Apr 22, 2025

MiCAR Transition – What are BaFin’s Obligations towards CASPs under MiCAR Grandfathering?

The regulations on the authorization requirement and compliance with specific compliance obligations for crypto asset service providers (CASP) have been in force since December 30, 2024. Companies that were already providing services in an EU or EEA member state prior to this date in accordance with the law applicable at that time, which are now classified as crypto asset services within the meaning of MiCAR, may continue to offer these services to their customers for the time being, even if they have not yet obtained MiCAR authorization from the competent authority. In this respect, the new regulation provides for a transitional arrangement in Article 143(3) MiCAR, also known as grandfathering. Article 143(3) MiCAR provides that the continuation of legal activities prior to December 30, 2024, without the required MiCAR authorization is possible until July 1, 2026, or until the date on which the competent national supervisory authority has made a positive or negative decision on the company’s MiCAR authorization application. Under the MiCAR grandfathering rule, it is not necessary for the company to actually submit the license application at a specific point in time. Nor does the transitional provision specify whether the application for a MiCAR license must have a certain scope, in particular whether it must cover all transactions continued under the grandfathering provision. However, member states alone have the option of limiting the period of grandfathering for their jurisdiction. They are not entitled to restrict the scope of Article 143(3) MiCAR or the specific crypto services eligible for grandfathering.

Dangers Await CASPs with MiCAR Passporting

Shortly before the transitional provision on MiCAR grandfathering came into force, the European Securities and Markets Authority (ESMA) published an opinion in December 2024 on the handling of the MiCAR transitional rule for CASPs. Essentially, ESMA warned both CASPs and the national supervisory authorities responsible for them of problems with the grandfathering regime in the case of companies offering crypto asset services in several EU member states. Problems could arise insofar as individual member states have made very different use of their option to impose stricter time limits on grandfathering than the maximum provided for in MiCAR. While, for example, a maximum grandfathering period of 12 months applies in Germany and Austria, the Netherlands, Poland, and Finland allow only six months. France, Denmark, and the Czech Republic, on the other hand, grant CASPs that make use of grandfathering up to 18 months to fully implement the MiCAR requirements and obtain the necessary authorization. These differences pose risks for CASPs operating in countries with both 12-month and six-month periods if, for example, they wish to use their license obtained in Germany for business in the Netherlands by way of passporting, but BaFin does not grant the required MiCAR license until after the six-month transition period applicable in the Netherlands has expired. In this scenario, the crypto asset service provider in question would face the threat of having to cease its business in the Netherlands, as it would no longer be able to invoke Article 143(3) MiCAR after six months.

BaFin is Required to Monitor the Overall Situation Regarding the Processing of License Applications

The ESMA recommendations are addressed to both CASPs and the supervisory authorities responsible for processing MiCAR authorization applications. The crypto asset service providers are strongly advised to submit their MiCAR authorization applications as soon as possible to enable the authorities to process them within the grandfathering period. In addition, CASPs are urged to identify any problems arising from the different durations of the transitional provisions in the individual member states as quickly as possible so that, if necessary, applications for the required MiCAR license can also be submitted in member states with short transition periods. However, ESMA also expects the competent supervisory authorities to act proactively. They should engage in a detailed exchange with applicants at an early stage in order to be informed about business conducted in other member states. In this context, BaFin will have to consult with the supervisory authorities of the other member states as early as possible and on an ongoing basis in order to prevent avoidable disruptions due to a lack of authorizations after the expiry of the grandfathering periods. BaFin will also have to prioritize applications from affected CASPs.

Attorney Lutz Auffenberg, LL.M. (London)

I.  https://fin-law.de

E. info@fin-law.de

    Apr 07, 2025

    Offering AI Investment Tools: A Regulated Activity?

    Artificial intelligence (AI) or, more specifically, large language models (LLM) are no longer just on the rise, but have already arrived in many areas of business and private life. The use of chatbots and other AI applications is increasingly becoming part of everyday life. A chatbot can now answer questions that previously required extensive Google searches and visits to many different websites, including maneuvering annoying cookie banners and often a flood of unwanted advertising, in just a few seconds. The added value of web searches by chatbots for users cannot be denied. It is therefore no surprise that trust in and the desire for AI-supported tools is increasing in more and more areas of life. One possible use of AI/LLMs may be to use them to assist in investment decisions. Recently, ESMA also felt compelled to publish a warning about the risks of using AI in financial investments. This was also published on the BaFin website on March 28, 2025. According to BaFin, consumers should be particularly careful when buy and/or sell signals are artificially generated. AI tools and apps could provide tips or recommendations that may be inaccurate or misleading. Those who invest based on them risk significant financial losses. AI tools and apps are neither authorized nor supervised by financial regulators. This notice once again provides reason to examine the previous classification of providers of automated software-based investment services and, in this context, to examine under which conditions providers of dedicated AI investment tools require a license from BaFin.

    The So-Called Robo-Advice

    BaFin has been dealing with the topic of automated distribution of financial instruments and similar digital offers for quite some time. In an article from the 2017 annual report, BaFin already summarizes these under the term robo-advice and states that such advice generally meets the legal definition of investment advice or financial portfolio management and therefore requires a license under banking or commercial law. In a later article from 2020, BaFin reiterated its view that robo-advice can be legally classified as investment advice, financial portfolio management, acquisition brokerage or investment brokerage in an article entitled “Robo-Advice – Automated Investment Advice and Financial Portfolio Management”. In its 2022 information notice “Automatisierte und signalbezogene Beratungs- und Handelssysteme” (Automated and Signal-Based Advisory and Trading Systems), BaFin once again emphasized that a conclusive regulatory assessment is only possible if BaFin is provided with the contractual agreements between the provider and its customers in individual cases. Liability for robo-advice has also been addressed in case law. In a judgment dated May 30, 2018 – 12 U 95/16 – the Higher Regional Court of Hamm ruled that in the case of automated online trading in financial products, proprietary trading (which does not require a license) is deemed to have taken place by the person “who decides on the fundamental settings and specifications of the software”. The court stated that the decisive factor is not who actually makes the settings or where the software is installed (on the customer’s hardware or in the cloud). The court regards the main criterion as being who made the “decisive specifications” in the relationship between the parties. In the legal literature, it has been argued, among other things, that in the case of software with abstractly defined trading algorithms, the software provider has no discretion. The user is responsible for the use of the software. The decisive factor is which contractual partner can ultimately decide on its use or non-use (usually the user). Therefore, automated portfolio management should at least not be subject to authorization as financial portfolio management.

    What are the Arguments For and Against Requiring Permission for Providers of AI Investment Tools?

    First of all, it must be noted that the judgment of the Higher Regional Court of Hamm cannot be applied across the board to all robo-advisers and AI investment tools, since it is based on a case in which the investor himself actually provided essential specifications for the software. Furthermore, investors require the same level of protection with AI systems as they would with advice or management from a human. The mere power of disposition of the investor (activation/deactivation) does not change the lack of predictability of the AI decisions. LLMs are characterized precisely by the fact that they do not merely follow predefined algorithms. Without predictability for the investor, an investment decision should not be attributable to the investor. If an investor uses an ordinary AI chatbot and asks it for help with investment decisions, it is unlikely that the provider of this chatbot can be said to be performing an activity that requires a license. The situation could be different if AI-supported software is explicitly offered that automatically manages the investor’s portfolio and makes buy and sell decisions for the investor. Providers of AI investment tools should therefore check in each individual case whether their own application includes activities that require a license. If necessary, the business model should be adapted to avoid authorization requirements or to obtain a license. Consideration could also be given to cooperating with market participants who already have the necessary authorizations. After analyzing one’s own business model, an inquiry should first be made to BaFin to clarify one’s own intentions before the AI investment tool is offered to investors in Germany.

    Attorney Anton Schröder

    I.  https://fin-law.de

    E. info@fin-law.de

    The lawyer responsible for questions relating to AI Investment Tools, Robo-Adviser and IT law at our law firm is Attorney Lutz Auffenberg LL.M. (London) with assistance of Attorney Anton Schröder.

      Mar 31, 2025

      Issuance of Stablecoins with a Value of up to EUR 5 Million – What Advantages Does MiCAR Offer Small ART Issuers?

      So-called Asset-Referenced Tokens (ART) have been strictly regulated under the Markets in Crypto Assets Regulation (MiCAR) since the summer of 2024. According to the MiCAR definition, ARTs are a special form of crypto-assets that attempt to maintain value stability by referencing one or more other assets, without being classified as E-Money Tokens (EMT). According to the new supervisory regime for crypto-assets in the EU, in principle, initially only credit institutions and issuers specifically authorized for the issuance of ARTs are permitted to issue Asset Referenced Tokens and offer them to the public. However, MiCAR allows for an exception to this principle for micro-issuances if the equivalent value of the ART issued by the respective issuer has not exceeded the threshold of EUR 5 million over a period of twelve months. The average outstanding value is to be calculated at the end of each calendar day. If these conditions are met, the issuer of the Asset Referenced Tokens does not require a MiCAR license and does not subsequently have to apply for admission to the competent authority – in Germany, the BaFin. However, this does not eliminate all the other requirements for ART issuers that the MiCAR imposes.

      The Obligation to Prepare a Crypto-Assets White Paper Also Applies to ART Issuers under the 5-Million Exception

      One of the key obligations of issuers of crypto-assets under MiCAR is the requirement to prepare and publish a crypto-assets white paper. ART issuers, in particular, are required to prepare a crypto-assets white paper for the stablecoins they issue. The MiCAR specifies in great detail the content that must be included in the document. Under the exemption for ART issuances below the 5 million threshold, only the requirement to obtain MiCAR authorization as an issuer of Asset Referenced Tokens or to be a credit institution is waived. However, the text of the regulation explicitly requires the preparation of an ART white paper even in cases where the exemption is applied. The exemptions for issues of other crypto-assets – such as offers to no more than 150 investors per member state or free offers of crypto-assets – are generally not applicable to issues of ART. ART issuers therefore cannot get around the obligation to create a white paper, even if they always remain below the equivalent of EUR 5 million with the ART they issue.

      BaFin Does Not Have to Authorize ART White Papers under the 5-Million Exception

      MiCAR requires that white papers for ART crypto-assets must be explicitly authorized by the competent authority. This significant difference compared to the white paper to be prepared for other crypto-assets can be explained by the fact that the regulatory requirements for ART issuers are significantly more extensive than those for issuers of other crypto-assets that do not qualify as ART or EMT. However, the requirement to publish a white paper does not apply to issuers operating under the exemption for ART issuances of less than 5 million. This regulation causes problems in that it creates legal uncertainty with regard to the question of exactly how micro-issuers of ART must publish their white paper. This is because the MiCAR regulation on the disclosure requirement on the issuer’s website refers, according to its wording, exclusively to crypto-assets white papers for Asset-Referenced Tokens that have been authorized. The Central Bank of Ireland therefore asked ESMA for clarification on this issue in August 2024. However, ESMA’s response is still pending and is still being reviewed by the EU Commission. However, issuers of ART issues below the equivalent of EUR 5 million will be well advised to also publish the white paper on their own website in any case and to keep it available there from the start of the public offering and only remove it when no third party holds any of the issued ART any longer.

      Attorney Lutz Auffenberg, LL.M. (London)

      I.  https://fin-law.de

      E. info@fin-law.de

      The lawyer responsible for regulatory questions relating to the authorization as an issuer of asset referenced tokens and for the related exemptions at our law firm is Attorney Lutz Auffenberg, LL.M. (London).

        Mar 24, 2025

        Qualified Crypto Custody – Are NFTs Regulated as Cryptographic Instruments in Germany?

        The Markets in Crypto Assets Regulation (MiCAR) has been fully applicable in the European Union for almost three months now, imposing uniform compliance and licensing requirements on crypto service providers throughout the Union. The national crypto regulation previously in force in Germany has thus become obsolete. However, a small remnant of national regulation remains for the area of crypto custody even under the MiCAR regime. In the course of the implementing law regulating the transition to the MiCAR regime, the German legislator had to find a solution for those companies that, with their national crypto custody license, were allowed to hold crypto assets prior to the entry into force of the MiCAR, which now fall outside the scope of the MiCAR. The rationale of the government for the Financial Market Digitization Act, which implemented the transition to MiCAR, was that the transition should not limit the scope of the custody portfolios of crypto-custodians with a national KWG license. In particular, this issue concerned crypto assets that also meet the requirements for a financial instrument within the meaning of the MiFID2 regulation. MiCAR explicitly excludes such financial instruments from its scope of application. Also excluded from the scope of MiCAR are so-called non-fungible tokens (NFT), i.e. crypto assets that are individually designed and not interchangeable with other crypto assets of the same type and quality.

        Can an NFT be a Cryptographic Instrument within the Meaning of the KWG?

        To solve this problem, the German legislator introduced the new regulatory category of cryptographic instruments. It is important to understand that cryptographic instruments are not financial instruments within the meaning of the KWG, but a special category of instruments that only play a role to the extent that only financial services institutions with a license for qualified crypto custody are allowed to hold cryptographic instruments. Cryptographic instruments do not play a role for other types of permission. Cryptographic instruments are defined in the KWG in continuation of the former national crypto-value concept – which was to be abolished – as digital representations of a value that has not been issued or guaranteed by any central bank or public authority and does not have the legal status of a currency or money, but is accepted by natural or legal persons as a means of exchange or payment or for investment purposes on the basis of an agreement or actual practice and can be transferred, stored and traded electronically. The KWG also explicitly excludes four types of instruments from the definition, namely e-money, monetary values in closed-loop models, crypto assets under MiCAR and securities within the meaning of the German Securities Deposit Act (Depotgesetz). Accordingly, to the extent that an NFT meets the legal definition in an individual case and constitutes a cryptographic instrument, the custody of the NFT in Germany may require a license from BaFin to provide qualified crypto custody. In particular, this may apply to NFTs that are used for investment purposes.

        BaFin May also Grant an Isolated License for Qualified Crypto Custody Business in Accordance with the KWG

        The custody of NFTs or cryptographic keys (private keys) for NFTs for customers can therefore qualify as a qualified crypto custody transaction, even if the custody is offered, for example, only as an additional service to the operation of an exchange platform for the NFTs. Qualified crypto custody is a fully-fledged financial service within the meaning of the KWG, so that in such cases an application for a corresponding license can be submitted to BaFin. It is irrelevant whether the applicant company in question also has a license under the MiCAR for crypto custody or another crypto service. A license under the KWG and an authorization under the MiCAR can be granted concurrently. The requirements for a license application under the KWG are extensive. In particular, the applicant must present a viable business plan for the first three financial years, have reliable and professionally suitable managers who can devote sufficient time to managing the business, and be able to demonstrate that it has a business organization that meets the minimum regulatory standards with regard to risk management, IT security, money laundering compliance and emergency management. The regulatory minimum capital that qualified crypto custodians must be able to demonstrate at all times is 150,000 euros, provided they do not also trade in financial instruments for their own account.

        Attorney Lutz Auffenberg, LL.M. (London)

        I.  https://fin-law.de

        E. info@fin-law.de

        The lawyer responsible for regulatory questions relating to NFTs and BaFin authorization procedures at our law firm is Attorney Lutz Auffenberg, LL.M. (London).

          Mar 17, 2025

          DORA in Action: What are Critical or Important Functions and Why Does It Matter?

          Regulation (EU) 2022/2554, also known as DORA, has come into force and presents new challenges for financial entities. This regulation aims to minimize the risks arising from digital transformation and increasing interconnectedness in the finance and insurance industry. DORA focuses on managing threats such as cyberattacks and business interruptions in order to strengthen operational resilience. The requirements that DORA places on financial entities are complex and involve a considerable amount of red tape. Nevertheless, the regulation promotes important minimum standards in the area of digital operational resilience. DORA is supplemented by regulatory technical standards (RTS) and implementing technical standards (ITS), which are developed by the European Supervisory Authorities (EBA, EIOPA and ESMA) in collaboration with national supervisory authorities and adopted by the Commission. Many of these RTS have already entered into force and provide financial companies with specific guidelines for implementing the DORA requirements. However, despite the broad applicability of DORA and the RTS, uncertainties remain in the interpretation and implementation in individual cases. The lack of binding interpretation guidelines makes it difficult for financial entities to fulfill the numerous new obligations. In many areas, there is still a great deal of uncertainty among financial companies. A concrete example of the existing difficulties faced by financial companies can be found in the supposedly simple task of creating a register of information, filling it out correctly and then providing it to BaFin in a timely manner. Aside from the technical difficulties, the biggest problem here is that a preliminary question must first be answered: whether a function provided by a third-party ICT service provider is important or critical.

          Important or Critical Function – Why is Classification Practically Relevant?

          So what are critical or important functions in the sense of the DORA regulation? The regulation does not define what a function is in the sense of DORA. It is possible that the European legislator took for granted what is meant by this and therefore refrained from providing a definition. From the context and the objectives of the regulation – namely to strengthen the digital operational resilience of business operations – it can be concluded that functions in the sense of DORA mean operational and business functions of a financial entity. DORA defines in Art. 3 no. 22 a critical or important function as a function whose failure would materially impair a financial entity’s financial performance or the soundness or continuation of its operations and services, or whose interrupted, defective, or omitted performance would materially impair a financial entity’s continued compliance with the licensing conditions and obligations or its other obligations under applicable financial services law. In short, these are functions whose failure would have a significant adverse effect on financial performance, business continuity or regulatory compliance. This classification is of practical relevance for ICT third-party service providers that provide such critical or important functions or support significant parts of them. Among other things, this means that the requirements for the design of the contract are much more extensive. Furthermore, only the direct ICT third-party service provider has to be specified in the register of information for non-critical functions. For critical or important functions, on the other hand, all subcontractors in the ICT service chain must also be recorded.

          The Register of Information and Initial Guidance from BaFin

          Pursuant to Article 28 (3) DORA, financial entities must maintain a register of information (RoI) that covers all contractual agreements on the use of ICT services provided by third-party ICT service providers. The register is to be made available to the competent authorities on an annual basis. Initially, the registers are to be submitted to the BaFin on April 11, 2025. The requirements for the registers of information are set out in Commission Implementing Regulation (EU) 2024/2956 (RTS RoI). On March 6, 2025, the BaFin hosted a workshop on the submission of the registers of information to provide guidance and assistance to the financial entities concerned. BaFin is visibly endeavoring to support financial entities in implementing DORA. The registers of information must be created as structured files according to the ESAs’ taxonomy. The BaFin provides an Excel template for this purpose and also accepts registers that have been created using this template. In order to make it easier for smaller financial entities in particular to submit the information, BaFin will convert the completed Excel templates into the target format. During the workshop, BaFin also addressed the question of how to determine whether a subcontractor in the ICT service chain is to be included in the register of information. BaFin has proposed three orientation questions for this purpose:

          1. Is there a direct dependency between the ICT service and the subcontractor?
          2. Does the subcontractor ensure the provision of essential parts of the ICT service to support a critical or important function?
          3. Could a disruption at the subcontractor affect the security or continuity of the ICT service?

          BaFin also pointed out that the principle of proportionality and a risk-based approach must be taken into account. The interpretation proposed by BaFin is to apply subject to any later conflicting interpretations by the ESAs. Despite the proposed systematic questions, uncertainties remain for financial entities. After all, they have to decide on a case-by-case basis whether or not to include a subcontractor in the chain of subcontractors. The effort required to identify all subcontractors in the chain is a major undertaking in itself. In addition, each subcontractor must be considered.

          Attorney Anton Schröder

          I.  https://fin-law.de

          E. info@fin-law.de

          The lawyer responsible for questions relating to DORA and IT law at our law firm is Attorney Lutz Auffenberg LL.M. (London) with assistance of Attorney Anton Schröder.

            Feb 24, 2025

            News on Financial Entities as ICT Third-Party Service Providers and on Subcontracting under DORA

            The EU Regulation 2022/2554 (DORA) has come into force and financial firms must comply with the new requirements. The regulation focuses on addressing the challenges posed by digital transformation and growing interconnectedness in the financial industry, which will intensify in the future. DORA aims to further reduce risks arising from cyber-attacks and business interruptions, for example. Specific obligations that DORA places on financial entities are complex. The bureaucratic burden that DORA places on financial entities should not be underestimated. At the same time, however, DORA helps to promote appropriate minimum standards in the area of digital operational resilience. DORA is supplemented by regulatory technical standards (so-called RTS), which are regularly drafted by the ESAs (EBA, EIOPA and ESMA) in cooperation with the national supervisory authorities and adopted by the Commission in accordance with the relevant requirements. Most RTS have already entered into force in this way. The RTS are intended to provide financial entities with specific guidelines on how the requirements of the DORA are to be understood and implemented in the areas regulated by the RTS. Although DORA and almost all RTS are already applicable, there is still some uncertainty regarding the interpretation of DORA in individual cases. EIOPA has now provided interpretation notes via the ESAs’ joint Q&A on one of the major questions concerning DORA – namely, when a financial entity is to be classified as an ICT third-party service provider in relation to other financial entities. There is also uncertainty regarding the outsourcing by ICT third-party service providers of critical or important functions or significant parts thereof to subcontractors. The draft RTS on this from the ESAs is still at the drafting stage despite the fact that the DORA has already come into force, and now the Commission has announced its intention to partially reject the draft. The following comments address these issues surrounding DORA.

            Clarification: When Financial Entities May Be Qualified as Third-party ICT Service Providers

            One of the most pressing questions for many financial companies is whether DORA applies when a financial entity provides digital services to another financial entity. At what point are the services between financial entities classified as ICT services? If the services are ICT services within the meaning of DORA, a financial entity can also be considered an ICT third-party service provider within the meaning of DORA. This is explicitly clarified in recital 63 of the DORA. On behalf of the ESAs, EIOPA is now providing legal practitioners with an interpretative guide. In EIOPA’s view, financial services may also include an ICT component. If financial entities provide ICT services to other financial entities in connection with their financial services, the financial entity receiving the ICT services should check whether, firstly, the services constitute an ICT service as defined by DORA and, secondly, whether the financial entity providing the services and the financial services it offers are regulated under EU law or the national law of a member state or a third country. Should both tests be passed, the ICT service in question should be considered predominantly a financial service and not an ICT service within the meaning of Article 3 subsection 21 DORA. If the service is provided by a regulated financial entity offering regulated financial services, but the service is unrelated or independent of such regulated financial services, the service should be considered an ICT service for the purposes of Article 3 subsection 21 DORA. This interpretation is to be endorsed as it is in line with the objectives of the DORA, is consistent with the guiding principles of recital 79 and avoids additional red tape in the area of ICT third-party risk management between financial entities, each of which is already subject to the requirements of the DORA.

            Further Uncertainty Regarding RTS on Subcontracting

            On January 21, 2025, the European Commission rejected the draft regulatory technical standards (RTS) related to subcontracting of ICT services supporting critical or important functions. These RTS are urgently needed, among other things, so that financial entities know how far-reaching contractual agreements with third-party ICT service providers need to be with regard to subcontracting. The Commission considers that the requirements in Article 5 of the draft RTS go beyond the powers granted to the ESAs by Article 30 subsection 5 DORA. In particular, it concerns the conditions for monitoring the chain of ICT subcontractors that are not specifically linked to the conditions for subcontracting. The Commission is asking for the removal of Article 5 and associated Recital 5 from the draft RTS to ensure that the draft is consistent with the mandate. The corresponding article will therefore no longer be part of the rules to be observed by financial entities. Unfortunately, this also delays the binding adoption of the RTS, and financial entities are still only able to work with the draft. At least the Commission is only proposing editorial changes that are intended to improve the quality of the legal act without affecting the substance of the act. The ESAs have six weeks to revise the draft based on the proposed amendments by the Commission and resubmit it. If the ESAs do not amend the draft in line with the Commission’s suggestions or do not submit a revised draft within this period, the Commission may adopt the RTS with the amendments it has proposed or reject them altogether. It is therefore clear that more legal certainty will probably soon prevail. Until then, financial entities should use the existing draft and refrain from the requirements in Article 5 of the RTS.

            Attorney Anton Schröder

            I.  https://fin-law.de

            E. info@fin-law.de

            The lawyer responsible for questions relating to DORA and IT law at our law firm is Attorney Lutz Auffenberg LL.M. (London) with assistance of Attorney Anton Schröder.


              Feb 17, 2025

              Token Sale in the MiCAR Era – How Can a Token Issuance be Advertised?

              Since the new Regulation on Markets in Crypto Assets (MiCAR) came into full legal force at the end of last year, the regulatory requirements for token sale events and initial coin offerings have also expanded considerably. This applies in particular to issuers of e-money tokens (EMT) and asset-referenced tokens (ART), but also to issuers of other crypto assets. Provided that no exemptions provided for by MiCAR can be utilized, the provider of the crypto assets must prepare and publish a detailed crypto asset whitepaper prior to the public offering via a token sale event. In addition, providers of new crypto assets must now meet compliance requirements and, in particular, identify, avoid and disclose any conflicts of interest. MiCAR also requires providers to draft their marketing communications for a public offering in compliance with certain minimum requirements and publish them on their website prior to the launch of the token sale. Marketing communications must be clearly recognizable as such and must contain a specific reference, pre-formulated in MiCAR, to the fact that they have not been reviewed or approved by an authority and that the provider bears sole responsibility for their content. In any case, any marketing communications must be consistent with the details and information in the underlying crypto asset whitepaper. But what exactly are marketing communications within the meaning of MiCAR?

              What Constitutes a Marketing Communication Under MiCAR?

              Modern marketing for token sale events is difficult to compare with advertising measures that issuers and distribution service providers carry out for traditional capital market issues. The usual marketing measures prior to MiCAR coming into force took place almost entirely online and ranged from content marketing via articles placed in specific portals and community building on social media channels to the provision of digital giveaways such as NFTs. Under MiCAR, the question therefore arises as to whether these marketing measures also qualify as marketing communications and are therefore subject to the corresponding labeling and publication obligations under MiCAR. MiCAR itself does not contain an independent definition of the term marketing communication. However, it can be inferred from the recitals preceding the text of the regulation that marketing communications should at least also include advertising messages and marketing materials that are disseminated via social media platforms. According to this statement, not only text messages would be covered by the term marketing communication, but possibly also other modern advertising measures such as memes or images. The term must be further substantiated by interpretation. In this respect, for example, recourse can be had to the definition of advertising in securities law, which in any case requires a certain promotion of the willingness to subscribe through a measure that relates to a specific public offer of securities. This objective could also be used for the interpretation of the marketing communication within the meaning of MiCAR.

              How Can Providers Label Memes and NFTs as Marketing Communications?

              The more modern and unconventional the individual advertising measure, the more difficult it becomes to comply with the MiCAR requirements for the labeling of marketing communications. In particular, the affixing of the provider’s unambiguous and clearly recognizable declaration of responsibility in accordance with the textual requirements of MiCAR causes difficulties where only a very limited number of characters may be possible or even where communication is to take place exclusively via an image. Ultimately, BaFin or ESMA would have to clarify whether short links or asterisk references may be used in this respect, as long as such aids do not restrict the clear recognizability of the declaration. In individual cases, such reference solutions could even be conducive to the visibility of the markings required by supervisory law if, for example, a presentation in small font size or in a less conspicuous color design could be avoided in this way. As long as there is no official administrative practice on the details of the design of marketing communications under MiCAR, the provider will have to assess for each individual advertising measure for token sales if it constitutes a marketing communication and how specifically the applicable design obligations are to be implemented.

              Attorney Lutz Auffenberg, LL.M. (London)


                Feb 10, 2025

                AIaaS – Proven Solution for New Breakthrough Technologies

                Artificial intelligence (AI) is already revolutionizing numerous areas of society and the economy. It opens up new opportunities for growth and innovation by automating processes, using resources more efficiently and enabling completely new business models. Accordingly, the demand for AI is high. Developing and operating your own AI models is costly and time-consuming, and requires high initial investments and extensive specialist knowledge. To meet the demand for cost-effective alternatives, the market has found a solution that has been used in the IT sector for a long time. Under the catchy name Software-as-a-Service (SaaS), software and hardware resources are offered as cloud-based solutions. This means that resources can be provided to users in a scalable and cost-effective way. The new star in the sky of cloud-based services is called AI-as-a-Service (AIaaS). This service allows companies to use predefined or self-trainable AI models that run on the infrastructure of large cloud providers via API. The advantages in terms of cost, time, scalability and access to the latest AI technologies are immense. This means that even small or medium-sized companies can implement AI projects that would otherwise only be available to large technology companies. Although it is similar to SaaS solutions, AIaaS raises a number of legal issues that need to be addressed before AIaaS projects can be implemented.

                A Fresh Take on Old Favorites

                A range of different AI applications are already on the market, serving a variety of functions. These range from chatbots to document processing and innovative investment tools. As with SaaS, the right contract design plays a crucial role in AIaaS. The contract must meet the requirements of the respective application. In particular, the contractual parties’ performance obligations must be regulated. The contractual parties should take the time to clearly describe the services in order to avoid misunderstandings and to create clarity for the interpretation and legal classification. Service level agreements should be concluded to ensure sufficient availability and quality of the AIaaS service, maintenance times and response times in the event of disruptions. Another important topic is the correct handling of data protection in accordance with the GDPR, since personal data is usually processed. Often, the use of cloud-based AIaaS solutions also involves a transfer of personal data to a third country, which is only permitted under the strict conditions of the GDPR. It must be clarified who is the controller, and whether there is joint controllership or processing on behalf of a controller. It also needs to be clarified whether the use of the AIaaS is to be regarded as an outsourcing from the company itself to the AIaaS service provider and whether this results in specific legal obligations. IT security also plays an important role. This applies in particular to financial companies that are subject to Regulation (EU) 2022/2554 (DORA). AIaaS providers are likely to regularly qualify as third-party ICT service providers within the meaning of DORA, which is why the far-reaching requirements of DORA must be observed. The requirements for contract design, project organization and monitoring can be high in individual cases, but there are also many design options that can best be used for a successful implementation of the project through careful planning and close exchange between the parties involved.

                New Territory: Artificial Intelligence Act

                In addition to the aspects mentioned above, the Regulation (EU) 2024/1689 (AI Act) is another piece of legislation that has been introduced recently at the European level and that the parties involved in an AIaaS relationship must comply with. In some cases, the requirements can be very extensive. For example, the AI Act prohibits certain practices in the field of AI. It also defines special risk management requirements for high-risk AI systems and obligations for actors in relation to such systems. It also imposes transparency requirements on certain AI systems and requires providers and operators of AI systems to take measures to ensure to the best of their ability that their personnel and other persons involved in the operation and use of AI systems on their behalf have an adequate level of AI competence. This may also mean that appropriate training is necessary. In most cases, the requirements for companies that integrate AIaaS solutions into their business are limited and do not present any significant obstacles. It is also a stated aim of the regulation to promote innovation and employment and to give the Union a leading role in the introduction of trustworthy AI.

                Attorney Anton Schröder


                  Jan 20, 2025

                  DORA Is Live – When Do the First Reports Have to Be Made to BaFin?

                  The time has come: the two-year transitional period since the entry into force of DORA on 16 January 2023 has expired and DORA has been applicable since 17 January 2025. The financial firms and ICT third-party service providers affected must now meet the new requirements introduced by DORA. Financial firms must measure their digital operational resilience against the provisions of DORA. DORA comprises 64 articles, which are supplemented by a series of Regulatory Technical Standards (so-called RTS). The RTS create uniform standards across the EU, so that all affected financial firms throughout the Union must meet the same requirements. This is intended to strengthen the freedom of establishment and the digital operational resilience of the entire European financial market. DORA addresses ICT risks by setting out specific requirements for ICT risk management capabilities, incident reporting, operational resilience testing, and monitoring of risks associated with the use of third-party ICT service providers. BaFin has already stated on several occasions that there will be no further transition period after the two-year transition period. This means that financial companies must already fulfill the DORA requirements. But what about the specific reporting and notification obligations that financial companies must fulfill towards BaFin? The main focus here lies on the Register of Information, which refers to all contractual agreements for the use of ICT services provided by third-party ICT service providers and must be maintained by financial companies as part of their ICT risk management.

                  What is the DORA Register of Information?

                  An important part of the DORA regulation is the requirement for financial firms to establish sound management of third-party ICT risk. This includes, for example, a strategy for managing ICT third-party risk and, optionally, a strategy for using multiple ICT providers. In addition, guidelines must be created for the use of ICT third-party services, in particular for ICT services that support critical or important functions. The Register of Information is also a key component of ICT third-party risk management. Financial companies must maintain this register of information for all contractual agreements for the use of ICT services provided by third-party ICT service providers. A distinction must be made between ICT services that support critical or important functions and those that do not. The requirements for the Register of Information (RoI) are specified in detail by the Regulation on implementing technical standards with regard to standard templates for the Register of Information (ITS RoI). Financial undertakings must provide the competent authority – in Germany BaFin – with the complete Register of Information or, upon request, certain parts of this register, together with all information deemed necessary for the effective supervision of the financial undertaking. BaFin has now announced that it will require financial companies to submit the Register of Information to BaFin for the first time by 11 April 2025 at the latest. To this effect, BaFin published a series of articles on its website just a few days ago. The background to this is that BaFin must transmit the Registers of Information to the European Supervisory Authorities by 30 April 2025 so that they can classify the third-party ICT service providers requiring supervision as critical ICT service providers within the meaning of the DORA, which are subject to special supervision under the DORA.

                  How Should the Register of Information be Submitted in Accordance with the Regulation?

                  For financial companies that have already completed the implementation of DORA, submitting the Register of Information to BaFin should not pose a problem. Financial companies that have not yet fully adapted to the DORA requirements should not panic either, but should quickly start creating the Register of Information so that it is ready as soon as BaFin requests it. In a recently published article, BaFin also called on the financial companies concerned to prepare to submit the Registers of Information to BaFin for the first time by no later than 11 April 2025. However, the authority also promised to provide the companies with close support until then and to try to clarify as many open questions as possible. BaFin has published detailed information on its website. The Registers of Information are transmitted to BaFin via BaFin’s reporting and publication platform (MVP). When creating the registers, financial companies must follow the guidelines of the European Supervisory Authorities (ESAs). The registers are to be submitted as structured files that correspond to the taxonomy specified by the ESAs. In order to make the conversion easier for smaller financial companies in particular, BaFin plans to provide a special Excel template on its website in the near future. This template can then be used by financial companies instead of a structured file, provided that the given structure of the Excel template is strictly adhered to. As an alternative to submitting the Register of Information as a structured file, financial companies should be able to submit the completed Excel template via the MVP. It is also essential for companies that plan to apply to BaFin for a license to operate as a financial service provider in the near future to ensure that the requirements of DORA have been implemented. This is the best way to avoid delays in the processing of the license application. The requirements of DORA are very complex. However, they do not fundamentally differ from the requirements that BaFin already placed on financial companies prior to the entry into force of DORA. Provided that a solid information security management system (ISMS) already exists within the company, the adjustments should be able to be implemented quickly in most cases.

                  Attorney Anton Schröder


                    Dec 16, 2024

                    Interoperability Through Token Bridges – Are Wrapped Tokens Crypto Assets under MiCAR?

                    Blockchain technology has established itself as a promising technical infrastructure for numerous applications since the emergence of the smart contract economy. Investment products and capital market issues in particular are now increasingly being mapped and processed via smart contracts implemented on blockchains. The tokenization of so-called real-world assets (RWA tokens) or rights is also increasingly being implemented to enable the digital transfer of the underlying assets. One of the biggest challenges of blockchain-based projects, however, is the fact that blockchains are essentially closed networks that are not compatible with each other. The use of bitcoins or their equivalent value to interact with a smart contract implemented on the Ethereum blockchain, for example, is not technically possible at first glance. So-called token bridges can provide a remedy in such cases. These are smart contracts that enable their users to use value units from other blockchain infrastructures on other blockchains. Technically, this works by users transferring cryptocurrencies of a certain type to a blockchain address managed by the token bridge in order to receive wrapped tokens in return, which are generated on the target blockchain and can therefore be used there. Wrapped tokens usually represent the value of the deposited cryptocurrency at a ratio of 1:1.

                    Can Wrapped Tokens Represent Asset-Referenced Tokens?

                    Under MiCAR, digital representations of values or rights that can be transferred and stored electronically using distributed ledger technology or similar technology are regulated as crypto assets. Wrapped tokens certainly meet these very broadly formulated requirements. However, MiCAR also recognizes special forms of crypto assets that may be associated with further obligations for issuers and providers of crypto services. An asset-referenced token (ART) exists, for example, if a crypto asset attempts to maintain a stable value by referring to another asset or another right or a combination thereof, including one or more official currencies. As wrapped tokens usually represent the value of another crypto asset on a 1:1 basis, they will in most cases qualify as ART. For the issuer of the wrapped token, this may mean in particular that the wrapped token may not be issued without the necessary authorization under MiCAR. In addition, the issuer of ART is obliged to create an asset reserve, which must be held in accordance with the specific requirements set out in MiCAR. Furthermore, depending on the design of the underlying smart contracts, providers of token bridges may trigger licensing obligations under MiCAR. For example, the safekeeping of deposited crypto assets may constitute crypto custody subject to authorization. The retransfer of deposited crypto assets may also be subject to authorization under MiCAR if it is to be carried out to a different blockchain address than the one from which the crypto assets were originally transferred to the token bridge.

                    Can Token Bridge Models Also Be Realized in an Unregulated Way?

                    Providers of token bridges and issuers of wrapped tokens may therefore be subject to far-reaching regulatory obligations. One way to avoid these considerable administrative burdens may be to decentralize the token bridge and the issuance of wrapped tokens to such an extent that there is no sufficiently responsible person for the operation of the token bridge and the issuance of wrapped tokens. In this respect, it would be necessary for the token bridge to function in a completely decentralized manner and for no identifiable person to have control or influence over the operation or issuance of wrapped tokens. In this case, there would be no addressee for the regulatory obligations provided for under MiCAR and the token bridge would be able to operate outside the scope of MiCAR.

                    Attorney Lutz Auffenberg, LL.M. (London)


                    The lawyer responsible for questions relating to the qualification of tokens under MiCAR at our law firm is Attorney Lutz Auffenberg, LL.M. (London).


                      Dec 02, 2024

                      Getting Ready for DORA (Part VII) – Which Financial Companies Benefit From the Simplified ICT Risk Management Framework?

                      From 17 January 2025, affected companies will have to comply with the new requirements introduced by DORA. The main objective of DORA is to fully and consistently harmonize digital operational resilience and ICT security. The need for this arises, among other things, from the fact that legal differences and varying national regulatory and supervisory approaches to ICT risk create obstacles to the functioning of the internal market for financial services. This makes it considerably more difficult for financial companies operating across borders to exercise their freedom of establishment and freedom to provide services without hindrance. Furthermore, competition between the same types of financial companies operating in different member states has also been severely distorted by these differences. DORA addresses ICT risks through targeted requirements for ICT risk management capabilities, incident reporting, operational resilience testing, and monitoring of ICT third-party risk. When dealing with DORA, the principle of proportionality must be taken into account. This means that the size, overall risk profile, nature, scale and complexity of the financial services must be taken into account when implementing the requirements. This is also reflected in the requirements for ICT risk management: DORA provides for a so-called simplified ICT risk management framework for certain financial firms. But to whom exactly does this apply?

                      Which Companies Can Implement a Simplified ICT Risk Management Framework?

                      The simplified ICT risk management framework is significantly scaled back compared to the general framework otherwise provided by the DORA and places fewer specific requirements on the implementation of ICT risk management. To put it bluntly, ICT risk management is reduced from fifteen articles to one. This simplified framework applies exclusively to the financial institutions explicitly named by DORA. These include, for example, small and non-interconnected investment firms, small institutions for occupational retirement provision, and institutions excluded under the Capital Requirements Directive (CRD IV). These exclusions are particularly welcome in light of the considerable effort involved in implementing the DORA requirements. Smaller companies that fall under the exemption can thus operate an ICT risk management system that is appropriate in relation to their size and overall risk profile. An adequate level of protection is ensured by the requirements of the simplified ICT risk management framework in conjunction with the regulatory technical standards (RTS RMF). These standards define the tools, methods, processes and guidelines for ICT risk management and for the simplified framework. The simplified ICT risk management framework should also apply to payment institutions and e-money institutions that have been excluded from the respective member states’ implementation under the Payment Services Directive (PSD2) or the E-Money Directive. However, there is inconsistent implementation here by the individual member states.

                      Unequal Requirements for Payment Institutions in Different Member States

                      Despite DORA’s harmonization efforts, gaps still exist. These are particularly evident in the case of payment institutions and e-money institutions. This is because the member states had a certain amount of leeway when implementing the PSD2 and the E-Money Directive. It is therefore possible that when transposing the directive into national law, the option of “exempting” certain payment institutions or e-money institutions and subjecting them to simplified requirements in national law will be used. Consequently, in these cases, the DORA refers to an exemption that only applies to financial companies if the respective member state has implemented this exemption in its national law. However, this is in strong contrast to the DORA’s objective of creating a level playing field for all market participants. Recital 42 of the DORA shows that the European legislator has recognized this problem and ultimately accepted the unequal treatment of comparable financial companies. One example of this is that a payment institution regulated in Germany must comply with the general ICT risk management framework, while a comparable payment institution in another member state that has made use of the exemption may apply for the simplified ICT risk management framework. It is therefore necessary to check in each individual case whether and to what extent the simplified ICT risk management framework can be applied for. Even if this is not the case, the general ICT management framework must still be implemented proportionately.

                      Attorney Anton Schröder


                      The lawyer responsible for questions relating to DORA and IT law at our law firm is Attorney Lutz Auffenberg LL.M. (London) with assistance of Attorney Anton Schröder.
