Circulaire CSSF 25/880, publiée le 9 avril 2025, établit les attentes réglementaires mises à jour pour les prestataires de services de paiement (PSP) en vertu de la Loi luxembourgeoise du 10 novembre 2009 sur les services de paiement. Elle reflète l'application du Digital Operational Resilience Act (DORA), qui est devenu applicable le 17 janvier 2025. La circulaire transpose les Directives révisées de l'ABE (EBA/GL/2025/02), qui recentrent les règles de gestion des risques ICT précédentes sur la gestion des relations avec les utilisateurs de services de paiement (PSU), et intègre les exigences spécifiques au Luxembourg pour les évaluations ICT des PSP.

La circulaire se compose de trois chapitres principaux. Le premier chapitre présente les mesures que les PSP doivent adopter pour renforcer la gestion de leurs relations avec les utilisateurs. Cela inclut l'obligation d'informer les utilisateurs des risques de sécurité, de leur permettre d'ajuster les limites de transaction, de désactiver certaines fonctionnalités de paiement, de recevoir des alertes sur des activités suspectes et d'avoir accès à un support. Les PSP doivent également informer les utilisateurs des mises à jour des procédures de sécurité et fournir une assistance en temps voulu.

Le deuxième chapitre réaffirme l'obligation pour les PSP de soumettre une évaluation annuelle des risques ICT à la CSSF, en utilisant un formulaire standardisé disponible sur le portail eDesk de la CSSF. Le formulaire doit être validé par la direction du PSP, en particulier le membre responsable de l'ICT, et soumis avant le 31 mars de chaque année. Les institutions ne proposant pas de services de paiement et les succursales de l'EEE établies au Luxembourg sont exemptées de cette exigence, tandis que les PSP basés au Luxembourg avec des succursales dans l'EEE doivent inclure celles-ci dans leurs évaluations.

Le troisième et dernier chapitre confirme l'entrée en vigueur de la circulaire, renforçant ainsi le cadre réglementaire mis à jour de la CSSF pour la gestion des risques ICT et de sécurité dans le secteur des paiements.

BACKGROUND

On 8 April 2025, the CSSF published Circular CSSF 25/878 and announced the adoption of the revised EBA Guidelines (EBA/GL/2024/01) on money laundering and terrorist financing (ML/TF) risk factors. These amendments build on the existing Guidelines (EBA/GL/2021/02) and reflect changes introduced by EU Regulations, particularly MiCAR (Regulation EU 2023/1114) and the Transfer of Funds Regulation (Regulation EU 2023/1113). The circular applies to all credit and financial institutions, including crypto-asset service providers (CASPs), as defined in the amended AML/CFT Law of 12 November 2004.

WHAT'S NEW?

The updated Guidelines introduce new considerations specifically tailored to the risks associated with crypto-assets and the operations of CASPs. These include the addition of crypto-specific risk factors in Title I, and detailed guidance in Title II on how credit and financial institutions should assess ML/TF risks when dealing with clients engaged in crypto services, particularly those not yet authorised under MiCAR. A newly added Guideline 21 outlines sector-specific expectations for CASPs, covering risks linked to unregulated entities, anonymity-enhancing products, and high-risk customer profiles. The Guidelines also propose a range of mitigating measures that CASPs should apply based on their risk assessments.

Circular CSSF 25/878 also clarifies the transitional status of virtual asset service providers (VASPs) that were registered as of 30 December 2024. These entities will remain within the CSSF’s supervisory scope and continue to be subject to the AML/CFT Law until 1 July 2026 or until they are either granted or denied authorisation under MiCAR, whichever occurs first. Despite the regulatory transition, they are to be treated as CASPs for the purpose of applying the new Guidelines.

WHAT'S NEXT?

The revised Guidelines became applicable since 30 December 2024. Circular CSSF 25/878 is effective immediately and complements prior circulars CSSF 23/842 and CSSF 21/782.

Version française

BACKGROUND

Le 8 avril 2025, la CSSF a publié la circulaire CSSF 25/878 et annoncé l'adoption des lignes directrices révisées de l'ABE (EBA/GL/2024/01) sur les facteurs de risque de blanchiment de capitaux et de financement du terrorisme (ML/TF). Ces amendements s'appuient sur les lignes directrices existantes (EBA/GL/2021/02) et reflètent les changements introduits par les règlements de l'UE, en particulier MiCAR (règlement UE 2023/1114) et le règlement sur les transferts de fonds (règlement UE 2023/1113). La circulaire s'applique à toutes les institutions financières et de crédit, y compris les fournisseurs de services de crypto-actifs (CASP), tels que définis dans la loi modifiée du 12 novembre 2004 relative à la lutte contre le blanchiment de capitaux et le financement du terrorisme.

WHAT'S NEW?

Les lignes directrices actualisées introduisent de nouvelles considérations spécifiquement adaptées aux risques associés aux crypto-actifs et aux opérations des PCAS. Il s'agit notamment de l'ajout de facteurs de risque spécifiques aux crypto-actifs dans le titre I, et d'orientations détaillées dans le titre II sur la manière dont les établissements de crédit et les institutions financières doivent évaluer les risques de blanchiment d'argent et de financement du terrorisme lorsqu'ils traitent avec des clients engagés dans des services de crypto-monnaie, en particulier ceux qui ne sont pas encore autorisés en vertu de la MiCAR. Une nouvelle ligne directrice 21 décrit les attentes spécifiques au secteur pour les CASP, couvrant les risques liés aux entités non réglementées, aux produits renforçant l'anonymat et aux profils de clients à haut risque. Les lignes directrices proposent également une série de mesures d'atténuation que les CASP doivent appliquer sur la base de leur évaluation des risques.

La circulaire CSSF 25/878 clarifie également le statut transitoire des prestataires de services d'actifs virtuels (PSAV) qui ont été enregistrés au 30 décembre 2024. Ces entités resteront dans le champ de surveillance de la CSSF et continueront à être soumises à la loi LAB/CFT jusqu'au 1er juillet 2026 ou jusqu'à ce qu'une autorisation leur soit accordée ou refusée dans le cadre du MiCAR, selon la première éventualité. Malgré la transition réglementaire, ils doivent être traités comme des PCAS aux fins de l'application des nouvelles lignes directrices.

WHAT'S NEXT?

Les lignes directrices révisées sont applicables depuis le 30 décembre 2024. La circulaire CSSF 25/878 entre en vigueur immédiatement et complète les circulaires CSSF 23/842 et CSSF 21/782.

BACKGROUND

On 9 April 2025, the CSSF published Circular CSSF 25/882 setting out requirements for financial entities subject to the Digital Operational Resilience Act (DORA) regarding the use of ICT third-party services.

The circular is part of the CSSF’s broader effort to ensure operational resilience and proper risk management when financial entities rely on external ICT providers.

WHAT'S NEW?

Circular 25/882 outlines key expectations for the outsourcing of ICT services, particularly cloud computing.

It defines core characteristics of cloud services (e.g. on-demand self-service, resource pooling, elasticity), and highlights that:

• Cloud providers must not access data without prior consent and such access must be strictly monitored.
• Manual intervention by cloud providers is only permitted in specific cases (e.g. global maintenance or at the financial entity’s request).
• A designated cloud officer must be appointed within each financial entity. If cloud services are outsourced, the entity must also identify the cloud officer on the provider’s side.Entities must retain competence and responsibility for ICT risk management, even when services are outsourced.

WHAT'S NEXT?

Financial entities must ensure strict governance, security, and monitoring of ICT third-party arrangements, in line with DORA.

They must conduct regular audits and reviews of access controls to ensure providers follow sound security practices.

The CSSF expects clear allocation of responsibilities, and ongoing capability within firms to oversee and secure cloud and ICT services.

Version française

BACKGROUND

Le 9 avril 2025, la CSSF a publié la circulaire CSSF 25/882 définissant les exigences pour les entités financières soumises à la loi sur la résilience opérationnelle numérique (DORA) en ce qui concerne l'utilisation de services TIC tiers.

WHAT'S NEW?

Cette circulaire s'inscrit dans le cadre des efforts déployés par la CSSF pour assurer la résilience opérationnelle et la bonne gestion des risques lorsque les entités financières font appel à des fournisseurs externes de TIC". "La circulaire 25/882 décrit les attentes clés en matière d'externalisation des services TIC, en particulier l'informatique en nuage (cloud computing).

Elle définit les caractéristiques essentielles des services en nuage (par exemple, le libre-service à la demande, la mise en commun des ressources, l'élasticité), et souligne que :

• Les fournisseurs de services en nuage ne doivent pas accéder aux données sans consentement préalable et cet accès doit être strictement contrôlé.
• L'intervention manuelle des fournisseurs de services en nuage n'est autorisée que dans des cas spécifiques (par exemple, pour la maintenance globale ou à la demande de l'entité financière).
• Un responsable de l'informatique en nuage doit être désigné au sein de chaque entité financière. Si les services en nuage sont externalisés, l'entité doit également identifier le responsable du nuage du côté du fournisseur.
• Les entités doivent conserver la compétence et la responsabilité de la gestion des risques liés aux TIC, même lorsque les services sont externalisés.

WHAT'S NEXT?

Les entités financières doivent assurer une gouvernance, une sécurité et un suivi stricts des accords de TIC avec des tiers, conformément à la loi DORA.

Elles doivent procéder à des audits et à des examens réguliers des contrôles d'accès afin de s'assurer que les fournisseurs suivent des pratiques de sécurité saines.

La CSSF s'attend à ce que les responsabilités soient clairement réparties et que les entreprises soient en mesure de superviser et de sécuriser les services de cloud computing et de TIC.

BACKGROUND

On 30 April 2025, the CSSF published a communication extending the submission deadline for the Register of Information (RoI) under DORA.

As previously communicated on 15 January 2025, financial entities were required to submit, correct, and re-submit their RoI via eDesk by end-April 2025.

WHAT'S NEW?

The CSSF has announced that the eDesk procedure will remain open until 31 May 2025, giving financial entities additional time to submit corrected registers.

The CSSF also highlights that the European Supervisory Authorities (ESAs) have updated some of their validation rules, specifically in the “technical checks” tab of the EBA’s document on RoI reporting.

Entities must review these updates, as any invalid technical check will now trigger error messages and lead to register rejection by the ESAs.

WHAT'S NEXT?

Financial entities must correct all technical issues first, then re-submit the RoI via eDesk.

If other (non-technical) issues are found, they should be corrected in a second step, with the updated register submitted by 31 May 2025 at the latest.

Entities are expected to regularly consult the updated validation rules document to ensure compliance.

Version française

BACKGROUND

Le 30 avril 2025, la CSSF a publié une communication prolongeant le délai de soumission du Registre d'Information (RoI) sous DORA.

Comme précédemment communiqué le 15 janvier 2025, les entités financières devaient soumettre, corriger et re-soumettre leur RdI via eDesk pour la fin avril 2025.

WHAT'S NEW?

La CSSF a annoncé que la procédure eDesk resterait ouverte jusqu'au 31 mai 2025, donnant ainsi aux entités financières un délai supplémentaire pour soumettre des registres corrigés.

La CSSF souligne également que les autorités européennes de surveillance (AES) ont mis à jour certaines de leurs règles de validation, en particulier dans l'onglet « technical checks » du document de l'ABE sur le reporting des RdI.

Les entités doivent prendre connaissance de ces mises à jour, car tout contrôle technique non valide déclenchera désormais des messages d'erreur et entraînera le rejet du registre par les AES.

WHAT'S NEXT?

Les entités financières doivent d'abord corriger tous les problèmes techniques, puis soumettre à nouveau la RdI via eDesk.

Si d'autres problèmes (non techniques) sont détectés, ils doivent être corrigés dans un deuxième temps, et le registre mis à jour doit être soumis au plus tard le 31 mai 2025.

Les entités sont censées consulter régulièrement le document sur les règles de validation mises à jour afin de s'assurer de leur conformité.

On 2 April 2025, the CSSF published a reminder related to  the transmission method for the internalised settlement reporting of the Article 9 of the Central Securities Depositaries Regulation (CSDR Art.9) will change.

Starting from 1 July 2025, the reports will be exclusively collected through the two methods below, free of charge:

• Zip file (including the report in XML format) to be submitted in the dedicated eDesk procedure
• Automated submission of the ZIP file (including the report in XML format) via API (S3 protocol)

The quarterly reports covering the current reference period (Q2 2025) as well as all resubmissions related to previous reference periods are impacted.

No CSDR Art. 9 reporting will be accepted through the historical external channels.

Version française

Le 2 avril 2025, la CSSF a publié un rappel relatif à la méthode de transmission des déclarations de règlement-livraison internalisé de l'article 9 du règlement relatif aux dépositaires centraux de titres (CSDR Art.9) va changer.

A partir du 1er juillet 2025, les rapports seront exclusivement collectés par les deux méthodes ci-dessous, sans frais :

• Fichier Zip (y compris le rapport au format XML) à soumettre dans le cadre de la procédure eDesk dédiée.
• Soumission automatisée du fichier ZIP (y compris le rapport en format XML) via API (protocole S3).

Les rapports trimestriels couvrant la période de référence actuelle (Q2 2025) ainsi que toutes les resoumissions relatives aux périodes de référence précédentes sont concernées.

Aucune déclaration au titre de l'art. 9 ne sera accepté par le biais des canaux externes antérieurs.

On 16 April 2025, the CSSF published a communication related to the new transmission metho for MMF reporting.

Starting from 1 September 2025, the transmission method for Money Market Fund reporting will change.

The reports will be exclusively collected through the two methods below, and this will be free of charge:

• ZIP file (including the report in xml format) to be submitted in the dedicated eDesk procedure
• Automated submission of the ZIP file (including the report in xml format) via API (S3 protocol)
• You will be able to test this new transmission mode from 1 July 2025 on eDesk PREPROD.

Version française

Le 16 avril 2025, la CSSF a publié une communication concernant la nouvelle méthode de transmission pour la déclaration des Fonds du Marché Monétaire (MMF).

À partir du 1er septembre 2025, la méthode de transmission pour les rapports relatifs aux Fonds du Marché Monétaire changera.

Les rapports seront exclusivement collectés par les deux méthodes suivantes, et ce, gratuitement :

• Fichier ZIP (incluant le rapport au format XML) à soumettre via la procédure dédiée sur eDesk.
• Soumission automatisée du fichier ZIP (incluant le rapport au format XML) via API (protocole S3).
• Vous pourrez tester cette nouvelle méthode de transmission à partir du 1er juillet 2025 sur eDesk PREPROD.

On 4 April 2025, the CSSF published a communication on the ESMA CSA focusing on the compliance an internal audit functions for of UCITS Management Companies (MANCOs) and authorised Alternative Investment Fund Managers (AIFMs).

On 14 February 2025,  ESMA in coordination with National Competent Authorities (NCAs), launched a Common Supervisory Action (CSA) focusing on the compliance and internal audit functions of MANCOs and AIFMs across the EU. The purpose of this CSA is to assess whether these firms have established effective compliance and internal audit functions, supported by adequate staffing, authority, knowledge, and expertise, as required under the AIFMD and UCITS Directive. These functions play a critical role in ensuring that internal control systems are in place to monitor and manage regulatory risks.

In Luxembourg, the CSSF will begin implementing the CSA by mid-June 2025. A selected sample of Luxembourg-based UCITS Managers and AIFMs will be required to complete a detailed questionnaire that addresses internal policies, procedures, delegation arrangements, reporting lines to senior management, and internal control plans. The CSSF will notify the firms that are in scope by email no later than 11 April 2025. Firms not contacted are not subject to this exercise.

Responses must be submitted through the CSSF’s eDesk Portal, which offers a secure platform and integrated data quality checks. Firms must ensure their eDesk user email addresses and role assignments are kept current to receive the relevant communications. Once the questionnaire section is activated on eDesk, firms will be informed through the platform, and guidance—updated as necessary with input from ESMA—will be made available to assist in completing the process.

Version française

Le 4 avril 2025, la CSSF a publié une communication concernant l'action de supervision commune (CSA) de l'ESMA, portant sur les fonctions de conformité et d'audit interne des Sociétés de Gestion de Fonds UCITS (MANCOs) et des gestionnaires de fonds d'investissement alternatifs autorisés (AIFM).

Le 14 février 2025, l'ESMA, en coordination avec les Autorités Compétentes Nationales (ACN), a lancé une Action de Supervision Commune (CSA) axée sur les fonctions de conformité et d'audit interne des MANCOs et AIFMs à travers l'UE. L'objectif de cette CSA est d'évaluer si ces entreprises ont mis en place des fonctions de conformité et d'audit interne efficaces, soutenues par un personnel adéquat, une autorité, des connaissances et une expertise, comme l'exigent la directive AIFMD et la directive UCITS. Ces fonctions jouent un rôle clé dans la garantie que des systèmes de contrôle internes sont en place pour surveiller et gérer les risques réglementaires.

Au Luxembourg, la CSSF commencera la mise en œuvre de la CSA à partir de la mi-juin 2025. Un échantillon sélectionné de gestionnaires de fonds UCITS et d'AIFMs basés au Luxembourg devra remplir un questionnaire détaillé portant sur les politiques internes, les procédures, les arrangements de délégation, les lignes de reporting vers la direction générale et les plans de contrôle interne. La CSSF informera les entreprises concernées par email au plus tard le 11 avril 2025. Les entreprises non contactées ne seront pas soumises à cet exercice.

Les réponses doivent être soumises via le portail eDesk de la CSSF, qui offre une plateforme sécurisée et des vérifications intégrées de la qualité des données. Les entreprises doivent s'assurer que les adresses e-mail des utilisateurs eDesk et les affectations de rôles sont maintenues à jour pour recevoir les communications pertinentes. Une fois la section du questionnaire activée sur eDesk, les entreprises seront informées via la plateforme, et des guides qui seront mise à jour si nécessaire avec l'apport de l'ESMA et seront disponibles pour les aider à compléter le processus.

On 10 April 2025, the BNM and Bank of Thailand (BOT) have signed an Memorandum of Understanding (MoU) to Enhance Cybersecurity and Digital Fraud Protection.

This initiative promotes a closer working relationship between the two central banks, enabling more effective information sharing, capacity building, and the exchange of best practices.

This MoU exemplifies BNM and BOT’s commitment to enhance cybersecurity preparedness and strengthen the cyber defenses of both nations' financial industries.

On 24 April 2025, the CNMV published circular establishing reserved statements templates for crypto-asset service providers and simplifying companies’ reporting. The new standard determines the information to be reported by entities including data essential to its activity, pursuant to the Regulation for crypto-assets markets.

The CNMV has approved the new Circular that establishes the reserved statements to be submitted by crypto-asset service providers. The new standard mends four different Circulars and affecting:

• New crypto-asset service providers
•  Investment firms
• Credit institutions
• Management companies providing such services (collective investment scheme management companies) or close-ended CISMC.

The Circular includes possible obligations that allow entities to be prepared to meet any requirements they may receive from the CNMV. Moreover, the new standard aligns, to a large extent, the reporting of national financial advisory firms with that of other IFs and improves the information of entities as a whole.

In relation to accounting and the protection of client assets, CASPs must submit their audited annual accounts and the client asset protection report when required. The Circular also establishes a new statement for prevention of money laundering and financing of terrorism and modifies the information system for the calculation of contributions to the Investment Guarantee Fund. The new regulation standardizes the reserved statements that different entities must submit before the CNMV, with their content and periodicity.

Reserved statements regarding rules of conduct are also modified to allow for appropriate supervision: the reserved statements’ model for CASPs that the CNMV may require is defined, information is improved and simplified; the frequency of reports is reduced from a quarterly to a half-yearly basis.

The standard enters into force on 14 May 2025.

On 24 April 2025, the CNMV revised the content of key investor information documents for collective investment schemes (UCITS and AIF). The CNMV has reviewed the Key Investor Information Documents for UCITS and AIFs to verify compliance with the PRIIPs Regulation. While the overall content meets regulatory standards, several important inconsistencies were found.

The main inconsistencies found were as follows:

• As for the product section, incomplete information was detected on the investment policy applied by the institution regarding transactions of derivative instruments and their purpose (investment, hedging). 
• Lack of information on the warnings required in the prospectuses was also detected, specifically regarding investment in high-yield assets.
• As for risk disclosure, PRIIPs require the inclusion of a numerical indicator between 1 and 7 (1 being the lowest and 7 the highest). As for some types of AFI (for example, Venture Capital and Private Equity funds), it was found that a risk level of 6 is not always indicated, as set forth in the aforementioned Regulation. 
• Furthermore, the Regulation establishes that, in the case of Collective Investment Schemes, a methodology for calculating the aforementioned indicator must be applied based on a historical series of net asset values corresponding to a minimum period of two years, adding that, in the case said minimum period is not available, its calculation must be based on a benchmark that best represents the performance of the fund's portfolio. To this respect, a small number of funds were identified where benchmarks used were not representative, resulting in a lower indicator and subsequent risk underestimation. 
• As for performance scenarios, positive performance information was found in stress scenarios for some UCITS with buy-and-hold policies, as well as Venture Capital and Private Equity funds. In this regard, it shall be noted that the data and methodological assumptions used to estimate scenarios should be prudent and results should be balanced and consistent (i.e. not highlighting favourable results at the expense of unfavourable ones).
• Regarding cost composition, errors were detected in the information provided on recurring costs (management, deposit, etc.), subscription and/or redemption fees and performance fees, as they do not coincide with that included in the prospectus or in the Periodic Public Reporting of certain vehicles. Lastly, related to this same section, it was found that funds with high portfolio turnover were not reporting transaction costs. 

The CNMV has informed management companies of the inconsistencies detected for the revision of KIID drafting procedures and for control strengthening in order to ensure compliance with the European Regulation of the information provided to investors. The CNMV will continue to take a supervisory approach in this matter.

On 29 April 2025, the UK Government published a Draft SI and Policy Note on the Regulatory regime for cryptoassets (regulated activities).

The Government issued a draft of forthcoming statutory provisions to create new regulated activities for cryptoassets, and an explainer document detailing the intended policy outcomes of these provisions.

In October 2023, HM Treasury published detailed proposals for creating a UK financial services regulatory regime for cryptoassets, including stablecoin.

On 21 November 2024, the government confirmed that it will proceed with introducing this regime, broadly in line with the previously published proposals.

This will see the creation of new regulated activities such as operating a cryptoasset trading exchange and stablecoin issuance, as well as market abuse and admissions and disclosures regimes.

The government is now publishing draft statutory provisions associated with the new regulated activities for cryptoassets, accompanied by an explanatory policy note. 

The government will publish statutory provisions for the market abuse and admissions and disclosures regimes in due course.

HM Treasury welcomes any technical comments on this draft SI by 23 May 2025.

On the 16 April 2025FCA published CP25/9 on further proposals on product information for Consumer Composite Investments

In CP24/30, proposals was put forward for a new product information regime for Consumer Composite Investments. Goal is to design a flexible regime that prioritises good consumer outcomes through empowering consumers to make effective, timely and properly informed decisions, and enables firms to tailor their communications to meet consumers’ needs. 

As signposted in CP24/30, consulting is being done on some remaining issues to support the regime. This includes our proposals for:  

• A revised approach to the calculation of transaction costs.
• Revisions to current cost disclosure requirements under the MiFID Org Reg.
• Transitional provisions to allow firms flexibility to move across to the new regime as soon as they’re ready.
• Consequential amendments to the FCA Handbook. 

This consultation will be of interest to: 

• Consumers and consumer organisations.
• Those who manufacture Packaged Retail and Insurance-based Investment Products Undertakings for Collective Investment in Transferable Securities, non-UCITS retail schemes, or non-PRIIP packaged products, including:
  - Issuers or underwriters of securities that are or may be classed as PRIIPs.
  - Fund managers, including overseas fund managers.
  - Issuers of structured products and derivatives.
• Those who advise on or sell PRIIPs, UCITS, NURS, or non-PRIIP packaged products, including:
  - Wealth managers, financial advisers and stockbrokers.
  - Discretionary investment management firms.
  - Life insurance companies.
  - Firms providing services in relation to insurance-based investments.
  - Firms operating retail investment platforms.
• Industry bodies that represent or provide professional services to these groups.

The consultation closes on the 28 May 2025.

On the 07 April 2025, UK amended rules for investment managers to support growth. 

The consultation proposes simplifying the Regulatory framework for Alternative Investment Fund Managers, while retaining core consumer and market protections. 

Key points include:

• Creating new categories for firms subject to AIFMD so that rules can be applied in a more flexible and tailored way.
• Simplifying the regulatory framework for AIFs, while retaining core consumer and market protections.
• Removing detailed, firm-facing requirements from legislation, in line with the UK’s established model for financial services regulation.
• Enabling the FCA to create a more proportionate and streamlined regime for fund managers, ensuring rules are properly tailored to the nature and scale of a firm’s business.

This consultation is accompanied by an FCA Call for Input, setting out the proposed approach to the detailed rules for AIF Managers.

The consultation closes on the 09 June 2025.

On the 24 April 2025, FCA proposed streamlining the rules on the types of funds investment firms must hold to absorb losses and maintain financial resilience during periods of stress.

The proposals do not change the rules about how much capital firms must hold but focus on simplifying and consolidating the existing rules about what qualifies as regulatory capital. The current regulatory capital rules were designed for banks, making them complex and not tailored to investment firms’ business models. The FCA proposes removing large sections which are not relevant to the vast majority of firms and making others simpler. These changes would reduce the volume of legal text by 70%. 

Now the FCA proposes removing the EU-derived rules and to make them clearer and more accessible, reducing the time and resources firms spend interpreting and applying the requirements.

This applies to MIFIDPRU investment firms, UK parent entities complying with MIFIDPRU 3, and parent undertakings subject to the Group Capital Test. It does not apply to banks or other PRA-regulated entities.

The consultation closes on the 12 June 2025.

On the 9 April 2025, the BoE published letter on Significant risk transfer financing, prudential expectations.

Prudential Regulation Authority’s concerns and expectations following recent supervisory reviews, particularly in relation to securities financing transactions and regulatory capital treatment.

Prudential Concerns:

Some firms show inadequate assessment of collateral eligibility, particularly under Article 299(2)(c) of the UK CRR, leading to potential undercapitalization of risks. An imprudent practice includes using repackaged illiquid assets to justify trading book treatment without sufficient evidence.

Capital Requirements:

Firms are expected to apply appropriate Pillar 1 treatment to risks, and where Pillar 1 is insufficient, use Pillar 2A. Illiquid collateral not qualifying for trading book should be treated under banking book rules.

Policy Update – PS9/24

Upcoming rule changes introduce new eligibility criteria for SFT collateral under Articles 299A(1a) and (1c). Firms must demonstrate:

• Sufficient secondary market liquidity, especially under stressed conditions.
• Ability to mark collateral to market daily via an active, liquid market, or appropriately model it if using proxies, ensuring all material risks are captured.

Relevant firms, that will be contacted, are expected to respond by the 11 June 2025.

On the 22 April 2025, the PRA published PS5/25 and SS1/25 on step-in risk.

The PRA introduced rules requiring firms to assess and manage step-in risk related to certain unconsolidated entities, evaluate material entities for significant indicators, take mitigating action if needed, and report their assessments alongside the ICAAP. The PRA confirmed that its original policy rationale and regulatory objectives remain appropriate.

Scope and level of application

Firms must assess step-in risk at group, sub-group, and individual levels to capture all material risks. The PRA rejected calls to limit this scope and added a new reporting field to clarify assessment levels. Ring-fenced banks must also comply at the sub-group level.

Identification of entities to be evaluated for step-in risk

The PRA confirmed that firms must assess step-in risk for all relevant unconsolidated entities, but clarified some exclusions, such as market-making activity and senior securitisation positions in third-party securitisation special purpose entities. It rejected suggestions to redefine commercial entities or exclude entities based on legal prohibitions but emphasized that firms should use judgment and document their approach.

Assessment of material entities against indicators

The PRA proposed assessing material entities against step-in risk indicators, with examples in the supervisory statement. Following feedback, it replaced the term “aggressively” with “actively.

Reporting Issues

The PRA will now require firms to report capital and liquidity impacts in template SI2 only where step-in risk is significant, easing the burden of reporting. The step-in risk assessment remains part of Internal Capital Adequacy Assessment Process using standard templates, aligning with Basel Committee on Banking Supervision guidelines. The PRA also clarified that total assets reported in SI2 reflect size, not risk, and do not automatically imply significant step-in risk.

Other issues

The PRA clarified that step-in risk rules and related party transaction rules address different risks, step-in risk focuses on unconsolidated entities and potential non-contractual financial support, while related party rules govern terms of intra-group dealings. The PRA also confirmed its aim is not to eliminate all step-in risk, but to help firms identify, assess, and manage it as part of sound risk management.

Enters into the effect on the 1 January 2026.

On the 8 April 2025, the FCA published its work programme 2025-2026. This work programme sets out what the FCA will deliver in 2025/26 on its 4 strategic priorities.

1. A smarter regulator: more efficient and effective. 

The FCA aims to enhance regulatory efficiency and reduce burdens on firms through several measures. It will streamline data collection by removing unnecessary reporting requirements and expanding the 'My FCA' platform to centralise regulatory tasks, invoicing, and user management. A new feature in RegData, called 'flexi collections,' will simplify ad-hoc data submissions. The FCA is also digitising and simplifying the authorisation process to improve application quality and speed. Its supervision model will focus on higher-risk areas, offer lighter oversight for responsible firms, and engage more directly with key market participants. To better detect and address harm, the FCA will enhance its use of data and intelligence, automate triage, and use network analytics to identify risky actors. Operational performance will be improved by using insights to guide resource allocation and ensure alignment with strategic goals.

2. Supporting growth.

In 2025/26, the FCA will support UK growth by focusing on four main areas. It will unlock capital and economic growth by reforming the prospectus regime, launching a private market platform (PISCES), adjusting rules on investment research and commodity derivatives, and updating remuneration and disclosure requirements. New initiatives include reviewing capital rules for trading firms, simplifying insurance conduct standards, and continuing pension reforms. To accelerate digital innovation, the FCA will develop the digital securities sandbox, support faster securities settlement and digital assets, consult on changes to contactless payment limits, and set new digital service standards. It will also begin shaping open finance using new data access powers, with a focus on SME lending. To reduce the regulatory burden, the FCA will streamline transaction reporting and senior manager rules, simplify regulation for asset managers, and reduce complexity following the introduction of the Consumer Duty. It will also expand pre-application support and clarify the approach to motor finance redress. Finally, it will develop a dedicated UK crypto regime by consulting on all regulated crypto activities in 2025, issuing policies in 2026, and preparing for authorisation.

3. Helping consumers navigate their financial lives.

The FCA’s ongoing work in the motor finance space includes confirming within six weeks of the Supreme Court’s decision whether it will propose a redress scheme and, if so, outlining how it will proceed. Depending on the outcome, the FCA may also consult separately on rule changes. In the mortgage market, the FCA will consult in May on proposals to allow consumers to remortgage, reduce terms, and discuss mortgage options without needing regulated advice. It will also propose retiring certain guidance now covered by the Consumer Duty, reducing the regulatory burden on firms. In June, the FCA will launch a public discussion on the future of the mortgage market, exploring what is needed for consumers at various life stages and how regulation can support this. For new work in 2025/26, the FCA will collaborate with the Government to bring Deferred Payment Credit into the regulatory framework by developing new rules to replace certain provisions of the disapplied Consumer Credit Act. Additionally, it will encourage firms to adopt innovative solutions that enhance consumer resilience.

4. Fighting financial crime.

In 2025/26, the FCA will focus on identifying financial crime and tackling organised crime. To identify financial crime, it will build a new data-led detection capability that brings together multiple data sets. This will enhance its ability to identify financial crime within regulated firms and take timely action. In tackling organised crime, the FCA will collaborate more closely with partners to share and analyse data, closing the gaps where criminals hide. It will work to prevent criminals from accessing financial firms and will disrupt and disable their activities when detected.

On the 14 April 2025, the FCA published 8th edition of the Regulatory Initiatives Grid.

The Regulatory Initiatives Forum Grid is a biannual publication that sets out the regulatory pipeline. It enables the financial services industry and other stakeholders to understand and plan for the timing of the initiatives that may have a significant operational impact on them. 

This Grid is published by the Financial Services Regulatory Initiatives, launched to strengthen coordination between Forum members. The Forum is comprised of the Bank of England, Financial Conduct Authority, Payment Systems Regulator, Competition and Markets Authority, Financial Reporting Council, The Pensions Regulator, and Information Commissioner’s Office, with HM Treasury attending as an observer member.

This is the eighth edition of the Regulatory Initiatives Grid. The previous publication, due in May 2024, was postponed following the announcement of the General Election. Although the Forum published an interim update in October 2024, this edition reflects the significant reprioritization that has taken place since the new Government came to power.

Among the initiatives included in eighth edition of the Grid are those which will support growth, competitiveness, investment and innovation, while maintaining financial stability and consumer protection. Examples include the Bank of England’s Digital Securities Sandbox and the PRA’s Matching Adjustment Investment Accelerator. 

The Grid includes additional information where changes to our work programme could have a significant impact on firms’ planning. 

On 9 April 2025, CFTC published a staff letter relating to certain Foreign Exchange transactions addressing the classification of certain foreign exchange (FX) transactions under the Commodity Exchange Act (CEA).

In the letter, the CFTC clarified that:

• Window FX Forwards, as detailed in the letter, should be categorized as foreign exchange forwards.
• Package FX Spot Transactions, as described in the letter, should not be classified as foreign exchange swaps or swaps.

This interpretative letter was issued by the CFTC's Market Participants Division and the Division of Market Oversight. It provides clarity on how certain FX transactions should be viewed under the CEA, helping market participants better understand their regulatory obligations.

The classification of FX transactions is important because it determines whether the transaction is subject to specific regulatory requirements, including those related to swaps, and whether it falls under the CFTC’s jurisdiction. This guidance aims to support greater regulatory clarity for market participants dealing with FX transactions.

On 14 April 2025, the BIS published working paper on a formally defined model to describe and compare payment system architectures.

Proposals for new payment system architectures abound. To understand their opportunities and challenges, it is paramount to be able to describe and compare them in a consistent and standardised manner. This paper therefore proposes a formally defined model to represent three key functions of payment system architectures: issuance/withdrawal, holding and transfer of funds. The model defines payment diagrams, using a precisely defined syntax. The authors illustrate the application of these diagrams for domestic and cross-border account transfers, as well as cash, card, e-money and stablecoin payments. However, the payment diagrams can be used for any type of funds and can be applied across different payment system architectures. The authors also demonstrate how the diagrams correspond to the balance sheet approach commonly used in economics, and that it offers added value by providing an end-to end visualisation of every stage of the payment journey.  model provides a tool for central banks, regulators and the payment industry to better understand and compare existing and new payment system architectures.

On 24 April 2025, the BIS Innovation Hub published news on Project Meridian FX - exploring synchronised settlement in FX.

Project Meridian FX (Project MFX) is a joint project between the Bank for International Settlements  (BIS) Innovation Hub (London and Eurosystem Centres), Bank of England, Bank of France, Bank of Italy, Deutsche Bundesbank and the European Central Bank. It explores how operators of wholesale payment infrastructures can enable interoperability with new technologies, such as distributed ledger technology (DLT), with a focus on foreign exchange (FX) transactions. 

At the heart of Project Meridian FX is the synchronisation operator - a technology-neutral interface designed to coordinate the simultaneous exchange of assets across payment systems. Through the experiments conducted, synchronisation operators enabled atomically settled FX transactions between different wholesale payment infrastructures across jurisdictions, and between an RTGS system and a DLT platform.

On 9 April 2025, the ISDA published response to ESMA on CCP Model Validation.

In the consultation paper, ESMA sets out proposed quantitative thresholds and qualitative elements to be considered when determining whether a model change is significant.

In the response, ISDA noted that more information would be necessary to understand the rationale behind the thresholds that are proposed. ISDA provided comments on ESMA’s interpretation of ‘concentration risk’ and on the proposed lookback period for assessing whether a change in significant.