
Apr 13, 2026

Prediction Markets – What’s Behind the Hype?

Prediction markets are currently the talk of the town and are experiencing a veritable boom. These are online platforms where users can buy and sell so-called contracts that depend on whether one or more specific events occur or do not occur. Popular events that are frequently the subject of these contracts include, for example, election outcomes (particularly in U.S. politics), as well as the outcomes of sporting and cultural events, but also events from the financial world, such as central bank interest rate decisions, corporate data, or stock market indices. These platforms are often decentralized and built on blockchains such as the Ethereum blockchain. Specifically, users of these platforms purchase shares or contracts that bet on either the occurrence or non-occurrence of the event in question. The price of the respective shares is determined by supply and demand regarding the occurrence or non-occurrence of the event in question. If many users bet on the event occurring, the price of the shares that reward the event’s occurrence rises, and the price of the shares that bet on the event’s non-occurrence falls proportionally. If the relevant event occurs and the user has purchased a share targeting that outcome, they receive a predefined payout. The question arises as to whether these contracts constitute bets or financial instruments, and whether such a model is even feasible in Germany.

Are Prediction Markets Gambling or Financial Instruments?

In Germany, online gambling is generally regulated by the 2021 State Treaty on Gambling and is largely supervised and monitored by the Joint Gambling Authority of the German States (GGL). Financial instruments, on the other hand, are regulated both by European regulations and directives—most notably the Markets in Financial Instruments Directive 2 (MiFID II)—and by German laws such as the Securities Trading Act (WpHG). In Germany, financial instruments and compliance with the relevant regulations are supervised by the Federal Financial Supervisory Authority (BaFin). To date, BaFin has not taken an explicit position on the topic of prediction markets and the legal nature of the shares offered. The GGL, however, has. In a blog post dated September 5, 2025, on its website, it issued a strong warning against participating in so-called social betting on prediction markets. According to the GGL, these social bets, which relate to events in public or social life, such as political elections, court rulings, natural disasters, social events, or other non-sporting developments, are not eligible for licensing in the Federal Republic of Germany under the State Treaty on Gambling 2021 due to the high risk of manipulation associated with them and are therefore, in the GGL’s view, illegal gambling.

Does this Mean that Prediction Markets Cannot Be Operated Legally in Germany?

Against this backdrop, and particularly in light of the GGL’s statement, one is left with the impression that operating a prediction market platform and participating in or purchasing shares on such a platform is not legally permissible in Germany. However, it seems questionable whether this initial impression is actually accurate. A careful reading of the GGL’s statement reveals that the authority explicitly refers only to “non-sporting events.” The GGL therefore does not address sporting events that are the subject of a contract purchased on a prediction market. In fact, the State Treaty on Gambling expressly provides for the permissibility of betting on defined sporting events with verifiable results and clear rules. Operators could therefore apply to the GGL for a license to organize and/or facilitate sports betting and for inclusion on the so-called whitelist. However, the GGL would have no jurisdiction at all if the social bets and contracts on a prediction market were not gambling but rather financial instruments. The assertion that the operation of a prediction market is not eligible for authorization under the State Treaty on Gambling would then be irrelevant to the regulatory assessment of the platform’s operations. Against this backdrop, it would be conceivable to structure the contracts or share certificates, where possible, as, for example, financial futures or derivatives. The offering of such products is, in principle, legally permissible in Germany provided the relevant authorizations from BaFin are obtained. When planning such business models, it is essential to consider not only the licensing requirements but also any relevant general rulings by BaFin and its general administrative practices regarding the compliance obligations of financial firms. Whether a prediction market platform can ultimately be operated legally in Germany therefore depends heavily on the thoroughness of the business planning and the circumstances of the individual case.

Attorney Dr. Lutz Auffenberg, LL.M. (London)

I. https://fin-law.de

E. info@fin-law.de


    Mar 23, 2026

    Raising Capital Through Securities Issuances – What Are the Options, and What Should Be Considered?

    For many companies, raising funds on the capital market can be an attractive alternative to traditional bank loans. The advantages of raising capital through the issuance of securities lie, on the one hand, in the fact that issuers can determine the terms of the issuance themselves, such as maturity, interest rates, repayment terms, and so on. On the other hand, the funds raised through a securities issue do not necessarily have to be secured by the issuer. However, this last point in particular is usually a prerequisite for a bank to grant a loan in the case of traditional bank loans. Of course, the issuance of securities in the EU and in Germany is strictly regulated, not least for the sake of investor protection. For this reason, issuers must also fulfill various documentation requirements when issuing securities. At the European level, the fundamental regulatory framework for this is provided by Regulation (EU) 2017/1129, also known as the Prospectus Regulation. At the national level in Germany, this is supplemented by the Securities Prospectus Act (WpPG). But when exactly must an issuer prepare a securities prospectus, and are there any exceptions to this rule?

    A Securities Prospectus is the Standard

    The Prospectus Regulation stipulates that securities may only be publicly offered in the European Union following the prior publication of a prospectus approved by the competent authority. Depending on the type of prospectus being prepared—the Prospectus Regulation distinguishes between various types of prospectuses, such as the EU Growth Issuance Prospectus, the EU Follow-on Prospectus and the Base Prospectus—the effort involved in preparing each type varies significantly. For example, the maximum number of pages an EU follow-on prospectus may have is 50 DIN A4 pages in printed form. In contrast, for an EU Growth Prospectus, the permissible maximum number of pages is 75 DIN A4 pages in printed form. Generally speaking, the preparation of a securities prospectus requires a significant amount of resources from the preparer. Nevertheless, the preparation, approval, and publication of a securities prospectus can be worthwhile simply because a public offering of securities via such a prospectus also includes the possibility of conducting the offering in EU countries other than the one that approved the prospectus, following prior notification of the prospectus. In addition, the Prospectus Regulation itself provides for exceptions under which a prospectus need not be prepared.

    Are There Exceptions to the Prospectus Requirement?

    The Prospectus Regulation itself provides that it does not apply to certain types of securities. For example, units in closed-end investment funds, as well as securities that are unconditionally and irrevocably guaranteed by a Member State or a local authority of a Member State, are already excluded from the scope of the Regulation. Accordingly, no securities prospectus needs to be prepared for these. Furthermore, the Prospectus Regulation provides that public offerings of securities do not require a previously published and approved securities prospectus if the offering is directed, for example, exclusively at qualified investors or at a maximum of 149 non-qualified investors per Member State. The same applies to offers where the minimum subscription amount or the denomination of the securities is at least EUR 100,000. In addition, the Regulation provides for an exemption from the obligation to publish a prospectus for issuers of securities, provided that the total value of the securities offered in the EU over a 12-month period does not exceed 8 million euros and the Member State in which the issuance takes place has adopted such a threshold. Germany has set the cap at 8 million euros. The EU Listing Act will raise the current cap of 8 million euros in the Prospectus Regulation to 12 million euros on June 5, 2026. For such offerings, however, the Securities Prospectus Act currently still stipulates that, for amounts up to a maximum of 8 million euros, issuers must either prepare a securities information sheet (WIB) comprising a maximum of four DIN A4 pages, have it approved by BaFin, and publish it, or prepare and publish a Key Information Document (KID) in accordance with the PRIIPs Regulation. Such a Key Information Document does not require approval by the competent supervisory authority. Which documentation must be prepared depends on how the securities being offered are structured. A security that meets the requirements of a “packaged investment product” under the PRIIPs Regulation may only be publicly offered after the publication of a KID. Other securities may only be publicly offered after the preparation, approval, and publication of a WIB.

    Attorney Dr. Lutz Auffenberg, LL.M. (London)


      Mar 16, 2026

      The Crypto Asset White Paper – What Are BaFin’s Powers Regarding Token Offerings?

      Anyone seeking to offer crypto assets to the public in the European Union must first prepare and publish a crypto asset white paper in accordance with MiCAR regulations. The document must provide detailed information about the token offering. Specifically, Article 6(1) of MiCAR requires that the document include, in particular, information about the provider or—if different—the issuer of the crypto assets, the project behind the crypto assets, the details of the public offering, the rights and obligations associated with the tokens, as well as the risks, technical functioning, and potential adverse effects on the climate or the environment. Particularly attractive to initiators of crypto projects is the fact that MiCAR does not require approval of the crypto asset white paper by the competent supervisory authority, which in Germany is BaFin. Under Art. 8(1) MiCAR, the only requirement is that the offeror or issuer submit the final crypto asset white paper to the competent authority. Art. 8(3) MiCAR clarifies in this context that the supervisory authority may not require approval of the document prior to publication. The submission must take place 20 business days prior to the date of publication of the white paper.

      What Specifically is BaFin’s Role in Relation to Crypto Asset Whitepapers?

      At first glance, BaFin’s role regarding crypto asset white papers under MiCAR appears straightforward. BaFin is merely required to forward the crypto asset white paper submitted by the issuer to ESMA within five business days, after which ESMA makes it available in its crypto asset white paper registry starting on the date the public offering begins. The submission to ESMA must take place within five business days of receiving the white paper. In addition, BaFin is tasked with forwarding, also within five days, the list of Member States—to be provided by the issuer—in which the public offering of the crypto assets is to take place, to the central contact point of the host Member States. In addition to the crypto asset white paper, BaFin, as the competent authority, must also submit to ESMA the explanation regarding the legal nature of the crypto assets to be offered, which must be drafted by the issuer and must explain why the crypto asset does not qualify as an e-money token (EMT) or an asset-referenced token (ART). However, Article 8 of MiCAR does not explicitly grant any substantive review authority in any form. Nevertheless, Article 94(1) of MiCAR sets forth certain powers vested in the competent authorities, and thus also in BaFin. The German legislature has specified these powers in Section 16 of the Crypto Markets Supervision Act (KMAG).

      What Regulatory Instruments Does BaFin Have at Its Disposal Regarding Crypto Assets White Papers?

      Art. 94(i) of MiCAR stipulates that competent authorities must have the power to require the persons responsible for a crypto white paper to amend or supplement the document if it does not contain the content required under MiCAR. BaFin may also require amendments to the white paper if this is required for reasons of financial stability or the protection of crypto asset owners. Furthermore, as the competent authority, BaFin has the option to suspend the public offering of crypto assets for up to 30 business days if there is suspicion that provisions of MiCAR have been violated. BaFin’s most stringent supervisory measure is the ability to prohibit a public offering of crypto assets if violations of MiCAR have been identified or if there is a sufficiently well-founded suspicion that such a violation will occur. In accordance with general principles of administrative law, BaFin must always act proportionately when exercising these powers. The German legislature has implemented the suspension and prohibition of public offerings of crypto assets in Section 15 of the KMAG. The authority to require changes to the crypto asset white paper was granted to BaFin under Section 16 of the KMAG.

      Attorney Dr. Lutz Auffenberg, LL.M. (London)


        Mar 09, 2026

        The Listing Act – What is Changing for Smaller Securities Issuances in European Prospectus Law?

        Regulation (EU) 2024/2809, also known as the Listing Act, was adopted on October 23, 2024, and largely entered into force on December 4, 2024. The Listing Act provides for far-reaching changes to various EU legal acts concerning the European capital market. The aim of the changes is to increase the attractiveness of the capital market in Europe and to significantly simplify capital raising for small and medium-sized enterprises via the local capital markets. This objective has been a perennial issue in European legislation, but unfortunately it has not yet been implemented with sufficient effectiveness through the various measures that have been implemented, most notably the so-called Capital Markets Union. In order to achieve a sustainable strengthening of the European capital market this time, the Listing Act provides for changes not only to the Market Abuse Regulation (MAR), MiFID2, and MiFIR. According to the provisions of the Listing Act, comprehensive changes are also to be made to the Prospectus Regulation, which will be particularly attractive for small and medium-sized enterprises. Some of these changes to prospectus law are already in effect, while others will only apply and take legal effect from June 5, 2026. Issuers and providers of smaller securities issuances should therefore be aware of the upcoming changes and check whether they could result in attractive financing opportunities for them.

        The EU Growth Issuance Prospectus and the EU Follow-on Prospectus

        Regulations governing the new EU growth issuance prospectus and the EU follow-on prospectus have been in force since March 5, 2026. The EU follow-on prospectus can be used by issuers and offerors for public offers of securities, and for their admission to trading on a regulated market, where the securities have been admitted to trading on a regulated market or an SME growth market for at least 18 months without interruption. The form of the EU follow-on prospectus is standardized and may not exceed a maximum of 50 A4 pages in printed form. In addition, it must be written in a comprehensible manner and in a legible font size. The EU growth issuance prospectus may be issued by issuers that qualify as SMEs, as well as by issuers that do not qualify as SMEs, provided that their securities are admitted to trading on an SME growth market or are to be admitted to trading on such a market. In addition, unlisted companies planning an issuance with a total consideration for the publicly offered securities of up to EUR 50 million may also use the EU Growth Prospectus, provided that they did not exceed an average number of 499 employees in the last financial year. The total consideration must be based on the last 12 months. The EU Growth Prospectus is also a standardized document that must be written in a comprehensible manner and in a legible font size. The maximum number of pages allowed for this prospectus is 75 A4 pages in printed form, which means it can be slightly more comprehensive than the EU Follow-on Prospectus.

        What Changes Will the Listing Act Bring for Small Issuances of Up to EUR 12 Million?

        Previously, the Prospectus Regulation provided for the possibility of an exemption from the obligation to publish a prospectus for issuers of securities, provided that the total consideration of the securities offering in the European Union did not exceed EUR 8 million over a period of 12 months and the Member State concerned, in which the issue was to take place, had decided on such a maximum limit. Germany had set the maximum limit at EUR 8 million, while numerous other member states only allowed exemptions for smaller issue volumes. For public offerings up to a value of EUR 8 million, the German Securities Prospectus Act has since required either the preparation of a securities information sheet consisting of 3 or 4 A4 pages or the preparation of a key information document (PRIIPs KID) in accordance with the PRIIPs Regulation. From June 5, 2026, the Prospectus Regulation, as amended by the EU Listing Act, will provide that public offers of securities with a total value of up to EUR 12 million in the Union will be exempt from the obligation to publish a prospectus. However, the respective member states may decide to lower this threshold to EUR 5 million. This increased threshold will thus enable smaller companies to raise significantly more capital than before without having to prepare, approve, and publish a securities prospectus. However, the obligation to prepare a securities information sheet will continue to apply in Germany.

        Attorney Dr. Lutz Auffenberg, LL.M. (London)


          Feb 23, 2026

          European CASP Supervision – Will ESMA Replace BaFin in MiCAR Supervision?

          The supervision of crypto service providers (CASP) has become a day-to-day issue for financial supervisory authorities in European member states over the last few years, and especially since MiCAR came into force. Hardly any self-respecting institution can avoid the question of whether its own business areas should be expanded to include crypto assets or whether blockchain technology could be used to improve the technical efficiency of existing business models. The German BaFin, in particular, which was already required to supervise crypto-related business models under national law before MiCAR came into force, has built up considerable expertise in this area in relation to the functioning of crypto assets and the markets in which they are traded. However, the EU Commission is considering withdrawing the supervisory mandate for providers of crypto-asset services from BaFin and, in general, all national financial supervisory authorities in the future and having supervision carried out directly by ESMA, based in Paris. ESMA would then be directly responsible for license applications from crypto asset service providers in accordance with Art. 62 MiCAR. After successfully completing the MiCAR licensing process, ESMA would also take over the ongoing supervision of CASPs from the national supervisory authorities.

          ESMA’s Jurisdiction Would Apply to All Pure CASPs – Distinction for Entities Notified Under Article 60 MiCAR

          According to the current draft of the EU Commission for the planned amendments to MiCAR, ESMA would be the competent authority for all companies that have applied for or received authorization under Article 62 MiCAR. With regard to credit institutions, investment firms, or other companies supervised under other regimes that are authorized to offer crypto asset services in addition to their traditional business after successfully completing a notification procedure in accordance with Article 60 MiCAR, the current jurisdiction of BaFin and the Deutsche Bundesbank would remain in place for the time being. However, under the current draft regulation, such companies would have to submit information on their total annual turnover to ESMA on an annual basis, specifying the percentage of turnover attributable to crypto-asset services. As soon as crypto asset services became the company’s main business according to these figures, the supervisory mandate with regard to the supervision of obligations under MiCAR would be transferred from the nationally competent authority to ESMA. The last available annual financial statements approved by the management body of the notified company would be decisive in each case.

          EU Passporting for CASPs to be Integrated Directly into Authorization

          Another change planned by the EU Commission concerns the MiCAR passporting regime. In future, crypto-asset service providers will be allowed to provide the crypto-asset services for which they are authorized by ESMA throughout the European Union. This approach seems sensible and understandable, especially since ESMA would be responsible for supervising all crypto-related business anyway. However, it remains to be seen whether the planned changes would actually lead to simplifications. It seems questionable whether the supervision of small and medium-sized CASPs by the Paris-based ESMA in particular can prove to be practicable. Correspondence and supervisory discussions would probably take place largely in English, which could cause difficulties for smaller CASPs. With regard to investor protection, internationalization could also create hurdles for customers of supervised CASPs if they have to turn to an international institution with their concerns instead of being able to contact German-speaking representatives at BaFin and the Bundesbank. One positive effect would certainly be that the already very granular interpretation of MiCAR by ESMA would be further harmonized and differences in the supervisory rigor of national supervisory authorities could be counteracted. However, it remains to be seen whether the EU Commission’s proposals will actually be implemented in this form, as the consultation period for comments from market participants and associations on the proposed amendments has only recently expired and the evaluation of the comments received is still pending. In addition, the proposals would still have to go through the entire EU legislative process, which is rarely, if ever, completed without significant changes.

          Attorney Dr. Lutz Auffenberg, LL.M. (London)


            Feb 16, 2026

            Utility Tokens in Transition – Legal Nature Under the German Banking Act (KWG) and MiCAR

            Since the launch of Ethereum in 2015 and the associated emergence of the smart contract economy, issuing proprietary tokens has become an interesting alternative to corporate financing, especially for startups and tech companies. In the past, issuers of crypto tokens generally attempted to design their tokens as utility tokens. The background to this was the legal situation in Germany at the time, according to which utility tokens were not necessarily classified as financial instruments within the meaning of the German Banking Act (KWG) or the Securities Trading Act (WpIG). BaFin took the view that utility tokens were a subtype of crypto tokens that essentially enabled the purchase of goods or services from their issuer and were therefore conceptually limited to the issuer’s network. Based on this understanding, synonyms for utility tokens were app tokens, usage tokens, or consumption tokens. If the legal requirements were met, crypto tokens could qualify as financial instruments until MiCAR replaced national crypto regulation at the end of 2024. At that time, crypto assets were financial instruments pursuant to Section 1 (11) sentence 1 no. 10, sentences 4 and 5 of the previous version of the KWG and Section 2 (5) no. 10 of the WpIG and were therefore potentially subject to financial services or investment services requiring a license. The definition required that the token in question be accepted as a medium of exchange or payment or serve investment purposes. In the case of utility tokens, these conditions could not be met in individual cases. In such cases, utility tokens were not regulated financial instruments and services relating to them were therefore not activities subject to authorization.

            Under MiCAR, Utility Tokens are a Clearly Defined Subtype of Crypto Assets

            Since MiCAR came into force, crypto assets have been defined in Article 3(1)(5) MiCAR as digital representations of a value or right that can be electronically transferred and stored using distributed ledger technology or similar technology. The EU regulation also provides an explicit definition for utility tokens in Article 3(1)(9) MiCAR. According to this, utility tokens are crypto assets that are exclusively intended to provide access to a good or service provided by their issuer. Since the definition requires that it be a crypto asset, these tokens can no longer be considered unregulated items since MiCAR came into force. In any case, they are crypto assets that can potentially be the subject of crypto asset services. Commercial handling of them may therefore trigger licensing requirements under Art. 59 ff. MiCAR. The issuance of these tokens also entails obligations for their issuers and offerors, in particular the fundamental obligation to prepare and publish a crypto asset white paper, with MiCAR regulating specific details in this regard.

            What are the Advantages for Issuers and Offerors of Such Tokens under MiCAR?

            Utility tokens are now regulated crypto assets under MiCAR regulations. However, for public offerings of utility tokens, the EU regulation provides for very attractive privileges for issuers and offerors in certain circumstances. For example, Article 4(3)(c) MiCAR stipulates that the provisions of the entire Title II of MiCAR do not apply to public offerings of utility tokens that provide access to goods or services that already exist or are already being provided. Issuers and offerors of such utility tokens therefore have the advantage that they are not required to prepare and publish a crypto asset white paper. Furthermore, they are not required to comply with the strict requirements for marketing communications under Article 7 MiCAR, they are not subject to the transparency requirements under Article 10 MiCAR, and purchasers of the utility tokens are not entitled to the right of withdrawal under Article 13 MiCAR. However, these advantages only apply if the goods or services made accessible via the tokens actually already exist and are available. If, for example, their development or availability is to be financed by the proceeds from the utility token sale, the privileges do not apply. Issuers and providers of tokens that have additional relevant functions besides providing access also do not enjoy these advantages. The definition of utility tokens in Art. 3 (1) No. 9 MiCAR clearly stipulates that utility tokens only exist in the case of crypto assets that exclusively provide access to goods and services of their issuer.

            Attorney Dr. Lutz Auffenberg, LL.M. (London)


              Feb 09, 2026

              Notification Procedure as a Fast Track for Existing Institutions to Obtain a MiCAR License

              Crypto assets are not financial instruments within the meaning of MiFID2 regulation. This is explicitly clarified in Art. 2 (4a) MiCAR in conjunction with Art. 3 (1) No. 49 MiCAR. Nevertheless, credit institutions and investment firms, particularly in the Federal Republic of Germany, are showing growing interest in trading digital assets. For existing institutions, crypto assets open up new target groups and markets as well as innovative modern product types that attractively expand the product portfolio alongside or in conjunction with traditional MiFID business. In fact, the opportunities to seize these chances are within reach for already licensed credit institutions and investment firms, but also for e-money institutions, UCITS management companies, or alternative investment fund managers, as they can benefit from the notification procedure fundamentally regulated in Art. 60 MiCAR. Article 59(1) MiCAR provides for two options for obtaining authorization to provide crypto-asset services. First, pursuant to Article 59(1a) MiCAR, a company may provide crypto-asset services if it has previously been authorized as a crypto asset service provider. The significantly simpler route is the notification procedure for existing institutions set out in Article 59(1b) MiCAR and regulated in Article 60 MiCAR. According to this, credit institutions, investment firms, e-money institutions, UCITS management companies, and alternative investment fund managers can obtain authorization as providers of crypto asset services by submitting certain information about their planned crypto asset transactions to BaFin without having to go through a full authorization process.

              Who Can Benefit from a MiCAR Notification?

              Article 60(1) MiCAR grants authorized credit institutions the option of providing all crypto asset services after submitting a complete notification. For investment firms, the notification option is restricted in that, after successful notification, they may only provide those crypto asset services that correspond to the investment services for which they hold a corresponding license in accordance with MiFID regulations. Article 60(3) subparagraph 2 regulates which MiFID investment services correspond to which crypto asset services. In contrast, pursuant to Art. 60(4) MiCAR, e-money institutions are only permitted to provide custody, administration, and transfer services in relation to the e-money tokens they issue after successful notification. If an e-money institution wishes to offer additional crypto asset services, it must obtain the necessary authorization by submitting an application for authorization in accordance with Article 62 MiCAR. UCITS management companies or alternative investment fund managers may notify crypto asset services for the acceptance and transmission of orders in crypto assets for clients, advice on crypto assets, and portfolio management of crypto assets, provided that they hold the relevant authorizations under the UCITS Directive (2009/65/EC) or the AIFM Directive (2011/61/EC). Finally, market operators authorized under MiFID2 also have the option of taking advantage of the notification procedure. If their notification is successful, they can operate a trading platform for crypto assets.

              What Requirements Must Be Met and How Long Does the Notification Take?

              The notification procedure under Article 60 MiCAR is significantly less complex than a full application for authorization under Article 62 MiCAR. In particular, the notifying institution must present a viable business plan outlining how crypto asset services are to be marketed and offered in the future. In addition, it must provide a detailed and complete description of how the institution will adapt its strategies, procedures, and internal controls in relation to the planned provision of crypto asset services. This includes adapting internal procedures for risk management and money laundering prevention, IT security, emergency and business continuity planning, outsourcing management, and all other procedures relevant to regulatory compliance. Specific details are regulated by Delegated Regulation (EU) 2025/303. With regard to the duration of notification procedures, Article 60 MiCAR stipulates somewhat ambiguously for all types of eligible institutions that crypto asset services to be notified may only be provided once the information to be submitted has been transmitted to the competent authority at least 40 working days prior to the initial provision. According to Article 60(8) MiCAR, the competent authority – in Germany, BaFin – must check within 20 working days of receiving the notification whether the information in the notification is complete. If any information is missing, BaFin shall set a deadline for the applicant to provide the missing information, which may not exceed a further 20 working days from the date of the request. It should be noted that the request period does not count towards the 40 working days specified in Article 60(1) to (6) MiCAR. This means that the notification procedure can actually take 60 working days.

              Attorney Dr. Lutz Auffenberg, LL.M. (London)

              I.  https://fin-law.de

              E. info@fin-law.de


                Dec 15, 2025

                The Tokenization of Real World Assets – Can Real Estate Be Tokenized Using RWA Tokens?

                The tokenization of so-called real-world assets (RWA tokens) is currently one of the hot topics in the blockchain scene. In this context, the term tokenization refers to the technical and, as far as possible, legal connection of a digital token, usually existing on a blockchain, with a specific tangible object, such as real estate or a wind turbine, or with a specific intangible object, such as a right. The tokenization of rights continues to enjoy unbroken popularity in the financial sector. The issuance of security tokens, i.e., the public offering of financial products that are linked to a token in such a way that they qualify as securities within the meaning of securities regulation, has become a very popular form of corporate financing. BaFin qualifies such products, which in terms of content often constitute an investment under the German Investment Act, as sui generis securities due to their tokenization. This is the case if the products meet certain requirements in terms of transferability, tradability on the financial market, and the granting of securities-like rights. When issuing an electronic security under the German Electronic Securities Act (eWpG), the qualification of the products as securities has already been carried out by the legislator, so that products issued under the eWpG unproblematically constitute securities. But how can physical objects such as real estate be tokenized?

                Possible Concepts for Tokenizing Real Estate

                In principle, the complete tokenization of real estate via RWA tokens, i.e., of land ownership, is not yet provided for in the German legal system. This is primarily because in Germany, the land register is the sole and decisive legal document for assigning land ownership to individuals, and it does not yet allow for digitization, let alone tokenization via RWA tokens. Ultimately, this means that, in general, the person entered in the land register is also the owner of the property in question. However, there are various ways of approaching the tokenization of real estate. One example is the KG model, and another is the subordinated bond model. In both models, the initiator/issuer acquires the property in question and then allows interested investors to participate in it. In the KG model, the initiator would typically establish another company, a trust limited partner. This company would then establish a GmbH & Co KG with the initiator, provided that the latter is a GmbH, whereby the initiator would act as the personally liable partner and the trust company as the (trust) limited partner. Interested investors can then conclude tokenized trust agreements with the trust limited partner, which would transfer the rights of the trust limited partner in the GmbH & Co KG to the investors, i.e., both the rights to profit sharing, as specified in the partnership agreement, and the other corporate rights of a limited partner. In this model, the GmbH & Co KG would be the owner of the property as entered in the land register. The issuance of a subordinated bond is another option for tokenizing real estate. In this case, the issuer usually issues subordinated bonds that are registered in the name of the investor – mostly subordinated loans or subordinated profit participation rights – and tokenizes them. These products grant investors, for example, a share in the profits of the property in question or in the issuer’s corporate profits. 
In both models, however, the investor does not legally acquire ownership of the properties in question.

                What Documentation is Required for the Distribution of the Tokens?  

                As a rule, and if structured appropriately, tokenized products created according to one of the two models mentioned above will qualify as investments under the German Asset Investment Act (Vermögensanlagengesetz). As explained above, BaFin considers these tokenized investments to be securities for regulatory purposes if structured appropriately. In this respect, the regulatory regime for securities applies to their distribution. The volume of the planned issue is a decisive factor here. For issues with volumes of up to EUR 8,000,000, a securities information sheet of no more than four A4 pages is required or, in the case of a product packaged in accordance with the PRIIPs Regulation and provided that the product is offered to retail investors, a key information document (KID). Furthermore, in the case of issuances using a securities information sheet, distribution to non-qualified investors is only permitted if it is carried out by way of investment advice or investment brokerage through an investment services company. For issuances of up to EUR 20,000,000, a so-called EU growth prospectus  could be prepared, approved, and published; for issuances with a volume of more than EUR 20,000,000, a securities prospectus must be prepared by the issuer, approved by BaFin, and published, unless a statutory exemption applies.

                Attorney Dr. Lutz Auffenberg, LL.M. (London)


                  Dec 01, 2025

                  Do Issuers of Crypto Assets Require a PRIIPs KID in Addition to the MiCAR White Paper?

                  For more than a decade, EU Regulation No. 1286/2014 (PRIIPs Regulation) has required issuers and providers of packaged retail investment products and insurance-based investment products to prepare, publish, and make available key information documents (PRIIPs KIDs). The key information document is intended to provide retail investors with a clear and easily understandable overview of the underlying investment product. It must therefore not exceed three A4 pages in length and must contain the essential key information and warnings required by the PRIIPs Regulation. The legal form of the investment product is generally irrelevant, which is why a PRIIPs KID may have to be prepared for issues of both securities and, for example, units in investment funds or asset investments in accordance with the German Asset Investment Act (VermAnlG), as long as the product is to be offered to retail investors. Even fundamentally unregulated investment products may fall under the PRIIPs Regulation if the product meets its requirements for a packaged investment product or insurance-based investment product. In this context, the question arises as to whether issuers of crypto assets may also be required to prepare a key information document for a token issue, especially since the legislator behind the PRIIPs Regulation in 2014 certainly did not have MiCAR, which would not apply until the end of 2024, in mind.

                  Prospectus Requirements Under Other Regulations Are Irrelevant for the Applicability of the PRIIPs Regulation

                  The fact that issuers and providers of investment products may be required by other regulations, such as the Prospectus Regulation, the KAGB or the VermAnlG, to prepare and publish prospectuses or other documentation relating to their products is fundamentally irrelevant to the question of the applicability of the PRIIPs Regulation. The obligation to prepare and publish a key information document may therefore exist in addition to the obligation to prepare a prospectus, provided that the investment product in question meets the requirements of the PRIIPs Regulation. According to Article 4 (1) of the PRIIPs Regulation, the existence of a packaged retail investment product within the meaning of the PRIIPs Regulation requires, in particular, that the amount to be repaid to the retail investor is subject to fluctuations resulting from the performance of reference values that are not directly acquired by the retail investor. According to BaFin’s administrative practice, only external reference values such as the value of precious metals, investment products from third-party providers, or crypto assets are relevant here. Internal reference values such as issuer- or group-related profit figures such as profit after tax or EBITDA, on the other hand, do not constitute a PRIIP. According to these principles, crypto assets within the meaning of Art. 3 (1) No. 5 MiCAR can also qualify as PRIIPs if they are to be distributed to retail investors and provide for a repayment to the investor whose amount depends on an external reference value. In this context, it is important to note that a repayment within the meaning of the PRIIPs Regulation can be not only genuine repayment claims at the end of a term, but also interest or other returns from the investment product during the period of ownership.

                  PRIIPs KID and Crypto-Asset White Paper Conceivable for Certain Crypto Assets

                  In cases where a crypto asset meets the requirements outlined above, the issuer and also the persons who advise on or sell the crypto asset may be required to prepare a PRIIPs KID, publish it, and make it available to investors in good time before subscription. The obligations under the PRIIPs Regulation then apply in addition to the obligations under MiCAR, meaning that, in addition to creating the PRIIPs KID, it may also be necessary to create and publish a crypto-asset white paper. The issuer of a crypto asset must therefore take both EU regulations into account when planning its token issuance. In this context, it is also important to note the further obligations under the PRIIPs Regulation and MiCAR, which impose strict requirements on issuers and providers in the area of advertising and marketing communications for the offering of investment products or crypto assets. No advertising statement may relativize or contradict the information contained in the PRIIPs KID or the crypto-asset white paper. It is therefore of considerable importance to ensure that, in the event of the applicability of the PRIIPs Regulation to a token issuance, the crypto-asset white paper in accordance with MiCAR and the key information document in accordance with the PRIIPs Regulation are consistent.

                  Attorney Dr. Lutz Auffenberg, LL.M. (London)


                    Nov 17, 2025

                    From Basic Tests to TLPT: DORA Redefines Resilience Testing Requirements

                    Since January 17, 2025, financial companies have been required to comply with the requirements of Regulation (EU) 2022/2554, better known as DORA. This regulation creates a harmonized legal framework to strengthen digital operational resilience across the EU financial sector and address the growing risks posed by cyberattacks and ICT operational disruptions. To achieve this goal, DORA establishes a complex set of rules, supplemented by detailed technical regulatory standards (RTS) from the European Supervisory Authorities (ESAs). A key pillar for ensuring this resilience is the way companies test their systems. Overall, DORA introduces more far-reaching, uniform, and specific testing requirements for financial companies than previously existed. While earlier requirements were often fragmented or left room for interpretation, DORA now requires a structured and comprehensive testing program. This ranges from regular basic tests to sophisticated, threat-led penetration tests (TLPTs) for systemically important institutions. These new obligations require a detailed examination of the regulation and the associated RTS. The following section therefore outlines the general requirements for the testing program and what needs to be considered for the extended tests, known as TLPTs.

                    General DORA Requirements for Stress Tests

                    Financial institutions that are not micro-enterprises must establish, maintain, and review a robust and comprehensive program for testing digital operational resilience. This program is an integral part of the ICT risk management framework (in accordance with Art. 6 DORA). The main objective of the testing program is to assess preparedness for handling ICT-related incidents, identify weaknesses, deficiencies, and gaps in digital operational resilience, and implement corrective measures promptly. Financial firms must take a risk-based approach when executing the testing program. In doing so, they must give due consideration to the evolving ICT risk landscapes, specific risks to which the firm is exposed, and the criticality of information assets and services provided. The program must include a range of assessments, tests, methods, procedures, and tools, including vulnerability assessments and scans, open-source analysis, network security assessments, gap analyses, physical security reviews, scenario-based testing, compatibility testing, performance testing, end-to-end testing, and penetration testing. Appropriate testing must be performed at least once a year on all ICT systems and applications that support critical or important functions. The tests should be performed by independent internal staff or external personnel. The findings and challenges arising from the digital operational resilience tests must be continuously and properly incorporated into the ICT risk assessment process. They serve as the basis for appropriate reviews of the relevant components of the ICT risk management framework.

                    Advanced Testing: Threat-Led Penetration Testing (TLPT)

                    Beyond general testing, DORA requires certain financial companies to perform advanced testing known as threat-led penetration testing (TLPT). The legal basis for this can be found in Articles 26 and 27 of DORA. TLPT is another tool for strengthening operational resilience. DORA is guided by international standards such as the G7 Fundamental Elements and frameworks such as TIBER-EU, and defines TLPT in Article 3(17) DORA as a framework that replicates the tactics, techniques, and procedures of real attackers who are perceived as genuine cyber threats and enables a controlled, tailored, knowledge-based (red team) test of the financial company’s critical live production systems. The requirements of Articles 26 and 27 DORA are supplemented and specified in detail by Delegated Regulation (EU) 2025/1190 (RTS on TLPT). Which companies must carry out TLPTs is determined by BaFin as the competent supervisory authority or, in the case of significant credit institutions, by the ECB. The criteria for classification are set out in Article 28(8), subparagraph 3, DORA. The impact of the financial company in question, its systemic nature, and its ICT risk profile based on the criteria set out in Article 2 of the RTS on TLPT are taken into account. Micro-enterprises are exempt from the obligation to perform TLPTs.

                    FIN LAW


                      Nov 10, 2025

                      Threats, Incidents, and Attacks Under DORA – What Financial Companies Need to Know

                      Since January 17, 2025, Regulation (EU) 2022/2554 – better known as DORA – has been compulsory for financial companies. A key objective of the regulation is to strengthen the digital operational resilience of the financial sector and create clear structures for dealing with ICT risks. But not all risks are the same: DORA makes a precise distinction between threats, incidents, and attacks – and attaches different obligations to each category. While threats as potential sources of danger are primarily to be analyzed internally, actual incidents and attacks trigger specific reporting and action obligations. This distinction becomes particularly relevant when it comes to the question of when financial companies are obliged to inform authorities or affected parties. The regulation not only defines what constitutes a cyber threat, an ICT-related incident, or a cyber-attack, but also specifies the steps that companies must take in each case. Precise classification is of central importance not only for compliance, but also for the strategic orientation of ICT risk management.

                      What Are Threats, Incidents, and Attacks Under DORA?

                      DORA uses a number of different terms for attacks and incidents. These terms can be broadly divided into two categories: threats (which have the potential to cause damage) and incidents/attacks (the actual events that have caused or are causing damage). Threats refer to possible circumstances or actions that could affect network and information systems (ICT). According to Art. 3 No. 12 DORA, a cyber threat refers to a possible circumstance, event, or action that could harm, disrupt, or otherwise affect network and information systems, users of these systems, and other persons. According to Art. 3 No. 13 DORA, a significant cyber threat is a cyber threat whose technical characteristics indicate that it could have the potential to cause a serious ICT-related incident or a serious payment-related operational or security incident. An ICT-related incident is the most general category of a negative event in the ICT sector. It is defined in Article 3(8) of DORA as an unplanned event or a series of related events that compromises the security of network and information systems and has an adverse impact on the availability, authenticity, integrity, or confidentiality of data or on the services provided by the financial institution. ICT-related incidents are further subdivided into serious ICT-related incidents and serious payment-related operational or security incidents within the meaning of Article 3(10) and (11) DORA. In contrast, a cyberattack within the meaning of Article 3(14) DORA refers to a malicious ICT-related incident resulting from an attacker’s attempt to destroy, expose, alter, disable, steal, or gain unauthorized access to or use of an asset.

                      What Obligations Are Associated With Each Category?

                      DORA attaches different legal consequences and obligations to threats, incidents, and attacks. There is no external reporting obligation for cyber threats as a general threat category. The information is primarily used for internal analysis and further development of digital operational resilience. Reporting a significant cyber threat to the competent authorities is voluntary under Article 19(2) DORA. Financial companies may share this information if they consider the threat to be relevant to the financial system, service users, or customers. Both ICT-related incidents and cyberattacks only trigger an external reporting obligation if they reach a certain level of severity, i.e., if they are classified as serious. According to Art. 19 (1) DORA, financial companies must therefore report serious ICT-related incidents to the competent authority. Credit institutions, e-money institutions, payment institutions, and account information service providers must also report serious payment-related operational or security incidents in accordance with Article 23 of DORA. It follows from recitals 23 and 54 of DORA that this specific reporting obligation replaces the corresponding reporting obligations under PSD2 in order to avoid duplication of requirements. However, the obligations of financial companies are not limited to reporting requirements. Following disruptions to their main activities as a result of serious ICT-related incidents, financial companies must provide for subsequent reviews of the ICT-related incident. These reviews should investigate the causes and identify improvements to ICT processes or the ICT business continuity policy. In addition, financial companies that are not micro-enterprises must, upon request, notify the competent authorities of the changes made following the review of ICT-related incidents in accordance with Article 13 of DORA. 
Consequently, DORA focuses on proactive integration into risk management and voluntary information sharing in the event of threats, while clear reactive obligations such as reporting, damage limitation, recovery, and root cause analysis are at the forefront in the event of incidents/attacks.

                      FIN LAW


                        Oct 27, 2025

                        Contract Drafting in the Context of the DORA Regulation – What Do Financial Companies Need to Observe?

                        Since January 17, 2025, Regulation (EU) 2022/2554 – better known as DORA – has been binding for financial companies and third-party ICT service providers. The regulation not only sets high requirements for digital operational resilience, but also has a direct impact on contract drafting. A key question that arises in practice is: When is a service considered an ICT service within the meaning of DORA? This distinction is crucial because, according to Article 30 DORA, contracts for ICT services must contain certain minimum content. This includes, among other things, clear provisions on risk management, incident reporting, audit rights, and exit strategies. The classification of a service as an ICT service therefore has far-reaching consequences for contract negotiations between financial companies and their service providers. If services are wrongly left unclassified as ICT services, this not only poses compliance risks, but also creates contractual gaps that can lead to liability issues in serious cases. At the same time, DORA shifts the balance of power in contract negotiations: financial companies are now obliged to impose strict requirements on their service providers – which redefines the scope for negotiation for both sides. But how can ICT services be clearly identified, and which contractual clauses are absolutely necessary to meet DORA requirements? These questions are the focus of current discussions and show that DORA represents not only a regulatory challenge, but also a contractual one.

                        What are ICT Services?

                        According to Article 3(21) of DORA, ICT services are digital services and data services that are provided on a permanent basis to one or more internal or external users via ICT systems, including hardware as a service and hardware services, which also includes technical support provided by the hardware supplier by means of software or firmware updates, with the exception of traditional analog telephone services. The definition is very broad in order to cover as many ICT services as possible and effectively implement the objectives of DORA. A key limitation of the scope of application, as set out in the definition, is that only digital services and data services that are provided on a permanent basis are to be covered. This means that, as a rule, only continuing obligations are covered, while one-off services are not. Annex III of Commission Implementing Regulation (EU) 2024/2956 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to standard templates for the information register (ITS on register of information) contains a list of categories of ICT services, each with a brief description. This list can be used as an aid for initial classification. The services mentioned include: ICT project management, ICT development, ICT helpdesk and first-level support, ICT security management services, data provision, data analysis, ICT operating resources and hosting services (excluding cloud services), computing power, data storage outside the cloud, telecommunications providers, network infrastructure, hardware and physical devices, software licensing (excluding SaaS), ICT operations management (including maintenance), ICT consulting, ICT risk management, IaaS, PaaS and SaaS.

                        Article 30 DORA Defines Clear Minimum Standards for ICT Contracts – Both for Standard and Critical Services

                        Every contract for ICT services must first contain a precise description of the services, rights, and obligations, including the exact locations where data is processed and stored. Information security and data protection are key: Specific technical and organizational measures must be defined to ensure the availability, authenticity, integrity, and confidentiality of all data—regardless of whether it is personal data or not. In addition, regulations on data access in the event of insolvency or termination of the contract are essential to ensure continuity of service. Service level agreements (SLAs) with quantitative and qualitative performance targets are mandatory, as is the service provider’s obligation to provide support in the event of ICT incidents and to relieve the financial company of its reporting obligations. Cooperation with supervisory authorities must be contractually anchored, and the financial company’s termination rights – for example, in the event of violations of compliance requirements or deficiencies in risk management – must be explicitly defined. Finally, participation in digital resilience training should be agreed upon, unless the service provider already has its own qualifications. If critical or important functions are involved, the requirements become more stringent: in this case, extended reporting obligations, emergency plans, participation in penetration tests, and comprehensive audit rights for the financial company are mandatory. Exit management regulations that ensure an orderly transition at the end of the contract or when changing service providers are also particularly relevant. In addition, subcontracting must be strictly controlled and contractually secured in order to avoid unwanted risks.

                        FIN LAW
