-
Threats, Incidents, and Attacks Under DORA – What Financial Companies Need to Know
DORA clearly distinguishes between threats, incidents, and attacks—but what reporting obligations do they trigger? An overview of the new requirements.
-
Contract Drafting in the Context of the DORA Regulation – What Do Financial Companies Need to Observe?
ICT contracts under DORA: Between minimum standards and power shifts. The regulation not only sets high requirements for digital resilience, but also changes the dynamics of contract negotiations. Financial companies must now enforce strict requirements—but which services actually fall under DORA, and how can exit strategies, audit rights, and risk management be regulated in a contractually watertight manner?
-
Payment Services in Online Gambling – Where Are the Limits for What Is Permissible?
Under the prohibition of contribution in the State Treaty on Gambling, payment institutions are not permitted to execute payments in connection with illegal gambling. Cases in which original gambling providers do not have the necessary permission are clear-cut. However, difficulties arise in cases where gambling is not the focus of the customer’s business activities.
-
Distributors within the Meaning of PSD3 – Are E-Money Agents a Disappearing Concept?
The draft version of the new PSD3 no longer includes the concept of e-money agents. Instead, there will be distributors that payment institutions may use for the distribution and redemption of e-money. What changes could this bring for institutions and their agents in the future regulatory regime?
-
E-Money Services within the Meaning of PSD3 – What Exactly Will the New Activity Include?
The new PSD3 aims to transfer the regulation of the e-money business to the supervisory regime for payment services. However, the new term “e-money services” poses some difficulties of interpretation. Which specific activities will it cover in future?
-
Which Payment Services Do Crypto Custodians Provide with EMT?
In addition to MiCAR authorization, the custody of e-money tokens generally requires a license as a payment service provider under the ZAG. Which payment services are relevant in this regard, and what alternatives do affected crypto custodians have for applying for their own license?
-
New Implementation Guidance from BaFin on the Simplified ICT Risk Management Framework
DORA implementation: BaFin specifies the requirements for the simplified ICT risk management framework. It provides financial companies with an overview of documentation, security measures, and processes for the simplified ICT framework, but emphasizes that the content must be tailored to each individual case in accordance with the principle of proportionality.
-
Will Supervisory Authorities Use AI Tools in Money Laundering Supervision?
Opportunities and challenges: How is SupTech changing the fight against financial crime, and why are FinTech companies increasingly under scrutiny from regulators?
-
Are Stablecoins Suitable as a Means of Payment in Limited Networks?
Stablecoins are the talk of the town. They are undoubtedly crypto assets and regulated under MiCAR. But can they also be considered monetary amounts under the ZAG in individual cases? If so, could the exception for limited networks apply to services relating to them in this case?
-
AI Compliance in Companies (Part III) – Scope of the GDPR and AI Act?
One AI system, two sets of rules: The compliance requirements of the GDPR and the AI Act overlap, but they are not identical. What are the differences and similarities?
-
The Crypto Custody Agreement According to MiCAR – What Must Crypto Custodians Mandatorily Agree Upon With Their Customers?
Crypto custodians must meet comprehensive compliance obligations under MiCAR. This includes entering into crypto custody agreements with custody clients that contain the minimum content specified in MiCAR. But what exactly must such custody agreements cover?
-
Token Sale to Private Purchasers – Can the Issuer Freely Choose the Applicable Law for the Token Terms?
In the context of public offerings of token sales designed in accordance with MiCAR, all purchasers should have the same rights. In the case of private investors, however, consumer protection may vary in individual cases due to the Rome I Regulation. Is the corrective measure of the Rome I Regulation for public offerings of financial instruments also applicable to token sales?