The new European regulatory environment: MiCA, DORA, PSD3, AI Act

The recent regulatory changes in the European Union (EU), alongside emerging technologies like blockchain and artificial intelligence, are set to transform the fintech landscape, creating new opportunities while also posing compliance challenges.

These changes in the European regulatory environment include the Markets in Crypto-Assets Regulation (MiCA), the Digital Operational Resilience Act (DORA), Payment Services Directive 3 (PSD3), the Financial Data Access (FiDA) Regulation, and the AI Act. A short overview of each follows.

MiCA

Until now, the EU lacked a unified legal framework for the crypto-assets industry. The new regulation establishes common conditions for companies across the EU, addressing gaps in national regulations that cause market fragmentation. This will create an environment conducive to developing a larger EU crypto-assets market and fully utilising the EU's internal advantages.

MiCA aims to foster the growth of the crypto-asset sector in Latvia. It applies to those involved in issuing, offering, trading, or providing services related to crypto-assets. Financial market participants will need a licence from Latvijas Banka, valid throughout the EU.

Alongside these opportunities, MiCA presents significant challenges: companies must comply with the regulation and navigate its comprehensive and complex requirements. This may lead to industry consolidation at EU level, improving the quality of business models and corporate governance. Market participants have to ensure robust cybersecurity measures, data protection practices, customer protection, and financial stability to meet the standards.

Starting from January 2025, Latvijas Banka will be able to issue licences for operations under MiCA. Now is the right time for companies to adapt their business models and operations to align with the new regulatory framework, which may involve substantial changes in organisational structures, management, business processes, and investments, especially in compliance related to money laundering and terrorism financing. To ensure sustainability, companies have to demonstrate strong organisational capabilities and adequate knowledge, skills and expertise to perform their functions.

DORA

DORA is another regulation that will apply to financial institutions starting from 17 January 2025. It aims to harmonise and consolidate regulatory ICT requirements across the EU, enhancing financial institutions' ability to manage ICT risks, mitigate cyber threats, and improve their cybersecurity capabilities.

DORA focuses on four areas: the ICT risk management framework, ICT incident reporting, digital resilience testing, and ICT third-party service provider risk management.

Key challenges in implementing DORA include ensuring compliance with rigorous cybersecurity and operational resilience requirements. Market participants have to allocate adequate resources and invest in technology and skilled personnel to address cyber threats. Readiness for DORA is affected by the lack of IT industry professionals on the market and variations in the maturity of management process capabilities among market participants.

In the financial industry, cybersecurity is crucial, as it safeguards business data and assets. Currently, financial institutions in Latvia are prime targets for cyberattacks, which can result in significant financial losses, reputational damage, and legal liabilities. AI-powered cyberattacks are an emerging threat in the global cybersecurity landscape. Weak cybersecurity can result not only in data breaches, business disruption, and loss of authorisation, but also affect the stability of the entire financial system.

Cloud infrastructure and outsourcing services are widely used in the financial sector. As the banking sector is digitised, its reliance on third-party providers continues to grow. Within the existing regulatory framework, certain IT outsourcing risks are not managed effectively enough. DORA introduces stricter standards, and the European Supervisory Authorities will supervise critical external service providers for the EU under DORA.

AI Act

The European Commission has approved the AI Act to address the risks and opportunities that AI can bring.

The aim of the regulation is to improve the application of AI in the internal EU market and to ensure legal clarity and a solid foundation for the use of human-centred and trustworthy AI. The regulation should also ensure that fundamental rights are protected and that technology is used in a highly secure manner. It not only harmonises the rules for the deployment and use of AI systems in the EU but also defines prohibited applications of AI and lays down specific requirements for high-risk AI systems as well as obligations for the operators of such systems.

PSD3

PSD3 sets out more extensive strong customer authentication rules and stricter rules on access to payment systems and account information.

The aim of the regulation is to protect consumer rights and personal information while improving competition in the payments industry. To enhance the regulatory framework for payment services, the provisions of PSD2 and the E-Money Directive will be merged into PSD3. Under these provisions, e-money institutions will formally cease to exist and will be referred to as payment institutions. Among a range of other services, they will still be able to issue e-money.

FiDA

The FiDA/OpenFinance proposal was drafted to support innovation in the financial services sector and to improve control over EU customer data. It aims to develop open finance by stipulating requirements and creating incentives for data holders to share data in an efficient and standardised way. At the same time, customers would retain control over their data, and their data privacy and safety would be preserved. This should simplify the process of opening financial accounts and promote more personalised financial services based on the shared data, improving overall access to and availability of financial services.

Learn more

The new European regulatory environment and the steps Latvia has taken towards establishing a supportive regulatory framework for the fintech industry are topics covered in a recent interview with Marine Krasovska, conducted by Evita Lune, PhD, Partner, and Global Head of the FinTech Practice at Pedersen & Partners. Read the full interview on the Pedersen & Partners website.

Consultations

In case you have questions about the new regulations and supervisory requirements, please apply for a consultation at the Innovation Hub.

Published: 29.07.2024
