Fintech 2024

Last Updated March 21, 2024

Law and Practice
Orrick works with leading multinationals, financial institutions, Italian and international investors and startups to identify legal solutions to guide strategic business decisions. Based in Milan and Rome, its Italian team provides support on cross-practice, cross-border tech, finance, corporate, M&A and private equity transactions as well as compliance and regulatory matters. It also defends clients with disputes in and out of court. Its Fintech & Regulatory team has developed in‑depth European knowledge and experience in banking and financial regulation. It is recognised for its knowledge of innovative financial products and strategies for their delivery through emerging electronic platforms and other distribution networks. The team advises fintech operators on how to structure and implement new technologies for contracts and remote operations for the subscription of financial services, peer-to-peer payment platforms, instant-payment related services, robo-advisory services, lending and crowdfunding platforms for individuals and SMEs, wealth and asset management services, and information services on customer accounts. Orrick would like to thank Marco Boldini, Niccolò Martinoli and Nicolo Matteo Bonaldo for their assistance in the writing of this chapter.

In 2023, European fintech faced a 70% funding drop to pre-2020 levels, influenced by the end of mega rounds and a shift to quality investments. Payments and challenger banks (also known as “neobanks”) retreated, losing ground to crypto and lending. US, Asian and strategic investors reduced their participation. M&A remained stable, but deal sizes shrank significantly, impacting valuations. Public market stabilisation offers potential for funding/exits, but terms have shifted. Local ecosystems varied in impact, with the UK, Germany and France experiencing a 70% funding drop, while exits persisted. Poland saw a notable decline, but crypto infrastructure gained traction. The trend towards B2B software and fintech continued, with over 50% of deals in B2B software. Businesses focused on recurring-revenue software with strong margins show resilience. Key areas poised for momentum in the next six to 12 months include payment landscape reassessment, regtech growth in Know Your Customer (KYC) and anti-money laundering (AML), continued open banking and Banking-as-a-Service consolidation, and the expansion of generative artificial intelligence (AI) in insurance and banking, alongside increased automation and digitalisation of the CFO and HR functions.

In the EU, fintechs largely adopt vertical models, focusing on specific products and services rather than directly competing with traditional financial institutions. These models include digital payments and mobile wallets, neobanks, peer-to-peer (P2P) lending, insurtech, regtech, robo-advisers, blockchain and cryptocurrency, open banking platforms, cybersecurity and sustainable finance. For example, Italy is seeing increasing collaboration between fintechs and financial intermediaries, with 90% of fintechs confirming at least one collaboration, and 65% collaborating with traditional financial incumbents, according to the EY Fintech Waves 2023 survey. The EU fintech landscape is dynamic, with various emerging business models contributing to the industry’s evolution.

In the European fintech landscape, regulatory frameworks vary across key sectors:

  • PSD2 compliance: Fintechs in payment services adhere to the revised Payment Services Directive (PSD2), obtaining authorisation, ensuring security and contributing to open banking initiatives.
  • Crowdfunding and P2P lending: Platforms may face national regulations and must comply with Regulation (EU) 2020/1503, known as the Regulation on European Crowdfunding Service Providers for Business, which establishes standardised regulations throughout the EU for investment-based and lending-based crowdfunding services concerning business financing. This Regulation facilitates platforms’ ability to operate across the EU by allowing them to apply for an EU passport under a unified set of rules, streamlining the authorisation process. Additionally, the accompanying Directive modifies Directive 2014/65/EU (MiFID II) by including crowdfunding service providers authorised under the Regulation in the list of exempt entities, thus exempting them from the Directive’s scope.
  • Cryptocurrency exchanges: Adhering to the Markets in Crypto-Assets Regulation (MiCAR) and AML/counter-terrorist financing (CTF) regulations under the Fifth AML Directive, crypto exchanges ensure customer due diligence and reporting.
  • Digital banking (neobanks): Neobanks follow banking regulations and PSD2 for payment services, with emphasis on licensing, capital requirements and transparency.
  • Robo-advisers: Platforms adhere to MiFID II, obtaining authorisation, ensuring customer suitability and transparently disclosing investment information.
  • Insurtech: Compliance with varying insurance regulations includes solvency, consumer protection and risk management.
  • Open banking and application programming interfaces (APIs): PSD2 compliance is essential for open banking, requiring secure API access and adherence to technical standards.
  • Consumer protection and data privacy: General Data Protection Regulation (GDPR) compliance is crucial for data protection, alongside adherence to consumer protection laws, ensuring fair practices and transparent communication.
  • Crypto-assets: Compliance with MiFID II is required if they qualify as financial instruments. Compliance with MiCAR is required for e-money tokens, asset-referenced tokens and crypto-assets other than asset-referenced tokens and e-money tokens. Operators also have to comply with the provisions of Regulation (EU) 2022/858 (the Distributed Ledger Technology (DLT) Pilot Regime, a pilot regime for market infrastructures using DLT for the trading and settlement of crypto-assets qualifying as financial instruments) for digital native assets.

The EU regulates compensation structures in various financial services, including banking, investment and insurance, under a comprehensive framework focused on consumer protection and transparency. Fintech firms employ different compensation models, each with specific disclosure requirements. Fee-based models involve charging customers for services, necessitating clear disclosure of associated fees, additional charges and costs. Commission-based models, relying on earnings from product or service sales, demand disclosure of their nature and amounts to ensure transparency and mitigate conflicts of interest. Subscription models, freemium models, asset-based models and robo-advisory fee models also require transparent communication of terms, fees and features. Throughout, the EU stresses clear, fair and easily understandable disclosures, ensuring consumers are informed about potential conflicts arising from compensation structures.

In the European fintech market, in principle, industry regulations (banking, financial, insurance, collective asset management) apply to fintechs, in deference to the principle “same activity, same risks, same rules”, even if there are nuances and specificities that can differ from those of legacy players due to the use of technologies for some particular cross-market aspects (eg, the Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554)). In some cases, however, fintechs are subject to new regimes that have been specifically drafted (MiCAR, DLT Pilot Regime, Proposed AI Regulation), which in any case must co-ordinate with the traditional regimes. To foster innovation, regulatory authorities adopt a more flexible approach in certain cases, offering for example regulatory sandboxes or introducing pilot regimes. However, the overarching goal remains to ensure consumer protection, financial stability, and adherence to core regulatory principles, even if the application of rules may vary based on the specificities of fintech activities.

The EU lacks a centralised regulatory sandbox for fintech and innovation but allows and encourages member states to establish their own with regard to specific areas. Also, as part of its digital commitment, the European Commission introduced a blockchain-focused regulatory sandbox in 2023, open to 20 projects annually until 2026. This is a sandbox designed for businesses (including startups, scale-ups and public entities) that have already demonstrated a so-called proof of concept. Participants will be selected based on three criteria: (a) project maturity (a criterion that accounts for 40%); (b) legal and regulatory relevance (a criterion that accounts for 40%); and (c) relevance to the EU’s policy priorities (a criterion that accounts for 20%). This sandbox covers a broad spectrum of regulatory issues, including those related to digital identity, cybersecurity, consumer protection, competition law, smart contracts for automated data management and AML, as well as topics related to the specificities of individual sectors (environmental, healthcare, financial, etc). Additionally, a pilot project for an AI regulatory sandbox has been launched by the Commission. The AI regulatory sandbox aims to bring competent authorities closer to companies developing AI, in order to define best practices that will guide the implementation of the Commission’s future AI regulation. In any case, the aim of the Commission with regulatory sandboxes is to balance the promotion of innovation with consumer protection and financial system integrity, allowing fintechs to enter a regulated landscape while benefiting from certain exemptions from the general rules, and thus to test products and services with real clients under more favourable rules.

The regulatory landscape for fintech in Europe involves various supervisory authorities, reflecting the complex and diverse nature of the financial services industry on the continent. The main supervisory authorities at the European level and their respective jurisdictions include the European Central Bank for the stability of the eurozone banking system, the European Banking Authority (EBA) for banking regulation at the EU level, the European Securities and Markets Authority (ESMA) for securities markets, the European Insurance and Occupational Pensions Authority for the insurance and pension sectors, and the Single Supervisory Mechanism for prudential supervision of significant banks in the eurozone. Each EU member state has its own National Competent Authority (NCA) responsible for supervising financial institutions and enforcing compliance with EU regulations within its national borders. NCAs collaborate with the European supervisory authorities.

In general, outsourcing at the European level is well regulated, primarily through soft law provisions and guidelines such as the EBA Guidelines on outsourcing arrangements (EBA GL/2019/02) or the ESMA Guidelines on outsourcing to cloud service providers (ESMA50-164-4285), encapsulating generally similar cross-market principles. Consider, for instance, the definition of essential or important functions, echoed in various sector-specific regulations such as PSD2 or those concerning data processing and outsourcing in cloud systems. In principle, it is even possible to outsource a function or activity that is subject to authorisation. In such cases, the outsourcing party must ensure that the service provider is registered or authorised by a competent authority to perform such activities. EBA GL/2019/02 outline a series of contractual safeguards that must be present in an outsourcing agreement. Outsourcing can encompass all functions that can or should, in principle, be performed by the supervised entity. However, specific safeguards are provided for essential or important functions. Moreover, outsourcing contracts should cover aspects such as service levels, access to information, audit rights, data protection and business continuity.

Unregulated fintech providers are not deemed by any law to be “gatekeepers” and they have no statutory responsibility (save for regulatory consumer protection obligations). Regulated fintech providers, specifically Crypto-Asset Service Providers (CASPs) of regulated payment instruments/infrastructures and banks are deemed to be “gatekeepers”; hence, the significant part of the payment processing (ie, clearing and processing of payments) is done by banks, and fintech providers are required to partner with banks or obtain some form of approval from banks to participate in the payment system.

On 6 September 2023, the European Commission designated Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft as gatekeepers under Regulation (EU) 2022/1925, also known as the Digital Markets Act (DMA), covering 22 core platform services. The designated gatekeepers must have complied with new requirements by 6 March 2024, aimed at fostering a fair and open digital market in the EU. Those requirements include allowing third-party apps, facilitating easy unsubscribing, providing advertisers access to performance tools, banning the use of business user data for competition, preventing favourable ranking of the gatekeeper’s products, and restricting end-user tracking without proper consent. Pursuant to Article 3 of the DMA, a provider of core platform services is designated as a gatekeeper if:

  • it has a significant impact on the internal market;
  • it manages a core platform service that serves as a crucial gateway for business users to reach end users; and
  • it holds an entrenched and durable position in its operations or is expected to acquire such a position in the near future.

Regulators may take various enforcement actions across key sectors, including:

  • imposition of administrative penalties or sanctions;
  • initiation of criminal prosecution, resulting in fines, imprisonment or both;
  • withdrawal or suspension of licences, registrations or approvals;
  • prohibition from opening branches or restricting entity activities;
  • disqualification of directors from assuming office in other licensed institutions;
  • debarment of representatives; and
  • restriction of an entity’s activities.

In the EU’s fintech market, regulatory implications extend beyond financial services to encompass privacy, cybersecurity, social media content and software development. Unlike legacy players, fintech firms must navigate a dynamic landscape where adherence to multifaceted regulations is crucial. Stricter privacy regulations, exemplified by GDPR, demand heightened data protection measures, influencing how fintech firms handle customer information. Robust cybersecurity measures, such as those mandated by DORA, become imperative as fintech relies heavily on digital infrastructure. Additionally, regulations addressing social media content impact customer engagement and advertising strategies. Fintech firms’ agility in software development contrasts with the often cumbersome approaches of legacy players, necessitating adaptable compliance frameworks. Navigating this intricate regulatory web demands a nuanced understanding for fintech firms, ensuring they meet diverse requirements while differentiating themselves from traditional financial entities.

The European fintech market is a hyper-regulated sector where regulatory oversight involves various entities beyond regulators. Central banks oversee payment systems and monetary policy; Financial Intelligence Units combat money laundering, requiring AML and KYC procedures; data protection authorities ensure GDPR compliance; cybersecurity authorities review practices to safeguard sensitive data; market conduct authorities ensure fair practices; and industry associations establish standards.

Furthermore, as they often engage in regulated activities, fintech firms are subject, each according to the peculiarities of national regulations, to a series of obligations relating to supervision and control. These obligations must be carried out both by internal bodies within the company (considering key corporate control functions such as Internal Audit, Compliance, and the Board of Statutory Auditors) and by external entities (such as audit firms).

In some cases, however, fintech companies may not perform activities subject to licensing. When collaborating with regulated entities, it is crucial for them to always pay attention to applicable rules, best practices and market standards, ensuring high standards and competitive compliance quality in the eyes of the market and clients.

In the EU fintech market, it is common for industry participants to offer a mix of regulated and unregulated products and services. In general, if firms provide a regulated service, the scope of the other activities that they are allowed to carry out is set by relevant legislation. For example, MiFID II provides a list of “ancillary” unregulated services that MiFID firms can provide alongside regulated services. Also the PSD2, for example, allows authorised payment services institutions to provide operational and closely related ancillary services, such as guaranteeing the execution of payment transactions, currency exchange services, custody activities, and the recording and processing of data, as well as commercial activities other than the provision of payment services, provided that they comply with provisions protecting customers of regulated services. Fintech firms may operate under a single legal entity that is authorised for certain activities, while also offering non-regulated or less regulated services. Others may have separate legal entities for regulated and unregulated activities.

In general, the AML regulation at the European level was the first to address phenomena related to the fintech industry (eg, the first European definition of “cryptocurrency” is found in the Fifth AML Directive). This means that many fintech operators, even if they do not engage in regulated activities, are still subject to AML regulations, which have broad cross-sectoral applicability.

Regulated fintechs offering regulated financial services, such as payment services or cryptocurrency exchanges, are typically required to implement robust AML procedures. Those firms are usually supervised by national financial regulatory authorities and are required to adhere to the EU’s AML Directives, such as the Fourth and Fifth AML Directives.

Even if not directly subject to specific financial regulations, unregulated fintechs may need to implement risk-based AML measures, especially if their services involve financial transactions or have the potential for misuse. For example, AML rules on customer due diligence, including identity verification and monitoring of transactions, apply to both regulated and unregulated entities. Failure to comply can result in penalties, fines or other enforcement actions.

In the EU, robo-advisers adapt their business models based on asset classes, meaning that there can be differences in robo-advisory services depending on the asset class being recommended, and each asset class may be subject to specific regulations. In general, robo-advisers providing investment advice and managing individual portfolios regarding assets that meet the criteria to be classed as financial instruments, such as shares, bonds, exchange-traded funds (ETFs) or other listed instruments, will be subject to the MiFID II framework. Additionally, they need to adhere to corporate governance regulations and disclosure requirements.

Robo-advisers managing ETF portfolios need to comply with the UCITS (Undertakings for Collective Investment in Transferable Securities) Directive or the AIFMD (Alternative Investment Fund Managers Directive), depending on the type of ETFs they offer. Similarly, robo-advisers offering portfolios containing cryptocurrencies or digital assets need to comply with MiCAR or MiFID II, depending on whether the digital assets qualify as financial instruments. Finally, robo-advisers on insurance products are subject to the Insurance Distribution Directive (EU) 2016/97 and the Retail Insurance Products Regulation (EU) 2017/2358. These set harmonised rules for the mediation of insurance and reinsurance products within the EU, focusing on intermediary qualification, transparency of information provided to clients, management of conflicts of interest, and distribution of insurance products, as well as enhancing consumer protection in retail insurance product distribution, establishing specific requirements such as assessing product compatibility with customers’ needs, and transparency of fees and costs. In any case, regardless of the business model, robo-advisers need to comply with sustainable investment regulations, such as the Sustainable Finance Disclosure Regulation, as well as GDPR on data protection and AML and CTF regulations.

In response to robo-advisory innovations in the EU fintech market, traditional financial institutions are adopting hybrid models, combining human expertise with robo-tools, ensuring both personalised advice and automated efficiency. They enhance digital platforms for user-friendly access and incorporate algorithmic trading strategies. Legacy players prioritise regulatory compliance, engage in continuous innovation, and emphasise education to improve customer experience. Customers’ experience is improved also by leveraging data analytics and AI, which includes personalised financial planning, goal-based investing and real-time portfolio monitoring. Some opt for white-label solutions, partnering with robo-advisory fintechs, allowing traditional players to offer automated investment solutions without building the technology from scratch, while others pursue partnerships and acquisitions for rapid expertise gain. Adoption varies across institutions, reflecting strategies and client needs in the dynamic fintech landscape.

Robo-advisers, if they fall within the MiFID framework, must comply with the ‘best execution’ principle, adopting all reasonable measures to obtain the best possible result for the client when executing instructions, and communicating to clients the strategies adopted. Key considerations include fine-tuning algorithmic decision-making to adapt to market changes, maintaining transparency through clear disclosure of execution processes, and prioritising price improvement strategies for favourable customer outcomes. Market liquidity assessments, effective order routing and venue selection are vital components, along with trade aggregation considerations for economies of scale. Robo-advisers must diligently manage and disclose potential conflicts of interest, while robust technology infrastructure is crucial to mitigate operational risks and ensure uninterrupted trade execution.

In the European fintech market, differences exist in the business and regulation of loans for individuals, small businesses and other categories. Fintech firms focusing on consumer loans typically offer unsecured personal, payday or instalment loans, adhering to consumer protection regulations outlined in EU directives such as the Consumer Credit Directives. Small business lenders provide tailored financing solutions, navigating both consumer protection and business lending regulations. P2P lending platforms connect borrowers with investors, subject to regulations covering both consumer and business lending, including the EU Crowdfunding Regulation. Marketplace lenders operate online platforms for diverse borrowers, necessitating compliance with consumer protection laws and financial regulations. Regulatory variations across EU countries impact lending practices, influencing fintech firms to navigate nuanced consumer protection laws and business lending regulations. AML and KYC compliance differs between consumer and small business loans, with the latter facing stricter requirements.

Online lending is a reserved activity which requires authorisation by NCAs. Online lenders employ diverse underwriting processes shaped by business models, risk appetites and technological capabilities. Common processes include advanced credit scoring models utilising machine learning, alternative data analysis incorporating non-traditional sources, and automated decision-making for efficient underwriting. Lenders need to oversee the entire underwriting process until the loan agreement is finalised. They must conduct thorough creditworthiness and credit rating evaluations of potential borrowers, employing internal risk classification methods alongside external credit assessments.

Consumer credit assessments, especially for real estate loans, have specific criteria and are regulated by the Consumer Credit Directive 2008/48/EC, which covers all consumer loan agreements.

The new Directive on consumer credit – Directive (EU) 2023/2225 dated 18 October 2023 (CCD II) – responds to the changing landscape of the consumer credit sector, primarily driven by digital advances in consumer decision-making and behaviours.

CCD II aims to broaden the regulations to include small loans, leasing and crowdfunding platforms.

Further stringent regulations apply to real estate loans under the Mortgage Credit Directive (2014/17/EU), focusing on advertising, contractual transparency, and credit assessments to safeguard consumers in real estate transactions.

The main channel to access credit remains the banking channel. Banks accept deposits from customers, subject to regulatory requirements such as capital reserves and AML measures, as a primary source of funding for lending activities. Obtaining a banking licence is necessary to legally accept deposits. However, due to both the difficulty of obtaining a banking licence and the challenges often faced by small and medium-sized enterprises in accessing this channel, the banking channel has been complemented by alternative channels for accessing credit.

Besides banking, sources of funds for loans include various channels such as lending-based crowdfunding, credit funds and P2P lending.

Lending-based crowdfunding is regulated by Regulation (EU) 2020/1503, and enables small firms to collect funds through the issuance of debt financial instruments.

Alternative investment funds are also used in the granting of loans, in the form of “loan origination”, “loan participation” or “loan restructuring”, and are subject to the AIFMD. These funds must undergo a non-objection procedure with the national bank authorities to obtain authorisation for direct lending activities.

Finally, P2P lending involves individuals lending money directly through online platforms, raising legal and regulatory concerns about consumer protection and transparency. P2P lending, however, currently lacks a specific regulation.

Online lending platforms need an Investment Brokerage Firm Licence for lending marketplaces or a Crowdfunding Service Providers Licence for crowdfunding platforms. In general, platforms lacking their own authorisation often incorporate an officially licensed credit institution or insurance company into the lending process, known as the ‘fronting bank’ model.

For alternative funding models, such as tokenisation, the relevant rules depend on the asset being tokenised. However, the regulatory framework is still unclear.

Syndicated loans in the European fintech market are generally viewed favourably as they enable institutional investors and banks to pool resources for projects that might otherwise be considered too risky for individual financing. The process begins with loan origination, followed by structuring the syndicate, inviting participants (including institutional investors and banks) and conducting due diligence. Participants negotiate terms and agree on allocations, and the originating lender administers the loan. However, the collaborative nature of syndicated loans can increase the potential for competition law risks. On 5 April 2019, the European Commission released a long-awaited report titled “EU loan syndication and its impact on competition in credit markets”. While the report does not include the Commission’s own recommendations or conclusions, it is intended to guide the Commission’s policy and enforcement efforts in this area. Additionally, it proposes several safeguards that lenders should adhere to in order to maintain competition in the syndication process.

Payment processors enjoy the freedom to utilise existing payment rails or innovate by creating new ones. The regulatory framework, notably PSD2, encourages competition and innovation, enabling fintech companies to enhance efficiency through novel payment solutions. This flexibility allows processors to leverage traditional infrastructure such as card networks or bank transfers while fostering the introduction of entirely new payment systems. PSD2’s emphasis on open banking further supports the development of innovative payment initiation and account information services. Overall, the European fintech landscape promotes a dynamic and competitive environment, empowering payment processors to choose between existing and newly created payment rails, provided that regulatory standards and security measures are complied with.

Cross-border payments and remittances are regulated through several key frameworks to ensure transparency, efficiency and consumer protection. PSD2 enhances competition and security, providing a legal basis for payment institutions to operate across the EU. The Cross-Border Payments Regulation within the Single Euro Payments Area focuses on efficiency and cost-effectiveness for eurozone cross-border transactions. AML and CTF regulations impose due diligence and reporting obligations. Foreign exchange regulations govern currency conversion, ensuring fair practices. Regulation (EC) No 924/2009 emphasises pricing transparency for cross-border payments within the EU. Consumer protection laws and SWIFT standards enhance transparency and security, while e-money regulations safeguard electronic funds in cross-border transactions. Compliance with these regulations is crucial for fintech firms engaged in cross-border payments.

Fund administrators in the European market are subject to regulation based on their activities and jurisdiction. The regulatory framework includes the AIFMD, which imposes regulatory requirements for administrators of alternative investment funds (the AIFMD aims to create a harmonised framework for the management and administration of alternative investment funds (AIFs) within the EU), the UCITS Directive for UCITS administration (which sets out regulations for their authorisation, operation and supervision), and MiFID II for certain services. National regulations of EU member states also apply. Compliance with AML and CTF regulations is crucial to prevent financial crime. Fund administrators may need to obtain regulatory authorisation or registration from relevant supervisory authorities, and their activities are often subject to ongoing regulatory oversight. The level and nature of regulation can vary based on factors such as the size of the fund administrator, the scope of services offered and the types of funds it administers.

Contractual terms between fund advisers and administrators are diverse and contingent on factors such as fund characteristics, regulatory mandates and industry norms. Fund advisers commonly seek specific provisions to ensure performance and accuracy. These include Service Level Agreements defining service expectations, Reporting Requirements for accurate and timely reporting crucial for compliance, Audit and Inspection Rights permitting audits to ensure compliance, Data Security and Confidentiality clauses safeguarding financial information, Compliance with Regulations stipulating adherence to financial regulations, Indemnification and Liability provisions allocating responsibilities for errors, and Technology and Infrastructure Requirements outlining necessary capabilities. The presence of these provisions can be influenced by a combination of regulatory mandates and industry practices. Careful negotiation and documentation of these terms, considering fund particulars and regulatory environments, are essential, often facilitated by legal and compliance professionals to align contracts with regulatory and industry standards.

Various marketplaces and trading platforms are permitted in the EU, each subject to a different set of regulations depending on its activities.

These platforms include:

  • Regulated markets: These are the traditional stock exchanges and regulated trading venues where financial instruments are traded. Regulated markets are subject to the MiFID II framework.
  • Multilateral trading facilities (MTFs): These are alternative trading platforms allowing the trading of securities outside traditional stock exchanges. Unlike traditional exchanges, MTFs offer more flexible trading conditions and typically lower costs for traders. MTFs operated by credit institutions or investment firms are supervised by the NCAs. MTFs are subject to the MiFID II framework.
  • Organised trading platforms (OTFs): These are specialised platforms for specific securities such as derivatives. They face stricter regulation compared to MTFs, necessitating compliance with transparency and market integrity standards. OTFs must also ensure the absence of conflicts of interest influencing trade execution. OTFs are subject to the MiFID II framework.
  • Systematic Internalisers (SIs): SIs are investment firms that execute client orders internally rather than routing them to external trading venues. SIs are subject to the MiFID II framework.
  • Crowdfunding platforms: These facilitate the raising of capital from investors, typically for startups or small businesses, through various models such as equity crowdfunding, lending-based crowdfunding or reward-based crowdfunding. Crowdfunding platforms are subject to the Regulation on European Crowdfunding Service Providers for Business, which aims to ensure investor protection, transparency and operational resilience.
  • Crypto-asset exchanges: Platforms facilitating the trading of cryptocurrencies and digital assets are subject to either MiCAR or MiFID II, depending on the qualification of the asset. If the asset qualifies as a financial instrument, MiFID II applies; otherwise, MiCAR applies.

Various asset classes face distinct regulatory frameworks:

  • Equities and derivatives: Governed by MiFID II, ensuring transparency, investor protection and market integrity in financial instrument trading.
  • Cryptocurrencies and digital assets: Guided by MiCAR, the DLT Pilot Regime (for DLT native assets) and the Fifth AML Directive, imposing AML and CTF obligations on exchanges.
  • Debt instruments: Subject to MiFID II, with potential specific regulations or exemptions for certain debt instruments.
  • P2P lending and crowdfunding: Subject to a mix of consumer credit regulations and MiFID II, depending on the financial products offered.
  • Real estate crowdfunding: Regulated by a combination of crowdfunding rules, real estate transaction regulations and potentially national laws.
  • Commodities: Regulated under MiFID II, with specific provisions for commodity derivatives, addressing market abuse and manipulation in commodity markets.

The EU has long been working on regulating activities related to crypto-assets, including crypto exchange activities. MiCAR was published on 9 June 2023 in the EU’s Official Journal and came into force on 29 June 2023. The Regulation mandates that exchange service providers be authorised and adhere to a set of obligations concerning customer information and information transmission regarding transactions, as well as strict prudential and conduct rules, along with regulations against insider trading and market manipulation.

Once MiCAR applies, most crypto-assets not governed by financial services or e-money laws are subject to MiCAR. Firms need to ascertain the classification of the crypto-assets they handle, distinguishing whether they fall under the CASP regime, are deemed financial instruments under the DLT Pilot Regime or fall under other financial regulations.

On 7 December 2022, the European Commission, as part of the Listing Package, published a series of measures aimed at making capital markets more attractive for SMEs. The main proposals concern: (a) Regulation (EU) 2017/1129 regarding the prospectus to be published for a public offer or admission to trading of securities on a regulated market (Prospectus Regulation); (b) Regulation (EU) No 596/2014 on market abuse (MAR); (c) Regulation (EU) No 600/2014 on markets in financial instruments (MiFIR); and (d) MiFID II Directive with the repeal of the outdated Directive 2001/34/EC (Listing Directive). The main reference regulation is the Prospectus Regulation, which lays down requirements for drafting, approving and distributing the prospectus when securities are offered to the public or admitted to trading on a regulated market within an EU member state. This is accompanied by Delegated Regulation (EU) 2021/528, Delegated Regulation (EU) 2019/979 and Delegated Regulation (EU) 2019/980.

Listing standards, however, vary based on regulatory jurisdiction and the specific exchange, as a lot of discretion is left to the EU member states. Each exchange, such as Euronext or Deutsche Börse, as well as the London Stock Exchange, sets its own criteria covering financial performance, corporate governance and disclosure obligations. Regulatory oversight from bodies such as ESMA ensures compliance with standards.

Trading platforms in which financial instruments are negotiated are subject to specific rules concerning order handling set forth in MiFID II and MiFIR. Some new specific rules are provided by MiCAR for crypto-asset exchange platforms.

The main example of P2P trading platforms is crowdfunding platforms, governed by Regulation (EU) 2020/1503, where people can directly invest in crowdfunding projects, for instance, through the acquisition of shares. These platforms cannot be considered true trading platforms, given that they only serve as placing platforms that put the investor in contact with the crowdfunded company. Subsequent exchanges of the acquired shares can only be made privately, assisted by the bulletin boards provided by crowdfunding service providers. Any other trading venue where financial instruments are negotiated is regulated by MiFID II, and this is true even for P2P trading venues where parties can directly negotiate without any intermediation. P2P trading is particularly widespread in the crypto-assets market, which is largely built on a disintermediation principle. Nonetheless, even P2P trading in crypto-assets is now regulated by MiCAR, which established a wide set of rules to grant a minimum level of protection to investors.

MiFID II devotes specific attention to how investment firms must ensure the best execution of clients’ orders on financial instruments, taking into account the relevant execution factors: price, costs, speed, likelihood of execution and settlement, the size and nature of the order, and any other consideration relevant to the execution of the order. Execution policies and disclosures must explain how the investment firm weighs all of these factors in the best interest of its clients. The MiFID II framework on best execution has also been adopted by MiCAR for crypto-asset service providers involved in the execution of clients’ orders.

Payment for order flow is a typical way in which a market maker promotes the execution of investment orders with it. Essentially, the market maker pays a rebate to investment firms that route their clients’ buy or sell orders to it. Under the MiFID II framework, this payment is considered an inducement, which the investment firm may accept provided that it can demonstrate compliance with the MiFID II principles on inducements and pass the so-called quality enhancement test, ie, justify the inducement by demonstrating a corresponding enhancement of the level of service to the client. A more limited regulation of inducements is also provided by MiCAR, but only in relation to the provision of crypto-asset portfolio management and advisory services.

Market operators and market makers should co-operate in order to guarantee market integrity and increase investors’ confidence in it. Illegal practices such as insider dealing, unlawful disclosure of inside information and market manipulation are heavily sanctioned through the application of EU rules on market abuse. Regulation (EU) No 596/2014 (Market Abuse Regulation – MAR) established criteria and principles whose purpose is to define unlawful conduct and bring it to light, for instance by means of market transaction monitoring systems. Bespoke rules on market abuse are set forth by MiCAR for cases where crypto-assets are admitted to trading.

According to MiFID II, algorithmic trading can be described as trading in financial instruments in which the specific parameters of orders (eg, initiation, timing, price, quantity, etc) are automatically determined by a computerised algorithm, with or without human intervention. Among algorithmic trading techniques is high-frequency algorithmic trading, which relies on an infrastructure designed to minimise network and other latencies, and in which the initiation, generation, transmission or execution of the order is determined without human intervention. High-frequency algorithmic trading is therefore characterised by very high intra-day message traffic.

MiFID II provides specific controls, risk, business continuity and monitoring requirements for investment firms involved in algorithmic trading. These firms must notify their national supervisory authority of their intention to establish algorithmic trading techniques. In Italy, Consob recently issued a Guide whose aim is to provide support for Italian firms that have to comply with EU rules on algorithmic trading.

Under MiFID II, a market maker is an entity – generally a bank or an investment firm – that holds itself out on regulated markets and MTFs, on a continuous basis, as willing to trade directly by buying and selling financial instruments at prices set by it. The role of market makers is to provide liquidity in certain financial instruments, in particular by standing ready to buy them at determined prices. Market makers act through algorithms to refine their own trading strategies and to cope with very rapid market changes. Algorithmic trading allows market makers to analyse market transaction data and execute trades, according to predefined rules, at very high speed.

The MiFID II rules on high-frequency and algorithmic trading apply to investment firms and banks when they provide investment services for their clients (executing orders, receiving and transmitting orders, or dealing on own account). Investment funds, by contrast, are not subject to these specific rules, given that they do not execute clients’ orders through high-frequency or algorithmic trading. Nonetheless, EU member states can adopt slightly different approaches; in Italy, for example, the provisions on high-frequency and algorithmic trading must be applied by those investment funds or fund managers that are members and/or participants of regulated markets or of multilateral trading facilities.

Despite their importance, the programmers of algorithmic trading mechanisms are not directly subject to any specific regulatory obligation under MiFID II. Nonetheless, given that investment firms performing high-frequency and algorithmic trading are heavily regulated, when they rely on third parties to develop and structure algorithmic trading functionalities they must assess those third parties’ reliability and they remain responsible for compliance with the MiFID II obligations. Therefore, any investment firm that outsources any activity concerning the implementation and functioning of high-frequency and algorithmic trading systems to a third party must have adequate knowledge and competence to ensure constant and safe monitoring of that third party.

At the moment there is no regulation governing true DeFi technologies within the EU. Regulating and supervising DeFi is not easy, as highlighted by ESMA in its October 2023 report “Decentralised Finance in the EU: Developments and risks”, given the technicalities involved and the need “to determine how the current rules may apply to a system that purports to eliminate those entities to which existing rules precisely apply”. Even MiCAR and the DLT Pilot Regime do not directly address true DeFi technologies.

Companies or platforms involved in the production and publication of general and generic financial research are not subject to any authorisation and can freely perform their activity. Such research must not be tailored to a specific investor on the basis of that investor’s profile. Indeed, personalised or individualised research can easily qualify as an individual investment recommendation, which can only be provided by firms authorised to provide the investment advice service.

The spreading of rumours or other unverified information is not per se regulated, unless it is linked to financial instruments negotiated on regulated markets or MTFs. In this event, market abuse rules can be applied and those identified as responsible for the rumours can be heavily sanctioned, including through the application of criminal sanctions.

Investment firms or banks managing trading platforms, as companies authorised to operate authorised market infrastructure, must monitor and control the behaviour of all the clients interacting with them. This also applies to firms managing social trading platforms, where some traders can have a strong influence on other investors and lead their investment choices. Controls must be particularly focused on conduct which may constitute market abuse under MAR. Market participants must adopt specific mechanisms to detect breaches of MAR obligations.

The underwriting of insurance contracts is regulated by the Insurance Distribution Directive (Directive 2016/97/EU), under which insurance companies and insurance contract distributors must comply with specific transparency obligations and give clients a set of information and documents – for instance on cost and charges – before the subscription of an insurance product. A simple, standardised insurance product information document (IPID) is foreseen for the provision of plain and clear information on non-life insurance products, so that consumers can make more informed decisions. Some life insurance products with an investment component are classified as Pre-packaged Retail Investment and Insurance Products (PRIIPs) and their distribution must be preceded by the delivery of the Key Information Document (KID) illustrating the very basic characteristics of the product and its costs.

EU legislation on insurance is based on Directive 2009/138/EC (Solvency II) which provides the rules on prudential requirements, organisational structure and governance of EU-based insurance companies. This Directive divides insurance products into two main classes: non-life insurance products and life insurance products. These classes (life or non-life) are governed by different rules; therefore, insurance companies and insurance distributors are treated in a different way depending on the classes of insurance products they manufacture and/or distribute. Specific rules are provided for insurance against civil liability in respect of the use of motor vehicles, given that there is an obligation to insure against such liability. The market of this particular insurance product is going to be reformed thanks to the implementation of Directive 2021/2118/EU, whose goals are a better harmonisation of EU member states’ legislation on motor third-party liability, protection of injured parties, and compensation in all cases of insolvency of foreign companies.

Regtech providers are specialised technology companies involved in the development of technological solutions for the provision of regulated services in the banking, financial and insurance sectors. Under EU law, regtech providers can be subject to rules and regulatory standards depending on the services in which they are involved as outsourcees. Outsourcing in the financial sector is regulated in detail by EU law and, specifically, by the EBA guidelines, which establish specific requirements for outsourcees, obligations and standards which must mandatorily be inserted within an outsourcing contract, and the obligation to inform regulatory authorities of the existence and scope of the outsourcing contract. Another important regulation for regtech providers is DORA, whose aim is to provide uniform requirements for the security of networks and information systems of companies operating in the financial sector as well as for their outsourced providers of cloud platforms or data analytics services.

Any outsourcing agreement concerning the provision of services to financial regulated entities must contain specific contractual clauses as required by EU law in the form of the EBA guidelines on outsourcing. Contractual terms must be incorporated through detailed service-level agreements and key performance indicators to define the provision of services and monitor the outsourcee’s activity. Additional and stricter obligations should be applied whenever the services provided by the outsourcee can be classified, for the financial institution, as critical or important functions.

The use of distributed ledger technologies, among which is blockchain, is spreading in the fintech sector thanks to the growth of crypto-asset markets and the introduction of a specific EU regulation (MiCAR) which provides rules on crypto-assets and standards for the use of distributed ledger technologies. DLT can simplify and secure many activities and operational processes related to the registration of transactions. The use of this technology has now been developed even in the financial markets thanks to Regulation (EU) 2022/858, which introduced a pilot regime (DLT Pilot Regime) for market infrastructures using DLT for the trading and settlement of crypto-assets qualifying as financial instruments within the meaning of MiFID II.

As mentioned, the approach of the EU regulation towards distributed ledger technologies (among which is blockchain) is mainly contained in the DLT Pilot Regime and in MiCAR. As regards the use of DLT for the trading and settlement of financial instruments, the standards that must be implemented as well as the exemptions from the application of MiFID II rules are set forth in the DLT Pilot Regime. The approach of the EU regulator in this field is to build a protected and safe harbour in which DLT solutions for the marketing of financial instruments can be tested and developed.

Generally speaking, the assets registered on blockchain are crypto-assets. The most important of them, after the introduction of MiCAR, are now classified as (i) electronic money tokens, which maintain a stable value by referencing the value of one official currency and which are to be used as a means of exchange, (ii) asset-referenced tokens, which maintain a stable value by referencing another value or right or a combination thereof, including one or more official currencies, and (iii) a residual category mainly consisting of so-called utility tokens, which are only intended to provide access to a good or a service supplied by its issuer. On the other hand, crypto-assets that can be qualified as financial instruments are out of the scope of MiCAR.

As mentioned, some crypto-assets are now regulated by MiCAR, which provides specific requirements regarding issuers’ prudential capital, conduct and governance. At the same time, MiCAR introduced a wide set of rules aiming at guaranteeing transparency in the issuance and placement of crypto-assets. For those crypto-assets which, given their characteristics, can be classified as financial instruments, MiFID II rules on the trading of financial instruments are applied.

Crypto-asset service providers are regulated by MiCAR, which provides specific rules for those providers which are involved in the management of a crypto-asset exchange platform, such as AML procedures, order routing and execution policies, conflict of interest policies, and resiliency and business continuity policies. For those firms managing trading platforms on which crypto-assets qualified as financial instruments are negotiated, MiFID II rules on regulated market operators and MTF or OTF operators are applied.

Although EU law regulates harmonised funds (UCITS), including by establishing requirements on the assets in which they can invest, and the managers of AIFs, it does not provide specific rules on funds investing in crypto-assets. Nonetheless, UCITS are subject to such strict investment restrictions that it is very hard for them to invest in crypto-assets, while AIFs are generally open to any kind of investment and crypto-assets can be included in their portfolios.

Virtual currencies represent those crypto-assets mainly used as means of payment or exchange. Within the classification of crypto-assets set forth by MiCAR, there are electronic-money tokens which, thanks to their link with one official currency, can be generally used by their holders as a means of payment. Given their peculiar characteristics, specific rules are provided by MiCAR for the issuance and placement of e-money tokens. Other cryptocurrencies not qualifying as e-money tokens cannot fall within the scope of application of MiCAR, and their qualification and legal treatment would depend on a case-by-case assessment.

EU rules on trading platforms for financial instruments and for crypto-assets do not allow the use of fully decentralised platforms whose functioning is not managed and controlled by any authorised and supervised entity. According to both MiCAR and the DLT Pilot Regime, trading and exchange platforms must always be managed by an authorised entity, which must meet specific prudential, governance and conduct requirements and is supervised by public authorities. Therefore, at the moment, true DeFi technologies cannot be used for financial instruments and crypto-asset issuance and exchange.

NFTs and NFT platforms are not regulated by MiCAR. Their issuance, placement and trading are out of the scope of the EU regulation on crypto-assets given that their features (they are unique and non-fungible) limit the extent to which they can have a financial use and, therefore, risks to holders and the financial system. Even fractional NFTs are excluded from the application of MiCAR, while they may in some cases be qualified as financial products or instruments and be subject to the applicable MiFID II rules.

The EU approach towards promoting the introduction and spread of open banking solutions is very proactive, since open banking technologies are considered very helpful to improve consumers’ control over their savings and financial conditions, and to allow simpler and faster payment transactions. PSD2 regulates account information service providers (AISPs) and payment initiation service providers (PISPs), which allow banks’ customers to have an aggregate view of their accounts and to make payments through a single provider.

Since open banking solutions work thanks to the sharing of data between banks and payment service providers, a strong commitment is required by the EU law on data protection and security. Open banking operators are therefore subject to PSD2 technology requirements, such as Strong Customer Authentication, to GDPR rules on privacy and data protection, and to DORA provisions aimed at dealing with ICT risks.

The provision of financial services is a risky activity whose potential impacts for savers and for the financial markets in general can be very significant. Frauds and misconduct, such as the selling of non-transparent products and deliberate market distortion, can cause unimaginable damage. Therefore, financial services provision is reserved to specific authorised and supervised intermediaries. The rise of fintech solutions and the risks linked to their complexities led to the introduction of specific regulations – such as on outsourcing, privacy and ICT risks – aimed at making financial intermediaries responsible for the correct functioning of the adopted technologies.

The types of fraud that can be found in the financial markets are varied and new types are always emerging, from internet fraud involving illegal access to current accounts or data theft, to fraud committed by financial advisers or agents (mainly classic Ponzi scheme fraud). Particular attention has recently been paid by ESMA to the many financial influencers who operate on social networks by abusively promoting various forms of investment, sometimes even illegal ones.


Trends and Developments


European fintech legislation is facing a turning point which is already shaping the contours of the future of financial services in the EU. The EU legislator, in fact, has not only already regulated some new fintech areas, such as the crypto-asset industry with the Markets in Crypto-Assets Regulation (MiCAR), and updated and streamlined some existing regulations (ie, the revised Payment Services Directive (PSD2) and the revised Markets in Financial Instruments Directive (MiFID II)), but is in the process of adopting newly minted pieces of legislation in order to regulate the most sensitive issues for clients and traders, such as the security of information systems, the implementation of artificial intelligence (AI) in financial services, and the creation of dedicated trading venues for digital native assets (DLT Pilot Regime).

MiCAR’s Crypto-Asset Revolution

One recent significant milestone reached by the European legislator in the fintech sector relates to MiCAR. Published on 9 June 2023 in the EU’s Official Journal, MiCAR came into force on 29 June 2023, establishing a comprehensive regulatory framework for previously unregulated crypto-assets in the EU. While certain provisions took effect from 30 June 2024, MiCAR will be fully applicable from 30 December 2024. Its adoption marks the conclusion of a successful, even if long and quite troubled, legislative process, introducing a new chapter into the EU’s Single Rulebook, and replacing divergent national frameworks on crypto-asset regulation across member states.

MiCAR applies to crypto-asset service providers (CASPs) and crypto-asset issuers (CAIs) operating within or across the EU. MiCAR’s primary aim is to define the regulated crypto-assets, which are e-money tokens (whose value is linked to a fiat currency), asset-referenced tokens (whose value is linked to a value or a right, or a combination thereof, including one or more fiat currencies) and other crypto-assets granting a right of access to specific goods or services (for instance, utility tokens). It seems clear that MiCAR does not expressly regulate some other crypto-assets, such as bitcoin, given that they cannot be fitted into one of MiCAR’s definitions and they are, at the same time, neither issued by any CAI nor registered in a “supervised” distributed ledger technology (DLT).

The regulated services under MiCAR are largely akin to those covered by existing EU financial regulations, such as MiFID II, mandating licensing for both CASPs and CAIs. With several EU-level authorities tasked with publishing numerous applicable technical standards as per MiCAR, the framework aims to be technology-neutral and agnostic to asset class and jurisdiction, aiming for a balanced approach between addressing the different levels of risk posed by each type of crypto-asset and fostering financial innovation.

MiCAR expands regulatory oversight to encompass businesses offering various crypto-asset services. These services include some specifically crypto-related services (such as the operation of a trading platform for crypto-assets, the exchange of crypto-assets for funds or other crypto-assets, and the provision of transfer services for crypto-assets) and other services which are substantially similar to MiFID II services (such as the execution of orders for crypto-assets, the placing of crypto-assets, the reception and transmission of orders for crypto-assets, and advisory and portfolio management services related to crypto-assets).

Key Takeaways From MiCAR

MiCAR establishes a harmonised EU-wide licensing regime and a single set of conduct of business rules, with provisions gradually becoming applicable. Licensing and conduct of business rules apply to both natural and legal persons engaged in crypto-asset issuance, public offering, trading or related services in the EU.

MiCAR introduces a “whitepaper” framework for minimum disclosure requirements, particularly for issuers of asset-referenced tokens and e-money tokens. Supervisory responsibilities are assigned to national competent authorities and EU-level bodies for effective enforcement and consumer protection.

MiCAR applies to CASPs based on where they provide services rather than where they are established. MiCAR has extraterritorial effect, requiring third-country firms offering services to EU-based customers to be authorised under MiCAR. However, a reverse solicitation exception exists for EU clients seeking services from third-country firms on their own initiative, excluding those services from MiCAR’s scope. Yet, if third-country firms solicit or promote services in the EU, they cannot rely on this exception.

Authorisation for CASPs requires that their “place of effective management” is in the EU, with at least one EU-resident director. Essentially, this restricts third-country firms from providing crypto-asset services within the EU. Once authorised, CASPs can use a passporting regime to offer services across the EU: the CASP notifies its home regulator, which in turn communicates with the regulators of the relevant member states so that cross-border provision can begin within 15 calendar days.

CASPs are obliged to uphold standards of honesty, fairness and professionalism, prioritising their clients’ best interests. This includes clear and non-misleading communication, with marketing materials clearly identified as such. CASPs must maintain transparency through ongoing disclosure requirements, including policies on pricing, costs, fees and climate impacts. Prudential obligations entail maintaining minimum capital requirements and robust organisational governance, covering management suitability, business continuity, record-keeping, client asset safeguarding, conflict management and outsourcing protocols. CASPs must establish outsourcing policies and written agreements with third parties while retaining responsibility for MiCAR compliance, regardless of delegation. All these requirements and obligations can be easily compared to those set forth in the MiFID II legal framework, thus confirming from which principles and rules the EU legislator took its inspiration for regulating crypto-assets.

The Proposed Regulation on AI

The landscape of AI regulation is rapidly evolving, spurred by technological advances and the emergence of powerful AI models such as OpenAI’s ChatGPT and Google’s Bard. In April 2021, the European Commission introduced its proposal for the Artificial Intelligence Act (AI Act), igniting debates and adding complexity to the already intricate EU legislative process. Nevertheless, there is a pressing sense of urgency to address these emerging trends comprehensively, not only for the EU’s benefit but also to position Europe as a global leader in AI regulation, influencing other jurisdictions as they contemplate their own approaches.

Throughout the legislative journey, both the Council of the EU and the Parliament formulated their positions, which, although initially aligned with the Commission’s proposal, began to diverge over time. As a result, the three legislative bodies must now reconcile their differences and align on integral aspects of the AI Act. Despite potential challenges, it is expected that the final text will be adopted before the next European elections scheduled in May 2024.

The AI Act and the EU’s Regulatory Approach

Despite disagreements among legislative bodies, the AI Act serves as a cornerstone in understanding the EU’s direction and approach to AI regulation. Its overarching objective is clear: to enhance consumer acceptance and trust in AI technologies within Europe. Achieving this goal is challenging, but the AI Act aims to do so by establishing harmonised rules governing the development, introduction and use of AI systems across the EU.

The EU’s regulatory approach is characterised by a “horizontal approach” focusing on creating one technology-focused regulation covering various AI impacts and use cases. Unlike tailored regulations for specific AI models or economic sectors, the AI Act addresses AI’s broad impacts and applications. This approach leaves the door open to future adaptation through secondary rulemaking for specific cases.

Implications for Stakeholders

The AI Act has extraterritorial reach, impacting all providers and users of AI systems whose output is utilised within the EU, regardless of their location. To ensure oversight, third-country providers will need to appoint representatives within the EU.

The AI Act forbids the use of specific dangerous AI practices (such as those giving social scores or able to manipulate humans’ behaviour) and then targets “high-risk” AI systems, which pose significant risks to health, safety or fundamental rights. These systems face stringent requirements concerning data quality, documentation, transparency, human oversight and cybersecurity. Users of high-risk AI systems also bear responsibilities to ensure safe and appropriate use.

Impact on the Financial Sector

While the AI Act is horizontal legislation, it impacts specific financial use cases such as credit scoring models and insurance risk assessment tools.

In credit scoring models, AI conducts comprehensive data analysis, employs predictive analytics to forecast default likelihood, utilises machine learning for continuous adaptation and improved accuracy, automates processes for faster decision-making and enables personalised lending decisions. Similarly, in insurance risk assessment tools, AI aids in underwriting policies, employs predictive modelling for anticipating future claims, detects fraud, segments customers based on risk profiles, streamlines claims processing and facilitates risk mitigation strategies. Overall, AI empowers institutions to enhance decision-making, mitigate risks, improve efficiency and deliver better outcomes, albeit with the importance of responsible deployment, transparency and ethical considerations to maintain trust and fairness.

AI systems used in these contexts are likely to be classified as high-risk due to their potential impact on individuals’ financial resources and fundamental rights. For instance, in credit scoring mechanisms, AI technologies could lead to some form of discrimination based on how the algorithms are structured and work. Given the algorithms have to be pre-structured with some criteria, the strict application of those criteria can lead to biased decisions. For instance, specific groups of people or ethnicities can be excluded from a credit line simply because they all live in a specific geographic area.

In this field, sectoral regulation can be very important in establishing further and more detailed rules to address the use of algorithms and AI practices. At the same time, sectoral regulation should avoid an overly strict and rigid approach, so as to enhance and promote future developments and research on the implications of AI.

To avoid overlaps with existing financial regulations, the AI Act directly refers to financial regulation for compliance purposes. Nonetheless, it remains a primary compliance reference, especially for institutions reliant on high-risk AI systems.

DLT Pilot Regime

Another important issue that will shape the European fintech market in the near future is linked to the DLT regulatory framework.

On 23 March 2023, Regulation (EU) 2022/858, also known as the DLT Pilot Regime (DLTPR), came into effect. This regulation allows for the trading, clearing and settlement of DLT-based transferable securities, as defined in Article 4(1)(44) of Directive 2014/65/EU (MiFID II), on a multilateral trading facility (MTF) under MiFID II. In simpler terms, security tokens can now be traded in compliance with EU financial market regulations, offering both increased market efficiency and a high level of investor protection.

Structurally, the DLTPR serves as a regulatory sandbox, providing temporary exemptions from certain specific requirements of EU financial services legislation for certain DLT market infrastructures. The insights gained from the DLTPR experience over the coming years will inform targeted adjustments to EU law regarding the issuance, safekeeping, asset servicing, trading and settlement of DLT financial instruments. The goal of the DLTPR is not widespread implementation of the technology but rather to gain insight into effective mechanisms for future DLT implementation on a larger scale. The DLTPR is limited to a maximum of six years, with specific permissions for operators granted for up to six years. The European Securities and Markets Authority (ESMA) is tasked with preparing a report on the DLTPR’s functioning and effectiveness by 24 March 2026, after which the European Parliament and the Council will decide whether to extend the regulation for a further period of up to three years. However, the sandbox approach of the DLTPR presents challenges for market participants, as uncertainties remain about the future regulatory landscape and the potential discontinuation of the regime. Additionally, the DLTPR grants national regulators wide discretion, allowing them to grant exemptions or impose additional obligations on applicants/operators in various cases. While this flexibility aligns with the experimental nature of the DLTPR, it also creates uncertainty for applicants, with unpredictable outcomes during the application process.

It is worth noting that the DLTPR and its connection with MiCAR introduce complexities in regulating crypto-assets within the EU. This is because the DLTPR and MiFID II apply to crypto-assets classified as financial instruments under MiFID II, while MiCAR governs other forms of crypto-assets, resulting in parallel regulatory frameworks.

This parallel framework can lead to overlaps when service providers offer services covering both financial instruments and other tokens. For instance, providing investment advice on security tokens requires authorisation under MiFID II and for other crypto-assets under MiCAR. To address this, Article 60(3) of MiCAR permits investment firms authorised under MiFID II to provide equivalent crypto-asset services under MiCAR.

However, ongoing authorisation requirements remain complex, as neither MiCAR nor the DLTPR streamlines provisions. A DLT MTF must comply with MiFID II and DLTPR requirements, while a trading platform for crypto-assets must adhere to MiCAR rules. Although the technology is identical, operators must navigate compliance with both frameworks.

MiCAR lacks specific procedures for settling and clearing crypto-asset transactions on trading platforms, as it does not carry the same regulatory baggage as financial instruments. Nevertheless, it is expected that MiCAR trading platforms will adopt transaction standards and cybersecurity measures from the DLTPR, indirectly regulating transactions.

MiCAR includes a legislative update procedure, requiring a report on its application within 24 months and a possible legislative proposal within 48 months of entry into force. Similarly, the DLTPR mandates a report by ESMA to the Commission by 24 March 2026. Both regimes will eventually merge into a unified trading and settling regime for all crypto-assets under EU legislation.

Finally, another important development in European fintech legislation concerns the review of PSD2 recommended in 2022, including merging PSD2 with the second Electronic Money Directive, addressing consumer risks from authorised push payment fraud, clarifying exclusions in PSD2 and expanding “open finance” products. The European Commission is expected to adopt the proposed amendments into law by the end of 2024. The revision is of particular interest to fintechs, as it may alter regulatory scope and prudential requirements.


European fintech legislation is undergoing a significant transformation that is poised to reshape the landscape of financial services within the EU. The legislative initiatives have been far-reaching. The adoption of MiCAR and the DLTPR, the prospective introduction of the AI Act, as well as the revision of PSD2, reflect the EU’s proactive approach in addressing emerging challenges and opportunities in the fintech sector.

The AI Act represents a pivotal step in regulating AI technologies, aiming to foster consumer trust and acceptance while positioning Europe as a global leader in AI regulation. The AI Act’s extraterritorial reach and focus on high-risk AI systems underscore its significance for stakeholders, including those in the financial sector, where AI applications play a crucial role in credit scoring models and insurance risk assessment tools. In these fields, the risks of discrimination and distortion arising from the mechanical application of algorithms will be addressed through flexible sectoral regulation.

Similarly, MiCAR establishes a comprehensive regulatory framework for crypto-assets, addressing gaps in national regulations and promoting market efficiency and investor protection. The framework encompasses various crypto-asset services and introduces licensing requirements for providers operating within or across the EU. Nonetheless, MiCAR does not address all kinds of crypto-assets, which will probably require future reforms of the MiCAR framework, and leaves some grey areas in which interpretations and criteria from the supervisory authorities are essential.

The parallel regulatory framework with the DLTPR introduces complexities but aims to streamline provisions and eventually merge into a unified regime for all crypto-assets under EU legislation.

Furthermore, the review of PSD2, slated for adoption by the end of 2024, promises amendments to address consumer risks, clarify exclusions and expand open finance products, which will have significant implications for fintech companies.

Overall, these legislative developments signal the EU’s commitment to fostering innovation while safeguarding consumer interests and market stability. Compliance with these evolving regulations is imperative for stakeholders, necessitating proactive adaptation to ensure alignment with regulatory requirements and timelines.
