On 28 May 2025, the EU publishes Commission Regulation (EU) 2025/1047 of 27 May 2025 amending Regulation (EU) 2023/1803 as regards International Financial Reporting Standard 9 and International Financial Reporting Standard 7.

By Commission Regulation (EU) 2023/1803 certain international accounting standards and interpretations that were in existence on 8 September 2022 were adopted.

On 30 May 2024, the International Accounting Standards Board issued certain amendments to International Financial Reporting Standard 9 Financial Instruments (‘IFRS 9’) and International Financial Reporting Standard 7 Financial Instruments: Disclosures (‘IFRS 7’). The objective of those amendments was to address some of the findings from the 2022 post-implementation review of the classification and measurement requirements in IFRS 9 and to respond to stakeholders’ request to the IFRS Interpretations Committee.

Those amendments clarify the classification of financial assets with environmental, social and governance (‘ESG’) and similar features and the settlement of liabilities through electronic payment systems. Those amendments also impose disclosure requirements to increase transparency for investors in relation to investments in equity instruments measured at fair value through other comprehensive income (‘FVOCI’) and financial instruments with contingent features, such as features tied to ESG-linked targets.

Following a consultation with the European financial reporting advisory group EFRAG, the Commission has concluded that the amendments to IFRS 9 and IFRS 7 meet the conditions for adoption set out in Article 3(2) of Regulation (EC) No 1606/2002. EFRAG has also concluded that the benefits of those amendments outweigh the costs involved.

Regulation (EU) 2023/1803 should therefore be amended accordingly.

The measures provided for in this Regulation are in accordance with the opinion of the Accounting Regulatory Committee.

This Regulation enters into force on 17 June 2025.

On 12 May 2025, the EC published analysis of stakeholder feedback on AI definitions and prohibited practices public consultations.

The Commission published a report, prepared by the Centre for European Policy Studies (CEPS) for the EU AI Office, analysing stakeholder feedback from two recent public consultations.

These consultations focused on two AI Act regulatory obligations - the definition of AI systems and prohibited AI practices – which have been in application since 2 February 2025. 

The Commission drew on both these public consultations and other sources of feedback to draft its non-binding guidelines on prohibited practices and definition of AI systems, aimed at assisting providers and stakeholders in the effective application of the AI Act.   

The report presents a comprehensive analysis of responses to each of the 88 questions of the stakeholder consultation, organised into nine key sections. It shows that industry stakeholders accounted for the majority of responses to the public consultation (47.2% of nearly 400 replies), while citizen participation remained limited (5.74%). Respondents called for clearer definitions of technical terms such as "adaptiveness" and "autonomy", cautioning against the risk of inadvertently regulating conventional software. 

The guidelines on prohibited practices specifically address areas such as harmful manipulation, social scoring, and real-time remote biometric identification, and include legal clarifications and practical examples to support stakeholder understanding and compliance with the AI Act. 

Among other findings, the report highlights that prohibited practices - such as emotion recognition, social scoring, and real-time biometric identification - occasioned significant concern. Stakeholders called for concrete examples of what is prohibited and what not. 

By issuing guidelines on the AI system definition, the Commission aims to assist providers and other relevant persons in determining whether a software system constitutes an AI system to facilitate the effective application of the rules.? 

On 16 May 2025, the EBA repealed its Guidelines on specification of types of exposures to be associated with high risk due to the application of the new capital requirement regulation (CRR 3). The repeal of the Guidelines aims at providing legal certainty to the market. 

The Guidelines were published on the 15th of March 2019, as mandated per CRR article 128 last sub-paragraph. They clarified which exposures should be considered as “high risk exposures”. Given that this exposure class no longer exists in CRR 3, as Article 128 now only refers to ‘subordinated debt exposures’, the Guidelines are no longer applicable.

On 7 May 2025, the ESMA published final report on the technical advice concerning MAR and MiFID II SME GM.

This final report contains ESMA’s assessment and feedback received to the CP published in December 2024 on the disclosure of inside information in a protracted process, on situations of contrast between inside information to be delayed and the issuer's latest communications and on the requirements to be registered as an SME GM under Article 33 of MiFID II. 

The final report starts with an introduction in Section 3 which provides information on the Listing Act and the Commission request to ESMA for technical advice. Section 4 covers the technical advice dedicated to MAR, and Section 5 the technical advice relating to MiFID and SMEs GMs. 

The section on the MAR technical advice includes an introduction covering the changes brought to MAR and covers the disclosure of inside information in a protracted process, the conditions for delaying disclosure of inside information, including cases of conflict with previous public announcements, and the methodology and preliminary findings for identifying trading venues with significant cross-border activity for CMOB implementation. 

Following the introduction containing the background and the mandate, the section on MiFID provides technical advice on conditions for MTFs or their segments to qualify as SME GMs, reviewing relevant legal provisions and suggesting targeted adjustments to MiFID II.

On 6 May 2025, the EP adopted text on Amending Regulation (EU) 2016/1011 as regards the scope of the rules for benchmarks, the use in the Union of benchmarks provided by an administrator located in a third country, and certain reporting requirements.

European Parliament legislative resolution of 6 May 2025 on the Council position at first reading with a view to the adoption of a regulation of the European Parliament and of the Council amending Regulation (EU) 2016/1011 as regards the scope of the rules for benchmarks, the use in the Union of benchmarks provided by an administrator located in a third country, and certain reporting requirements.

• Approves the Council position at first reading;
• Notes that the act is adopted in accordance with the Council position;
• Instructs its President to sign the act with the President of the Council, in accordance with Article 297(1) of the Treaty on the Functioning of the European Union;
• Instructs its Secretary-General to sign the act, once it has been verified that all the procedures have been duly completed, and, in agreement with the Secretary-General of the Council, to arrange for its publication in the Official Journal of the European Union;
• Instructs its President to forward its position to the Council, the Commission and the national parliaments.

On 19 May 2025, the EU published Regulation (EU) 2025/914 of the European Parliament and of the Council of 7 May 2025 amending Regulation (EU) 2016/1011 as regards the scope of the rules for benchmarks, the use in the Union of benchmarks provided by an administrator located in a third country, and certain reporting requirements. 

Reporting requirements play a key role in ensuring proper monitoring and correct enforcement of legislation. It is therefore important to streamline those requirements in order to limit the administrative burden and to ensure that they fulfil the purpose for which they were intended.

Under Regulation (EU) 2016/1011 of the European Parliament and of the Council, all administrators of benchmarks, regardless of the systemic relevance of those benchmarks or the amount of financial instruments or contracts that use those benchmarks as reference rates or as performance benchmarks, are to comply with very detailed requirements, including requirements on their organisation, on governance and conflicts of interest, on oversight functions, on input data, on codes of conduct, on reporting of infringements, and on disclosures related to the methodology used and the benchmark statement. Those requirements have put a disproportionate regulatory burden on administrators of smaller benchmarks in the Union considering the aims of Regulation (EU) 2016/1011, i.e. to safeguard financial stability and to avoid negative economic consequences that result from the unreliability of benchmarks. It is therefore necessary to reduce that regulatory burden by focusing on those benchmarks that have the greatest economic relevance for the Union market, i.e. significant and critical benchmarks, and on those benchmarks that contribute to the promotion of key Union policies, i.e. EU Climate Transition and EU Paris-aligned Benchmarks. For that reason, the scope of application of Titles II, III, IV, V and VI of Regulation (EU) 2016/1011 should be reduced to those specific benchmarks. However, the specific provisions in Articles 23a, 23b and 23c serve the purpose of ensuring legal certainty and economic stability where a benchmark is being wound down and should therefore remain applicable to all benchmarks.

Administrators that would be excluded from the scope of application of Regulation (EU) 2016/1011 following the amendments introduced by this amending Regulation and that wish to opt into the regime should be allowed to make a reasoned request to their competent authority to designate one or more of the benchmarks that they offer as significant. That request should provide the competent authority with sufficient information to assess whether the benchmark meets the requirements for designation as significant under the opt-in regime. Where the information provided in the request is inaccurate or misleading, the authority should refuse to designate the benchmark concerned. Administrators of benchmarks that have been authorised to opt in should comply with all the requirements applicable to administrators of significant benchmarks set out in Regulation (EU) 2016/1011.

To ensure that benchmark administrators have sufficient time to adapt to the requirements that apply to significant benchmarks, they should only be subject to those requirements as from 60 working days from the date they submitted such a notification. In addition, benchmark administrators should, upon the request of the competent authority concerned or ESMA, provide that authority or ESMA with all the information necessary to assess the benchmark’s aggregate use in the Union.

In order to ensure a seamless transition to the application of the rules introduced under this amending Regulation, existing registrations, authorisations, recognitions or endorsements of administrators currently supervised under Regulation (EU) 2016/1011 should remain valid for 9 months from the date of application of this amending Regulation. That period is intended to give competent authorities and ESMA sufficient time to decide whether any of the currently supervised administrators should be considered to be an administrator of benchmarks designated in accordance with this amending Regulation. If that is the case, administrators previously authorised, registered, endorsing or recognised, or administrators of benchmarks that are designated upon request, should be allowed to retain their previous status without the need to reapply. Administrators of significant benchmarks should, in any case, be allowed to retain their status as authorised, registered, endorsing or recognised benchmark administrators. If not designated, existing authorisation, registration, recognition or endorsement holders should have the legal certainty that the designation period has lapsed and that their names can safely be removed from the ESMA register, while supervised entities will be able to continue to use these indices. Non-designation within this 9-month designation period also implies that a competent authority is no longer obliged to maintain an existing authorisation, registration, recognition or endorsement.

This Regulation enters into force on 8 June 2025.

On 22 May 2025, the EU published Commission Delegated Regulation (EU) 2025/1003 of 24 January 2025 supplementing Regulation (EU) No 600/2014 of the European Parliament and of the Council as regards OTC derivatives identifying reference data to be used for the purposes of the transparency requirements laid down in Article 8a(2) and Articles 10 and 21.

Identifying reference data should enable market participants and competent authorities to identify OTC interest rate swaps and OTC credit default swaps for the purposes of the transparency requirements laid down in Article 8a(2), and Articles 10 and 21 of Regulation (EU) No 600/2014.

To identify OTC interest rate swaps that do not conform to the standard business terms associated with their underlying reference rates, identifying reference data should also allow for a determination of the business day adjustment convention, the fixing lag, the payment calendar and that the contract comprises no additional payments.

To allow for alignment between this Regulation and the Delegated Regulation adopted pursuant to Article 27(3) of Regulation (EU) No 600/2014 and to provide market participants and competent authorities with enough time to put in place the measures needed to comply with the requirements on reference data, OTC interest rate swaps and OTC credit default swaps should be identified with the identifying reference data set out in this Regulation from 1 September 2026.

Article 27da(1), fourth subparagraph, of Regulation (EU) No 600/2014 requires ESMA to initiate the selection procedure for the appointment of a single consolidated tape provider for OTC derivatives or relevant subclasses of OTC derivative within 3 months of the date of application of this Regulation and no earlier than 6 months from the initiation of the selection procedure for the appointment of a single consolidated tape provider for shares and exchange-traded funds. To ensure the timely launch of the selection procedure for the appointment of a single consolidated tape provider for OTC derivatives or relevant subclasses of OTC derivative, this Regulation should start to apply from the date of its entry into force.

This Regulation enters into force on 11 June 2025.

On 21 May 2025, the ESMA published consultation on the retail investor journey - understanding retail participation in capital markets.

The purpose of this Call for Evidence is to gather input from stakeholders on key aspects of the investor journey, particularly the MiFID II regulatory requirements that impact retail investors when engaging with capital markets. The CfE seeks to assess whether these requirements effectively support investor protection while also ensuring accessibility and ease of engagement. 

ESMA is particularly interested in understanding whether certain disclosure, suitability and appropriateness requirements - as designed or implemented - may create unintended obstacles for retail investors. While robust investor protection measures are essential, it is important to assess whether they remain effective and proportionate, especially in a digitalised investment environment. 

This paper is primarily addressed to investor and consumer organisations, which play an important role in representing retail investors’ interests. Their insights will help assess how investors experience these regulatory requirements in practice and whether any aspects of the process discourage participation in financial markets. The paper is also relevant to investment firms, credit institutions, and other entities subject to MiFID II, as well as to trade associations and other stakeholders involved in financial regulation, investor education, and retail investment market developments.

The Consultation closes on 21 May 2025.

On 14 May 2025, the EBA updated Report on the monitoring of the liquidity coverage ratio and net stable funding ratio in the EU.

This update is necessary in light of the banking turmoil experienced in March 2023, which highlighted the need for enhanced supervision of various liquidity aspects resulting from the change in the interest rate environment and related trends in deposit behaviour and concentrations.

In particular, this Report provides further clarification for the recognition in the LCR calculation of LCR inflows from open reverse repos without a maturity date within 30 days, following Q&A 2024_7053 (published on 3 May 2024). It builds on two approaches, the first of which builds on the occurrence of a trigger event to terminate the transaction, and the second one on historical experience. The Report also considers how recently, in some banks, operational deposits increased while excess operational deposits decreased, and how the interest rate environment changed. In this context, the Report supplements the guidance provided in the EBA’s 2019 Report on identifying operational deposits, the characteristics of the operational deposit trade cycle, and the material penalty for retail term deposits.

Lastly, an Addendum to the EBA’s 2023 Report on interdependent assets and liabilities in the NSFR is also included. It clarifies regulatory expectations regarding indirect client clearing activities, where affiliated institutions rather than an IPS structure – which is already covered in the 2023 Report – are involved.

On 5 May 2025, the EU published Commission Delegated Regulation (EU) 2025/855 of 28 January 2025 amending the regulatory technical standards laid down in Delegated Regulation (EU) 2021/931 as regards the specification of the formula for calculating the supervisory delta of call and put options mapped to the commodity risk category.

According to Article 279a(3), point (a), of Regulation (EU) No 575/2013, the formula that institutions are to use to calculate the supervisory delta of call and put options mapped to the commodity risk category compatible with market conditions in which commodity prices may be negative should also be specified in accordance with international regulatory developments, complementing the similar formula for call and put options mapped to the interest rate risk category.

Changes are related to the: 

• Article 4;
• Article 5.

The regulation enters into force on 25 May 2025.

On 23 May 2025, the EBA updated its Q&A on CRD.

The question contained in the update is as follows:

May or shall a competent or a designated authority from a Member State, that recognises a systemic risk buffer rate set by another Member State in accordance with Article 133 of the CRD, require its domestically authorised institutions to apply that rate on a consolidated basis, covering all exposures targeted by the recognised systemic risk buffer held through subsidiaries, branches or through cross-border lending, in accordance with Article 134 of the CRD ? Does the legal framework permit or require that exposures of domestically authorised institutions held through subsidiaries located in the Member State that sets the buffer rate as well as in other Member States are also included in the scope of recognition?

The recognition of a systemic risk buffer (SyRB) is primarily governed by Article 134(1) CRD, according to which “other Member States may recognise a systemic risk buffer rate set in accordance with Article 133 and may apply that rate to domestically authorised institutions for exposures located in the Member State that sets that rate.” Under this voluntary recognition framework established by Art.134 CRD, the national authorities of a Member State are granted the discretion to recognize a SyRB set by another Member State, by requiring domestically authorised institutions to apply that rate. The text of Article 134(1) of the CRD should nevertheless be read in conjunction with Article 133(4) of the CRD, which explicitly indicates that a SyRB can be applied on an individual, sub-consolidated or consolidated basis, as decided by the relevant authority designated in accordance with Art.133. Accordingly, the recognition of a SyRB follows the same regime and enables the designated authorities of other Member States to recognize a SyRB as well as to decide whether the recognized SyRB will apply to domestically authorized institutions at individual, sub-consolidated or consolidated. A decision to recognize a SyRB at consolidated level will result in the inclusion of all relevant exposures, including those of all subsidiaries located in the Member State that sets the buffer.

It remains, however, entirely within the discretion of a Member State to decide whether or not to recognise a SyRB of another Member State and determine the level at which the SyRB is reciprocated. If the ESRB issues a recommendation on the reciprocation of a SyRB specifying that a measure should be recognised, at a certain level (e.g., at individual and consolidated level) and for certain types of exposures, Member States are encouraged to reciprocate in accordance with this recommendation or explain their decision to not follow such an ESRB recommendation.

On 8 May 2025, the EBA updated its Q&A on Directive 2015/2366/EU (PSD2).

The question contained in update is as follows:

Where PIs and EMIs (referred to as non-bank PSPs) have direct access to central bank operated payment systems for settling payment transactions, would keeping a balance on a settlement account with the central bank/payment system, without the central bank maintaining a safeguarding account for the non-bank PSP, be compliant with the safeguarding requirements under Article 10 of PSD2?

Article 10(1) of Directive (EU) 2015/2366 (PSD2) prescribes that ‘Member States or competent authorities shall require payment institutions which provide payment services as referred to in points (1) to (6) of Annex I to this Directive and electronic money institutions as defined in Article 2, point (1), of Directive 2009/110/EC to safeguard all funds which have been received from the payment service users or through another payment service provider for the execution of payment transactions, in either of the following ways:

(a) funds shall not be commingled at any time with the funds of any natural or legal person other than payment service users on whose behalf the funds are held and, where they are still held by the payment institution or electronic money institution and not yet delivered to the payee or transferred to another payment service provider by the end of the business day following the day when the funds have been received, they shall be deposited in a separate account in a credit institution or in a central bank at the discretion of that central bank, or invested in secure, liquid low-risk assets as defined by the competent authorities of the home Member State; and they shall be insulated in accordance with national law in the interest of the payment service users against the claims of other creditors of the payment institution or electronic money institution, in particular in the event of insolvency;

(b) funds shall be covered by an insurance policy or some other comparable guarantee from an insurance company or a credit institution, which does not belong to the same group as the payment institution or electronic money institution itself, for an amount equivalent to that which would have been segregated in the absence of the insurance policy or other comparable guarantee, payable in the event that the payment institution or electronic money institution is unable to meet its financial obligations.’

In line with Q&A 5264, it is up to the payment institution or, as applicable, the e-money institution (together, referred to herein as “non-bank PSPs”) to decide whether it will fulfil the safeguarding requirement in Article 10(1) PSD2 via one of the two methods mentioned above (the segregation method or the insurance/guarantee method), or a combination of both.

Where a central bank operating a payment system offers accounts for safeguarding purposes, a payment institution or an e-money institution (non-bank PSPs) having direct access to that central bank-operated payment system can deposit funds as referred to in Article 10(1) PSD2 in these accounts and meet the obligations under Article 10(1)(a) of PSD2.

Where a central bank operating a payment system does not offer accounts for safeguarding purposes, keeping funds as referred to in Article 10(1) PSD2 on a settlement account with the payment system after the end of the business day following the day when the funds have been received, cannot be considered by itself a safeguarding measure in accordance with Article 10(1) of PSD2.

Relatedly, with regard to the safeguarding method in Article 10(1)(a) PSD2, it should also be noted that the requirement to deposit funds in a separate account in a credit institution or in a central bank at the discretion of that central bank, or invest them in secure, liquid low-risk assets only applies where those funds are still held by the non-bank PSP and not yet delivered to the payee or transferred to another payment service provider “by the end of the business day following the day when the funds have been received”.

The clarifications in this Q&A are without prejudice to any existing or future requirements of national law in accordance with Article 10(1)(a) that insulate funds in the interest of payment service users against the claims of other creditor of non-bank PSPs.

On 7 May 2025, the EBA updated technical standards on resolution planning reporting.

This comprehensive review of the ITS on the provision of information for the purposes of resolution plans seeks to achieve full harmonisation of reporting requirements in the EU and avoid duplication of data requests, thus reducing the cost of compliance with resolution planning reporting obligations by institutions. Proportionality has been a key driver of this regulatory product.

These ITS improve the usability of the data collected by resolution authorities reflecting the latest developments in resolution planning, crisis preparedness and policies, and delivering efficient practices. These ITS promote harmonisation, proportionality and simplification in resolution planning reporting by avoiding parallel data collections, and eliminating data points that are either redundant or of limited value. Proportionality has been enhanced with the streamlining of datapoints to avoid overlaps and the reporting requirements are based on the size and complexity of institutions. 

More specifically, measures to support simplification and proportionality include:

• relieving entities from parallel data collections based on legal obligations coming from different authorities;
• Implementing a modular core-plus-supplement approach that reduces the scope of reporting obligations for certain categories of reporting entities based on their size and complexity.;
• removing duplications and overlapping data points with MREL/TLAC, CoRep and FinRep, where the reporting entity has already submitted this data.

On 22 May 2025, the EBA launched consultation on proposed amendments to the European Commission’s Implementing Regulation on Pillar 3 disclosures under the CRR3.

The proposal specifies enhanced and proportionate disclosure requirements related to ESG-related risks, equity exposures and aggregate exposure to shadow banking entities. It also implements the new codes for the statistical classification of economic activities in the EU (NACE).  

This consultation paper finalises the implementation of the Pillar 3 disclosure requirements introduced by the banking package (CRR3), including the extension of the scope of application of ESG risks-related disclosures to all institutions and the disclosure of information on shadow banking and equity exposures.

In line with the European Commission’s omnibus proposal  to reduce reporting costs and simplify sustainability reporting, the EBA has designed a proportionate approach for ESG disclosures based on the institution’s type, size and complexity, with simplified disclosures for banks other than large, particularly for those that are small or non-listed.

Furthermore, the consultation does not introduce any new requirement on banks already disclosing ESG related information (large listed banks),  but aims to simplify the reporting process by clarifying the existing requirements based on the experience gained. It does this by introducing materiality considerations regarding the frequency of some of the disclosures and by ensuring full and permanent alignment with the Taxonomy Regulation in terms of scope and definition of the Green Asset Ratio (GAR) templates.

Transitional provisions have been introduced to support institutions and facilitate the initial implementation of the new requirements. For ESG disclosures, in particular, consistently with these transitional provisions, in order to clarify expectations, ensure consistency and reduce operational burden, for the period until the ITS now being consulted starts applying, the EBA is encouraging supervisory flexibility. For this purpose, the EBA is considering issuing a no action letter advising competent authorities not to prioritise the enforcement of the disclosure of certain templates related to the Green Asset Ratio and Taxonomy Regulation for large and listed institutions; nor the enforcement of the disclosure of any ESG-related templates for other institutions.

Finally, the EBA is further supporting institutions in their compliance with disclosure requirements by providing an updated mapping tool between Pillar 3 and supervisory reporting.

The Consultation closes on 22 August 2025.

On 22 May 2025, the EBA published onboarding plan to implement the Pillar 3 data hub.

This initiative is a significant milestone in the EBA’s commitment to enhancing transparency and consistency in Pillar 3 disclosures across the EU financial system and promoting market discipline.

The onboarding plan outlines the procedural steps that institutions need to follow to ensure timely and accurate submissions of Pillar 3 information. The onboarding plan provides a step-by-step guide for the identification of institutions and to give them access to the EBA’s EUCLID Regulatory Reporting Platform, through which the Pillar 3 data will be submitted. It also spells out the timeline for the process, which will follow a phased-in approach.

In addition to the onboarding plan, the EBA is publishing a list of FAQs that aim to help institutions during the first implementation and data submission process. The FAQs will be a living document that will be updated by the EBA as needed.

Furthermore, the EBA is introducing a phased-in approach and transitional provisions that should give institutions time to prepare for the process. This means that institutions will be able to continue to fulfil their Pillar 3 disclosure obligations during 2025 as usual, and the submissions to the P3DH will occur only at a later stage. This approach will give institutions with enough time to complete the onboarding process and align their internal processes, without impacting the compliance with the CRR requirements.

By providing a single, centralised platform for Pillar 3 data, the EBA will support all interested users—including institutions—by significantly enhancing access and comparability of prudential information. For the first time, users will be able to explore and visualise disclosures across institutions and over time in a single public platform, making it easier for institutions to benchmark themselves against peers and fostering market discipline. This will not only strengthen the transparency of the EU banking sector but also promote the soundness and resilience of the broader financial system. The P3DH information will be available to the public from December 2025.

The EBA encourages all relevant institutions to familiarise themselves with the onboarding process and begin preparations for the P3DH implementation.

On 23 May 2025, the EBA updated its Q&A on CRR.

The datapoint modeling for C_25.01.b does not align for rows 10 & 20 with that of C_25.01.a. The datapoint model for C_25.01.a lists (qAFF:qFI) Type of Financial Instruments while C_25.01.b does not. 

In the data point modelling of template C 25.01b,, column 0050, rows 0010 and 0020, in DPM 4.0, the data points have been modelled the same way. The modelling will be corrected in the next DPM release. In the meantime, the amounts corresponding to the definition of row 0010 shall be reported in the single data point. Validation rule v23074_m will be deactivated.

Should all the instruments or lending against Sovereigns, where the use of proceeds is unknown, be excluded from the numerator of Template 7 ESG Disclosure - row 460 - Sovereigns and moved to row 440 - Other assets (e.g. Goodwill, commodities etc.)?

Assets on lending or financing central governments, central banks and supranational issuers by the institutions irrespective of the use of proceeds, should be excluded from both the numerator and denominator of the GAR according to Article 7(1) of the Disclosures Delegated Act. Institutions should disclose them in row 46 – Sovereigns of Template 7.

On 28 May 2025, the EBA published final technical package for its 4.1 reporting framework.

This package will support the assessment and identification of significant crypto asset providers. It will also support the centralisation of institutions’ prudential disclosures in the EBA Pillar 3 data hub, which shall facilitate access and usability of this information to all users, including institutions. This framework will apply as of the second half of 2025.

The draft technical package provides the standard specifications which include the validation rules, the data point model (DPM) and the XBRL taxonomies to support the following reporting obligations:

• Pillar 3 templates included in the comprehensive Implementing Technical Standards (ITS) on Pillar 3 disclosures, for the purpose of the Pillar 3 data hub.
• Own initiative guidelines on reporting of data that competent authorities will need for the purpose of their supervisory tasks and for significance assessment (MiCAR reporting Guidelines).
• Integration of Instant Payments reporting ITS into DPM and taxonomy
• A series of validation rules have been added to the ESG ad-hoc data collection module.

On 8 May 2025, the EC published consultation on Savings & Investments Union – EU rules to foster market integration and efficient supervision.

As announced in the ‘Savings and Investments Union’ strategy, this directive aims to:

• foster more integrated, deeper and efficient EU capital markets by removing regulatory, supervisory and operational barriers hindering key market players and infrastructures;
• modernise and simplify the EU rules in this area; and
• reduce administrative burden.

The Consultation closes on 5 June 2025.

On 26 May 2025, the EU published Corrigendum to Regulation (EU) 2024/2987 of the European Parliament and of the Council of 27 November 2024 amending Regulations (EU) No 648/2012, (EU) No 575/2013 and (EU) 2017/1131 as regards measures to mitigate excessive exposures to third-country central counterparties and improve the efficiency of Union clearing markets (OJ L, 2024/2987, 4.12.2024).

The change relates to page 70, Article 3, point (3)(b).

On page 70, Article 3, point (3)(b):

for:

Where a reverse repurchase agreement is centrally cleared through a CCP authorised in accordance with Article 14 of Regulation (EU) No 648/2012 or recognised in accordance with Article 25 of that Regulation, the cash received by an MMF as part of each reverse repurchase agreement shall not exceed 15 % of the assets of the MMF.’

read:

Where a reverse repurchase agreement is centrally cleared through a CCP authorised in accordance with Article 14 of Regulation (EU) No 648/2012 or recognised in accordance with Article 25 of that Regulation, the cash provided by an MMF as part of each reverse repurchase agreement shall not exceed 15 % of the assets of the MMF.’

On 2 May 2025, the EC published consultation on revision of EU rules on sustainable finance disclosure.

The Sustainable Finance Disclosures Regulation (SFDR) has been in application since March 2021. It is part of a broader package of sustainability disclosure rules adopted to deliver on the objectives of the Green Deal. The SFDR interacts closely with the Taxonomy Regulation and the Corporate Sustainability Reporting Directive. More specifically, the SFDR sets out how financial market participants should disclose sustainability information to investors, in order to help the latter make informed choices about their investments. 

The initiative aims at reviewing EU rules on sustainable finance disclosure with the objective of simplifying the framework, enhancing its usability and preventing greenwashing.

The consultation closes on 30 May 2025.

On 20 May 2025, the FSMA published Common guidance on estimating aggregate annual costs and losses caused by major ICT.

This document relates to financial entities under the DORA Regulation and supervised by the FSMA. It addresses the Joint Committee of the European Supervisory Authorities' (ESAs) guidance on estimating the total annual costs and losses from major ICT incidents.

Under Article 16 of the ESA Regulations, ESAs may issue guidelines to ensure consistent supervision and uniform application of EU law. Competent authorities and financial institutions must make efforts to comply with these guidelines and report their compliance status within two months.

The guidance includes a proposed standard format for reporting these costs and losses.

BACKGROUND

On 6 May 2025, ANBIMA (the Brazilian Financial and Capital Markets Association) launched a comprehensive guide focused on the elaboration of the Provision for Doubtful Debts (PDD) methodology specifically for credit rights. This initiative supports the sustainable growth and sound management of the FIDCs (Receivables Investment Funds) industry in Brazil. The guide forms part of the broader “ANBIMA in Action” agenda, a strategic set of priorities for the 2025/2026 biennium aimed at strengthening the financial market infrastructure and best practices.

WHAT'S NEW?

The newly issued guide provides detailed recommendations to assist fund managers in estimating potential losses related to the expected cash flows from credit rights purchased by FIDCs. It emphasizes that while the guide offers a robust framework, each fund administrator should tailor the methodology to fit the specific characteristics of their portfolio and the classes under their administration.

Key highlights of the guide include:

• Instructions on how to factor in various credit rights events such as buybacks, substitutions, term extensions, and renegotiations into the PDD calculation.
• Emphasis on the periodic review of the methodology by managers to ensure ongoing appropriateness and to maintain comprehensive records of any changes in their loss estimation criteria.

WHAT'S NEXT?

Fund managers are expected to adopt and customize the methodology within their risk management frameworks. Regular evaluations of the chosen approaches will be critical to maintain accuracy and relevance amid evolving market conditions. The guide is likely to foster more consistent and transparent loss provisioning practices across the FIDC industry, supporting improved investor confidence and market stability.

BACKGROUND

On 6 May 2025, the Central Bank of Brazil (BCB) published Normative Instruction No. 617, which amends BCB Normative Instruction No. 85 of 10 March 2021. The original Instruction established procedures for submitting information related to the calculation of regulatory limits as per Article 3 of BCB Resolution No. 69 (dated 10 February 2021). It also defined the layout and filling instructions for the Code Document 2062, known as the Statement of Individual Operating Limits (DLI), which summarizes the monitored prudential limits for institutions under BCB supervision.

WHAT'S NEW?

The amendment responds to the publication of CMN Resolution No. 5,061 on 16 February 2023, which regulates the organization and functioning of service confederations, including minimum capital stock and equity requirements. Due to this, Normative Instruction No. 617 updates Instruction No. 85 to:

• Require the submission of limits related to CMN Resolution No. 5,061.
• Include new account groups in the DLI layout and filling instructions, allowing service confederations to report their paid-in share capital and shareholders’ equity.
• Update outdated normative references within the instruction.

These changes ensure that service confederations comply with the updated capital and equity reporting requirements and enhance the accuracy of regulatory reporting.

WHAT'S NEXT?

Normative Instruction No. 617 took effect immediately upon publication on 6 May 2025. Institutions under BCB supervision, particularly service confederations, must adjust their reporting processes to include the new data fields and comply with the updated submission requirements. This amendment aims to improve regulatory transparency and oversight of capital adequacy for service confederations, aligning prudential monitoring with recent regulatory developments.

BACKGROUND

On 9 May 2025, the AMF published six sets of guidelines to support the implementation of the MiCA Regulation. These orientations aim to clarify how MiCA will be applied in France, offering operational guidance to crypto-asset service providers and issuers.

WHAT'S NEW?

The six orientations cover the following key areas:

• Qualification of Crypto-Assets as Financial Instruments: Clarifies how to distinguish crypto-assets subject to MiCA from those qualifying as financial instruments under existing EU legislation (e.g., MiFID II).
• Reverse Solicitation: Defines when firms from third countries may serve EU clients without MiCA authorisation, highlighting that no marketing or active solicitation may be directed at EU clients.
• Crypto-Asset Transfers: Outlines rules for transparency on transfer execution timing, client information, fees, liability, and handling of transfer rejections—with emphasis on irreversibility.
• Suitability and Periodic Review: Requires providers to regularly assess client knowledge, experience, financial situation, and investment objectives to ensure service appropriateness.
• Security Access Protocols: Establishes cybersecurity and access control expectations for issuers and applicants (excluding stablecoins), covering key management, physical security, and governance.
• Standardised Explanation Models and Classification Tests: Introduces templates for whitepapers, legal opinions, and tests to determine whether a crypto-asset falls under MiCA or other EU frameworks.

WHAT'S NEXT?

These guidelines will serve as a foundation for consistent MiCA implementation in France. Crypto-asset service providers and issuers should align their practices with these orientations in preparation for the full application of MiCA by 30 June 2026. Further regulatory updates or complementary guidance may follow as the transition progresses.

Version française

BACKGROUND

Le 9 mai 2025, l'AMF a publié six séries d'orientations pour soutenir la mise en œuvre du règlement MiCA. Ces orientations visent à clarifier les modalités d'application du règlement MCA en France, en offrant des conseils opérationnels aux prestataires de services de crypto-actifs et aux émetteurs.

WHAT'S NEW?

Les six orientations couvrent les domaines clés suivants :

• Qualification des crypto-actifs en tant qu'instruments financiers : Clarifie comment distinguer les crypto-actifs soumis à MiCA de ceux qui sont qualifiés d'instruments financiers en vertu de la législation européenne existante (par exemple, MiFID II).
• Sollicitation inversée : Définit quand les entreprises de pays tiers peuvent servir les clients de l'UE sans autorisation MiCA, en soulignant qu'aucune commercialisation ou sollicitation active ne peut être dirigée vers les clients de l'UE.
• Transferts de crypto-actifs : Les règles de transparence sur les délais d'exécution des transferts, l'information des clients, les frais, la responsabilité et le traitement des rejets de transfert sont exposées, l'accent étant mis sur l'irréversibilité.
• Adéquation et examen périodique : Les prestataires sont tenus d'évaluer régulièrement les connaissances, l'expérience, la situation financière et les objectifs d'investissement des clients afin de s'assurer de l'adéquation des services.
• Protocoles d'accès à la sécurité : Ces protocoles définissent les attentes en matière de cybersécurité et de contrôle d'accès pour les émetteurs et les candidats (à l'exclusion des stablecoins), et couvrent la gestion des clés, la sécurité physique et la gouvernance.
• Modèles d'explication et tests de classification normalisés : Introduit des modèles pour les livres blancs, les avis juridiques et les tests visant à déterminer si un crypto-actif relève de la MiCA ou d'autres cadres de l'UE.

WHAT'S NEXT?

Ces lignes directrices serviront de base à une mise en œuvre cohérente de l'AMC en France. Les fournisseurs de services de crypto-actifs et les émetteurs devraient aligner leurs pratiques sur ces orientations afin de se préparer à l'application complète des MiCA d'ici le 30 juin 2026. D'autres mises à jour réglementaires ou des orientations complémentaires pourront suivre au fur et à mesure de la transition.

On 27 May 2025, AMF published a press release on MICA implementation in France.

The purpose of this publication is to:

• Update stakeholders on the initial implementation of the MiCA Regulation in France.
• Encourage early preparation from crypto-asset service providers (CAPS) ahead of the June 30, 2026 deadline.
• Highlight regulatory challenges and the importance of harmonized practices across EU member states.
• Share insights gained from processing initial MiCA license applications.
• Promote dialogue between the AMF, the industry, and European regulators to ensure a successful and consistent rollout of MiCA.

Key takeaways: 

• The MiCA Regulation has been in effect for five months.
• France opted for an 18-month transitional period, allowing PACTE-licensed entities to continue operating without MiCA approval until June 30, 2026.
• The AMF issued its first MiCA license recently; more applications are in progress.
• Early implementation revealed interpretation challenges, requiring harmonization at the EU level through ESMA.
• Ongoing dialogue with market participants and industry associations (e.g., ADAN) has proven constructive in addressing legal and operational issues.
• Many applicants are voluntarily exceeding MiCA requirements (e.g., conducting cybersecurity audits), reflecting growing industry maturity.

The main regulatory challenge is achieving convergence in authorization and supervision practices across Europe, vital for investor protection and effective passporting.

The AMF urges not to delay compliance efforts, stressing that no extension beyond June 30, 2026, will be granted.

Version française

Le 27 mai 2025, l'AMF a publié un communiqué de presse sur la mise en œuvre du MICA en France.

L'objectif de cette publication est de :

• Mettre à jour les parties prenantes sur la mise en œuvre initiale du règlement MiCA en France.
• Encourager les prestataires de services de crypto-actifs (CAPS) à se préparer en amont de l'échéance du 30 juin 2026.
• Mettre en évidence les défis réglementaires et l'importance de pratiques harmonisées entre les États membres de l'UE.
• Partager les enseignements tirés du traitement des premières demandes d'autorisation des ACM.
• Promouvoir le dialogue entre l'AMF, l'industrie et les régulateurs européens afin d'assurer un déploiement réussi et cohérent de MiCA.

Principaux enseignements : 

• Le règlement MiCA est en vigueur depuis cinq mois.
• La France a opté pour une période transitoire de 18 mois, permettant aux entités agréées PACTE de continuer à opérer sans approbation MiCA jusqu'au 30 juin 2026.
• L'AMF a récemment délivré son premier agrément MiCA ; d'autres demandes sont en cours.
• Les premières étapes de la mise en œuvre ont révélé des difficultés d'interprétation, nécessitant une harmonisation au niveau de l'UE par l'intermédiaire de l'ESMA.
• Le dialogue permanent avec les acteurs du marché et les associations professionnelles (par exemple, ADAN) s'est avéré constructif pour résoudre les problèmes juridiques et opérationnels.
• De nombreux candidats dépassent volontairement les exigences du MiCA (par exemple, en réalisant des audits de cybersécurité), ce qui témoigne de la maturité croissante du secteur.

Le principal défi réglementaire est de parvenir à une convergence des pratiques d'autorisation et de supervision à travers l'Europe, ce qui est essentiel pour la protection des investisseurs et l'efficacité du passeport.

L'AMF invite à ne pas retarder les efforts de mise en conformité et souligne qu'aucune prolongation au-delà du 30 juin 2026 ne sera accordée.

BACKGROUND

On 9 May 2025, the AMF updated its position to align with the latest ESMA guidelines on crisis simulation scenarios for money market funds, pursuant to Article 28 of the EU Money Market Funds Regulation (MMFR). This regulation requires fund managers to conduct regular stress tests to assess the resilience of their funds to adverse market conditions. Funds managing over €100 million in assets must submit results quarterly, while smaller funds report annually. These results are then forwarded by national authorities to ESMA.

WHAT'S NEW?

The updated AMF position incorporates ESMA’s February 2025 revised guidelines, which reflect market conditions observed in late 2024. Key updates include:

• Lower credit spread assumptions for corporate bonds
• Reduced liquidity shock assumptions for sovereign bonds

This is the fifth parameter revision since MMFR reporting was introduced in 2020. These new parameters are mandatory from 24 April 2025 and must be used for all reports due from 30 June 2025 onwards.

WHAT'S NEXT?

Money market fund managers must ensure they apply the updated parameters in their upcoming reports. The AMF has emphasized the importance of compliance and requests that any reports already submitted using outdated parameters be corrected and resubmitted promptly. Fund managers should also stay alert for future updates as part of the ongoing refinement of stress-testing practices under the MMFR framework.

Version française

BACKGROUND

Le 9 mai 2025, l'AMF a mis à jour sa position pour s'aligner sur les dernières lignes directrices de l'ESMA concernant les scénarios de simulation de crise pour les fonds monétaires, en application de l'article 28 du règlement européen sur les fonds monétaires (MMFR). Ce règlement impose aux gestionnaires de fonds d'effectuer régulièrement des tests de résistance afin d'évaluer la résilience de leurs fonds face à des conditions de marché défavorables. Les fonds gérant plus de 100 millions d'euros d'actifs doivent soumettre leurs résultats tous les trimestres, tandis que les fonds plus petits doivent le faire une fois par an. Ces résultats sont ensuite transmis par les autorités nationales à ESMA.

WHAT'S NEW?

La position actualisée de l'AMF intègre les orientations révisées de février 2025 de l'AEMF, qui reflètent les conditions de marché observées à la fin de l'année 2024. Les principales mises à jour sont les suivantes :

• Des hypothèses de spreads de crédit plus faibles pour les obligations d'entreprises.
• Des hypothèses de choc de liquidité réduites pour les obligations souveraines

Il s'agit de la cinquième révision des paramètres depuis l'introduction du reporting MMFR en 2020. Ces nouveaux paramètres sont obligatoires à partir du 24 avril 2025 et doivent être utilisés pour tous les rapports dus à partir du 30 juin 2025. 

WHAT'S NEXT?

Les gestionnaires d'OPCVM monétaires doivent s'assurer qu'ils appliquent les paramètres mis à jour dans leurs prochains rapports. L'AMF a souligné l'importance de la conformité et demande que tout rapport déjà soumis en utilisant des paramètres obsolètes soit corrigé et soumis à nouveau rapidement. Les gestionnaires de fonds doivent également rester attentifs aux futures mises à jour dans le cadre de l'amélioration continue des pratiques de simulation de crise en vertu du cadre du MMFR.

On 12 May 2025, AMF published a communication on AMF designated as Competent Authority under EU Women on Boards Directive.

As part of the transposition of the EU directive on improving gender balance among directors of listed companies, the Autorité des marchés financiers (AMF) has been designated as the competent authority in France. This follows the ordinance of 15 October 2024 and the DDADUE law of 30 April 2025.

Starting 30 June 2026, the AMF will be responsible for collecting and reviewing annual data from listed companies exceeding certain thresholds (250+ employees and turnover > €50M or balance sheet > €43M) regarding the representation of women and men on their boards. It will then publish and regularly update the list of companies that comply with the gender balance requirements set out in the French Commercial Code.

This directive requires companies to ensure that:

• Either 40% of non-executive board positions,
• Or 33% of all board positions (executive and non-executive) are held by the underrepresented gender.

The AMF will work closely with the High Council for Gender Equality to promote and support gender parity in corporate governance. This new framework complements existing French legislation (notably the Copé-Zimmermann law), which already imposes a 40% minimum representation of each gender on boards of listed and large companies.

Version française

Le 12 mai 2025, l’AMF a publié une communication sur sa désignation comme autorité compétente au titre de la directive européenne sur les femmes aux conseils d’administration.

Dans le cadre de la transposition de la directive européenne visant à améliorer l’équilibre entre les femmes et les hommes au sein des conseils d'administration des sociétés cotées, l’AMF a été désignée autorité compétente en France. Cette désignation fait suite à l’ordonnance du 15 octobre 2024 et à la loi DDADUE du 30 avril 2025.

À compter du 30 juin 2026, l’AMF sera responsable de la collecte et de l’analyse des données annuelles transmises par les sociétés cotées dépassant certains seuils (plus de 250 salariés et un chiffre d'affaires supérieur à 50 M€, ou un total de bilan supérieur à 43 M€), concernant la représentation des femmes et des hommes dans leurs conseils.

Elle publiera ensuite la liste des sociétés conformes aux exigences du Code de commerce en matière de représentation équilibrée et la mettra régulièrement à jour.

La directive impose aux entreprises de garantir :

• soit 40 % de membres du sexe sous-représenté parmi les administrateurs non exécutifs,
• soit 33 % pour l’ensemble des membres du conseil (exécutifs et non exécutifs).

L’AMF collaborera avec le Haut Conseil à l’Égalité entre les femmes et les hommes pour promouvoir la parité dans la gouvernance des entreprises. Ce nouveau cadre vient compléter les dispositifs existants, notamment la loi Copé-Zimmermann.

BACKGROUND

On 19 May 2025, the AMF published a communication confirming its application of the Joint Guidelines issued by the European Supervisory Authorities (ESAs) under the Digital Operational Resilience Act (DORA – Regulation (EU) 2022/2554), which entered into force on 17 January 2025. These guidelines aim to create a unified framework for assessing and reporting the financial impact of major ICT-related incidents across the EU financial sector.

WHAT'S NEW?

The AMF announced that financial entities under its supervision—excluding microenterprises—must now provide annual estimates of the aggregated costs and losses caused by major ICT incidents, upon request by competent authorities. The key elements of the framework include:

• Cost Categories: Entities must report direct costs (e.g., IT repair, remediation), indirect losses (e.g., revenue loss), legal expenses, regulatory fines, recovered amounts, and accounting provisions.
• Estimation Methodology: The guidelines set out how to calculate and document these costs, including the need to specify the relevant reference year (typically the calendar or financial year).
• Update Requirements: Entities must update estimates regularly to reflect any changes in impact assessment or financial provisions.
• Timeline: The AMF will apply the guidelines starting 19 July 2025, two months after their official EU publication.

This reporting framework is designed to improve supervisory authorities’ insight into the financial consequences of ICT disruptions and contribute to more robust operational risk management practices.

WHAT'S NEXT?

Supervised financial entities must prepare to implement internal processes to track, estimate, and report ICT-related costs in line with the ESA guidelines. The AMF may request these estimates as part of its supervisory activities. Entities should ensure readiness by the 19 July 2025 compliance deadline, and expect this framework to play an increasing role in oversight of ICT risk and operational resilience in the future.

Version française

BACKGROUND

Le 19 mai 2025, l'AMF a publié une communication confirmant son application des lignes directrices conjointes publiées par les autorités européennes de surveillance (AES) en vertu de la loi sur la résilience opérationnelle numérique (DORA - règlement (UE) 2022/2554), qui est entrée en vigueur le 17 janvier 2025. Ces lignes directrices visent à créer un cadre unifié pour l'évaluation et la déclaration de l'impact financier des incidents majeurs liés aux TIC dans l'ensemble du secteur financier de l'UE.

WHAT'S NEW?

L'AMF a annoncé que les entités financières sous sa supervision - à l'exclusion des microentreprises - doivent désormais fournir des estimations annuelles des coûts et pertes agrégés causés par des incidents majeurs liés aux TIC, à la demande des autorités compétentes. Les éléments clés du cadre sont les suivants :

• Catégories de coûts : Les entités doivent déclarer les coûts directs (par exemple, réparation informatique, remédiation), les pertes indirectes (par exemple, perte de revenus), les frais de justice, les amendes réglementaires, les montants recouvrés et les provisions comptables.
• Méthodologie d'estimation : Les lignes directrices précisent comment calculer et documenter ces coûts, y compris la nécessité de spécifier l'année de référence pertinente (généralement l'année civile ou l'exercice financier).
• Exigences de mise à jour : Les entités doivent régulièrement mettre à jour les estimations afin de refléter tout changement dans l'évaluation de l'impact ou dans les dispositions financières.
• Calendrier : L'AMF appliquera les lignes directrices à partir du 19 juillet 2025, deux mois après leur publication officielle dans l'UE.

Ce cadre de reporting est conçu pour améliorer la compréhension par les autorités de contrôle des conséquences financières des perturbations des TIC et contribuer à des pratiques de gestion du risque opérationnel plus robustes.

WHAT'S NEXT?

Les entités financières contrôlées doivent se préparer à mettre en œuvre des processus internes pour suivre, estimer et déclarer les coûts liés aux TIC conformément aux lignes directrices de l'AES. L'AMF peut demander ces estimations dans le cadre de ses activités de surveillance. Les entités doivent s'assurer d'être prêtes pour la date limite de conformité du 19 juillet 2025, et s'attendent à ce que ce cadre joue un rôle croissant dans la surveillance des risques liés aux TIC et de la résilience opérationnelle à l'avenir.

On 7 May 2025, the BaFin published news on Handling, classification and reporting of ICT-related incidents.

Chapter III DORA also includes the obligation to implement a management process which, in addition to dealing with ICT-related incidents, also includes monitoring, logging and, if necessary, reporting ICT-related incidents. The reporting obligation exists in particular also for serious payment-related operational and security incidents. This includes incidents that have a negative impact on the provision of payment-related services (cf. Art. 3 No. 9 & 11 DORA).

Similar reporting and reporting obligations currently exist on the one hand by the Second Payment Services Directive (PSD II Directive) for payment service providers and on the other hand by the NIS Directive for financial companies that are critical infrastructures within the meaning of the Act on the Federal Office for Information Security (BSIG). DORA extends this obligation to the entire financial sector, standardises it – and stipulates that BaFin, insofar as it is the competent authority, is the recipient of such reports. BaFin immediately forwards the reports to the Federal Office for Information Security (BSI), to the respective European Supervisory Authority (EIOPA, ESMA or EBA) and, if necessary, to other stakeholders (e.g. the ECB).

In view of the current reporting obligation to the BSI for companies belonging to critical infrastructure, the lex specialis regulation comes into play. It regulates the cases in which both DORA and NIS2 Directive, (national implementation in the BSIG, among others) define requirements: If the requirements in DORA are more specific, they must be observed as a priority compared to the requirements of the NIS2 Directive. As a result, financial companies that fall under both the NIS2 Directive and DORA are only obliged to report an incident to BaFin in accordance with DORA. In such cases, BaFin ensures that these reports are also immediately available to the BSI so that no information gaps arise.

On 5 May 2025, the BaFin updated its Q&A on the Agreement on the Exchange of Information and Cyber Crisis and Emergency Exercises.

The updates to the questions are as follows:

• Are financial companies now required to share information and insights on cyber threats with other market participants?
• What is an exchange of information and intelligence on cyber threats between financial entities within the meaning of Article 45 DORA?
• When is a notification to BaFin required under Article 45 (3) DORA?
• How is the notification to BaFin made in accordance with Article 45 (3) DORA?
• Does BaFin conduct dedicated cyber crisis and emergency drills for all financial companies?

On 5 May 2025, the BaFin announced that it will apply ESMA guidelines on stress test scenarios under MMF Regulation.

The purpose of the guidelines is to ensure a common, uniform and consistent application of the provisions in Article 28 of the MMF Regulation. They establish common reference parameters of the stress test scenarios to be included in the stress tests. 

In accordance with Article 28(7) of the MMF Regulation, ESMA will update the guidelines at least every year, taking into account the latest market developments. Managers of MMFs thus have the information needed to fill in the corresponding fields in the reporting template referred to in Article 37 of the MMF Regulation, as specified by Commission Implementing Regulation (EU) 2018/7082. This information includes specifications on the relevant types of stress tests and their calibration.

On 15 May 2025, the GFSC published Amendments to the Financial Crime Returns Rules.

The Commission has published amendments to the Financial Crime Returns Rules (“the FC Returns Rules”) which makes mandatory the filing of periodic returns for accountants, lawyers and estate agents (prescribed businesses), ending the disparity with other sectors where such filings are mandatory.

The amendments also introduce the requirement for non-bank money services businesses to submit the quarterly Financial Flows Return.

The consultation responses received were positive and recognised that these amendments largely formalise the requirement to file returns, which was already happening in practice.

These Rules come into force on 2 May 2025.

On 29 May 2025, the Central Bank of Ireland issued a Guidance Note outlining the Fund Profile V3 reporting requirements for Irish authorised investment funds.

Scope and Applicability:

The Fund Profile V3 return applies to all Irish-authorised UCITS, Alternative Investment Funds (AIFs), and Standalone Funds, as well as those seeking authorisation. It must be completed:

• Upon authorisation of each Sub-Fund or Standalone Fund (within 10 working days), and
• Annually, to confirm or update Sub-Fund information based on any changes to offering documents.

Annual Reporting Timeline:

The annual Fund Profile V3 return is required for all Irish authorised Sub-Funds as at 31 December, and is due by 31 May of the following year.

Key Requirements:

• The return must reflect the Sub-Fund’s investment policy, operations, and governance, as outlined in its offering documents.
• Completion is the responsibility of the Fund, and should be done by someone with detailed knowledge of the Sub-Fund (e.g. investment manager or legal advisor).
• All Sub-Funds authorised in a calendar year must submit a return at year-end.

Transition:

Fund Profile V3, introduced in Q2 2025 (replacing Fund Profile V2 from Q2 2022), will itself be replaced by the Fund Metadata Return in Q3 2025.

On 9 May 2025, Ireland's Department of Finance published its Anti-Money Laundering Steering Committee Work Plan 2025.

The Anti-Money Laundering Steering Committee (AMLSC) Work Plan for 2025 outlines Ireland's strategic initiatives to enhance its anti-money laundering (AML), counter-terrorist financing (CTF), and counter-proliferation financing (CPF) framework. Chaired by the Department of Finance, the AMLSC comprises both Standing and Associate members from various public and private sector entities. 

Key Themes and Actions for 2025

1. National Level Coordination

2. Preparation for Mutual Evaluation Review (MER)

3. Measuring and Reporting

4. Disseminating Best Practices

5. Preparing for the European Anti-Money Laundering Authority (AMLA)

The different initiatives are either ongoing or planned to be executed on H1 and H2 2025.

On 8 May 2025, Ireland's Department of Finance published its Public Consultation Feedback Statement on the Directive (EU) 2024/927 of the European Parliament and of the Council of 13 March 2024 amending Directives 2011/61/EU and 2009/65/EC as regards delegation arrangements, liquidity risk management, supervisory reporting, the provision of depositary and custody services and loan origination by alternative investment funds (AIFMD II).

The transposition of Directive (EU) 2024/927 will be led by the Department of Finance (“the Department”) with technical assistance provided by the Central Bank of Ireland (“the Central Bank”). The vast majority of the domestic legal measures required to give effect to Directive (EU) 2024/927 will be included in transposing legislation to be devised by the Department.

Minister’s Decisions:

• Discretion 1 - Article 1(2) of Directive (EU) 2024/927 : Exercise in full - The Central Bank will be permitted to authorise external AIFMs to engage in the ancillary activities and non-core services provided for in Article 1(2) of the amending Directive.
• Discretion 2 - Article 1(7) of Directive (EU) 2024/927 : Exercise in full - All AIFs that originate loans, whether domiciled in Ireland or elsewhere, will be prohibited from granting loans to Irish consumers.

• Discretion 3 - Article 1(10) of Directive (EU) 2024/927 :  Not to exercise - The Central Bank will not be permitted to allow an Irish-domiciled AIF to appoint a depositary established outside of Ireland.
• Discretion 4 - Article 2(2) of Directive (EU) 2024/927 : Exercise in full - The Central Bank will be permitted to authorise UCITS management companies to engage in the ancillary services and non-core services provided for in Article 2(2) of the amending Directive.

Department Officials will bring forward the necessary legislation required to transpose Directive (EU) 2024/927 into Irish law by the transposition deadline of 16 April 2026.

The Irish Department of Finance also published the Regulatory Impact Analysis (RIA) of AIFMD II,  giving first a Description of the Policy Context and Objectives,  Identification of Policy Options (of the 5 different national discretions), following with an Analysis of the Costs, Benefits and Impacts of each Option.

On 15 May, the Irish Funds Industry Association (Irish Funds) published the report Change 2025 on Industry Insights: When Outsourcing is Optimising.

The global investment industry is undergoing profound transformation, with outsourcing emerging as a key strategic response. Based on insights from hundreds of C-suite asset managers and institutional investors, the report highlights three main drivers behind this trend:

1. Rising investor expectations and regulatory scrutiny
2. Growth ambitions and product innovation
3. Pressure to reduce costs – especially critical for smaller firms

Increased Scrutiny and the Rise of Outsourcing

Asset managers face heightened scrutiny from both clients and regulators, particularly around transparency, reporting, and governance. Notably, 87% of institutional investors rejected a manager in the past three years due to poor governance. In response, managers are:

• Improving internal governance structures.
• Increasing reliance on third-party specialists to raise standards and meet reporting demands.
  -  88% plan to boost outsourcing in the next year.
  - 49% expect a dramatic increase.

Outsourcing enables managers to access expertise, infrastructure, and technology that enhance efficiency and compliance.

Optimism and Growth Strategies

The outlook for fund inflows is bullish:

• 81% of managers expect increased inflows in 2025.
• Over two-thirds forecast 10–25% growth; 27% predict up to 50% more than in 2024.

To support this growth, managers plan to:

• Launch more new funds (84% expect an increase).
• Expand internationally (88% aim to raise assets overseas).
• Focus on ETFs, now transitioning from tactical tools to core portfolio components.
  - 97% of equity/fixed income managers see ETFs as critical to long-term success.
  - Many outsource ETF launches to overcome regulatory and operational challenges.

Survival for Smaller Firms

With regulation expected to become even more complex by 2027, consolidation looms:

• 88% foresee increased consolidation across asset classes.
• Smaller firms face a strategic choice: merge or outsource to stay independent.

By leveraging third-party providers, smaller firms can stay competitive, meet compliance standards, and focus resources on performance and client service.

On 13 May 2025, Ireland’s Department of Finance announced the passing of the Finance (Provision of Access to Cash Infrastructure) Bill 2024.

This marks the final legislative stage before the Bill is signed into law by the President. Once enacted, the law will establish a regulatory framework to ensure continued, fair, and effective access to cash across Ireland.

The legislation will:

• Set regional requirements for access to ATMs and cash service points;
• Make retail banks responsible for maintaining minimum access levels;
• Empower the Central Bank of Ireland to monitor compliance, address local deficiencies, and regulate ATM and cash-in-transit providers.

The Bill implements key recommendations from the 2022 Retail Banking Review and aims to maintain cash infrastructure at pre-2023 levels, especially following recent market exits by Ulster Bank and KBC.

On 13 May 2025, Ireland’s Department of Finance issued the European Union (Settlement Finality) (Amendment) Regulations 2025 (S.I. No. 170 of 2025) to align national legislation with recent amendments to Directive 98/26/EC on settlement finality in payment and securities settlement systems, as last amended by Regulation (EU) 2024/886.

This instrument updates key definitions in the original 2010 Irish Regulations (S.I. No. 624/2010), which transposed the Settlement Finality Directive into national law. The amendments reflect the evolving scope of participants in financial market infrastructure and aim to enhance legal certainty in the execution of transfer orders.

Key changes include:

• Updated definition of “credit institution” to align with Regulation (EU) No 575/2013 (CRR), now explicitly including entities listed in Article 2(5) of Directive 2013/36/EU (CRD IV).
• Expanded definition of “institution” to include:
  - Investment firms,
  - Public authorities and publicly guaranteed undertakings,
  - Third-country entities with equivalent functions to EU credit institutions or investment firms,
  - Payment institutions and electronic money institutions that participate in systems executing transfer orders.
• Revised definition of “investment firm” aligned with Directive 2014/65/EU (MiFID II), with exclusions per Article 2(1).
• Updated reference to the “Settlement Finality Directive” to include all relevant amendments up to and including Regulation (EU) 2024/886.

These changes may affect investment firms, credit institutions, payment and e-money institutions, particularly those involved in clearing and settlement systems. Entities newly falling within the expanded definitions may now be subject to the protections and obligations of the settlement finality framework, including the irrevocability and enforceability of transfer orders.

On 5 May 2025, Italy published cybersecurity guidelines for strategic IT procurement.

The  Decree of the President of the Council of Ministers implements Article 14 of Law No. 90 of 28 June 2024 and introduces specific criteria and obligations for both public and certain private entities when sourcing technologies deemed critical (as per Article 1, paragraph 2-bis of the decree-law September 21, 2019, No. 105, which was converted into law November 18, 2019, No. 133, 'The Perimeter Decree'. The Perimeter Decree complements the NIS Decree, to strengthen and complement the national information security framework).

In particular, the DPCM identifies essential cybersecurity requirements (Annex 1), such as default secure configurations, secure update mechanisms, resilience against denial-of-service attacks, and strict access controls; defines a list of 22 categories of IT goods and services (Annex 2) that are subject to these requirements, ranging from identity management systems to smart meters and cloud services; it also sets out a trustworthiness criterion, providing preferential treatment for bids relying on cybersecurity technologies originating from Italy, the EU, NATO countries, or the six selected third countries enlisted in Annex 3 (Australia, South Korea, Japan, Israel, New Zealand, Switzerland). 

The Decree is framed as a dynamic instrument, subject to periodic updates to account for technological and international developments. This new framework will have significant implications on both public procurement strategies and vendor selection processes, particularly for operators in sensitive sectors.

This Decree enters into force on 5 May 2025.

On 5 May 2025, the CONSOB published notice on adoption of ESMA guidelines on procedures and policies, including clients' rights, in the context of crypto-asset transfer services, under the MiCA Regulation on investor protection.

On 26 February 2025, ESMA published on its website "Guidelines on the procedures and policies, including the rights of clients, in the context of transfer services for crypto-assets under the MiCA on investor protection", also in the official translation into Italian (hereinafter, "the Guidelines") - adopted by the European Authority, pursuant to Article 16 of Regulation No. 1095/2010/EU ("ESMA Regulation").

The Guidelines provide interested operators with guidance on policies and procedures in the context of crypto-asset transfer services. In particular, they provide for general provisions on policies and procedures relating to the transfer of crypto-assets; indications on the detailed information to be provided on individual transfers of crypto-assets as well as with respect to execution times and deadlines; provisions on the refusal or suspension of an instruction to transfer crypto-assets or the case of return of transferred crypto-assets; clarifications with respect to the liability of the crypto-asset service provider.

In compliance with paragraph 3 of the aforementioned Article 16 of the ESMA Regulation, Consob has notified the European Authority that it complies with the Guidelines in question, integrating them into its supervisory practices.

Crypto-asset service providers subject to Consob supervision are therefore required to comply with the application guidelines issued by ESMA through the Guidelines referred to in this Notice.

On 15 May 2025, the CONSOB published notice on compliance with the Joint Guidelines on the estimation of aggregate annual costs and losses caused by major ICT-related incidents under Regulation (EU) 2022/2554 (DORA).

Consob has notified ESMA, pursuant to Regulation (EU) No. 1095/2010, of compliance with the Joint Guidelines of the European Supervisory Authorities (ESAs) "Joint Guidelines on the estimation of aggregate annual costs and losses caused by major ICT-related incidents pursuant to Regulation (EU) 2022/2554 (DORA)" (JC/GL/2024/34).

The Guidelines, which are addressed to the competent authorities referred to in Article 46 of Regulation (EU) 2022/2554 and the financial institutions referred to in Article 4(1) of Regulation (EU) No 1093/2010, Article 4(1) of Regulation (EU) No 1094/2010 and Article 4(1) of Regulation (EU) No 1095/2010, provide a common model for the estimation of aggregated annual costs and losses caused by major information technology-related incidents and communication (ICT).

The Guidelines apply from 19 May 2025 and are also available on the Consob institutional website in the Italian version.

On 19 May 2025, CSSF published updates on the FAQ on CBDF regulation.

CSSF has released Version 9 of its FAQ on Cross-Border Distribution of Funds (CBDF) – Notification Procedures, providing updated guidance on notification processes under the CBDF Regulation. This version incorporates clarifications and procedural updates to assist fund managers in complying with cross-border marketing requirements.

Key Updates in Version 9:

• Pre-Marketing Notifications: Clarifies the requirements for Alternative Investment Fund Managers (AIFMs) regarding pre-marketing activities, including the submission of a pre-marketing notification letter to the CSSF within two weeks of initiating pre-marketing.
• Notification Procedures: Outlines the steps for UCITS and AIFMs to notify the CSSF when marketing funds in other EU Member States, emphasizing the use of standardized notification letters and the importance of timely communication.
• De-Notification Process: Provides guidance on the procedure for de-notifying marketing activities, including the conditions under which de-notification is permissible and the necessary documentation to be submitted to the CSSF.
• Use of eDesk Portal: Highlights the requirement to use the CSSF's eDesk portal for submitting notifications and related documents, ensuring a streamlined and efficient process.
• Documentation Requirements: Specifies the documents to be included in notification files, such as the latest prospectus, key information documents, and confirmation of payment where applicable

Version française

Le 19 mai 2025, la CSSF a publié une mise à jour de la FAQ sur le règlement CBDF.

La version 9 de la FAQ sur la distribution transfrontalière des fonds (CBDF – procédures de notification) fournit des précisions sur les démarches à suivre pour respecter les exigences du règlement CBDF.

Éléments clés de la version 9 :

• Notifications de pré-commercialisation : précisions sur les obligations des AIFM, notamment la soumission d’une lettre de notification dans les deux semaines suivant le début de la pré-commercialisation.
• Procédures de notification : étapes à suivre pour notifier la CSSF lors de la commercialisation de fonds dans d'autres États membres, en mettant l'accent sur l'utilisation de lettres normalisées.
• Procédure de dénotification : conditions à remplir et documents à soumettre pour mettre fin à la commercialisation.
• Utilisation du portail eDesk : obligation de transmettre les notifications via eDesk.
• Pièces justificatives : liste des documents à joindre, comme le prospectus à jour, les documents d’informations clés et les preuves de paiement si nécessaire.

On 20 May 2025, The CSSF published update on FAQ related to AIFM law. 

Version 24, updated on 20 May 2025, provides comprehensive guidance on the application of the Luxembourg Law of 12 July 2013 concerning Alternative Investment Fund Managers (AIFMs). This version addresses key aspects of the AIFM regulatory framework, including authorisation, registration, operational requirements, and cross-border activities.

1. Authorisation Regime:

Luxembourg entities that qualify as AIFMs must obtain authorisation under Chapter 2 of the 2013 Law, unless they meet the criteria for the registration regime. The authorisation application must be submitted to the CSSF and should include:

• A completed application form.
• Supporting documents as specified in the application guidelines.
• Compliance with the provisions outlined in Circular CSSF 18/698, which details the authorisation and organisation requirements for investment fund managers.

2. Registration Regime for Below-Threshold AIFMs:

Entities managing assets below certain thresholds may opt for registration instead of full authorisation. The thresholds are:

• €100 million, including assets acquired through leverage.
• €500 million, for portfolios consisting of unleveraged AIFs with no redemption rights exercisable within five years after initial investment.

Registration applications must be submitted to the CSSF and should include:

• A completed registration form.
• An AML/CFT IFM market entry form, submitted via the CSSF's eDesk Portal.

Detailed instructions and forms are accessible on the CSSF website.

3. Cross-Border Management and Marketing:

The FAQ outlines procedures for Luxembourg AIFMs intending to manage or market AIFs across EU Member States, leveraging the European passport under the AIFMD. Key points include:

• Notification requirements for cross-border activities.
• Conditions for marketing to professional and retail investors in other EU countries.
• Compliance with national provisions governing marketing requirements.
• AIFMs must adhere to the notification procedures and provide necessary documentation as specified by the CSSF.

4. Ongoing Obligations and Compliance:

AIFMs are required to maintain compliance with ongoing obligations, including:

• Regular reportingto the CSSF.
• Adherence to governance and organisational requirements.
• Implementation of effective risk management and internal control systems.
• Ensuring transparency and investor protection measures are in place.

The FAQ provides detailed guidance on these obligations to assist AIFMs in maintaining compliance with the regulatory framework.

Version française

Le 20 mai 2025, la CSSF a publié une mise à jour de la FAQ relative à la loi sur les gestionnaires de fonds d'investissement alternatifs (AIFM). 

La version 24, mise à jour le 20 mai 2025, fournit des orientations complètes sur l'application de la loi luxembourgeoise du 12 juillet 2013 relative aux gestionnaires de fonds d'investissement alternatifs (AIFM). Cette version aborde les principaux aspects du cadre réglementaire des gestionnaires, notamment l'agrément, l'enregistrement, les exigences opérationnelles et les activités transfrontalières.

1. Régime d'agrément:

Les entités luxembourgeoises qui se qualifient en tant que gestionnaires de fonds alternatifs doivent obtenir un agrément en vertu du chapitre 2 de la loi de 2013, à moins qu'elles ne remplissent les critères du régime d'enregistrement. La demande d'agrément doit être soumise à la CSSF et doit comprendre :

• un formulaire de demande dûment rempli
• Les documents justificatifs tels que spécifiés dans les lignes directrices pour la demande d'agrément.
• La conformité avec les dispositions de la circulaire CSSF 18/698, qui détaille les exigences d'agrément et d'organisation pour les gestionnaires de fonds d'investissement.

2. Régime d'enregistrement pour les gestionnaires dont les actifs sont inférieurs à certains seuils:

Les entités gérant des actifs inférieurs à certains seuils peuvent opter pour l'enregistrement au lieu de l'agrément complet. Les seuils sont les suivants:

• 100 millions d'euros, y compris les actifs acquis par effet de levier.
• 500 millions d'euros pour les portefeuilles constitués de fonds alternatifs sans effet de levier et sans droit de rachat exerçable dans les cinq ans suivant l'investissement initial.

Les demandes d'enregistrement doivent être soumises à la CSSF et doivent comprendre :

• un formulaire d'enregistrement complété
• Un formulaire d'entrée sur le marché AML/CFT IFM, soumis via le portail eDesk de la CSSF.

3. Gestion et commercialisation transfrontalières:

La FAQ décrit les procédures à suivre par les gestionnaires de fonds alternatifs luxembourgeois qui souhaitent gérer ou commercialiser des fonds alternatifs dans les États membres de l'UE, en s'appuyant sur le passeport européen prévu par la directive sur les fonds alternatifs. Les points clés sont les suivants :

• Les exigences de notification pour les activités transfrontalières.
• Conditions de commercialisation auprès d'investisseurs professionnels et de détail dans d'autres pays de l'UE.
• Conformité avec les dispositions nationales régissant les exigences en matière de commercialisation.
• Les gestionnaires doivent se conformer aux procédures de notification et fournir la documentation nécessaire telle que spécifiée par la CSSF.

4. Obligations permanentes et conformité:

Les gestionnaires sont tenus de se conformer à des obligations permanentes, notamment:

• La communication régulière d'informations à la CSSF.
• Le respect des exigences en matière de gouvernance et d'organisation.
• La mise en œuvre de systèmes efficaces de gestion des risques et de contrôle interne.
• La mise en place de mesures de transparence et de protection des investisseurs.

La FAQ fournit des conseils détaillés sur ces obligations afin d'aider les gestionnaires à se conformer au cadre réglementaire.

BACKGROUND

On 21 May 2025, the CSSF published Circular CSSF 25/891, implementing ESMA guidelines on portfolio management involving crypto-assets under the Markets in Crypto-Assets Regulation (MiCAR). These guidelines focus on investor protection and supervisory consistency across the EU. The circular is part of Luxembourg’s broader strategy to align its regulatory practices with evolving European standards and to promote convergence among national competent authorities.

WHAT'S NEW?

Circular CSSF 25/891 introduces key requirements for portfolio managers offering services involving crypto-assets:

• They must perform thorough suitability assessments of their clients before providing portfolio management services.
• They are required to deliver clear, comprehensive, and transparent periodic statements that include portfolio performance, costs, fees, and any material changes in portfolio composition or investment strategy.
• The CSSF has formally incorporated the ESMA guidelines into its administrative practices and supervisory approach, reinforcing Luxembourg’s alignment with EU-wide regulatory expectations.

This circular aims to improve the transparency and quality of crypto asset management services, while ensuring investors are adequately informed and protected.

WHAT'S NEXT?

Portfolio managers in Luxembourg must now review and, where necessary, adjust their processes to comply with the suitability and reporting obligations set out in Circular CSSF 25/891. Firms should ensure that their client documentation, periodic statements, and internal compliance procedures meet the new standards. The CSSF may monitor implementation as part of its supervisory activities, and further regulatory guidance may follow as MiCAR continues to be phased in across the EU.

Version française

BACKGROUND

Le 21 mai 2025, la CSSF a publié la circulaire CSSF 25/891, mettant en œuvre les lignes directrices de l'AEMF sur la gestion de portefeuille impliquant des crypto-actifs en vertu du règlement sur les marchés des crypto-actifs (MiCAR). Ces lignes directrices mettent l'accent sur la protection des investisseurs et la cohérence de la surveillance à travers l'UE. La circulaire fait partie de la stratégie plus large du Luxembourg visant à aligner ses pratiques réglementaires sur les normes européennes en évolution et à promouvoir la convergence entre les autorités nationales compétentes.

WHAT'S NEW?

La circulaire CSSF 25/891 introduit des exigences clés pour les gestionnaires de portefeuille offrant des services impliquant des crypto-actifs :

• Ils doivent procéder à des évaluations approfondies de l'adéquation de leurs clients avant de fournir des services de gestion de portefeuille.
• Ils sont tenus de fournir des relevés périodiques clairs, complets et transparents qui incluent la performance du portefeuille, les coûts, les frais et tout changement important dans la composition du portefeuille ou la stratégie d'investissement.
• La CSSF a formellement intégré les lignes directrices de l'ESMA dans ses pratiques administratives et son approche prudentielle, renforçant ainsi l'alignement du Luxembourg sur les attentes réglementaires de l'UE.

Cette circulaire vise à améliorer la transparence et la qualité des services de gestion d'actifs cryptographiques, tout en veillant à ce que les investisseurs soient correctement informés et protégés. 

WHAT'S NEXT?

Les gestionnaires de portefeuille au Luxembourg doivent maintenant revoir et, le cas échéant, ajuster leurs processus pour se conformer aux obligations d'adéquation et de déclaration énoncées dans la circulaire CSSF 25/891. Les sociétés doivent s'assurer que leur documentation client, leurs déclarations périodiques et leurs procédures internes de conformité répondent aux nouvelles normes. La CSSF peut contrôler la mise en œuvre dans le cadre de ses activités de surveillance, et d'autres orientations réglementaires pourraient suivre au fur et à mesure de la mise en œuvre progressive du MiCAR dans l'UE.

On 16 April 2025, the CSSF published guide on ESA validation errors and warnings.

New guide has been released  to assist financial entities in complying with DORA.

This publication responds to market demand for clearer information regarding the error and warning messages issued by the ESAs following their validation checks on submitted information registers.

The guide focuses on the most common validation failures encountered by financial institutions. It provides detailed descriptions of these recurring issues and offers practical guidance on how to resolve them effectively. This aims to improve the quality of data submissions and reduce the risk of rejection or delays in reporting.

Based on the latest validation checks as of 28 April 2025, the document is a key resource for ensuring proper compliance with DORA requirements and strengthening operational resilience across the financial sector.

Version française

Le 16 avril 2025, la CSSF a publié un guide sur les erreurs et avertissements de validation des ESA.

Un nouveau guide a été publié pour aider les entités financières à se conformer au règlement DORA.

Cette publication répond à la demande du marché pour une meilleure compréhension des messages d'erreurs et d'avertissements émis par les ESA lors de la validation des registres d'informations soumis.

Le guide se concentre sur les erreurs de validation les plus fréquemment rencontrées par les institutions financières. Il fournit des descriptions détaillées de ces problèmes récurrents et propose des recommandations pratiques pour les résoudre efficacement. L’objectif est d’améliorer la qualité des soumissions de données et de réduire le risque de rejet ou de retard dans les rapports.

Basé sur les contrôles de validation les plus récents au 28 avril 2025, ce document constitue une ressource essentielle pour garantir la conformité avec les exigences DORA et renforcer la résilience opérationnelle du secteur financier.

BACKGROUND

On 28 May 2025, the CSSF published Circular CSSF 25/892, which applies the Joint Guidelines issued by the ESAs on estimating aggregated annual costs and losses caused by major ICT-related incidents. The circular is part of the implementation of Regulation (EU) 2022/2554 on DORA. It targets all financial entities under the CSSF’s supervision and aims to strengthen operational resilience by improving the consistency and accuracy of financial impact reporting related to significant ICT disruptions.

WHAT'S NEW?

Circular CSSF 25/892 introduces the following key requirements:

• Scope and Definitions: Clarifies the definition of a "major ICT-related incident" and provides criteria for determining when an incident must be reported.
• Cost and Loss Categories: Offers detailed guidance on identifying and categorizing types of financial impact, including direct financial losses, operational costs, reputational harm, and potential regulatory fines.
• Estimation Methodologies: Describes how institutions should aggregate costs and losses over the course of a year, factoring in both individual and cumulative effects of incidents.
• Reporting Requirements: Specifies the timelines and formats for submitting aggregated annual cost and loss estimates to the CSSF, ensuring alignment with the ESAs’ joint framework.

The circular is intended to support enhanced supervision and oversight of ICT risk, while promoting transparency and comparability across reporting entities.

WHAT'S NEXT?

Financial institutions must implement internal procedures to identify, track, and estimate the financial impact of major ICT-related incidents, in accordance with the guidance provided. The CSSF is expected to monitor adherence to the circular and may request additional data or clarifications during its supervisory activities. This initiative contributes to broader EU efforts under DORA to ensure that the financial sector remains resilient in the face of evolving digital threats.

Version française

BACKGROUND

Le 28 mai 2025, la CSSF a publié la circulaire CSSF 25/892, qui applique les lignes directrices conjointes émises par les AES sur l'estimation des coûts annuels agrégés et des pertes causées par des incidents majeurs liés aux TIC. Cette circulaire s'inscrit dans le cadre de la mise en œuvre du règlement (UE) 2022/2554 relatif au DORA. Elle s'adresse à toutes les entités financières sous la supervision de la CSSF et vise à renforcer la résilience opérationnelle en améliorant la cohérence et la précision des rapports d'impact financier liés aux perturbations significatives des TIC.

WHAT'S NEW?

La circulaire CSSF 25/892 introduit les exigences clés suivantes :

• Champ d'application et définitions : Clarifie la définition d'un « »incident majeur lié aux TIC« » et fournit des critères pour déterminer quand un incident doit être rapporté.
• Catégories de coûts et de pertes : Offre des conseils détaillés sur l'identification et la catégorisation des types d'impact financier, y compris les pertes financières directes, les coûts opérationnels, l'atteinte à la réputation et les amendes réglementaires potentielles.
• Méthodes d'estimation : Décrit comment les institutions doivent agréger les coûts et les pertes au cours d'une année, en tenant compte des effets individuels et cumulatifs des incidents.
• Exigences en matière de rapports : Précise les délais et les formats de soumission à la CSSF des estimations annuelles agrégées des coûts et des pertes, en veillant à l'alignement sur le cadre commun des AES.

La circulaire vise à renforcer la supervision et la surveillance des risques liés aux TIC, tout en promouvant la transparence et la comparabilité entre les entités déclarantes.

WHAT'S NEXT?

Les institutions financières doivent mettre en œuvre des procédures internes pour identifier, suivre et estimer l'impact financier des incidents majeurs liés aux TIC, conformément aux orientations fournies. La CSSF devrait contrôler le respect de la circulaire et pourrait demander des données supplémentaires ou des clarifications dans le cadre de ses activités de surveillance. Cette initiative s'inscrit dans le cadre des efforts déployés par l'UE au titre du programme DORA pour garantir la résilience du secteur financier face à l'évolution des menaces numériques.

BACKGROUND

On 28 May 2025, the CSSF published Circular CSSF 25/893, establishing the reporting procedures for major ICT-related incidents and significant cyber threats under the Digital Operational Resilience Act (DORA – Regulation (EU) 2022/2554). The circular targets financial entities under CSSF supervision that fall within the scope of DORA, as well as certain PSPs not directly subject to DORA but supervised under the Law of 10 November 2009 on Payment Services (LPS).

WHAT'S NEW?

Circular CSSF 25/893 introduces the following key provisions:

• Scope Extension to PSPs: PSPs not covered by DORA are now required to report ICT-related incidents in line with DORA obligations, not limited to payment-related incidents. This aims to harmonize reporting obligations and prevent duplication across frameworks.
• Unified Classification and Reporting: All DORA entities and relevant PSPs must follow a consistent approach for classifying and reporting ICT incidents and significant cyber threats to the CSSF.
• Six-Month Transition Period: Non-DORA PSPs are granted a six-month adaptation phase to implement the necessary processes and tools for compliance.
• Interaction with Circular CSSF 24/847: Until NIS 2 is transposed at national level, Circular CSSF 24/847 continues to apply to entities outside DORA’s scope and to PSPs during the transition. Once Circular 25/893 becomes applicable, reporting under Circular 24/847 is no longer required for the covered entities.

The circular promotes a coordinated and consistent ICT incident reporting framework, strengthening the ability of the CSSF to monitor and respond to cyber threats across the financial ecosystem.

WHAT'S NEXT?

DORA entities and affected PSPs must prepare for the full application of Circular CSSF 25/893 by reviewing and adapting their internal processes, incident classification methodologies, and reporting tools. The CSSF is expected to provide further technical guidance and may assess compliance during supervisory reviews. Entities currently relying on Circular 24/847 must ensure a smooth transition before the national implementation of the NIS 2 Directive.

Version française

BACKGROUND

Le 28 mai 2025, la CSSF a publié la circulaire CSSF 25/893, établissant les procédures de notification des incidents majeurs liés aux TIC et des cybermenaces significatives en vertu de la loi sur la résilience opérationnelle numérique (DORA - Règlement (UE) 2022/2554). La circulaire vise les entités financières sous surveillance de la CSSF qui tombent dans le champ d'application de la DORA, ainsi que certains PSP qui ne sont pas directement soumis à la DORA mais qui sont surveillés en vertu de la loi du 10 novembre 2009 relative aux services de paiement (LPS).

WHAT'S NEW?

 La circulaire CSSF 25/893 introduit les dispositions clés suivantes :

• Extension du champ d'application aux PSP : Les PSP qui ne sont pas couverts par DORA sont désormais tenus de signaler les incidents liés aux TIC conformément aux obligations de DORA, sans se limiter aux incidents liés aux paiements. L'objectif est d'harmoniser les obligations de déclaration et d'éviter les doubles emplois entre les différents cadres.
• Classification et rapport unifiés : Toutes les entités DORA et les PSP concernés doivent suivre une approche cohérente pour classer et rapporter à la CSSF les incidents liés aux TIC et les cyber-menaces significatives.
• Période de transition de six mois : Les PSP non DORA bénéficient d'une phase d'adaptation de six mois pour mettre en place les processus et outils nécessaires à leur mise en conformité.
• Interaction avec la circulaire CSSF 24/847 : Jusqu'à ce que la NIS 2 soit transposée au niveau national, la circulaire CSSF 24/847 continue à s'appliquer aux entités hors du champ d'application de DORA et aux PSP pendant la période de transition. Une fois que la circulaire 25/893 sera d'application, le reporting au titre de la circulaire 24/847 ne sera plus requis pour les entités couvertes.

La circulaire promeut un cadre coordonné et cohérent de reporting des incidents ICT, renforçant la capacité de la CSSF à surveiller et à répondre aux cyber-menaces dans l'ensemble de l'écosystème financier. 

WHAT'S NEXT?

Les entités DORA et les PSP concernés doivent se préparer à la pleine application de la circulaire CSSF 25/893 en révisant et en adaptant leurs processus internes, leurs méthodes de classification des incidents et leurs outils de reporting. La CSSF devrait fournir des orientations techniques supplémentaires et pourrait évaluer la conformité lors des contrôles de surveillance. Les entités qui s'appuient actuellement sur la circulaire 24/847 doivent assurer une transition en douceur avant la mise en œuvre nationale de la directive NIS 2.

On 21 May 2025, the CSSF updated its FAQ on Market Entry Form. The CSSF's FAQ (Version 8) provides comprehensive guidance on completing the AML/CFT Market Entry Form via the eDesk portal. This form is required for all investment funds and investment fund managers (IFMs) at the time of market entry or onboarding in Luxembourg.

The purpose of the Form: The Market Entry Form collects key information on how new funds and IFMs intend to comply with Luxembourg’s anti-money laundering and counter-terrorist financing (AML/CFT) framework.

Scope: The FAQ clarifies that the form applies to a wide range of entities, including UCITS, AIFs, and authorised or registered IFMs, whether established in Luxembourg or entering from another jurisdiction.

Filing Instructions: It outlines how to navigate the eDesk system, including the roles and responsibilities of users, how to submit the form, and how to amend or correct previous submissions.

Content Requirements: The FAQ explains what is expected in sections such as:

• Identification of the RC (responsable du contrôle) and RR (responsable du respect)
• Description of the AML/CFT governance and procedures
• Delegation arrangements (if applicable)
• Use of technology in AML/CFT controls
• Common Issues: The CSSF addresses frequent mistakes or omissions, such as incomplete information, outdated documentation, or misuse of delegation functionalities in eDesk.

Updates in Version 8: This latest version incorporates clarifications on:

• Filing obligations for sub-funds
• Cross-border scenarios
• Enhanced expectations for due diligence and internal controls

Version française

Le 21 mai 2025, la CSSF a mis à jour sa FAQ sur le formulaire d'entrée sur le marché. La FAQ de la CSSF (version 8) fournit des conseils détaillés sur la manière de remplir le formulaire d'entrée sur le marché AML/CFT via le portail eDesk. Ce formulaire est requis pour tous les fonds d'investissement et gestionnaires de fonds d'investissement (GFI) au moment de l'entrée sur le marché luxembourgeois.

L'objectif du formulaire : Le formulaire d'entrée sur le marché recueille des informations clés sur la manière dont les nouveaux fonds et gestionnaires de fonds d'investissement ont l'intention de se conformer au cadre luxembourgeois de lutte contre le blanchiment de capitaux et le financement du terrorisme (LBC/FT).

Champ d'application : La FAQ précise que le formulaire s'applique à un large éventail d'entités, y compris les OPCVM, les fonds alternatifs et les gestionnaires de fonds agréés ou enregistrés, qu'ils soient établis au Luxembourg ou qu'ils entrent sur le marché à partir d'une autre juridiction.

Instructions de dépôt : Elles expliquent comment naviguer dans le système eDesk, y compris les rôles et responsabilités des utilisateurs, comment soumettre le formulaire et comment modifier ou corriger les soumissions précédentes.

Exigences en matière de contenu : La FAQ explique ce qui est attendu dans des sections telles que :

• l'identification du RC (responsable du contrôle) et du RR (responsable du respect)
• Description de la gouvernance et des procédures en matière de LBC/FT
• Dispositions en matière de délégation (le cas échéant)
• l'utilisation de la technologie dans les contrôles LAB/CFT.
• Questions communes : La CSSF traite des erreurs ou omissions fréquentes, telles que des informations incomplètes, une documentation obsolète ou une mauvaise utilisation des fonctionnalités de délégation dans eDesk.

Mises à jour de la version 8 : Cette dernière version apporte des clarifications sur :

• les obligations de dépôt pour les compartiments
• les scénarios transfrontaliers
• les attentes accrues en matière de diligence raisonnable et de contrôles internes

On 20 May 2025, CSSF published update on the FAQ on KIID ( Key Investor Information Document)

The update provides essential guidance for UCITS and AIFMs in Luxembourg regarding the preparation, submission, and compliance of KIIDs.

Key Updates in Version 5:

• Deletion of Question 5: The FAQ has removed Question 5, which previously addressed whether the final version of a KIID requires formal CSSF approval (visa stamping) before the fund is allowed to use it.
• Updated Procedures for Filing KIIDs: The FAQ outlines the procedures for filing the final version of a KIID with the CSSF, referencing Circular CSSF 23/833. It emphasizes the use of the eDesk portal for submissions and provides detailed instructions on the submission process.
• Responsibility for KIID Content: The FAQ reiterates that investment companies and management companies are responsible for the content of the KIIDs they make available, as per Article 159 of the 2010 Law. The CSSF is competent for controlling compliance with the KIID rules at any time and has the power to require the withdrawal of any KIID that does not comply with the legal provisions in force.
• Language Requirements: For UCITS established in Luxembourg or marketing their units/shares in Luxembourg, the CSSF requires the KIID to be drafted in Luxembourgish, French, German, or English. However, the FAQ specifies that the CSSF does not require the translated versions of a KIID used in another EU host Member State, except in the notification process.
• Website Requirements for KIID Availability: The FAQ clarifies that the KIID must be made available on the website of the UCITS or its management company. It also mentions that other websites may be acceptable, provided they meet certain criteria.

Version française

Le 20 mai 2025, la CSSF a publié une mise à jour de la FAQ sur le Document d’Informations Clés (KIID).

Cette version fournit des orientations pour les UCITS et AIFM luxembourgeois sur la préparation, la soumission et la conformité des KIID.

Éléments clés de la version 5 :

• Suppression de la question 5 : cette question portait sur la nécessité d’un visa CSSF avant utilisation du KIID final.
• Procédures de dépôt mises à jour : référence à la circulaire CSSF 23/833 et obligation de soumettre via eDesk.
• Responsabilité du contenu : rappel que les sociétés de gestion sont responsables du contenu des KIID, conformément à l’article 159 de la loi de 2010.
• Exigences linguistiques : le KIID doit être rédigé en luxembourgeois, français, allemand ou anglais pour les UCITS établis ou commercialisés au Luxembourg.
• Disponibilité sur site web : le KIID doit être mis à disposition sur le site internet de l’OPC ou de sa société de gestion, ou sur un autre site respectant certains critères.

On 20 May 2025, CSSF published guidance on communication procedures between UCI Departments and UCI Directors.

The CSSF has announced a change in how it communicates with UCI Directors (covering UCITS, Part II UCIs, SIFs, SICARs, and ELTIFs) regarding specific communications such as surveys, data collection, and event invitations. From now on, emails from the UCI Departments will only be sent to the eDesk users designated as “Board Member”.

For AML/CFT-related matters, the “Board Member” may be contacted alongside the “AML/CFT responsible officer”, a role reserved for the RR and RC (and their backups) with appropriate eDesk rights.

For other communication types, such as those relating to the UCI file, the current process remains unchanged, and the designated contact person will continue to be contacted directly.

The CSSF emphasizes that UCI Directors are responsible for keeping email addresses of eDesk users up to date to ensure proper receipt of CSSF communications.

Version française

Le 20 mai 2025, la CSSF a publié des lignes directrices sur les procédures de communication entre les départements OPC et les administrateurs d’OPC.

Désormais, les communications (enquêtes, collectes de données, invitations à des événements) seront envoyées uniquement aux utilisateurs eDesk désignés comme « Board Member ».

Pour les sujets LBC/FT, le « Board Member » pourra être contacté avec le « responsable LBC/FT » (RR ou RC).

Pour les autres sujets (dossier OPC, etc.), le processus actuel reste inchangé.

La CSSF rappelle aux administrateurs d’OPC qu’ils doivent maintenir à jour les adresses e-mail des utilisateurs eDesk pour garantir la bonne réception des communications.

On 21 May 2025, CSSF published a communication related to the update on Key Information Document (KID) delegation management functionality.

Starting from 26 June 2025, the CSSF will implement a new delegation management system for the submission of Key Information Documents (KIDs). This update allows a declarant to delegate fund management responsibilities to a legal entity sender (instead of an individual). The designated sender can then submit KIDs on behalf of the declarant either via the eDesk platform (using a list of sender-defined users) or through an API solution (S3 protocol) for automation.

Previous delegations will be deactivated on this date but will remain visible for one month to ease the transition. The updated user guide includes detailed information on the new process.

Version française

Le 21 mai 2025, la CSSF a publié une communication relative à la mise à jour de la fonctionnalité de gestion des délégations pour les documents d'informations clés (KID).

A partir du 26 juin 2025, la CSSF mettra en place un nouveau système de gestion des délégations pour la soumission des documents d'informations clés (KID). Cette mise à jour permet à un déclarant de déléguer ses responsabilités en matière de gestion de fonds à une personne morale expéditrice (au lieu d'une personne physique). L'expéditeur désigné peut alors soumettre des KIDs au nom du déclarant soit via la plateforme eDesk (en utilisant une liste d'utilisateurs définis par l'expéditeur), soit via une solution API (protocole S3) pour l'automatisation.

Les délégations précédentes seront désactivées à cette date mais resteront visibles pendant un mois pour faciliter la transition. Le guide de l'utilisateur mis à jour contient des informations détaillées sur le nouveau processus.

BACKGROUND

On 28 May 2025, the CSSF published a communication announcing the release of two new circulars—CSSF 25/892 and CSSF 25/893—updating the ICT-related incident classification and reporting framework in the context of the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554). These circulars form part of Luxembourg's implementation of DORA and aim to streamline the management, classification, and reporting of ICT-related incidents across financial entities.

WHAT'S NEW?

The two circulars introduce the following key changes:

Circular CSSF 25/893:

• Defines practical rules for DORA entities (financial institutions and other supervised entities falling under DORA’s scope) on reporting major ICT-related incidents and significant cyber threats to the CSSF.
• Extends the reporting obligations to Payment Service Providers (PSPs) supervised under the Law of 10 November 2009 on Payment Services—even if they are not directly subject to DORA. These PSPs must adopt the same incident classification and reporting framework as DORA entities.
• A six-month transition period is granted to non-DORA PSPs for compliance.

Circular CSSF 25/892:

• Implements the Joint ESA Guidelines for estimating aggregated annual costs and losses from major ICT incidents.
• Applies to all DORA entities except microenterprises.Establishes a harmonized methodology to quantify financial losses, covering categories such as direct costs, operational disruptions, reputational damage, and regulatory sanctions.

Circular CSSF 24/847:

• Remains applicable for entities outside the scope of DORA and for PSPs during their transition period.
• Will cease to apply to DORA entities and the relevant PSPs once they are fully aligned with Circulars 25/892 and 25/893.

WHAT'S NEXT?

DORA entities and affected PSPs must adapt their internal governance, risk assessment, and reporting processes to comply with the new requirements under Circulars CSSF 25/892 and 25/893. The CSSF may issue further guidance to support implementation and expects full compliance once the transition period concludes. Entities not covered by DORA should continue applying Circular 24/847 until the national transposition of the NIS 2 Directive, after which additional updates may be issued.

Version française

BACKGROUND

Le 28 mai 2025, la CSSF a publié une communication annonçant la publication de deux nouvelles circulaires - CSSF 25/892 et CSSF 25/893 - mettant à jour le cadre de classification et de déclaration des incidents liés aux TIC dans le contexte de la loi sur la résilience opérationnelle numérique (DORA, règlement (UE) 2022/2554). Ces circulaires font partie de la mise en œuvre de DORA par le Luxembourg et visent à rationaliser la gestion, la classification et le rapport des incidents liés aux TIC dans les entités financières.

WHAT'S NEW?

Les deux circulaires introduisent les changements clés suivants :

Circulaire CSSF 25/893 :

• Définit les règles pratiques pour les entités DORA (institutions financières et autres entités supervisées relevant du champ d'application de DORA) en matière de notification à la CSSF des incidents majeurs liés aux TIC et des cyber-menaces importantes.
• Etend les obligations de reporting aux prestataires de services de paiement (PSP) supervisés en vertu de la loi du 10 novembre 2009 relative aux services de paiement, même s'ils ne sont pas directement soumis à la loi DORA. Ces prestataires de services de paiement doivent adopter le même cadre de classification des incidents et de déclaration que les entités DORA.
• Une période de transition de six mois est accordée aux PSP non soumis à DORA pour se mettre en conformité.

Circulaire CSSF 25/892 :

• Met en œuvre les lignes directrices conjointes de l'AES pour l'estimation des coûts et pertes annuels agrégés résultant d'incidents majeurs liés aux technologies de l'information et de la communication.
• S'applique à toutes les entités DORA, à l'exception des microentreprises.
• Etablit une méthodologie harmonisée pour quantifier les pertes financières, couvrant des catégories telles que les coûts directs, les perturbations opérationnelles, les atteintes à la réputation et les sanctions réglementaires.

Circulaire CSSF 24/847 :

• Reste applicable aux entités hors du champ d'application DORA et aux PSP pendant leur période de transition.
• Elle cessera de s'appliquer aux entités DORA et aux PSP concernés une fois qu'ils seront entièrement alignés sur les circulaires 25/892 et 25/893 

WHAT'S NEXT?

Les entités DORA et les PSP concernés doivent adapter leurs processus de gouvernance interne, d'évaluation des risques et de reporting pour se conformer aux nouvelles exigences des circulaires CSSF 25/892 et 25/893. La CSSF peut publier des orientations supplémentaires pour soutenir la mise en œuvre et s'attend à une conformité totale une fois la période de transition terminée. Les entités non couvertes par DORA devraient continuer à appliquer la circulaire 24/847 jusqu'à la transposition nationale de la directive NIS 2, après quoi des mises à jour supplémentaires pourraient être publiées.

On 14 May 2025,  NVB published communication on Banks’ support for new Government anti-money laundering approach.

The Dutch Banking Association (NVB) supports the government’s new approach to combat money laundering, which aims to reduce the burden on legitimate businesses and citizens while focusing more on high-risk cases. The approach aligns with proposals made by the NVB in the NextGen Gatekeeper plan, which emphasizes risk-based measures to protect well-intentioned customers while tackling serious money laundering risks.

Key points include:

• Banks will concentrate more on major money laundering risks, with sufficient guidance from regulators to allow flexibility for lower-risk cases.
• Improved cooperation with investigative agencies like the FIU, police, and Public Prosecution Service to better target high-risk transactions.
• Integration with the Personal Records Database to reduce the need for banks to request excessive customer data.
• The UBO register will be improved for better reliability, reducing customer burdens.
• Later in the year, the NVB will propose ways to ensure that legitimate businesses can more easily access bank accounts.

The NVB expresses a commitment to collaborate closely with regulators and authorities to create a more effective anti-money laundering system while easing burdens on legitimate parties.

On 20 May 2025, Overheid publishes a notice on implementation of amendments to Directives 2013/36/EU and (EU) 2019/1937

The Dutch Minister of Finance has formally communicated that the Netherlands has completed the national implementation of Regulation (EU) 2023/1114 on crypto-asset markets (MiCA) as well as the associated amendments to Directive 2013/36/EU (Capital Requirements Directive IV) and Directive (EU) 2019/1937 (Whistleblower Protection Directive).

The minister confirms via an official communication and accompanying correlation table that:

• The amended EU directives entered into Dutch law and became applicable on 30 December 2024.
• Existing Dutch laws already cover the required provisions (mainly the Financial Supervision Act for CRD and the Whistleblower Protection Act), meaning no additional new national measures were needed.
• This communication fulfills the legal obligation to notify the European Commission under Article 148 of MiCA.

In practice, this means Dutch financial institutions, crypto-asset providers, and whistleblowing functions are now fully subject to the EU rules as transposed, and compliance with MiCA and the updated directives is mandatory.

On 13 May 2025, the CNMV adopted five development guidelines of the MiCA regulation.

The CNMV has notified ESMA of its adoption of five MiCA Regulation development guidelines, which it will supervise in Spain. 

The first guideline covers suitability assessments and account statements in crypto portfolio management. It mirrors MiFID II but adapts to crypto-specific factors, such as omitting sustainability preferences, requiring updates at least every two years, and detailing client knowledge expectations and staff qualifications. It also outlines standardized formats for periodic account reporting.

The second guideline, based on MiCA Article 82, requires crypto-asset service providers to maintain clear policies on asset transfers. These include informing clients of service terms, transfer execution procedures, timeframes, and liabilities for unauthorized or incorrect transfers.

The third guideline offers tools (e.g. templates, flowcharts) for crypto-asset classification, helping offerors determine whether their instruments fall under MiCA and, if so, classify them as asset-referenced tokens, electronic money tokens, or other crypto-assets.

The fourth guideline targets circumvention of the reverse solicitation exemption, defining when non-EU firms are seen as acquiring EU clients and setting practices to detect such cases.

The fifth guideline establishes security standards for systems and access protocols for entities offering or listing crypto-assets, ensuring robust and secure digital infrastructure across the EU.

On 27 May 2025, BOE published the Multilateral Agreement between Competent Authorities on Automatic Exchange of Information under the Crypto-Asset Reporting Framework. Although Spain signed this agreement on November 21, 2024, and it entered into force for the country on November 26, 2024, the recent publication marks its formal domestic acknowledgment and dissemination. 

Technical Implementation Tools Released: The OECD has developed and released the CARF Status Message XML Schema. This technical tool is designed to support the transmission of information between tax authorities, allowing them to report and rectify errors in a structured manner. 

Timeline for Implementation: Jurisdictions are preparing their legislative, operational, and IT frameworks to facilitate the first exchanges under the CARF, scheduled for September 2027. 

Implications:

For Crypto-Asset Service Providers: Entities operating within jurisdictions that have signed the MCAA under the CARF should prepare for enhanced reporting obligations. This includes establishing systems to collect, verify, and report relevant transaction data in compliance with the new framework.

news.bloombergtax.com

For Tax Authorities: The publication and technical tool releases signify a move towards greater international cooperation in tax matters related to crypto-assets. Authorities should ensure they have the necessary infrastructure and legal provisions in place to participate effectively in the automatic exchange of information.

On 29 May 2025, Spain’s Ministry of Finance issued a Ministerial Order establishing reporting obligations for the new Tax on the Income from Interest and Fees of Certain Financial Institutions. This tax was introduced by Law 7/2024 of 20 December, transforming a previously temporary levy into a structured, time-limited direct tax applicable to the first three tax years beginning on or after 1 January 2024.

Applicable to Spanish credit institutions, branches of foreign credit institutions, and financial credit establishments, the tax targets income from interest and commissions generated in Spain. Taxpayers must file a self-assessment (Form 780) and make an advance instalment payment (Form 781), both of which are electronic-only and subject to deadlines and procedures defined in Law 7/2024 and this Order.

Key details include:

• Form 780 (Self-assessment): Obligatory unless the taxable base is negative. Filing must follow the schedule in section fifteen of Law 7/2024's final provision.
• Form 781 (Instalment payment): Requires a payment of 40% of the expected tax. Filing deadlines follow section fourteen, with a special 2025 filing window (1–17 June) for periods ending 31 December 2024 if direct debit is used.

Annexes I and II of the Order detail the formats of Forms 780 and 781. The Order also:

• Amends existing rules (Orders EHA/2027/2007, EHA/1658/2009, and HAP/2194/2013) to accommodate the new forms,
• Specifies electronic-only submission and payment via the State Tax Administration Agency's online services,
• Takes effect the day after publication and applies to returns beginning in the 2025 tax year.

On 8 May 2025 Federal Data Protection and Information Commissioner published  Update - Current data protection legislation is directly applicable to AI.

The Swiss Federal Data Protection and Information Commissioner (FDPIC) has clarified that the Federal Data Protection Act (FADP), in force since 1 September 2023, applies directly to AI-supported data processing. This means manufacturers, providers, and users of AI systems in Switzerland — including those in financial services — must ensure compliance with data protection requirements, regardless of upcoming specific AI laws.

Key obligations under the FADP include:

• Ensuring transparency about the purpose, functionality, and data sources of AI systems.
• Informing users if they are interacting with a machine.
• Disclosing whether user data is used for training AI models.
• Conducting data protection impact assessments for high-risk applications.
• Avoiding unlawful AI uses like real-time facial recognition or social scoring.

This follows Switzerland’s March 2025 signing of the Council of Europe Convention on AI and Human Rights, with planned legal adjustments to align with it. The Swiss AI approach aims to balance innovation, fundamental rights, and public trust

Version française

Le 8 mai 2025, le Préposé fédéral à la protection des données et à la transparence (PFPDT) a publié une mise à jour : la législation actuelle sur la protection des données est directement applicable à l’intelligence artificielle (IA).

Le PFPDT a précisé que la Loi fédérale sur la protection des données (LPD), en vigueur depuis le 1er septembre 2023, s’applique directement aux traitements de données impliquant l’IA. Cela signifie que les fabricants, fournisseurs et utilisateurs de systèmes d’IA en Suisse – y compris dans les services financiers – doivent respecter les obligations de la LPD, indépendamment de futures lois spécifiques sur l’IA.

Obligations principales :

• Transparence sur les finalités, le fonctionnement et les sources de données des systèmes d’IA.
• Information des utilisateurs lorsqu’ils interagissent avec une machine.
• Indication de l’utilisation des données des utilisateurs pour entraîner les modèles d’IA.
• Évaluation d’impact sur la protection des données pour les cas à haut risque.
• Interdiction d’usages illicites comme la reconnaissance faciale en temps réel ou le scoring social.

Cette clarification fait suite à la signature par la Suisse en mars 2025 de la Convention du Conseil de l’Europe sur l’IA et les droits humains. Des ajustements législatifs sont prévus pour s’y conformer. La Suisse cherche un équilibre entre innovation, droits fondamentaux et confiance du public.

BACKGROUND

On 28 May 2025, the Swiss Financial Market Supervisory Authority (FINMA) published the 2025 census on asset management data. This initiative applies to all licensed financial service providers operating in Switzerland, including banks, insurance companies, securities firms, fund managers, and asset managers. The census forms part of FINMA’s efforts to enhance its understanding of the asset management industry’s structure, business models, and risk exposure.

WHAT'S NEW?

The data collection focuses on statistical information across various types of asset management and advisory services. The required data includes:

• Collective investment schemes (Swiss and foreign) under asset or portfolio management
• Collective investment schemes (Swiss and foreign) under advisory mandates
• Individual asset management for both Swiss and foreign clients
• Advisory mandates for Swiss and foreign clients
• Execution-only services for Swiss and foreign clients
• Services related to structured products
• Asset management and advisory services for pension fund assets (in line with Article 34 para. 2 let. a of the OEFin)

Only the assets directly managed, advised, or sub-delegated by the reporting institution are to be included—group-level consolidated data is excluded.

Institutions not active in any of the listed areas may validate the census with minimal input.

The census must be submitted by 30 June 2025 via FINMA’s EHP platform.

WHAT'S NEXT?

Financial institutions must gather the relevant data and ensure timely submission through the EHP platform. Those not involved in any covered activities should still complete the census by confirming their status. FINMA will use the collected data to refine its supervision strategies, assess market trends, and evaluate risk exposures within the Swiss asset management sector. Further reporting obligations or sector analyses may follow based on the findings.

Version française

BACKGROUND

Le 28 mai 2025, l'Autorité fédérale de surveillance des marchés financiers (FINMA) a publié le recensement 2025 des données relatives à la gestion de fortune. Cette initiative s'applique à tous les prestataires de services financiers autorisés opérant en Suisse, y compris les banques, les compagnies d'assurance, les maisons de titres, les directions de fonds et les gestionnaires de fortune. Le recensement fait partie des efforts de la FINMA pour améliorer sa compréhension de la structure, des modèles d'affaires et de l'exposition aux risques du secteur de la gestion de fortune.

WHAT'S NEW?

La collecte de données se concentre sur les informations statistiques relatives à divers types de services de gestion d'actifs et de conseil. Les données requises comprennent

• les placements collectifs de capitaux (suisses et étrangers) sous gestion de fortune ou de portefeuille
• les placements collectifs de capitaux (suisses et étrangers) faisant l'objet d'un mandat de conseil
• Gestion de fortune individuelle pour des clients suisses et étrangers
• Mandats de conseil pour les clients suisses et étrangers
• Services d'exécution seule pour les clients suisses et étrangers
• Services liés aux produits structurés
• Gestion de fortune et conseil en matière de fonds de pension (selon l'art. 34 al. 2 let. a de l'OEFin)

Seuls les actifs directement gérés, conseillés ou sous-délégués par l'institution déclarante doivent être inclus - les données consolidées au niveau du groupe sont exclues.

Les institutions qui ne sont pas actives dans l'un des domaines énumérés peuvent valider le recensement avec un minimum de données.

Le recensement doit être remis d'ici au 30 juin 2025 via la plateforme EHP de la FINMA.

WHAT'S NEXT?

Les établissements financiers doivent collecter les données pertinentes et veiller à les transmettre dans les délais via la plateforme EHP. Les personnes qui ne sont pas impliquées dans des activités couvertes doivent tout de même compléter le recensement en confirmant leur statut. La FINMA utilisera les données collectées pour affiner ses stratégies de surveillance, évaluer les tendances du marché et l'exposition aux risques dans le secteur suisse de la gestion de fortune. D'autres obligations de déclarer ou analyses sectorielles pourront suivre sur la base des résultats obtenus.

On the 2 May 2025, the FCA published consultation on DP25/1, Regulating cryptoasset activities.

Clear crypto regulation will boost confidence in the sector, supporting growth. In this latest discussion paper, the FCA is seeking views on intermediaries, staking, lending and borrowing, and decentralised finance.  

With more people using credit to purchase crypto, the DP also considers whether restrictions should be applied in that area. 

Crypto is a growing industry. Currently largely unregulated, FCA want to create a crypto regime that gives firms the clarity they need to safely innovate, while delivering appropriate levels of market integrity and consumer protection. FCA aims to drive sustainable, long-term growth of crypto in the UK. FCA is asking whether they have got the balance right. 

This is the latest policy publication in the FCA’s Crypto Roadmap which provides a clear timeline for consulting on future crypto regulation. Other areas in the roadmap include market abuse and admissions and disclosures, stablecoins and custody, and prudential considerations.  

This discussion paper follows the publication of draft legislation by the Treasury that, once passed, will bring specific crypto asset activities within the FCA’s regulation. The DP reflects insights gained from a series of FCA-led industry roundtables. 

It comes shortly after the publication of its new 5-year strategy. From 2025-2030, the FCA will prioritise smarter regulation, supporting sustained economic growth, helping consumers navigate their financial lives, and fighting financial crime. 

Consultation ends on 13 June 2025.

On 9 May 2025, the FCA published PS25/4: Investment research payment optionality for fund managers.

These new rules help UK markets to be more efficient to support growth. High-quality, easily accessible investment research is crucial for fund managers to make informed investment decisions for the benefit of investors.

As a pro-growth regulator, FCA aims to improve competition in the market, especially for smaller fund managers, and make it easier for firms to buy research across borders where bundled payments are standard practice.

The final rules will:

• Promote effective competition in the interests of investors.
• Secure an appropriate degree of consumer protection.
• Enhance the competitiveness of UK fund managers.

FCAs final rules will affect:

• UK undertakings for collective investment in transferable securities management companies.
• Full-scope UK alternative investment fund managers.
• Small authorised UK AIFMs and residual collective investment scheme operators.

The rules might also be of interest to:

• Depositaries of authorised funds or alternative investment funds.
• Investment platforms.
• Financial advisers.
• Investment consultants.
• Investors in authorised funds or alternative investment funds.

FCA have implemented rules allowing fund managers to pay for research with a joint payment option. Firms that decide to take up the joint payment option should familiarise themselves with FCA final rules on joint payments in COBS 18 Annex 1 and relevant rules in COLL for authorised funds.

In 2023, the UK Investment Research Review recommended several measures to improve the investment research market.

To take forward the recommendation, we introduced a joint payment option for MiFID firms, including those managing segregated investments.  

CP24/21 proposed changes to the existing rules, allowing fund managers to pay for investment research using a joint payment option for research and execution services, subject to a set of guardrails. This joint payment option for fund managers is based on the rules introduced for MiFID investment firms.

On the 29 May 2025, the FRC published consultation on introduction of International Standard on Sustainability Assurance (UK) 5000.

The Financial Reporting Council has issued a consultation on a proposed UK version of the International Standard on Sustainability Assurance (ISSA) 5000.

The consultation proposes ISSA (UK) 5000 for use on a voluntary basis by assurance providers. The FRC proposes alignment with the international standard in order to minimise burdens for firms carrying out assurance engagements across multiple jurisdictions. The profession-agnostic Standard supports application by both professional accountants and other assurance practitioners, provided they meet the relevant quality management and ethical requirements.

During its recent study of the UK sustainability assurance market, stakeholders expressed support for an assurance framework that provides a clear and internationally consistent approach to sustainability assurance.

The consultation ends on 31 July 2025.

On 15 May 2025,the UK published The Financial Services and Markets Act 2023 (Private Intermittent Securities and Capital Exchange System Sandbox) Regulations 2025.

These Regulations establish a dedicated Financial Market Infrastructure sandbox, known as the Private Intermittent Securities and Capital Exchange System, under the Financial Services and Markets Act 2023. The PISCES sandbox permits testing of a new multilateral trading system for shares. A PISCES is defined as a system for intermittent trading periods that matches multiple buying and selling interests under non-discretionary rules, allowing companies to set when, by whom, and under what price restrictions their shares may be traded, and who may access trading information.

Eligible PISCES operators include UK established recognised investment exchanges and persons with Part 4A permissions to arrange deals or operate multilateral and organised trading facilities. Other participants encompass eligible companies limited by shares or overseas equivalents, holders and prospective purchasers of PISCES shares, specified PISCES investors, such as professional clients, high net worth individuals, self-certified sophisticated investors, and qualifying individuals connected to the issuer’s group, financial intermediaries, and service providers involved in trading or related services. Financial intermediaries must verify client eligibility before placing buy orders, and both intermediaries and operators are barred from placing orders that cause a company to trade in its own shares.

Prospective operators apply to the Financial Conduct Authority with details of their operational model, trading frequency, duration of intermittent periods, proposed restrictions, issuer requirements, disclosure arrangements, abuse prevention measures and a risk assessment. The FCA may approve applications, impose conditions or reject them, issue PISCES approval notices, and subsequently modify, suspend or cancel PANs if operators breach conditions or for sandbox implementation purposes. Operators must publish their PAN or approval scope and conditions. A bespoke liability regime applies to companies making “PISCES statements” through FCA, mandated disclosure arrangements may face compensation claims for misleading statements, subject to exemptions for reasonable belief, correction efforts, expert and forward-looking statements, and official communications.

The FCA is empowered to make and waive rules or modify technical standards to support sandbox operation, publish rules and directions on its website, and supervise or direct PISCES operators with information and engagement requirements. The Treasury may instruct the FCA to impose qualitative or quantitative restrictions on PISCES operators. Amendments are made to existing legislation, including FSMA 2000, the Financial Promotion Order, the Companies Act 2006 and relevant EU derived regulations to accommodate PISCES, and the regime will lapse on 5 June 2030, with a report due by 5 June 2029 on the sandbox’s operation.

It enters into force on 5 June 2025.

On 13 May 2025, the UK published The Financial Services and Markets Act 2023 (Commencement No. 9) Regulations 2025.

The Treasury has issued these regulations under powers granted by section 86(3) and (4) of the Financial Services and Markets Act 2023. The aim is to commence the repeal and revocation of specific EU derived financial legislation and provisions from earlier UK financial laws.

The following provisions of the 2023 Act that enter into effect on the 14 May 2025:

1. Revocation of assimilated law, but only in relation to the specific provisions listed below.

2. Revokes of the Commission Delegated Regulation (EU) 2017/583: This regulation supplemented MiFIR by setting transparency requirements for trading venues and investment firms dealing with:

• Bonds
• Structured finance products
• Emission allowances
• Derivatives

3.Repeals certain provisions from the Financial Services and Markets Act 2000

4.Revokes of the Financial Services and Markets Act 2000 (Regulated Activities) (Amendment) (No. 2) Order 2003.

Further provisions of the 2023 Act that will enter into force on the 31 July 2025.

Revokes the Capital Requirements (Capital Buffers and Macro-prudential Measures) Regulations 2014, which relate to the EU’s Capital Requirements Directive IV regime on additional capital buffers for financial institutions.

On 22 May 2025, the ISDA published ISDA SIMM methodology, version 2.7+2412.

This version of the ISDA SIMM has updates that are based only on the full recalibration of the model and marks the first ISDA SIMM version publication of the new semiannual calibration cycle in 2025.

The effective date is 12 July 2025.

The ISDA SIMM methodology remains a central part of the SIMM Governance Framework that ISDA SIMM users are expected to adhere to.

The effective date of July 12, 2025 means that ISDA SIMM users should use SIMM version 2.7+2412 to calculate the initial margin for Close of Business (COB) on Friday July 11, 2025 onwards. This means that the first day for exchange of initial margin calculated using SIMM version 2.7+2412 would be on Monday July 14, 2025.

On 7 May 2025, the ISDA announced extension of DRR to cover MIFID/MIFIR Reporting.

ISDA has announced it will extend the ISDA Digital Regulatory Reporting (ISDA DRR) solution to cover reporting requirements under the EU and UK Markets in Financial Instruments Directive (MIFID) and Markets in Financial Instruments Regulation (MIFIR), and is working with The Depository Trust & Clearing Corporation (DTCC) to integrate the ISDA DRR into DTCC’s Global Trade Repository (GTR) MIFID/MIFIR Approved Reporting Mechanism (ARM).

DTCC recently announced it would launch an ARM within its GTR service to support transaction reporting requirements under MIFID/MIFIR in the EU and UK, subject to regulatory approval. The collaboration between ISDA and DTCC aims to streamline transaction reporting processes, with a focus on improving accuracy and acceptance rates. Revised transaction reporting requirements under the MIFID/MIFIR Review are anticipated to be implemented in the EU and the UK over the course of 2027. DTCC plans to allow firms to submit transaction reports under current UK MIFID/MIFIR rules from the first quarter of 2026, subject to regulatory approvals.

The ISDA DRR uses the Common Domain Model (CDM) – an open-source data standard for financial products, trades and lifecycle events – to transform an industry-agreed interpretation of new or amended transaction reporting rules into unambiguous, machine-executable code, making implementation more efficient and cost-effective. Using the ISDA DRR enables firms to implement changes to regulatory reporting requirements cost-effectively and accurately and reduces the risk of regulatory penalties for misreported data.