Fintech 2026 Comparisons

A Maturing but Dynamic Ecosystem

The Netherlands continues to be recognised as one of Europe’s leading fintech hubs, with over 850 active fintech companies and a total tech ecosystem valued at more than EUR240 billion. Amsterdam in particular serves as a magnet for both homegrown champions – such as Adyen, Mollie, Bunq and Bird – and international entrants including CurrencyCloud, Lemonade and Airwallex, which each selected the Netherlands as their base in the European Union (EU).

Recent Market Developments

Over the past twelve months, fintech lending has shown notable growth. According to the Dutch Central Bank (De Nederlandsche Bank, DNB), outstanding fintech loans rose from EUR1.8 billion in 2021 to EUR4.4 billion by YE-2024, with the sector’s share of SME financing reaching 2.8%. Embedded finance, regtech and insurtech have continued to expand. Legacy institutions have deepened their engagement with fintech, moving beyond passive investment into developing proprietary solutions and acquiring fintech companies outright.

Key Challenges for 2026

The regulatory landscape will be the most significant driver of change. The Markets in Crypto-Assets Regulation (MiCAR) licensing regime became fully applicable in mid-2025, impacting around 80 previously DNB-registered crypto firms. The Digital Operational Resilience Act (DORA) entered into full application in January 2025, imposing ICT risk management and third-party oversight obligations across the financial sector. The EU AI Act is being phased in, with bans on prohibited AI practices and AI literacy requirements already effective since February 2025, and obligations for high-risk AI systems applicable from August 2026.

Artificial Intelligence in Fintech

AI models are increasingly embedded in Dutch fintech products and services. Common applications include fraud detection and behavioural analytics, AML/KYC automation, credit scoring, robo-advisory and customer service chatbots. Both DNB and the Netherlands Authority for the Financial Markets (Autoriteit Financiële Markten, the AFM) have signalled that AI-specific supervision will be intensified, with the AFM focusing on conduct risks such as digital nudging through apps, and DNB emphasising soundness, accountability, fairness, ethics and transparency (their “SAFEST” principles).

The European Parliament also published a draft report in May 2025 examining AI’s impact on the financial sector. Fintech firms deploying AI should expect growing regulatory expectations around explainability, data quality, AI governance and human oversight.

Digital Payments and Banking

Digital payments remain the largest and most established fintech vertical in the Netherlands. Companies such as Adyen, Mollie and Buckaroo provide payment processing infrastructure for both SMEs and large enterprises. Neobanks like Bunq and Knab offer fully digital banking services, competing directly with incumbents. Mobile wallets and contactless payment solutions have achieved widespread adoption among Dutch consumers.

Lending and Alternative Finance

Fintech lending platforms – including Mogelijk, New10 and Bridgefund – primarily serve SMEs with automated credit assessment processes and faster decision-making than traditional banks. Crowdfunding service providers operate under the EU Crowdfunding Regulation.

Buy-now-pay-later (BNPL) and instalment payment models have also gained significant traction, particularly in the e-commerce space. Their business models will be impacted by the entry into force of the Consumer Credit Directive II (CCD II).

Embedded Finance

Embedded finance is a rapidly growing vertical in which non-financial platforms integrate licensed financial services – such as insurance, credit or payments – into their customer journeys. Insurtech firms leverage AI and data analytics to personalise insurance products and streamline claims processing.

Regtech, Wealth Tech and Crypto-Assets

Regtech solutions (eg, Fourthline or Duna) help financial institutions manage compliance obligations more efficiently, particularly in the areas of AML, transaction monitoring and regulatory reporting. Robo-advisers and digital investment platforms have broadened access to wealth management (eg, Semmie). Crypto-asset service providers, now subject to MiCAR licensing, represent a further distinct vertical.

The Dutch Financial Supervision Act

There is no standalone regulatory regime for fintech in the Netherlands. Instead, fintech firms are regulated based on the type of financial service they provide. The principal legislative framework is the Dutch Financial Supervision Act (Wet op het financieel toezicht, Wft), a comprehensive statute also implementing EU financial services directives and setting national requirements for licensing, governance, conduct and prudential supervision.

Licence Types Relevant to Fintech

Depending on the services offered, fintech firms may require one or more of the following licences or registrations under the Wft:

• banking licence (supervised by DNB or the European Central Bank (ECB) (for significant institutions)) for deposit-taking and lending activities;
• payment institution or electronic money institution licence (DNB) for payment services or e-money issuance;
• investment firm licence (AFM) for investment services under MiFID II;
• alternative investment fund manager licence (AFM) for fund management activities;
• crypto-asset service provider (CASP) licence (AFM) under MiCAR; and
• crowdfunding service provider authorisation (AFM) under the EU Crowdfunding Regulation.

Relevant EU Regulatory Developments

In addition to MiCAR and DORA (discussed above), several forthcoming EU instruments are expected to impact the Dutch fintech sector.

• The revised Payment Services Directive (PSD3) and the Payment Services Regulation (PSR) will revise the framework for payment services.
• The proposed Financial Data Access Regulation (FiDA) aims to broaden data-sharing beyond payment accounts to cover insurance, mortgages and investment data.
• The CCD II must be transposed into Dutch law in 2026.
• The AIFMD II implementation is due by April 2026.

Fee-Based Models

Fintech firms in the Netherlands employ various compensation models, the permissibility of which depends on the regulatory framework applicable to the specific service. Common models include transaction-based fees (per payment or per trade), subscription or tiered pricing for platform access, interest margins on lending products, and management or performance fees for investment services.

Restrictions on Inducements (MiFID II)

For investment services subject to MiFID II, strict rules on inducements apply. Independent investment advisers and portfolio managers are prohibited from receiving or retaining third-party commissions. Where inducements are permitted, they must be designed to enhance the quality of the service and must be clearly disclosed to the client.

Consumer Credit and Insurance Disclosure

For consumer credit products, the Wft and underlying regulations require the provision of pre-contractual information – including the annual percentage rate of charge (APR), total cost of credit and repayment terms – enabling consumers to compare products.

Specific commission and inducement rules apply to insurance intermediaries and managing general agents. For insurance distribution, the applicable disclosure regime requires transparency about the nature and basis of the remuneration received by intermediaries.

General Transparency Obligations

Across all regulated financial services, the overarching duty-of-care provisions in the Wft require that compensation structures do not conflict with the client’s best interests. Firms must ensure that fee structures are transparent, non-misleading and adequately disclosed before the client enters into an agreement.

Regulatory Neutrality as the Starting Point

A fundamental principle of Dutch financial regulation is technological neutrality. The Wft does not distinguish between fintech firms and traditional financial institutions. The same licence requirements, conduct standards and prudential rules apply to any entity providing a particular type of financial service, regardless of whether it is a “fintech” or a more traditional firm. This principle of “same activity, same risk, same rules” means that fintechs operating in a regulated market face substantially the same regulatory obligations as legacy players.

Proportionality in Practice

Where differences arise, they tend to be in the practical application of requirements rather than in the legal framework itself. Prudential requirements – particularly capital adequacy, governance and reporting – are generally applied proportionately, meaning that smaller or less complex firms face lighter operational burdens than systemically important institutions. For example, a payment institution’s own-funds requirements under PSD2 are significantly lower than the capital buffers required of banks under CRR/CRD. A similar proportionality principle applies to rules and expectations governing the operations and set-up of a regulated firm.

Incumbents Face Additional Layers

Incumbents, such as traditional banks (credit institutions) are subject to additional regulatory layers – such as the Single Supervisory Mechanism (with direct ECB oversight for significant institutions), deposit guarantee scheme obligations, resolution planning under the Bank Recovery and Resolution Directive (BRRD), and more extensive governance requirements – that do not apply to most fintech entrants. This effectively means that while the entry-level playing field is formally level, the full regulatory burden on credit institutions is considerably heavier.

The Netherlands does not currently operate a regulatory sandbox that allows the regulator to disapply certain statutory requirements. Instead, DNB, the AFM and the Authority for Consumers & Markets (Autoriteit Consument & Markt, ACM) jointly operate the InnovationHub. This facility serves as a point of contact for innovative firms seeking regulatory guidance and provides early-stage support in navigating the licensing landscape. The InnovationHub, however, does not create regulatory exemptions.

Separately, under the EU AI Act, the Netherlands must establish an AI regulatory sandbox by August 2026, which will provide structured compliance guidance but no regulatory exemptions.

The Netherlands operates a “twin peaks” supervisory model. The AFM supervises market conduct, including transparency, fair treatment of customers and market integrity. DNB supervises prudential soundness (primarily, compliance with capital requirements), financial stability and the integrity of the financial system.

DNB is the primary supervisor of entities subject to capital and liquidity requirements, including banks, insurers, payment institutions and certain crypto-asset issuers. DNB works closely with the ECB in its supervision of banks, where the ECB directly supervises and licenses significant Dutch banks under the Single Supervisory Mechanism. DNB also supervises compliance with the Dutch Anti Money Laundering and Financing of Terrorism Act (Wet ter voorkoming van witwassen en financieren van terrorisme, Wwft) AML/CFT requirements. The AFM is the primary supervisor of investment firms, fund managers, financial service providers and certain crypto-asset service providers. Most larger financial institutions are in regular contact with both regulators.

Under PSD2, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) and the ACM have specific supervisory roles.

At EU level, the European Supervisory Authorities (ESAs) (EBA, ESMA and EIOPA) complement national supervision, promote regulatory convergence and develop technical standards.

DNB and the AFM do not issue “no-action letters”. In practice, however, market participants may seek informal guidance through supervisory engagement or via the InnovationHub. Such guidance may clarify the regulators’ interpretation of applicable rules but does not constitute a legally binding “safe harbour”. Regulators retain full supervisory and enforcement powers, and reliance on informal views does not preclude future action if circumstances change.

Regulated entities may generally outsource activities to, or procure ICT services from, regulated and non-regulated entities, subject to regulatory limitations. For example, regulated entities:

• must ensure their sound and controlled business operations (including maintaining adequate substance);
• may not outsource the responsibility of the management board; and
• must comply with the governance, monitoring and contracting requirements that apply pursuant to the rules on outsourcing and DORA.

A regulated entity remains fully responsible for compliance with financial regulations when outsourcing functions. If the outsourced function constitutes a regulated activity, the vendor must generally hold the relevant authorisation or licence to perform that service, as this requirement applies to whoever carries out the activity. However, for ancillary or operational functions that merely support a regulated activity (eg, IT infrastructure or cloud services), outsourcing to unregulated third parties is permitted, provided there are robust controls in place.

Vendors are typically subject to the following:

• mandatory contractual requirements covering audit rights, data security, business continuity, and termination provisions;
• regulatory notification or approval for material outsourcing arrangements; and
• ongoing oversight obligations imposed on the outsourcing entity.

The concept of “gatekeeper” has particular significance in the Dutch anti-money laundering framework. The Wwft imposes specific obligations on a broad range of institutions, including banks, payment institutions, electronic money institutions, investment firms, insurers and CASPs:

• conducting institutional and client risk assessments;
• performing customer due diligence;
• monitoring transactions on an ongoing basis;
• reporting unusual transactions to the Financial Intelligence Unit (FIU-Netherlands); and
• maintaining adequate records.

Fintech firms that hold a licence under the Wft will typically qualify as Wwft gatekeepers, meaning they bear direct responsibility for identifying and mitigating money laundering and terrorist financing risks arising from activities conducted on or through their platforms. DNB has explicitly stated that CASPs fulfil an important gatekeeper role, as evidenced by enforcement actions against unlicensed parties.

AFM and DNB can take a variety of informal and formal enforcement actions. Serious regulatory violations, including unlicensed activity, money laundering and market abuse may also qualify as criminal offences under the Dutch Economic Offences Act (Wet op de economische delicten).

Informal measures have no statutory basis and typically include compliance briefings and written warnings. Formal administrative sanctions escalate progressively:

• remedial – order subject to periodic penalty payment (last onder dwangsom) or instruction (aanwijzing);
• punitive – administrative fine (bestuurlijke boete); and
• structural –
1. licence restriction or revocation;
2. appointment of a curator;
3. suspension of voting rights; or
4. prohibition on performing functions.

Sanction decisions are generally published, exposing fintechs to significant reputational damage. Individual accountability is increasingly invoked, with de facto directors (feitelijk leidinggevenden) potentially facing fines alongside the infringing entity.

Beyond financial regulation, industry participants face an expanding body of horizontal rules on privacy, cybersecurity, online content and software governance. For firms active on social media or operating user platforms, content moderation and transparency duties under EU digital regulation are increasing. Software development is increasingly affected by product safety, accessibility and AI-related rules, requiring documentation, risk assessments and life cycle governance.

Compared to legacy players, digital-native entrants may be structurally better equipped to comply with data governance and secure-by-design requirements. While core obligations under privacy, cybersecurity and digital regulation formally apply equally to fintech and legacy players, their risk exposure might differ in practice. Fintech firms are typically more exposed to scrutiny due to data-driven models, cloud use and AI deployment.

External auditors play a key review role, both generally in relation to the often mandatory audit of the financial statements, as well as the mandatory audit of regulatory reporting by specific regulated entities, including payment institutions and banks. The Wft also obliges these auditors to notify DNB without delay of any circumstance that breaches prudential requirements or jeopardises the institution’s viability, effectively making external auditors an extension of prudential oversight.

Since January 2025, DORA further requires financial entities to secure contractual audit and inspection rights over their ICT third-party service providers, subjecting critical vendors to regular review.

Industry bodies – including the Holland FinTech Association, the Dutch Payments Association (Betaalvereniging Nederland), the Dutch Banking Association (NVB) and the United Payment Institutions Netherlands (VBIN) – promote best practices and facilitate knowledge-sharing but exercise no binding supervisory or enforcement powers.

It is common practice for fintech firms to offer unregulated services alongside regulated ones. Platforms may combine payment processing or investment services with unregulated activities such as data aggregation, financial planning tools or lead generation and several typical business models involve offering embedded financial services in addition to real-economy product offerings.

A notable trend is embedded insurance, where platforms bundle insurance into non-insurance purchase journeys. The AFM has taken an active interest in this area, publishing a dedicated report on customer protection in embedded insurance and outlining when platforms require an AFM licence. Under the Dutch implementation of the Insurance Distribution Directive (IDD), where insurance is ancillary to a good or service, the customer must be offered the option to purchase without the insurance.

Non-regulated entities offering embedded insurance products frequently use specific exemptions, such as the ancillary insurance intermediary exemption or the tied intermediary model under the Wft.

The Wwft is the primary Dutch Act concerning AML obligations, covering customer due diligence (CDD) and unusual transaction reporting. The Dutch Sanctions Act (Sanctiewet 1977) obliges entities to screen against sanctions lists and freeze matched assets. Regulated fintech companies, including licensed payment institutions, e-money institutions and crypto-asset service providers (CASPs), are directly subject to both Acts. DNB actively enforces compliance and has recently levied multiple fines, including on payment institutions and a neobank for inadequate transaction monitoring.

Unregulated fintechs are not directly subject to the Wwft but face indirect impact. Regulated clients increasingly require AML due diligence from their technology vendors as part of outsourcing obligations under the Wft and DORA.

The AML landscape will shift when the EU AML Package takes effect in July 2027. The Anti-Money Laundering Regulation (AMLR) introduces a directly applicable EU-wide rulebook that will largely replace the Wwft’s substantive provisions, harmonising CDD requirements, suspicious transaction reporting and beneficial ownership obligations across member states.

The Dutch AML/CFT framework closely follows FATF standards. The Wwft is the Dutch implementation of the EU Anti-Money Laundering Directives (most recently AMLD5), which are themselves designed to align with the FATF Recommendations. In its 2022 mutual evaluation, FATF rated the Netherlands as “Compliant” or “Largely Compliant” on all 40 Recommendations and found that the country’s AML/CFT measures are delivering good results overall.

The Dutch framework has several distinctive features. The transaction reporting system is built around “unusual” rather than “suspicious” transactions, with FIU-Netherlands filtering reports into formal suspicious designations. The Sanctions Act 1977 enables the Netherlands to maintain a national terrorism sanctions list and freeze assets domestically, independent of UN or EU listings. In addition, since 1 January 2026, traders in goods may no longer accept cash payments of EUR3,000 or more, well below the EU-wide EUR10,000 limit that will apply under the AMLR from mid-2027.

Dutch legal practice recognises the concept of reverse solicitation, which allows fintech companies duly authorised in another jurisdiction to offer otherwise regulated products and services to clients in the Netherlands without triggering local licensing requirements. The reverse solicitation exception applies if the client has approached the fintech company entirely on its own exclusive initiative. This means that the fintech company or other persons acting on its behalf may not have engaged in any prior solicitation, promotion or marketing in the Netherlands.

Whether the reverse solicitation exception applies must be assessed on a case-by-case basis, regardless of whether the client is a new or existing client. The reverse solicitation exception is interpreted narrowly and is subject to close regulatory scrutiny, taking into consideration all forms of communication, including online advertisements.

Traditional financial instruments (eg, shares, bonds, ETFs and certain security tokens) qualify as financial instruments under the Wft. Robo-advisers offering automated portfolio management or investment advice in these instruments typically require an investment firm licence and must comply with MiFID II as transposed into the Wft (eg, suitability testing, disclosure requirements and product governance).

With effect from 1 July 2024, Dutch financial regulations introduced additional safeguards for automated advice to consumers, requiring financial services providers using automated systems to give advice to:

• designate responsible persons with sufficient expertise;
• conduct pre-deployment analyses;
• periodically verify appropriateness of automated advice; and
• take immediate mitigating measures where deficiencies are identified.

Most cryptocurrencies fall outside the Wft’s scope. Robo-advisers focusing solely on crypto-assets may nonetheless be subject to MiCAR authorisation requirements and applicable Dutch consumer-protection rules.

Dutch banks, insurers and asset managers have broadly responded to robo-advisers through selective integration rather than wholesale replacement of traditional advisory models.

• Hybrid advisory models – Legacy players increasingly combine digital onboarding, automated risk profiling and model portfolios, with access to human advisers for more complex situations.
• White-label or in-house robo solutions – Several legacy players have deployed proprietary robo-advice engines or white-label fintech solutions within existing client portals, retaining governance, compliance and client ownership in-house.
• Cautious regulatory implementation – Compared to fintech start-ups, legacy players tend to implement robo-advice conservatively, often limiting automated models to execution-only or simplified advice propositions. This reflects both liability risk management and heightened supervisory scrutiny, particularly given the AFM’s stated focus on robo-advice as part of its 2023–2026 supervisory strategy.

Under the Wft, best execution rules apply to investment firms executing client orders in financial instruments. Key provisions include the obligations for investment firms to:

• take all reasonable measures to obtain the best possible result for clients, considering:
1. price,
2. costs,
3. speed,
4. likelihood of execution and settlement,
5. size, and
6. nature of the order; and
• establish, implement and regularly review an order execution policy.

In a robo-advisory context:

• algorithms must be designed to execute orders on terms most favourable to clients;
• automated decision-making logic must be properly calibrated, monitored and periodically reviewed; and
• conflicts of interest embedded in algorithms (such as biased venue selection or product preferences) must be identified and mitigated.

Firms should also maintain adequate audit trails to demonstrate compliance.

Under Dutch law, the regulatory treatment of fiat currency loans differs primarily by borrower category. Consumer loans to individuals are heavily regulated under the Wft, implementing EU consumer credit rules. Lenders must comply with strict disclosure obligations, creditworthiness assessments and interest caps, and are subject to AFM conduct supervision. The Consumer Credit Directive II (CCD II) will further tighten these requirements, including rules on AI-based assessments and open banking data.

Fiat currency loans to small businesses and other non-consumers fall largely outside the Dutch consumer protection regimes. Contractual freedom is broader, with fewer mandatory disclosures and no statutory interest cap. Certain SMEs may benefit from limited protections, but overall regulation is considerably lighter than for consumers.

In the Netherlands, online lenders generally follow a broadly similar underwriting process:

• identification and verification (AML/KYC requirements under the Wwft and EU anti-money laundering framework);
• creditworthiness assessment based on income, employment history, bank-account transaction data, and public register checks (eg, BKR);
• risk scoring using internal models (statistical scoring, behavioural data, automated decision-making); and
• affordability checks to assess repayment capacity.

For consumer credit, a meaningful credit assessment is required under the Wft, derived from the CCD. For business loans, no detailed statutory underwriting process applies, though general KYC, AML and prudential obligations remain applicable. Automated underwriting tools are increasingly subject to scrutiny under the EU AI Act and CCD II, particularly where credit scoring systems qualify as high-risk AI applications.

Online lending platforms can source fiat currency funds in various ways, each with distinct regulatory implications.

• Peer-to-peer/crowdfunding – Loan-based crowdfunding platforms are primarily regulated under the EU Crowdfunding Regulation, requiring AFM authorisation as a crowdfunding service provider. Platforms operating outside the scope of this regulation (eg, below applicable thresholds) may still be subject to the Wft as credit intermediaries.
• Taking deposits – Accepting repayable funds from the public constitutes a regulated activity requiring a DNB banking licence, with associated prudential and governance requirements.
• Securitisations – Loans may be financed via the EU Securitisation Regulation, triggering disclosure, risk-retention and investor-protection obligations.

Across all sources, lenders must comply with AML/CFT obligations under the Wwft and the EU anti-money laundering framework, conduct proper credit assessments, and adhere to Dutch consumer credit rules where applicable.

Syndication of online loans occurs in the Netherlands, particularly for larger SME or real-estate loans originated via online platforms.

Process

A lender or platform originates the loan and allocates parts of the exposure to multiple professional or semi-professional investors, either at origination or post-origination. This is typically structured contractually via loan participations rather than transfer of the underlying loan, with the platform acting as arranger and servicer.

Regulatory Framework

Syndications must comply with the Wft. Where loan participations qualify as transferable securities, the EU Prospectus Regulation may apply, subject to relevant exemptions (eg, offers to fewer than 150 persons). The platform may require an AFM licence as credit intermediary or investment firm. Where repayable funds are attracted from the public, banking-licence restrictions under the Wft apply.

Payment processors in the Netherlands are not legally required to use any specific payment rail, but the practical effect of EU regulation is that standard euro credit transfers and direct debits must run on SEPA-compliant infrastructure.

The SEPA Regulation (as amended by the Instant Payments Regulation) mandates participation in the EPC’s SEPA schemes, ISO 20022 compliance, pan-EU reachability, and instant credit transfer capability for all PSPs offering standard transfers. Retail payment system operators must ensure technical interoperability with other EU systems. These requirements collectively foreclose the option of substituting a fully proprietary system for standard euro payment instruments.

PSD2 and the Wft regulate who may provide payment services (requiring a DNB licence) and impose operational and security requirements, but do not prescribe which back-end infrastructure a PSP must use. The forthcoming PSD3/PSR will further open existing rails to non-bank PSPs by granting them access to all EU payment systems on fair terms, including potentially central bank settlement accounts.

The regulatory framework expressly permits innovation – for example, the SEPA Regulation allows some new payment schemes to request for a temporary three-year exemption for certain interoperability requirements. Overlay services built on top of SEPA rails – such as the pan-European Wero wallet origination from the Dutch iDeal – generally fall outside the SEPA Regulation requirements. Blockchain-based or token-based rails are possible but trigger additional requirements under MiCAR.

Cross-border payments and remittances are regulated through EU and Dutch rules. Any entity providing payment services in or from the Netherlands requires a licence from DNB, unless it has passported its licence from another member state. PSD2 extends its transparency and information requirements to “one-leg” transactions where only one payment service provider is located within the EEA.

Within the eurozone, the SEPA Regulation harmonises the technical standards for credit transfers and direct debits, while the Cross-Border Payments Regulation ensures that charges for cross-border euro payments within the EU correspond to those for domestic transactions.

AML/CFT is a primary focus area. Payment service providers are obliged entities under the Wwft and must conduct customer due diligence, monitor transactions and report unusual transactions to FIU-Netherlands. The Transfer of Funds Regulation requires that payer and payee information accompanies all fund transfers and extends this “travel rule” to crypto-asset transfers.

Different types of marketplaces and trading platforms are recognised in the Netherlands. Under MiFID II and its Dutch implementation in the Wft, three types of trading venues are distinguished:

• regulated market;
• multilateral trading facility (MTF); and
• organised trading facility (OTF).

The operation of an MTF or an OTF constitutes an investment activity, for which an investment firm licence is required from the AFM. For the operation of a regulated market, a licence is required from the Dutch Minister of Finance. There is considerable overlap in the regulatory requirements applicable to these trading venues. In addition to the MiFID II trading venues, MiCAR introduces a separate category of trading platforms for crypto-assets, for which a licence is required from the AFM.

The regulatory regime applicable to an asset depends primarily on its classification under EU law, which recognises several types of asset classes. Financial instruments, including transferable securities, money-market instruments and certain options, futures, swaps, forwards and other derivative contracts, are governed by MiFID II. Crypto-assets are governed by MiCAR, which distinguishes between:

• e-money tokens (EMTs);
• asset-referenced tokens (ARTs); and
• crypto-assets other than EMTs or ARTs.

EMTs aim to maintain a stable value by referencing the value of one official currency. ARTs aim to maintain a stable value by referencing another value or right, or a combination thereof, including one or more official currencies, but do not qualify as EMTs. The regulatory regime applicable to ARTs and EMTs is more stringent than the regime applicable to other crypto-assets.

The emergence of cryptocurrency exchanges has been one of the key drivers behind the adoption of MiCAR. Prior to MiCAR, the operation of trading platforms for crypto-assets was largely unregulated, creating risks relating to consumer protection, market integrity and financial crime. To address these risks, MiCAR introduced a licensing requirement for the provision of crypto-asset services, including the operation of trading platforms for crypto-assets. Fully decentralised trading platforms for crypto-assets (ie, without any intermediary) are, however, excluded from the scope of MiCAR.

When securities are admitted to trading on a regulated market or offered to the public, a prospectus must be published in accordance with the Prospectus Regulation. The prospectus must contain all information necessary for investors to make an informed assessment of the issuer’s financial position, the rights attached to the securities and the reasons for the issuance of the securities and its impact on the issuer. The prospectus must be approved by the AFM prior to its publication. Certain exceptions or an exemption to the prospectus requirements may apply. In addition to the Prospectus Regulation, trading venues may impose their own listing standards.

If an ART, EMT or other crypto-asset is offered to the public or admitted to trading, a crypto-asset white paper must be drawn up and published in accordance with MiCAR. Certain exceptions to this requirement may apply. The crypto-asset white paper contains necessary information for (potential) investors to make well-informed investment decisions.

Various order handling rules apply to trading platforms and marketplaces, covering areas such as trading rules, organisational requirements, best execution and transparency. Regulated markets, MTFs and OTFs must, for example, establish transparent rules and procedures to ensure fair and orderly trading, as well as objective criteria for the efficient execution of orders. A similar requirement applies to trading platforms for crypto-assets under MiCAR: a crypto-asset trading platform must set non-discretionary rules and procedures to ensure fair and orderly trading and objective criteria for the efficient execution of orders. In addition to these specific obligations for trading platforms, investment firms and crypto-asset service providers more broadly are subject to other order handling rules, including the best execution requirement.

The rise of peer-to-peer trading platforms has reduced the reliance on (traditional) brokers and other intermediaries. This has put pressure on the traditional players, particularly with respect to their fee structures and profit margins. This has also led to increased competition across the market, including among the fintech players. From a regulatory perspective, the rise of peer-to-peer trading platforms poses various regulatory challenges, notably with respect to AML/CFT, investor protection and cross-border supervision.

Payment for order flow (PFOF) is prohibited in the Netherlands at both the national and EU level. At the national level, investment firms are prohibited from, directly or indirectly, providing or receiving any commission in relation to the provision of an investment service or ancillary service to a retail investor. This means that a Dutch investment firm may not receive payments for executing or forwarding client orders. At the EU level, MiFIR prohibits investment firms acting on behalf of retail clients or opt-in professional clients from receiving any fee, commission or non-monetary benefit from any third party for executing or forwarding client orders to a particular execution venue. Both prohibitions apply concurrently and are subject to certain exceptions.

The Market Abuse Regulation (MAR) establishes a regulatory framework aimed at preserving market integrity and enhancing investor protection and confidence in the financial markets. The MAR sets out rules on insider dealing, unlawful disclosure of inside information, market manipulation and other measures to prevent market abuse. The MAR applies, amongst others, to financial instruments admitted to trading on a regulated market, MTF or OTF.

Similarly, MiCAR aims to ensure the integrity of the crypto-asset markets and confidence therein. To that end, MiCAR also contains rules concerning the unlawful disclosure of inside information, insider dealing and market manipulation in relation to crypto-assets.

High frequency trading (HFT) is regulated as a subset of algorithmic trading under MiFID II, as implemented in the Wft. MiFID II requires investment firms engaged in algorithmic trading to maintain effective systems and risk controls, including pre- and post-trade controls, algorithm testing, annual self-assessments, kill functionality and real-time monitoring.

Proprietary traders using HFT techniques cannot rely on the exemptions otherwise available under MiFID II and must obtain an AFM licence. HFT firms must also notify the AFM and relevant trading venue competent authorities. Trading venues permitting algorithmic trading must ensure system resilience, implement circuit breakers and maintain order-to-trade ratio mechanisms.

The MAR equally applies to HFT, prohibiting manipulative strategies such as spoofing and layering regardless of the technology used.

The regulatory framework does not differentiate between asset classes at the level of the core obligations. However, certain calibrations vary by asset class in practice: tick size regimes apply specifically to equity and equity-like instruments, and ESMA has proposed developing technical standards to set out the maximum order-to-trade ratio, calibrated per asset class.

Dutch law does not provide for a standalone market maker licence or registration. HFT firms trading in a principal capacity must be licensed as investment firms by the AFM under MiFID II, as implemented in the Wft. Under MiFID II, the proprietary trading exemption no longer applies to firms using HFT techniques or acting as market makers. This applies across all asset classes, including derivatives.

Where a licensed investment firm uses algorithmic trading to pursue a market-making strategy, MiFID II imposes additional obligations. The firm must provide liquidity continuously during a specified proportion of the trading venue’s trading hours, enter into a binding written market-making agreement with the venue, and maintain effective systems and controls to ensure compliance.

Dutch and EU regulation distinguishes between proprietary dealers and funds. Proprietary trading firms using HFT must be licensed as investment firms under MiFID II (as implemented in the Wft) and are directly subject to its algorithmic trading requirements.

Fund managers operating under the AIFMD or the UCITS Directive fall outside the scope of MiFID II when performing fund management activities. Where an AIFM is authorised to provide additional MiFID services (such as individual portfolio management), those specific activities are subject to MiFID II. In practice, if a fund’s trades are transmitted to a broker for execution, the algorithmic trading obligations attach to the executing broker rather than the fund manager.

The business models differ in that dealers trade for their own profit from spreads and latency, while fund managers invest pooled third-party capital and are subject to AIFMD governance, delegation and investor protection rules. Both are subject to (distinct) licensing requirements, to the MAR and DORA’s ICT resilience requirements.

Programmers developing trading algorithms are not individually licensed or regulated. Regulatory accountability rests entirely with the investment firm deploying the algorithm. An investment firm must govern the full algorithm life cycle, ensure staff have adequate regulatory knowledge and maintain responsibility for third-party code. Engaging external developers may trigger a regulatory outsourcing framework, requiring due diligence, contractual safeguards and ongoing oversight. The Dutch remuneration rules, including the variable remuneration cap, apply to all individuals working under the responsibility of a Dutch-licensed financial enterprise.

Insurtech participants are increasingly using AI in underwriting for risk assessment, setting premiums and detecting fraud. Insurers use AI for behavioural pricing, determining premiums based on customer behaviour, drawing on new internal and external data sources. Among Dutch insurers, AI is most commonly used for chatbots, targeted online marketing and fraud detection, and most expect usage to increase significantly.

Although underwriting processes are not directly prescribed by regulation, they are substantially shaped by it. AI applications used for risk assessment and premium setting in life and health insurance are classified as high-risk under the EU AI Act. This requires compliance with standards relating to risk management, data quality, human oversight, robustness and transparency. Supervisory objectives and standards apply regardless of the technology used, including AI.

Under the EU AI Act, AI used for setting premiums and assessing risk in life and health insurance is categorised as high risk. This triggers requirements relating to the following:

• risk management;
• data quality;
• technical documentation;
• human oversight;
• robustness; and
• transparency.

Specifically in the insurance sector, AI-based premium personalisation could undermine the principle of solidarity, potentially rendering certain groups uninsurable.

The AFM and DNB have signalled continued supervisory focus on the use of AI in insurance, with particular attention to model risk management, data quality, transparency of decision logic and fair treatment of policyholders. Insurers are expected to map their AI applications and ensure that automated processes remain consistent with the duty-of-care obligations under the Wft.

Whether a regtech provider is subject to regulation depends on the nature of the services it provides. A regtech designation does not, of itself, trigger or exempt a firm from regulatory requirements.

Many regtech providers operate as B2B technology or software servicers that assist regulated firms with compliance obligations and are not themselves subject to financial services regulation. Examples include the following.

• KYC/onboarding software and digital identity tools – software solutions provided to regulated entities without the provider itself performing regulated activities.
• Regulatory reporting tools – software that automates transaction reporting (eg, under MiFID II or EMIR) on behalf of clients, where the regtech provider is not itself transmitting orders or acting as a financial intermediary.
• AML monitoring and transaction screening software – tools that flag suspicious activity for the regulated firm’s own compliance team.
• Risk and compliance software – software enabling financial firms to manage compliance workflows and monitor regulatory developments.

The following regtech activities may trigger a licence requirement.

• Automated investment advice (robo-advisory) – providing automated investment recommendations to end clients constitutes an investment service and requires an investment firm licence under MiFID II as implemented in the Wft.
• Transaction reporting as a delegated service – reporting trades on behalf of clients under MiFID II as an Approved Reporting Mechanism (ARM) requires authorisation.

Finally, regtech providers may indirectly be subject to supervision if they provide outsourced services or other ICT-services to regulated entities.

Provisions typically included in agreements with technology service providers are shaped by hard EU law (primarily DORA), Dutch national regulation (in particular statutory outsourcing restrictions and guidance and “good practices” published by the AFM and DNB) and market practice. Key contractual provisions include the following:

• a clear and complete description of the outsourced or contracted service, including service levels and uptime requirements;
• termination provisions and related transitional services;
• restrictions on subcontracting;
• obligations on the supplier to disclose without delay any incidents or circumstances that may affect the security or continuity of the service;
• audit and inspection rights (also in favour of the regulator);
• cybersecurity, confidentiality and encryption requirements; and
• data protection obligations, including compliance with applicable data processing requirements and restrictions on cross-border data transfers.

Traditional market participants in the Netherlands are actively exploring the integration of blockchain technology into their business models. Several major Dutch banks are developing use cases for blockchain technology within their payment and settlement infrastructure.

• ING, the largest bank in the Netherlands, joined forces with eight other European banks to develop a euro-denominated stablecoin intended for cross-border payments, digital asset settlement and supply chain management. The initiative aims to provide a euro-based alternative to existing stablecoins.
• ABN AMRO, another significant Dutch bank, has obtained a European licence for crypto custody services under MiCAR and has completed its first international Smart Derivative Contract (SDC) transaction in collaboration with another bank.

The principal EU legislative framework applicable to crypto-assets in the Netherlands is MiCAR. MiCAR establishes rules concerning the issuance, offering and trading of crypto-assets and requires national competent authorities to supervise compliance and enforce a licensing regime.

Both the AFM and DNB have indicated that blockchain-based applications are subject to close supervisory attention. DNB is the primary supervisor of EMT and ART issuers, and the AFM is the primary supervisor of CASPs. The AFM and DNB regularly publish updates concerning the MiCAR framework through their websites, including newsletters, regulatory guidance, warnings and Q&A.

Not all blockchain assets are financial instruments. Dutch and EU law classify digital assets based on their economic function rather than the underlying technology. Where a crypto-asset qualifies as a transferable security or other financial instrument under MiFID II, the existing financial regulatory framework applies, including the Prospectus Regulation and MAR.

Crypto-assets that fall outside the scope of MiFID II are governed by MiCAR, which introduces a layered classification. MiCAR defines crypto-assets broadly as any digital representation of value or rights that can be transferred and stored electronically using distributed ledger technology. Within this definition, three categories are distinguished:

• asset-referenced tokens (ARTs), which maintain a stable value by referencing one or more assets such as currencies or commodities;
• electronic money tokens (EMTs), which are pegged to a single official currency; and
• all other crypto-assets that do not fall into either category.

Each classification carries distinct requirements regarding authorisation, reserve obligations, governance and disclosure, supervised in the Netherlands by the AFM and DNB.

Any person offering crypto-assets to the public or seeking admission to trading must publish a white paper and notify the AFM. The white paper must contain information on the offeror, the underlying technology, and the rights and obligations attached to the crypto-asset. The offeror is liable to holders for losses resulting from information in the white paper that is not complete, fair or clear, or that is misleading.

Stricter rules apply to specific token categories. Issuers of ARTs require prior AFM authorisation and must submit detailed documentation, including proof of management expertise, internal governance policies and information on the reserve of assets backing the token. Issuers of EMTs must be authorised as a credit institution or electronic money institution and notify the relevant competent authority of their white paper.

Tokenisation of real-world assets faces specific obstacles under Dutch private law. For example, the transfer of immovable property requires a notarial deed registered with the Land Registry (Kadaster), and the transfer of shares in a Dutch limited liability company requires execution of a deed before a civil-law notary. These formalities cannot currently be replaced by a blockchain transaction, meaning that tokens representing such assets can convey only a contractual claim, not direct legal title.

Crypto-asset trading platforms must be authorised by the AFM as CASPs under MiCAR. The Dutch transitional regime expired on 1 July 2025, after which all CASPs require a MiCAR licence or an EU passport. Platform operators face specific requirements, including crypto-asset admission assessments, a ban on dealing on own account against clients and the implementation of market abuse detection systems.

All forms of intermediated secondary trading in crypto-assets (exchange services, order execution, reception and transmission) fall within MiCAR’s CASP framework. Where tokens qualify as financial instruments, MiFID II and the trading venue regime apply instead. MiCAR introduces its own market abuse provisions covering insider dealing and market manipulation. Genuinely decentralised peer-to-peer trading without an identifiable intermediary falls outside MiCAR’s scope.

MiCAR does not classify staking as a standalone crypto-asset service and does not prohibit it. Direct staking by crypto-asset holders on a proprietary basis is unregulated. However, where staking is offered as a service to clients through an intermediary (staking-as-a-service), the provider typically holds the clients’ crypto-assets or private keys. ESMA has confirmed in its Q&A that this constitutes custody and administration of crypto-assets, which is a regulated CASP service requiring AFM authorisation under MiCAR.

ESMA’s guidance imposes several conditions on CASPs offering staking services. The CASP must obtain explicit client consent before staking their assets. Staking profits must be allocated to the clients whose assets are staked, not retained solely by the CASP. Notably, ESMA states that if staking services are combined with custody services, losses of crypto-assets stemming from the provision of staking services provided to the client, and from the underlying staking activity itself, should be deemed as attributable to the CASP.

The European Commission is mandated under Article 142 of MiCAR to assess the need for dedicated regulation of staking and lending services, indicating that further legislative developments in this area are anticipated.

Crypto lending is explicitly excluded from MiCAR and therefore not regulated under that framework. There is no dedicated Dutch legislation governing these activities. However, depending on the structure of the arrangement, existing regulatory frameworks under the Wft may apply. Consumer lending in crypto-assets may require a licence, accepting repayable funds from the public may trigger a banking licence requirement, and pooling investor funds for crypto lending may qualify as a collective investment scheme under the AIFMD.

The European Commission (EC) is mandated by MiCAR to assess the need for dedicated EU regulation of crypto lending and borrowing. The EBA and ESMA provided an analytical contribution in January 2025. Future EU-level rules in this area may follow.

MiCAR does not cover derivatives whose underlying is a crypto-asset. Where such derivatives qualify as financial instruments under MiFID II, the full MiFID II framework applies, including licensing, conduct-of-business and transparency requirements. The AFM has confirmed that the qualification as a financial instrument does not depend on the derivative’s structure but on its settlement method, noting that a derivative may qualify as a financial instrument if it is settled in cash, ARTs, EMTs or physical delivery.

Crypto contracts for difference (CFDs) are subject to the AFM’s permanent product intervention measures, including a 2:1 leverage cap for retail investors, mandatory risk warnings and margin close-out protection. ESMA has clarified that perpetual futures on crypto-assets are likely to qualify as CFDs and therefore fall within the scope of these restrictions.

MiCAR does not regulate DeFi as a distinct category. The recitals to MiCAR provide that fully decentralised crypto-asset services without any intermediary fall outside MiCAR’s scope, but this exemption is narrowly framed and its boundaries remain unclear. Where an identifiable entity controls or facilitates a service, including through front-end interfaces, governance structures or wallets, MiCAR applies regardless of the protocol’s technical architecture. The EBA and ESMA have observed that full decentralisation is rare in practice.

Critically, MiFID II does not contain a decentralisation exemption. DeFi protocols facilitating trading in crypto-assets that qualify as financial instruments are subject to MiFID II irrespective of their technological design. In the Netherlands, the AFM assesses the actual degree of intermediation on a case-by-case basis.

The EC is mandated under Article 142 of MiCAR to assess whether dedicated regulation of decentralised systems is needed. Further legislative developments in this area may follow.

Funds investing in crypto-assets typically qualify as alternative investment funds (AIFs) under the AIFMD. Their managers must be either licensed by the AFM (full AIFMD regime) or registered under the light regime for sub-threshold managers. Licensed AIFMs are subject to comprehensive requirements covering governance, delegation, risk management, depositary obligations and investor disclosure. Light AIFMs face lighter obligations but cannot passport across the EEA. UCITS are generally unable to invest directly in crypto-assets under the eligible asset rules. Indirect exposure – for example, through listed crypto exchange-traded products (ETPs) – may be permissible within the applicable investment restrictions.

The regulatory treatment of the transactions by fund managers depends on the classification of the underlying assets. If crypto-assets qualify as financial instruments, MiFID II applies to the fund’s service providers and if the assets are in scope of MiCAR, the custody provider may require CASP authorisation.

The revised AIFMD II, applicable from April 2026, will introduce new rules on loan origination and liquidity management that may be relevant for crypto-focused fund strategies.

The term “virtual currency” was defined in the Wwft, implementing AMLD5, as a digital representation of value not issued by a central bank, not attached to legal currency, but accepted as a means of exchange and transferable electronically. This was a narrow AML-focused classification.

MiCAR has introduced the broader concept of “crypto-asset”, defined as any digital representation of value or rights that can be transferred and stored electronically using distributed ledger technology. This encompasses ARTs, EMTs and all other crypto-assets. Unlike the Wwft definition, MiCAR provides a comprehensive regulatory framework covering issuance, white paper obligations, governance, conduct-of-business and market abuse. The Dutch Wwft registration regime for virtual currency service providers has been superseded by MiCAR’s CASP licensing regime as of 1 July 2025.

Genuinely unique and non-fungible tokens are excluded from MiCAR and are not subject to specific crypto-asset regulation in the Netherlands. Platforms facilitating trading in such NFTs do not require CASP authorisation from the AFM for those transactions.

The exclusion requires a substantive , case-by-case assessment. Following ESMA guidance, the AFM evaluates uniqueness based on intrinsic characteristics, utility and attached rights rather than technical identifiers. NFTs issued in large series or as collections are treated as an indicator of fungibility, and fractional parts of an NFT are not automatically considered unique. Where tokens are functionally substitutable, MiCAR applies in full.

Separately, an NFT that meets the criteria of a financial instrument under MiFID II is subject to the existing financial regulatory framework, including the Prospectus Regulation and MAR, irrespective of any MiCAR exemption.

MiCAR does not use the term “stablecoin” but captures these instruments through two categories. EMTs reference a single official currency and may only be issued by credit institutions or electronic money institutions. ARTs reference multiple assets or rights and require dedicated authorisation from DNB, unless the issuer is already a licensed credit institution. Both categories require a white paper.

Reserve requirements differ by category. ART issuers must maintain a reserve of assets backing the tokens, invested in highly liquid, low-risk instruments and held in segregated custody. EMT issuers must deposit at least 30% of received funds in segregated credit institution accounts. Holders of ARTs have a right of redemption at market value, and EMT holders may redeem at par at any time. Issuers of ARTs and EMTs are prohibited from granting interest to holders.

DNB supervises Dutch-licensed ART and EMT issuers. Where a token is classified as “significant” by the EBA in accordance with MiCAR, the EBA acts as the primary supervisor and stricter requirements apply (eg, in relation to own funds and liquidity).

In line with PSD2, Dutch financial supervision law supports open banking. PSD2 was implemented with some delay in the Netherlands, in particular because of concerns around data protection and the conflicting priorities of PSD2 and GDPR. Now, PSD2’s access to account (XS2A) rule is among the more powerful enablers. The fair and collaborative supervisory framework in the Netherlands also helps.

Data privacy and data security compliance remain significant challenges in the Netherlands. Banks and other financial institutions continue to invest heavily in cybersecurity. Since DORA became fully applicable in January 2025, covered firms have reached the active compliance stage, including the enforcement of contractual arrangements with ICT third-party service providers. Firms have also strengthened board-level expertise, also in view of the board-level accountability requirements and expectations under relevant financial supervision laws (including DORA).

A further complexity arises from the fact that GDPR compliance and PSD2 compliance fall under different supervisory authorities (the AP and DNB, respectively). Firms accordingly face scrutiny from both regulators simultaneously. The regulators have entered into a co-operation protocol governing their joint oversight of personal data processing obligations arising under PSD2 and the GDPR.

There is no dedicated financial services fraud offence in the Netherlands. Fintech-related fraud is prosecuted under the general provisions of the Dutch Criminal Code (Wetboek van Strafrecht), principally the offences of fraud, forgery, embezzlement, computer intrusion, and identity fraud. Fraud requires that the perpetrator induces another person to surrender property, provide services or make data available through false pretences, with the intent to obtain an unlawful benefit.

Common fintech fraud patterns in the Netherlands include:

• push-payment scams;
• phishing and spoofing;
• account takeovers;
• marketplace and invoice fraud; and
• the use of money-mule networks for money laundering.

In parallel, the AFM enforces the market abuse regime under the MAR for financial instruments and, since MiCAR’s application, the equivalent market abuse provisions for crypto-assets under MiCAR. Administrative fines of up to EUR20 million or 15% of annual turnover (whichever is higher) may be imposed. Many Wft violations also constitute economic offences under the Economic Offences Act (Wet op de economische delicten), enabling criminal prosecution alongside or instead of administrative enforcement for breaches of financial regulations.

The AFM and DNB focus their supervisory attention on fraud typologies that directly affect customers. Priority areas include authorised push-payment fraud (including bank helpdesk impersonation and invoice scams), phishing and spoofing, and online account takeover. DNB monitors compliance with the strong customer authentication (SCA) requirements under PSD2 and the application of SCA exemptions. Both regulators expect effective transaction monitoring and disruption of money-mule networks. Cross-border co-operation between banks, fintechs and law enforcement features prominently, given that fraud networks operate internationally and move rapidly between channels.

A fintech provider’s liability for customer losses depends on the type of service provided and the applicable regulatory framework. For payment services, Dutch law implementing PSD2 (Book 7, Title 7B of the Dutch Civil Code (Burgerlijk Wetboek)) distinguishes between unauthorised and authorised transactions. For unauthorised payments, the PSP must in principle refund the customer promptly, subject to timely notification (generally within 13 months). The PSP bears the evidentiary burden of proof to demonstrate proper authentication, correct recording and the absence of technical failure. The PSP may refuse reimbursement where losses result from the customer’s fraud or gross negligence in safeguarding security credentials.

The proposed PSR will introduce two new PSP liability triggers: (i) where authorised push-payment fraud involves impersonation of the PSP, provided the customer reports the fraud to the police and notifies the PSP, and (ii) where the PSP fails to properly implement fraud prevention mechanisms, including payee name and IBAN verification for all transfers.

For crypto-asset services, CASPs are liable under MiCAR for any loss of crypto-assets attributable to them, including losses from custody and staking.

The Wft imposes a general duty of care requiring financial service providers to act in clients’ best interests. A breach of this duty of care may give rise to civil liability under Dutch law. Customer disputes may also be submitted to the Financial Services Complaints Institute (Klachteninstituut Financiële Dienstverlening, Kifid).