Fintech 2026 Comparisons

Last Updated March 31, 2026

Contributed By Motika i partneri

Law and Practice

Authors



Motika i partneri is a full-service commercial law firm based in Belgrade, Serbia, providing comprehensive legal support with a particular focus on IT, technology, fintech, and digital assets. The firm advises domestic and international clients on corporate and commercial law, finance, M&A, banking, competition/antitrust, intellectual property, regulatory compliance, and dispute resolution. The firm is recognised for delivering end-to-end legal solutions to technology-driven businesses, including software licensing, technology transfer, blockchain and digital-asset structuring, IT contracts, commercial agreements, and regulatory compliance. Its team combines sector expertise with a practical understanding of innovative business models and fast-evolving markets. Motika i partneri also contributes to thought leadership in legal and technological innovation, with partners and associates publishing articles and guides on fintech, blockchain, IT law, and digital-asset regulation, including comparative analyses with EU frameworks.

The digital assets sector – regulated under the Digital Assets Act since 2020 – has developed gradually, slowly aligning not only with regulatory requirements but also with the discretionary expectations of other market participants, including banks. Resistance from legacy players, who are legally prohibited from engaging in digital asset activities or holding such assets, coupled with limited market knowledge, persisted until 2025. However, these barriers weakened over the course of that year, allowing digital assets and related services to gain a more stable foothold in the Serbian market.

Amendments to payments legislation have also paved the way for the expansion of open banking, which is expected to grow significantly in 2026. Further, Serbia’s accession to the Single Euro Payments Area (SEPA) in 2025 marked a major milestone. Payment service providers are anticipated to become fully operational by mid‑2026, supporting broader financial‑market development through more efficient payment flows.

Throughout 2025, both legacy financial institutions and other market participants introduced various AI‑driven solutions aimed at automating internal processes. This trend is expected to continue into 2026, in line with developments not only in Serbia but also within the global financial sector.

Payment services are among the most developed segments of the fintech sector. Existing solutions include mobile banking, instant and cashless payments, QR‑code payments, and online payments supported by payment processors and e‑commerce integrations.

Blockchain and Web3 technologies are primarily used in the digital assets space. Serbia has introduced a regulatory framework for digital assets, under which token issuances can be carried out with approval from the competent authorities. Additionally, services related to digital assets are offered by licensed service providers operating as legal entities.

Another major area of development is the application of artificial intelligence (AI). Among current market participants – especially banks and insurance companies – AI is used in automated customer support systems (such as chatbots and virtual assistants), for processing client requests, and for detecting fraud and suspicious transactions. These solutions aim to optimise internal processes, reduce operational costs, and strengthen risk management.

Across legacy market participants, the dominant trend is the digitalisation of retail financial services. Key developments include online account opening for domestic clients, digital submission of loan applications, and the ability to conclude insurance contracts through electronic channels.

Technical and market solutions related to the open banking concept are also progressing, supported by gradual alignment with regulatory requirements and the infrastructure of banks. Crowdfunding platforms are present in the market as well, though their reach remains limited due to regulatory and foreign‑exchange constraints. The receivables‑financing segment is likewise developing, with digital factoring models and invoice‑financing platforms emerging – particularly targeting small and medium‑sized enterprises and their liquidity‑management needs.

Serbia is not a member of the EU, and EU law does not apply directly. However, the country’s key financial regulatory framework is largely aligned in practice with the PSD2 and EMD2 Directives.

The fintech sector is regulated through several statutes, with the applicable regime depending on the legal qualification of each specific service. The primary supervisory authorities overseeing most fintech verticals are the National Bank of Serbia (NBS) and the Securities Commission.

In the area of payment services, the Law on Payment Services applies and is aligned with PSD2. Payment services – including open banking – may be provided only by entities licensed by the NBS, specifically banks, payment institutions, and electronic money institutions. Payment processors may operate under the technical service provider exemption, provided that they do not hold or control client funds at any point.

Digital lending models (including online banking) fall under the general rules on lending and consumer protection. These services may be offered exclusively by banks in accordance with the Banking Act. When loans are provided to individuals or sole traders, additional consumer protection rules also apply.

Serbia does not yet have a dedicated regulatory regime for peer‑to‑peer or crowdfunding lending. This leaves some scope for alternative legal structuring but also creates a degree of regulatory uncertainty.

Investment and trading platforms dealing with financial instruments fall under the Capital Markets Act, which is largely aligned with MiFID II principles. Such platforms require authorisation from the Securities Commission unless they operate through already‑licensed intermediaries.

The Digital Assets Act establishes a national regulatory framework for token issuers and digital asset service providers. This framework is domestic in nature and is not yet aligned with the EU’s MiCA Regulation.

In the insurtech sector, the digital distribution of insurance products is governed by the Insurance Act. These activities require authorisation for insurance agency or brokerage services and fall under the supervision of the National Bank of Serbia.

Alongside sector‑specific regulation, most fintech business models must also comply with horizontal regulatory requirements, particularly those relating to anti‑money laundering and counter‑terrorist financing, as well as consumer protection.

In Serbia, fintech fee structures depend on the specific type of financial service being provided. There is no standalone “fintech” charging regime; instead, fee models and transparency obligations follow the sector‑specific rules applicable to each regulated activity, particularly those relating to payment services, consumer lending, investment services, and digital assets.

In the payment services and electronic money sectors, providers may charge transaction fees, account maintenance fees, and fees for the issuance and use of payment instruments. All fees must be clearly outlined in the framework agreement and accompanying fee schedule, disclosed to users before a contract is concluded, and any changes must be communicated in advance.

Digital lending fees may include interest, processing fees, administrative charges, and default interest. Recent amendments to the consumer protection framework have introduced interest‑rate caps, limits on early‑repayment fees, and prohibitions on certain types of charges. Lenders must comply with strict transparency requirements, including disclosure of the total cost of credit, clear presentation of the annual percentage rate of charge (APR), and the provision of standardised pre‑contractual information.

Investment firms may charge execution, portfolio management, custody, and advisory fees. Regulation requires full ex‑ante transparency, aggregated disclosure of all costs and charges, and prohibits hidden or opaque fee structures.

Digital asset service providers typically charge commissions and transfer fees, subject to a statutory obligation to disclose the full fee schedule before establishing a business relationship. Providers are expressly prohibited from charging fees by deducting them directly from digital assets held on behalf of users.

Regardless of the specific fee model, general consumer‑protection principles require all charges to be clear, accurate, and non‑misleading, with hidden costs strictly prohibited. Compliance oversight primarily rests with the National Bank of Serbia, while the Securities Commission supervises investment‑services activities.

Serbia does not have a standalone regulatory regime dedicated specifically to fintech companies. Instead, regulatory requirements depend on the nature of the activities performed. Banks are subject to comprehensive prudential, governance, and risk‑management obligations, while fintech companies generally operate under more limited and specialised licensing regimes, such as those applicable to payment institutions, electronic money institutions, and digital asset service providers.

When banks rely on fintech providers for technological or operational services, these arrangements are treated as outsourcing. In such cases, the bank remains fully responsible for compliance and risk management, under the supervision of the National Bank of Serbia.

A framework for testing innovative solutions exists solely in the payments sector, pursuant to the Payment Services Act. Under this legislation, the National Bank of Serbia has discretionary authority, on a case‑by‑case basis, to approve temporary exemptions from the application of certain statutory provisions. These exemptions may include waiving the requirement to obtain a licence for the provision of payment services, for the purpose of testing innovative payment services in a controlled environment.

For such an exemption to apply, the service must contain an element of innovation – meaning it represents a new or significantly enhanced payment service compared to existing market solutions. The application of this exemption is subject to obtaining the prior opinion of the NBS, as well as granting the NBS access to and oversight of the testing process.

The National Bank of Serbia and the Securities and Exchange Commission are the competent authorities with shared oversight of the capital markets, financial services, investment funds, and digital assets. Their respective jurisdictions and scopes of authority are determined by the Law on the National Bank of Serbia and the Capital Markets Act, which comprehensively define and allocate the responsibilities and powers of each supervisory authority.

The regulatory framework of the Republic of Serbia does not recognise the concept of no-action letters.

Banks may, by contract, delegate the provision of payment services to agents that are licensed payment institutions. They may also outsource cash‑flow management activities to bank agents licensed by the National Bank of Serbia. Any outsourcing arrangement is subject to prior notification to the National Bank of Serbia. In all cases, the bank must ensure full and unrestricted supervisory access for the regulator and remains fully responsible to the regulator.

In the payment services and electronic money sector, payment institutions and electronic money institutions are prohibited from outsourcing the regulated activities for which they are licensed.

Digital asset service providers may not outsource regulated functions. They may outsource only limited operational tasks, subject to prior notification to the competent authority and provided that such arrangements do not undermine internal controls or the financial stability of the provider. The vendor must also enable direct supervision and ensure access to documentation by the competent authority.

UCITS management companies and AIFMs may delegate portfolio management and risk management, subject to the prior approval of the Securities Commission and only to entities holding the relevant regulatory authorisation.

In Serbia, fintech service providers may be considered “gatekeepers” to a certain extent; however, the extent of their responsibility depends on the legal classification of the services they provide.

Providers of regulated financial services – such as payment institutions, electronic money issuers, investment firms, and digital asset service providers – are subject to anti‑money laundering and counter‑terrorist financing obligations. These include KYC procedures, transaction monitoring, application of a risk‑based approach, and reporting of suspicious activities. They must also ensure system security, implement fraud‑prevention measures, and address unauthorised transactions.

Investment and crypto platforms have additional duties, including the implementation of market‑surveillance mechanisms designed to prevent market manipulation and other forms of market abuse.

By contrast, fintech companies that provide purely technical or support services, without holding client funds or offering regulated financial services, are not considered financial “gatekeepers”. Their responsibility is primarily governed by general contractual principles and data‑protection regulations.

National supervisory authorities are responsible for ensuring regulatory compliance within the fintech sector. Their oversight helps safeguard market integrity, maintain financial stability, and protect users of financial services.

Regulators have a range of enforcement measures at their disposal, including orders to remedy breaches, recommendations, warnings, and administrative fines. In cases of serious or repeated violations, the most severe sanction available is the revocation of a licence. Regulators may also initiate misdemeanour proceedings when appropriate.

In certain circumstances, regulatory bodies are required to publicly disclose information about sanctioned entities and the penalties imposed on them.

Additionally, significant fines may be levied against entities that provide regulated services without first obtaining the required licence from the competent authority.

Privacy

All entities that process personal data – whether fintech companies or traditional financial institutions – must comply with the Personal Data Protection Act. This applies regardless of whether the entity acts as a data controller or a data processor.

Cybersecurity

Cybersecurity obligations are primarily regulated by the Information Security Act. Fintech companies may be classified as operators of ICT systems of special importance, particularly when they operate in regulated markets, provide digital asset services, or manage ICT systems for financial institutions. Such operators must comply with extensive requirements concerning security measures, incident management, audits, and outsourcing. Importantly, they remain fully responsible for the overall security of their systems. For financial institutions, especially banks, oversight is carried out by the National Bank of Serbia.

Social Media Content and Software Development

Business use of social media is subject to general advertising and consumer protection rules, with additional sector‑specific restrictions for communications related to regulated financial services. Software is protected under copyright law; however, for regulated financial entities, software development and implementation must also meet additional ICT risk‑management, security, and outsourcing requirements.

As a matter of law, certain categories of regulated fintech entities are required to undergo mandatory external audits of their financial statements, which must be conducted by licensed audit firms. This requirement applies in particular to payment institutions, electronic money institutions, investment firms, and digital asset service providers. As part of these audits, auditors review both the financial statements and the internal controls related to financial reporting, and they are obligated to promptly notify the regulator of any fact that may constitute a serious breach of law.

In addition to oversight by regulators and auditors, fintech activities may also fall under the supervision of other competent authorities, such as tax authorities and personal data protection authorities.

Banks, international card schemes, and other financial partners also carry out thorough due‑diligence procedures before entering into business relationships with fintech companies.

Furthermore, professional and industry associations contribute to the development of the sector by promoting best practices, standards, and recommendations.

The combination of regulated and unregulated products and services within a single business model depends on the type of financial activity involved.

The regulatory framework permits the existence of hybrid payment institutions and hybrid electronic money institutions, provided they comply with mandatory accounting segregation of activities and safeguarding requirements for client funds.

Digital asset service providers may conduct only those additional activities that are directly related to the provision of digital asset services.

Banks are subject to the principle of exclusivity of activities. Under this principle, they may offer only those services expressly prescribed by law, along with activities directly related to those services. Any other services must be provided solely through affiliated entities and require regulatory approval.

Anti‑money laundering and counter‑terrorist financing (AML/CFT) legislation, as well as international sanctions regimes, have a significant impact on the fintech sector in Serbia. Entities that provide regulated financial services – including payment institutions, electronic money institutions, investment firms, and digital asset service providers – qualify as obliged entities under AML/CFT regulations. As such, they are required to apply customer due diligence and verification measures, conduct risk assessments, monitor transactions, and report suspicious activities. These entities must also assess technological risks and carry out a risk assessment prior to introducing any new technology or business practice. In addition, international sanctions regimes require screening of clients and transactions against relevant sanctions lists and impose restrictions on cross‑border business relationships.

Unregulated entities are subject to general prohibitions on unlawful activities and may have ad hoc reporting obligations if suspicious behaviour is identified. International sanctions regimes apply equally to unregulated entities, as all persons are required to assess their counterparties and ensure they do not engage with individuals or entities listed under applicable international sanctions or terrorism lists.

Although Serbia is not a member of the European Union, its AML/CFT framework is aligned with the relevant EU directives, which themselves are based on the FATF standards. The national regime operates on a risk‑based approach and includes core elements such as customer due diligence, ongoing monitoring of business relationships, and the reporting of suspicious transactions, all consistent with key FATF recommendations.

Digital asset-related services in Serbia may be provided exclusively by legal entities established in Serbia that hold the required licence for such services. The National Bank of Serbia and the Securities and Exchange Commission oversee this market with the aim of preventing the provision of services by entities that are not duly licensed.

However, in cases involving reverse solicitation – where a Serbian resident, acting on their own initiative, approaches a foreign service provider that has not offered or promoted its services in a way that could be considered as directly or specifically targeting the Serbian market – such activity is not expressly regulated under Serbian law and is therefore not explicitly prohibited.

Although robo‑advisory services themselves are not expressly regulated under Serbian law, the regulation of advisory services depends on the type of asset involved.

Digital tokens – including security tokens and cryptocurrencies – fall within the broader category of digital assets (as further explained in 10.3 Classification of Blockchain Assets) and are regulated by the Law on Digital Assets. Under this law, advisory services relating to digital assets may be provided by entities whose sole activity is offering advisory services, without the need to obtain a specific licence. However, such entities must clearly inform clients that they operate without supervisory approval. Advisory services may also be provided by licensed digital asset service providers – such as exchanges, custodians, or brokers – provided they hold the appropriate licence for the relevant services. To prevent conflicts of interest, the Law on Digital Assets explicitly prohibits operators of digital asset trading platforms from providing investment advice.

By contrast, advisory services relating to financial instruments are subject to a licensing regime and may only be offered by entities duly authorised by the Securities Commission under the capital markets regulatory framework.

Legacy players in Serbia, including banks and other financial institutions, have begun implementing robo‑adviser solutions to enhance client support and improve the efficiency of their existing services. When a legacy player provides services related to trading in financial instruments, such activities are classified as investment advice, which is strictly regulated under the Capital Market Law and requires prior authorisation from the Securities and Exchange Commission.

Any implementation of automated solutions within the scope of investment advisory services must comply with all applicable regulations. This includes, among other obligations, acting in the best interests of the client, conducting suitability assessments, and ensuring effective management and prevention of conflicts of interest.

Regarding digital assets, banks are prohibited under the Digital Assets Act from providing any services other than the custody of cryptographic keys. Consequently, any form of advisory service related to digital assets – whether automated or non‑automated – is not permitted for legacy players.

The provision of services relating to financial instruments must comply with the requirements set out in the Capital Markets Act, including best execution obligations aligned with MiFID II. Under these rules, investment firms are required to take all sufficient steps to obtain the best possible result for their clients, taking into account factors such as price, costs, speed, likelihood of execution, and settlement.

By contrast, the Law on Digital Assets does not impose formal best execution obligations on advisers providing digital asset advisory services. However, where such services are offered to natural persons in a business‑to‑consumer context, the relevant consumer protection rules apply. In addition, advisers that provide other licensed digital asset services must comply with certain general standards. These include:

  • acting fairly, honestly, and professionally;
  • prioritising clients’ interests;
  • providing accurate and transparent information; and
  • executing orders without undue delay.

Online lending in Serbia is limited exclusively to banks and is treated as a regulated financial activity that requires licensing and supervision by the National Bank of Serbia. Electronic money institutions and payment institutions may extend only limited short‑term credit directly linked to payment services (eg, authorised overdrafts), but they are not permitted to offer standard cash loans. NBS regulation enables fully online lending – including remote, video‑based client identification – for both new and existing bank customers.

The regulatory framework for fiat loans varies depending on the status of the borrower. Loans issued to individuals, farmers, and entrepreneurs are subject to the most stringent rules. These include comprehensive pre‑contractual disclosure requirements, transparency obligations regarding interest rates, rights related to early repayment, and enhanced NBS supervisory oversight. Lending to legal entities is also regulated, but the requirements are less formalised and do not include consumer‑specific protections.

Foreign loans are subject to particularly strict rules. The Foreign Exchange Operations Act and accompanying NBS regulations impose additional obligations whenever either the lender or borrower is a non‑resident. In all such cases, resident parties must report transactions to the NBS, with even stricter requirements applying when a domestic bank lends to non‑residents, especially those outside the EU. Due to the NBS’s focus on safeguarding financial stability and the monetary system, online lending procedures cannot be used for foreign loan transactions.

Regardless of borrower type, all lending and loan intermediation activities are subject to AML and CFT obligations.

In the Republic of Serbia, underwriting processes – used to assess creditworthiness and risk – vary depending on the borrower category, regardless of whether the loan is granted online.

For bank lending, underwriting is largely shaped by regulatory requirements and internal bank policies derived from National Bank of Serbia regulations. Before approving a loan, banks must evaluate the client’s creditworthiness, which includes analysing income, indebtedness, repayment history, and the risks associated with both the transaction and any collateral.

For loans to individuals, particular attention is given to the borrower’s ability to meet obligations throughout the entire loan period, in line with responsible lending rules. These processes are supervised by the NBS and must be fully documented and consistently applied.

For loans to entrepreneurs and legal entities, underwriting involves financial analysis of the business, assessment of cash flow, creditworthiness, indebtedness, and evaluation of business and sector-specific risks. While these processes fall under general risk management requirements, banks have greater discretion in defining their methodology compared to the more strictly regulated consumer lending segment.

Banks, as the sole online lenders operating in the Republic of Serbia, may use various sources of funding to issue loans in fiat currency. These sources include deposits, their own capital, bond issuance, interbank loans, and foreign borrowing. All such activities are strictly regulated by the National Bank of Serbia to ensure the stability of the financial system.

Syndication of fiat‑currency loans in Serbia is primarily regulated by the Foreign Exchange Operations Act as well as the broader banking regulatory framework. Syndicated loans are extended by a group of lenders – typically used for large corporate, infrastructure, or project‑finance transactions – and may include domestic banks participating in international lending syndicates.

These loans are executed through contractual arrangements co-ordinated by an arranging bank or agent, while all participating banks remain fully responsible for their respective portions of the loan. Each lender is required to conduct its own independent credit risk assessment.

The regulatory framework also imposes exposure limits, stipulating that a single bank’s exposure to one borrower, or a group of connected borrowers, may not exceed 25% of its capital. This requirement ensures that risk is appropriately shared among multiple lenders.

Syndicated loans in Serbia are not conducted through online lending platforms.

In Serbia, payment processors do not operate their own payment “rails” as a matter of law. Instead, they rely on existing, regulated payment infrastructure operated by licensed financial institutions or authorised payment system operators.

Under the Law on Payment Services, entities commonly referred to as “payment processors” generally fall within the category of technical service providers. Their activities – such as data processing and storage, authentication of data and users, provision of IT and communication services, and the supply and maintenance of devices and terminals used for payment and similar services – are expressly excluded from the definition of payment services, provided that these entities do not at any point hold, control, or otherwise dispose of users’ funds.

As a result, payment processors must rely on existing payment rails, including bank‑operated payment systems, international card schemes (such as Visa and Mastercard), and the infrastructure of licensed electronic money institutions. They may not independently establish or operate new payment rails unless they obtain authorisation from the National Bank of Serbia to provide payment services or to operate a payment system.

Cross‑border payments and remittances in Serbia are regulated through a combination of foreign exchange regulations, the Payment Services Act, and AML/CFT requirements. These frameworks are supervised primarily by the National Bank of Serbia, along with other competent authorities. Only authorised institutions licensed by the NBS may provide cross‑border payment services and remittances.

Cross‑border payments and fund transfers must comply with applicable rules on payment transactions, which include reporting obligations, permitted transaction purposes, and other regulatory requirements. Providers are also required to conduct client identification and verification, perform transaction monitoring, carry out risk assessments, report suspicious transactions, and apply enhanced measures for high‑risk jurisdictions and clients.

The regulatory framework applies mainly to licensed payment service providers, such as banks, payment institutions, and electronic money institutions. Payment processors, acting as technical service providers, fall under indirect regulation to the extent that they support or process cross‑border transactions.

Payment processors may participate in cross‑border payments solely as technical service providers – such as by offering data processing or IT infrastructure – provided they do not hold or control client funds. Their AML/CFT and compliance obligations are enforced indirectly through contractual arrangements with the licensed institutions that rely on their infrastructure.

Under the Serbian Capital Markets Act, trading in financial instruments (excluding cryptocurrencies and other digital assets) may take place on three types of marketplaces licensed by the Securities Commission.

  • Regulated Market – operated by a licensed stock exchange. In Serbia, there is only one regulated market, the Belgrade Stock Exchange (BELEX).
  • Multilateral Trading Facility (MTF) – an alternative multilateral trading venue operated by a stock exchange or a licensed investment firm. In Serbia, the only such venue is BELEX MTF.
  • Organised Trading Facility (OTF) – also operated by a stock exchange or a licensed investment firm. In practice, OTFs are not yet operational in Serbia.

These three types of marketplaces are primarily distinguished by their execution models, access regimes, and the scope of transparency obligations imposed on issuers and operators.

  • Execution model – Regulated Markets and MTFs must operate on a strictly non‑discretionary basis, meaning that orders must be matched automatically in accordance with predefined, objective rules, without any intervention by the operator. By contrast, OTFs operate on a discretionary basis, allowing the operator to decide whether and how orders will be matched.
  • Access – access to Regulated Markets is subject to strict, legally prescribed membership criteria. MTFs and OTFs, however, have the discretion to set their own access rules.
  • Conflicts of interest and trading by the operator – on Regulated Markets and MTFs, the operator is prohibited from proprietary trading or acting as a counterparty to client transactions, including matched‑principal trading, in order to prevent conflicts of interest. OTFs, however, may engage in matched‑principal trading with client consent and, in certain limited cases involving illiquid sovereign debt, may also trade on their own account.
  • Transparency – Regulated Markets impose the most stringent transparency and disclosure obligations on issuers, including the requirement to publish an approved prospectus and provide periodic and ad hoc disclosures under statutory rules. Disclosure obligations on issuers whose instruments are traded on MTFs and OTFs are significantly lighter and are largely defined by the internal rules of the respective platform operator.

In Serbia, a licence from the competent authority is also required for the operation of a digital asset trading and exchange platform. The National Bank of Serbia licenses and supervises platforms that trade in cryptocurrencies, while the Securities Commission licenses and supervises platforms that trade in digital tokens. The platform operator may provide all digital‑asset‑related services except portfolio management and investment advisory services. Although one digital asset trading platform has been established in Serbia, it is not yet operational.

Crowdfunding in Serbia is not governed by a single comprehensive law. Instead, its legal treatment depends on the underlying financing model and is generally subject to contract law. In practice, lending‑based crowdinvesting, as well as reward‑based and donation‑based models, are used. Although these models allow investors to finance projects, existing crowdfunding platforms in Serbia do not provide for secondary trading of the acquired rights or claims. As a result, crowdfunding in Serbia functions primarily as a financing mechanism, rather than as a true trading marketplace.

Under the Capital Markets Act, Regulated Markets, MTFs and OTFs may be used exclusively for trading in financial instruments. The scope of permitted instruments varies depending on the type of platform. Regulated Markets and MTFs may trade in all financial instruments, including equity and debt securities as well as derivatives. OTFs, however, are subject to legal restrictions and may trade only in non‑equity instruments – specifically bonds and other forms of securitised debt, structured finance products, emission allowances and derivatives – while trading in shares is expressly prohibited.

By contrast, trading in cryptocurrencies and digital tokens is governed by the Law on Digital Assets and is conducted on specialised digital asset trading platforms. Trading may involve both digital assets issued in the Republic of Serbia and those issued abroad, provided that the applicable listing conditions set out in 6.4 Listing Standards are met.

The increased activity of crypto‑exchanges in the global market prompted Serbia to become one of the first jurisdictions to adopt the Law on Digital Assets in 2020. This law, among other things, introduced a requirement that all entities performing activities related to digital assets – including the organisation of digital‑asset trading within the territory of the Republic of Serbia – must obtain authorisation from the competent authority as providers of digital‑asset‑related services.

Given that the Law requires a digital asset service provider, including a trading‑platform operator, to be incorporated as a commercial company, fully decentralised protocols (DEXs) must establish a legal entity in Serbia and obtain the relevant licence in order to operate lawfully in the country. The competent authority responsible for issuing this licence depends on the type of digital assets traded on the platform.

Furthermore, the emergence of crypto‑exchanges has led to amendments to anti‑money laundering regulations. Under these changes, transactions executed directly between users (P2P), outside traditional payment accounts, are classified as high‑risk transactions.

The conditions for listing financial instruments on different trading venues vary under the Capital Markets Act. A regulated market represents the most strictly supervised segment, where listing cannot occur without the prior approval of a prospectus. Certain exemptions apply, such as where the total consideration of the offer is less than EUR1 million over a 12‑month period, where the offer is made exclusively to qualified investors or to fewer than 150 natural or legal persons, or where the denomination per financial instrument is at least EUR100,000.

By contrast, trading venues such as MTFs and OTFs operate under more flexible regimes. Listing financial instruments on these venues does not automatically trigger the obligation to prepare a prospectus unless the instruments are offered to the public. Nevertheless, a market operator may, through its internal rules, require the preparation of an information document similar to a prospectus, albeit subject to less stringent formal requirements.

Regarding digital asset trading, a platform operator may define the conditions for admitting digital assets to trading. Under the Law on Digital Assets, trading on a digital asset exchange is permitted for assets issued both in Serbia and abroad. Trading is also allowed for digital assets without an approved white paper in Serbia, but advertising such assets is subject to restrictions. Advertising is allowed only when:

  • the White Paper is subsequently approved in Serbia or an EU member state; or
  • the digital asset is already being traded to a significant extent on global markets through licensed or registered platforms operating in compliance with EU regulations or other relevant AML/CFT standards.

Where digital tokens are traded without an approved White Paper, the platform operator – acting as a digital asset service provider – may advertise only the fact that secondary trading is available. Such advertising must be accompanied by a clear disclaimer stating that no white paper has been approved, in accordance with a by‑law adopted by the Securities and Exchange Commission.

By contrast, where virtual currencies have been issued without an approved White Paper, advertising is strictly prohibited. The National Bank of Serbia has not prescribed any conditions under which such advertising may be permitted.

Investment firms executing client orders in traditional financial instruments are required to comply with the obligations set out under the Capital Market Law, which is broadly aligned with MiFID II. These obligations include executing orders in the sequence in which they are received and taking all reasonable steps to achieve the best possible outcome for the client. Relevant factors include price, costs, speed, and the likelihood of execution. Clients must also receive confirmation of executed transactions no later than the end of the following business day.

Firms may refuse to execute an order if there is a justified suspicion of money laundering or terrorist financing. Additionally, investment firms must ensure that orders are executed fairly, both in relation to other clients and in relation to the firm’s own trading interests.

The Law on Digital Assets establishes specific requirements for platforms trading cryptocurrencies and tokens. Digital asset service providers must implement systems and measures to ensure prompt, fair, and efficient execution of client orders relative to other orders, with execution carried out in the order of receipt. Providers are required to maintain an electronic order book that records all purchase and sale orders, as well as cancellations, with precise timestamps, in a manner that prevents subsequent alterations without client consent.

Execution must be refused where there is a reasonable suspicion that fulfilling the order would contravene legal requirements, anti-money laundering or counter‑terrorist financing regulations, or would constitute a criminal offence.

Pursuant to the Law on Digital Assets, secondary trading conducted through a multilateral trading platform may be carried out exclusively by a platform operator that is incorporated in the Republic of Serbia as a commercial company and licensed by the competent authority. The mere availability of such platforms – including foreign platforms – to users in the Republic of Serbia does not, in itself, mean that they operate lawfully. To operate legally, these platforms must establish a legal entity in Serbia and obtain the relevant licence required for operating a digital asset trading platform.

Banks, as traditional participants in the financial market, are prohibited from organising trading platforms and from providing any digital asset-related services, except for the custody of cryptographic keys. At the same time, despite these restrictions, the traditional banking sector in Serbia continues to play a dominant role in deposit‑taking and lending, as these are activities exclusively reserved for banks under applicable law.

There is currently no specific regulation that explicitly addresses payment for order flow (PFOF) practices, whether in relation to traditional financial instruments or digital assets. However, the general rules set out in the Capital Markets Act – including best execution obligations, conflict of interest provisions, and client protection requirements – effectively prohibit the receipt of fees or inducements that could undermine a client’s interests.

Similarly, the Law on Digital Assets, through its overarching principles, creates practical limitations on the application of PFOF. In particular, the law requires that the interests of users take precedence, which restricts practices that could compromise fair treatment or the quality of execution.

In the Serbian market, the core principles of market integrity and the prohibition of market abuse apply equally to both traditional financial instruments and digital assets. In each of these areas, investment firms and providers of digital asset services are required to act fairly and in the best interests of their clients, with insider trading and market manipulation strictly prohibited.

With respect to the technical integrity of the market, client orders must be executed promptly, fairly, and in the order in which they are received. Firms must also maintain complete and accurate transaction records. To further safeguard market integrity, investment firms and digital asset service providers are obliged to identify and avoid conflicts of interest and to comply with all applicable anti-money laundering requirements.

The development and use of high‑frequency trading (HFT) and algorithmic trading (AT) are regulated under the Capital Markets Act, which permits the application of these technologies exclusively in the trading of financial instruments.

Investment firms may engage in AT and HFT, provided they submit prior notification to the Securities and Exchange Commission. Additionally, persons trading on their own account (dealers) who would otherwise not require a licence must obtain an investment firm licence if they engage in HFT.

The use of AT/HFT requires compliance with strict organisational, technical, and staffing standards, as well as broader regulatory obligations. These include implementing robust risk‑management arrangements, pre‑ and post‑trade controls, real‑time monitoring, algorithm testing procedures, an emergency system shut‑down (“kill switch”), and precise time‑synchronisation mechanisms.

In general, investment participants who trade financial instruments on their own account (in a principal capacity) are exempt from the requirement to obtain a licence. However, when they act as market makers, they must be licensed by the Securities and Exchange Commission as investment firms. In this context, market makers are required to meet certain statutory conditions, including capital requirements, the employment of appropriately licensed personnel, and the appointment of board members who possess a good professional reputation and relevant experience.

Market makers do not operate independently but rather within a stock exchange or other trading venue, pursuant to a contract with the trading venue operator. Such contracts typically define the market maker’s obligations regarding the provision of liquidity, the quoting of competitive prices, and the maintenance of market presence. They also outline any rebates or incentives offered by the trading venue in exchange for the market maker assuming the risk associated with maintaining liquidity.

Regulations in the Republic of Serbia clearly distinguish between dealers and investment funds.

Dealers trade financial instruments on their own account, using their own capital, and are generally not required to be licensed or subject to the full investor protection regime. However, they must obtain a licence from the Securities and Exchange Commission when they act as market makers, hold the status of a member or participant of a regulated market or MTF, use direct electronic access to a trading venue, engage in high‑frequency or algorithmic trading (HFT/AT), or trade on their own account while executing client orders.

Investment funds are collective investment vehicles regulated under the Law on Open‑Ended Investment Funds with Public Offering and the Law on Alternative Investment Funds. Their assets are managed by a management company, which is required to act in the best interests of investors. With a special licence from the Securities and Exchange Commission, management companies may also provide additional services – such as portfolio management or investment advice – to clients outside the fund. When offering these services, they must comply with the Capital Markets Act, including rules on conflicts of interest. Furthermore, if they use algorithmic trading, they are subject to the same regulatory standards as other investment firms.

Developers are not directly subject to regulation. Their work is evaluated in the context of the responsibilities of the entities that employ these tools, the technical and organisational standards that the tools must comply with, and the application of general provisions on market abuse and criminal liability.

In practice, underwriting processes in insurance involve analysing relevant data about both the insured party and the associated risk. These processes increasingly rely on digital tools, automated systems, and data analytics. While insurers may choose whichever underwriting methods and technological solutions best suit their operations, all processes must comply with insurance regulations and the rules issued by the NBS. This includes adhering to requirements related to risk management, the use of transparent and non‑discriminatory criteria, and maintaining appropriate controls over automated processes. In addition, underwriting activities must comply with applicable data protection regulations and consumer protection rules governing financial services.

In Serbia, different types of insurance are subject to distinct regulatory regimes. Life and long‑term products, including savings or investment‑linked policies, are governed by enhanced supervisory requirements. These include stricter risk assessments, more complex long‑term liability management, greater transparency obligations, and expanded policyholder rights. As a result, the underwriting process for these products is more detailed and demanding.

By contrast, non‑life insurance (such as property, liability, and accident coverage) operates under a more flexible regulatory framework. This reflects the shorter duration of such contracts and their differing risk profiles, leading to comparatively simpler underwriting processes.

Regtech providers are not, in themselves, regulated entities. Instead, the technologies they develop for use in regulated sectors are tailored to the specific regulatory frameworks governing the contexts in which they are deployed. This means that such technological solutions must be designed, implemented, and operated in a manner consistent with the requirements of the relevant laws and regulations.

Responsibility for the proper application of regtech solutions – and for ensuring their ongoing compliance with applicable legal and regulatory obligations – ultimately rests with the regulated entities that adopt and use these technologies.

In Serbia, contractual arrangements between financial institutions and technology providers are heavily shaped by mandatory regulatory requirements. Regulations governing banking, payment services, digital assets, data protection and ICT risk management establish minimum contractual standards intended to ensure system resilience, data accuracy and effective regulatory oversight.

Contracts must clearly define the scope of authority, duties and liabilities of the service provider. From a performance standpoint, technology contracts are required to support business continuity obligations. This includes specifying key parameters such as the maximum acceptable outage (MAO), recovery time objective (RTO) and recovery point objective (RPO), in accordance with the National Bank of Serbia’s ICT risk‑management rules.

Data accuracy is also a regulatory imperative. Payment institutions and electronic money institutions may outsource activities to third parties only if the vendor applies internal control systems equivalent to those of the institution itself.

One of the most critical regulatory requirements concerns audit and supervisory access. Agreements must grant the financial institution, its external auditors and the competent regulators (the National Bank of Serbia or the Securities Commission) access to all relevant documentation, systems, records and business premises of the vendor.

Contracts must further impose clear incident‑notification obligations on service providers. As financial institutions must report significant ICT incidents to the regulator, vendors are required to notify the institution without delay of any security or operational incident that could affect service delivery.

Within this framework, market practice plays a primary role only in determining commercial terms such as penalty levels, indemnity structures or technical thresholds related to business continuity commitments. The core contractual framework – including audit rights, continuity requirements, security standards and data accuracy obligations – is largely prescribed by regulation and forms the statutory minimum for lawful outsourcing in the financial sector.

Financial institutions supervised by the National Bank of Serbia – including banks, insurance and reinsurance companies, insurance brokers, insurance representatives and agents, providers of financial leasing, management companies of voluntary pension funds, payment institutions, and electronic money institutions – are prohibited from holding digital assets or instruments linked to digital assets, and their capital may not consist of digital assets. They are also prohibited from providing services related to digital assets or from acting as users of such services. However, banks are permitted to hold cryptographic keys.

Consequently, traditional financial players may use blockchain technology only for purposes unrelated to digital assets, although it is unclear to what extent they have implemented it in their operations.

Serbia has adopted the principle of technological neutrality, under which digital assets may be implemented using any technology, including blockchain. The law does not regulate the technology itself; instead, it allows for the use of any solution that is suitable for recording, transferring, and storing digital assets.

Consistent with the principle of technological neutrality, digital assets are defined not by the technology on which they are based, but by the rights and obligations they confer. Under the Law on Digital Assets, a digital asset is described as a digital record of value that can be bought, sold, exchanged, or transferred electronically, and may be used either as a means of exchange or for investment purposes. The law expressly excludes from this definition any digital representations of currencies that constitute legal tender, as well as other financial assets governed by separate legislation.

Accordingly, digital assets are classified into two categories: digital tokens and virtual currencies.

With regard to financial instruments, their issuance is generally subject to capital market regulations. However, an exception applies to tokens that possess the characteristics of financial instruments, provided that the total value of such tokens issued by the issuer does not exceed EUR3 million within a 12‑month period.

Any natural or legal person – whether domestic (Serbian) or foreign – may act as a digital asset issuer. While no licence is required to assume this role, the approval of a White Paper is mandatory for the public disclosure and public offering of digital assets. The Securities and Exchange Commission serves as the supervisory authority responsible for approving White Papers related to the issuance of digital tokens, whereas the National Bank of Serbia performs this function for the issuance of virtual currencies.

With respect to the tokenisation of real‑world assets, full implementation is still dependent on the integration of official property registries with blockchain technology. This remains a significant challenge not only in Serbia but across jurisdictions globally.

Trading platforms for digital assets are regulated in Serbia and may be operated only by a legal entity established in Serbia that holds either a licence from the National Bank of Serbia for cryptocurrency trading or a licence from the Securities Commission (KHOV) for trading digital tokens. Operators are required to meet capital, staffing, and technological standards.

In contrast, peer‑to‑peer trading between holders of digital assets – when carried out without the involvement of an intermediary – is not regulated and can be conducted freely without any licence.

Staking is not specifically regulated under Serbian law, but may be classified as a type of digital asset service provided by licensed digital asset service providers. Licensed providers operating in Serbia may include staking services within their service offering.

A provider of services related to digital assets who holds a licence to provide portfolio management of digital assets, operate a trading platform for digital assets, or offer services involving the receipt, transfer, and execution of orders for the purchase and sale of digital assets on behalf of third parties, is permitted to lend funds or digital assets to its clients solely for the purpose of providing financial leverage in digital asset trading, in accordance with an agreement with the respective client.

The lending of funds and digital assets may be carried out by the digital asset service provider exclusively from its own assets, and not from the assets of its clients.

Cryptocurrency derivatives are not regulated as a distinct type of digital asset. Depending on the rights and obligations they embody, they may be classified into one of two categories of digital assets:

  • a virtual currency; or
  • a digital token.

Each type of digital asset may be offered publicly, provided that a White Paper for the issuance of the digital asset has been approved by the competent regulatory authority.

There is no specific regulation governing DeFi in Serbia; however, the trading of digital assets is regulated under the Law on Digital Assets. Consequently, only legal entities registered in Serbia and holding a licence issued by the competent regulatory authority may provide services related to digital assets in the Serbian market. This means that the mere availability of an online DeFi protocol to Serbian residents does not exempt its operator from complying with the applicable legal requirements.

The activities of investment funds are governed by the Law on Open‑Ended Investment Funds with Public Offering (UCITS) and the Law on Alternative Investment Funds (AIFs). Under these regulations, UCITS funds and public AIFs may invest only in assets explicitly listed in the applicable rules, which currently exclude crypto‑assets and other blockchain‑based assets.

Private AIFs intended for professional or semi‑professional investors may invest in other types of assets if such investments are expressly permitted by the fund’s rules and approved by the Securities and Exchange Commission. However, investing in digital assets remains challenging in practice. Every fund must appoint a custodian – typically a bank – and under the Law on Digital Assets, banks are not permitted to provide services related to digital assets. This limitation significantly restricts the ability of funds to hold or manage digital asset investments.

Virtual currencies are a type of digital asset that is neither issued nor guaranteed in value by a central bank or any other public authority. They are not necessarily linked to legal tender and do not possess the legal status of money or currency. However, they are accepted by individuals or legal entities as a means of exchange and can be bought, sold, exchanged, transferred, and stored electronically.

Accordingly, virtual currencies represent one of the two regulated types of digital assets in Serbia.

The Law on Digital Assets provides a broad framework for the issuance of digital assets by dividing them into two main categories: digital tokens and virtual currencies. The law does not define NFTs as a separate, standalone type of digital asset. Instead, depending on their purpose and the specific rights and obligations they grant to investors, NFTs may be classified under one of the two regulated categories. Alternatively, if an NFT exhibits features of both virtual currencies and digital tokens, it may be treated as a hybrid digital asset.

In Serbia, stable digital assets are defined by law as digital assets issued with the aim of minimising fluctuations in their value. Their value is linked to the value of legal tender or to one or more low‑volatility assets (for example, pegged to the official exchange rate of the Serbian dinar or to a relatively stable foreign currency).

A stablecoin may fall into one of two categories of digital assets – digital tokens or virtual currencies – depending on its intended purpose and the rights it grants to investors.

Stablecoins may be issued by any issuer, whether domestic or foreign, and whether a natural or legal person. Unlike the regulatory framework in the EU, Serbia does not require a licence for the issuance of stablecoins.

However, in order for a stablecoin to be offered publicly, the competent regulatory authority must approve the publication of its White Paper.

Although Serbia is not an EU member state, as a candidate country it has transposed PSD2 provisions through amendments to the Payment Services Act, thereby establishing a regulatory framework for open banking. This framework includes the regulation of Payment Initiation Services (PIS), which allow third parties to initiate payments directly from a user’s account held with another payment service provider, and Account Information Services (AIS), which enable the collection and consolidation of information from one or more user accounts across different payment service providers.

For practical implementation, the National Bank of Serbia has adopted subordinate legislation, including technical regulatory standards. However, the full application of these standards has been deferred, providing existing payment service providers with a transition period to make the necessary technical and organisational adjustments. The final deadline for compliance is 1 January 2026.

Banks and payment service providers are subject to strict compliance obligations that are fully aligned with EU law, including GDPR and PSD2. All providers – banks, PISPs, and AISPs – must ensure a high level of protection for personal and banking data, with account access permitted only on the basis of explicit user consent. AISPs may access only those accounts and data that the user has authorised. Strong Customer Authentication (SCA), including multi‑factor authentication, is mandatory for online account access and electronic transactions and must dynamically link each transaction to the specific amount and payee to minimise fraud risk. As ASPSPs, banks must ensure secure data exchange through standardised APIs, enabling reliable identification of TPPs and secure messaging.

The Payment Services Act further requires providers to implement a comprehensive operational and security risk management framework. This includes regular risk assessments, procedures to detect, classify, and resolve significant incidents, and the application of security controls that protect users from fraud and misuse. Banks must submit updated risk assessments to the NBS. Where services are outsourced, providers must demonstrate that external ICT systems maintain a high level of protection and must notify the NBS in advance of any intended outsourcing arrangements.

The framework also establishes clear incident‑response obligations. Providers must promptly inform the NBS of any significant operational or security incident and must notify users if their financial interests could be affected. Banks may temporarily block AISP or PISP access if there is reasonable suspicion of unauthorised or fraudulent activity, and they must also notify the NBS when such action is taken.

Fraudulent conduct in the financial services and fintech sectors in the Republic of Serbia is criminalised through several statutory offences. General fraud provisions apply to financial market and fintech activities, covering situations in which a person, with the intent to obtain unlawful financial gain, misleads another through false representation or by concealing facts, thereby causing financial loss.

The Criminal Code also specifically addresses computer fraud. This includes the manipulation of electronic systems through inaccurate data entries, omissions, or other forms of interference carried out to obtain unlawful financial gain and cause damage to another party. Additionally, the unauthorised acquisition or use of payment cards or payment data for cashless transactions is expressly criminalised.

Fraudulent conduct in capital markets is further regulated by the Capital Markets Act, which includes offences such as market manipulation and misuse of insider information. Comparable conduct in the digital assets market is sanctioned under the Digital Assets Act.

The regulatory approach in this area is primarily preventive, emphasising the obligation of financial institutions to establish effective systems for detecting, preventing, and promptly identifying fraud. Enforcement measures and criminal prosecution serve as complementary components of the broader institutional framework.

Particular attention is directed toward fraud involving electronic payments, such as unauthorised transactions, phishing attacks, payment card misuse, and the manipulation of users to prompt the initiation of funds transfers. The regulatory framework includes specific protective mechanisms for situations involving user manipulation, imposing obligations on the payee’s service provider. For example, where reasonable grounds exist to suspect fraud, the payee’s service provider may temporarily restrict the payee’s access to funds for a defined period (up to three days) and may refund the payer if the payee fails to substantiate the lawful origin of the funds.

Regulators also monitor risks associated with digital identity and remote customer onboarding, as well as abuses relating to digital assets and online investment platforms.

In addition to regulatory supervision, Serbia has a specialised public prosecutor’s office for combating high‑tech crime. This office has jurisdiction over criminal offences committed through information technologies, including fraud occurring within the digital financial environment.

As a general principle, an injured party is entitled to compensation for any damage suffered, and this rule applies equally to damage resulting from fraud.

Where such damage is caused by regulated entities – including financial institutions, capital markets service providers, or digital asset service providers – civil liability for the loss may be accompanied by criminal liability, depending on the circumstances of the case.

Payment service providers are, as a rule, expressly liable for unauthorised payment transactions, as well as for the non‑execution, defective execution, or delayed execution of payment transactions, unless a statutory exemption applies (for example, in cases involving fraudulent conduct by the user). In the case of unauthorised transactions, the provider must refund the transaction amount to the user without delay. The user’s liability for losses is capped at RSD3,000 when the loss results from the use of a lost or stolen payment instrument. The user bears no loss where the provider failed to require appropriate (two‑factor) authentication or where the transaction was executed after the misuse had been reported. The user may bear the full amount of the loss only where the provider proves that the damage resulted directly from the user’s fraud or gross negligence in safeguarding personalised security credentials, thereby placing the burden of proof on the provider.

In the digital assets sector, the consequences of losses suffered by users in relation to digital asset service providers are not specifically regulated. Accordingly, general tort and contractual liability principles apply.

Motika i partneri

Belgrade 11000
Takovska 33/2
Serbia

+381 62 262852

office@motika.co.rs www.motika.co.rs