
Non-EU firms entering the EU financial market: passporting, reverse solicitation, and third-country regimes
Passporting, reverse solicitation, and third-country regimes are the three concepts that most confuse non-EU firms planning EU market entry. This article explains what each mechanism actually does, where it applies, and where the gaps are that force firms toward full EU authorisation.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for advice specific to your situation.
The three mechanisms non-EU firms always ask about
When a financial firm outside the EU begins planning EU market entry, three terms appear immediately in every regulatory conversation: passporting, reverse solicitation, and third-country regimes. Each is real. Each applies in specific and limited circumstances. And each is routinely misunderstood in ways that create material legal risk for firms that rely on them incorrectly.
This article explains what each mechanism actually does, regulation by regulation, where it applies and where it does not, and what the gaps mean in practice for US, UK, Singapore, and other non-EU firms trying to access EU clients.
The short version, developed in full below, is this: passporting is only available to firms that already hold EU authorisation; reverse solicitation is far narrower than most non-EU firms believe; and third-country regimes exist under some EU frameworks but not others, vary significantly in scope, and in some cases exist only on paper because the equivalence assessments required to activate them have never been completed. For most non-EU firms accessing EU clients on a systematic basis, the only sustainable route is establishing and authorising an EU entity.
For context on the EU licensing framework and the process of obtaining EU authorisation, see entering the EU financial market: a regulatory guide for non-EU firms.
What passporting is and what it is not
Passporting is a mechanism within the EU single market that allows a firm holding authorisation from one EU member state’s national competent authority (NCA) to provide services across all other EU member states, either by establishing a branch or on a cross-border basis, without obtaining separate licences in each member state.
The critical qualification is the first word: within. Passporting is an intra-EU mechanism. It operates between EU member states. A firm that is not authorised in any EU member state has no passport, because there is nothing to passport.
Non-EU firms that ask whether they can “passport into the EU” are asking a question that does not have a yes answer. The correct question is: how do we obtain an EU authorisation from which we can then passport? The answer to that question depends on the regulated activity and involves establishing an EU legal entity and obtaining authorisation from an NCA in the chosen home member state.
Once that EU entity holds authorisation, it can passport the licence across the rest of the EU through a notification process. Passporting is then the mechanism that makes it unnecessary to seek separate authorisation in each member state where the firm wants to operate. That is the value of the single market for financial services: one NCA, one licence, EU-wide access.
The choice of home member state matters for this reason. Because all subsequent EU activity flows from the single NCA authorisation, the NCA that grants the licence becomes the firm’s primary supervisor for EU purposes. Firms choose home member states based on NCA processing speed, supervisory culture, experience with specific business models, and available legal and operational infrastructure. Ireland, Luxembourg, the Netherlands, and Germany have historically been the primary choices for investment firm authorisation. Lithuania, Ireland, and the Netherlands have been active for payment institution and e-money institution authorisation. Luxembourg and Malta have been active for MiCA crypto-asset service provider authorisation.
Reverse solicitation: what it permits and what it does not
Reverse solicitation is the exception under MiFID II, as implemented in national law, that allows a non-EU investment firm to provide investment services to an EU client without EU authorisation, on the specific condition that the client initiates the contact with the firm exclusively at the client’s own initiative, without any form of solicitation, marketing, or outreach from the firm directed at that client or at EU clients generally.
The word exclusively is doing most of the work in that sentence. ESMA has been consistent and explicit that reverse solicitation is interpreted narrowly. The conditions under which it applies are cumulative:
The client must initiate contact. Not the firm. Not a partner or agent acting on the firm’s behalf. Not a referral arrangement structured to create the appearance of client-initiated contact. The client.
The contact must be exclusively at the client’s own initiative. If the firm has engaged in any form of marketing, advertising, or promotion directed at EU clients, any contact from an EU client who saw that marketing cannot be treated as exclusively the client’s own initiative, because the firm’s marketing was part of the causal chain that led to the contact.
The reverse solicitation exception applies to the specific service the client requested. It does not grant permission for the firm to market additional services to that client, to proactively contact the client about other opportunities, or to treat the initial contact as establishing an ongoing permission to serve the client across a broader service set.
Why firms misunderstand reverse solicitation
The misunderstanding arises because non-EU firms, particularly US broker-dealers and investment advisers, encounter EU clients who contact them directly, often because the client has an existing relationship with the firm’s US operation or found the firm through general market reputation. The firm reasonably asks whether it can serve this client without going through EU authorisation.
The answer, in the narrow circumstances described above, is yes: a single EU client who contacts a non-EU firm without any EU-directed marketing, to request a specific service, can in principle be served without EU authorisation under reverse solicitation.
The problem is that this exception does not scale into a market access strategy. A firm that is systematically receiving EU client inquiries, even if those inquiries are genuinely client-initiated, needs to examine why that is happening. If the firm has a website accessible to EU clients, attends financial conferences where EU clients are present, is mentioned in publications that EU clients read, or has any form of marketing presence that EU clients encounter, the sustainability of treating the resulting inquiries as reverse solicitation is questionable. ESMA has been explicit that the exception applies to truly exceptional individual circumstances, not to a pattern of EU client engagement that happens to be client-initiated.
Several NCAs have taken enforcement action against non-EU firms that structured their EU operations around broad claims of reverse solicitation. The enforcement risk associated with reliance on reverse solicitation as a market access strategy is real and well-documented.
Reverse solicitation under MiCA
MiCA (Regulation (EU) 2023/1114) contains a reverse solicitation provision at Article 61 that mirrors the MiFID II framework. A non-EU crypto-asset service provider can serve an EU client without MiCA authorisation where the client initiates contact exclusively at their own initiative and the service provided is limited to what the client requested. The same narrowness applies: it is an exception for specific client-initiated transactions, not a market access strategy.
ESMA’s guidance on MiCA reverse solicitation is consistent with its longstanding MiFID II position. NCAs are expected to apply the exception narrowly and to treat systematic reliance on it by non-EU CASPs as potential circumvention of the MiCA authorisation requirement.
Third-country regimes: where they exist and where they do not
A third-country regime is a mechanism within a specific EU regulatory framework that allows firms incorporated outside the EU to access the EU market or EU clients under defined conditions, typically involving an equivalence assessment of the regulatory framework in the firm’s home jurisdiction and some form of registration or notification rather than full EU authorisation.
Third-country regimes are framework-specific. They do not exist across all EU financial regulation. Where they do exist, they vary considerably in scope and in whether the equivalence conditions required to activate them have been met in practice.
MiFID II: no third-country passport
MiFID II does not contain a third-country passporting regime of the kind that would allow non-EU investment firms to access retail or professional EU clients on a systematic basis without EU authorisation.
There is a limited mechanism in Articles 46 to 49 of MiFIR, the Markets in Financial Instruments Regulation (Regulation (EU) 600/2014), that allows non-EU investment firms to provide services to professional clients and eligible counterparties across the EU on the basis of a European Commission equivalence decision, without establishing EU legal entities. This is sometimes described as the MiFIR third-country regime. However, the European Commission has issued equivalence decisions for only a small number of jurisdictions in this context, and the political conditions that would lead to broader equivalence decisions, including for the United States, have not materialised. For practical purposes, the MiFIR third-country regime is not a reliable market access route for most non-EU investment firms.
The United Kingdom lost its MiFID II equivalence following Brexit. UK investment firms no longer benefit from EU-wide passporting rights and must establish EU entities to access EU clients on a systematic basis. Some UK firms established EU subsidiaries before the end of the Brexit transition period. Those without EU entities must go through the standard authorisation process.
AIFMD: national private placement regimes
The Alternative Investment Fund Managers Directive (AIFMD), as amended by AIFMD II with transposition by April 2026, does not include a harmonised third-country passport. The AIFMD passport, which would have allowed non-EU AIFMs to market to professional investors across the EU on the basis of an ESMA opinion and Commission delegated act, has never been activated. ESMA issued opinions on individual third countries in 2016 and 2020 but the Commission never triggered the passport.
What exists instead is the national private placement regime (NPPR) framework. Each EU member state may maintain an NPPR that allows non-EU AIFMs to market funds to professional investors in that member state, subject to compliance with the conditions set by that member state’s NCA. NPPR requirements are not harmonised. They vary significantly across member states. Some member states have active and accessible NPPRs. Others have NPPRs that are difficult to access in practice. A small number have no NPPR at all.
Non-EU AIFMs using NPPRs must comply separately with the requirements of each member state in which they market. This typically involves registration with the relevant NCA, compliance with disclosure requirements (often including Annex IV reporting), compliance with selected AIFMD provisions that the member state requires, and in some jurisdictions, compliance with the host member state’s AML and marketing rules. NPPRs are a legitimate route for non-EU managers seeking access to professional investors in specific member states. They are not a single-market solution.
AIFMD II (Directive (EU) 2024/927) introduced changes relevant to non-EU managers, including tighter requirements around delegation arrangements. ESMA has increased scrutiny of delegation structures where the EU AIFM delegates portfolio management back to a non-EU entity, particularly where the EU entity lacks genuine operational substance. Non-EU managers operating through delegation to an EU-authorised AIFM need to review their structures against the updated AIFMD II requirements and ESMA’s guidance on substance.
UCITS: EU domicile required
There is no third-country regime for UCITS. UCITS is an EU-domiciled fund product. A UCITS fund must be established in an EU member state and must be managed by an EU-authorised management company. Non-EU managers can act as investment manager to a UCITS fund through a delegation arrangement from an EU-authorised management company, but the fund itself and its management company must be EU-based. Non-EU managers cannot offer UCITS funds from outside the EU.
Payment services: no third-country regime
PSD2, and the incoming PSD3/PSR framework, does not contain a third-country market access regime. Payment service providers, including payment institutions, e-money institutions, and account servicing payment service providers, must hold EU authorisation to provide services to EU payment service users. There is no mechanism equivalent to reverse solicitation or national private placement for payment services.
Non-EU payment firms must establish and authorise an EU entity. The EMI authorisation route has been the most common for non-EU fintech firms, given its lower capital requirements compared to a credit institution authorisation and its broad functional scope.
MiCA: no third-country passport, transitional provisions expiring
MiCA does not contain a third-country passport for CASPs. A non-EU CASP providing services to EU clients must obtain MiCA authorisation.
MiCA included transitional provisions for CASPs that were already providing crypto-asset services under applicable national law before MiCA applied. Those firms were allowed to continue operating under the transitional period while processing MiCA authorisation applications. The transitional period ends on 1 July 2026. After that date, all CASPs providing services to EU clients must hold MiCA authorisation.
For non-EU CASPs that were not already operating under pre-MiCA national law in any member state, the transitional provisions are not available. These firms must obtain MiCA authorisation before providing services to EU clients. A non-EU CASP that has been providing services to EU clients without authorisation under either national law or MiCA is in breach of MiCA’s requirements and is exposed to enforcement action by the NCAs of member states where it has been providing services.
The EU-US and EU-UK third-country landscape
The absence of formal EU third-country equivalence for US financial firms is a recurring source of difficulty. US broker-dealers regulated by FINRA and the SEC, US investment advisers regulated by the SEC, and US fund managers regulated by the SEC and CFTC do not have a pathway to EU clients based on US regulatory equivalence. The regulatory dialogue between the EU and the United States on financial services equivalence has been ongoing since the Transatlantic Economic Council process but has not produced the equivalence decisions that would activate MiFIR Article 47.
UK firms lost EU equivalence recognition following Brexit. The EU-UK Trade and Cooperation Agreement does not include financial services market access provisions of the kind that would provide substitute access to the single market. UK firms accessing EU clients systematically must, like US and other non-EU firms, establish EU-authorised entities.
Switzerland has some specific arrangements with the EU relating to financial services, but these do not extend to broad equivalence for Swiss investment firms accessing EU clients. Swiss banks, brokers, and fund managers serving EU clients face the same basic need for EU authorisation as US and UK firms.
What non-EU firms must do in practice
The practical conclusion from the above is straightforward. Non-EU firms that want to access EU clients on a systematic and sustainable basis need EU authorisation. The mechanism for obtaining it is establishing a legal entity in the chosen home member state and applying for authorisation as the relevant type of regulated firm.
The steps that follow from the decision to pursue EU market entry are:
Map activities and regulatory classification. Every activity the firm wants to carry out in the EU must be identified and mapped to the relevant regulatory framework. The licensing regime that applies follows from what you do, with whom, and in which member states, not from the name of the firm or its existing regulatory status outside the EU.
Select the home member state. The home member state is the jurisdiction in which the EU entity is incorporated and from which the licence is obtained. The choice affects processing timelines, supervisory culture, available talent pool, and ongoing compliance costs. It deserves careful analysis and regulatory counsel input rather than a default choice based on tax considerations alone.
Plan the authorisation timeline against the commercial timeline. Authorisation timelines for investment firm licences and EMI licences range from 6 to 18 months in most jurisdictions, and can be longer in high-volume periods. A commercial plan that assumes EU market access within three months of deciding to pursue authorisation is not realistic. Authorisation must be planned well in advance of planned commercial launch.
Apply cross-cutting obligations. Once an EU entity is established, DORA applies to that entity. If AI systems are used in EU operations, the AI Act’s high-risk provisions apply from August 2026. These obligations must be mapped against the operating model before authorisation, not after.
Build a continuing regulatory monitoring function. The EU regulatory framework changes continuously through regulatory technical standards, implementing technical standards, and supervisory guidance. A firm that enters the EU market and then tracks regulation only episodically will accumulate compliance gaps. Horizon scanning is the function that prevents this, and it needs to be built or procured before EU operations begin. For a full account of what horizon scanning means in practice, see what is regulatory horizon scanning and why compliance teams need it.
Frequently asked questions
Can a non-EU firm use passporting to access the EU?
No. Passporting is an intra-EU mechanism. It allows a firm that holds EU authorisation to extend that licence across other EU member states without seeking additional licences. A non-EU firm has no EU authorisation and therefore no passport. The correct question is how to obtain EU authorisation, from which the firm can then passport.
How narrow is the reverse solicitation exception under MiFID II?
Very narrow. It applies only where an EU client initiates contact exclusively at their own initiative, without any form of marketing or solicitation from the non-EU firm directed at EU clients. It covers only the specific service the client requested. It cannot be scaled into a market access strategy. ESMA has consistently interpreted it narrowly and NCAs have taken enforcement action against firms that have attempted to rely on it structurally.
Does the MiFIR third-country regime provide EU market access for US investment firms?
Not in practice. The MiFIR Articles 46 to 49 mechanism exists in the regulation, but it requires a European Commission equivalence decision for the relevant jurisdiction. Equivalence decisions covering US investment firm activities in the way that would activate the regime have not been issued. US investment firms serving EU professional clients on a systematic basis need EU authorisation.
What happened to UK passporting rights after Brexit?
UK financial firms lost EU passporting rights at the end of the Brexit transition period on 31 December 2020. The EU-UK Trade and Cooperation Agreement does not provide substitute market access. UK firms that want to provide regulated services to EU clients on a systematic basis must establish and authorise EU entities. Several major UK financial groups established EU subsidiaries in Ireland, Luxembourg, the Netherlands, Germany, and France for this purpose.
Can non-EU fund managers access EU investors through national private placement regimes?
Yes, but NPPRs are not a single-market solution. Non-EU AIFMs can use NPPRs to market non-EU funds to professional investors in individual EU member states that maintain accessible NPPRs. The requirements vary by member state and must be met separately in each jurisdiction where the manager wants to market. For EU-wide access, authorisation as an EU AIFM is required.
What is the deadline for non-EU CASPs to obtain MiCA authorisation?
Non-EU CASPs that were not already operating under pre-MiCA national law in any EU member state must obtain MiCA authorisation before providing services to EU clients. The transitional provisions that allowed some CASPs to continue operating while their applications were processed expire on 1 July 2026. After that date, all CASPs providing services to EU clients must hold MiCA authorisation.
Does establishing an EU entity trigger DORA?
Yes. Once a non-EU firm establishes an EU-authorised entity, DORA applies to that entity. This includes ICT risk management, incident reporting, resilience testing, and third-party risk management obligations. Intragroup ICT services from the non-EU parent to the EU entity must be managed as ICT third-party risk under Article 28 of Regulation (EU) 2022/2554.
Forseti monitors the EU financial regulatory developments that affect non-EU firms operating in the European market, anchored to verified official sources, continuously. Start for free.
Subscribe for news updates.
Steel is the largest sector in scope under the Carbon Border Adjustment Mechanism by volume of affected trade. This guide explains what the CBAM definitive phase requires from steel manufacturers exporting to the EU, how embedded carbon is calculated for steel, and what the default values mean for your commercial relationship with EU buyers.