Feb 24, 2025

News on Financial Entities as ICT Third-Party Service Providers and on Subcontracting under DORA

The EU Regulation 2022/2554 (DORA) has come into force and financial firms must comply with the new requirements. The regulation focuses on addressing the challenges posed by digital transformation and growing interconnectedness in the financial industry, which will intensify in the future. DORA aims to further reduce risks arising from cyber-attacks and business interruptions, for example. The specific obligations that DORA places on financial entities are complex. The bureaucratic burden that DORA places on financial entities should not be underestimated. At the same time, however, DORA helps to promote appropriate minimum standards in the area of digital operational resilience. DORA is supplemented by regulatory technical standards (so-called RTS), which are regularly drafted by the ESAs (EBA, EIOPA and ESMA) in cooperation with the national supervisory authorities and adopted by the Commission in accordance with the relevant requirements. Most RTS have already entered into force in this way. The RTS are intended to provide financial entities with specific guidelines on how the requirements of the DORA are to be understood and implemented in the areas regulated by the RTS. Although DORA and almost all RTS are already applicable, there is still some uncertainty regarding the interpretation of DORA in individual cases. EIOPA has now provided interpretation notes via the ESAs' joint Q&A on one of the major questions concerning DORA – namely, when a financial entity is to be classified as an ICT third-party service provider in relation to other financial entities. There is also uncertainty regarding the outsourcing by ICT third-party service providers of critical or important functions or significant parts thereof to subcontractors. The draft RTS on this from the ESAs is still at the drafting stage despite the fact that the DORA has already come into force, and now the Commission has announced its intention to partially reject the draft.
The following comments address these issues surrounding DORA.

Clarification: When Financial Entities May Be Qualified as Third-party ICT Service Providers

One of the most pressing questions for many financial companies is whether DORA applies when a financial entity provides digital services to another financial entity. At what point are the services between financial entities classified as ICT services? If the services are ICT services within the meaning of DORA, a financial entity can also be considered an ICT third-party service provider within the meaning of DORA. This is explicitly clarified in recital 63 of the DORA. On behalf of the ESAs, EIOPA is now providing legal practitioners with an interpretative guide. In EIOPA’s view, financial services may also include an ICT component. If financial entities provide ICT services to other financial entities in connection with their financial services, the financial entity receiving the ICT services should check whether, firstly, the services constitute an ICT service as defined by DORA and, secondly, whether the financial entity providing the services and the financial services it offers are regulated under EU law or the national law of a member state or a third country. Should both tests be passed, the ICT service in question should be considered predominantly a financial service and not an ICT service within the meaning of Article 3 subsection 21 DORA. If the service is provided by a regulated financial entity offering regulated financial services, but the service is unrelated or independent of such regulated financial services, the service should be considered an ICT service for the purposes of Article 3 subsection 21 DORA. This interpretation is to be endorsed as it is in line with the objectives of the DORA, is consistent with the guiding principles of recital 79 and avoids additional red tape in the area of ICT third-party risk management between financial entities, each of which is already subject to the requirements of the DORA.

Further Uncertainty Regarding RTS on Subcontracting

On January 21, 2025, the European Commission rejected the draft regulatory technical standards (RTS) related to subcontracting of ICT services supporting critical or important functions. These RTS are urgently needed, among other things, so that financial entities know how far-reaching contractual agreements with third-party ICT service providers need to be with regard to subcontracting. The Commission considers that the requirements in Article 5 of the draft RTS go beyond the powers granted to the ESAs by Article 30 subsection 5 DORA. In particular, it concerns the conditions for monitoring the chain of ICT subcontractors that are not specifically linked to the conditions for subcontracting. The Commission is asking for the removal of Article 5 and associated Recital 5 from the draft RTS to ensure that the draft is consistent with the mandate. The corresponding article will therefore no longer be part of the rules to be observed by financial entities. Unfortunately, this also delays the binding adoption of the RTS, and financial entities are still only able to work with the draft. At least the Commission is otherwise only proposing editorial changes that are intended to improve the quality of the legal act without affecting the substance of the act. The ESAs have six weeks to revise the draft based on the proposed amendments by the Commission and resubmit it. If the ESAs do not amend the draft in line with the Commission’s suggestions or do not submit a revised draft within this period, the Commission may adopt the RTS with the amendments it has proposed or reject them altogether. It is therefore clear that more legal certainty will probably soon prevail. Until then, financial entities should use the existing draft and refrain from applying the requirements in Article 5 of the RTS.

Attorney Anton Schröder

subscribe to Newsletter

    Contact

    info@fin-law.de

    Feb 20, 2025

    Book Launch Party for the Crypto Assets MiCAR Commentary in Vienna

    On 16 December 2024, the book launch party for the recently published Kalss/Krönke/Völkel commentary “Crypto Assets” took place at the premises of our partner law firm STADLER VÖLKEL in Vienna. The authors, who include our partner Lutz Auffenberg, LL.M. (London), celebrated together with representatives of C.H. Beck and Manz Verlag the cross-border cooperation on the commentary on the new MiCAR, its accompanying laws and the legal acts amended in the course of its introduction, with wine, snacks and chestnuts above the roofs of the city center and a view of St. Stephen’s Cathedral. A short statement by Attorney Lutz Auffenberg, LL.M. (London) on the provisions of Art. 36 to 47 MiCAR on which he commented and on the entire work, as well as visual impressions of the book launch event in Vienna, can be seen here:

      Feb 17, 2025

      Token Sale in the MiCAR Era – How Can a Token Issuance be Advertised?

      Since the new Regulation on Markets in Crypto Assets (MiCAR) came into full legal force at the end of last year, the regulatory requirements for token sale events and initial coin offerings have also expanded considerably. This applies in particular to issuers of e-money tokens (EMT) and asset-referenced tokens (ART), but also to issuers of other crypto assets. Provided that no exemptions provided for by MiCAR can be utilized, the provider of the crypto assets must prepare and publish a detailed crypto asset whitepaper prior to the public offering via a token sale event. In addition, providers of new crypto assets must now meet compliance requirements and, in particular, identify, avoid and disclose any conflicts of interest. MiCAR also requires providers to draft their marketing communications for a public offering in compliance with certain minimum requirements and publish them on their website prior to the launch of the token sale. Marketing communications must be clearly recognizable as such and must contain a specific reference, pre-formulated in MiCAR, to the fact that they have not been reviewed or approved by an authority and that the provider bears sole responsibility for their content. In any case, any marketing communications must be consistent with the details and information in the underlying crypto asset whitepaper. But what exactly are marketing communications within the meaning of MiCAR?

      What Constitutes a Marketing Communication Under MiCAR?

      Modern marketing for token sale events is difficult to compare with advertising measures that issuers and distribution service providers carry out for traditional capital market issues. The usual marketing measures prior to MiCAR coming into force took place almost entirely online and ranged from content marketing via articles placed in specific portals and community building on social media channels to the provision of digital giveaways such as NFTs. Under MiCAR, the question therefore arises as to whether these marketing measures also qualify as marketing communications and are therefore subject to the corresponding labeling and publication obligations under MiCAR. MiCAR itself does not contain an independent definition of the term marketing communication. However, it can be inferred from the recitals preceding the text of the regulation that marketing communications should at least also include advertising messages and marketing materials that are disseminated via social media platforms. According to this statement, not only text messages would be covered by the term marketing communication, but possibly also other modern advertising measures such as memes or images. The term must be further substantiated by interpretation. In this respect, for example, recourse can be made to the definition of advertising in securities law, which in any case requires a certain promotion of the willingness to subscribe through a measure that relates to a specific public offer of securities. This objective could also be used for the interpretation of the marketing communication within the meaning of MiCAR.

      How Can Providers Label Memes and NFTs as Marketing Communications?

      The more modern and unconventional the individual advertising measure, the more difficult it becomes to comply with the MiCAR requirements for the labeling of marketing communications. In particular, the affixing of the provider’s unambiguous and clearly recognizable declaration of responsibility in accordance with the textual requirements of MiCAR causes difficulties where only a very limited number of characters may be possible or even where communication is to take place exclusively via an image. Ultimately, BaFin or ESMA would have to clarify whether short links or asterisk references may be used in this respect, as long as such aids do not restrict the clear recognizability of the declaration. In individual cases, such reference solutions could even be conducive to the visibility of the markings required by supervisory law if, for example, a presentation in small font size or in a less conspicuous color design could be avoided in this way. As long as there is no official administrative practice on the details of the design of marketing communications under MiCAR, the provider will have to assess for each individual advertising measure for token sales if it constitutes a marketing communication and how specifically the applicable design obligations are to be implemented.

      Attorney Lutz Auffenberg, LL.M. (London)

        Feb 10, 2025

        AIaaS – Proven Solution for New Breakthrough Technologies

        Artificial intelligence (AI) is already revolutionizing numerous areas of society and the economy. It opens up new opportunities for growth and innovation by automating processes, using resources more efficiently and enabling completely new business models. Accordingly, the demand for AI is high. Developing and operating your own AI models is costly and time-consuming, and requires high initial investments and extensive specialist knowledge. To meet the demand for cost-effective alternatives, the market has found a solution that has been used in the IT sector for a long time. Under the catchy name Software-as-a-Service (SaaS), software and hardware resources are offered as cloud-based solutions. This means that resources can be provided to users in a scalable and cost-effective way. The new star in the sky of cloud-based services is called AI-as-a-Service (AIaaS). This service allows companies to use predefined or self-trainable AI models that run on the infrastructure of large cloud providers via API. The advantages in terms of cost, time, scalability and access to the latest AI technologies are immense. This means that even small or medium-sized companies can implement AI projects that would otherwise only be available to large technology companies. Although it is similar to SaaS solutions, AIaaS raises a number of legal issues that need to be addressed before AIaaS projects can be implemented.

        A Fresh Take on Old Favorites

        A range of different AI applications are already on the market, serving a variety of functions. These range from chatbots to document processing and innovative investment tools. As with SaaS, the right contract design plays a crucial role in AIaaS. The contract must meet the requirements of the respective application. In particular, the contractual parties’ performance obligations must be regulated. The contractual parties should take the time to clearly describe the services in order to avoid misunderstandings and to create clarity for the interpretation and legal classification. Service level agreements should be concluded to ensure sufficient availability and quality of the AIaaS service, maintenance times and response times in the event of disruptions. Another important topic is the correct handling of data protection in accordance with the GDPR, since personal data is usually processed. Often, the use of cloud-based AIaaS solutions also involves a transfer of personal data to a third country, which is only permitted under the strict conditions of the GDPR. It must be clarified who is the responsible party (controller), whether there is joint responsibility or processing on behalf of the controller. It also needs to be clarified whether the use of the AIaaS is to be regarded as outsourcing by the company to the AIaaS service provider and whether this results in specific legal obligations. IT security also plays an important role. This applies in particular to financial companies that are subject to Regulation (EU) 2022/2554 (DORA). AIaaS providers are likely to regularly qualify as third-party ICT service providers within the meaning of DORA, which is why the far-reaching requirements of DORA must be observed.
The requirements for contract design, project organization and monitoring can be high in individual cases, but there are also many design options that can best be used for a successful implementation of the project through careful planning and close exchange between the parties involved.

        New Territory: Artificial Intelligence Act

        In addition to the aspects mentioned above, the Regulation (EU) 2024/1689 (AI Act) is another piece of legislation that has been introduced recently at the European level and that the parties involved in an AIaaS relationship must comply with. In some cases, the requirements can be very extensive. For example, the AI Act prohibits certain practices in the field of AI. It also defines special risk management requirements for high-risk AI systems and obligations for actors in relation to such systems. It also imposes transparency requirements on certain AI systems and requires providers and operators of AI systems to take measures to ensure to the best of their ability that their personnel and other persons involved in the operation and use of AI systems on their behalf have an adequate level of AI competence. This may also mean that appropriate training is necessary. In most cases, the requirements for companies that integrate AIaaS solutions into their business are limited and do not present any significant obstacles. It is also a stated aim of the regulation to promote innovation and employment and to give the Union a leading role in the introduction of trustworthy AI.

        Attorney Anton Schröder

          Jan 20, 2025

          DORA Is Live – When Do the First Reports Have to Be Made to BaFin?

          The time has come: the two-year transitional period since the entry into force of DORA on 16 January 2023 has expired and DORA has been applicable since 17 January 2025. The financial firms and ICT third-party service providers affected must now meet the new requirements introduced by DORA. Financial firms must measure their digital operational resilience against the provisions of DORA. DORA comprises 64 articles, which are supplemented by a series of Regulatory Technical Standards (so-called RTS). The RTS create uniform standards across the EU, so that all affected financial firms throughout the Union must meet the same requirements. This is intended to strengthen the freedom of establishment and the digital operational resilience of the entire European financial market. DORA addresses ICT risks by setting out specific requirements for ICT risk management capabilities, incident reporting, operational resilience testing, and monitoring of risks associated with the use of third-party ICT service providers. BaFin has already stated on several occasions that there will be no further transition period after the two-year transition period. This means that financial companies must already fulfill the DORA requirements. But what about the specific reports and notifications that financial companies must submit to BaFin? The main focus here is on the Register of Information, which refers to all contractual agreements for the use of ICT services provided by third-party ICT service providers and must be maintained by financial companies as part of their ICT risk management.

          What is the DORA Register of Information?

          An important part of the DORA regulation is the requirement for financial firms to establish sound management of third-party ICT risk. This includes, for example, a strategy for managing ICT third-party risk and, optionally, a strategy for using multiple ICT providers. In addition, guidelines must be created for the use of ICT third-party services, in particular for ICT services that support critical or important functions. The Register of Information is also a key component of ICT third-party risk management. Financial companies must maintain this register of information for all contractual agreements for the use of ICT services provided by third-party ICT service providers. A distinction must be made between ICT services that support critical or important functions and those that do not. The requirements for the Register of Information (RoI) are specified in detail by the Regulation on implementing technical standards with regard to standard templates for the Register of Information (ITS RoI). Financial undertakings must provide the competent authority – in Germany BaFin – with the complete Register of Information or, upon request, certain parts of this register, together with all information deemed necessary for the effective supervision of the financial undertaking. BaFin has now announced that it will require financial companies to submit the Register of Information to BaFin for the first time by 11 April 2025 at the latest. To this effect, BaFin published a series of articles on its website just a few days ago. The background to this is that BaFin must transmit the Registers of Information to the European Supervisory Authorities by 30 April 2025 so that they can classify the third-party ICT service providers requiring supervision as critical ICT service providers within the meaning of the DORA, which are subject to special supervision under the DORA.

          How Should the Register of Information be Submitted in Accordance with the Regulation?

          For financial companies that have already completed the implementation of DORA, submitting the Register of Information to BaFin should not pose a problem. Financial companies that have not yet fully adapted to the DORA requirements should not panic either, but should quickly start creating the Register of Information so that it is ready as soon as BaFin requests it. In a recently published article, BaFin also called on the financial companies concerned to prepare to submit the Registers of Information to BaFin for the first time by no later than 11 April 2025. However, the authority also promised to provide the companies with close support until then and to try to clarify as many open questions as possible. BaFin has published detailed information on its website. The Registers of Information are transmitted to BaFin via BaFin’s reporting and publication platform (MVP). When creating the registers, financial companies must follow the guidelines of the European Supervisory Authorities (ESAs). The registers are to be submitted as structured files that correspond to the taxonomy specified by the ESAs. In order to make the conversion easier for smaller finance companies in particular, BaFin plans to provide a special Excel template on its website in the near future. This template can then be used by financial companies instead of a structured file, provided that the given structure of the Excel template is strictly adhered to. As an alternative to submitting the Register of Information as a structured file, financial companies should be able to submit the completed Excel template via the MVP. It is also essential for companies that plan to apply to BaFin for a license to operate as a financial service provider in the near future to ensure that the requirements of DORA have been implemented. This is the best way to avoid delays in the processing of the license application. The requirements of DORA are very complex. 
However, they do not fundamentally differ from the requirements that BaFin has already placed on financial companies prior to the entry into force of DORA. Provided that a solid information security management system (ISMS) already exists within the company, the adjustments should be able to be implemented quickly in most cases.

          Attorney Anton Schröder

            Dec 16, 2024

            Interoperability Through Token Bridges – Are Wrapped Tokens Crypto Assets under MiCAR?

            Blockchain technology has established itself as a promising technical infrastructure for numerous applications since the emergence of the smart contract economy. Investment products and capital market issues in particular are now increasingly being mapped and processed via smart contracts implemented on blockchains. The tokenization of so-called real-world assets (RWA tokens) or rights is also increasingly being implemented to enable the digital transfer of the underlying assets. One of the biggest challenges of blockchain-based projects, however, is the fact that blockchains are essentially closed networks that are not compatible with each other. The use of bitcoins or their equivalent value to interact with a smart contract implemented on the Ethereum blockchain, for example, is not technically possible at first glance. So-called token bridges can provide a remedy in such cases. These are smart contracts that enable their users to use value units from other blockchain infrastructures on other blockchains. Technically, this works by users transferring cryptocurrencies of a certain type to a blockchain address managed by the token bridge in order to receive wrapped tokens in return, which are generated on the target blockchain and can therefore be used there. Wrapped tokens usually represent the value of the deposited cryptocurrency at a ratio of 1:1.

            Can Wrapped Tokens Represent Asset-Referenced Tokens?

            Under MiCAR, digital representations of values or rights that can be transferred and stored electronically using distributed ledger technology or similar technology are regulated as crypto assets. Wrapped tokens certainly meet these very broadly formulated requirements. However, MiCAR also recognizes special forms of crypto assets that may be associated with further obligations for issuers and providers of crypto services. An asset-referenced token (ART) exists, for example, if a crypto asset attempts to maintain a stable value by referring to another asset or another right or a combination thereof, including one or more official currencies. As wrapped tokens usually represent the value of another crypto asset on a 1:1 basis, they will in most cases qualify as ART. For the issuer of the wrapped token, this may mean in particular that the wrapped token may not be issued without the necessary authorization under MiCAR. In addition, the issuer of ART is obliged to create an asset reserve, which must be held in accordance with the specific requirements set out in MiCAR. Furthermore, depending on the design of the underlying smart contracts, providers of token bridges may trigger licensing obligations under MiCAR. For example, the safekeeping of deposited crypto assets may constitute crypto custody subject to authorization. The retransfer of deposited crypto assets may also be subject to authorization under MiCAR if it is to be carried out to a different blockchain address than the one from which the crypto assets were originally transferred to the token bridge.

            Can Token Bridge Models Also Be Realized in an Unregulated Way?

            Providers of token bridges and issuers of wrapped tokens may therefore be subject to far-reaching regulatory obligations. One way to avoid these considerable administrative burdens may be to decentralize the token bridge and the issuance of wrapped tokens to such an extent that there is no sufficiently responsible person for the operation of the token bridge and the issuance of wrapped tokens. In this respect, it would be necessary for the token bridge to function in a completely decentralized manner and for no identifiable person to have control or influence over the operation or issuance of wrapped tokens. In this case, there would be no addressee for the regulatory obligations provided for under MiCAR and the token bridge would be able to operate outside the scope of MiCAR.

            Attorney Lutz Auffenberg, LL.M. (London)

              Dec 02, 2024

              Getting Ready for DORA (Part VII) – Which Financial Companies Benefit From the Simplified ICT Risk Management Framework?

              From 17 January 2025, affected companies will have to comply with the new requirements introduced by DORA. The main objective of DORA is to fully and consistently harmonize digital operational resilience and ICT security. The need for this arises, among other things, from the fact that legal differences and varying national regulatory and supervisory approaches to ICT risk create obstacles to the functioning of the internal market for financial services. This makes it considerably more difficult for financial companies operating across borders to exercise their freedom of establishment and freedom to provide services without hindrance. Furthermore, competition between the same types of financial companies operating in different member states has also been severely distorted by these differences. DORA addresses ICT risks through targeted requirements for ICT risk management capabilities, incident reporting, operational resilience testing, and monitoring of ICT third-party risk. When dealing with DORA, the principle of proportionality must be taken into account. This means that the size, overall risk profile, nature, scale and complexity of the financial services must be taken into account when implementing the requirements. This is also reflected in the requirements for ICT risk management: DORA provides for a so-called simplified ICT risk management framework for certain financial firms. But to whom exactly does this apply?

              Which Companies Can Implement a Simplified ICT Risk Management Framework?

              The simplified ICT risk management framework is significantly scaled back compared to the general framework otherwise provided by the DORA and places fewer specific requirements on the implementation of ICT risk management. To put it bluntly, ICT risk management is reduced from fifteen articles to one. This simplified framework applies exclusively to the financial institutions explicitly named by DORA. These include, for example, small and non-interconnected investment firms, small institutions for occupational retirement provision, and institutions excluded under the Capital Requirements Directive (CRD IV). These exclusions are particularly welcome in light of the considerable effort involved in implementing the DORA requirements. Smaller companies that fall under the exemption can thus operate an ICT risk management system that is appropriate in relation to their size and overall risk profile. An adequate level of protection is ensured by the requirements of the simplified ICT risk management framework in conjunction with the regulatory technical standards (RTS RMF). These standards define the tools, methods, processes and guidelines for ICT risk management and for the simplified framework. The simplified ICT risk management framework should also apply to payment institutions and e-money institutions that have been excluded from the respective member states’ implementation under the Payment Services Directive (PSD2) or the E-Money Directive. However, there is inconsistent implementation here by the individual member states.

              Unequal Requirements for Payment Institutions in Different Member States

              Despite DORA’s harmonization efforts, gaps still exist. These are particularly evident in the case of payment institutions and e-money institutions. This is because the member states had a certain amount of leeway when implementing the PSD2 and the E-Money Directive. It is therefore possible that when transposing the directive into national law, the option of “exempting” certain payment institutions or e-money institutions and subjecting them to simplified requirements in national law will be used. Consequently, in these cases, the DORA refers to an exemption that only applies to financial companies if the respective member state has implemented this exemption in its national law. However, this is in strong contrast to the DORA’s objective of creating a level playing field for all market participants. Recital 42 of the DORA shows that the European legislator has recognized this problem and ultimately accepted the unequal treatment of comparable financial companies. One example of this is that a payment institution regulated in Germany must comply with the general ICT risk management framework, while a comparable payment institution in another member state that has made use of the exemption may apply for the simplified ICT risk management framework. It is therefore necessary to check in each individual case whether and to what extent the simplified ICT risk management framework can be applied for. Even if this is not the case, the general ICT management framework must still be implemented proportionately.

              Attorney Anton Schröder


                Nov 26, 2024

                Attorney Lutz Auffenberg, LL.M. (London) has Once Again been Awarded

                Lexology, the renowned online portal specializing in the evaluation and recommendation of lawyers, has included our founding partner, Attorney Lutz Auffenberg, LL.M. (London), as one of the leading experts in Germany in its Lexology Index: Fintech & Blockchain (formerly known as Who’s Who Legal). Attorney Lutz Auffenberg has thus once again made it into this prestigious ranking. The leading legal advisors were identified through an extensive market analysis and survey of market participants and lawyers advising on blockchain and fintech law.


                  Nov 25, 2024

                  Attorney Anja von Rosenstiel Contributes Chapter to MiCAR Handbook

                  The European Markets in Crypto Assets Regulation (MiCAR) will soon have legal effect in its entirety. MiCAR will also have an impact on cross-border crypto-asset services and their regulatory treatment. Thus, a comparative legal analysis and classification of the new regulation is an important contribution that will enable effective advice on cross-border crypto-asset services in the future. Attorney Anja von Rosenstiel, LL.M. (Boston University), M.A. (Viadrina) and of counsel at FIN LAW, has provided a comparative legal analysis of the MiCAR with US regulations in the handbook MiCAR, edited by Johannes Meier, which is expected to be published in February 2025. Interested parties can pre-order the book here.


                    No Tied Agents Under MiCAR – How Do Liability Umbrellas and Contractually Tied Agents Have to Prepare for MiCAR?

                    From 30 December 2024, the provisions of the Markets in Crypto Assets Regulation (MiCAR) will be legally effective throughout the European Union. From that date, crypto-asset service providers within the scope of the new regulation will no longer be allowed to provide their services without the required MiCAR authorization. MiCAR does not recognize the tied agent model, a concept known from other areas of financial market regulation, in which activities requiring a license can be provided under the responsibility of a sufficiently authorized institution without a license of one’s own. In this regard, ESMA already clarified in September 2024 that crypto-asset services under the MiCAR may only be provided by companies that are either authorized as crypto-asset service providers or that have successfully completed a notification procedure in accordance with the MiCAR as a credit institution or securities institution that is already supervised. Since, under the current regulation in Germany according to the Investment Firm Act (WpIG), crypto securities are considered financial instruments and the law allows liability umbrella solutions for business models in which companies in Germany exclusively provide investment brokerage, investment advice or placement services, the transition to the MiCAR regime for correspondingly tied agents potentially represents a real showstopper. What can tied agents and their liability umbrellas with crypto-related business models do before 30 December 2024 to seamlessly continue business under MiCAR?

                    Can Tied Agents be Covered by the MiCAR Transitional Provision?

                    MiCAR provides for a transitional regime for providers of crypto-asset services that have provided their services in accordance with the law applicable to them, i.e. in accordance with the applicable national provisions. Such providers may continue to provide their services after 30 December until 1 July 2026, or until a MiCAR license is granted or refused, whichever event occurs first. However, member states have the option of shortening the timeframe until 1 July 2026. The German legislator has not yet enacted any implementing legislation for MiCAR, so a shortening of the timeframe is not to be expected for the time being. According to the wording, tied agents would in principle be able to make use of the transitional regulation, since they have legally provided crypto-asset services prior to 30 December 2024 under the applicable national regulations. However, it must be taken into account in any case that the permissibility under supervisory law of the provision of services by tied agents is derived from the investment firms acting as a liability umbrella. In view of this, it can be assumed that reliance on the transitional regulation for tied agents can only be considered if the liability umbrella solution used continues to exist under the applicable law from 30 December 2024 and the liability umbrella continues to fulfill the relevant requirements. In contrast, BaFin has contacted the institutions under its supervision that have tied agents and pointed out that the involvement of tied agents will be inadmissible under MiCAR. Tied agents who therefore wish to invoke the transitional provisions of MiCAR should in any case clarify this approach in advance with their liable institution and BaFin.

                    The Alternative to the Liability Umbrella is Either an Outsourcing Solution or a MiCAR Authorization

                    If tied agents are not eligible for, or are unwilling to rely on, the MiCAR transitional provisions, they need an alternative solution. It is possible to apply to the competent authority for their own MiCAR license, but such an application requires thorough and time-consuming preparation, as well as patience until the BaFin approval process is complete. A so-called outsourcing solution can be implemented more quickly, in which the previous tied agent acts as an outsourcing company for the provider authorized to provide crypto-asset services. As in the liability umbrella model, the provider of crypto-asset services is then responsible under supervisory law. The outsourcing company then provides technical services to the provider, such as the provision of a technical platform, support services and distribution. However, caution is advised with regard to outsourcing solutions in which outsourcing to crypto companies from non-EU countries is to take place. In ESMA’s view, outsourcing must not lead to a situation in which the third-country company ultimately provides crypto-asset services in Europe without its own authorization through a European special-purpose entity, while the service itself is actually provided in a third country.

                    Attorney Lutz Auffenberg, LL.M. (London)


                      May 17, 2022

                      FIN LAW Successfully Advises DLT Finance on BaFin Authorization as Financial Institution

                      The trading entity of our client DLT Finance Holding AG, DLT Subsidiary AG, has been approved by BaFin as a financial institution pursuant to section 15 subsection 1 WpIG. From now on, DLT Finance is fully enabled to provide a broad spectrum of services in the crypto markets in addition to the crypto custody services offered by the group’s company DLT Custody GmbH, such as crypto trading and crypto brokerage, borrow/lending, crypto custody and crypto management as well as realization of tokenization projects for customers. DLT Subsidiary AG obtained from BaFin the authorization to provide the following investment services:

                      • Financial commission business (section 2 subsection 2 no. 1 WpIG)
                      • Issuance business (section 2 subsection 2 no. 2 WpIG)
                      • Investment brokerage (section 2 subsection 2 no. 3 WpIG)
                      • Investment advisory (section 2 subsection 2 no. 4 WpIG)
                      • Contract brokerage (section 2 subsection 2 no. 5 WpIG)
                      • Placing business (section 2 subsection 2 no. 8 WpIG)
                      • Financial portfolio management (section 2 subsection 2 no. 9 WpIG)
                      • Proprietary trading through market making (section 2 subsection 2 no. 10a WpIG) and
                      • Proprietary trading as a service to others (section 2 subsection 2 no. 10c WpIG)

                      Founding partner Lutz Auffenberg, LL.M. represented DLT Subsidiary AG in the BaFin proceedings. FIN LAW sincerely congratulates DLT Finance on the acquisition of the authorization.
