
Nov 10, 2025

Threats, Incidents, and Attacks Under DORA – What Financial Companies Need to Know

Since January 17, 2025, Regulation (EU) 2022/2554 – better known as DORA – has been compulsory for financial companies. A key objective of the regulation is to strengthen the digital operational resilience of the financial sector and create clear structures for dealing with ICT risks. But not all risks are the same: DORA makes a precise distinction between threats, incidents, and attacks – and attaches different obligations to each category. While threats as potential sources of danger are primarily to be analyzed internally, actual incidents and attacks trigger specific reporting and action obligations. This distinction becomes particularly relevant when it comes to the question of when financial companies are obliged to inform authorities or affected parties. The regulation not only defines what constitutes a cyber threat, an ICT-related incident, or a cyber-attack, but also specifies the steps that companies must take in each case. Precise classification is of central importance not only for compliance, but also for the strategic orientation of ICT risk management.

What Are Threats, Incidents, and Attacks Under DORA?

DORA uses a number of different terms for attacks and incidents. These terms can be broadly divided into two categories: threats (which have the potential to cause damage) and incidents/attacks (the actual events that have caused or are causing damage). Threats refer to possible circumstances or actions that could affect network and information systems (ICT). According to Article 3(12) DORA, a cyber threat is a possible circumstance, event, or action that could harm, disrupt, or otherwise affect network and information systems, the users of these systems, and other persons. According to Article 3(13) DORA, a significant cyber threat is a cyber threat whose technical characteristics indicate that it could have the potential to cause a serious ICT-related incident or a serious payment-related operational or security incident. An ICT-related incident is the most general category of negative event in the ICT sector. It is defined in Article 3(8) DORA as an unplanned event or a series of related events that compromises the security of network and information systems and has an adverse impact on the availability, authenticity, integrity, or confidentiality of data or on the services provided by the financial institution. ICT-related incidents are further subdivided into serious ICT-related incidents and serious payment-related operational or security incidents within the meaning of Article 3(10) and (11) DORA. In contrast, a cyberattack within the meaning of Article 3(14) DORA is a malicious ICT-related incident resulting from an attacker’s attempt to destroy, expose, alter, disable, steal, or gain unauthorized access to or use of an asset.

What Obligations Are Associated With Each Category?

DORA attaches different legal consequences and obligations to threats, incidents, and attacks. There is no external reporting obligation for cyber threats as a general threat category. The information is primarily used for internal analysis and further development of digital operational resilience. Reporting a significant cyber threat to the competent authorities is voluntary under Article 19(2) DORA. Financial companies may share this information if they consider the threat to be relevant to the financial system, service users, or customers. Both ICT-related incidents and cyberattacks only trigger an external reporting obligation if they reach a certain level of severity, i.e., if they are classified as serious. According to Art. 19 (1) DORA, financial companies must therefore report serious ICT-related incidents to the competent authority. Credit institutions, e-money institutions, payment institutions, and account information service providers must also report serious payment-related operational or security incidents in accordance with Article 23 of DORA. It follows from recitals 23 and 54 of DORA that this specific reporting obligation replaces the corresponding reporting obligations under PSD2 in order to avoid duplication of requirements. However, the obligations of financial companies are not limited to reporting requirements. Following disruptions to their main activities as a result of serious ICT-related incidents, financial companies must provide for subsequent reviews of the ICT-related incident. These reviews should investigate the causes and identify improvements to ICT processes or the ICT business continuity policy. In addition, financial companies that are not micro-enterprises must, upon request, notify the competent authorities of the changes made following the review of ICT-related incidents in accordance with Article 13 of DORA. 
Consequently, DORA focuses on proactive integration into risk management and voluntary information sharing in the event of threats, while clear reactive obligations such as reporting, damage limitation, recovery, and root cause analysis are at the forefront in the event of incidents/attacks.

Attorney Anton Schröder

I.  https://fin-law.de

E. info@fin-law.de


Oct 27, 2025

Contract Drafting in the Context of the DORA Regulation – What Do Financial Companies Need to Observe?

Since January 17, 2025, Regulation (EU) 2022/2554 – better known as DORA – has been binding for financial companies and third-party ICT service providers. The regulation not only sets high requirements for digital operational resilience, but also has a direct impact on contract drafting. A key question that arises in practice is: When is a service considered an ICT service within the meaning of DORA? This distinction is crucial because, according to Article 30 DORA, contracts for ICT services must contain certain minimum content. This includes, among other things, clear provisions on risk management, incident reporting, audit rights, and exit strategies. The classification of a service as an ICT service therefore has far-reaching consequences for contract negotiations between financial companies and their service providers. If services that are in fact ICT services are not classified as such, this not only creates compliance risks but also contractual gaps that can lead to liability issues in serious cases. At the same time, DORA shifts the balance of power in contract negotiations: financial companies are now obliged to impose strict requirements on their service providers – which redefines the scope for negotiation for both sides. But how can ICT services be clearly identified, and which contractual clauses are absolutely necessary to meet DORA requirements? These questions are the focus of current discussions and show that DORA represents not only a regulatory challenge, but also a contractual one.

What Are ICT Services?

According to Article 3(21) of DORA, ICT services are digital services and data services that are provided on a permanent basis to one or more internal or external users via ICT systems, including hardware as a service and hardware services, which also includes technical support provided by the hardware supplier by means of software or firmware updates, with the exception of traditional analog telephone services. The definition is very broad in order to cover as many ICT services as possible and effectively implement the objectives of DORA. A key limitation of the scope of application, as set out in the definition, is that only digital services and data services that are provided on a permanent basis are to be covered. This means that only continuing obligations are regularly covered, while one-off services are not. Annex III of Commission Implementing Regulation (EU) 2024/2956 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to standard templates for the information register (ITS on register of information) contains a list of categories of ICT services, each with a brief description. This list can be used as an aid for initial classification. The services mentioned include: ICT project management, ICT development, ICT helpdesk and first-level support, ICT security management services, data provision, data analysis, ICT operating resources and hosting services (excluding cloud services), computing power, data storage outside the cloud, telecommunications providers, network infrastructure, hardware and physical devices, software licensing (excluding SaaS), ICT operations management (including maintenance), ICT consulting, ICT risk management, IaaS, PaaS and SaaS.

Article 30 DORA Defines Clear Minimum Standards for ICT Contracts – Both for Standard and Critical Services

Every contract for ICT services must first contain a precise description of the services, rights, and obligations, including the exact locations where data is processed and stored. Information security and data protection are key: specific technical and organizational measures must be defined to ensure the availability, authenticity, integrity, and confidentiality of all data—regardless of whether it is personal data or not. In addition, regulations on data access in the event of insolvency or termination of the contract are essential to ensure continuity of service. Service level agreements (SLAs) with quantitative and qualitative performance targets are mandatory, as is the service provider’s obligation to provide support in the event of ICT incidents and to relieve the financial company of its reporting obligations. Cooperation with supervisory authorities must be contractually anchored, and the financial company’s termination rights – for example, in the event of violations of compliance requirements or deficiencies in risk management – must be explicitly defined. Finally, participation in digital resilience training should be agreed upon, unless the service provider already has its own qualifications. If critical or important functions are involved, the requirements become more stringent: in this case, extended reporting obligations, emergency plans, participation in penetration tests, and comprehensive audit rights for the financial company are mandatory. Exit management regulations that ensure an orderly transition at the end of the contract or when changing service providers are also particularly relevant. In addition, subcontracting must be strictly controlled and contractually secured in order to avoid unwanted risks.

Attorney Anton Schröder


Oct 20, 2025

Payment Services in Online Gambling – Where Are the Limits for What Is Permissible?

Gambling regulation in Germany is fundamentally a matter for the federal states. The rules governing the permissibility or impermissibility of gambling are therefore regulated separately in each of the federal states in their respective gambling laws. However, in the area of online gambling, the federal states of Germany have decided to introduce uniform regulations that apply to the entire German territory. The creation of uniform rules for online gambling makes sense, especially since access to it does not usually stop at state borders. To achieve this goal, the sixteen German federal states concluded the State Treaty on Gambling (GlüStV) in 2021. In addition to some general provisions concerning stationary offerings, it also contains provisions for common regulations in the area of internet-based gambling and strict compliance obligations for organizers and intermediaries of online gambling. In addition to the requirement to obtain prior permission to organize virtual slot machine games, online casino games, or sports betting, for example, Section 4 (1) sentence 2 GlüStV provides for a so-called prohibition of contribution, which prohibits the provision of payment services to providers of illegal gambling. However, Section 4 (1) sentence 3 GlüStV extends this comprehensible principle to the extent that contribution to payment transactions for other services of a provider is also prohibited if the provider mixes fundamentally permissible services with the offering of unauthorized gambling.

Payment Institutions Must Fully Understand Their Customers’ Business Models

Compliance with the prohibition of contribution under Section 4 (1) sentence 3 GlüStV can be quite challenging for payment institutions. In order not to violate the prohibition of contribution, the payment institution must have a comprehensive understanding of the customer’s business model and be able to classify it under gambling law. If the services offered by a payment institution’s customer include gamification elements or simply random chances of winning, the payment institution must determine with legal certainty whether the customer’s business model contains elements of illegal gambling. In such cases, if a mixture of fundamentally permissible services and illegal gambling means that payments relating to these services cannot be clearly separated from payments relating to illegal gambling, and illegal payment flows are therefore not clearly identifiable, the prohibition of contribution under Section 4 (1) sentence 3 GlüStV applies. As a consequence, the payment service provider may not execute such payments or provide payment services in relation to such transactions. Payment institutions must therefore thoroughly review the business models of their commercial customers to determine whether they contain any elements of illegal gambling.

When Is Gambling Considered Illegal?

The general requirement to obtain a license for organizing or brokering public games of chance is set out in Section 4 (1) sentence 1 GlüStV. Unauthorized gambling within the meaning of the prohibition of contribution is therefore any organization or brokering of public games of chance without the necessary license within the meaning of Section 4 (1) sentence 1 GlüStV. Section 3 (1) GlüStV defines what exactly the State Treaty means by gambling. According to this, gambling is when a fee is charged for the opportunity to win in a game and the decision on the winnings depends entirely or predominantly on chance. The concept of chance can be difficult to interpret, particularly in the case of sports betting, horse betting, and online poker, but the State Treaty clarifies in this regard that dependence on chance is to be assumed in any case if the uncertain occurrence or outcome of future events is decisive. A game of chance is considered public if a large, non-closed group of people has the opportunity to participate, but also if it involves games of chance that are habitually organized in clubs or other closed societies. The question of whether a license is required can be difficult in individual cases, especially in cases where the customer of the payment service provider does not actually intend to organize a public game of chance, but rather it is a random by-product, for example, as part of marketing measures, that is part of the customer’s range of services.

Attorney Dr. Lutz Auffenberg, LL.M. (London)


Oct 13, 2025

Distributors within the Meaning of PSD3 – Are E-Money Agents a Disappearing Concept?

Negotiations on the reform of European payment services law are already well advanced. In future, there will be two new European legal acts, the Payment Services Regulation (PSR) and the third Payment Services Directive (PSD3), which will set out both the private law regulations for payment services in Europe, directly applicable as a regulation (PSR), and the supervisory guidelines for the national legislators of the member states (PSD3). In addition to payment services, the new PSD3 will also regulate the supervisory requirements for companies that conduct business with e-money or issue it. Until now, the relevant provisions were regulated in the second E-Money Directive (EMD2), which is to be abolished when PSD3 comes into force. Art. 3 (4) EMD2 obliges Member States to grant e-money institutions in their respective national supervisory law the possibility of distributing and redeeming e-money via natural or legal persons, also known as e-money agents. However, the issuance of e-money units via e-money agents is not permitted. According to Art. 3 (5) EMD2, e-money units must be issued by the e-money institutions themselves. The German legislature has implemented these requirements in the Payment Services Supervision Act (ZAG). According to Section 1 (10) ZAG, an e-money agent is any natural or legal person who, as an independent commercial operator, distributes and redeems e-money on behalf of an e-money institution. Under the PSD3 regime, however, there will no longer be any e-money agents. The directive provides for the agent concept exclusively for payment services, but not for the new e-money services to be introduced. However, the new term “distributor” is to be introduced.

How Is a Distributor Defined under PSD3?

According to Article 2(36) of the European Commission’s draft directive (PSD3-E), a distributor is a natural or legal person who distributes or redeems e-money on behalf of a payment institution. This definition is very similar to the definition of e-money agents in the EMD2, which is to be replaced. As far as is apparent, the only difference between the definitions is the fact that distributors can be used by payment institutions and e-money agents by e-money institutions. However, since PSD3 also aims to abolish the concept of e-money institutions and instead allow payment institutions to apply for additional authorization to provide e-money services, the reference to payment institutions in the new definition is not surprising. The departure from the term “e-money agent” provided for in the draft PSD3 appears to serve the purpose of establishing a clearer conceptual distinction between agents that can be used for payment services and distributors that can be used for the distribution and redemption of e-money. It should be noted that, under the future PSD3 regime, e-money services are not intended to be payment services, but rather a separate type of regulated service for which payment institutions can obtain a license. Furthermore, it should be noted that distributors are not to be used to provide e-money services, but can only be subcontracted by payment institutions for the distribution and redemption of e-money. The two concepts differ significantly in this respect. The introduction of the concept of distributors therefore serves to clarify the situation.

What May an Electronic Money Distributor Be Permitted to Do?

According to Article 20(1) of the draft PSD3, Member States should allow payment institutions providing e-money services to use distributors for the distribution and redemption of e-money. In this context, Article 20(2) of the draft is, at the very least, misleadingly worded, as it stipulates that payment institutions must comply with the requirements for the use of payment agents set out in Article 19 PSD3-E if they intend to provide e-money services through distributors. Given the clear wording of the definition of distributor in Article 2(36) PSD3-E and the clear definition of e-money services in Annex II PSD3-E, which only covers the issuance of e-money, the management of payment accounts for e-money units, and the transfer of e-money units, but not the distribution and redemption thereof, the provision in Article 20(2) PSD3-E does not make sense. Until the final version of PSD3 is available, Article 20(2) of the draft should therefore be revised in any case. Instead, distributors should only be used for the distribution and redemption of e-money units. They will not be allowed to provide e-money services that require a license. In this respect, there will be little difference between e-money agents under EMD2 and distributors within the meaning of PSD3.

Attorney Dr. Lutz Auffenberg, LL.M. (London)


Sep 29, 2025

E-Money Services within the Meaning of PSD3 – What Exactly Will the New Activity Include?

European legislators are working diligently to overhaul European payment services law. The final versions of the new Payment Services Regulation (PSR) and the third Payment Services Directive (PSD3) are expected to be adopted at the end of 2025 or early 2026. One of the main concerns of the proposed revisions is the abolition of the second E-Money Directive (EMD2) while incorporating the provisions on e-money into the new PSD3 and PSR. Under the current PSD2 and EMD2 regime, the EU Commission had found that there were differences in the practical interpretation of the directives by the supervisory authorities of the member states, particularly with regard to the distinction between payment and e-money products, which were exploited by applicant companies. In future, therefore, all supervisory and civil law provisions relating to payment services and e-money services are to be regulated uniformly by PSD3 and PSR. The term “e-money institution” will then no longer exist. Instead, payment institutions will be able to apply to BaFin or the competent authority in each individual case for a license to provide e-money services in addition to or exclusively for payment services. But what exactly will e-money services be in this context?

E-Money Services as a New and Regulated Activity under Payment Services Law

The regulatory treatment of e-money business is to be integrated in accordance with the current draft of PSD3 through the introduction of the new term “e-money services.” According to this, e-money services are to include the issuance of e-money, the maintenance of payment accounts for storing e-money units, and the transfer of e-money units. E-money services would thus not only be the original issuance of e-money, but also downstream services related to the storage of e-money and the transfer of e-money units. It is striking that the definition in the current PSD3 draft does not separate the three different activities of e-money services with an “or.” The draft’s provisions, for example, regarding the required initial capital that payment institutions providing e-money services must have, are also uniform at €400,000, regardless of whether e-money is issued or only transfer services are to be provided in relation to e-money that may not have been issued by the institution itself. Furthermore, the draft PSD3 distinguishes between whether a payment institution offers e-money services or not when calculating the required own funds. Institutions that exclusively offer e-money services must always apply Method D, according to which the institution’s own funds must always amount to at least 2% of the average e-money in circulation. These provisions lead to the conclusion that the provision of e-money services can only be uniform, meaning that, for example, simply offering a storage facility for third-party e-money units in a payment account would not be classified as an e-money service.

Services Relating to E-Money Units without Issuer Characteristics Nevertheless Not Unregulated

Services provided by payment institutions that do not themselves act as e-money issuers would nevertheless be covered by the new PSD3 and PSR regulations as regulated activities. This is because, according to the new definitions in PSD3, e-money units should always qualify as money. This means that e-money units are generally also potential subjects of traditional payment services. If, for example, a service provider wishes to offer to store e-money units issued by a third party in a payment account and to enable transfers of these units to and from the payment account, this activity could simply constitute deposit and withdrawal business within the meaning of No. 1 and/or 2 of Annex I to PSD3. The provider would then have to obtain a license as a payment institution for this activity. A license to provide e-money services would not be required. In the future, such demarcation issues could arise particularly frequently in the area of e-money tokens, which are also considered e-money under Article 48(2) MiCAR. It is in the nature of tokens that they cannot be held or transferred exclusively by the issuer. Consequently, it is also very likely that companies will use them to provide financial transfer services or other payment services, for example. In such cases, the additional question arises as to whether, in addition to a BaFin license for payment services, a license as a provider of crypto-asset services is also required.

Attorney Dr. Lutz Auffenberg, LL.M. (London)


Sep 22, 2025

FIN LAW Hosts the Annual Meeting of the Fintech Legal Network

On Friday, our law firm was delighted to welcome the members of the FinTech Legal Network (FLN) to our offices in Senckenberganlage. Hosting this year’s Annual Meeting of the FLN, we welcomed numerous colleagues from the international legal community who specialize in advising on projects in the FinTech industry. The presentations held by Attorney Dr. Lutz Auffenberg, LL.M. (London), Attorney Anja von Rosenstiel, LL.M. (Boston University), M.A. (Viadrina), and our academic guest speaker Dr. Johannes Meier from the Institute for Digital Law (IRDi) at the University of Marburg dealt mainly with the regulation of so-called stablecoins and their regulation under MiCAR as e-money tokens (EMT) and asset-referenced tokens (ART). In addition to the expert presentations, the event was marked by exciting and fruitful discussions on selected legal issues relating to crypto regulation and digital payment solutions. The participants of the Annual Meeting ended the evening in a relaxed atmosphere with cocktails, wine, and good food, enjoying a breathtaking view over Frankfurt am Main.


Sep 15, 2025

Which Payment Services Do Crypto Custodians Provide with EMT?

Since the end of last year, the custody of crypto assets has been regulated as a crypto asset service in the Markets in Crypto Assets Regulation (MiCAR). Providers of this service must obtain a license in accordance with Art. 62 MiCAR from their competent supervisory authority—in Germany, BaFin—prior to being permitted to hold crypto assets for clients. With such a license, crypto custodians are authorized to hold all tokens for clients that qualify as crypto assets under MiCAR. In addition to traditional crypto assets such as Bitcoin and Ether, this also includes special forms of crypto assets regulated by MiCAR, such as asset-referenced tokens (ART) and e-money tokens (EMT). Both of the aforementioned types of so-called stablecoins are characterized by the fact that they are designed to achieve value stability by referring to another stable value. In the case of ART, the reference value may be derived from other official currencies, securities, other crypto assets, or other items. If, on the other hand, the reference value of the token is a single official currency such as the euro, US dollar, or Swiss franc, for example, the token is classified as an EMT. Crypto custodians face additional regulatory issues when storing e-money tokens for their customers, as e-money tokens are not only classified as crypto assets under MiCAR, but also as e-money within the meaning of the Second E-Money Directive (2009/110/EC) applicable in the European Union. As a result, they are also considered funds within the meaning of the second Payment Services Directive (PSD2), as recently confirmed once again by the European Banking Authority (EBA).

Crypto Custodians Will Soon Require Permission Under the ZAG for Handling E-Money Tokens in Business

In its no-action letter dated June 10, 2025, the EBA advises the supervisory authorities of the member states to only require market participants to comply with the regulatory obligations under PSD2, which are implemented in Germany in the Payment Services Supervision Act (ZAG), after March 2, 2026. However, crypto custodians who wish to offer their customers the custody of e-money tokens should already start preparing for the second stage following March 2, 2026, and apply for a ZAG license. The EBA advises supervisory authorities to deprioritize some of the obligations imposed on payment service providers. However, the basic additional licensing requirement still applies in all cases. Crypto custodians who also want to offer their customers the option of keeping EMT in their wallets and sending it to other wallets or receiving EMT from other wallets will then also be providing payment services. In these cases, the payment services of the placement of funds on payment accounts (Section 1 (1) sentence 2 no. 1 ZAG) and the withdrawal of funds from payment accounts (Section 1 (1) sentence 2 no. 2 ZAG) are particularly relevant. Payment transactions pursuant to Section 1 (1) sentence 2 no. 3 ZAG and payment transactions involving the granting of credit pursuant to Section 1 (1) sentence 2 no. 4 ZAG may also be relevant if crypto custodians send EMT from customers to other wallets.

What Are the Alternatives for Crypto Custodians to Obtaining Their Own ZAG License?

Applying for a separate license under Section 10 (1) ZAG for the provision of payment services does not make sense in every case. In individual cases, crypto custodians may have problems with the fact that their managers may have the professional qualifications for crypto custody, but may not yet have professional experience in the payment services business. It is not unlikely that BaFin will require the management to be changed or expanded to include qualified managers with ZAG experience in the relevant licensing procedures. In such cases, it may be possible to have the additional payment services arising in connection with the custody of e-money tokens provided by another institution, for example, via an outsourcing solution. In this case, it is not necessary to obtain a separate license for the provision of payment services. If the crypto custodian wishes to offer payment services to its customers itself, it may also consider whether the crypto custodian should become a payment agent for the other payment institution. It can then perform the regulated payment services on behalf of the other institution as an independent trader. Its actions are then attributed to the payment institution for supervisory and civil law purposes.

Attorney Dr. Lutz Auffenberg, LL.M. (London)


                Sep 08, 2025

                New Implementation Guidance from BaFin on the Simplified ICT Risk Management Framework

The EU Regulation on Digital Operational Resilience in the Financial Sector (DORA) has been in force since January 17, 2025, and must be implemented by the companies it regulates. Even more than seven months after its enactment, not all legal issues arising from DORA have been clarified. The competent authority for most German financial companies is the Federal Financial Supervisory Authority (BaFin). The term “financial institution” as defined by DORA covers a wide range of different companies in the financial sector, including credit institutions, payment institutions, account information service providers, e-money institutions, investment firms, crypto service providers, insurance and reinsurance companies, data provision services, and many more. This makes DORA the central legal act for strengthening the digital operational resilience of the financial sector when using information and communication technologies (ICT). One of the cornerstones of DORA is the obligation for financial companies to establish, maintain, and continuously improve an ICT risk management framework. The risks to which a financial company is exposed in individual cases can be as diverse as the number of regulated companies that qualify as financial companies. DORA therefore relies on the principle of proportionality. This is expressly enshrined in Article 4 of DORA and requires, among other things, that the size and overall risk profile of the financial company as well as the nature, scope, and complexity of its services, activities, and transactions be taken into account when fulfilling the ICT risk management requirements. The principle of proportionality is further reflected in the distinction between the generally applicable ICT risk management framework and the simplified risk management framework, which applies only to certain, mostly smaller financial institutions. BaFin has now provided some helpful guidance on the simplified ICT risk management framework described in Article 16 of DORA in a new supervisory notice dated August 21, 2025.

                Which Financial Companies Are Covered by the Simplified ICT Risk Management Framework?

                The companies to which the simplified ICT risk management framework applies in Germany are determined directly by DORA on the one hand and by national laws on the other. According to Article 16 DORA, small, non-interconnected investment firms and small occupational pension institutions are covered in Germany. In addition, the simplified ICT risk management framework has been extended at national level to other financial companies in the banking and insurance sectors by the Act on the Digitization of the Financial Market (FinmadiG). For example, a revision of the Insurance Supervision Act (Section 293 (5) VAG) now also subjects certain insurance holding companies to the requirements of Article 16 DORA. Furthermore, an amendment to the Banking Act (Section 1a (2a) KWG) requires all institutions not already covered by DORA to apply the regulation from January 1, 2027. For the latter institutions, which include, for example, guarantee banks and financial services institutions such as leasing and factoring companies and crypto-securities registrars, the BAIT will continue to apply until the end of 2026.

                What Specific Advice Did BaFin Give, and What Do Financial Companies Need to Pay Attention to Going Forward?

                The BaFin supervisory notice includes an overview of the documentation requirements for financial companies in accordance with Art. 16 DORA. This overview indicates which documentation, security measures, procedures, plans, processes, and guidelines BaFin considers necessary to meet the requirements of Article 16 DORA and the supplementary technical regulatory standards (RTS) for specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework. In this context, BaFin emphasizes that this is non-binding guidance and that the overview does not represent a binding interpretation by BaFin. Nevertheless, the overview ultimately reflects how BaFin, as the competent supervisory authority, interprets the DORA Regulation and thus provides the financial companies concerned with a concrete roadmap on the path to DORA compliance. However, the overview leaves open how the content of the listed documents should be structured. This makes sense, as the requirements in each individual case must be determined in accordance with the principle of proportionality. Furthermore, even if they fall under the simplified ICT risk management framework, it is important for financial companies to bear in mind that, despite the simplifications provided by the ICT risk management framework, there are no simplifications with regard to the other requirements of DORA. For example, the companies concerned must still comply with the principles for sound management of third-party ICT risk set out in Articles 28 to 30 of DORA.

                Attorney Anton Schröder


                  Aug 25, 2025

                  Will Supervisory Authorities Use AI Tools in Money Laundering Supervision?

                  The use of innovative technologies such as Natural Language Processing (NLP) and AI promises unprecedented efficiency gains for companies. There is a whole wave of new AI companies taking advantage of the newly opened opportunities and developing new business models. It is still unclear whether the technologies, which are constantly evolving thanks to massive investments, will live up to the hype or whether a bubble is forming that threatens to burst like the dot-com bubble. At the moment, however, it seems certain that AI is here to stay and can no longer be ignored. European supervisory authorities also seem to have realized this, as shown by a report by the European Banking Authority (EBA) on the use of supervisory technology tools (known as SupTech) in money laundering supervision by national supervisory authorities. But how far has the SupTech revolution progressed in national supervisory authorities so far, and what are the consequences for supervised companies?

                  AMLA and the Application of SupTech

                  The new EU package to combat money laundering and terrorist financing of June 19, 2024 established, among other things, a new European supervisory authority to support national supervisory authorities by coordinating national money laundering authorities and ensuring uniform application of EU laws. The Anti-Money Laundering Authority (AMLA) began operations on July 1, 2025. EBA has taken the establishment of the AMLA and the associated increase in cooperation between supervisory authorities as an opportunity to examine how national authorities are already using SupTech. It summarized the results of the investigation in a report dated August 12, 2025. This report provides a good overview of current developments. The use of SupTech tools in the fight against money laundering and terrorist financing (AML/CFT supervision) is still in its infancy in the EU. Many authorities are in the exploratory or early implementation phase. However, there are also great opportunities. The increasing adoption of SupTech signals a shift towards more efficient, data-driven approaches to combating financial crime. Technologies used include AI, blockchain analysis, and the generation of synthetic data to improve risk assessments and increase operational efficiency. SupTech tools are designed to improve the ability to analyze large amounts of data and gain comprehensive insights into the activities of supervised companies, automate processes, optimize resources, and increase cooperation between authorities. However, challenges remain, such as poor data quality and governance, which hinder effective use, limited budgets and necessary technological adjustments, a lack of clarity in the regulatory framework, resistance to change, and a lack of digital skills among agency staff.

FinTech Companies, Crypto Assets, and AI-Based Fraud in the Focus of the Regulators

Despite the implementation difficulties outlined above, it seems inevitable that supervisory authorities will also adopt new technologies and thereby exercise even more efficient and comprehensive supervision over the companies concerned. As a result, companies should be even more careful than before to ensure that they comply with their anti-money laundering requirements. The focus of supervision also appears to be increasingly on FinTech companies. For example, the EBA’s Opinion on money laundering and terrorist financing risks affecting the EU’s financial sector, dated July 28, 2025, states that 70% of competent authorities in the EU report high or increasing ML/TF risks in the FinTech sector. The market share of FinTech companies is growing rapidly and promises to improve the customer experience by providing access to innovations in financial services. Supervisory authorities fear that this rapid growth will lead FinTech companies to prioritize innovation and customer acquisition over compliance, resulting in inadequate AML/CFT controls. For FinTech companies, this means that they must take a particularly careful approach to money laundering compliance. Even though this represents a high bureaucratic burden, especially for smaller companies, it is essential that the legal obligations are complied with.

                  Attorney Anton Schröder


                    Aug 18, 2025

                    Are Stablecoins Suitable as a Means of Payment in Limited Networks?

                    Stablecoins have been specifically regulated crypto assets since summer 2024 under the Markets in Crypto Assets Regulation (MiCAR). They can be issued either as E-Money Tokens (EMT) or as Asset Referenced Tokens (ART). In particular, the issuance of EMT or ART as an issuer is strictly and granularly regulated by MiCAR. The issuance of EMTs is reserved exclusively for electronic money institutions or credit institutions authorized in the European Union. The issuance of ARTs may only be carried out by companies explicitly authorized as ART issuers in accordance with Art. 16 ff. MiCAR or by credit institutions. However, it is not only the issuance of EMTs or ARTs that may be subject to licensing requirements. If EMTs or ARTs are accepted as means of payment, transaction support services may constitute activities subject to licensing that may not be provided without prior authorization from the competent supervisory authority, such as BaFin in Germany. It is not only MiCAR that plays a role in this, as crypto-asset services are regulated as activities subject to authorization. The provisions of the German Payment Services Supervision Act (ZAG), which is based on the requirements of the second Payment Services Directive (PSD2), may also have to be taken into account in individual cases.

                    E-Money Tokens are Both Crypto Assets and E-Money

                    Article 48(2) MiCAR provides for the special feature that E-Money Tokens are considered e-money. At the same time, however, they are also defined in Article 3(1)(7) MiCAR as crypto-assets whose value stability is to be maintained by reference to the value of an official currency. EMTs thus have a hybrid status for regulatory purposes. While they are subject to the provisions of MiCAR as a special form of crypto-asset, as electronic money within the meaning of Article 2(2) of the Second Electronic Money Directive (EMD2) and Section 1 (2) sentence 3 ZAG, they are also a form of monetary value within the meaning of Article 4 No. 25 PSD2 and can therefore be the subject of payment services requiring authorization. In this regard, the European Banking Authority (EBA) published a “no-action letter” on June 10, 2025, in which it advised national supervisory authorities in the European Union not to require compliance with the provisions of PSD2 in relation to the provision of payment services with EMT to affected companies until March 2, 2026. Currently, therefore, service providers offering customers custody or transaction-supporting services in connection with EMT must have authorization as a crypto asset service provider (CASP) pursuant to Art. 59 et seq. MiCAR. MiCAR does not provide for a sectoral exemption for limited networks, for exclusive use on enclosed business premises, or for limited ranges of services or goods. In this respect, there is no exemption from the general CASP authorization requirement in such constellations. However, for the period after March 2, 2026, business models falling under the exemptions for limited dealer networks may be able to avoid an additional licensing requirement under Section 10 (1) ZAG by making use of these exemptions.

                    ART are Mere Crypto Assets and are Not Subject to the ZAG

                    The situation is different for asset-referenced tokens in that, although they qualify as crypto assets under Article 3(1)(6) MiCAR, MiCAR does not contain any provision classifying ART as monetary amounts within the meaning of PSD2. ART are therefore not subject to the regulatory regime of the ZAG. Recital 62 MiCAR mentions, for example, that ART may pose a threat to the smooth functioning of payment systems, monetary policy transmission or monetary sovereignty, which at least places them in the realm of means of payment comparable to monetary amounts. However, in its “No-Action Letter” dated June 10, 2025, the EBA also clarified that it is of the opinion that ART should not be classified as monetary amounts within the meaning of PSD2. In light of this, based on the current legal situation, it can be assumed that only the provisions of MiCAR apply to the custody of and transaction support in connection with ART. Accordingly, service providers cannot take advantage of the exemptions under payment services law for closed networks or limited range of goods or services offerings. They must either obtain authorization under MiCAR as a CASP or seek to apply the exemptions set out in Art. 2 MiCAR to their business model, provided that this is possible in individual cases.

Attorney Dr. Lutz Auffenberg, LL.M. (London)


                      Aug 11, 2025

                      AI Compliance in Companies (Part III) – Scope of the GDPR and AI Act?

                      With the rapid development of artificial intelligence, companies in the European Union are facing a complex regulatory landscape that is largely shaped by two pillars: the General Data Protection Regulation (GDPR) and the new Artificial Intelligence Regulation (AI Act). While the GDPR has been regulating the handling of personal data for years and has established itself as the standard for data protection, the AI Act is now the first comprehensive regulation specifically for AI systems. At first glance, both sets of regulations appear to pursue similar goals, such as protecting fundamental rights and building trust in new technologies. But how do these two comprehensive laws relate to each other? This question becomes particularly relevant when AI systems are trained or operate on the basis of personal data. Personal data is often the “fuel” of AI systems. This dual regulation raises crucial questions: Is compliance with one regulation sufficient, or are new, overlapping obligations emerging that could lead to costly pitfalls? If companies want to rely on the use of AI, they should first clarify the differences and similarities between the GDPR and the AI Act.

                      Scope of the GDPR and the AI Act

The GDPR focuses on the processing of personal data. Personal data is any information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR). Processing includes virtually any handling of personal data, from reading and storing to transferring and deleting. The GDPR is designed to be technology-neutral, which means that its provisions apply regardless of the technology used, as long as personal data is processed. In contrast, the AI Act primarily regulates AI systems and AI models themselves. An AI system is defined as a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments (Art. 3 No. 1 AI Act). The AI Act does not directly define what an AI model is. However, Recital 97 of the Regulation states that AI models are central components of an AI system, which become an AI system through additional components such as a user interface. In simple terms, the AI model is the neural network and thus the core of the AI system.

                      Differences and Similarities

The main objective of the GDPR is to protect the fundamental rights of natural persons against risks that may arise from data processing. The GDPR requires data controllers to take both technical and organizational measures to address the risks to data subjects (Articles 25 and 32 GDPR). Personal data may only be processed in accordance with the principles laid down in the GDPR. The controller is accountable to the data subjects in this regard (Art. 5(2) GDPR). The lawfulness of processing must be assessed in each individual case. In the case of the use of new technologies, which undoubtedly includes AI, a well-documented data protection impact assessment must also be considered (Art. 35 GDPR). The AI Act aims to ensure that AI is trustworthy and secure and is developed and used in accordance with fundamental rights. The AI Act is primarily product safety law that establishes uniform rules for the placing on the market, putting into service, and use of AI systems and AI models within the EU. In its implementation, the AI Act focuses primarily on classifying AI systems and AI models into specific risk categories, which are subject to different legal frameworks. The AI Act defines risk as the combination of the probability of damage occurring and the severity of that damage (Art. 3 No. 2 AI Act). The AI Act addresses the risks posed by AI by laying down specific rules for AI technologies and their application. Although the focus of the GDPR and the AI Act is different, they are closely linked in areas where AI systems process personal data. Both laws aim to minimize risk. The AI Act complements the GDPR by addressing specific risks posed by AI technologies. Although compliance with the AI Act can also help to meet the requirements of the GDPR, AI Act compliance alone is generally not sufficient for this purpose.

                      Attorney Anton Schröder


                        Jun 23, 2025

                        The Crypto Custody Agreement According to MiCAR – What Must Crypto Custodians Mandatorily Agree Upon With Their Customers?

                        The custody and management of crypto assets for others is a regulated crypto asset service under Art. 3 (1) No. 16 lit. a) MiCAR and Art. 3 (1) No. 17 MiCAR. It may therefore only be provided by companies that have been authorized as crypto asset service providers under Art. 59 MiCAR. In addition to the usual strict requirements that must be met by companies regulated under MiCAR in the European Union, such as sufficient initial regulatory capital, fit and proper managers, and proper business organization with regard to risk management, IT security, and money laundering prevention, among other things, crypto asset custodians must also fulfill specific supervisory compliance obligations. One of these special requirements for crypto custodians is the obligation to conclude a custody agreement with custody clients that includes the minimum content required under Article 75(1) MiCAR. Accordingly, MiCAR-compliant custody agreements must contain at least information on the identity of the contracting parties, a description of the type of crypto service offered, information on the custody strategy, the means of communication used and how customers authenticate themselves to the crypto custodian, the security systems used, the fees and costs, and the applicable law.

                        What Exactly Must a Crypto Custody Agreement Contain in Regard to the Custody Strategy?

                        MiCAR does not specify exactly what crypto custodians must agree with their custody clients with regard to the custody strategy. The development and implementation of a custody strategy is primarily a regulatory obligation that crypto custodians must demonstrate to the supervisory authorities that oversee them. Article 75(1) MiCAR, which regulates the minimum requirements for custody agreements, merely stipulates that the custody strategy is a minimum requirement for a crypto custody agreement. However, this provision is specified in more detail in Article 75(3) MiCAR, which provides for a right of custody account holders to receive a summary of the custody strategy in electronic form from their crypto custodians. In order to be able to meet this requirement, crypto custodians will have to maintain an electronic document summarizing the custody strategy. The actual agreement of the custody strategy with the customer or the attachment of the complete custody strategy, for example as an annex to the custody agreement, seems unnecessary, especially since any change to the strategy would require renegotiation or a new crypto custody agreement. This cannot have been in the interest of the MiCAR regulator. It should also be noted that, as a strategy document, the custody strategy should not contain any specific technical implementation measures or the names of employees or any third-party service providers that may be involved. A strategy generally formulates goals, objectives, and ways to achieve them.

                        What Details Regarding Security Systems Must Be Agreed Upon?

                        Art. 75 (1) (e) MiCAR requires that crypto custody agreements include a description of the security systems used by the custodian. In this respect, it is rather unlikely that there will be any room for negotiation, as crypto custodians will hardly be able to grant custody clients any leeway in this regard. In this regard, it is necessary to include details on the technologies used for the custody of private keys, information on any vulnerability tests and security audits carried out, the authentication mechanisms provided for clients, and other security measures used by the custodian to minimize the risk of loss of clients’ crypto assets or the associated private keys. Information may also be provided on how client crypto assets are separated from the crypto asset custodian’s own holdings in crypto assets or funds and are kept safe from insolvency. Here, too, it will not be necessary to name specific sub-custodians or banks that are used to segregate client assets. A description of the specific measures implemented by the crypto custodian to increase security for customers will in any case be sufficient for the purposes of the crypto custody agreement.

                        Attorney Dr. Lutz Auffenberg, LL.M. (London)
