Skip to main content


EU fintech regulation: key themes and trends

The digital transformation of financial services has created not only new ways of paying, lending and transferring money but also the potential to expose firms’ technological frailties. In response, the EU is seeking ways to drive innovation in the financial sector while ensuring it can cope with cyber-related threats.

Europe's plans for digital finance

In September 2020, the European Commission launched its digital finance package, which includes:

  • strategies for digital finance and retail payments; and
  • proposed legislation for cryptoassets and digital operational resilience.

The package aims to:

  • make Europe a global leader in – and standard-setter for – financial services;
  • make more innovative financial products available to consumers; and
  • ensure customer protection and financial stability.

The Commission's plans – in detail

Regulating crypto markets

The proposed Markets in Crypto-Assets (MiCA) Regulation aims to:

  • define the regulatory treatment of all cryptoassets that aren´t covered in existing EU legislation;
  • support innovation and fair competition;
  • instil appropriate levels of consumer and investor protection and market integrity; and
  • ensure financial stability, especially in light of the emerging category of stablecoins.

Discussions between EU institutions and among member states on the proposals are ongoing.

Areas warranting further reflection include:

  • powers and co-operation between authorities;
  • supervisory responsibilities;
  • grandfathering of existing services; and
  • prevention of market abuse.

The proposed regulation on digital operational resilience aims to:

  • harmonise internet and communication technology (ICT) governance and risk management;
  • enhance and streamline reporting of ICT-related incidents and voluntary information sharing;
  • establish continuous testing of ICT tools and systems; and
  • ensure against and monitor ICT third-party risk.

Discussion of the legislation in the European Parliament and among member states is ongoing.

Areas warranting further reflection include:

To improve financial products for consumers, the Commission wants to help data-driven innovation in the sector.

To this end, the Commission – building on the ‘open banking’ concept introduced by the Payment Services Directive (PSD2) – intends to establish a common financial data space that allows real-time access to all regulated financial information and promotes business-to-business data sharing within the EU.

The Commission will propose legislation by mid-2022. This will build on and align with other EU initiatives focusing on data access, such as the European data strategy, the Data Act and the Digital Services Act. This will also be co-ordinated with the review of PSD2. 

There four policy options for this legislative intervention:

  1. ensure publicly disclosed information is standardised and machine-readable;
  2. set up EU-funded infrastructure for public disclosure;
  3. present a strategy on supervisory data; and
  4. present a new open-finance framework in full alignment with broader data-access initiatives.

The Commission hopes to have the framework in place by 2024.

More EU-wide supervision

The Commission’s plans, if implemented, will change the way financial firms and other ‘obliged entities’ are supervised. For example, the European Commission wants to:

Separate to the digital finance strategy, in July 2021, the Commission announced proposed reforms to the EU's anti-money-laundering regime, which include the creation a single EU AML supervisor.

The broader regulatory picture

While the above initiatives are aimed squarely at financial services, the sector will also be affected by broader EU policy and legislation.

  • In April 2021, the Commission published its proposals to regulate AI (including banning certain AI practices and improving the transparency of AI systems) and promote the development and use of ethical and trustworthy AI within the EU.
  • The EU is using competition policy to restrain the perceived over-reliance of tech companies based outside the EU. For example, the Commission wants platforms to open up access to their data, which, it believes, may lower switching costs, stimulate innovation, and drive market entry and competition.
  • The Commission is aiming for ‘open strategic autonomy’. While the EU will continue to work with its partners (eg by making it easier to share data with countries and entities outside the EU), it will not hesitate to go it alone (eg by boosting its tech sovereignty).

The direction of travel for EU policy and regulation suggests that big technology companies’ growing role in the financial services sector is going to face greater scrutiny. For example, the EU may subject the companies to antitrust investigations based on the ‘same activity, same risk, same rules’ principle. The companies could even be included in financial regulatory frameworks and supervisory mechanisms.

Cross-border digital IDs

In June 2021, the Commission published its proposed amendments to the 2014 digital identity regulation.

The new rules will require member states to develop a national digital ID system. This will give EU citizens access to a European digital wallet linked to their national ID documents. The wallet should:

  • make it easier to access public and commercial online services across the EU;
  • reduce the need to share personal data; and
  • make it easier for financial firms to check the identity of new customers.

The Commission wants member states to establish, by September 2022, a common toolbox that will include technical architecture, standards and best-practice guidelines. It will also work with member states and the private sector on the technical aspects of the European digital identity.

Levelling the international playing field?

Like the GDPR, which has driven global regulatory convergence, many of these initiatives are expected to set the tone at an international level.

However, the EU – when developing expansive new rules – must be sensitive to the realities of doing business both in Europe and elsewhere. This means establishing minimum legal standards that don’t stifle EU growth and recognising the regulatory and enforcement landscape in prominent export markets.

This will be a difficult balance to strike. But the ‘success’ of the GDPR suggests that it is achievable.