
How EU financial regulation actually works: regulations, directives, and technical standards explained
Most compliance professionals track the headline regulation and miss the technical standards, which is where the actual compliance requirements live. This article explains the difference between a regulation and a directive, what implementing acts and delegated acts are, how ESMA, EBA, and EIOPA fit into the system, and why a CELEX number is more useful than a regulation name when you need to find the authoritative source.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for advice specific to your situation.
The problem with tracking regulation by name alone
When DORA entered into application in January 2025, many compliance teams had spent months preparing. They had read the regulation, mapped their ICT risk management frameworks, and reviewed their third-party contracts. A significant number had not, however, fully tracked the regulatory technical standards that ESMA, EBA, and the other supervisory authorities had been issuing throughout 2024.
Those standards specified, among other things, the exact criteria for classifying ICT incidents, the content requirements for incident reports, and the contractual provisions that must appear in agreements with third-party ICT providers. None of that detail appears in the regulation itself. It lives in the secondary legislation, issued on a separate timeline by separate bodies, often after the regulation has already entered into force.
This is not unusual. It is how EU financial regulation works. Understanding the structure of the system is not an administrative exercise. It is a precondition for monitoring it effectively.
The two primary legal instruments: regulations and directives
The EU produces two main types of binding legislative acts relevant to financial services: regulations and directives. The distinction matters practically.
A regulation is directly applicable across all EU member states without any action by national governments. When the EU adopts a regulation, it applies simultaneously and identically in every member state on its application date. MiCA is a regulation. EMIR is a regulation. The EU AI Act is a regulation. Once a regulation’s application date passes, there is no variation in legal requirement from one member state to another.
A directive sets out a legal objective that member states must achieve, but requires each member state to pass its own national legislation to implement it. This transposition process introduces two complications. First, there is a deadline for transposition, and member states do not always meet it. Second, directives give member states some discretion in how they implement the objective, which means the resulting national laws can differ from country to country even when they are implementing the same directive.
DORA is a regulation. PSD3 is a directive. AIFMD II is a directive. This distinction has direct consequences for compliance planning. A firm tracking its obligations under PSD3 cannot simply read the directive text and treat it as its compliance requirement. It needs to track the national implementing legislation in each jurisdiction where it operates, on potentially different timelines.
For directives, the practical compliance obligation is the national law, not the directive itself. The directive sets the ceiling, but national implementations may vary within it.
What “entering into force” and “applying” mean, and why the gap matters
EU legislation commonly passes through two key dates: the date it enters into force and the date it applies.
Entering into force refers to when the act becomes part of EU law, typically twenty days after publication in the Official Journal of the European Union. Applying (or entering into application) refers to when the substantive obligations take effect and can be enforced. For major financial regulations, there is often a gap of one to three years between these two dates, sometimes longer.
MiCA entered into force in June 2023. Full application, including CASP authorisation requirements, was December 2024. DORA entered into force in January 2023 and applied from January 2025. The interval is not a grace period in the colloquial sense. It is the period during which firms are expected to prepare, and during which the secondary legislation that fills in the detail is being developed and published.
The interval is also when the regulatory technical standards pipeline is most active, which brings us to the layer most commonly missed.
The secondary legislation layer: where compliance requirements actually live
The headline regulation or directive sets the framework: scope, objectives, principal obligations, and enforcement architecture. The operational detail lives in secondary legislation. For EU financial regulation, secondary legislation takes three primary forms.
Regulatory technical standards (RTS) are developed by the European supervisory authorities (ESAs) and adopted by the Commission. They are binding in their entirety and directly applicable across member states, like regulations. An RTS specifies exactly how a requirement in a parent regulation must be implemented. DORA’s RTS on ICT incident classification specifies the thresholds and criteria that determine whether an incident must be reported as a major incident, in what timeframe, and to which authority. That level of operational detail does not appear in DORA itself.
Implementing technical standards (ITS) also come from the ESAs, but where RTS establish the substance of requirements, ITS specify the uniform format, template, or procedure for implementation. An ITS might specify the exact data fields required in a regulatory report, or the standard template for a disclosure document. The distinction between RTS and ITS is sometimes described as: RTS tells you what to do, ITS tells you the exact format in which to do it.
Delegated acts and implementing acts are issued by the Commission, not the ESAs, typically to supplement or amend a regulation in areas where the Commission has been given specific power to act. SFDR’s detailed disclosure requirements, including the principal adverse impact indicators and the template for the periodic reports, came through a delegated regulation that took effect separately from the framework SFDR regulation.
For most regulated firms, the practical compliance burden is in the secondary legislation, not the framework regulation. The framework regulation tells you that you must have an ICT risk management framework. The RTS tells you what that framework must contain, how it must be documented, what it must cover, and how it must be tested.
The supervisory authorities: ESMA, EBA, EIOPA, and the ECB
Secondary legislation in EU financial services is developed primarily by three bodies: the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA), and the European Insurance and Occupational Pensions Authority (EIOPA). Together they are referred to as the European supervisory authorities (ESAs). The European Central Bank (ECB) has supervisory authority over significant credit institutions through the Single Supervisory Mechanism, with a somewhat separate mandate.
The division of responsibility broadly follows sector lines.
ESMA covers capital markets and investment services. It develops standards under MiFID II, the Prospectus Regulation, EMIR, SFDR, and now MiCA (jointly with EBA for certain aspects). ESMA also issues supervisory convergence guidance, Q&As, and opinions that, while not legally binding, carry significant weight in practice. National competent authorities are expected to follow ESMA guidelines unless they have good reason not to, and departures must be notified to ESMA.
EBA covers banking, payment services, and electronic money. It develops standards under the Capital Requirements Regulation (CRR), PSD2 and PSD3, DORA (jointly with ESMA and EIOPA), and AML/CFT regulation. EBA is the primary authority for prudential requirements for banks and for payment institution oversight.
EIOPA covers insurance and occupational pensions. For most fintech founders and crypto-asset businesses, EIOPA is less immediately relevant than ESMA and EBA, but it becomes relevant for firms distributing insurance products or operating pension-related services.
All three authorities publish their output on their respective websites and feed into EUR-Lex, the official EU law database. Tracking what any one of them has published across the regulations relevant to a given firm’s activity is not a trivial monitoring task.
National competent authorities and what they add to the picture
The ESAs develop standards and provide supervisory convergence. Actual authorisation, supervision, and enforcement happen at the national level, through national competent authorities (NCAs).
Under MiCA, a crypto-asset service provider applies for authorisation with the NCA of the member state in which it is established. Once authorised, it can passport that authorisation to other member states. The NCA conducts the authorisation assessment, applies the MiCA requirements as its legal basis, and handles enforcement if those requirements are breached.
Under DORA, the ESAs directly supervise critical ICT third-party providers. For the financial entities using those providers, however, supervision sits with the relevant NCA: the banking supervisor for banks, the securities regulator for investment firms, and so on.
NCAs also publish their own guidance, which can supplement or clarify ESA-level requirements in jurisdiction-specific ways. An NCA may issue guidance on how it will assess MiCA authorisation applications, what documentation it expects, or how it interprets particular provisions. That guidance is not EU-level secondary legislation, but it is the authoritative view of the authority that will actually be making the decisions affecting a firm operating in its jurisdiction.
CELEX numbers: why they matter more than regulation names
Every document published in the EU’s legal system is assigned a unique identifier called a CELEX number. A CELEX number follows a structured format that encodes the type of act, the institution or body that issued it, the year, and a sequential number.
For example, Regulation (EU) 2023/1114, which is MiCA, has the CELEX number 32023R1114. The leading 3 indicates a secondary law act. The 2023 is the year. The R indicates a regulation. The 1114 is the sequential number for that year.
The CELEX number matters for one practical reason: it is the stable, unique identifier for a specific legal document in EUR-Lex. Regulation names are imprecise. Multiple regulations may share similar names. Regulations are amended, and the amended version may have a different common name but the same CELEX base. When you are trying to locate the authoritative text of a specific requirement, the CELEX number gets you there directly.
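If a monitoring system treats CELEX numbers as lookup keys, it should validate them strictly before building EUR-Lex URLs or database queries from them, so that a malformed or tampered identifier is rejected rather than passed through. The following is an added example, not code from this article or from Citium's Forseti platform. The only worked value on the page is MiCA, Regulation (EU) 2023/1114, CELEX 32023R1114; the descriptor letters L (directive) and D (decision), the zero-padding of the sequence number to four digits, the pre-2015 "No 648/2012" citation style, and the EUR-Lex URL pattern are assumptions drawn from the public EUR-Lex numbering scheme, not from the page.

```python
"""Strict parsing of CELEX identifiers for a regulatory monitoring pipeline.

Added example, not from the article or from Citium/Forseti. Assumptions
(not on the page): descriptors L = directive and D = decision, 4-digit
zero-padded sequence numbers, the old "No NNN/YYYY" citation style, and
the EUR-Lex URL pattern below.
"""
import re
from dataclasses import dataclass

# sector digit | 4-digit year | 1-2 letter descriptor | 4-digit sequence number.
# Anchored on both ends: trailing suffixes, whitespace, lowercase letters or
# injected characters fail to match and are rejected instead of reaching a URL.
_CELEX_RE = re.compile(
    r"^(?P<sector>[0-9])(?P<year>\d{4})(?P<descriptor>[A-Z]{1,2})(?P<number>\d{4})$"
)

# Sector 3 = secondary legislation (from the article). EUR-Lex has other
# sectors, but this example deliberately allow-lists only the one it handles.
_SECTORS = {"3": "secondary legislation"}

# R = regulation comes from the article; L and D are assumed from EUR-Lex.
_DESCRIPTORS = {"R": "Regulation", "L": "Directive", "D": "Decision"}
_DESCRIPTOR_BY_TYPE = {name: code for code, name in _DESCRIPTORS.items()}

# Assumed EUR-Lex URL pattern for fetching a document by CELEX number.
EURLEX_CELEX_URL = "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:{celex}"


@dataclass(frozen=True)
class Celex:
    sector: str
    year: int
    descriptor: str
    number: int

    @property
    def sector_name(self) -> str:
        return _SECTORS[self.sector]

    @property
    def act_type(self) -> str:
        return _DESCRIPTORS[self.descriptor]

    def __str__(self) -> str:
        # Canonical form, e.g. 32023R1114; the sequence number is zero-padded.
        return f"{self.sector}{self.year:04d}{self.descriptor}{self.number:04d}"

    def citation(self) -> str:
        # Post-2015 citation style, e.g. "Regulation (EU) 2023/1114".
        return f"{self.act_type} (EU) {self.year}/{self.number}"

    def eurlex_url(self) -> str:
        return EURLEX_CELEX_URL.format(celex=str(self))


def parse_celex(raw: str) -> Celex:
    """Parse a CELEX number, rejecting anything outside the allow-listed form."""
    m = _CELEX_RE.match(raw)
    if m is None:
        raise ValueError(f"not a CELEX number in the supported form: {raw!r}")
    sector, descriptor = m["sector"], m["descriptor"]
    if sector not in _SECTORS:
        raise ValueError(f"unsupported CELEX sector {sector!r}")
    if descriptor not in _DESCRIPTORS:
        raise ValueError(f"unsupported CELEX descriptor {descriptor!r}")
    return Celex(sector, int(m["year"]), descriptor, int(m["number"]))


# Accepts "Regulation (EU) 2023/1114" (year first, post-2015 style) and the
# older "Regulation (EU) No 648/2012" (number first, assumed pre-2015 style).
_CITATION_RE = re.compile(
    r"^(?P<type>Regulation|Directive|Decision)\s+\(EU\)\s+"
    r"(?:No\s+(?P<old_number>\d{1,4})/(?P<old_year>\d{4})"
    r"|(?P<year>\d{4})/(?P<number>\d{1,4}))$"
)


def celex_from_citation(citation: str) -> str:
    """Turn a common citation into the CELEX key used to fetch the source text."""
    m = _CITATION_RE.match(citation.strip())
    if m is None:
        raise ValueError(f"unrecognised citation: {citation!r}")
    year = int(m["year"] or m["old_year"])
    number = int(m["number"] or m["old_number"])
    return str(Celex("3", year, _DESCRIPTOR_BY_TYPE[m["type"]], number))


if __name__ == "__main__":
    mica = parse_celex("32023R1114")
    print(mica.citation(), "->", mica.eurlex_url())
    print(celex_from_citation("Regulation (EU) No 648/2012"))
```

The parser is an allow-list rather than a best-effort cleaner on purpose: an identifier that comes from a third-party feed and does not match the canonical form is something the pipeline should log and quarantine, not silently normalise, because the CELEX number is the anchor that makes every downstream obligation traceable to an official source.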
A future article in this series will cover how to read and use CELEX numbers in detail.
The monitoring problem this structure creates
Tracking EU financial regulation effectively means tracking several things simultaneously: the framework regulations and directives that set the principal obligations, the technical standards being developed and adopted on their own timelines, the NCA guidance specific to the jurisdictions where you operate, and the Q&As and supervisory statements that clarify how requirements will be interpreted in practice.
These items are published by different bodies, on different timelines, in different sections of EUR-Lex and on the ESAs’ own websites. A regulation may apply from a given date while several of its mandated technical standards are still in development. A firm that considers itself compliant with the regulation may be non-compliant with an RTS that entered into force six months later and which changed the operational requirement materially.
Manual monitoring of this landscape is feasible for a dedicated regulatory team with sufficient capacity. It is not feasible for a compliance function of two or three people managing a broad range of obligations across multiple frameworks. The monitoring problem is a structural feature of how EU financial regulation is produced, not a temporary condition of a fast-moving period.
Understanding the structure is the first step. Building a system that monitors the structure continuously is the second.
This article is part of the EU regulation series on this site. For an overview of the regulatory landscape, see EU financial regulation in 2026. For the methodology behind traceable regulatory intelligence systems, see AI belongs after the data is clean, not before.
Forseti, Citium’s EU regulatory intelligence platform, is in development and will continuously monitor the EU legislative pipeline via EUR-Lex, covering adopted regulations, directives, implementing acts, and delegated acts, each anchored to a verified CELEX-identified official source. If you want to be kept informed ahead of launch, get in touch.