On 6 March 2025, the European Banking Authority (EBA) published a consultation on new rules related to the anti- money laundering and countering the financing of terrorism (AML/CFT) package.

The consultation relates to four draft Regulatory Technical Standards (RTS) that will be part of the EBA’s response to the European Commission’s Call for Advice.  These technical standards will be central to the EU’s new AML/CFT regime and will shape how institutions and supervisors will comply with their AML/CFT obligations under the new AML/CFT package.

The proposed RTSs focus on the following aspects for which the EBA is providing its advice:

• the way the new EU Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA) will decide which institutions will be subject to the direct supervision. The EBA is proposing that AMLA first determines which institutions are eligible for direct supervision taking into account their cross-border activities. In a second step, AMLA would consider the outcomes of the harmonised money-laundering/terrorist financing (ML/TF) risk assessment methodology.
• the determination of the ML/TF risk associated with each institution. The EBA is proposing to put in place a harmonised methodology that all national supervisors will apply when assessing an institution’s inherent risks, the quality of controls and the residual risks that remain after the controls have been applied. The proposed approach will ensure that supervisors’ entity-level risk assessments are consistent with comparable outcomes across Member States. It would also reduce regulatory burden for cross-border institutions, especially because different supervisors’ information requests would be aligned.
• the extent and quality of information institutions will have to obtain as part of the customer due diligence process under the new AML/CFT regime. To achieve effective outcomes, and to limit the cost of compliance, the EBA is proposing a framework within which institutions can choose the most appropriate approach to the extent that it is in compliance with the new AML Regulation. For example, the EBA lists the types of documents and sources of information that institutions should consult, rather than specify the documents and sources themselves.
• on indicators  and criteria to be taken into account when setting the level of pecuniary sanctions or taking administrative measures including developing a methodology on how to impose  periodic penalty payments. The aim is to ensure that AML/CFT breaches are assessed in the same way by all supervisors across the EU and that the enforcement action is proportionate, dissuasive and effective.

The European Commission has asked the EBA to prepare the above-mentioned technical standards to support the rapid and effective start of AMLA operations. The EBA will submit its response with the above-mentioned technical standards to the European Commission on 31 October 2025.

The consultation runs until 6 June 2025.

On 5 March 2025, the European Data Protection Board (EDPB) published a press release on Coordinated Enforcement Framework (CEF) 2025 – launch of coordinated enforcement on the right to erasure.

Following a year-long coordinated action on the right of access in 2024, the CEF's focus this year will shift to the implementation of another data protection right, namely the right to erasure or the “right to be forgotten” (Art.17 GDPR).

The Board selected this topic during its October 2024 plenary as it is one of the most frequently exercised GDPR rights and one about which DPAs frequently receive complaints from individuals.

During 2025, 32 Data Protection Authorities (DPAs) across Europe will take part in this initiative.

Participating DPAs will soon contact a number of controllers from different sectors across Europe, either by opening new formal investigations or doing fact-finding exercises. In the latter case, they might also decide to undertake additional follow-up actions if needed. 

DPAs will check how controllers handle and respond to the requests for erasure that they receive and, in particular, how they apply the conditions and exceptions for the exercise of this right. 

DPAs will also stay in close contact to share and discuss their findings throughout this year. The results of these national actions will be aggregated and analysed together to generate deeper insight into the topic, allowing for targeted follow-ups on both national and EU levels.

On 14 March 2025, the European Union published the Commission Delegated Regulation (EU) 2025/416 supplementing MiCA with RTS specifying the content and format of order book records for CASPs operating a trading platform for crypto-assets.

To enable competent authorities to perform effective and efficient collation, comparison and analysis of the order data, CASPs operating platforms for crypto-assets should keep records of relevant data relating to all orders (order book records) in accordance with this Regulation. They should record the data in an electronic and machine-readable JSON format developed in accordance with the ISO 20022 methodology. An order book should be considered an organised list of buy and sell orders for a specific crypto-asset.

To properly monitor the integrity and stability of the markets in crypto-assets, competent authorities need reliable, consistent and standardised information on the crypto-assets that are traded. Such information should allow them to identify the individual crypto-asset being traded according to internationally established principles. In addition, they should be able to retrieve the main characteristics of the crypto-assets, including their technology-specific features. Crypto-asset service providers should therefore use an appropriate asset identifier to identify crypto-assets in the order and transactions records that they provide to competent authorities. In light of that objective, the use of the Digital Token Identifier (DTI) managed by the Digital Token Identifier Foundation, or alternative eligible identifiers is provided for in Commission Delegated Regulation establishing technical standards adopted pursuant to Article 68(10), first subparagraph, point (b) to identify crypto assets that are the subject of an order or transaction to be recorded by the crypto-asset service provider. In light of those considerations and to ensure a consistent supervisory approach, it is appropriate to provide for the use of asset identifiers in this Regulation under the same conditions as in Commission Delegated Regulation establishing technical standards adopted pursuant to Article 68(10), first subparagraph, point (b).

It is possible that market abuse behaviours, including market manipulation, are carried out through various means, including algorithmic trading. Therefore, to ensure effective market surveillance, where investment decisions are made by a person other than the client or by a computer algorithm, that person or algorithm should be identified in the order and transaction records using unique, robust and consistent identifiers. Where more than one person make an investment decision, the crypto-asset service provider should identify in its records the person with primary responsibility for the decision.

To ensure unique, consistent and robust identification of natural persons referred to in order records, those should be identified by a concatenation of the country of their nationality followed by identifiers assigned by the country of nationality of those persons. Where those identifiers are not available, natural persons should be identified by identifiers created from a concatenation of their date of birth and name. The identification of natural persons should be conducted following the level of prioritisation of different identifiers detailed in Annex II of Commission Delegated Regulation (EU) 2017/590.

The Regulation enters into force on 4 April 2025.

On 19 March 2025, the ESMA published translations of Guidelines on the conditions and criteria for the qualification of crypto-assets as financial instruments.

The guidelines apply to competent authorities and to financial market participants, including issuers as defined in Article 3(1), point (10), offerors as defined in Article 3(1), point (13) of MiCA, crypto-asset service providers as defined in Article 3(1), point (15) of MiCA, investors and all persons engaging in activities relating to crypto-assets.

The purpose of these guidelines is to specify conditions and criteria for determining whether a crypto-asset should qualify as a financial instrument and therefore ensuring the common, uniform and consistent application of the provisions in Article 2(4)(a) of MiCA. Furthermore, these guidelines provide clarifications on certain features of utility tokens, NFTs and hybrid tokens.

These guidelines apply 60 calendar days from the date of their publication on ESMA’s website in all official EU languages (19 May 2025).

On 31 March 2025, the EU published RTS and ITS under MiCA.

The Regulations are as follows:

• Commission Delegated Regulation (EU) 2025/300 of 10 October 2024 supplementing Regulation (EU) 2023/1114 of the European Parliament and of the Council with regard to regulatory technical standards on information to be exchanged between competent authorities.
  The information to be exchanged by competent authorities pursuant to Article 95(1) of Regulation (EU) 2023/1114 should therefore allow those authorities to effectively carry out their investigation, supervision and enforcement actitivites under that Regulation. Consequently, it is necessary to specify the information that competent authorities may need to exchange to be able to perform those tasks.
• Commission Delegated Regulation (EU) 2025/305 of 31 October 2024 supplementing Regulation (EU) 2023/1114 of the European Parliament and of the Council with regard to regulatory technical standards specifying the information to be included in an application for authorisation as a crypto-asset service provider.
  The application for authorisation should contain data about the identity of the applicant, the governance arrangements and internal control mechanisms, the suitability of the members of the management body and the sufficiently good repute of the shareholders or members with qualifying holdings. In compliance with the principle of data minimisation as expressed in Article 5(1), point (c) of Regulation (EU) 2016/679 of the European Parliament and of the Council such information should be sufficient to enable competent authorities to carry out a comprehensive assessment of applicants, and of their ability to comply with the relevant requirements of Regulation (EU) 2023/1114. Furthermore, that information should be sufficient to enable competent authorities to verify that there are no objective and demonstrable grounds for refusal of the authorisation as referred to in Article 63(10), points (a) to (d), of that Regulation.
• Commission Delegated Regulation (EU) 2025/413 of 18 December 2024 supplementing Regulation (EU) 2023/1114 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of information necessary to carry out the assessment of a proposed acquisition of a qualifying holding in an issuer of an asset-referenced token.
  The information contained in the notification submitted by the proposed acquirer should be true, accurate, complete and up-to-date from the moment of submission of the notification until the completion of the assessment by the competent authority. For that purpose, the proposed acquirer should inform the competent authority of any changes to the information provided in the notification.
• Commission Delegated Regulation (EU) 2025/414 of 18 December 2024 supplementing Regulation (EU) 2023/1114 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of information necessary to carry out the assessment of a proposed acquisition of a qualifying holding in a crypto-asset service provider.
  Where the proposed acquirer is a legal person, information on the identity of the ultimate beneficial owners and on the reputation and experience, over the last 10 years, of the persons who effectively direct the business of the proposed acquirer is also necessary to perform the prudential assessment. Therefore, the proposed acquirer should submit that information to competent authorities.
• Commission Delegated Regulation (EU) 2025/422 of 17 December 2024 supplementing Regulation (EU) 2023/1114 of the European Parliament and of the Council with regard to regulatory technical standards specifying the content, methodologies and presentation of information in respect of sustainability indicators in relation to adverse impacts on the climate and other environment-related adverse impacts.
  Transactions relating to crypto-assets, including their issuance, are validated and recorded via consensus mechanisms, namely the rules and procedures to reach an agreement on the validation of a transaction among distributed ledger technology (DLT) network nodes, which are also responsible for holding records of all transactions on a distributed ledger. The achievement of consensus, which requires the use of materials and computing power, comes with impacts on the climate and environment, which differ across DLTs depending on their specific features.
• Commission Implementing Regulation (EU) 2025/306 of 31 October 2024 laying down implementing technical standards for the application of Regulation (EU) 2023/1114 of the European Parliament and of the Council with regard to standard forms, templates and procedures for the information to be included in the application for authorisation as a crypto-asset service provider.
  To ensure a prompt and timely handling of applications for the authorisation of crypto-asset service providers, competent authorities should confirm the receipt of the application by sending electronically, on paper, or in both forms, an acknowledgement of receipt to the applicant. That acknowledgement of receipt should include the contact details of the persons or function in charge of handling the application for authorisation.

The Regulations enter on 20 April 2025.

On 18 March 2025, the ESMA published translations of Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents.

Joint Guidelines set out the ESAs’ view of appropriate supervisory practices within the European System of Financial Supervision or of how Union law should be applied in a particular area. Competent authorities to whom the Joint Guidelines apply should comply by incorporating them into their supervisory practices as appropriate (e.g. by amending their legal framework or their supervisory processes), including where the Joint Guidelines are directed primarily at institutions.

These guidelines are aimed at fulfilling the mandate given to the ESAs under Article 11(11) of DORA, to develop common guidelines on the estimation of aggregated annual costs and losses of major ICT-related incidents referred to Article 11(10) of that Regulation. These guidelines also specify a common template for the submission of the aggregated annual costs and losses.

These guidelines are addressed to competent authorities as defined in Article 46 of Regulation 2022/2554 and to financial institutions as defined in Article 4(1) of Regulation (EU) 1093/2010, Article 4(1) of Regulation (EU) 1094/2010 and Article 4(1) of Regulation (EU) 1095/2010 .

These Guidelines apply from 19 May 2025.

On 24 March 2025, the European Commission adopted a Commission Delegated Regulation supplementing DORA with regard to RTS specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions.

One of the objectives of DORA is to strengthen the outsourcing rules governing the indirect oversight of ICT third-party service providers. This objective aims to address the challenges for financial entities to assure compliance with the regulatory framework when certain functions are outsourced or further sub-outsourced.

Articles 1 and 2 establish the rules on proportionality and group application. 

Article 3 sets out rules on due diligence and risk assessment regarding the use of subcontractors supporting critical or important functions. 

Article 4 establishes the description and the conditions under which ICT services supporting a critical or important function may be subcontracted.

Articles 5-7 contain the rules on material changes to subcontracting arrangements of ICT service supporting critical or important functions, the provisions on the termination of the contractual arrangement, as well as the final provisions on entry into force.

On 28 March 2025, the EBA updates its Q&A on DORA.

The questions are as follows:

• Data point B_06.01.0050 is missing from the official ITS templates. Is this data point no longer applicable?
• How to report data fields in case of missing values?
• How to report data field B_05.02.0060 if the ICT third-party service provider is a direct provider (rank =1)?
• How to report type of identification code in data field B_05.01.0020 when using codes other than LEI or EUID?
• How to report data field B_04.01.0040 if the financial entity is not a branch?
• How to report data field B_02.02.0160 where the ICT service is not based or does not foresee data processing?
• How to report field B_02.02.0150 where the ICT service is not related to storage of data (B_02.02.0140 = 'No')?
• How to report field B_02.02.0130 where the ICT service is not supporting a critical or important function considering that according to the data model this data field is a primary key?
• What should be reported in case the financial entity does not have a direct parent undertaking (for example, is the parent undertaking itself) or reports the register on an individual basis?
• What does ‘where applicable’ mean in the title of data field B_02.01.0050?  What should be reported in this field in case the entity that is being reported in this template is not a financial entity (i.e., option 22, 23, or 24 was selected in field B_01.02.0040 for the entity type)?

On 6 March 2025, the European Central Bank (ECB) published its monetary policy decisions.

The Governing Council decided to lower the three key ECB interest rates by 25 basis points. In particular, the decision to lower the deposit facility rate – the rate through which the Governing Council steers the monetary policy stance – is based on its updated assessment of the inflation outlook, the dynamics of underlying inflation and the strength of monetary policy transmission.

The disinflation process is well on track. Inflation has continued to develop broadly as staff expected, and the latest projections closely align with the previous inflation outlook. Staff now see headline inflation averaging 2.3% in 2025, 1.9% in 2026 and 2.0% in 2027. The upward revision in headline inflation for 2025 reflects stronger energy price dynamics. For inflation excluding energy and food, staff project an average of 2.2% in 2025, 2.0% in 2026 and 1.9% in 2027.

The Governing Council today decided to lower the three key ECB interest rates by 25 basis points. Accordingly, the interest rates on the deposit facility, the main refinancing operations and the marginal lending facility will be decreased to 2.50%, 2.65% and 2.90% respectively, with effect from 12 March 2025.

On 19 March 2025, the European Commission published a communication on SIU strategy.

The European Commission has adopted its strategy for the SIU, a key initiative to improve the way the EU financial system channels savings to productive investments. It seeks to offer EU citizens broader access to capital markets and better financing options for companies. This can foster citizens' wealth, while boosting EU economic growth and competitiveness.

The SIU is a horizontal enabler that will create a financing ecosystem to benefit investments in the EU's strategic objectives. As highlighted in the Competitiveness Compass, Europe's capacity to address current challenges – such as climate change, rapid technological shifts and new geopolitical dynamics – demands significant investments, which the Draghi report estimates at an additional €750-800 billion per year by 2030, and which is further impacted by increased defence needs. Much of these additional investment needs relate to SMEs and innovative companies, which cannot rely solely on bank financing. By developing integrated capital markets - alongside an integrated banking system – the SIU can effectively connect savings and investment needs.

The EU is equipped with a talented workforce, innovative companies and a large pool of household savings of around €10 trillion in bank deposits. Bank deposits are safe and easy to access, but they usually earn less money than investments in capital markets. The SIU can support the well-being of our citizens, by offering them the choice and opportunities to pursue better returns by putting their savings to work in capital markets.

At the same time, more investments in capital markets support the real economy by enabling companies across Europe to grow and thrive. This can create better jobs with more competitive salaries for European workers, and drive investment and growth across all economic sectors - especially in areas that the EU has identified as strategically important, such as technological innovation, decarbonisation and security.

Delivering the SIU is a shared responsibility of EU institutions, Member States and all key stakeholders, requiring concerted efforts and close collaboration across four strands of work:

1. Citizens and Savings: Retail savers already play a central role in financing the EU economy via bank deposits, but they should have the opportunity, if they wish, to hold more of their savings in higher-yielding capital-market instruments including in view of retirement.
2. Investment and Financing: To stimulate investments, and in particular those in critical sectors, the Commission will introduce initiatives aimed at improving capital availability and access for all businesses, including small and medium enterprises.
3. Integration and Scale: Reducing inefficiencies stemming from fragmentation will entail important efforts to remove any regulatory or supervisory barriers to cross-border operations of market infrastructures, asset management and distribution of funds. This will enable businesses to scale efficiently across the EU.
4. Efficient Supervision in the Single Market: The Commission will propose measures to ensure all financial market participants receive similar treatment, irrespective of their location in the EU. This will entail reinforcing the use of convergence tools as well as a reallocation of supervisory competences between national and EU levels.

Finally, the SIU also aims at enhancing the integration and competitiveness of the EU banking sector, including through the deepening of the Banking Union. The Commission will also assess the overall situation of the banking system in the Single Market, including its competitiveness.

The actions proposed in this strategy will be further developed in the period ahead, in continued dialogue with stakeholders. Packages of measures will be taken in a limited range of areas, with a clear link to boosting competitiveness in the EU economy, with the most impactful actions being given priority in 2025.

Implementing the SIU will rest on both legislative and non-legislative measures, and on measures to be developed by the Member States themselves. Future success will require collaborative efforts from all stakeholders, including the Member States, European Parliament, private sector and civil society.

In Q2 2027, the Commission will publish a mid-term review of the overall progress in achieving the Savings and Investments Union.

On 5 March 2025, the European Union published a Commission Notice on the interpretation and implementation of certain legal provisions of the EU Taxonomy Environmental Delegated Act, the EU Taxonomy Climate Delegated Act and the EU Taxonomy Disclosures Delegated Act.

This notice contains technical clarifications responding to frequently asked questions (FAQs) on the TSC set out in the Taxonomy Climate Delegated Act (including the amendments to the Taxonomy Climate Delegated Act) and the Taxonomy Environmental Delegated Act, as well as the disclosure obligations for the non-climate environmental objectives laid down in the amendments to the Taxonomy Disclosures Delegated Act.

The aim of this notice is to help stakeholders comply with the regulatory requirements in a cost-effective way and to ensure that the reported information is comparable and useful in scaling up sustainable finance.

On 26 March 2025, the Council of the European Union agreed on its position on the ‘Stop-the-clock’ mechanism to enhance EU competitiveness and provide legal certainty to businesses.

Member states’ representatives (Coreper) approved the Council’s position (‘negotiating mandate’) on one of the Commission’s proposals to simplify EU rules and thus boost EU competitiveness. This proposal (the so-called ‘Stop-the-clock’ directive) postpones the dates of application of certain corporate sustainability reporting and due diligence requirements, as well as the transposition deadline of the due diligence provisions.

The proposal forms part of the ‘Omnibus I’ package adopted by the Commission at the end of February 2025 to simplify EU legislation in the field of sustainability. In view of significant implications for the business community, the Polish presidency has treated this proposal with utmost priority with the aim of providing EU companies with the necessary legal certainty as regards their reporting and due diligence obligations. Member states have broadly shared the presidency’s sense of urgency and, in that view, supported the Commission’s proposal to postpone:

• by two years the entry into application of the Corporate Sustainability Reporting Directive (CSRD) requirements for large companies that have not yet started reporting, as well as listed SMEs, and
• by one year the transposition deadline and the first phase of the application (covering the largest companies) of the Corporate Sustainability Due Diligence Directive (CSDDD).

A possible swift agreement between the co-legislators will provide them with time to agree on substantive changes to the CSRD and CSDDD, also proposed by the Commission as part of the ‘Omnibus I’ package on sustainability.

Following the approval of the Council’s negotiating mandate by Coreper, the presidency is enabled to enter interinstitutional negotiations with a view to reaching a provisional agreement with the European Parliament on this proposal. For its part, the European Parliament has scheduled on 1 April a vote on request for urgent procedure on this proposal.

On 17 March 2025, the ESMA announced its decision to temporarily extend the application of the recognition decisions under Article 25 of the EMIR for CCPs established in the UK and signed a Memorandum of Understanding with BoE.

On 30 January 2025, the European Commission adopted a new equivalence decision in respect of the regulatory framework applicable to CCPs in the UK.

Subsequently, ESMA has prolonged the tiering determination decisions and recognition decisions for the three recognised UK CCPs - ICE Clear Europe Ltd, LCH Ltd (as Tier 2) and LME Clear Ltd (as Tier 1) – that were adopted by ESMA on 25 September 2020, to align with the expiry date of the new equivalence decision.

The application of the tiering determination decisions and recognition decisions is temporarily extended until 30 June 2028.

ESMA has also signed a revised Memorandum of Understanding (MoU) with the Bank of England as required by EMIR 3.

This action follows the recent European Commission decision to extend the equivalence for the UK CCPs for a period of three years until 30 June 2028. At the same time, ESMA has also extended the tiering determination and recognition decisions in respect of the UK CCPs until that date.

According to EMIR, one of the conditions for recognition of a third-country CCP (TC-CCP) by ESMA is the establishment of cooperation arrangements between ESMA and the relevant third-country authority. 

The revised MoU follows the amendments introduced by EMIR 3 on the requirements concerning the content of such cooperation arrangements, in particular, cooperation in respect of systemically important TC-CCPs (Tier 2 TC-CCPs). 

The revised MoU replaces the earlier version that ESMA and the BoE concluded in 2020.

On 6 March 2025, the European Securities and Markets Authority (ESMA) published a letter on prioritisation of its 2025 deliverables.

As part of its ambitious work programme, ESMA is delivering on several demanding new legal mandates in 2025 including preparation for new direct supervision mandates, while at the same time continuing its work to promote supervisory convergence and to complement and strengthen the single rulebook.

ESMA recently carried out an assessment of the tasks and commitments that were outlined in its 2025 Annual Work Programme (AWP) submitted to the European Institutions in September 2024. As part of a wider effort to continually increase efficiency within ESMA, the prioritisation exercise aims to ensure that resources are appropriately allocated, also in light of external factors impacting on ESMA’s workload since the publication of the 2025 AWP. The primary external factor affecting ESMA this year is the coincidence of a large number of reviewed legislative files with the need to prepare for implementation of new responsibilities. Several new mandates are not accompanied by additional resources for preparatory work and resource redeployment opportunities have been exhausted.

In order to deliver most effectively on our 2025 AWP, taking into account the resource limitations, ESMA identified among its planned work a set of deliverables which could be deprioritised or postponed. The key criteria considered as part of this prioritisation exercise were the expected impact relative to the resources required to deliver it, the time-sensitivity and the interaction with other deliverables.

With this letter, and in the spirit of full transparency, the President of ESMA would like to bring to the attention the delayed and deprioritised deliverables which relate to ESMA’s commitments vis-à-vis the European Commission. The resources freed up from postponing and deprioritising the deliverables listed below will be diverted towards delivering on the highest priority workstreams for ESMA, amongst which: the implementation of EMIR 3, MiFID/MiFIR Review, Listing Act, CSDR Review, T+1 project, AIFMD Review as well as the preparation for new supervisory responsibilities relating to Consolidated Tape Providers, Green Bond verifiers and ESG Rating providers and oversight powers under DORA.

Both high priority and deprioritised deliverables have been identified in dialogue with the colleagues in DG FISMA, taking into account also the Commission’s political priorities on Savings and Investment Union, competitiveness and burden reduction. The reprioritisation of ESMA’s deliverables has been approved by the ESMA Board of Supervisors.

Among the delayed and deprioritised deliverables are:

• AIFMD Review – Regulatory technical standards (RTS) on open ended loan originating alternative investment funds – initial deadline 16 April 2025 – delay by 6 months.
• Central Securities Depositaries Regulation – RTS on buy-in – initial deadline 17 January 2025 – delay until T+1 implementation is complete.
• European Market Infrastructure Regulation 3 – RTS on central counterparty interoperability and RTS on post trade risk reduction services – initial deadline 4 December 2025 – delay by 6 months.
• MiFIR/D Review – RTS on order execution policies – initial deadline 29 December 2024 – delay by 6 months.

On 31 March 2025, the ESAs published Spring 2025 Joint Committee update on risks and vulnerabilities.

The ESAs warn that growing geopolitical tensions and rising cyber risks present significant challenges to financial stability. These include trade disputes, rapidly shifting policies, ongoing international conflicts and the prospect of economic fragmentation which are reshaping global markets, requiring heightened vigilance and adaptability from supervisors and financial entities alike.

Financial institutions must navigate growing uncertainties, including exposure to international markets, liquidity risks and the evolving role of artificial intelligence (AI). Ensuring resilience in the face of these developments is crucial.

The ESAs, therefore, emphasise the need for proactive risk management, stronger cyber resilience and a close monitoring of global financial linkages. As financial markets continue to evolve, international cooperation and regulatory preparedness will be key to maintaining stability. Against a background of high geopolitical risks, the ESAs recommend that supervisors and financial entities prepare for continued market volatility, consider the potential materialisation of liquidity risks and stand ready to adapt to adverse developments, including by provisioning adequately.

To better manage cyber and digitalisation risks, supervisors and financial institutions should continue to strive for robust data governance, critically assess AI solutions and their compliance with the AI Act, and support the timely implementation of the Digital Operational Resilience Act’s provisions.

On 16 March 2025, Belgium published a Royal Decree transposing certain provisions of CSRD, with regard to corporate sustainability reporting, and laying down various provisions on corporate sustainability reporting, and laying down miscellaneous provisions.

The first chapter aims to address the following aspects of the Royal Decree of 14 November 2007 on the obligations of issuers of financial instruments admitted to trading on a regulated market (hereinafter referred to as "the Royal Decree of 14 November 2007"), to be amended:

Transposition of Article 2 of Directive 2022/2464 (CSRD) :

In accordance with the authorisation referred to in Article 10, § 2, 4° bis, of the Law of 2 August 2002 on the supervision of the financial sector and financial services, this chapter clarifies the obligations applicable to Belgian or foreign issuers whose periodic information is provided by the FSMA - on the sustainability information they are required to provide to the public.

This refers to the sustainability information that listed companies (except micro-enterprises) are required to publish under the CSRD in the form of a sustainability report (sometimes also called a 'sustainability statement').

This also includes the information on environmentally sustainable economic activities, as required by European Regulation 2020/852 of 18 June 2020 on the establishment of a framework to facilitate sustainable investment, and Delegated Regulation 2021/2178 of 6 July 2021, which explains the content, presentation of that information and the methodology to be followed to comply with this reporting obligation. These provisions are referred to here as "the taxonomy regulations".

This Royal Decree thus makes the necessary amendments to the Royal Decree of 14 November 2017 in order to (1) oblige listed companies (except micro-enterprises) to include sustainability information in their annual report in accordance with the CSRD Directive, the reporting standards adopted by the European Commission in implementation of the CSRD Directive (the so-called "ESRS standards"), and the taxonomy regulations, and (2) to provide for the supervision by the FSMA of compliance with those obligations.

This draft makes a number of amendments to the Royal Decree of 21 August 2008 laying down detailed rules for certain multilateral trading facilities (hereinafter referred to as "the Royal Decree Alternext").

A first series of amendments aims to exclude the application to companies listed on Alternext of the provisions of the Royal Decree of 14 November 2007 on the sustainability information resulting from the CSRD Directive and on the information on environmentally sustainable economic activities that must be prepared in accordance with the taxonomy regulations.

This approach is proposed for reasons of proportionality. After all, it seems disproportionate to impose such information requirements on the companies listed on Alternext.

Art. 15. Articles 2, 3, 4, 6, 7, 11, 1° of this Decree shall enter into force from the opening date of the first financial year in which each issuer referred to in Article 3 of the Royal Decree of 14 November 2007 will have to publish the sustainability information in accordance with Article 116 of the Law of 2 December 2024, or in accordance with the equivalent provisions of the national legislation to which it is subject.

On 25 March 2025, the ACPR updated its FAQ on DORA.

In the context of the implementation of DORA (Digital Operational Resilience Act), the ACPR (Autorité de Contrôle Prudentiel et de Résolution) has updated its FAQ to clarify certain information regarding the new obligations that apply to financial entities. This includes details on the procedures for submitting the information register, the execution of penetration tests, and the scope of this new regulation.

Version française

Le 25 mars 2025, l'ACPR a mis à jour sa FAQ sur la loi DORA.

Dans le cadre de la mise en œuvre de la loi DORA (Digital Operational Resilience Act), l'ACPR (Autorité de Contrôle Prudentiel et de Résolution) a mis à jour sa FAQ afin de clarifier certaines informations concernant les nouvelles obligations qui s'appliquent aux entités financières. Il s'agit notamment de précisions sur les modalités de dépôt du registre d'information, la réalisation de tests d'intrusion et le champ d'application de cette nouvelle réglementation.

BACKGROUND

On 12 March 2025, Ordinance no. 2025-230 concerning collective investment schemes (OPC) was published in the Official Journal. The Ordinance addresses issues related to the interpretation, complex application, and legal uncertainties arising from the interplay between company law and the specific regulations on investment funds organized as commercial companies.

WHAT'S NEW?

Title Ier: Rules Related to Corporate Life, Governance, and Operations of UCIs:

Chapter I (Art. 2 to 7):

• Modernizes rules and formalities for meetings (digital meetings and documentation).
• Simplifies quorum and voting rules.
• Harmonizes publication and closing of accounts and dividend distribution timelines.
• Clarifies definitions of capital and profit appropriation.
• Amends distribution rules.
• Simplifies threshold crossing rules for listed investment funds.

Chapter II (Art. 8 and 9):

• Modernizes governance body composition and meetings (videoconferencing).
• Redistributes powers between UCIs' corporate bodies and management companies.

Chapter III (Art. 10): Introduces the concept of "sub-fund meeting" for operations at the sub-fund level.

Chapter IV (Art. 11 and 12): Corrects cross-references between codes regarding threshold crossing declaration obligations.

Title II: Liquidation Regime for UCIs:

Chapter I: Clarifies concepts of dissolution and liquidation of UCIs and their causes (Art. 13 and 14).

Chapter II:

• Provides administrative liquidation procedure.
• Gives AMF power to appoint a liquidator without court involvement (Art. 15 and 16).

Chapter III: Addresses the pre-liquidation regime (Art. 17).

WHAT'S NEXT?

UCIs structured as companies (e.g., SICAVs, SPPICAVs) must adapt their internal procedures and documentation in line with the clarified rules on governance, threshold crossings, and liquidation. Management companies should assess the impact of redistributed powers and ensure readiness to apply the new administrative liquidation procedure under AMF authority.

Version française

BACKGROUND

Le 12 mars 2025, l’Ordonnance n° 2025-230 relative aux organismes de placement collectif (OPC) a été publiée au Journal officiel. Cette ordonnance traite des difficultés d’interprétation, d’application complexe et d’insécurité juridique résultant de l’articulation entre le droit des sociétés et les règles spécifiques applicables aux fonds d’investissement constitués sous forme de sociétés commerciales.

WHAT'S NEW?

Titre Ier : Règles relatives à la vie sociale, à la gouvernance et au fonctionnement des OPC

Chapitre I (articles 2 à 7) :

• Modernise les règles et formalités relatives à la tenue des assemblées (réunions numériques et documentation).
• Simplifie les règles de quorum et de vote.
• Harmonise les délais de publication et de clôture des comptes ainsi que ceux relatifs à la distribution des dividendes.
• Clarifie les définitions relatives au capital et à l’affectation du résultat.
• Modifie les règles de distributionSimplifie les règles de franchissement de seuils applicables aux fonds d’investissement cotés.

Chapitre II (articles 8 et 9) :

• Modernise la composition et le fonctionnement des organes de gouvernance (visioconférence).
• Redistribue les pouvoirs entre les organes sociaux des OPC et les sociétés de gestion.

Chapitre III (article 10) :

• Introduit la notion d’« assemblée de compartiment » pour permettre des opérations au niveau du compartiment.

Chapitre IV (articles 11 et 12) :

• Corrige les renvois entre codes en matière d’obligations de déclaration de franchissement de seuils.

Titre II : Régime de liquidation des OPC

Chapitre I :

• Clarifie les notions de dissolution et de liquidation des OPC ainsi que leurs causes (articles 13 et 14).

Chapitre II :

• Précise la procédure de liquidation administrative.
• Confère à l’AMF le pouvoir de nommer un liquidateur sans intervention judiciaire (articles 15 et 16).

Chapitre III :

• Traite du régime de pré-liquidation (article 17).

WHAT'S NEXT?

Les OPC structurés sous forme de sociétés (par exemple, les SICAV et SPPICAV) doivent adapter leurs procédures internes et leur documentation conformément aux règles clarifiées en matière de gouvernance, de franchissements de seuils et de liquidation. Les sociétés de gestion doivent évaluer l’impact de la redistribution des pouvoirs et s’assurer qu’elles sont prêtes à appliquer la nouvelle procédure de liquidation administrative sous l’autorité de l’AMF.

On 25 March 2025, the AMF issued a reminder on the obligations of financial investment advisors who utilize financial product listing platforms. 

The AMF observed that CIFs often use these platforms, which generally hold a regulated status, to access a variety of analyzed financial products. Although this practice is not inherently contrary to regulations, CIFs are still required to fulfill their professional duties.

The AMF highlighted specific obligations for CIFs employing these platforms. CIFs must perform their own due diligence on the listed products rather than relying solely on the platforms’ analyses without further assessment. They must exercise their activities with competence, care, and diligence, ensuring that their services are tailored and proportionate to their clients' needs and objectives, including understanding the financial instruments they recommend and evaluating their compatibility with their clients' profiles.

Additionally, CIFs are required to gather essential information from clients about their financial situation, investment experience, risk tolerance, and sustainability preferences. They must provide clients with clear, accurate, and non-misleading information regarding the risks associated with the recommended financial instruments. Transparency regarding the remuneration received and conflicts of interest management mechanisms must also be ensured.

The AMF emphasized the necessity for CIFs to undertake annual training relevant to their activities and experience, enabling them to perform adequate analysis and comprehension of the proposed products. If CIFs do not fully understand the characteristics of the referenced products, they should refrain from providing advice on them.

Finally, the AMF noted that the contractual relationship between CIFs and financial product listing platforms must not lead CIFs to recommend products that are unsuitable for their clients. Addressing ambiguous client communications concerning relationships with platforms is crucial for maintaining transparency.

Version française

Le 25 mars 2025, l'AMF a rappelé les obligations des conseillers en investissements financiers qui utilisent les plateformes de référencement de produits financiers. 

L'AMF a constaté que les CIF ont souvent recours à ces plateformes, qui ont généralement un statut réglementé, pour accéder à une variété de produits financiers analysés. Si cette pratique n'est pas en soi contraire à la réglementation, les CIF sont néanmoins tenus de respecter leurs obligations professionnelles.

L'AMF a mis en évidence des obligations spécifiques pour les CIF qui utilisent ces plateformes. Les CIF doivent effectuer leurs propres diligences sur les produits listés et ne pas se fonder uniquement sur les analyses des plateformes sans évaluation complémentaire. Ils doivent exercer leurs activités avec compétence, soin et diligence, en veillant à ce que leurs services soient adaptés et proportionnés aux besoins et objectifs de leurs clients, notamment en comprenant les instruments financiers qu'ils recommandent et en évaluant leur compatibilité avec les profils de leurs clients.

En outre, les CIF sont tenus de recueillir auprès de leurs clients des informations essentielles sur leur situation financière, leur expérience en matière d'investissement, leur tolérance au risque et leurs préférences en matière de développement durable. Ils doivent fournir aux clients des informations claires, précises et non trompeuses sur les risques associés aux instruments financiers recommandés. La transparence sur les rémunérations perçues et les mécanismes de gestion des conflits d'intérêts doit également être assurée.

L'AMF a souligné la nécessité pour les CIF de suivre une formation annuelle adaptée à leurs activités et à leur expérience, leur permettant d'effectuer une analyse et une compréhension adéquates des produits proposés. Si les CIF ne comprennent pas parfaitement les caractéristiques des produits référencés, ils doivent s'abstenir de les conseiller.

Enfin, l'AMF rappelle que la relation contractuelle entre les CIF et les plateformes de référencement de produits financiers ne doit pas conduire les CIF à recommander des produits inadaptés à leurs clients. Le traitement des communications ambiguës des clients concernant les relations avec les plateformes est essentiel au maintien de la transparence.

On 17 March 2025, the AFG responded to ESMA's consultation on the regulation of open-ended loan funds (OE LO AIFs). AFG supports ESMA's proposed approach for liquidity management that avoids parametric criteria and emphasizes the need for flexibility for asset managers in designing their funds while ensuring adequate investor protection.

In its response, AFG highlights the importance of:

• Avoiding additional regulation that would complicate the managers' tasks, combining with existing ones like AIFM and ELTIF.
• Focusing on the cash flows generated by loans, which play a crucial role in liquidity management and reduce the need for asset sales.
• Leveraging asset managers' expertise in structuring loans to optimize liquidity, with the option of using ex-post management tools if necessary.
• Not imposing minimum liquidity thresholds by regulation, given recent reports by the FSB and IOSCO do not recommend such thresholds.
• Strengthening the proportionality of the obligations issued by the text.
• Not adding specific stress test requirements, arguing that ESMA's current rules on open-ended funds suffice.

In conclusion, AFG advocates for a practical and proportionate approach, providing managers with the necessary flexibility to structure their funds and support the economy.

Version française

Le 17 mars 2025, l'AFG a répondu à la consultation de l'ESMA sur la réglementation des fonds de prêt ouverts (OE LO AIFs). L'AFG soutient l'approche proposée par l'ESMA pour la gestion de la liquidité qui évite les critères paramétriques et souligne le besoin de flexibilité pour les gestionnaires d'actifs dans la conception de leurs fonds tout en assurant une protection adéquate des investisseurs.

Dans sa réponse, l'AFG souligne l'importance de :

• d'éviter une réglementation supplémentaire qui compliquerait la tâche des gestionnaires, en la combinant avec les réglementations existantes telles que l'AIFM et l'ELTIF.
• se concentrer sur les flux de trésorerie générés par les prêts, qui jouent un rôle crucial dans la gestion des liquidités et réduisent la nécessité de vendre des actifs.
• tirer parti de l'expertise des gestionnaires d'actifs en matière de structuration des prêts pour optimiser la liquidité, avec la possibilité d'utiliser des outils de gestion ex post si nécessaire.
• ne pas imposer de seuils minimaux de liquidité par voie réglementaire, étant donné que les rapports récents du CSF et de l'OICV ne recommandent pas de tels seuils.
• renforcer la proportionnalité des obligations prévues par le texte.
• ne pas ajouter d'exigences spécifiques en matière de stress tests, arguant que les règles actuelles de l'ESMA sur les fonds ouverts suffisent.

En conclusion, l'AFG plaide pour une approche pratique et proportionnée, offrant aux gestionnaires la flexibilité nécessaire pour structurer leurs fonds et soutenir l'économie."

pulished a L'AMF a rappelé les obligations des conseillers en investissements financiers utilisant les plateformes de cotation de produits financiersLe 18 mars 2025, la CSSF a publié un communiqué concernant les déclarations rejetées dans le cadre d'EMIR. 

Avec l'entrée en vigueur des rapports EMIR REFIT le 29 avril 2024, en particulier l'application des RTS 2022/1858, il y a une expansion du rôle des référentiels centraux pour assurer la qualité des données. La nouvelle norme technique codifie légalement les contrôles que les référentiels centraux doivent effectuer, y compris la fourniture de mécanismes de réponse en fin de journée et de nouveaux rapports tels que les rapports de rejet aux entités et aux autorités nationales compétentes. La CSSF souligne l'importance d'éviter les rapports rejetés et la nécessité pour les entités de suivre les contrôles recommandés afin d'éviter les motifs de rejet les plus courants lors de l'établissement des rapports en vertu de l'article 9 de l'EMIR.

Le communiqué met en évidence l'analyse des rapports de rejet reçus jusqu'au 31 décembre 2024, identifiant les erreurs fréquentes et encourageant les entités à adhérer aux meilleures pratiques dans la déclaration de leurs produits dérivés. Il s'agit notamment de s'assurer que les produits dérivés sont déclarés avec les bons types d'action tels que « Nouveau » ou « Composante de position », d'empêcher les modifications des champs de transaction immuables et de respecter les exigences en matière d'horodatage de la déclaration et de date d'événement. Les déclarations rejetées indiquent une non-conformité avec l'article 9 de l'EMIR, à moins qu'elles ne soient rectifiées et soumises à nouveau dans les délais impartis.

En améliorant leurs contrôles internes, les entités peuvent réduire le taux de rejet de leurs déclarations de transactions sur dérivés. La CSSF rappelle également aux entités luxembourgeoises de lui notifier les problèmes de reporting importants, comme l'exigent les normes techniques de mise en œuvre (ITS) 2022/1860. EMIR 3, en vigueur depuis le 24 décembre 2024, accorde aux autorités nationales compétentes des pouvoirs supplémentaires pour imposer des sanctions administratives en cas de non-respect des obligations de déclaration lorsque les erreurs sont systématiquement manifestes.

On 7 March 2025, the AMF shared insights from its latest experiments on the automated exploitation of regulatory data. Following an initial study in 2022 on automating the processing of risk mentions in listed companies' documents, the AMF continued its research in 2023 and 2024 to explore the potential of artificial intelligence and automated extraction tools in the analysis of regulatory reports. 

This phase of research utilized the AMF’s Big Data ICY platform to assess the capability of regulators to finely and efficiently exploit information published by listed companies and regulated entities. Under European regulatory developments, the number of documents under AMF’s supervision has significantly increased, adding pressure that these technologies aim to alleviate.

The AMF's experiments focused on two document types mandated by European sustainable finance regulations: Taxonomy reports published in 2022, detailing the eligibility of economic activities based on EU-defined sustainability criteria, and SFDR annexes introduced in 2023, outlining the environmental and social characteristics of financial products. These documents exemplify the challenges in automating regulatory data processing due to their varied formats and structures. The insights gained from this analysis can be generalized to other financial reports.

Key findings from the AMF’s work suggest several practices to enhance the exploitability of regulatory documents and guide normative developments. Firstly, pairing images with descriptive text or tables is crucial; images containing data for machine processing should be accompanied by a textual or tabular representation to prevent information loss and improve automatic data extraction. Secondly, standardized document structures are easier to process; harmonizing document plans and information fields is essential for automatic exploitation, improving data comparability and market actors' processing efficiency. Additionally, ensuring optimal data exploitability requires associating "machine-readable format" standards with specific rules; unstructured formats can hinder automated processing despite being theoretically suited for machine reading. Finally, reinforcing technical standardization of documents is necessary; precise requirements should be defined within technical standards for regulatory reporting to enhance readability and interoperability.

Further research by the AMF, particularly on U.S. practices and broader web content standards, highlights the benefits of standardized formats like XHTML compliant with W3C standards, which would ensure effective exploitation of regulatory documents. Adopting such approaches for future regulations without iXBRL tags could ensure better data accessibility.

These findings contribute to the ongoing discussion on evolving norms and standards for regulatory reporting in Europe. The AMF will continue its work to support this dynamic and contribute to the development of future supervision frameworks, emphasizing the efficiency of automated processing and the quality of accessible data for regulators.

Version française

Le 7 mars 2025, l’AMF a partagé les résultats de ses dernières expérimentations sur l’exploitation automatisée des données réglementaires. À la suite d’une première étude en 2022 sur l’automatisation du traitement des mentions de risque dans les documents des entreprises cotées, l’AMF a poursuivi ses recherches en 2023 et 2024 pour explorer le potentiel de l’intelligence artificielle et des outils d’extraction automatisée dans l’analyse des rapports réglementaires. Cette phase de recherche a utilisé la plateforme Big Data ICY de l’AMF pour évaluer la capacité des régulateurs à exploiter de manière fine et efficace les informations publiées par les entreprises cotées et les entités réglementées. Dans le cadre des évolutions réglementaires européennes, le nombre de documents sous supervision de l’AMF a considérablement augmenté, ce qui met sous pression ces technologies pour y répondre. Les expérimentations de l’AMF se sont concentrées sur deux types de documents imposés par les réglementations européennes en matière de finance durable : les rapports Taxonomy publiés en 2022, détaillant l’éligibilité des activités économiques selon des critères de durabilité définis par l’UE, et les annexes SFDR introduites en 2023, décrivant les caractéristiques environnementales et sociales des produits financiers. Ces documents illustrent les défis de l’automatisation du traitement des données réglementaires en raison de leurs formats et structures variés. Les enseignements tirés de cette analyse peuvent être généralisés à d’autres rapports financiers.  

Les conclusions clés du travail de l’AMF suggèrent plusieurs pratiques pour améliorer l’exploitabilité des documents réglementaires et orienter les évolutions normatives. Premièrement, associer des images à des textes descriptifs ou des tableaux est essentiel ; les images contenant des données pour le traitement automatisé doivent être accompagnées d’une représentation textuelle ou tabulaire pour éviter toute perte d’information et améliorer l’extraction automatique des données. Deuxièmement, les structures de documents standardisées sont plus faciles à traiter ; l’harmonisation des plans de documents et des champs d’informations est essentielle pour l’exploitation automatique, ce qui améliore la comparabilité des données et l’efficacité du traitement par les acteurs du marché. De plus, pour garantir une exploitation optimale des données, il est nécessaire d’associer des standards de format « lisible par machine » à des règles spécifiques ; les formats non structurés peuvent entraver le traitement automatisé bien qu’ils soient théoriquement adaptés à la lecture par machine. Enfin, renforcer la normalisation technique des documents est nécessaire ; des exigences précises doivent être définies dans les normes techniques pour le reporting réglementaire afin d’améliorer la lisibilité et l’interopérabilité.  

De nouvelles recherches menées par l’AMF, notamment sur les pratiques américaines et les normes plus larges des contenus web, mettent en avant les avantages des formats standardisés comme XHTML conforme aux normes W3C, ce qui garantirait une exploitation efficace des documents réglementaires. Adopter de telles approches pour les futures réglementations sans balises iXBRL pourrait garantir une meilleure accessibilité des données.  

Ces conclusions contribuent à la discussion en cours sur l’évolution des normes et des standards pour le reporting réglementaire en Europe. L’AMF poursuivra ses travaux pour soutenir cette dynamique et contribuer au développement des futurs cadres de supervision, en mettant l’accent sur l’efficacité du traitement automatisé et la qualité des données accessibles pour les régulateurs.  

ON 30 March 2025, Legifrance issued order of 19 March 2025 approving modifications to the general regulation of the AMF. 

The changes, detailed in the annex, include updates to various articles and sections concerning portfolio management services and financial operations. The amendments notably involve prohibitions on certain fees and commissions related to financial instrument transactions initiated within portfolio management services from 1 January 2027 for new mandates and 1 January 2028 for existing mandates. Further amendments prohibit subscription and redemption fees for collective investments managed by the same service provider or linked entities when operating on behalf of individual portfolios.

Version française

Le 30 mars 2025, Legifrance a publié l'arrêté du 19 mars 2025 portant homologation de modifications du règlement général de l'Autorité des marchés financiers. 

Les modifications, détaillées en annexe, comprennent des mises à jour de différents articles et sections concernant les services de gestion de portefeuille et les opérations financières. Les modifications portent notamment sur l'interdiction de certains frais et commissions liés aux transactions sur instruments financiers initiées dans le cadre du service de gestion de portefeuille à compter du 1er janvier 2027 pour les nouveaux mandats et du 1er janvier 2028 pour les mandats existants. D'autres amendements interdisent les commissions de souscription et de rachat pour les placements collectifs gérés par le même prestataire de services ou par des entités liées lorsqu'elles opèrent pour le compte de portefeuilles individuels.

On 6 March 2025, the BaFin updated its interpretation and application notes on AML. 

The basis for this was the announcement of the Financial Market Digitization Act of 27 December, 2024.

The updated version replaces the previous interpretation and application notes on the Money Laundering Act (GWG). Among other things, information on increased due diligence obligations for crypto asset transfers from or to self-hosted addresses has been added. Other updates:

• -Transaction Execution Following Suspicion Reports:
  Transactions must not be executed until approval is received from FIU or the prosecution office, or until three working days have passed without prohibition from these entities. The calculation excludes Saturdays and extends deadlines due to legal holidays.
• Monitoring and Updating Customer Data:
  CASPs now must use blockchain analysis software and general transaction monitoring with electronic data processing systems if services include exchanging cryptocurrencies for fiat currencies.
• Periodic and Event-Based Data Verification:
  Regular updates should follow risk classification and specific events, now including undeliverable mail and customer-reported changes. The periodic updates must adhere to risk-oriented frequencies and adapt to new EU regulations. It also specifies event-based checks at least annually for heightened risks.
• Documentation and Review of Risk Analysis:
  Methodology and documentation of risk analysis must be updated regularly, at least annually, or as needed based on internal/external risk factors.

The information applies to all obligated entities under the Money Laundering Act that BaFin supervises. 

On 7 March 2025, the CBI published the Fiftieth Edition of the AIFMD Q&A.

The Fiftieth Edition clarifies the application of the prohibition on AIFs acting as guarantors for third parties.

Q&A ID 1160 confirms that guarantees are permissible in respect of investments and/or intermediate vehicles for such investments in which the QIAIF has a direct or indirect economic interest subject to a number of important safeguards and investor disclosures.

Q&A ID 1161 confirms that the definition of financial institution in the AIF Rulebook is aligned with that set out in the revised AIFMD loan origination rules which cross refers to EU Directive 2009/138/EC (Solvency II) that is transposed into Irish law through the European Union (Insurance and Reinsurance) Regulations 2015.

Q&A ID 1162 clarifies that the prohibition on lending to persons intending to invest in equities or other traded investments or commodities, does not prevent lending to a borrower with the intention of acquiring a controlling interest in a target company.

On 4 March 2025, the Irish government approved the implementation of a distributed regulatory model for enforcing the EU Artificial Intelligence (AI) Act. This model designates eight public bodies as competent authorities under Article 70 of the AI Act, ensuring compliance across various sectors.

Regulatory Designations and Responsibilities:

Under Article 70, the following authorities have been assigned AI oversight responsibilities:

• Central Bank of Ireland
• Commission for Communications Regulation
• Commission for Railway Regulation
• Competition and Consumer Protection Commission
• Data Protection Commission
• Health and Safety Authority
• Health Products Regulatory Authority
• Marine Survey Office of the Department of Transport

A lead regulator will be designated later to coordinate enforcement efforts and ensure uniform implementation of the AI Act in Ireland.

Compliance Obligations for Businesses:

Under Article 70, businesses operating AI systems in regulated sectors must prepare for regulatory oversight. Companies should:

• Map their AI deployments to identify if their systems fall into high-risk categories, such as AI used in employment, finance, healthcare, or law enforcement.
• Engage with their sector’s competent authority to understand specific compliance requirements.
• Implement risk mitigation measures, including data governance, algorithmic transparency, and documentation of AI decision-making processes.
• Ensure readiness for market surveillance by maintaining compliance records and technical assessments for regulatory scrutiny.

Next Steps for AI Regulation in Ireland:

Under Article 70, Ireland must formally notify the European Commission of its designated authorities by 2 August 2025. These authorities must have the technical, financial, and human resources to enforce AI regulations effectively.

On 5 March 2025, Ireland's Department of Finance issued the Criminal Justice Act 2005 (Section 42) Regulations 2025, introducing restrictive measures against individuals and entities associated with ISIL (Da’esh) and Al-Qaida. 

The regulation enforces Council Regulation (EC) No. 881/2002, and aims at combating terrorism through the adoption of specific restrictive measures, directed at persons, groups or entities, for the identification, detection, freezing or seizure of their assets of any kind.

Section 42 of the Criminal Justice (Terrorist Offences) Act 2005 creates an offence for breach of the provisions of these Regulations, provides for appropriate penalties, and empowers the Minister for Finance to make regulations providing for such incidental, supplementary and consequential provisions as appear to the Minister to be necessary.

The Regulations revoke a previous domestic instrument created under Section 42 of the Criminal Justice (Terrorist Offences) Act 2005 in relation to Council Regulation (EC) No. 881/2002 of 27 May 2002, as amended. 

On 24 March 2025, the Central Bank of Ireland published the Consumer Protection Code 2025 ("CPC 2025"), which consists of:

• The Consumer Protection Code Central Bank Reform Act 2010 (Section 17A) (Standards for Business) Regulations 2025 ("Standards for Business Regulations"); and
• The Central Bank (Supervision and Enforcement) Act 2013 (Section 48) (Consumer Protection) Regulations 2025 ("Consumer Protection Regulations").

The new provisions will take effect on 24 March 2026. Until then, the Consumer Protection Code 2012 ("CPC 2012") remains applicable to regulated firms.

Consumer Protection Regulations:

CPC 2025 builds upon the protections established in CPC 2012, modernizing the framework to align with the evolving digital financial landscape. The updated code emphasizes firms' responsibility to act in the best interest of consumers, reinforcing their duty to proactively ensure consumer protection.

Key updates include provisions on digitalization, effective consumer communication, mortgage lending and switching, unregulated activities, fraud prevention, support for vulnerable consumers, and climate risk considerations. Additionally, the definition of "consumer" has been expanded by increasing the maximum annual turnover threshold from €3 million to €5 million.

CPC 2025 does not apply to:

• Services provided by regulated entities to clients outside Ireland,
• MiFID services (except where Regulation 4(3) of the European Union (Markets in Financial Instruments) Regulations 2017 applies),
• Reinsurance business.

Beyond incorporating updates to CPC 2012, the Consumer Protection Regulations also integrate revised versions of the Code of Conduct on Mortgage Arrears, the Central Bank (Supervision and Enforcement) Act 2013 (Section 48(1)) (Insurance Requirements) Regulations 2022, and the Central Bank (Supervision and Enforcement) Act 2013 (Section 48) (Licensed Moneylenders) Regulations 2020.

Standards for Business Regulations:

The Central Bank introduced the Standards for Business Regulations under powers granted by the Central Bank (Individual Accountability Framework) Act 2023. These standards set governance, resource management, and risk management requirements for regulated firms, alongside conduct standards.

Exemptions apply for:

• MiFID services (except where Regulation 4(3) of the European Union (Markets in Financial Instruments) Regulations 2017 applies),
• Credit union activities (unless the credit union is acting as an insurance intermediary),
• Crowdfunding services,
• Reinsurance business.

Furthermore, the Central Bank’s guidance on securing customers’ interests states that firms providing MiFID services are expected to consider and apply this guidance to meet their obligation to act "honestly, fairly, and professionally in accordance with the best interests of [their] clients," as required by Regulation 31 of the European Union (Markets in Financial Instruments) Regulations 2017.

BACKGROUND

On 11 March 2025, Italy published the Decree on Adaptation of National Legislation to EU Regulations on Financial Sector Resilience. This Decree integrates Regulation (EU) 2022/2554 (DORA) into the national legal framework. It forms part of Italy’s implementation of the Digital Operational Resilience Act, aimed at ensuring financial entities can withstand and recover from ICT-related disruptions. The Decree amends multiple legislative texts, including the Consolidated Law on Banking and the Consolidated Law on Finance.

WHAT'S NEW?

The Decree formally designates the Bank of Italy, Consob, IVASS, and COVIP as national competent authorities under DORA. It introduces new obligations for financial entities to report ICT-related incidents not only to their respective supervisory authority but also to CSIRT Italy, part of the National Cybersecurity Agency. The authorities are granted investigative and enforcement powers under Articles 42(6) and 50(2) of DORA, including conducting on-site inspections, requesting data, and interviewing staff. Provisions also include administrative sanctions and corrective measures for non-compliance.

The Decree entered into force on 12 March 2025. 

WHAT'S NEXT?

Entities subject to the new ICT incident reporting obligations must notify both the competent national authority and CSIRT Italy, in accordance with the procedures set out in the Decree. National authorities may initiate inspections or request data to verify compliance with the new rules.

On 17 March 2025, the Consiglio dei Ministri published news on mandatory registration of the digital domicile (PEC) for company directors in the business register. The Ministry of Enterprise and Made in Italy provided the first interpretative and operational indications concerning the obligation to register the digital domicile of directors in the Register of Companies, as introduced by Law no. 207 of 30 December 2024.

The Ministry's note definitively clarified interpretative doubts, specifying that the obligation to communicate the digital domicile is extended to directors of all companies established in any corporate form that engage in entrepreneurial activities. This includes mutual aid companies, consortia under the Italian Civil Code, and consortium companies, except for simple companies that engage in agricultural activities.

The Ministry also specified that the obligation to communicate the digital domicile applies not only to directors of companies established after 1 January 2025 but also to directors and liquidators of companies already existing before the law came into force.

Therefore, the Ministry has specified that the communication of the certified email of the directors must take place:

• for companies established after 1 January 2025 (or that submit the application for registration after that date) at the same time as the filing of the application for registration in the Register of Companies; and
• for companies already established before 1 January 2025, by 30 June 2025. In the event of a new appointment or renewal of the director, the PEC address must be communicated at the time of registration of the appointment itself.

Finally, with regard to the possibility of indicating, similarly to what happens for the physical domicile, the digital domicile of the company, the Ministry has denied the previous interpretative guidelines of some Chambers of Commerce, clarifying that each director will have to provide his or her own personal PEC address.

BACKGROUND

On 12 March 2025, Italy’s financial markets regulator CONSOB published Resolution no. 23463, updating its Issuers’ Regulation to align with the EU Corporate Sustainability Reporting Directive (CSRD).

This update follows Italy’s national implementation of the CSRD, which replaces the previous non-financial reporting rules. The CSRD introduces more detailed and standardised sustainability reporting requirements for listed companies.

WHAT'S NEW?

New supervisory article (Art. 89-quinquies): Introduced to set out how CONSOB will review sustainability reports from listed issuers with Italy as their home Member State. Reviews will be risk-based and sample-based, in line with EU standards.

Mandatory certification using a standard format: The manager responsible for financial reporting—or a designated manager—must now certify the sustainability disclosures using a specific template (Diagram No. 3 in Annex 3C-ter). This aligns with the new Article 154-bis(5-ter) of the Consolidated Law on Finance.

In force since 22 March 2025: The changes apply to sustainability reports for financial years starting on or after 1 January 2024. Older reports remain under the previous regime.

WHAT'S NEXT?

Annual guidelines from CONSOB will define how reports are selected for review

Issuers should ensure their internal processes and documentation align with the new structure and template.

Further EU-level simplifications of sustainability reporting are under discussion and may lead to future updates.

BACKGROUND

On 25 February 2025, the AED launched a campaign to invite the AML/CFT compliance officer (Responsable du contrôle) (“RC”) and the person responsible for compliance with the professional obligations as regards the fight against money laundering and terrorist financing (Responsable du respect) (“RR”) all AIFs to fill in and transmit the “AIF AML/CFT Questionnaire 2024” , pursuant to their obligation to cooperate with the authorities in accordance with article 5 of the AML/CFT Law.

WHAT'S NEW?

All unregulated AIFs supervised by the AED must fill in and transmit the “AIF AML/CFT Questionnaire 2024” with data as of 31 December 2024. The deadline for the submission of the “AIF AML/CFT Questionnaire 2024” is 30 June 2025 CoB.

The “AIF AML/CFT Questionnaire 2024” has undergone a number of changes, with the addition of several new questions and an all-new “Section 4 - TF” tab. In this context, the AED has published updated guidelines for AIFs to help them complete the questionnaire.

All unregulated AIFs must now submit:

• A signed RC Report on AML/CFT purposes for the year under review,
• An AML/CFT Questionnaire (to be submitted by the RR),
• The form appointing the RR and RC 
• Supporting documents, including evidence of board approval (e.g. board minutes).

These documents must present a detailed and coherent view of the fund’s AML/CFT risk management practices and compliance framework.

WHAT'S NEXT?

The questionnaire must be submitted on a yearly basis, with 2024 data as of 31 December 2024.

Submission deadlines:

• RAIFs: 31 May 2025
• Other unregulated AIFs: 30 June 2025

The RC Report must cover a wide range of topics, such as:

• AML/TF risk assessments, including risk tolerance;
• Customer Due diligence (CDD), fund initiators, portfolio managers, and politically exposed persons (PEPs);
• Monitoring of delegated services and compliance breaches;
• Reporting of suspicious transactions and financial sanctions.

The Questionnaire complements this with structured data points on governance, customer due diligence practices, intermediary relationships, and fund exposure to high-risk areas. The updated version also includes questions related to terrorist financing.

Version française

BACKGROUND

Le 25 février 2025, l’AED a lancé une campagne invitant le Responsable du contrôle (“RC”) et le Responsable du respect (“RR”) de tous les AIF à compléter et transmettre le « Questionnaire LBC/FT AIF 2024 », conformément à leur obligation de coopération avec les autorités, en vertu de l’article 5 de la Loi LBC/FT.

WHAT'S NEW?

Tous les AIF non réglementés supervisés par l’AED doivent remplir et transmettre le « Questionnaire LBC/FT AIF 2024 » avec des données à jour au 31 décembre 2024. La date limite de soumission du « Questionnaire LBC/FT FIA 2024 » est fixée au 30 juin 2025, fin de journée.

Le « Questionnaire LBC/FT FIA 2024 » a subi plusieurs modifications, avec l'ajout de nouvelles questions et un tout nouveau onglet « Section 4 - TF ». Dans ce cadre, l’AED a publié des lignes directrices mises à jour pour aider les AIF à remplir le questionnaire.

Tous les AIF non réglementés doivent désormais soumettre : 

• Un rapport signé du RC sur les objectifs LBC/FT pour l'année examinée, 
• Un questionnaire LBC/FT (à soumettre par le RR), 
• Le formulaire désignant le RR et le RC,
• Des documents justificatifs, y compris la preuve de l’approbation du conseil (par exemple, les procès-verbaux du conseil).

Ces documents doivent présenter une vue détaillée et cohérente des pratiques de gestion des risques LBC/FT et du cadre de conformité du fonds.

WHAT'S NEXT?

Le questionnaire doit être soumis chaque année, avec des données pour l'année 2024 au 31 décembre 2024.

Dates limites de soumission : 

• RAIFs : 31 mai 2025 
• Autres AIF non réglementés : 30 juin 2025

Le rapport RC doit couvrir un large éventail de sujets, tels que : 

• Évaluations des risques LBC/FT, y compris la tolérance au risque ; 
• Diligence raisonnée sur la clientèle (CDD), initiateurs de fonds, gestionnaires de portefeuille et personnes politiquement exposées (PEP) ; 
• Suivi des services délégués et des violations de la conformité ; 
• Signalement des transactions suspectes et des sanctions financières.

Le questionnaire complète cela avec des points de données structurés sur la gouvernance, les pratiques de diligence raisonnée sur la clientèle, les relations avec les intermédiaires, et l'exposition du fonds à des zones à haut risque. La version mise à jour inclut également des questions liées au financement du terrorisme.

On 28 March 2025, Legilux published the Law of 25 March 2025 on cross-border transformations, mergers, and divisions.

The "Loi du 25 mars 2025" modifies the Code du travail (Labor Code) to transpose Directive (EU) 2019/2121, which amends Directive (EU) 2017/1132 concerning cross-border transformations, mergers, and divisions. The law emphasizes the importance of workers' rights during corporate restructuring, including stipulations for information, consultation, and participation.

The amendments focus on ensuring that workers are adequately informed and consulted during cross-border corporate changes. Book IV, Title II, Chapter VI of the Labor Code is revised, with section 4 being repealed and replaced by a new Chapter VIbis. This new chapter broadly defines regulations for worker participation in cases of cross-border mergers, transformations, and divisions of companies. Specific articles within the chapter detail the requirement for companies to inform and consult with their employees during these processes, ensuring that workers' rights are maintained and protected.

Articles like L. 426-13 and L. 426-23 outline the general applicability of information and consultation provisions found in previous sections of the Labor Code. Provisions also elaborate on the specific legal triggers for employee participation in corporate governance, setting thresholds for this participation and ensuring continued protection of such rights during any subsequent restructuring within a defined period. Companies must communicate the outcomes of negotiations regarding worker participation promptly, ensuring transparency and compliance.

Overall, the transposition of Directive (EU) 2019/2121 into Luxembourg law seeks to align national regulations with European standards, fostering a more integrative approach to worker participation in corporate restructuring processes.

Version française

Le 28 mars 2025, Legilux a publié la loi du 25 mars 2025 relative aux transformations, fusions et scissions transfrontalières.

La « Loi du 25 mars 2025 » modifie le Code du travail pour transposer la directive (UE) 2019/2121, qui modifie la directive (UE) 2017/1132 concernant les transformations, fusions et scissions transfrontalières. La loi souligne l'importance des droits des travailleurs lors des restructurations d'entreprises, y compris les dispositions relatives à l'information, à la consultation et à la participation.

Les amendements visent à garantir que les travailleurs soient informés et consultés de manière adéquate lors des transformations transfrontalières des entreprises. Le livre IV, titre II, chapitre VI du code du travail est révisé, la section 4 étant abrogée et remplacée par un nouveau chapitre VIbis. Ce nouveau chapitre définit de manière générale les règles relatives à la participation des travailleurs en cas de fusions, transformations et scissions transfrontalières de sociétés. Des articles spécifiques du chapitre détaillent l'obligation pour les entreprises d'informer et de consulter leurs travailleurs au cours de ces processus, garantissant ainsi le maintien et la protection des droits des travailleurs.

Les articles L. 426-13 et L. 426-23 précisent l'applicabilité générale des dispositions relatives à l'information et à la consultation figurant dans les sections précédentes du code du travail. Ces dispositions précisent également les éléments juridiques spécifiques qui déclenchent la participation des travailleurs au gouvernement d'entreprise, en fixant des seuils pour cette participation et en garantissant le maintien de la protection de ces droits lors de toute restructuration ultérieure au cours d'une période définie. Les entreprises doivent communiquer rapidement les résultats des négociations concernant la participation des travailleurs, afin de garantir la transparence et le respect des règles.

Dans l'ensemble, la transposition de la directive (UE) 2019/2121 en droit luxembourgeois vise à aligner les réglementations nationales sur les normes européennes, en favorisant une approche plus intégrative de la participation des travailleurs aux processus de restructuration des entreprises.

The CSSF has been made aware of a recent malspam attack, that starts with the compromise of workstations via unwanted installation of Remote Management and Monitoring (RMM) tools, and ultimately resulting to fraudulent Multiline transactions.

CIRCL, the Computer Incident Center Luxembourg, published a technical report on this subject, including recommendations, available at this URL: circl.lu/pub/tr-93/.

The CSSF strongly recommends all supervised entities concerned to take duly note of this report and to take actions as appropriate.

Version française

La CSSF a été informée d'une récente attaque de malspam, qui commence par la compromission de postes de travail via l'installation non désirée d'outils de gestion et de surveillance à distance (RMM), et qui aboutit finalement à des transactions multilignes frauduleuses.

Le CIRCL, le Computer Incident Center Luxembourg, a publié un rapport technique sur ce sujet, incluant des recommandations, disponible à l'adresse suivante : circl.lu/pub/tr-93/.

La CSSF recommande vivement à toutes les entités supervisées concernées de prendre bonne note de ce rapport et de prendre les mesures qui s'imposent.

BACKGROUND

On 6 March 2025, the CSSF announced a reform of the electronic VISA procedure for prospectuses of UCITS, Part II UCIs, SICARs, and SIFs. This is part of ongoing efforts to streamline regulatory workflows and enhance digital traceability.

WHAT'S NEW?

Starting in April 2025, the new "e-Identification" system will replace the current VISA procedure. This system will feature two key elements prominently displayed on the first page of the prospectus:

• A unique identification number (YYYY/NNNNNN-NNNNNN-N-PC) and;
• An e-Identification date 

The submission process for new or amended prospectuses will utilize the dedicated eDesk e-Identification Prospectus application.

The implementation of the new e-Identification Prospectus application is accompanied by a change in CSSF’s administrative procedure. There are two types of change authorization:

• Changes Requiring Prior Approval: The process remains the same and will be conducted via email exchange. The current administrative procedure for requests and amendments that require prior review by the CSSF for the purpose of authorization or non-objection, as stipulated by applicable laws and regulations, remains applicable.
• Changes Not Requiring Prior Approval: A list of such amendments, which do not legally require CSSF authorization or prior reviews, will be created and can be incorporated into the prospectus without prior approval from the CSSF.

Electronic Submission Process:

• Changes Requiring Prior Approval: After receiving validation from the CSSF, the prospectus needs to be uploaded to eDesk with the fields containing the changes filled in.
• Changes Not Requiring Prior Approval: These amendments can be directly submitted via eDesk starting from 1 April.

WHAT'S NEXT?

A detailed guide will outline the updated procedure, provide the list of amendments which do or do not require a prior approval, explain the applicable conditions, include a technical section for IT implementation, and feature a FAQ section. This guide will be exclusively available to users via eDesk and will be published on 20 March 2025.

Version française

BACKGROUND

Le 6 mars 2025, la CSSF a annoncé une réforme de la procédure électronique de VISA pour les prospectus de UCITS, UCI de la Partie II, SICARs, et SIFs. Cela fait partie des efforts continus pour rationaliser les flux de travail réglementaires et améliorer la traçabilité numérique.

WHAT'S NEW?

À partir d’avril 2025, le nouveau système d’"e-Identification" remplacera la procédure actuelle de VISA. Ce système comportera deux éléments clés affichés de manière visible sur la première page du prospectus :

• Un numéro d’identification unique (YYYY/NNNNNN-NNNNNN-N-PC) ;
• Une date d’e-Identification

Le processus de soumission des prospectus nouveaux ou modifiés se fera via l’application dédiée eDesk "e-Identification Prospectus".

La mise en œuvre de cette nouvelle application "e-Identification Prospectus" s’accompagne d’un changement dans la procédure administrative de la CSSF. Deux types d’autorisations de modifications sont prévus :

• Modifications nécessitant une approbation préalable : Le processus reste inchangé et s’effectuera par échange d’e-mails. La procédure administrative actuelle applicable aux demandes et modifications soumises à un examen préalable de la CSSF en vue d’une autorisation ou d’une absence d’objection, conformément aux lois et règlements applicables, demeure en vigueur.
• Modifications ne nécessitant pas d’approbation préalable : Une liste de ces modifications, qui ne requièrent pas légalement d’autorisation ou de revue préalable par la CSSF, sera établie et pourra être intégrée au prospectus sans approbation préalable de la CSSF.

Processus de soumission électronique :

• Modifications nécessitant une approbation préalable : Après validation par la CSSF, le prospectus devra être téléchargé dans eDesk avec les champs contenant les modifications dûment complétés.
• Modifications ne nécessitant pas d’approbation préalable : Ces modifications pourront être directement soumises via eDesk à partir du 1er avril.

WHAT'S NEXT?

Un guide détaillé présentera la procédure mise à jour, fournira la liste des modifications nécessitant ou non une approbation préalable, expliquera les conditions applicables, inclura une section technique pour la mise en œuvre informatique, ainsi qu’une section FAQ. Ce guide sera exclusivement accessible aux utilisateurs via eDesk et sera publié le 20 mars 2025.

On 12 March 2025, ALFI responded to ESMA’s consultation on draft regulatory technical standards on open-ended loan-originating AIFs under the AIFMD.

The revised AIFMD provides that ESMA shall develop draft RTS to determine the requirements with which loan-originating AIFs are to comply in order to maintain an open-ended structure. According to the mandate in the AIFMD, those requirements shall include a sound liquidity management system, the availability of liquid assets and stress testing, as well as an appropriate redemption policy having regard to the liquidity profile of loan-originating AIFs. Those requirements shall also take due account of the underlying loan exposures, the average repayment time of the loans and the overall granularity and composition of the portfolios of loan-originating AIFs.

In its response, ALFI welcomes ESMA’s conclusion that the existing AIFMD liquidity management regime is robust, as no gaps were identified.

ALFI is of the view that a required level of liquid assets should not be defined on a pre-launch/product basis, as various criteria need to be considered to assess the liquidity of a fund. Generally, ALFI stresses in its submission that AIFMs are best positioned to assess the liquidity and determine a suitable liquidity management system for their funds. In this regard, it is worth noting that AIFMs typically have redemption/liquidity policies for groups of funds of the same type, so ALFI would not see a need to draft separate policies for each single fund.

Version française

Le 12 mars 2025, l'ALFI a répondu à la consultation de l'ESMA sur les projets de normes techniques réglementaires relatives aux fonds alternatifs ouverts à l'origine de prêts dans le cadre de l'AIFMD.

L'AIFMD révisée prévoit que l'ESMA développe des projets de RTS pour déterminer les exigences auxquelles les fonds alternatifs originant des prêts doivent se conformer afin de maintenir une structure ouverte. Conformément au mandat de l'AIFMD, ces exigences comprennent un système solide de gestion des liquidités, la disponibilité d'actifs liquides et des tests de résistance, ainsi qu'une politique de remboursement appropriée au regard du profil de liquidité des fonds alternatifs initiateurs de prêts. Ces exigences tiennent également compte des expositions de prêt sous-jacentes, du délai moyen de remboursement des prêts et de la granularité et de la composition globales des portefeuilles des fonds alternatifs émetteurs de prêts.

Dans sa réponse, l'ALFI accueille favorablement la conclusion de l'ESMA selon laquelle le régime existant de gestion de la liquidité de l'AIFMD est robuste, puisqu'aucune lacune n'a été identifiée.

L'ALFI est d'avis qu'un niveau requis d'actifs liquides ne devrait pas être défini sur une base pré-lancement/produit, étant donné que plusieurs critères doivent être pris en compte pour évaluer la liquidité d'un fonds. De manière générale, l'ALFI souligne dans sa soumission que les gestionnaires sont les mieux placés pour évaluer la liquidité et déterminer un système de gestion de la liquidité approprié pour leurs fonds. A cet égard, il convient de noter que les gestionnaires ont généralement des politiques de rachat/liquidité pour des groupes de fonds du même type, de sorte que l'ALFI ne verrait pas la nécessité de rédiger des politiques séparées pour chaque fonds individuel.

On 18 March 2025. the CSSF issued a communiqué concerning EMIR Rejected Reports. 

With the entry into force of EMIR REFIT reporting on 29 April 2024, especially the application of RTS 2022/1858, there is an expansion of the Trade Repositories' role in ensuring data quality. The new technical standard legally codifies the controls Trade Repositories must perform, including providing end-of-day response mechanisms and new reports such as rejection reports to entities and national competent authorities. The CSSF emphasises the importance of avoiding rejected reports and the need for entities to follow recommended controls to prevent common rejection reasons when reporting under Article 9 of EMIR.

The communiqué highlights the analysis of rejection reports received until 31 December 2024, identifying frequent errors and encouraging entities to adhere to best practices in reporting their derivatives. This includes ensuring derivatives are reported with the correct action types such as “New” or “Position Component,” preventing modifications to immutable transaction fields, and compliance with the reporting timestamp and event date requirements. Rejected reports indicate non-compliance with Article 9 of EMIR unless rectified and resubmitted within the reporting deadlines.

Through improved internal controls, entities can reduce the rejection rate of their derivative transaction reports. The CSSF also reminds entities in Luxembourg to notify them of significant reporting issues as required by Implementing Technical Standards (ITS) 2022/1860. EMIR 3, in effect since 24 December 2024, grants National Competent Authorities additional powers to impose administrative penalties for non-compliance with reporting obligations when errors are systematically manifest.

Version française

Le 18 mars 2025, la CSSF a publié un communiqué concernant les rapports rejetés dans le cadre d'EMIR. 

Avec l'entrée en vigueur des rapports EMIR REFIT le 29 avril 2024, en particulier l'application des RTS 2022/1858, il y a un élargissement du rôle des référentiels centraux pour assurer la qualité des données. La nouvelle norme technique codifie légalement les contrôles que les référentiels centraux doivent effectuer, y compris la fourniture de mécanismes de réponse en fin de journée et de nouveaux rapports tels que les rapports de rejet aux entités et aux autorités nationales compétentes. La CSSF souligne l'importance d'éviter les rapports rejetés et la nécessité pour les entités de suivre les contrôles recommandés afin d'éviter les motifs de rejet les plus courants lors de l'établissement des rapports en vertu de l'article 9 de l'EMIR.

Le communiqué met en évidence l'analyse des rapports de rejet reçus jusqu'au 31 décembre 2024, identifiant les erreurs fréquentes et encourageant les entités à adhérer aux meilleures pratiques dans la déclaration de leurs produits dérivés. Il s'agit notamment de s'assurer que les produits dérivés sont déclarés avec les bons types d'action tels que « Nouveau » ou « Composant de position », d'empêcher les modifications des champs de transaction immuables et de respecter les exigences en matière d'horodatage de la déclaration et de date d'événement. Les déclarations rejetées indiquent une non-conformité avec l'article 9 de l'EMIR, à moins qu'elles ne soient rectifiées et soumises à nouveau dans les délais impartis.

En améliorant leurs contrôles internes, les entités peuvent réduire le taux de rejet de leurs déclarations de transactions sur dérivés. La CSSF rappelle également aux entités luxembourgeoises de lui notifier les problèmes de reporting importants, comme l'exigent les normes techniques de mise en œuvre (ITS) 2022/1860. EMIR 3, en vigueur depuis le 24 décembre 2024, accorde aux autorités nationales compétentes des pouvoirs supplémentaires pour imposer des sanctions administratives en cas de non-respect des obligations de déclaration lorsque les erreurs sont systématiquement manifestes.

On 24 March 2025, the CBL updated its statistical reporting of investment funds FAQ. 

CBL added question 18 in relation to reporting S2.20.

18.1 Item 4110 “Investor base” 

At what frequency should the item 4110 “Investor base” be reviewed? 

We do not expect changes from one quarter to another. Hence, this item must be reassessed periodically and at least once a year. 

18.2 Items related to “Charges” 

How should an “all-in” fee in the items related to “Charges” be reported? 

In cases where the fee structure is an “all-in” fee, which implies that only one compensation amount is paid out of the assets of the fund to a recipient (commonly the management company) who will afterwards pay the other service providers to the fund, we recommend to adopt the same caption as used in the annual accounts, based on the counterparty status, e.g. “6061 - Advisory and/or management commissions and/or fees”.

Version française

Le 24 mars 2025, la CBL a mis à jour sa déclaration statistique des fonds d'investissement FAQ. 

La CBL a ajouté la question 18 relative au reporting S2.20.

18.1 Poste 4110 « Base d'investisseurs » 

A quelle fréquence le poste 4110 « Base d'investisseurs » doit-il être revu ? 

Nous ne nous attendons pas à des changements d'un trimestre à l'autre. Ce poste doit donc être réévalué périodiquement et au moins une fois par an. 

18.2 Postes liés aux « frais » 

Comment les frais « tout compris » doivent-ils être déclarés dans les postes liés aux « frais » ? 

Dans les cas où la structure des frais est une commission " all-in ", ce qui implique qu'un seul montant de compensation est payé à partir des actifs du fonds à un bénéficiaire (généralement la société de gestion) qui paiera ensuite les autres prestataires de services au fonds, nous recommandons d'adopter le même intitulé que celui utilisé dans les comptes annuels, en fonction du statut de la contrepartie, par exemple " 6061 - Commissions et/ou frais de conseil et/ou de gestion.

On 28 March 2025, CBL published updated templates and report for S2.20 reporting.

The update to the report concerns the addition of Item 1030 – Intentionally left blank . This item is not used for the S 2.20 report but is displayed to mirror the U1.1 report schema.

Version française

Le 28 mars 2025, le CBL a publié des modèles et un rapport mis à jour pour les rapports S2.20.

La mise à jour du rapport concerne l'ajout de l'élément 1030 - Intentionnellement laissé en blanc. Cet élément n'est pas utilisé pour le rapport S 2.20 mais est affiché pour refléter le schéma du rapport U1.1.

On 31 March 2025, the CSSF updated its reporting handbook for IFR. 

The changes made are the following: 

• Sections 3.1.2, 3.2.2 and 5.1: Minor changes to COREP templates reported by class 2 investment firms due to CRR3/CRD6. From 2025-03, official applicability of V 4.0 for CIFCL2 and SIFCL2.
• Sections 4.1 and 4.2.2.2.: Precision on the request and treatment of adjusted reporting reference and remittance dates.

Version française

Le 31 mars 2025, la CSSF a mis à jour son manuel de reporting pour les IFR. 

Les modifications apportées sont les suivantes : 

• Sections 3.1.2, 3.2.2 et 5.1 : Modifications mineures des modèles COREP déclarés par les entreprises d'investissement de la classe 2 en raison de CRR3/CRD6. A partir de 2025-03, applicabilité officielle de la V 4.0 pour CIFCL2 et SIFCL2.
• Sections 4.1 et 4.2.2.2 : Précision sur la demande et le traitement des dates de référence et de remise ajustées.

LBR would like to inform that the specific formality of filing with the RCS, which allows the update of the Luxembourg national identification number of natural persons registered with the RCS, will remain free of charge until 31 May 2025.

From 1 June 2025, this service will be subject to a fee.

If the Luxembourg national identification numbers are not updated by the deadline, LBR reserves the right to restrict access to the filing formalities for the entities concerned until these numbers have been communicated to LBR and their situation has been regularized.

This restriction will apply from 1 October 2025, the date on which the blocking of filings comes into effect.

Version française

La LBR souhaite informer que la formalité spécifique de dépôt au RCS, qui permet la mise à jour du numéro d'identification national luxembourgeois des personnes physiques inscrites au RCS, restera gratuite jusqu'au 31 mai 2025.

A partir du 1er juin 2025, ce service sera payant.

Si les numéros d'identification nationaux luxembourgeois ne sont pas mis à jour dans les délais, le LBR se réserve le droit de restreindre l'accès aux formalités de dépôt pour les entités concernées jusqu'à ce que ces numéros aient été communiqués au LBR et que leur situation ait été régularisée.

Cette restriction s'appliquera à partir du 1er octobre 2025, date à laquelle le blocage des dépôts entrera en vigueur.

On 27 March 2025, the SC Malaysia published revised guidelines on advertising for capital market products and services.

The Guidelines was revised to update certain requirements and guidance taking into account advertising and promotional trends globally and domestically, including the growing prominence of social media and financial influencers (finfluencers).

This is towards ensuring responsible advertising activities in relation to capital market products and services.

The revised framework will include:

• new requirements relating to finfluencers who are not engaged as marketing agents by an advertiser yet on their own accord undertake advertising activities for any capital market products and services. They will be subject to the requirements under the Guidelines as they would be regarded as advertisers for the purposes of the Guidelines;
• enhancement of requirements relating to advertisers’ duty to ensure the advertising activities conducted by their marketing agent comply with the Guidelines. The advertisers will otherwise be held accountable for the conduct of their marketing agent; and
• enhancement of requirements relating to use of social media to address its growing use for financial promotions.

The Guidelines will also impose a prohibition against advertising services in Malaysia, of persons who are not authorised by the SC.

The Guidelines is part of the SC’s ongoing efforts to promote responsible advertising on new channels of advertising such as social media, ultimately protecting investors.

In reviewing and formulating the revised Guidelines, the SC has, amongst others, benchmarked against other jurisdictions such as Australia, the UK and Singapore, and considered the feedback received from engagement with relevant stakeholders including finfluencers.

The revised Guidelines will come into effect on 1 November 2025 to allow sufficient time for advertisers to familiarise and make the necessary preparations to meet the new requirements.

On 21 March 2025, the Overheid published a Notice of implementation of the amendment to Directive (EU) 2015/849, Ministry of Finance.

The Ministry of Finance has implemented Regulation (EU) 2023/1113 of the European Parliament and the Council on transfers of funds and certain information to be added to crypto-assets, amending Directive (EU) 2015/849. This regulation entered Dutch law on 4 February 2025. The correlation table accompanying this communication outlines the provisions incorporated into existing law. The Communication will be sent to the European Commission to satisfy Article 67(3) of the Directive.

On 25 march 2025, the DNB published instructions for the DORA registers submission.

Starting 1 April 2025, Dutch financial institutions must report DORA information registers using an xBRL-CSV file. For those unable to implement this standard on time, a standardised Excel template is available. The reporting deadline is 23 April 2025. Key points for completing the report include maintaining the structure of the "TOC" tab, entering the LEI code followed by .IND or .CON, and ensuring all templates are reported, even when empty. Validation errors must be corrected before resubmission, possible until 28 May 2025. More details and resources are provided by the European supervisory authorities.

On 21 March 2025, NVB announced the creation of a joint T+1 Taskforce has been established with the Dutch Advisory Committee Securities Industry (DACSI) to facilitate the transition to shortening the securities settlement cycle from 2 days to 1 day by 2027 in the Netherlands. The task force will share knowledge from the T+1 European partnership and address specific challenges for the Dutch market. Participants from the entire market infrastructure, including observers from DNB and the AFM, are involved.

The acceleration of securities trading settlement from two days to one day will begin in October 2027 across the EU. This transition aims to enhance the efficiency of European capital markets, making them safer and more predictable by reducing counterparty risk and enabling faster access to funds for investors. Aligning the EU's settlement cycle with other major financial centers, such as the US, will facilitate cross-border transactions. The transition will be complex, requiring the coordination of policymakers, supervisors, and the entire financial sector.

On 7 March 2025, the Government published a consultation on the transposition of Directive (EU) 2024/1640 on the mechanisms to be established by Member States for the prevention of the use of the financial system for the purpose of money laundering or terrorist financing.

This proposal aims to transpose Directive (EU) 2024/1640 of the European Parliament and of the Council of 31 May 2024 into Spanish law, as well as to adapt the national legal regime on the prevention of money laundering to Regulation (EU) 2024/1624 of the European Parliament and of the Council of 31 May 2024, supplementing the Directive. This Regulation, in addition to being directly applicable, includes several provisions in which Member States retain a certain degree of discretion regarding its scope.

The transposition of the Directive is phased into force, with 10 July 2027 being the deadline for having the necessary legal and regulatory mechanisms in place for its implementation in Spain. As an exception, the legal, regulatory, and administrative provisions necessary to comply with Article 74 must be in force by 10 July 2025; Articles 11, 12, 13, and 15 by July 10, 2026, and Article 18 by July 10, 2029.

The draft legislation aims to contribute to the harmonization of obligations for obliged entities and to strengthen institutional frameworks for the prevention of money laundering and terrorist financing, harmonizing and reinforcing the powers and independence of the competent authorities, as well as their cooperation.

It also seeks to strengthen the registers of beneficial owners and their transparency, and creates a single access point for real estate in each Member State. The objective is to identify who is behind legal entities and legal instruments to prevent the misuse of these entities in money laundering or terrorist financing. The measures aim to ensure that these central registries are easily accessible and contain high-quality data. They introduce consistent rules on the collection, updating, and retention of such information by the registries, thereby unifying the methodology and criteria for central registries in all Member States.

The consultation closes on 27 March 2025.

On 29 March 2025, Spain published a Resolution of 26 March 2025, of the General Secretariat of the Treasury and International Financing, which publishes the effective annual interest rate for the second calendar quarter of 2025, for the purpose of tax classification of certain financial assets.

For the purposes of the provisions of Articles 63 and 91 of the Corporate Income Tax and Personal Income Tax Regulations, respectively, the reference rates resulting for the second calendar quarter of 2025 are 1.990 per cent for financial assets with a term of four years or less, 2.146 per cent for those with a term of more than four years but equal to or less than seven years and, in the case of assets with a longer term, 2.706 per cent for a term of ten years and 2.953 per cent for a term of thirty years, with the application in all other cases of the rate corresponding to the term closest to that of the issue to be made.

Notwithstanding the foregoing, in the case of public debt with a mixed yield, whose coupons and redemption amount are calculated with reference to a price index, the reference rates resulting for the second calendar quarter of 2025 are 0.995 per cent for financial assets with a maturity equal to or less than four years, 1.073 per cent for those with a term of more than four years but equal to or less than seven years and, in the case of assets with a longer term, 1.353 per cent for a term of ten years and 1.476 per cent for a term of thirty years, with the application in all other cases of the rate corresponding to the term closest to that of the issue to be made.

In March 2025, the Government published a 2nd Hearing on the Draft Royal Decree establishing the legal regime applicable to electronic invoicing between entrepreneurs and professionals.

Small and medium-sized enterprises (SMEs) play a fundamental role in economic growth, job creation, and promoting the competitiveness of the Spanish economy, providing added value to all sectors. In numerical terms, they constitute approximately 99% of the productive fabric, represent just over 62% of Gross Value Added (GVA), and 66% of employment.

In this regard, within the framework of Component 13 "Boosting SMEs," Reform 1 "Improving Regulation and the Business Climate" of the Recovery, Transformation, and Resilience Plan, Law 18/2022, of September 28, on business creation and growth, was approved. This law aims to improve regulation and the business climate; eliminate obstacles to the development of economic activities; reduce commercial defaults; and optimize access to financing.

Among its main measures are those aimed at advancing the fight against late payment in commercial transactions, one of the causes that most impacts the liquidity and profitability of many Spanish companies, particularly SMEs. To this end, the law strengthens public procurement regulations to ensure that contractors pay the price agreed upon with subcontractors on time, and requires companies wishing to access a public subsidy or become a collaborating entity in its management to comply with the payment deadlines established in Law 3/2004, of December 29, which establishes measures to combat late payment in commercial transactions.

It also stipulates the creation of a State Observatory on Private Late Payments, responsible for monitoring and analyzing payment deadline data and promoting good practices in this area, currently regulated in its specific regulations.

However, and notably, Law 18/2022, of September 28, on the creation and growth of companies, proceeds in its article 12 to modify article 2 bis of Law 56/2007, of December 28, on Measures to Promote the Information Society, to extend the obligation to issue and send electronic invoices to all commercial relationships between entrepreneurs and professionals.

First, Article 1 describes the purpose of the regulation, which is to develop Article 2 bis of Law 56/2007, of December 28, on Measures to Promote the Information Society, as amended by Article 12 of Law 18/2022, of September 28, on the creation and growth of companies, with regard to the technical and information requirements of the Spanish electronic invoicing system for entrepreneurs and professionals.

Article 2 then includes a series of definitions necessary for the correct implementation of the new obligation. Articles 3 and 4 contain the provisions relating to the subjective and objective scope of the regulation, maintaining, in general terms, the current typology of agents required to issue invoices in accordance with the Regulation governing invoicing obligations, approved by Royal Decree 1619/2012, of November 30, as well as the transactions that must be documented through an invoice in accordance with said regulation.

The regulation then dedicates its Article 5 to defining the basic characteristics of the future Spanish electronic invoicing system, which will consist of private electronic invoice exchange platforms and the public electronic invoicing solution.

The feedback period closes on 7 April 2025.

In March 2025, the Government published a consultation draft Order approving the classification of Pension Funds according to their investment policy.

The purpose of this order is to develop the authorisation contained in article 69.10 of the Pension Plans and Funds Regulation, thus determining the classification of pension funds by their investment policy.

Article 16 of the consolidated text of the Law on the Regulation of Pension Plans and Funds approved by Royal Legislative Decree 1/2002, of 29 November, establishes in paragraph 8 that the pension fund control committee, with the participation of the management entity, will be responsible for preparing a written statement of the principles of its investment policy.

The development of this order is intended to clarify the different investment vocations, establishing a definition for each of them. This will make it possible to group those funds with similar characteristics in terms of investment policy, which will result in better comparability of the funds by the participants.

The development of this order is intended to clarify the different investment vocations, establishing a definition for each of them. These definitions make it possible to specify these investment vocations in order to comply with the obligations set out in the Pension Plans and Funds Regulation and the Circular of 19 February 2024, of the Directorate General of Insurance and Pension Funds, in the case of certain investment policies.

The feedback period closes on 9 April 2025.

On 17 March 2025, Spain published CNMV Circular 1/2025, of 5 March, amending the other three circulars regarding the investment fund performance management fees and the information provided by venture capital entities and depositories.

More specifically, the Circular published consists of three rules:

• The first amends Circular 6/2008, of 26 November, on determining the net asset value and operational aspects of collective investment schemes. The modification adjusts the rules regarding performance management fees to the requirements set on such fee by Article 5 of the CIS Regulation following its last amendment and to the ESMA Guidelines on performance fees of such type of entities (ESMA34-39-992 ES).
  The second amends Circular 11/2008, of 30 December, on accounting standards, annual accounts and financial reporting of venture capital entities, to include the requirement of European long-term investment funds (ELTIFs), which have recently been included in the CNMV’s register, to submit models of financial reporting to the CNMV. Additionally requiring the submission of follow-up reports on qualified auditor’ opinion regarding valuation of venture capital entities via the CIFRADOC/CNMV service. Moreover, the models of financial reporting included in the Circular to introduce more adequate breakdowns considering supervisory experience and to adapt them to the last regulatory changes.
  The third rule amends Circular 4/2016, of 29 June, on the functions of the depositories of collective investment schemes and entities regulated by Spanish Law 22/2014, of 12 November, establishing the provision of the annual report regarding the depositary´s monitoring and supervision function via the CIFRADOC/CNMV service.

This Circular shall enter into force 20 days after its publication in the Spanish Official Gazette (6 April 2025), excluding the financial reporting mentioned in Rule Two. Accordingly, the first required financial reporting will be that corresponding by 31 December 2025.

On 7 March 2025, the Federal Council decided to implement the obligation to report cyberattacks against critical infrastructures starting from 1 April 2025. From this date, operators of critical infrastructures are required to report cyberattacks to the Federal Office for Cybersecurity (OFCS) within 24 hours of detection. These reports will enable the OFCS to aid affected companies in managing the cyberattacks and alert other critical infrastructure operators at an early stage. The increasing threat posed by cyber incidents has led Switzerland to introduce this reporting requirement. The Federal Council decided to enact the amendments to the Federal Act on Information Security within the Confederation (Information Security Act, LSI) on 1 April 2025, as adopted by Parliament on 29 September 2023. The LSI stipulates that authorities and organizations subject to the act, including companies in the sectors of energy supply, potable water supply, transport, and cantonal or municipal authorities, must report cyberattacks to the OFCS within 24 hours of detection. A cyberattack must be reported if it jeopardizes the functioning of the critical infrastructure, leads to the manipulation or leakage of information, or involves acts of blackmail, threats, or coercion. The law provides for fines if the reporting obligation is not met, but the relevant legal basis for fines will only come into effect on 1 October 2025 to allow authorities and organizations time to adapt to the new system. During the first six months, the reporting obligation applies without sanctions for non-compliance.

To simplify the process, the OFCS has prepared a special form on the platform created for information exchange with critical infrastructure operators. Organizations that do not have access to the platform can report via email using a form available on the OFCS website. If all required information cannot be provided within 24 hours, the deadline to complete the report is 14 days. Additionally, the Federal Council approved the Cybersecurity Ordinance (OCyS) with effect from 1 April 2025. The OCyS contains implementation rules for the reporting obligation, including exceptions under art. 74c of the LSI. It also includes provisions related to the national cyber strategy, the tasks of the OFCS, and the exchange of information between the OFCS, authorities, and organizations. The draft OCyS was consulted between 22 May and 13 September 2024 and received broad support to strengthen cybersecurity in Switzerland. Concerns were raised about the simplicity and harmonization of the reporting form with other reporting obligations, such as data protection. This request was accommodated, enabling the OFCS reporting form to quickly capture necessary information and transmit it to other authorities under reporting obligations, for example, the Federal Financial Market Supervisory Authority or the Federal Data Protection and Information Commissioner. Another ordinance concerns the renaming due to the transformation of the National Cybersecurity Center (NCSC) into a federal office within the DDPS, which will be enacted on 1 April 2025.

Version française

Le 7 mars 2025, le Conseil fédéral a décidé d'implémenter l'obligation de signaler les cyberattaques contre les infrastructures critiques à partir du 1er avril 2025. À partir de cette date, les opérateurs d'infrastructures critiques devront signaler les cyberattaques à l'Office fédéral de la cybersécurité (OFCS) dans les 24 heures suivant leur détection. Ces rapports permettront à l'OFCS d’aider les entreprises affectées à gérer les cyberattaques et d’alerter d'autres opérateurs d'infrastructures critiques à un stade précoce. L'augmentation de la menace posée par les incidents cybernétiques a conduit la Suisse à introduire cette obligation de signalement. Le Conseil fédéral a décidé d’adopter les modifications de la loi fédérale sur la sécurité de l'information au sein de la Confédération (LSI) à partir du 1er avril 2025, telles qu'adoptées par le Parlement le 29 septembre 2023.

La LSI stipule que les autorités et organismes soumis à la loi, y compris les entreprises des secteurs de l'approvisionnement en énergie, de l’approvisionnement en eau potable, des transports, ainsi que les autorités cantonales ou municipales, doivent signaler les cyberattaques à l’OFCS dans les 24 heures suivant leur détection. Une cyberattaque doit être signalée si elle met en péril le fonctionnement des infrastructures critiques, entraîne la manipulation ou la fuite d'informations, ou implique des actes de chantage, de menaces ou de coercition. La loi prévoit des amendes en cas de non-respect de l'obligation de signalement, mais la base légale pour les amendes n'entrera en vigueur que le 1er octobre 2025 afin de permettre aux autorités et aux organisations de s'adapter au nouveau système. Au cours des six premiers mois, l'obligation de signalement s'applique sans sanctions en cas de non-respect.

Pour simplifier le processus, l’OFCS a préparé un formulaire spécial sur la plateforme créée pour l'échange d'informations avec les opérateurs d'infrastructures critiques. Les organisations qui n'ont pas accès à cette plateforme peuvent signaler par courrier électronique en utilisant un formulaire disponible sur le site web de l’OFCS. Si toutes les informations requises ne peuvent être fournies dans les 24 heures, le délai pour compléter le signalement est de 14 jours. De plus, le Conseil fédéral a approuvé l'Ordonnance sur la cybersécurité (OCyS) avec effet au 1er avril 2025. L’OCyS contient des règles de mise en œuvre pour l'obligation de signalement, y compris des exceptions selon l'art. 74c de la LSI. Elle comprend également des dispositions relatives à la stratégie nationale de cybersécurité, les tâches de l’OFCS et l'échange d'informations entre l’OFCS, les autorités et les organisations. Le projet d’OCyS a été consulté entre le 22 mai et le 13 septembre 2024 et a reçu un large soutien pour renforcer la cybersécurité en Suisse. Des préoccupations ont été soulevées quant à la simplicité et à l'harmonisation du formulaire de signalement avec d'autres obligations de signalement, telles que la protection des données. Cette demande a été prise en compte, permettant au formulaire de signalement de l’OFCS de recueillir rapidement les informations nécessaires et de les transmettre à d'autres autorités soumises à des obligations de signalement, par exemple, l’Autorité fédérale de surveillance des marchés financiers ou le Préposé fédéral à la protection des données et à l’information.

Une autre ordonnance concerne le changement de nom dû à la transformation du Centre national de cybersécurité (NCSC) en un office fédéral au sein du DDPS, qui sera promulguée le 1er avril 2025.

BACKGROUND

On 7 March 2025, the Swiss Federal Council passed the Cybersecurity Ordinance (OCyS). The reporting obligation aligns with Switzerland's broader cybersecurity strategy. While the Information Security Act enacted in early 2024 laid the groundwork for stronger digital defenses, it did not include mandatory reporting of cyber attacks. 

The OCyS addresses this gap, with regulations shaped by a public consultation process that supported enhanced cybersecurity measures. Concerns about making reporting procedures simple and in line with existing obligations led to the design of the FOCS reporting form, which allows quick submission of necessary details and can forward information to relevant authorities upon request.

WHAT'S NEW?

Under the OCyS, operators of critical infrastructure in Switzerland are required to report cyber attacks to the Federal Office for Cyber Security (FOCS). This regulation was confirmed by the Swiss Federal Council to enhance national cybersecurity by ensuring quick responses to cyber threats. 

Entities subject to the Banking Act, the Insurance Supervision Act, and the Financial Infrastructure Act must report cyber incidents within 24 hours of detection. These incidents include those that endanger the operation of critical infrastructure, result in data manipulation or information leaks, or involve extortion, threats, or coercion. Reporting can be done via a dedicated form on the FOCS platform or through email. 

The OCyS specifies exemptions for organizations where cyber incidents would not directly impact economic stability or public welfare. These include small businesses with fewer than 50 employees and annual revenue or assets below CHF 10 million, municipal administrations serving fewer than 1,000 residents (unless they provide services related to election infrastructure), and cloud computing providers, search engine operators, and data centres headquartered in Switzerland, provided they offer services to third parties for compensation.

The Ordinance applied since 1 April 2025.

WHAT'S NEXT?

For the first six months, non-compliance will not be penalized, but from October 2025, fines will be imposed for failure to report incidents.

Recognizing that many companies remain uncertain about their reporting obligations, the Swiss government allows businesses to contact FOCS for clarification. Companies seeking exemption or inclusion must submit relevant documentation and reassess their obligations in case of significant operational changes. The FOCS has also categorized reportable cyber attacks to help businesses understand which incidents must be disclosed and when.

Version française

BACKGROUND

Le 7 mars 2025, le Conseil fédéral suisse a adopté l’Ordonnance sur la cybersécurité (OCyS). L’obligation de signalement s’inscrit dans le cadre de la stratégie nationale de cybersécurité de la Suisse. Bien que la Loi sur la sécurité de l’information, entrée en vigueur début 2024, ait posé les bases d’un renforcement de la défense numérique, elle n’intégrait pas de mécanisme obligatoire de notification des cyberattaques.

L’OCyS comble cette lacune. Élaboré à la suite d’une procédure de consultation publique favorable à un renforcement des mesures de cybersécurité, le texte tient compte des préoccupations relatives à la simplicité des procédures de signalement et à leur cohérence avec les obligations existantes. Il en résulte un formulaire mis à disposition par l’OFCS (Office fédéral de la cybersécurité) permettant une transmission rapide des informations essentielles, avec possibilité de les faire suivre aux autorités compétentes sur demande.

WHAT'S NEW?

En vertu de l’Ordonnance sur la cybersécurité (OCyS), les exploitants d’infrastructures critiques en Suisse sont tenus de signaler les cyberattaques à l’Office fédéral de la cybersécurité (OFCS). Cette réglementation, confirmée par le Conseil fédéral suisse, vise à renforcer la cybersécurité nationale en garantissant une réaction rapide face aux menaces numériques.

Les entités soumises à la Loi sur les banques, à la Loi sur la surveillance des assurances et à la Loi sur les infrastructures des marchés financiers doivent déclarer tout incident cybernétique dans un délai de 24 heures après sa détection. Sont concernés les incidents mettant en péril le fonctionnement d’une infrastructure critique, entraînant une manipulation de données, une fuite d’informations, ou impliquant un chantage, une menace ou une contrainte. La déclaration peut être effectuée via un formulaire dédié sur la plateforme de l’OFCS ou par courriel.

L’OCyS prévoit des exemptions pour les organisations dont les incidents cybernétiques n’auraient pas d’impact direct sur la stabilité économique ou le bien-être public. Cela inclut les petites entreprises de moins de 50 employés, avec un chiffre d’affaires annuel ou un total de bilan inférieur à 10 millions de CHF, les administrations communales desservant moins de 1 000 habitants (sauf si elles gèrent des services liés aux infrastructures électorales), ainsi que les prestataires de services de cloud, les moteurs de recherche et les centres de données ayant leur siège en Suisse, à condition qu’ils proposent leurs services à des tiers contre rémunération.

L’ordonnance est entrée en vigueur le 1er avril 2025.

WHAT'S NEXT?

Durant les six premiers mois d’application, aucune sanction ne sera imposée en cas de non-conformité. Toutefois, à partir d’octobre 2025, des amendes seront appliquées en cas de non-déclaration des incidents.

Conscientes que de nombreuses entreprises demeurent incertaines quant à leurs obligations en matière de déclaration, les autorités suisses autorisent les entités concernées à contacter l’OFCS pour obtenir des éclaircissements. Les entreprises souhaitant être exemptées ou incluses dans le champ d’application doivent soumettre la documentation pertinente et réévaluer leurs obligations en cas de modifications opérationnelles significatives.

L’OFCS a également établi une typologie des cyberattaques soumises à déclaration afin d’aider les entreprises à identifier les incidents devant être signalés et à quel moment.

On 11 March 2025, FINMA published a press release on the the status of licenses issued to portfolio managers and trustees.

Since the beginning of 2020, portfolio managers and trustees operating on a commercial basis have needed a licence from FINMA, which came into force with the Financial Institutions Act (FinIA). Most institutions subject to this new licensing requirement were granted a transitional period of three years. By the end of 2022, FINMA had received 1,699 applications, more than 94% of which were processed by the end of February 2025.

FINMA established high quality standards to protect investors from unfair business practices and strengthen the reputation of the Swiss financial centre. Despite recommendations to commence the licensing process in good time, over half of the applications were submitted in the last four months of the transitional period, many of poor quality, which delayed approvals. Of the 94 pending applications, around half are under investigation due to involvement in criminal proceedings.

As at 28 February 2025, FINMA approved 1,532 of the 1,864 applications submitted since the licensing requirement was introduced. Specifically, 1,428 out of 1,699 applications submitted by end-2022 and 104 out of 165 applications submitted from the beginning of 2023 were approved. About 8% of applications (131) were withdrawn by the institutions.

The licensed institutions have reported a number of changes requiring FINMA’s prior approval, with a total of 3,221 change requests received to date. FINMA expects around 1,700 change requests annually moving forward.

The two-tier supervisory model involves ongoing supervision, including auditing, by supervisory organisations (SOs) authorised and supervised by FINMA. If SOs identify irregularities they cannot remedy, they escalate the case to FINMA for further supervisory measures. The number of cases escalated to FINMA and the number of institutions under intensive supervision increased significantly in the second half of 2024.

Version française

Le 11 mars 2025, la FINMA a publié un communiqué concernant l’état des licences délivrées aux gestionnaires de portefeuille et trustees. Depuis le début de l’année 2020, les gestionnaires de portefeuille et trustees opérant à titre commercial doivent être titulaires d’une licence de la FINMA, entrée en vigueur avec la loi sur les institutions financières (FinIA). La plupart des institutions soumises à cette nouvelle exigence de licence ont bénéficié d’une période transitoire de trois ans. À la fin de l’année 2022, la FINMA avait reçu 1 699 demandes, dont plus de 94 % ont été traitées à la fin du mois de février 2025.  

La FINMA a établi des normes de haute qualité pour protéger les investisseurs contre les pratiques commerciales déloyales et renforcer la réputation du centre financier suisse. Malgré les recommandations de commencer le processus de licence à temps, plus de la moitié des demandes ont été soumises dans les quatre derniers mois de la période transitoire, dont beaucoup étaient de mauvaise qualité, ce qui a retardé les approbations. Parmi les 94 demandes en attente, environ la moitié sont en cours d’enquête en raison de procédures pénales.

Au 28 février 2025, la FINMA avait approuvé 1 532 des 1 864 demandes soumises depuis l'introduction de l'exigence de licence. Plus précisément, 1 428 des 1 699 demandes soumises avant la fin de l'année 2022 et 104 des 165 demandes soumises depuis le début de 2023 ont été approuvées. Environ 8 % des demandes (131) ont été retirées par les institutions.

Les institutions agréées ont signalé un certain nombre de changements nécessitant l'approbation préalable de la FINMA, avec un total de 3 221 demandes de changement reçues à ce jour. La FINMA s'attend à environ 1 700 demandes de changement par an à l'avenir.

Le modèle de supervision à deux niveaux implique une supervision continue, y compris des audits, par des organisations de surveillance (SO) autorisées et supervisées par la FINMA. Si les SO identifient des irrégularités qu'elles ne peuvent pas résoudre, elles escaladent le cas vers la FINMA pour des mesures de surveillance supplémentaires. Le nombre de cas escaladés vers la FINMA et le nombre d'institutions sous supervision intensive ont considérablement augmenté dans la seconde moitié de 2024.

On 10 March 2025, FINMA published the guidance for audit firms of banks, securities firms, and financial groups on conducting prudential audits. This guide aims to assist in using investigation forms for risk analysis, standard audit strategy, and prudential audit reports. It also provides additional principles and directives for conducting audits. Built on the Supervisory Audit Ordinance of 31 October 2024 (SR 956.161.1) and FINMA Circular 2025/1 "Audit Activities," the guide provides templates via FINMA’s electronic submission and request platform (EHP), which audit firms must use for inputting risk analyses, audit strategies, and prudential audit reports. These forms are electronically submitted through the EHP. For single institution audits, only the "individual level" section is filled out, while audits involving parent structures require additional documentation such as AML investigation forms, group structure diagrams showing participation percentages, and organizational charts indicating responsible persons by business area or department. The guide includes legal foundations for basic audits, a periodic overview of audit requirements, and specifies audit coverage according to Articles 30 and 32 of the Supervisory Audit Ordinance. Standardized audit points apply to some areas, and audit firms must justify any deviations from these points in their working papers.

Version française

Le 10 mars 2025, la FINMA a publié des lignes directrices pour les sociétés d’audit de banques, d’entreprises de valeurs mobilières et de groupes financiers sur la réalisation d’audits prudentiels. Ce guide vise à aider à l’utilisation des formulaires d’enquête pour l’analyse des risques, la stratégie d’audit standard et les rapports d’audit prudentiels. Il fournit également des principes et directives supplémentaires pour la réalisation des audits. Basé sur l’ordonnance d’audit de supervision du 31 octobre 2024 (SR 956.161.1) et la circulaire FINMA 2025/1 « Activités d’audit », le guide fournit des modèles via la plateforme de soumission et de demande électronique de la FINMA (EHP), que les sociétés d’audit doivent utiliser pour saisir les analyses de risques, stratégies d’audit et rapports d’audit prudentiels.

Ces formulaires sont soumis électroniquement par l'intermédiaire de l'EHP. Pour les audits portant sur un seul établissement, seule la section "niveau individuel" est remplie, tandis que les audits impliquant des structures mères nécessitent des documents supplémentaires tels que des formulaires d'enquête AML, des diagrammes de structure de groupe indiquant les pourcentages de participation, et des organigrammes indiquant les personnes responsables par domaine d'activité ou par département. Le guide comprend les fondements juridiques des audits de base, un aperçu périodique des exigences en matière d'audit et précise la couverture de l'audit conformément aux articles 30 et 32 de l'ordonnance sur l'audit de surveillance. Des points d'audit standardisés s'appliquent à certains domaines, et les cabinets d'audit doivent justifier tout écart par rapport à ces points dans leurs documents de travail.

On 19 March 2025, FINMA published the new Circular 2025/4 “Consolidated supervision of financial groups under the BA and FinIA,” which details its supervisory practice regarding the scope and content of consolidated supervision. The circular aims to provide clarity on the interpretation of the scope and content of consolidated supervision of financial groups under the Banking Act and the Financial Institutions Act. The primary purpose is to ensure that all risks undertaken by a financial group are covered by supervision. Previously, the supervisory practice was communicated on a case-by-case basis, but the circular solidifies this practice.

The circular specifies requirements for including group companies in consolidated supervision, focusing on their activities in the financial sector and the existence of economic or legal obligations (Art. 3c para. 1 BA). Activities in the financial sector encompass the provision and intermediation of financial services and are not limited to those requiring a license or registration under Swiss financial market legislation. Inclusion in the regulatory scope of consolidation is independent of legal form, covering entities like special purpose vehicles if they meet the criteria.

Based on provisions of the Banking Ordinance (Art. 24 BO), consolidated supervision includes both quantitative and qualitative aspects, including elements of corporate governance at the group level. The circular will come into effect on 1 July 2025.

Version française

Le 19 mars 2025, la FINMA a publié la nouvelle circulaire 2025/4 » Surveillance consolidée des groupes financiers au sens de la LB et de la LFINMA ", qui détaille sa pratique de surveillance concernant l'étendue et le contenu de la surveillance consolidée. La circulaire vise à clarifier l'interprétation de l'étendue et du contenu de la surveillance consolidée des groupes financiers selon la loi sur les banques et la loi sur les établissements financiers. L'objectif principal est de s'assurer que tous les risques encourus par un groupe financier sont couverts par la surveillance. Auparavant, la pratique de surveillance était communiquée au cas par cas, mais la circulaire renforce cette pratique.

La circulaire précise les conditions d'inclusion des sociétés du groupe dans la surveillance consolidée, en mettant l'accent sur leurs activités dans le secteur financier et sur l'existence d'obligations économiques ou juridiques (art. 3c al. 1 BA). Les activités du secteur financier englobent la fourniture et l'intermédiation de services financiers et ne se limitent pas à celles qui requièrent une autorisation ou un enregistrement en vertu de la législation suisse sur les marchés financiers. L'inclusion dans le champ réglementaire de la consolidation est indépendante de la forme juridique, et couvre des entités telles que les structures d'accueil si elles remplissent les critères.

Sur la base des dispositions de l'ordonnance sur les banques (art. 24 BO), la surveillance consolidée comprend à la fois des aspects quantitatifs et qualitatifs, y compris des éléments de gouvernance d'entreprise au niveau du groupe. La circulaire entrera en vigueur le 1er juillet 2025.

On 3 March 2025, the United Kingdom published the Register of Overseas Entities (Protection and Trusts) (Amendment) Regulations 2025.

These Regulations make provision relating to the register of overseas entities (“the ROE”) kept by the registrar of companies for England and Wales (“the registrar”) in accordance with Part 1 of the Economic Crime (Transparency and Enforcement) Act 2022 (c. 10). The provisions relate to the protection of information, the disclosure of trust information and additional required information from overseas entities and registrable beneficial owners which are legal entities.

Part 2 amends the Register of Overseas Entities (Delivery, Protection and Trust Services) Regulations 2022 (S.I. 2022/870) to allow for anyone to make an application for protection whose information could be published or disclosed by the registrar under ROE. This is because Part 3 will allow for information about trusts to be disclosed which could not otherwise be. Regulation 3(2)(a) and (b) allows for a wider range of people to make an application and regulation 6 includes additional grounds under which an application for protection may be made. Part 2 also removes reference to “specified public authorities” in the 2022 Regulations as this has been superseded by section 25(6) of the Economic Crime (Transparency and Enforcement) Act 2022, which was substituted by section 168 of the Economic Crime and Corporate Transparency Act 2023 (c. 56).

Part 3 allows for anyone to apply to the registrar for disclosure of trust information. Regulation 4(2) imposes a condition that applicants have to demonstrate they have a legitimate interest, set out in regulation 4(3)(f), if they want to make a bulk application or if the information relates to minors. Regulation 4(3) sets out the information that needs to be included in an application. Regulation 4(4) allows for the registrar to tell an applicant that they need to satisfy the condition in regulation 4(2). This is because an applicant may not know when first making the application that it would result in the disclosure of information relating to minors. Regulation 4(5) sets out the reasons the registrar may refuse an application and regulation 4(8) states that the registrar may impose conditions relating to the disclosure.

These Regulations come into force on 28 February 2025, except for Part 3 which comes into force on 31 August 2025.

On 7 March 2025, the FCA published review and good practice and areas for improvement on firms' treatment of customers in vulnerable circumstances.

The FCA conducted a comprehensive review to assess how firms are supporting customers in vulnerable circumstances and to determine if the existing guidance remains appropriate. This process involved gathering data on actions taken by firms, understanding the outcomes experienced by these customers, and obtaining various stakeholders' perspectives. Interviews with experts in vulnerability and financial services, as well as both quantitative and qualitative consumer research, played a critical role. The FCA also analyzed Financial Lives survey data alongside responses from firms.

The findings showed that many firms had indeed taken positive action and made good progress in supporting customers in vulnerable circumstances. These actions were reflected in firms' changing attitudes, cultures, and heightened awareness regarding vulnerability. Consumers reported good examples of firms responding flexibly to meet their needs and providing tailored support.

However, despite these positive changes, the review also highlighted areas that still need improvement. These include products and services, outcomes monitoring, and guidance on data-monitoring methods and measurable outcomes. The FCA noted that the current guidance cannot cover all possible scenarios, but suggested that additional case studies for specific sectors and for treating customers with specific vulnerability characteristics would be beneficial. Furthermore, more detailed guidance on how to handle customers who do not disclose their vulnerability, whether detectable by firms or not, was recommended.

Additionally, findings from the Financial Lives survey indicated that consumers in vulnerable circumstances, particularly those with multiple characteristics of vulnerability, continue to experience poorer outcomes compared to other consumers. External factors such as coronavirus and increases in the cost of living were acknowledged as possibly impacting these outcomes, though the review was unable to measure these impacts directly.

The FCA concluded that while the existing guidance remains useful and should not be revised, firms can benefit from more case studies and practical examples to better support vulnerable customers. The Consumer Duty was recognized as complementary to the Guidance, reinforcing the importance of focusing on vulnerability and driving positive change in firms' approaches. The FCA expressed its commitment to working with firms to ensure continuous improvement and better outcomes for consumers in vulnerable circumstances.

On 5 March 2025, the FCA released a multi-firm review on private market valuation practices. 

The UK remains the largest center for private market asset management in Europe, offering diversification and new sources of return. Asset managers are investing in private market capabilities due to rising demand. Supporting the UK's status as an international investment hub and fostering growth is a priority for the FCA. Robust valuation practices ensure fairness and confidence in private markets.

The review assessed firms' valuation processes and governance, including checks and balances to mitigate risks and harm to investors. Firms typically use Level 3 inputs as defined by IFRS 13 and ASC 820 for fair value estimates. The review had two phases: a questionnaire in Phase 1 and an in-depth review in Phase 2 through document requests and on-site visits. The findings are relevant to asset managers, AIFMs, investment and portfolio managers, advisers, and other stakeholders.

Good Practices:

Clear Objectives and Governance: All Phase 2 firms outlined valuation process objectives to ensure assets are appropriately valued and established roles, responsibilities, and governance arrangements.

Valuation Policies: Firms documented valuation policies, including methodologies and relevant investment strategies.

Use of Established Methodologies: Firms used another established methodology as a sense check.

Periodic Review: Firms performed periodic reviews of policies and procedures.

Independent Fairness Opinions: Firms obtained independent fairness opinions for the transfer price when moving assets to continuation funds.

Transparency: Firms managing NAV financing noted the scrutiny that lenders gave to valuations as a control over conflicts.

Actions for Firms:

Valuation Methodologies and Sense Checks: Firms should apply valuation methodologies consistently with clear rationales and incorporate established methodologies as a sense check.

Governance and Record-Keeping: Firms should have robust governance arrangements, including valuation committees and detailed record-keeping of valuation decisions.

Transparency and Disclosure: Firms should adopt practices to enhance transparency and reporting, disclosing the nature, strengths, and limitations of third-party services used in valuations.

Conflicts of Interest: Firms should meticulously manage potential conflicts in the valuation process, ensuring functional independence and robust control over valuation-related conflicts.

Engagement and Reporting: Firms should enhance investor engagement by increasing transparency on valuations, including both qualitative and quantitative information.

Third-Party Valuation Services: Firms should oversee third-party valuation advisers appropriately and manage potential commercial conflicts, retaining responsibility for valuation decisions.

Ad Hoc Valuations: Firms should define processes for ad hoc valuations to mitigate the risk of stale valuations, specifying thresholds and events that trigger ad hoc valuations.

Automated Valuation Software: Firms should introduce automated third-party valuation software to improve consistency and reduce the risk of human error

On 18 March 2025, the UK Government announced Preliminary Market Engagement Exercise for the Digital Gilt Instrument (DIGIT) Pilot.

HMT has published additional information, engagement questions and has issued a Preliminary Market Engagement Notice through the contract finder service. This provides further information on the scope of the DIGIT pilot and seeks views from potential suppliers including the financial services sector, to inform the development and delivery of DIGIT.

In November 2024, the Chancellor of the Exchequer announced at Mansion House the launch of a pilot Digital Gilt Instrument (DIGIT) issuance, leveraging cutting-edge distributed ledger technology (DLT). This announcement was followed by a Written Statement to Parliament, outlining further details of the issuance and highlighting the Government’s commitment to engaging with the sector in 2025.

The announcement represents the first step of the Government’s work with the sector towards achieving a successful DIGIT issuance. This exercise will allow the Government to understand the current landscape of services available, or in development, in the UK, as well as to gain insight into what potential investors want to see from a DIGIT issuance to help inform HMT’s commercial strategy.

DIGIT will support the Government’s commitment to maintain the UK as a world-leading and global financial centre. As other financial hubs explore DLT, the potential for significant growth in this area is clear. By launching now, the Government is positioning the UK financial services sector to take advantage of this opportunity.

The pilot is seeking to:

• Enable the Government to explore how DLT can be applied to UK sovereign debt issuance processes.
• Catalyse the development of UK based DLT infrastructure and the adoption of DLT across UK financial markets.

HMT and the DMO are seeking responses to the questions in the Preliminary Market Engagement Notice by 13 April 2025.

On 17 March 2025, the UK Government published a new approach to ensure regulators and regulation support growth.

The Government will overhaul its regulatory system so that it:

• Supports growth.
  The Government wants a regulatory system that not only protects consumers and supports competition, but also encourages new investment, innovation, and growth. When regulation is designed well, and implemented well by regulators, it can protect consumers while supporting investment and growth. Regulators also have an important role in delivering international regulatory cooperation which also supports UK's international objectives.
• Is targeted and proportionate.
  The Government should regulate only where necessary and allow space for discretion and good behaviour. In most cases, businesses operate in a responsible and sensible manner. The current regulatory system too often focuses on regulations and regulatory practices designed to prevent a few bad actors, or very low probability events, rather than trusting and helping most businesses that want to comply.
• Is transparent and predictable.
  To foster the certainty essential for investment, it is vital that UK's regulatory regime is stable, predictable and consistent. Regulation will need to change where it is not fit for purpose; but the Government must be clear about where that is the case and give business the necessary time to adapt to new rules.
• Adapts to keep pace with innovation.
  The Government's approach to regulation must allow the UK to take advantage of new technologies and innovations, including artificial intelligence, digitalisation, decarbonisation and increased automation. Effective regulation can create the environment and clarity for innovation to take place. Regulators attuned to the challenges facing business should also be able to adapt to new industries and to the challenges posed by new technologies and avoid disproportionate risk averse behaviour.

This Action Plan sets out the next steps to the Government's approach, alongside a range of pledges from regulators to support this effort. It will enable a regulatory system that supports innovation and economic growth while ensuring accountability for the quality of regulations introduced, as well as the way in which independent regulators implement and enforce them.

In addition to the immediate actions in this Action Plan, realising this vision means making real, system-wide reforms over the course of the Parliament that focus on: simplifying the structure of the system; ensuring regulation is proportionate and at a minimum cost for business; driving regulator performance and capability, as well as ensuring accountability is robust; and making sure that the purpose and duties of all the regulators are clear, so they are empowered to focus on what matters.

The Government also continues to recognise the importance of economic regulation for the growth mission, and are continuing to assess the effectiveness of the UK’s overall approach in delivering essential infrastructure and investment.

On 25 March 2025, the FCA published a 5-year strategy to support growth and improve lives.

The FCA will focus on 4 priorities:

• Be a smarter regulator; predictable, purposeful and proportionate. The FCA will improve its processes and embrace technology to become more efficient and effective.
• Support sustained economic growth, by enabling investment, innovation and ensuring the continued competitiveness of the UK’s world-leading financial services.
• Help consumers navigate their financial lives by working with industry to boost trust, product innovation and ensuring the right information and support is available for people to take financial decisions.
• Fight financial crime, focusing on those who seek to use the fact they are regulated to do harm. It will go further to disrupt criminals and support firms to be an effective line of defence.

The strategy sets out how the FCA will change how it supervises to be more efficient. This includes taking a less intensive approach for those firms seeking to do the right thing, significantly streamlining how it sets its supervisory priorities, and reviewing whether it can stop requiring certain data returns. It will also digitise and simplify the authorisation processes so it is easier and quicker to apply, the information received is better quality and follow-up requests are reduced.

The regulator also plans to invest in its technology, people and systems. It will support its people to build their digital capability and adopt new approaches to allow it to better handle the 100,000 cases it assesses every year. This will enable it to act faster and more assertively where harm is greatest.

As the FCA integrates the Payment Systems Regulator and many of its functions, it will build on the success of Open Banking and launch Open Finance. This will allow for more seamless data-sharing which could unlock product innovation and deliver lower costs, more choice and better information for consumers.

The new strategy builds on the FCA’s achievements over the course of its previous 3-year strategy. These include making the biggest changes to the listing regime in over 3 decades so it’s easier for companies to raise money, introducing the Consumer Duty to set higher standards of consumer protection, authorising firms that meet the regulator’s high standards more quickly, and keeping more potentially harmful firms out of financial services.

On 12 March 2025, the IOSCO published a report on AI in capital markets - use cases, risks, and challenges.

In 2021, IOSCO released a report addressing the use of AI by market intermediaries and asset managers.  The 2021 AI Report identified key potential risks related to AI and included guidance to assist IOSCO members in supervising market intermediaries and asset managers that use AI. The 2021 AI Report highlighted the transformative nature of AI technologies relating to investment strategies, operational efficiency, and the development of new financial products. It also identified key AI-related challenges that IOSCO members may face, including with respect to governance and oversight; algorithm development, testing, and ongoing monitoring; data quality and bias; transparency and explainability; outsourcing; and ethical concerns. In its 2021 AI Report, IOSCO published six measures that reflect expected standards of conduct by market intermediaries and asset managers using AI (Annex I). The 2021 IOSCO AI Report was the most comprehensive IOSCO publication to date that discusses the potential risks, issues, and challenges posed by AI systems in the financial sector. However, it is not the sole IOSCO publication that may relate to the use of AI technologies in the financial sector. Other IOSCO publications also discuss AI-related topics as they relate to outsourcing, robo-advisory services, and investor education, among other topics (Annex II).

Since the publication of the 2021 AI Report, the landscape of AI systems in financial products and services has continued to evolve, enabled by innovations and developments in theory, hardware, software, algorithmic efficiency, compute power, data, and end-user applications. Among other advancements in AI technologies have been the emergence of significant foundation models and large language models (LLMs).

Since the publication of the 2021 AI Report, the landscape of AI systems in financial products and services has continued to evolve, enabled by innovations and developments in theory, hardware, software, algorithmic efficiency, compute power, data, and end-user applications. Among other advancements in AI technologies have been the emergence of significant foundation models and large language models (LLMs).

Section IV of the Report details risks, challenges, and other issues associated with AI technologies— building on a similar discussion from the 2021 AI Report. In particular, this section focuses primarily on recent advancements in AI, and outlines what these developments may mean for investor protection, market integrity, and financial stability.

Section V analyzes how certain market participants are approaching the development, deployment, and maintenance of AI systems, and how recent advancements in AI are impacting certain market participants’ considerations for policies, procedures, and controls around their use of AI. Section V also identifies certain risk management and governance principles that are emerging in the industry from these observations.

In Section VI, the Report provides an overview of surveyed IOSCO members’ existing and proposed responses to the use of AI systems in the financial sector, along with specific examples of IOSCO members’ responses. The section also examines efforts by regulators to assess the resources and skills required to analyze and supervise market participants’ uses of AI. The section also outlines actions taken by IOSCO members to address the use of AI by market participants by enforcing existing rules and regulations. The section reports primarily on the results of IOSCO’s information-gathering efforts; however, this Report does not endorse a particular approach, nor does it make policy recommendations.

The Report concludes in Section VII by noting considerations and areas of potential future exploration by IOSCO to best address the issues, risks, and challenges identified in the Report.

On 6 March 2025, the International Capital Markets Association (ISDA) updated its Guide to Best Practice in the European Repo Market.

The European Repo and Collateral Council (ERCC) Guide is a flagship document for ICMA and provides detailed guidance, best practice recommendations, and clarifications that are intended to support the well-organised trading and settlement of repos. Comprising 170 pages, the ERCC Guide is among the most substantial and well-established industry self-regulatory guidance across the entire financial market.

By setting standards and best practices, the Guide helps to avoid uncertainty and disagreements among market participants, helping to foster a more efficient and orderly repo market in Europe and beyond.

This latest document reflects in-depth discussions and consultations with ERCC members which led to updates in several key areas of best practice including:

• Resilience and recovery of trading and post-trading infrastructure.
• The impact of CSD and SSS outages.
• Template agreement for bilateral pair-offs.
• Sanctions.
• Cancellation of trades made in error on automatic trading systems.
• Making prices on automatic trading systems.
• Off-market prices on automated (RFQ) trading systems.
• Repo portfolio transfers between LDI pension fund managers.
• Buy-outs of LDI repo portfolios.