Entering the EU financial market: a regulatory guide for non-EU firms

The EU financial regulatory framework is not a single gate to pass through. It is a layered system of licences, passporting rights, third-country regimes, and cross-cutting obligations that apply differently depending on what you do, where you are incorporated, and which member states you serve. This guide explains what non-EU firms need to understand before entering the market.

This article is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for advice specific to your situation.

The question non-EU firms ask too late

Most non-EU financial firms that run into regulatory problems in Europe do not do so because they ignored the rules. They do so because they began mapping the regulatory landscape after they had already made product, hiring, or go-to-market decisions that constrained their options. By the time they engaged regulatory counsel, they had structured their offering around assumptions that turned out to be incorrect, and unwinding those assumptions was expensive.

The EU financial regulatory framework is not a single gate to pass through. It is a layered system of licences, passporting rights, third-country regimes, and cross-cutting obligations that interact with each other and that apply differently depending on what you do, where you are incorporated, and which member states you serve. A US broker-dealer entering the EU faces a different set of requirements than a Singapore-based fund manager, which faces a different set than a non-EU crypto exchange. The starting point is understanding which regime applies to your specific activity.

This article covers what non-EU firms need to understand before entering the EU financial market: how the licensing framework works, where third-country regimes exist and where they do not, what cross-cutting obligations apply regardless of activity type, and what the regulatory monitoring obligation looks like once you are operating in the market.

How the EU licensing framework works

The EU financial regulatory framework is built on the principle of harmonised rules with national authorisation. This means that the substantive requirements for operating as a particular type of financial firm are set at the EU level through regulations and directives, but the licence to operate is granted by a national competent authority (NCA) in a specific member state.

Once a firm holds a licence from any EU member state NCA, it can passport that licence across the rest of the EU. Passporting means the firm can provide services in other member states either by establishing a branch or by providing services cross-border without a local presence, subject to notification procedures. The passport is one of the fundamental advantages of the EU single market for financial services, and it is the primary reason why non-EU firms that intend to serve clients across multiple member states choose to establish a legal entity in one member state and passport from there rather than seeking licences in each country they want to operate in.

The choice of home member state matters. The licence requirements are substantially harmonised at the EU level, but NCAs vary in their speed of processing applications, their supervisory culture, their practical experience with particular business models, and their willingness to engage with novel structures. Ireland, Luxembourg, the Netherlands, and Germany have historically been the primary destinations for non-EU firms seeking EU authorisation, partly for practical reasons related to English-language supervision and partly because of the depth of financial sector infrastructure in those jurisdictions. That landscape shifts over time and the right choice depends on the specific activity and structure.

Investment services and fund management: MiFID II, AIFMD, and UCITS

For firms providing investment services or activities, the Markets in Financial Instruments Directive II (MiFID II), as implemented in national law, sets the authorisation requirements. Investment firms providing portfolio management, investment advice, reception and transmission of orders, execution of orders, or dealing on own account require authorisation as an investment firm by an NCA. Non-EU firms cannot passport into the EU under MiFID II. There is no third-country regime under MiFID II that grants market access equivalent to an EU licence. A non-EU firm that wants to provide MiFID-regulated services to EU clients on a systematic basis must either establish an authorised EU entity or rely on reverse solicitation.

Reverse solicitation is the exception that non-EU firms frequently misunderstand. Under MiFID II, a firm may provide investment services to an EU client without EU authorisation if the client initiates the contact with the firm exclusively at their own initiative. The key word is exclusively. Reverse solicitation does not permit any form of marketing or outreach directed at EU clients, any advertising that targets the EU, or any distribution arrangement designed to generate EU client interest. The European Securities and Markets Authority (ESMA) has consistently taken a narrow view of what constitutes genuine reverse solicitation, and reliance on this exception as a structural market access strategy is not consistent with how NCAs approach it.

For alternative investment fund managers, the Alternative Investment Fund Managers Directive (AIFMD) creates a different framework. Non-EU fund managers can market non-EU funds to professional investors in EU member states through the national private placement regimes (NPPRs) that each member state may maintain. NPPRs are not harmonised, vary in their requirements, and are available in some member states but not others. They are not a single-market solution. A manager using NPPRs must comply with the requirements of each member state in which it markets, which typically includes registration with the relevant NCA, compliance with disclosure requirements, and in some member states, compliance with selected AIFMD provisions. The AIFMD II amendments, which entered into force in 2024 with a transposition deadline of April 2026, introduced changes to the delegation framework, liquidity management requirements, and the loan origination regime that non-EU managers marketing into the EU need to incorporate into their compliance frameworks.

For managers wanting a full EU passport for marketing to professional investors across all member states, the only current route is authorisation as an EU AIFM, which requires establishing an EU entity of substance. ESMA’s substance requirements for EU AIFMs have tightened, and letterbox structures intended primarily to obtain a passport without genuine EU operational presence have come under increasing supervisory scrutiny.

UCITS authorisation requires an EU-domiciled fund and an EU-authorised management company. Non-EU managers can act as investment manager to a UCITS fund by delegation from an EU-authorised management company, subject to cooperation arrangements between the relevant NCA and the home country regulator of the non-EU manager. This is a common structure for non-EU asset managers who want to distribute to retail investors in the EU through the UCITS brand.

Payment services and e-money: PSD3 and EMI licensing

For firms in the payments space, the regulatory framework is currently in transition. The Payment Services Directive 2 (PSD2) is being replaced by the Payment Services Directive 3 (PSD3) and the Payment Services Regulation (PSR), which are in the legislative process. PSD3 and PSR will modernise the open banking framework, adjust strong customer authentication requirements, and clarify liability for fraud. The transition timetable means that firms entering the EU payments market now are entering under PSD2 rules, with changes coming.

Under the current framework, non-EU firms providing payment services to EU clients must do so through an EU-authorised entity. Payment institution authorisation and electronic money institution (EMI) authorisation are both obtained from NCAs and passport across the EU. There is no third-country regime that grants market access to non-EU payment service providers. A firm that wants to issue e-money, operate a payment account, execute payment transactions, or provide payment initiation or account information services must either hold EU authorisation or partner with an EU-authorised entity.

EMI authorisation in particular has become a common route for non-EU fintech firms entering the EU market. An EMI licence grants the right to issue e-money and provide associated payment services, and the regulatory capital requirements are lower than for credit institutions. Lithuania, Ireland, and the Netherlands have been active jurisdictions for EMI authorisation, though supervisory expectations around substance and governance have increased substantially following post-Brexit inflows of applications.

Crypto-assets: MiCA and what it changes for non-EU firms

The Markets in Crypto-Assets Regulation (MiCA), Regulation (EU) 2023/1114, introduces the first comprehensive EU-wide regulatory framework for crypto-assets. For non-EU firms, MiCA matters in two distinct ways: as a licensing regime for crypto-asset service providers serving EU clients, and as a regulatory framework that applies to stablecoin issuers regardless of where they are incorporated.

Crypto-asset service providers (CASPs) providing services to EU clients must be authorised under MiCA. The authorisation is granted by an NCA and passports across the EU. The full MiCA CASP authorisation requirements applied from 30 December 2024, though transitional provisions allowed firms that were already providing crypto-asset services under applicable national law to continue operating under a transitional regime while their authorisation applications are processed, with that transitional period running until 1 July 2026 at the latest for most member states.

For non-EU CASPs that were not already operating in the EU under national law before MiCA applied, the transitional provisions are not available. These firms must obtain CASP authorisation before providing services to EU clients. The authorisation process requires establishing an EU legal entity, meeting capital requirements, satisfying governance and organisational requirements, and submitting an application to the NCA of the chosen home member state. Processing times vary significantly across member states.

MiCA’s stablecoin provisions apply to issuers of asset-referenced tokens (ARTs) and e-money tokens (EMTs) based on where the tokens are offered or traded, not only on where the issuer is incorporated. Non-EU stablecoin issuers whose tokens are actively used or distributed in the EU need to assess whether MiCA’s ART or EMT requirements apply to them. For significant ARTs and EMTs, additional obligations apply under direct EBA supervision. The threshold calculations that determine whether a stablecoin is significant are set out in the regulatory technical standards under MiCA.

DORA: the cross-cutting obligation non-EU firms miss

The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, applies to financial entities in the EU. The practical implication for non-EU firms is that once a firm has established an EU-authorised entity, whether as an investment firm, payment institution, EMI, CASP, or any other regulated financial entity, DORA applies to that entity. This includes ICT risk management requirements, incident reporting obligations, digital operational resilience testing, and third-party ICT risk management obligations.

The third-party risk provisions of DORA are particularly relevant for non-EU groups that will provide ICT services to their EU-authorised entities from outside the EU. Under Article 28 of Regulation (EU) 2022/2554, the EU entity is responsible for managing the ICT third-party risk created by those intragroup arrangements. The EU entity must maintain a register of all ICT third-party service providers including intragroup providers, ensure that contractual arrangements meet DORA’s minimum requirements, and maintain exit plans. Supervisors have made clear that the fact that a provider is a parent or affiliated entity does not reduce the EU entity’s obligations under DORA. For a full account of what DORA’s third-party risk requirements demand in practice, see DORA and ICT third-party risk: what financial firms must now prove.

Non-EU ICT service providers that are designated as critical third-party providers (CTPPs) by the ESAs under DORA’s oversight framework are subject to direct ESA oversight regardless of where they are incorporated. This is one of the few points at which EU financial regulation has direct extraterritorial reach over non-EU entities.

The AI Act: an emerging cross-cutting obligation

The AI Act, Regulation (EU) 2024/1689, introduces risk-based requirements for AI systems placed on the EU market or used in the EU. It applies to providers and deployers of AI systems regardless of where they are established. For non-EU financial firms, the implication is that if AI systems are used in connection with EU clients or EU operations, the AI Act’s requirements may apply.

The AI Act classifies AI systems used for creditworthiness assessment and credit scoring as high-risk. AI systems used in insurance risk assessment and pricing are also classified as high-risk. For financial firms, this means that AI systems used in client-facing credit or insurance decisions, or in trading and risk management systems that meet the high-risk classification criteria, are subject to requirements including conformity assessment, technical documentation, human oversight measures, and registration in the EU database. The provisions for high-risk AI systems apply from 2 August 2026. Non-EU firms deploying AI in EU financial services contexts need to have assessed their AI systems against the high-risk classification criteria in advance of that date.

Regulatory monitoring once you are operating

Entering the EU financial market is a point-in-time event. Staying compliant is a continuous obligation. The EU regulatory framework evolves through a multi-layered process in which the headline regulation is often less important for day-to-day compliance than the regulatory technical standards, implementing technical standards, guidelines, and supervisory expectations that are issued beneath it.

For non-EU firms that have established EU-authorised entities, the volume of regulatory output that is relevant to their operations is substantial. ESMA, EBA, the European Insurance and Occupational Pensions Authority (EIOPA), and the national competent authorities all issue guidance, consultations, and updates that may change what is required. The failure mode that most compliance teams experience is not missing the headline regulation but missing the RTS that specifies what the regulation actually requires in practice. For an explanation of how EU regulatory technical standards work and why they matter more than most firms realise, see what are regulatory technical standards and why do they matter more than the regulation itself.

For non-EU firms entering the EU market without large compliance teams, the practical challenge is building a monitoring function that does not depend on manually tracking EUR-Lex, ESA websites, and NCA publications. The horizon scanning approach, as distinct from point-in-time compliance assessment, is what separates firms that are consistently ahead of regulatory changes from those that are consistently reacting to them. For a full account of what regulatory horizon scanning means in practice and why most available tools do not serve it well, see what is regulatory horizon scanning and why compliance teams need it.

Where to start

The regulatory analysis for a specific market entry begins with activity mapping. The correct starting point is not “what licences exist in the EU” but “what activities are we conducting, with what counterparties, in which member states, and through which entities.” The regulatory framework that applies follows from those answers.

For most non-EU firms contemplating EU market entry, the practical sequence is: engage regulatory counsel in the target home member state early, before product or entity structure decisions are made; map the full set of applicable regimes based on the planned activity; assess whether any third-country regimes provide a less onerous route to market for the initial phase; plan the authorisation timeline against the commercial timeline; and build a regulatory monitoring function that will keep the EU entity current on the evolving requirements it will face once authorised.

The authorisation is the beginning of the regulatory relationship, not the end of it.

Forseti, Citium’s EU regulatory intelligence platform, is in development and will monitor EU financial regulatory developments continuously, anchored to verified official sources. If you want to be kept informed ahead of launch, get in touch.
