Blog
Notes on regulatory practice.
Source-grounded pieces on horizon scanning, EU regulation and compliance operations. Every cited claim links to the primary source.
- Payment services / PSD2 (8 min read)
PSD3 and the PSR: what the EU payment-services overhaul changes — and when
The EU's 2023 payment-services package — PSD3 (a directive) plus the directly-applicable Payment Services Regulation (PSR) — reached a provisional political agreement on 27 November 2025 and is close to adoption, but is not yet law. What it would change (folding in e-money, fraud refunds, verification-of-payee, better API access) — and why you shouldn't calibrate to it until it's published in the Official Journal.
- EU AI Act (10 min read)
The EU AI Act and credit scoring: when a bank's model becomes high-risk
Annex III point 5(b) makes AI for assessing the creditworthiness of natural persons a high-risk system — and the Article 6(3) exemption never opens once the model profiles people. What that means for banks: the line between origination scoring (in scope) and IRB capital models (per the EBA, not directly), why building or retraining a model makes you a provider with the full Article 9–17 load, the fundamental-rights assessment even private banks owe under Article 27, and why 2 August 2026 still stands despite the proposed delay.
- EU AI Act (9 min read)
The EU AI Act timeline for financial services: what applies when — and what the Digital Omnibus would delay
As of 2 June 2026 the original timeline still applies: high-risk obligations under Annex III take effect on 2 August 2026. The Digital Omnibus on AI would push them to 2 December 2027 — but it is not yet adopted. What is binding today, what counts as high-risk for banks and insurers, and why you should plan for August 2026 until the delay becomes law.
- CSRD / Sustainability (11 min read)
CSRD for insurers after the Omnibus: who reports when (as of June 2026)
The Omnibus changed the CSRD twice — and both are now law: the “stop-the-clock” postponement (Directive (EU) 2025/794) and the scope-narrowing to > 1,000 employees (Directive (EU) 2026/470, in force since 18 Mar 2026). Only the revised ESRS draft remains open. What this concretely means for insurers as PIEs.
- NIS2 / Cybersecurity (11 min read)
NIS2 or DORA? What actually applies to insurers and financial entities
Banks, insurers and other financial entities ask whether they fall under NIS2 or DORA. The answer lies in the lex-specialis mechanism of NIS2 Art. 4 and DORA Art. 1(2) — and in an important nuance: not a blanket exemption but a displacement of the overlapping duties. Plus the transposition status: Germany (since 6 Dec 2025) and Austria (NISG 2026).
- DORA / ICT resilience (10 min read)
DORA reporting deadlines: the 4-hour rule for major ICT incidents
What DORA Art. 19 actually requires: the initial notification within 4 hours of classification (no later than 24 hours from awareness), the intermediate report within 72 hours, the final report within one month — and when an incident even counts as “major”. With the correct legal bases (RTS 2025/301, classification RTS 2024/1772).
- AML / Crypto (11 min read)
TFR Art. 14(5): verifying self-hosted wallets under the Crypto Travel Rule
Two EUR 1,000 thresholds that get constantly confused — and what Regulation (EU) 2023/1113 actually requires for self-hosted wallets: no de-minimis for transmitting the data, but an ownership verification above EUR 1,000 for which a mere self-declaration is not enough.
- EU AI Act (14 min read, updated)
EU AI Act from 02 Aug 2026 — what insurers as deployers must do
On 2 August 2026 the obligations for high-risk AI systems under Regulation (EU) 2024/1689 become fully applicable — and insurers are deployers within the meaning of the AI Act in nearly every customer-facing AI application. Which use cases fall under Annex III, what Art. 26 concretely requires, when a Fundamental Rights Impact Assessment under Art. 27 becomes due, and how consistency with GDPR Art. 22, DORA and Solvency II is established.
- Solvency II (13 min read, updated)
Solvency II 2024 review — what Directive (EU) 2025/2 changes from 30 Jan 2027
Directive (EU) 2025/2 amends Solvency II on ten counts — from a new proportionality threshold for small and non-complex undertakings, to a risk-margin reduction to 4.75 %, to an explicit liquidity risk management function. Member States have until 30 January 2027 to transpose; preparation inside insurers starts in 2026.
- MiCA (10 min read, updated)
MiCA grandfathering 2026 — what transitional CASPs need now
MiCA's transitional provision (Art. 143(3)) lets incumbents keep operating under prior national law until 1 July 2026 at the latest — unless the member state shortened the window. How the transition works, where the national deadlines actually sit per ESMA's list, how the Art. 62/63 authorisation process runs, what the application substantively addresses, and what to monitor until the cut-off.
- DORA (13 min read, updated)
DORA inspection readiness 2026 — what supervisors actually ask
Eighteen months after DORA's date of application, the supervisory focus is shifting from "is it set up?" to "is it complete and evidenced?". A source-grounded checklist of the seven 2026 inspection focus areas — third-party register, sub-outsourcing chain, incident-reporting time pressure, TLPT, board-engagement evidence, critical functions, and the ICT risk management framework.
- Methodology (10 min read, updated)
What is horizon scanning — and what are the benefits?
A source-grounded primer on horizon scanning for compliance teams at European financial institutions: definition, intellectual origins, four evidence-backed benefits, the 2025 / 2026 penalty frames, and how EU supervisory authorities practise it themselves.