
EU financial regulation in 2026: what it covers, who it affects, and why horizon scanning matters
EU financial regulation has never moved faster. MiCA, DORA, PSD3, EMIR REFIT, AIFMD II, and the AI Act are reshaping the compliance landscape simultaneously. This article maps the regulatory terrain, identifies who is affected, and explains why tracking what is coming matters as much as managing what is already in force.
Why 2026 is a turning point
The EU’s approach to financial regulation has always been systematic. What has changed in the past three years is the pace. Legislation that spent years in consultation and political negotiation is now entering its application phase simultaneously across multiple domains: crypto-assets, digital operational resilience, payment services, derivatives reporting, fund management, and artificial intelligence.
For compliance professionals, fintech founders, and boutique investors, this creates a compound monitoring problem. Each regulation has its own scope, its own timeline, and its own enforcement architecture. Tracking all of them in isolation is expensive. Missing the interaction effects between them is a material risk.
This article offers a structured overview of the current EU financial regulatory landscape, outlining what each major framework covers, who it affects, and when the key deadlines fall. It is intended as a high-level reference rather than a comprehensive guide to any single regulation. This piece is part of a series in which each article will focus on a specific regulatory area.
The regulatory frameworks in force and in progress
MiCA: Markets in Crypto-Assets Regulation
MiCA is the EU’s unified regulatory framework for crypto-assets. It covers issuers of asset-referenced tokens and e-money tokens, as well as crypto-asset service providers (CASPs) offering custody, trading, exchange, and advisory services.
The regulation entered into force in June 2023. Provisions covering asset-referenced tokens and e-money tokens applied from June 2024. The full framework, including CASP authorisation requirements, applied from December 2024. National transitional periods allowed some existing operators to continue under prior national regimes until mid-2025.
MiCA is significant not only for the obligations it imposes but for what it replaces. Firms that previously operated under patchwork national frameworks in Germany, France, Malta, or elsewhere now face a single EU-wide standard. For firms authorised under one EU member state, MiCA provides passporting rights across the bloc.
The practical obligations include white paper disclosure requirements for token issuers, capital adequacy rules, custody and segregation standards, market abuse rules, and ongoing reporting. ESMA and EBA have issued, and continue to issue, extensive technical standards and guidelines that fill in the implementation detail.
A detailed guide to MiCA obligations, timelines, and affected entities will be published in this series.
DORA: Digital Operational Resilience Act
DORA establishes a unified framework for ICT risk management across financial services. It applies from January 2025 to banks, investment firms, insurance companies, payment institutions, crypto-asset service providers, and a broad category of ICT third-party service providers that serve regulated entities.
The regulation addresses five domains: ICT risk management, incident classification and reporting, digital operational resilience testing, third-party ICT risk management, and information sharing. The third-party provisions are among the most consequential: DORA extends compliance obligations down the supply chain to cloud providers, data analytics firms, and software vendors serving regulated financial entities.
DORA creates a new regulatory category of critical ICT third-party providers (CTPPs), subject to direct oversight by EU supervisory authorities. Firms that provide core infrastructure to multiple regulated entities simultaneously face heightened scrutiny under this designation.
For compliance teams, DORA requires documented ICT risk management frameworks, defined incident response and reporting procedures, and contractual clauses in third-party agreements that may require renegotiation of existing vendor contracts. The deadlines are not theoretical: ESMA and the ESAs have begun reviewing compliance postures.
A detailed compliance checklist for financial entities will be published in this series.
PSD3 and PSR: the next generation of payment services regulation
PSD2 opened the EU payments market and mandated strong customer authentication and open banking. PSD3, combined with the Payment Services Regulation (PSR), continues that trajectory while addressing problems that emerged during PSD2 implementation: inconsistent SCA enforcement, fraud liability gaps, and uneven access to payment infrastructure.
PSD3 was adopted in principle in 2023 and is expected to enter into application from 2026 onward, with member states requiring time to transpose the directive into national law. The PSR, as a directly applicable regulation, will take effect without transposition.
Key changes include stronger anti-fraud requirements and new liability rules, expanded open banking rights for third-party providers, clearer rules on access to payment account infrastructure, and updated strong customer authentication provisions. Fintech firms that built products on PSD2 open banking rails will need to review their technical and contractual arrangements.
A detailed guide to PSD3 changes for fintech product and compliance teams will be published in this series.
EMIR REFIT: updated derivatives reporting
The European Market Infrastructure Regulation (EMIR) governs the reporting, clearing, and risk mitigation of derivatives contracts. EMIR REFIT introduced a significant update to reporting requirements, with the new technical standards applying from April 2024.
The changes affect both financial and non-financial counterparties, as well as trade repositories and CCPs. The updated reporting fields, data formats, and reconciliation requirements represent a substantial operational lift for firms that have been reporting under the prior standards. Firms that have not completed their EMIR REFIT implementation should treat this as a current compliance gap, not a future obligation.
AIFMD II: revised rules for alternative fund managers
The revised Alternative Investment Fund Managers Directive (AIFMD II) was adopted in early 2024, with member states required to transpose it by April 2026. The changes affect alternative investment fund managers across private equity, hedge funds, real estate funds, and other alternative strategies.
The principal changes cover delegation arrangements (tightening the conditions under which fund management functions can be delegated outside the EU), liquidity risk management for open-ended funds, new loan origination rules for credit funds, and enhanced reporting and disclosure requirements.
Fund managers that have relied on delegation structures for portfolio management or risk oversight should review those arrangements against the updated requirements. The delegation rules are of particular relevance to non-EU managers who access EU markets through EU-domiciled management companies.
The EU AI Act: implications for financial services
The AI Act is not a financial services regulation, but its impact on the sector is direct and material. The regulation classifies AI systems by risk level and imposes proportionate obligations on providers and deployers of high-risk systems.
For financial services, the high-risk category includes AI systems used in credit scoring, insurance risk assessment, and certain customer-facing applications. Firms using automated decisioning in lending, underwriting, or fraud detection need to assess whether their systems fall within the high-risk category and, if so, implement the associated requirements: conformity assessments, documentation, human oversight provisions, and transparency obligations.
The AI Act applies from August 2024 in phases, with high-risk system requirements applying from August 2026. A detailed guide to the AI Act’s financial services implications will be published in this series.
Who needs to pay attention
The affected population is broader than it might initially appear. The obvious constituents are banks, asset managers, insurance companies, and payment institutions. But the practical scope extends significantly.
Fintech founders and product teams are affected by MiCA if their product touches crypto-assets, by PSD3 if it operates in the payments space, and by the AI Act if it uses automated decisioning in customer-facing or credit-related contexts. DORA affects any fintech that processes payments or holds client assets, as well as any technology firm that provides services to regulated entities.
Boutique investors and fund managers operating in the EU or accessing EU investors face AIFMD II compliance, EMIR reporting obligations if they trade derivatives, and potentially DORA-related requirements on their ICT vendors.
Compliance professionals at regulated firms face the compound monitoring challenge: multiple regulations, multiple application dates, multiple technical standards being issued on different timelines by ESMA, EBA, EIOPA, and national competent authorities.
International firms entering the EU market face an additional layer of complexity. The EU’s regulatory framework is designed as a self-contained system with passporting logic for authorised entities. Third-country firms accessing EU clients or markets typically need EU-based authorisation under one or more of these frameworks, or must rely on increasingly constrained equivalence decisions and reverse solicitation provisions.
Why horizon scanning matters as much as compliance management
There is a practical distinction between managing what is already in force and tracking what is coming. Compliance management addresses current obligations. Horizon scanning addresses emerging ones.
The distinction matters for several reasons.
Regulatory change in the EU follows a multi-year process: Commission proposal, trilogue negotiation, adoption, publication in the Official Journal, transposition periods (for directives), and then the phased application of technical standards and guidelines. A regulation adopted today may not apply in full for two or three years, but the decisions that affect compliance cost, product design, and market strategy need to be made now, not when the deadline arrives.
Technical standards and guidelines often contain the detail that determines actual compliance burden. The framework regulation sets the policy direction; the regulatory technical standards (RTS) and implementing technical standards (ITS) specify the operational requirements. Monitoring only the framework-level regulation and missing the standards pipeline is a common failure mode for teams without dedicated regulatory intelligence capacity.
There is also an interaction layer. DORA and MiCA overlap: CASPs are in scope for DORA as well as MiCA, meaning crypto-asset firms face operational resilience requirements that are distinct from their MiCA authorisation obligations. The AI Act intersects with the credit scoring and fraud detection systems that are already embedded in core banking operations. PSD3 interacts with DORA on operational resilience for payment institutions. Tracking these interactions requires monitoring the regulatory landscape as a system, not as a list of independent items.
The monitoring problem
The volume of regulatory output from ESMA, EBA, EIOPA, and the Commission is not manageable by manual review for most teams. In 2025 alone, the three European supervisory authorities published hundreds of consultation papers, final reports, Q&A updates, guidelines, and supervisory statements. Each item may or may not be relevant to a given firm, depending on its activity, size, and market position.
The alternative to systematic monitoring is reactive compliance: discovering obligations when they are already close to their application date, or worse, after enforcement action has begun. Regulatory penalties in the EU are structured to be proportionate to firm size and severity of breach, but the reputational cost of a public enforcement action typically exceeds the financial penalty.
Effective horizon scanning requires a system that continuously monitors the regulatory output of the relevant authorities, filters for relevance to a specific firm’s activity profile, and surfaces material developments with enough lead time to make considered decisions.
That is the problem this series of articles addresses in methodological terms. It is also the problem that tools designed specifically for regulatory intelligence exist to solve.
This article is the hub for the EU regulation content series on this site. As individual regulation guides are published, they will be linked from this page. For the research systems architecture that underpins how systematic regulatory monitoring works in practice, see "AI belongs after the data is clean, not before".