Search Results
- EMIR 3: The New Clearing Threshold Regime — What Market Participants Need to Know
On 25 February 2026, the European Securities and Markets Authority (ESMA) published its Final Report setting out revised clearing thresholds under EMIR 3. This article explains what is changing, what the new numbers mean in practice, and what action you should be taking now.

The Big Picture: Why This Matters

The European Market Infrastructure Regulation, commonly known as EMIR, sets the framework governing over-the-counter (OTC) derivative markets in the EU. At its core is the clearing obligation: the requirement for certain counterparties to clear eligible OTC derivative contracts through authorised Central Counterparties (CCPs) rather than settling bilaterally. Whether a counterparty is subject to this obligation depends on whether their OTC derivatives positions exceed defined clearing thresholds. Exceed the threshold in any asset class and mandatory clearing kicks in for all OTC derivatives in that class.

EMIR 3 (Regulation (EU) 2024/2987), which entered into force on 24 December 2024, significantly overhauled how these thresholds are calculated. ESMA has now published the draft Regulatory Technical Standards (RTS) that set out the specific new threshold values, amending Commission Delegated Regulation (EU) No 149/2013. These RTS are now with the European Commission for endorsement, expected within three months. Until formally adopted, the current rules remain in force.

The Fundamental Change: From All OTC to Uncleared Only

This is the most important conceptual shift and it is worth understanding clearly before looking at the numbers. The regime also introduces different rules depending on whether you are a Financial Counterparty (FC) or Non-Financial Counterparty (NFC).

For Financial Counterparties (FCs)

FCs face a dual assessment. They must test their positions against:
– An uncleared positions threshold: measuring only uncleared OTC derivatives (shared with NFCs); and
– An aggregate backstop threshold: measuring both cleared and uncleared OTC derivatives, but applicable only for interest rate and credit derivatives (the asset classes currently subject to the clearing obligation).

The backstop threshold exists to ensure that FCs with very large cleared portfolios, who may fall below the uncleared threshold, are still captured by the clearing obligation.

For Non-Financial Counterparties (NFCs)

Two important changes apply to NFCs:
– NFCs now test only against the uncleared threshold. There is no aggregate backstop for NFCs.
– Position calculation moves from group level to entity level. Previously, an NFC included the OTC derivatives of other NFCs in its group. Under EMIR 3, each NFC calculates based only on its own uncleared speculative transactions. Cleared positions and other group entities are excluded.

For many NFCs, particularly those active in energy and commodity markets, this shift to entity-level calculation on an uncleared-only basis is likely to be a favourable change, potentially bringing them below the threshold.

3. The New Threshold Values

ESMA consulted on proposed threshold levels in April 2025 and received 35 responses from a broad range of financial counterparties, non-financial counterparties and trade associations. The final values reflect upward revisions in certain asset classes to account for inflation, price developments and market growth since the original thresholds were set.

Uncleared OTC Positions Threshold — Applies to Both FCs and NFCs

Aggregate OTC Positions Threshold — FCs Only (Backstop)

In addition to the uncleared threshold, FCs must also test against an aggregate threshold covering both cleared and uncleared OTC derivatives. This backstop applies only to the two asset classes subject to the clearing obligation:

What This Means

The impact of these changes will vary significantly depending on your counterparty classification, your derivative activity, and the proportion of your positions that are currently cleared.

If you are a Non-Financial Counterparty

The shift to entity-level, uncleared-only calculation is likely to be favourable for many NFCs. Cleared positions and those of other group entities are now excluded. Energy companies and commodity market participants should re-assess their threshold position under the new methodology; the measured exposure may fall significantly even before the benefit of the higher commodity threshold is considered. NFCs relying on VPPAs or other structured hedging should note that these are not eligible for the hedging exemption under the current framework and this has not changed.

If you are a Financial Counterparty

Review both the uncleared threshold and the aggregate backstop for interest rate and credit derivatives. You must satisfy both tests. FCs with large cleared portfolios in interest rate or credit derivatives should pay particular attention to the aggregate backstop, which remains at €3bn and €1bn, respectively. The reduced uncleared thresholds for interest rate (€2.2bn), credit (€0.8bn), and equity (€0.7bn) derivatives reflect the narrower scope of what is being measured, not a straightforward tightening of the regime.

Next Steps and Timeline

We recommend that regulated entities begin preparing now by:
– Modelling their positions under the new uncleared-only methodology to understand the change in their measured exposure;
– Reviewing group structure and the impact of the move from group-level to entity-level calculation (for NFCs);
– Assessing whether any current clearing obligation would continue under the new regime, or whether they may fall below a threshold; and
– Updating internal threshold monitoring and compliance processes ahead of the RTS coming into force.
- PSD3 & PSR: What Every Board and Senior Manager Needs to Know
1. The Big Picture: Why This Matters to You

The European Union's payments landscape is undergoing its most significant transformation in over a decade. The Third Payment Services Directive (PSD3) and the new Payment Services Regulation (PSR) together replace the existing PSD2 framework, and the implications reach every institution that touches payments in the EU, from banks and FinTechs to insurance groups and investment firms.

On 27 November 2025, the European Parliament and the Council of the EU reached a provisional political agreement on both texts. Formal adoption and publication in the Official Journal are expected in mid-2026, followed by an 18-to-21-month transition period. That puts the compliance deadline squarely in late 2027, but for organisations with complex operating models, that window will pass quickly.

This is not a regulation to approach reactively. The institutions that start now will be better positioned, better protected, and better able to capture the competitive opportunities the new framework creates.

2. PSD3 vs PSR: Understanding the Two Forces

One of the most important structural changes in this reform is the deliberate split between a Directive and a Regulation:

PSD3: The Directive

PSD3 primarily governs authorisation and supervision of payment service providers. As a directive, it must be transposed into national law by each EU Member State. It will address licensing frameworks, governance requirements, capital thresholds, and the regulatory relationship between payment institutions and national competent authorities. Critically, existing authorisations granted under PSD2 will remain valid for 24 months from PSD3's entry into force, but institutions will need to submit a new application demonstrating compliance with updated requirements. Plan for this re-authorisation process early.

PSR: The Regulation

The Payment Services Regulation is directly applicable across all EU Member States without national transposition. It covers the rules governing how payment services are delivered, security, strong customer authentication (SCA), open banking obligations, fraud prevention, and consumer rights. PSR obligations may become binding before PSD3 is transposed in certain jurisdictions. Compliance timelines for the two instruments may differ, and firms must plan accordingly.

3. Five Key Changes Boards Must Understand

1. Fraud Liability Has Shifted — Significantly

Under the new framework, if a Payment Service Provider fails to implement appropriate fraud prevention mechanisms, it will be held liable for covering customer losses. PSPs are now required to verify that a payee's name and unique identifier match before processing a credit transfer. Where discrepancies exist, the payment must be refused and the payer informed. For impersonation fraud, where a criminal poses as a PSP employee to manipulate a customer into approving a transaction, PSPs must refund the full amount, provided the customer reports the fraud to the police. This is a substantial extension of liability and requires robust fraud detection infrastructure.

Action Point: Review your fraud prevention architecture, SCA implementation, and customer refund policies against the new liability standard now; do not wait for final texts.

2. Open Banking Gets a Meaningful Upgrade

PSD2 introduced open banking, but its implementation was inconsistent across the EU. PSD3 and PSR aim to resolve this by standardising API access requirements, setting clear reliability and availability expectations, and introducing consent dashboards that give consumers visibility and control over who accesses their financial data. Firms that invest in high-quality, standards-compliant APIs will be better positioned in the competitive landscape for financial data services, especially as the proposed Financial Data Access (FIDA) framework develops in parallel.

3. A Level Playing Field Between Banks and Non-Banks

PSD3 and PSR provide clearer and more consistent conditions for non-bank payment service providers to access payment systems and hold accounts at credit institutions. Banks face greater competitive pressure from fintechs and payment institutions. Non-bank PSPs face higher compliance obligations as their regulatory footing becomes equivalent.

4. Stronger Consumer Rights and Transparency

The new framework significantly strengthens consumer-facing obligations: unexpected account blocks, unclear fee structures, and insufficient transparency on ATM charges and cross-border payment costs are all addressed. PSPs must offer customers clear spending limits and account-blocking tools, and consumers will have enhanced dispute resolution rights.

5. Crypto and MiCA Alignment

PSD3 introduces a simplified authorisation pathway for providers already licensed under the EU Markets in Crypto-Assets Regulation (MiCA). For firms operating at the intersection of traditional payments and digital assets, this alignment reduces regulatory duplication, but requires careful analysis of which activities fall under which regime.

4. The Compliance Timeline: What to Do and When

Now - Mid 2026: Monitor and Diagnose
– Conduct a preliminary gap analysis against the agreed political text; sufficient detail is available now to begin.
– Identify which parts of your business are in scope for PSR (directly applicable) versus PSD3 (transposition dependent).
– Map your fraud prevention and SCA architecture against the new liability standard.
– Engage with your national competent authority on the re-authorisation process timeline.

Mid 2026 - End 2026: Detailed Impact Assessment
– Obtain and review the final published texts once available in the Official Journal.
– Commission a full regulatory impact assessment covering systems, processes, governance, and contracts.
– Begin API remediation projects if open banking access is material to your business.
– Update compliance monitoring programmes and internal audit plans to reflect new requirements.

2027: Implementation and Readiness
– Complete re-authorisation submissions ahead of national deadlines.
– Staff training and awareness programmes; regulators will expect documented evidence.
– Final testing of fraud detection, SCA, and customer-facing transparency tools.
– Pre-deadline internal audit to verify compliance readiness.

5. How ENAH Services Ltd Can Help

ENAH Services Ltd has deep expertise in EU financial services regulation, internal audit, and compliance across payments, banking, and investment services. Our team has supported clients through PSD2 implementation and is already advising on PSD3 and PSR readiness.

We offer a structured PSD3/PSR readiness programme tailored to your institution's size, business model, and regulatory footprint, including:
– Regulatory gap analysis and impact assessment
– Compliance programme design and policy drafting
– Internal audit readiness and independent review
– Tailored training for boards, senior management, and compliance teams
– Ongoing regulatory monitoring and horizon scanning

Get in touch with ENAH Services Ltd to discuss your PSD3/PSR readiness. www.enaservicesltd.com | consulting@enaservicesltd.com
- Digital Omnibus: What is Changing and Why It Matters for EU Businesses
In November 2025, the European Commission presented the Digital Omnibus Regulation proposal (COM(2025) 837) as part of a broader drive to “simplify” EU digital compliance and reduce fragmentation. The proposal is presented as a pragmatic, technical package—yet it touches multiple sensitive areas: cookie rules, GDPR enforcement practicality, AI-related processing, and cybersecurity incident reporting. This article explains what is changing, what is being debated, and what organizations should do now.

What is the Digital Omnibus?

An “omnibus” legislative instrument is a package that amends multiple legal areas through a single proposal. The Digital Omnibus is designed to streamline the EU digital compliance environment and align certain elements across:
– GDPR (data protection)
– AI Act implementation
– Cybersecurity reporting / incident notification frameworks
– certain overlaps with the wider EU digital rulebook

The central claim is “simplification.” The central question is whether simplification is achieved by reducing unnecessary burden while maintaining safeguards—or whether some changes risk weakening rights or enforcement effectiveness.

What is changing (as proposed)

A) Cookies and terminal equipment: closer to GDPR logic

A major shift described in the proposal is moving rules around terminal equipment data (including cookies and similar identifiers) more clearly into a GDPR-style compliance and enforcement approach.

Practical meaning: cookie compliance is likely to become more explicitly tied to GDPR concepts and enforcement consequences, potentially changing how organizations design consent, records, and user controls.

B) Cookie consent redesign: fewer repeated prompts

The proposal describes a consent model intended to reduce “banner fatigue,” including:
– clearer Accept / Reject choices
– if a user rejects, the website should not ask again for at least six months
– stronger emphasis on respecting central privacy preferences (e.g., browser/device-level settings) where applicable
– a limited “whitelist” logic for certain low-impact cookies (e.g., basic aggregated measurement) under strict conditions

Practical meaning: banner UX and consent management platforms may need redesign. Organizations should also re-check which cookies truly need consent vs. which may fall within narrowly defined low-impact categories.

C) Pseudonymised data: clearer boundaries for recipients

The proposal introduces clarification that pseudonymised data shared with third parties who cannot realistically or lawfully re-identify individuals may not be treated as personal data for those recipients.

Practical meaning: this could enable safer data sharing for analytics, research, and AI development—but it raises governance questions: who can re-identify, under what conditions, and how that is evidenced contractually and technically.

D) AI development under GDPR: more explicit use of “legitimate interests”

The proposal describes a more explicit route for processing personal data in the context of developing and operating AI systems/models using legitimate interests, with safeguards (e.g., minimisation, transparency, right to object, and impact assessments where needed). It also references limited processing of special category data in specific contexts such as bias detection and correction, subject to strict safeguards.

Practical meaning: organizations building or deploying AI should expect intensified scrutiny of: legitimate interest assessments, transparency practices, objection handling, data minimisation and purpose limitation, and DPIA triggers.

E) Right of access: addressing “manifestly abusive” requests

The proposal introduces provisions allowing controllers to limit handling of access requests where there is manifest abuse (e.g., repeated, excessive, or clearly bad-faith requests).

Practical meaning: companies may gain more operational flexibility, but must apply the concept cautiously—because misuse could become a major enforcement and reputational risk.

F) Automated decision-making (GDPR Article 22): clearer conditions

The proposal clarifies/reframes the conditions under which decisions with legal or similarly significant effects may be solely automated (e.g., necessity for contract, authorization by law with safeguards, or explicit consent).

Practical meaning: organizations using scoring, profiling, or automated eligibility decisions should re-check: whether Article 22 applies, whether there is meaningful human involvement, and whether safeguards and transparency are adequately documented.

G) “Unified policies” across regimes

The proposal describes a direction toward integrated policies and documentation across multiple regimes (e.g., GDPR + AI Act + cybersecurity reporting), reducing parallel paperwork.

Practical meaning: good governance programs (single control frameworks, shared risk registers, unified policies) become more valuable—especially for multi-country operations.

Cybersecurity: one reporting “entry point” for incidents

Another key element is the concept of a single entry point for incident reporting to reduce duplicate notifications across frameworks. A 96-hour window is referenced for the unified submission concept, while recognizing that existing obligations under specific laws (including earlier notifications where required) remain relevant.

Practical meaning: security and privacy teams should align incident response so that: one internal workflow supports multiple legal notifications, evidence and timelines are controlled, and decision-making is documented.

Why this is controversial

Although the package is described as simplification, stakeholders debate whether certain changes may:
– make enforcement harder or slower through procedural shifts
– narrow practical access to remedies or complaint pathways
– create uncertainty around rights (especially in AI-related processing)
– rebalance the system more toward administrative efficiency than fundamental rights

EU-level privacy regulators have emphasized that simplification must not weaken effective protection and must preserve enforceability and rights in practice.

What businesses should do now

Even before the final text is adopted, the proposal is a strong signal: EU compliance will increasingly reward organizations that have clear governance, good records, and fast operational response.

Recommended actions:
– Audit cookies and consent architecture: Map cookies/SDKs, re-validate legal bases, and prepare for “reject = no re-ask for months” logic.
– Re-check pseudonymisation and sharing: Document re-identification risk, control access to keys, and ensure contracts reflect technical reality.
– Strengthen AI compliance documentation: Legitimate interest assessments, DPIAs where appropriate, transparency and objection handling, model training data governance.
– Prepare for Article 22 questions: Identify where automated decisions have significant effects; document safeguards and human oversight.
– Unify incident response: Build a single internal workflow that can serve multiple notifications, with clearly assigned roles and timelines.

Conclusion

The Digital Omnibus is framed as a simplification initiative, but it introduces meaningful changes across cookies, pseudonymised data, AI-related processing, data subject rights operations, automated decision-making, and cybersecurity reporting. For organizations, the right strategy is structured readiness: strengthen governance now so you can adapt quickly once the final text is agreed.
- What’s Changing in the EU Suitability Assessment Rules - Joint EBA & ESMA Guidelines (Consultation Paper)
On 25 February 2026, ESMA and the EBA published a consultation on revised joint guidelines for assessing the suitability of members of the management body and key function holders in banks and investment firms. The suitability guidelines themselves already exist: what’s new here is a set of targeted updates designed to reflect recent EU legal developments, expand and clarify supervisory expectations, and improve consistency across Member States. Below is a practical breakdown of the key changes.

Alignment with updated EU prudential requirements (CRD)

A major driver of the revision is alignment with the updated Capital Requirements Directive (CRD). The revised framework clarifies how institutions and supervisors should apply suitability requirements under the latest prudential rules, especially where the updated CRD introduces new expectations around governance and appointments.

What this means in practice:
– more explicit links between legal requirements and the suitability process,
– clearer expectations on how assessments should be performed and evidenced.

Wider focus on key roles beyond board membership

The revised approach strengthens the focus on key function holders, including roles that may not sit on the board but have a critical impact on governance and control. In particular, the revisions emphasise suitability assessment expectations for senior control and financial roles (for example, internal control functions and senior finance leadership), reinforcing that governance risk isn’t limited to board appointments alone.

Clearer approach for third-country branches

The consultation also addresses how the suitability framework should apply in the context of third-country branches operating in the EU. This is important for groups with non-EU headquarters and EU branch structures, as it clarifies supervisory expectations around governance and key individuals in those branch setups.

Stronger link to financial crime and AML/CFT considerations

Another notable development is the clearer connection between suitability assessments and AML/CFT risk considerations. This doesn’t replace existing fit-and-proper principles, but it strengthens how institutions and supervisors should factor in integrity, reputation, and relevant risk signals when assessing individuals in senior positions.

More harmonised documentation expectations

Alongside the revised guidelines, the consultation package supports greater standardisation of what information is expected for suitability reviews (such as the structure/content of questionnaires, CV information, and supporting documentation). The practical outcome is likely to be:
– more consistent submissions to regulators,
– fewer jurisdiction-by-jurisdiction differences in what is considered “enough” evidence,
– clearer internal file standards for firms.

Clarifications aimed at consistency and reduced friction

The revised guidelines also include clarifications intended to improve: supervisory convergence (more consistent outcomes across the EU), operational clarity (who assesses what, when, and how), and overall efficiency, reducing avoidable administrative complexity where possible.

Conclusion

This consultation is a signal that EU supervisors want more consistent, better-documented, and more risk-aware suitability assessments, not only for boards, but also for senior roles that drive control, finance, and governance outcomes.
- CySEC Circular C754: What CIFs Need to Know About the 2025 Cross-Border Reporting Requirement
The Cyprus Securities and Exchange Commission (CySEC) issued today its Circular C754, introducing a targeted electronic cross-border reporting obligation for Cyprus Investment Firms (CIFs). The circular focuses on CIFs that provided cross-border investment services to retail clients in other EEA Member States during 2025. This development aligns with broader EU supervisory efforts to strengthen oversight of cross-border activities and enhance data consistency across Member States.

Who Is in Scope?

The requirement applies to CIFs that, between 1 January and 31 December 2025, provided investment services on a freedom to provide services (FPS) basis to more than 50 active retail clients in at least one EEA Member State.

Important clarification: “Retail clients” also include clients treated as professionals on request under MiFID II (opt-up clients). This means some firms may fall within scope even if their client base is not traditionally retail-focused.

What Is Required?

In-scope CIFs must participate in an electronic questionnaire hosted on a dedicated EU reporting platform. The questionnaire will collect structured information on cross-border activities, enabling competent authorities to better assess scale, impact, and potential risks arising from such services.

Immediate Action Required & Deadlines

By Wednesday, 18 February 2026, all CIFs must take one of the following actions:
– If in scope: Email riskstatistics.cifs@cysec.gov.cy with a generic company email address (e.g., compliance@, info@). CySEC will then send the link to the electronic questionnaire.
– If not in scope: Formally notify CySEC at the same email address that the firm does not meet the threshold (i.e., fewer than 50 active retail clients in any EEA Member State).

Failure to respond, whether in scope or not, may be treated as non-compliance.
- Regulatory Alert: CySEC Circular C751 – DORA Reporting, Governance Portal and Related Obligations
CySEC has issued Circular C751, providing targeted operational guidance on specific obligations arising under Regulation (EU) 2022/2554 (DORA). The Circular focuses on four practical areas: ICT-related incident reporting, the Register of Information submission format, governance of the ICT risk management framework, and mandatory entries in the CySEC Portal.

ICT-related incident reporting

CySEC states that it has identified deficiencies in how regulated entities classify and report ICT-related incidents. In particular:
– incidents that should have been classified and reported as “major” were not reported;
– incidents were reported but incorrectly classified as major.

Regulated entities are required to apply the classification criteria and materiality thresholds in Commission Delegated Regulation (EU) 2024/1772 and to ensure timely reporting upon detection of a major ICT-related incident.

Register of Information – XBRL-CSV only

CySEC reiterates that the “Build in Excel” file is no longer accepted. The Register of Information must be submitted exclusively in XBRL-CSV format, which is the only format accepted by the EBA. Key operational points:
– use XBRL-compatible software supporting mapping and validation against EBA rules;
– generate fully compliant XBRL files;
– zip the files and submit them via the CySEC XBRL Portal;
– submit annually by 28 February, with reference date 31 December of the preceding year.

ICT risk management framework – governance, review and audit

CySEC reminds regulated entities of their obligations under Article 6 DORA to establish, implement and maintain a documented ICT risk management framework. In particular:
– for non-microenterprises, ICT risk management and oversight must be assigned to a control function with appropriate independence and segregation from internal audit;
– the framework must be reviewed at least annually and following major ICT incidents, supervisory instructions or resilience testing and audit findings;
– a report on the review must be submitted to CySEC upon request and should be based on Chapter V of Commission Delegated Regulation (EU) 2024/1774;
– for non-microenterprises, the framework must be subject to regular internal audit, with a formal follow-up process for critical ICT audit findings;
– small and non-interconnected (Class 3) investment firms remain subject to a simplified ICT framework.

CySEC Portal – mandatory designations

Circular C751 introduces two specific operational obligations in the CySEC Portal:
– designation of the ICT auditor (for non-microenterprises) under the Auditors section, selecting “Is ICT”;
– designation of the person responsible for the ICT risk control function under the Personnel section.

How ENAH Services Can Support

ENAH Services supports regulated entities across the banking, payments, investment and fintech sectors with:
– DORA implementation and gap assessments
– ICT risk governance frameworks
– Incident reporting workflows and simulations
– ICT third-party risk management and contract reviews
– Board-level DORA readiness reporting
– Regulatory engagement and remediation programmes

For further information or tailored DORA support, please contact us at consulting@enaservicesltd.com.
- EU Pay Transparency Directive: What It Means for Employers and Employees in 2026
In May 2023, the European Union adopted Directive (EU) 2023/970, a landmark piece of labour law aimed at tackling persistent gender-based pay disparities. Often referred to as the EU Pay Transparency Directive, its primary objective is to transform the principle of “equal pay for equal work or work of equal value” into enforceable practice through transparency, reporting, and accountability.

Why This Directive Matters

Despite decades of law promoting equal pay, wage inequalities across the EU persist. According to recent Eurostat figures, the average gender pay gap remains around 12–13%, with notable differences across Member States. The Directive is designed to:
– Make pay practices transparent
– Equip workers with the right to information
– Expose unjustified pay gaps
– Encourage early correction and remedies

In this way, transparency becomes a tool not just for disclosure, but for action.

Key Deadlines Every Employer Should Know

EU Member States must transpose the Directive into national law by 7 June 2026. Only after this transposition will the specific obligations become enforceable at the national level. Once national laws are in place, employers need to prepare for phased pay gap reporting:
– 250+ employees: first reports due by 7 June 2027 (then annually)
– 150–249 employees: first report by 7 June 2027 (then every 3 years)
– 100–149 employees: reporting begins by 2031 (every 3 years)

Member States may impose even stricter requirements or include smaller companies in reporting obligations.

What Employers Will Be Required to Do

Once implemented nationally, the Directive introduces several important duties:

1. Reporting on Gender Pay Gaps

Employers with 100+ employees will need to publish detailed pay gap reports, covering:
– Average gender pay gap
– Gap in variable or supplementary pay
– Median and mean pay comparisons
– Distribution of men and women across pay quartiles

If a pay gap of 5% or more is identified and cannot be justified on objective, gender-neutral grounds, companies must take action to correct it within six months of reporting.

2. Salary Transparency in Recruitment

Employers will be required to include salary ranges in job postings and disclose the criteria used to determine pay. Potential and current employees should have the right to request information on pay comparisons for roles of equal value. This is intended to prevent discriminatory negotiation practices and reduce information asymmetry in hiring.

3. Objective Pay Setting

The Directive strengthens the legal principle that equal work or work of equal value must be remunerated equally. Employers must rely on objective, gender-neutral criteria when determining remuneration.

How Employers Can Prepare Now

With the June 2026 deadline approaching fast, preparation should begin immediately:
– Audit Current Pay Structures: Start collecting and analysing internal pay data by gender across all job categories.
– Establish Transparent Pay Policies: Create documented, objective criteria for salary decisions and ranges for roles.
– Engage HR, Legal & Compliance: Integrate reporting and compliance tasks into your HR and governance frameworks.
– Educate Leaders and Employees: Build internal understanding of the Directive’s requirements and expectations.

Conclusion

The EU Pay Transparency Directive marks a significant shift from “equal pay as a principle” toward equal pay as proof. It places employers and policymakers on a shared journey toward measurable gender pay equity, backed by enforceable transparency measures and accountability.

For employers operating across the EU and HR professionals supporting them, early action is not only wise, it’s essential. Compliance will require strategic planning, cultural change, and robust data management, but it also presents a unique opportunity to lead on fairness and equity in the workplace.
- The PSD3 / PSR Political Agreement: What Was Decided, What Comes Next
The Political Decision: Why This Agreement Matters

Following prolonged negotiations, the European Parliament and the Council of the European Union reached a political agreement on the new Payment Services Regulation (PSR) and the Third Payment Services Directive (PSD3) package on the basis of the proposal advanced by the European Commission. This agreement is politically significant for three reasons:

  - It represents a strategic shift from minimum harmonisation to direct applicability, via the PSR.
  - It responds to systemic weaknesses in fraud prevention, especially Authorised Push Payment (APP) fraud.
  - It completes the post-PSD2 recalibration of EU payments law, aligning it with the Digital Finance Strategy, DORA, and broader consumer-protection objectives.

What Was Agreed: Core Elements of the PSD3 / PSR Package

A New Legal Architecture

The framework is split deliberately:

  - PSR (Regulation): directly applicable rules on conduct of business, transparency, fraud liability, and operational requirements.
  - PSD3 (Directive): institutional and prudential matters (licensing, supervision, passporting, governance).

This division aims to reduce national divergence that undermined PSD2’s effectiveness.

Stronger Fraud Protection & Liability Rules

A key political concession was enhanced consumer protection against fraud:

  - Mandatory reimbursement for certain APP fraud cases, subject to limited exceptions.
  - Reinforced obligations for PSPs on transaction monitoring and customer warnings.
  - Greater emphasis on shared liability across the payment chain.

This is one of the most contentious areas and will be heavily scrutinised in implementation.

Transparency and Fee Disclosure

The agreed text strengthens rules on:

  - Hidden charges and opaque FX mark-ups.
  - Pre-transaction and post-transaction disclosure obligations.
  - Comparability of fees across providers.

Open Banking / Open Finance Continuity

While not revolutionary, the package:

  - Consolidates access-to-account rules.
  - Seeks to stabilise business models for third-party providers (TPPs).
  - Addresses data-access friction without fully moving into “Open Finance” (reserved for future initiatives).

What Happens Next: The Formal and Practical Timeline

The political agreement must still pass through:

  - Legal-linguistic finalisation
  - Formal adoption by Parliament and Council
  - Publication in the Official Journal

Only then do the clocks start running. Indicatively:

  - PSR: applies directly after a transition period (18–24 months).
  - PSD3: Member States will have a transposition deadline (typically ~18 months).

For firms, the message is clear: compliance will no longer be defensive. It will be operational, technological, and strategic. Early preparation across legal, compliance, IT, and governance will be the decisive differentiator.

The agreed measures must be formally adopted by the European Parliament and the Council of the European Union before they can come into force. The Council and the Parliament will continue working on the technical elements of the package before final adoption by the co-legislators. We anticipate that the final texts will be published in the Official Journal of the European Union in H1 2026.
- CySEC Signals Major Shift: EU Securities Market Moves to T+1 Settlement Cycle
The Cyprus Securities and Exchange Commission (CySEC) has issued Circular C741 to regulated market participants, signalling an important evolution in the post-trade landscape of European securities markets. This development aligns Cyprus with broader EU policy aimed at boosting market efficiency, reducing risk, and harmonising settlement practices with global standards.

What’s Changing?

Under the updated EU framework, specifically Regulation (EU) 2025/2075 amending the Central Securities Depositories Regulation (CSDR), the standard settlement cycle for most securities transactions in the EU will be shortened from T+2 to T+1. That means trades in equities, bonds, and other transferable securities executed on trading venues must be settled no later than one business day after the trade date. This is a significant acceleration compared to the traditional two-day cycle.

Transition Timeline

  - Regulation Entry into Force: 3 November 2025
  - Effective Application Date: 11 October 2027

Why T+1 Matters

The move to T+1 settlement is driven by three key objectives:

  - Operational Efficiency: Shorter settlement cycles reduce the time between trade execution and settlement, streamlining the post-trade process.
  - Risk Reduction: By cutting the exposure window, market participants face lower counterparty and settlement risk, a major benefit during periods of market stress.
  - Global Alignment: Many leading markets outside the EU, including the United States, already operate on a T+1 basis, and this shift harmonises European practices with international norms.

What Transactions Are Covered?

The T+1 requirement applies broadly to transferable securities executed on trading venues. However, the regulation clarifies that certain trades remain outside its scope, such as:

  - Privately negotiated trades executed on trading venues
  - Bilateral trades reported to trading venues
  - Initial book-entry transactions under specific conditions
  - Certain securities financing transactions (SFTs)
  - Margin lending (as these are not considered transactions in transferable securities)

Practical Implications for Firms

Regulated entities, including Cyprus Investment Firms (CIFs), UCITS, AIFs, trading venues, and central securities depositories, are now encouraged to begin their readiness preparations. According to the Circular:

Entities are urged to review the potential impact of the transition on internal systems, operational workflows, liquidity and treasury frameworks, client onboarding practices, and cross-border arrangements.

This early engagement is especially important, as technological and procedural adjustments will be necessary to comply with the tighter settlement timeline.

Industry Collaboration: T+1 Readiness Survey

In addition to the regulatory timeline, the EU T+1 Industry Committee has launched a readiness survey to gauge the preparedness of market participants. CySEC’s Circular strongly encourages regulated entities to participate in this exercise in order to help identify challenges and operational bottlenecks ahead of implementation.

What’s Next?

As the countdown to October 2027 begins, market participants must take proactive steps to adapt:

  - Upgrade systems to support T+1 clearing and settlement processes.
  - Assess liquidity management practices to accommodate faster cash and securities flows.
  - Coordinate across departments to ensure seamless transition.

The shift to T+1 is more than a technical tweak; it represents a structural enhancement to EU financial markets that promises greater resilience and efficiency.

For Cyprus-based firms under CySEC supervision, early planning and active engagement with the T+1 readiness initiatives will be key to complying with this new chapter in European capital markets.
- Regulatory Alert: EMIR Data-Collection for Initial Margin Model Validation
On December 12, 2025, the Cyprus Securities and Exchange Commission (CySEC) published Circular C740, addressing the upcoming regulatory requirements under the European Market Infrastructure Regulation (EMIR). This circular sets out precise data-collection expectations for regulated entities in Cyprus that are subject to EMIR’s initial margin model authorisation and validation procedures.

Background: EMIR and Initial Margin Models

Under Article 11(3) of EMIR (Regulation (EU) No 648/2012), firms that exchange initial margin and use internal margin models, such as the ISDA Standard Initial Margin Model (SIMM), must seek prior authorisation from their competent authority before implementing or continuing to use such models. Moreover, validation of these models by the European Banking Authority (EBA) is required before they can be adopted across the EU.

What is Required

The core purpose of Circular C740 is to ensure that regulated entities report the necessary information to CySEC by 16 January 2026 to facilitate:

  - Identification of which entities need to apply for authorisation and subsequent EBA validation.
  - Onboarding of these entities to the EBA’s ISDA SIMM Validation System (under development).

To this end, the circular instructs entities to send:

  - The standard data set specified in the EBA’s opinion on initial margin model applications.
  - A completed template (titled “EMIR IMM application for authorisation_LEI of Regulated Entity” and referenced as “EMIR IMM validation_LEI of Regulated Entity.xlsx”), submitted to CySEC via email to emir@cysec.gov.cy.

This information will then be transmitted by CySEC to the EBA for validation purposes.

📌 Key Takeaways for Compliance Teams

For compliance officers in Cyprus-regulated entities (investment firms, UCITS, AIFs, non-financial counterparties), Circular C740 imposes urgent data submission requirements that must be prioritised to avoid regulatory gaps.

  - Identify whether your entity exceeds EMIR initial margin thresholds.
  - Prepare the required datasets and complete the CySEC/EBA templates.
  - Submit all data to CySEC no later than 16 January 2026.
  - Ensure readiness for the next phase: EBA validation of internal margin models.

Deadline

Regulated entities must submit their data to CySEC by 16 January 2026, creating an immediate compliance priority for affected firms. Entities that fail to submit the required data will not be onboarded to the EBA validation system, effectively preventing them from applying for the EBA validation and thereby risking non-compliance with EMIR.
- Loan-Originating AIFs vs Banks: Same Activity, Different Architecture in the Years Ahead
In the coming years, loan-originating Alternative Investment Funds (LO-AIFs) will continue to expand their presence across the European credit landscape. Although banks and LO-AIFs will both engage in lending, they will do so under fundamentally different business models, funding structures and regulatory regimes. Understanding these distinctions will become increasingly important for policymakers, investors and market participants as private credit grows into a mainstream financing channel.

1. Business Purpose and Economic Function

Banks will remain financial intermediaries serving the wider public. They will continue accepting deposits, safeguarding money, facilitating payments and extending credit that supports the real economy. Their role will remain systemic and central to financial stability.

LO-AIFs, meanwhile, will operate as investment funds designed to generate returns for professional investors. They will raise committed capital and deploy it into private lending opportunities without performing any public-intermediation or monetary-system function.

Key distinction: Banks will continue serving depositors and the payment system. LO-AIFs will continue serving investors seeking yield.

2. Funding, Liquidity and Redemption Dynamics

Banks will keep relying on deposits, wholesale markets, central-bank liquidity and bond funding. Their liabilities will remain short term and payable on demand, meaning that liquidity and funding management will continue to be essential to their resilience.

LO-AIFs will operate with committed capital and controlled redemption mechanisms. Investors will continue accepting illiquidity as part of the private-debt strategy. Because LO-AIFs will not take deposits or guarantee instant withdrawals, their liquidity risk will evolve differently from that of banks.

Banks will face:

  - deposit withdrawals
  - payment-system liquidity obligations
  - systemic liquidity shocks

LO-AIFs will face:

  - liquidity constraints linked to loan portfolios
  - redemption pressures only where the fund is open-ended
  - no systemic run risk

3. Regulatory Frameworks: Prudential vs Investment-Fund Supervision

Banks will remain subject to CRR/CRD, Basel III requirements, leverage ratios, supervisory stress testing and resolution planning. These rules will continue to exist because banks will remain “public crisis points,” requiring strong prudential oversight.

Under AIFMD II, LO-AIFs will operate under a regulatory framework focused on investor protection and sound fund governance, not systemic risk. Although LO-AIFs will incorporate bank-style credit processes, their oversight will continue reflecting their nature as investment products. The LO-AIF regime will include:

  - leverage limits
  - risk-retention rules
  - lending prohibitions to connected persons
  - enhanced underwriting standards
  - liquidity and redemption governance
  - stress testing for open-ended funds

Banks and LO-AIFs will both lend, but the regulatory logic behind each model will remain fundamentally different.

4. Lending Behaviour and Market Focus

Banks will continue prioritising standardised, collateralised and low-risk lending, driven by capital requirements and risk-weighted asset considerations. They will maintain strength in relationship banking, retail lending and senior secured credit.

LO-AIFs will increasingly focus on specialised, higher-yielding private credit, such as:

  - SME growth finance
  - real-estate mezzanine and development loans
  - infrastructure and project finance
  - distressed and opportunistic credit
  - sponsor-backed private-debt transactions

This flexibility will allow LO-AIFs to serve segments where banks will remain constrained by prudential rules or slower credit processes.

5. Risk Profiles and Risk Transmission

Banks will continue carrying composite risks: credit, liquidity, systemic and interest-rate mismatch risks. Bank distress will remain capable of transmitting shocks across the financial system due to their public-facing and deposit-taking role.

LO-AIF risks will remain contained within a closed group of professional investors. Losses will continue being absorbed by the fund’s capital without affecting depositors or requiring public intervention. While open-ended LO-AIFs will still face liquidity-management challenges, these will be controlled through redemption gates, notice periods and liquidity-management tools. Crucially, LO-AIF failures will not generate systemic contagion in the way bank failures could.

6. Complementarity: A Dual Credit Ecosystem

In future years, banks and LO-AIFs will increasingly operate in a complementary manner rather than competing directly.

Banks will:

  - originate senior or low-risk loans that LO-AIFs could acquire or participate in
  - partner with LO-AIFs in syndicated lending
  - use LO-AIFs as an outlet for NPL disposals or balance-sheet optimisation
  - refer borrowers requiring complex or flexible financing

LO-AIFs will:

  - provide credit where banks will remain limited by capital rules
  - support SMEs, real estate, infrastructure and transitional finance
  - offer speed and structural flexibility
  - co-lend with banks in multi-layered financing packages

The strongest credit markets will be those where both channels operate in parallel.

Conclusion: Divergent Structures, Converging Roles

Although banks and LO-AIFs will both lend, their functions, incentives and regulatory foundations will remain distinct. Banks will continue to anchor financial stability and public trust. LO-AIFs will increasingly channel institutional capital into specialised private-credit opportunities, without taking on systemic responsibilities.

As AIFMD II is implemented, and as private credit continues to evolve, Europe’s financing landscape will likely transition toward a dual-track credit system: one supported by prudentially regulated banks, and one driven by flexible, investor-funded LO-AIFs. The goal will not be to force convergence but to ensure that each model operates within a framework that reflects its risks, responsibilities and contribution to the economy.
- Regulatory Alert: AML Awareness: EU Adds Russia to “High-Risk Third Countries” List
Source: European Commission Press Release IP/25/2910
Date: 03 December 2025

On 3 December 2025, the European Commission (the “Commission”) officially added Russia to its list of “high-risk third countries with strategic deficiencies” in their anti-money laundering and counter-terrorist financing (AML/CFT) frameworks.

The addition follows a technical assessment mandated by Delegated Regulation (EU) 2025/1393, under the scope of the Fourth Anti-Money Laundering Directive (4AMLD). The evaluation considered public sources, inputs from Member States’ authorities, and information from the European External Action Service (EEAS).

As a result, all entities and financial institutions within the EU that fall under the AML framework are now required to apply “enhanced vigilance / enhanced due diligence (EDD)” when dealing with transactions involving Russia (or counterparties connected to Russia).

The European Commission press release is available here: https://ec.europa.eu/commission/presscorner/api/files/document/print/en/ip_25_2910/IP_25_2910_EN.pdf

Next steps: The delegated regulation will enter into force after scrutiny and non-objection of the European Parliament and the Council within a period of one month. This can be prolonged for another month. The Commission will monitor the progress of all listed countries and will continue to follow relevant developments.

For more information:

  - Directive on anti-money laundering and terrorist funding (AMLD IV)
  - Anti-Money Laundering Authority (AMLA)
  - The Financial Action Taskforce (FATF)












