Areas of Focus

In Belgium, while the first fintech initiatives focused on alternative financing solutions such as crowdfunding platforms, the sector really gained traction with the development of payment solutions. These include retail payment platforms, with a fair share of money remitters, but also B2B payment services such as professional foreign exchange (FX) payments for small and medium-sized enterprises (SMEs). As a result of Brexit, several UK payment service providers (PSPs) selected Brussels to establish their European headquarters. The arrival of these players has added a lot of maturity to this sector in Belgium, which has become one of the most important fintech verticals in Belgium.

In addition, many fintechs active in Belgium also focus on providing solutions to the financial sector (regtechs).

Evolution of the Sector

Artificial intelligence and open finance are currently among the most prominent topics in the fintech sector. Under the upcoming EU Regulation 2024/1689 of 13 June 2024, laying down harmonised rules on artificial intelligence (the “AI Act”), fintech companies that develop or use AI will need to comply with a new set of rules, varying based on the type of AI involved. The AI Act will be implemented in stages, with initial provisions taking effect as of 2 February 2025 and full enforcement expected by 2 August 2026.

Meanwhile, the EU Proposal for a Regulation on a framework for Financial Data Access (FIDA), currently under interinstitutional negotiations, aims to establish a framework for the exchange of financial data across all verticals of the financial sector. If adopted, this ambitious regulation could present a major opportunity for the development of innovative products by fintechs.

The predominant fintech business model in the Belgian fintech industry is the payment vertical, which is populated by both incumbents and fintech entities. Belgium also sees many fintechs active in investment as well as many regtechs. Although Belgium has seen a surge in projects related to crypto-assets and the blockchain technology, that vertical is not predominant in Belgium.

Payment Services

The payment sector in Belgium is varied. There is an important activity on the B2B side, notably in the field of professional FX payments and acquiring services for merchants. Following Brexit, several international money remitters have located their EEA headquarters in Belgium, which has then attracted other money remitters, as they are looking for a level regulatory playing field and, therefore, wish to be supervised by the same authority as many of their major competitors.

Investment Services

In Belgium, both incumbents and fintechs offer innovative investment solutions covering various types of investments, but also aiming at different types of clients. (Automated) investment solutions provided via well-designed smartphone apps and relying on ETFs and automation of portfolio management are especially on the rise.

Regtechs

Belgium counts many regtechs providing solutions to all verticals of the financial sector. They cover a broad scope of services, amongst others identification services, authentication services, information analysis, transaction monitoring, platform as a service, etc. A recent trend also includes fintechs active in ESG.

PSD2

The regime for payment verticals is governed by the Belgian Law of 11 March 2018 on the status and supervision of payment institutions and electronic money institutions (the “PI & EMI Law”) transposing the EU Directive 2015/2366 of 25 November 2015 on payment services in the internal market (PSD2). This transposition has been very straightforward, and  Belgium does not have any significant “gold plating”. While the legal texts are generally a copy-paste of the European legislation, their interpretation by the relevant Belgian regulator (the National Bank of Belgium, or NBB) may differ from other European jurisdictions. For instance, the regulator interprets the notions of “payment services” and “payment accounts” quite broadly.

E-money

Contrary to other regulators, the NBB reserves the qualification of “e-money” to very specific prepaid products and does not automatically consider as such all wallets/account solutions. In practice, this interpretation has no real impact and business models developed under an e-money licence abroad are pursued in Belgium under a payment institution licence.

Compensation models in the payments industry vary significantly depending on the actual application. Personal payment applications are often offered free of charge for the user (or included in the general services if offered by an incumbent bank). On B2B and especially in FX service provision, compensation models are often inspired by the (anticipated) volumes of FX payments generated by clients.

In both cases, regulated market players are subject to pre-contractual information requirements, including a disclosure obligation on the pricing of their services. However, the extent of such requirements will depend on the customers (consumers or others).

Most financial regulations originate from EU legislation, which does not differentiate between fintech and legacy players. However, EU regulators should apply them in a proportionate manner, which allows for some differentiation in practice. The Belgian regulator follows this and applies a “same business, same risks, same rules” principle which, combined with the “proportionality” principle, provides for a strict but generally pragmatic approach.

In Belgium, there is no regulatory sandbox. However, the NBB and the Financial Services and Markets Authority (FSMA) have set up a joint and unique Fintech Contact Point, allowing fintech entrepreneurs to contact them directly and openly discuss the regulatory aspects of their products or services. According to the Belgian regulators, this approach should be seen as a “soundbox” (ie, a possibility to speak with the regulator outside any concrete licence application), rather than an actual sandbox. In general, Belgian regulators have a strict but pragmatic approach towards fintech companies. They are open to innovation and to organising informal meetings with fintechs to discuss their project prior to launching any formal demands.

There are two main regulators in Belgium for the financial services sector, which are of course also relevant for fintech companies.

• The NBB – the competent supervisor for the prudential requirements applicable to credit institutions (CIs), insurance undertakings, e-money institutions (EMIs), payment institutions (PIs) and large stockbroking companies.
• The FSMA – the competent supervisor for the prudential regime applicable to smaller investment companies, regulated credit providers, insurance intermediaries, crowdfunding platforms and financial intermediaries. The FSMA also oversees the conduct of business rules on insurance and investment services (in addition to more general authority over public offers, listed companies and the financial markets). The FSMA analyses local initiatives to ensure that they do not fall within existing regulations under its supervision, such as public offerings or investment services. The FSMA furthermore supervises crypto-wallet and exchange service providers, following the Belgian transposition of EU Directive 2018/843 of 30 May 2018 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (AMLD5). Its role will also most likely evolve in light of the EU Regulation 2023/1114 on markets in crypto-assets (MiCA), but Belgium has not officially designated the competent authority yet.

The FPS Economy: next to these two main supervisors, the Federal Public Service Economy (FPS Economy) has very specific powers regarding the conduct of business rules of regulated credit and payment services. 

Belgian regulators do not issue no-action letters; however, as outlined in 2.5 Regulatory Sandbox, a designated contact point enables fintech entrepreneurs to engage directly with the regulators and discuss the regulatory implications of their products or services. In that context, fintechs can receive unofficial feedback from the regulator which, even if not binding, provides a certain level of comfort.

Regulated functions can only be outsourced to parties which are regulated for these functions. Financial institutions may outsource unregulated, more operational functions to third parties, but under certain conditions.

For CIs, investment firms, PIs and EMIs, the NBB has entirely integrated the European Banking Authority (EBA) guidelines on outsourcing into its supervisory practice. Under these guidelines, regulated entities are required:

• to perform a substantive risk assessment before deciding to outsource;
• to conduct thorough due diligence on the potential partner and the services before selecting the outsourced partner;
• to remain liable towards their own clients, irrespective of the outsourcing arrangement;
• to have a written outsourcing policy in place, containing a minimum set of mandatory provisions; and
• on an ongoing basis, to supervise and control the outsourced activities (including through audits), record all outsourcing arrangements in a specific register and inform the NBB beforehand of critical or important outsourcing arrangements.

The NBB and the FSMA generally apply the same principles to other regulated entities, with some differences depending on their activities and the risks they pose for the market.

In addition to the outsourcing rules, regulated entities are, since 17 January 2025, subject to the EU Regulation 2022/2554 of 14 December 2022 on digital operational resilience for the financial sector (DORA), which introduces, among other things, new rules regarding the use of ICT services provided by third party ICT service providers. In principle, the requirements under DORA apply in parallel to the outsourcing requirements. However, according to the European Supervisory Authorities (ESAs), if the ICT service is regulated, it should not be considered as an ICT service under the DORA.

There is no specific “gatekeeper” liability regime established in Belgium for fintechs regarding the activities on their platform. In practice, this will mainly depend on who is actually/legally providing the services to customers through the platforms.

Belgian regulators may take various measures against non-compliant entities: impose (important) fines, issue public statements of non-compliance, request a change of the board and/or the (effective) management, appoint a temporary administrator or, in extreme cases, withdraw the licence. The Belgian regulators are consistent in their approach across the different verticals and, before imposing any sanction, generally discuss with the financial entity concerned to try and agree on a settlement.       

Certain additional non-financial regulatory regimes may be of particular importance to fintech companies, given their greater susceptibility to certain abuses or exposure to certain risks.

Data Protection Regulations

With regard to privacy laws, the most important regulations are the EU Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and EU Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (the “ePrivacy Directive”) and the provisions transposing this directive into Belgian law. The Belgian legislature also adopted the Belgian Law of 30 July 2018 on data protection (the “Data Protection Law”), partially incorporating the generally applicable GDPR provisions as well as providing for complementary provisions. With the entry into force in January 2024 of the EU Regulation 2023/2854 of 13 December 2023 on harmonised rules on fair access to and use of data (the “Data Act”), new layer of rules regarding the use of data generated by the use of a product or service can be expected.

Anti-Money Laundering Laws

Belgian anti-money laundering (AML) laws, transposing the AMLD5, are applicable to fintech companies that carry out regulated activities (such as banks, insurance companies, crypto-asset service providers, EMIs and PIs).

Cybersecurity

EU Directive 2022/2555 of 14 December 2022 on measures for a high common level of cybersecurity across the Union (the “NIS2 Directive”) was transposed into Belgian law by the Law of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public security (the “NIS2 Law”) (in force since October 2024). This law requires financial institutions to take technical and organisational measures to manage the risks to the security of the network and information systems on which these institutions’ financial services depend. Furthermore, there is the (slightly outdated) Law of 28 November 2000 on computer-related crime and the international Budapest Convention of 23 November 2001 (including its Protocol) and the Lanzarote Convention of 25 October 2007, to which Belgium is a party. These regulations do not make a distinction between fintech companies and legacy players. In addition, regulated fintechs must also comply with specific requirements issued at the European level. Since 17 January 2025, they are subject to the DORA, relating amongst others to ICT-risk management, operational resilience testing, incident reporting and third-party ICT risk monitoring. In addition, they must comply with the Guidelines EBA/GL/2019/04 of 29 November 2019 on information and communications technology and security risk management, prescribing how financial institutions should manage ICT and security risks, and what the supervisory authorities’ expectations of ICT and security risk management are.

Marketing and Communications

Advertising, marketing documents and any other type of communication (including verbal communication) distributed within the context of professional marketing of financial products (eg, relating to all types of savings, insurance and investment products) to retail clients in the Belgian territory, are regulated by the Royal Decree of 25 April 2014 concerning certain information requirements for the offering of financial products to non-professional clients, regardless of the media channels through which these communications take place. These are subject to information requirements relating, on the one hand, to the provision of an information sheet and, on the other hand, to the advertising of financial products. The FSMA has also developed specific marketing rules on the commercialisation of virtual currencies.

The general information requirements (“correct, easily understandable and in clear, concise and comprehensible terms”) apply as well to all communications, whether through social media or other media, generally in a stricter way with regard to regulated products and services (eg, consumer credit).

The activities of industry participants are reviewed (to a certain extent) by accounting and auditing firms. Their tasks are set out in the prudential framework of each of the regulated entities. Auditors must be certified by the competent regulator prior to servicing regulated companies.

There is no general rule under Belgian law prohibiting regulated financial entities from providing unregulated products and services. In certain cases, the formal approval of the regulator is required before implementing such activities. In that case, the regulator will, however, assess the impact of these unregulated services on the regulated activity and may impose certain requirements, or demand that these services or products are offered through a separate legal entity. This is notably the case for certain PIs and EMIs offering unregulated services. The combination of regulated services with crypto services has garnered particular attention from the Belgian regulator.       

Belgium has transposed all EU AML requirements into its Law of 18 September 2017 on the prevention of money laundering and terrorist financing and on the restriction of the use of cash (the “AML Law”) with a few limited gold-plating measures. They apply to all types of regulated entities providing their services in Belgium through a physical establishment.

For now, the most important obstacle that the AML rules represent for regulated fintechs is the lack of full harmonisation at the EU level, which makes it complicated for international businesses to comply with each of the local AML regimes, as well as the acquiring and retaining of the competent personnel holding an expertise both in terms of AML regulation and technological innovation. Concerning the sanction rules, Belgium is fully aligned with the regime imposed at the EU level and applies it directly.               

The Belgian AML rules generally align with the standards set by the FATF.

Under the Belgian law of 21 November 2017 on markets in financial instruments (the “Investment Services Law”), which implements EU Directive 2014/65/EU of 15 May 2014 on markets in financial instruments (“MiFID II”), the licensing requirement for third-country investment firms does not apply when an EU-based client independently and exclusively initiates the provision of an investment service from a third-country firm. In such cases, the services are not considered to be provided within Belgium. However, it is important to note that the FSMA regards reverse solicitation as an exceptional regime and explicitly states that it cannot serve as a business model to maintain or continue servicing an existing client base.

Depending on their scope, the services provided through robo-advisers qualify as order execution, investment advice or portfolio management under the MiFID II and the Belgian Law of 2 August 2002 on the supervision of the financial sector and financial services (the “Financial Supervision Law”). Therefore, companies offering robo-advisory services directly to Belgian investors should (i) be licensed as Belgian investment firms or CIs or (ii) be able to rely on the passporting of an EU member state investment firm or CI licence to operate on the Belgian market.

Belgian law provides for two types of investment firm licences:

• portfolio management and investment advice companies supervised by the FSMA; and
• stockbroking firms supervised by the NBB.

Stockbroking firms can provide all investment services regulated under MiFID II. By contrast, portfolio management and investment advice companies may only provide the following services: reception and transmission of orders, order execution, portfolio management and investment advice services.

Robo-advisers are sometimes also offered as pure IT technology tools (under a user licence agreement) to regulated firms licensed to provide investment services. In such a case, the company offering the tool does not need to be licensed – the licence of its client (eg, a bank or an investment firm) suffices.

Outside financial regulations, robo-advisers may also fall within the scope of the AI Act. Depending on their technical characteristics, robo-adviser technology may qualify as an AI system under the AI Act. In such case, both developers of the tool and the financial entity making use of the tool may be subject to additional requirements. The AI Act will enter into application in different stages, with the first stages being applicable as of 2 February 2025 and full application foreseen on 2 August 2026.

Finally, and to be complete, it should also be noted that in some instances, robo-advisers are used to automate transactions on unregulated assets, which may fall outside the scope of the MiFID II regulatory framework. In these instances, robo-advisers may find themselves in a regulatory blind spot. When such services reach a certain size, it is highly advisable to discuss them with the regulators.

The emergence of robo-advisers has put pressure on legacy players, as they are expected to soon become a core product for many investors. As a result, multiple legacy players now internally manage their own robo-advisers, or totally or partially outsource their investment services to a robo-adviser (which in this case has to be regulated) or enter into a licence agreement with a technical provider in order to use the robo-adviser as a purely technical tool.

The best execution rule of MiFID II and its transposing regulations applies equally to robo-advisers, as the services provided by these are qualified as investment services (see 3.1 Requirement for Different Business Models). An issue that might arise about the fulfilment of best execution by robo-advisers advising consumers and businesses could be the malfunctioning of the automated tool (eg, through manipulation or mistakes resulting from being too fast or too focused on some aspects). For consumers in particular, issues may arise as to the processing of (personal) information and the (mis)understanding of the advice by the consumer.

In any case, the investment services providers remain ultimately responsible for the execution of the orders and cannot hide behind the use of robo-advisory technology to avoid their liability vis-à-vis investors.

Legal Regimes Applicable to Loans/Credit

Schematically, there are four different legal regimes applicable to loans/credit in Belgium.

Mortgage credit offered to consumers by CIs or other licensed lenders

Mortgage credit is subject to a highly regulated regime in Book VII of the Code of Economic Law (CEL) – see Articles VII.123–147/38 (rules of conduct) and VII.148–216 (prudential requirements).

This legal regime sets out compulsory rules for aspects of the contractual relationship, such as:

• pre-contractual information;
• content of the agreement;
• security interests;
• rules for termination;
• maximum interest rates;
• joint offer of insurance products; and
• extrajudicial management complaints.

Lenders are subject to an obligation to obtain prior validation of their credit agreement templates by the FPS Economy.

Consumer credit offered to consumers by CIs, other licensed lenders or indirect peer-to-peer consumer lending platforms

Consumer credit is subject to a highly regulated regime in Book VII of the CEL – see Articles VII.64–122 (rules of conduct) and VII.148–216 (prudential requirements).

This regime sets out compulsory rules for aspects of the contractual relationship, such as:

• pre-contractual information;
• content of the agreement;
• security interests;
• rules for termination;
• maximum interest rates;
• joint offer of insurance products; and
• extrajudicial management complaints.

Lenders are subject to an obligation to obtain prior validation of their credit agreement templates by the FPS Economy.

On 18 October 2023, the EU legislature adopted EU Directive 2023/2225 on credit agreements for consumers (CCD2). Member states have until 20 November 2025 to transpose CCD2, and its provisions will apply as of 20 November 2026. This revision of the former Directive on consumer credit agreements aims at removing legal uncertainty and further harmonising the EU consumer credit regulatory framework, in particular, regarding new credit products developed in the online environment. These upcoming changes are expected to have a particular impact on (currently unregulated) “Buy Now Pay Later” (BNPL) products.

Peer-to-peer lending between consumers is not regulated and is only subject to general contract law (see directly below). However, it should be noted that peer-to-peer consumer lending may not result in a public offering. For this reason, consumer peer-to-peer lending practices in their purest form (where consumers lend directly to other consumers through a matchmaking platform) are not allowed in Belgium. Alternative (indirect) peer-to-peer models are, however, present.

SME credit offered by CIs, other lenders or licensed crowdlending platforms

The regime applicable to credit to SMEs is less regulated than the one applicable to consumer credit. The regime applies not only to Belgian companies (to the extent that they do not exceed the thresholds of SMEs), but also to organisations and individuals who do not act for private purposes (eg, a self-employed natural person).

The Law of 21 December 2013 on the financing of SMEs (the “SMEs Law”) notably sets out:

• pre-contractual information obligations;
• an obligation to the lenders to adopt a code of conduct in relation to the granting of loans to SMEs; and
• specific rules for early reimbursements.

The SMEs Law is not applicable to loans granted through crowdfunding platforms.

Crowdfunding platforms (ie, platforms providing matchmaking services between project owners and investors) are regulated under the Law of 18 December 2016 regulating the recognition and definition of crowdfunding and containing various provisions on finance on crowdfunding (the “Crowdfunding Law”) and the EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business (the “Crowdfunding Regulation”). Under the Crowdfunding Regulation, crowdfunding platforms must obtain a licence before they start operating within the EU; once obtained in one EEA country, their licence enables them carry out their activities across the EU on a cross-border basis.

Loans and forms of credit offered by CIs or other lenders to enterprises other than SMEs

If credit/a loan does not fall in one of the four above-mentioned categories, it is regarded as unregulated. General contract law applies and only a few specific provisions (Articles 1905–1914) of the Belgian (former) Civil Code must be taken into account, as well as general consumer protection law (as contained in Book VI of the CEL) when offering B2C credits that fall outside the scope of the consumer credit regime (eg, “Buy Now Pay Later” products).

The underwriting processes will mainly depend on the type of credit and customer.

AML Obligations

The common feature of all underwriting processes of regulated credit is that all lenders (or crowdfunding platforms) are subject to the AML Law which transposes AMLD5.

Typical AML obligations are therefore applicable (ie, identification and verification of the identity of the borrower/ultimate beneficial owners, risk-based assessment, ongoing surveillance, reporting of suspicious transactions, etc). An increasing number of market participants make use of innovative means for identification in a remote environment (eg, facial likeness detection, videoconferencing or other biometric data, Belgian eID (electronic identity card), other electronic identification means or relevant trust services as set out in the EU Regulation 910/2014 of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market (“eIDAS Regulation”)).

Additional Obligations

Besides the AML obligations, the online onboarding of clients must also comply with specific obligations laid down in the CEL, the SMEs Law, the Crowdfunding Law and the Crowdfunding Regulation.

These pieces of legislation usually impose that specific information about the lender and the credit be provided to the customer (usually on a “durable medium”). These obligations have an important impact on the onboarding of clients, especially in a B2C context.

Signature Obligation

Lastly, it must be noted that credit contracts concluded with consumers require a written or a qualified electronic signature. This obligation also has a significant impact on the conclusion of online credit agreements with consumers.

Belgians can easily sign electronic contracts using their Belgian eID, or even completely electronically using a mobile application of qualified trust service providers such as itsme®. These signatures are both qualified electronic signatures under the eIDAS Regulation, and thus have the equivalent legal effect of a handwritten signature.

In 2023, the doctrine of functional equivalent – which assimilates, under certain conditions, physical processes to online processes – has been extended to all contractual mechanisms (Article 5.30 of the Belgian Civil Code).

The source of funds for loans will depend mainly on the nature of the lender rather than on the nature of the credit:

• CIs use client deposits to grant loans (money multiplier), provided that they keep sufficient deposit reserves at the European Central Bank or ECB (see EU Regulation 2021/378 of 22 January 2021 on the application of minimum reserve requirements) and respect the EU Directive 2013/36/EU of 26 June 2013 on access to the activity of CIs and the prudential supervision of CIs and investment firms and the EU Regulation 575/2013 of 26 June 2013 on prudential requirements for CIs and investment firms;
• other lenders, licensed or not (which are not CIs) cannot receive refundable deposits under Belgian law (Article 28 of the Law of 11 July 2018 on the offer of investment instruments to the public and the admission of investment instruments to trading on a regulated market) (the “New Prospectus Law”) and cannot create money ex nihilo – therefore, they can only lend their own funds; and
• lenders who operate through crowdfunding platforms lend their own funds and, from a legal point of view, the borrower issues debt instruments.

Syndication of online loans is not a current market practice in Belgium. This is mainly because loan syndication is reserved to the biggest borrowers and the biggest funding transactions. The largest financing contracts are generally not concluded online.

There is no specific regulation in this respect; only a set of market practice documentation.

However, the crowdlending process presents certain similarities to the syndication mechanism.

In Belgium, there are two main payment systems:

• CEC (Centre for Exchange and Clearing), a domestic retail payment system for retail payment instruments, based on multilateral netting and settlement; and
• TARGET-BE, the Belgian component of T2 for real-time gross settlement and used for settling central bank operations, primarily related to monetary policy, for large interbank transfers and client operations.

In addition to those, payment processors may in principle create or implement new private payment systems.

PSD2

With the PSD2, the EU legislature wanted to create an efficient and integrated market for payment services, regulating cross-border payments in the same way throughout the EU. This has been transposed into Belgian law by the PI & EMI Law (in relation to the prudential regime of PIs) and the CEL (in relation to the conduct of business rules for all PSPs).

In June 2023, the European Commission published proposals to improve the existing legal framework and ultimately replace it with the Third Payment Services Directive (PSD3) and the Payment Services Regulation (PSR).

SEPA

Belgium is part of the Single Euro Payments Area (SEPA), a system that establishes a single set of tools and standards, making cashless cross-border payments in euros as efficient and easy as national payments. SEPA enables European businesses, consumers and governments to make and receive credit transfers, direct debit payments and card payments under the same conditions.

Cross-Border Payment Regulation

EU Regulation 2021/1230 of 14 July 2021 on cross-border payments in the Union requires PSPs to apply the same charges for cross-border electronic payment transactions in euros within the European Union.

There are essentially three main types of trading platforms: regulated markets, MTFs and OTFs. In addition, since the entry into force of MiCA, trading platforms for crypto-assets are also regulated.

MiFID II provisions pertaining to trading platforms have been implemented in Belgian law mainly through the Investment Services Law, which is divided into two sections, the first one covering regulated markets and the second being dedicated to MTFs and OTFs.

• Regulated markets – must obtain a licence from the Minister of finance, assisted by the FSMA. This agreement is subject to many prudential requirements, such as the fitness and properness of the management and the shareholding, and the implementation of adequate organisation and control processes.
• OTFs and MTFs – can only be exploited by specific licensed entities – ie, CIs, stockbroking firms and market operators. In addition to the requirements applicable to their existing licence, these entities are subject to an extra layer of requirements set out in the Investment Services Law.
• Trading platforms for crypto-assets – can only be exploited with a MiCA Crypto-asset Service Provider (CASP) licence.

Generally speaking, all asset classes are subject to equivalent regulatory regimes.

Financial/investment instruments are covered by the Belgian implementation of MiFID II and Prospectus Regulation frameworks, while crypto-assets (with some exceptions) are now governed by MiCA.

To help delineate the two regimes, the FSMA published a Communication on 22 November 2022 on the classification of crypto-assets as securities, investment instruments or financial instruments. In December 2024, ESMA also published guidance on the classification of crypto-assets and their potential intersection with other types of regulation and asset classes.

The emergence of cryptocurrency exchanges has led to the adoption of several regulations, both at the European level and in Belgium.

As of 30 December 2024, all centralised and some decentralised exchanges are regulated by MiCA, making the Belgian VASP-regime (from the AMLD5 framework) obsolete in the near future.

In addition, the FSMA Regulation of 5 January 2023 prescribes additional marketing rules when commercialising virtual currencies to consumers in Belgium, irrespective of the location of the advertiser.

Lastly, the FSMA Regulation of 3 April 2014 prohibits the professional marketing of financial products, the return of which depends directly or indirectly on cryptocurrencies. This regulation seriously limits the distribution schemes and structuring of crypto-assets.

Article 30 of the Investment Services Law requires regulated market operators to ensure that the regulated markets they operate and/or manage adopt clear, non-discriminatory, objective and transparent listing standards. These standards must also allow the markets to ensure that the issuers comply with the information requirements under EU law (initial, periodic and occasional information). With respect to derivatives, these listing standards must ensure that the characteristics of the derivatives allow for an orderly rating and efficient settlement.

Regulated market rules are subject to the prior approval of the FSMA and must be published on the market operator’s website.

OTFs and MTFs are also required to adopt transparent and non-discriminatory listing standards. Generally speaking, OTFs and MTFs are subject to softer requirements than regulated markets.

Market rules must allow for the efficient handling of orders. In addition, MiFID II rules of conduct and their delegated regulations apply in Belgium. The same also applies for MiCA, which introduces order handling rules for CASPs.

Articles 27quater and 28 of the Financial Supervision Law further specify that regulated entities executing clients’ orders must ensure that these are handled quickly, fairly and efficiently. They must also take sufficient measures to ensure that the best possible result is achieved, taking into consideration the price, cost, speed, probability of the execution, the size, nature and any other relevant criteria pertaining to the order (the “best execution” principle).

Due to various legal obstacles, the Belgian market is not yet mature in respect of peer-to-peer trading platforms. Therefore, at this stage, no impact can truly be observed.

A change in this respect may, however, be expected due to the entry into force of the Crowdfunding Regulation, but this remains to be seen. This regulation sets up a European passport for crowdfunding platforms. See 4.1 Differences in the Business or Regulation of Fiat Currency Loans Provided to Different Entities(Loans and forms of credit offered by CIs or other lenders to enterprises other than SMEs).

There is no Belgian specificity in payment for order flow. ESMA has stressed the fact that MiFID II limits the possibility for brokers to receive any remuneration, discount or non-monetary benefit for routing client orders to execution venues, resulting in a clear onus on firms to ensure that the execution quality achievable at a venue is the driver for sending client orders to such a venue, and not any payment for order flow. Due to a lack of any further specific guidelines on the matter from the FSMA, it can be anticipated that the FSMA will follow ESMA’s position and take a rather reluctant stance regarding payment for order flow out of consideration for best execution policies.

In the absence of any specific regulation, payment for order flow would be assessed in the light of inducement requirements, which prevent regulated entities from paying or receiving benefits from third parties unless:

• it enhances the quality of the service;
• it does not affect the general duty of acting honestly, fairly, professionally and in the client’s best interest; and
• the client is adequately informed.

Regulation (EU) 596/2014 of 16 April 2014 on market abuse (MAR) and the various Implementing and Delegated Regulations in this respect are directly applicable in Belgium. The Belgian legal framework on principles regarding market integrity and market abuse governing trading is further complemented by Article 25 and Sections 8 and 9 of Chapter II of the Financial Supervision Law, which lays down the competencies of the FSMA as the supervisor in this respect, and the applicable sanctions. In addition, in its Circular of 18 May 2016, the FSMA provides practical instructions, accompanying the ESMA guidelines to the MAR. Title VI of MiCA also contains specific rules on market abuse.

Under the applicable rules, market manipulation, insider dealing and unlawful disclosure of non-public information are considered forms of market abuse which are subject to administrative and/or criminal sanctions.

Regulated firms engaged in algorithmic trading should have adequate and effective internal controls in place, appropriate to their business activity, to ensure that trading systems cannot be used for any purpose contrary to MAR. Alternatively, they should have a connected trading venue, to ensure that their trading systems are resilient, have sufficient capacity, are subject to appropriate trading thresholds and limits, and to prevent erroneous orders from being sent or otherwise operated in such a way that they could lead or contribute to the creation of a disorderly market.

With DORA’s application, financial institutions using such technologies are required to have a robust ICT risk management framework in place, including effective arrangements to deal with business continuity, testing, internal controls and potential ICT service provider management framework.

In general, the FSMA is wary of algorithmic and high-frequency trading entities and there is no tendency to encourage this sector from the regulator’s perspective.

A regulated company that is engaged in algorithmic trading, as a member of or participant in one or more trading platforms when trading for its own account, is deemed to be implementing a market-making strategy if its strategy consists, among other things, of simultaneously publishing firm bid and offer prices of a comparable size and at competitive levels for one or more financial instruments on one or more trading platforms, with the result that the entire market is regularly and freely advertised on one or more trading platforms.

Duties and Requirements

There is a prior notification duty to the FSMA and the NBB, as well as to the competent authorities of the trading venue where the regulated company engages in algorithmic trading as a member or participant of the trading venue. The FSMA may require these firms to provide specific information on their activities.

Only regulated companies engaged in algorithmic trading are targeted by the applicable regulation. No further rules or distinctions are made.

Only regulated companies engaged in algorithmic trading are targeted by the applicable rules of the Belgian Royal Decree of 19 December 2017 and the EU Commission Delegated Regulation 2017/589 of 19 July 2016 with regard to RTS specifying the organisational requirements of investment firms engaged in algorithmic trading (RTS 6). Therefore, no provisions apply specifically to the programmers developing and creating trading algorithms and other electronic trading tools.

However, in case the technology used is outsourced to a third party, DORA, applicable as of 17 January 2025, also has a significant impact on ICT third-party providers as they will qualify as ICT services third-party providers for the financial institution, and therefore be indirectly subject to DORA requirements, amongst others linked to IT security, continuity, and reporting obligations towards the financial entity. Providers designated as critical third-party providers (CTPPs) by ESAs will even be subject to a direct oversight framework.

Numerous underwriting processes are available to industry participants, and each comes with a different set of regulations.

Actors creating their own insurance products will most likely need a full insurance company licence from the NBB in accordance with the Law of 13 March 2016 on the status and control of insurance and reinsurance companies (the “Law of Control”).

In practice, insurtechs most often act as distributors or business introducers.

Insurtechs as Distributors

When they act as distributors, insurtechs need to be registered as insurance intermediaries with the FSMA. The regulations applicable to insurance intermediaries are mainly contained in the Law of 4 April 2014 relating to insurances (the “Insurance Law”).

Insurtechs as Business Introducers

Mere business introducers do not need any licence or registration but must carefully design their business model as they can provide only strictly limited services, thereby reducing their potential added value.

Additional Rules and Obligations

Whichever distribution and operation structure they opt for, insurtechs will need to comply with the rules of conduct contained in the Insurance Law, as well as the circulars and recommendations issued by the NBB and the FSMA.

Furthermore, the provision of online services, as well as B2C provision of services, leads to the application of additional obligations, mostly organised by the CEL.

In addition to general common principles, each type of insurance (life, annuities, property, etc) is subject to its own set of regulations under the Insurance Law.

Industry players often tend to specialise in one or more specific markets. At the very least, they tend to focus either on life or non-life products. The Law of Control prohibits the provision of both life and non-life services to insurance companies (Article 222).

Investment and savings life insurance products are among the most regulated. Their distribution leads to the application of strict diligence obligations (appropriateness and suitability tests).

Regtech providers are not specifically regulated (except eID and trust service providers which are regulated by the eIDAS Regulation). However, as they serve industry participants with products/tools facilitating compliance with prudential regulations (eg, EU Directive 2009/138/EC of 25 November 2009 on the taking-up and pursuit of the business of Insurance and Reinsurance (“Solvency II”) or the Belgian Law of 25 April 2014 on the legal status and supervision of credit institutions (the “Banking Law”) or rules of conduct (eg, MiFID II, the Insurance Distribution Directive, PSD2 and AMLD5)), regtechs need to have a comprehensive understanding of these regulations.

As of 17 January 2025, regtechs will also indirectly be subject to DORA, which requires regulated entities to impose specific obligations on their ICT service providers. In addition, some regtech providers may fall directly under the scope of DORA as CTPPs.

Contractual Arrangements

Contractual arrangements between regtech providers and regulated entities are, as such, not regulated. However, services offered by regtech providers often fall within the scope of the notion of “outsourcing” or “ICT service”, triggering specific obligations for regulated entities, including specific mandatory provisions in the agreement between the regtech and the regulated entity (eg, terms to assure performance and accuracy).

Obligations Imposed on Regtech Service Providers

Under the outsourcing rules and DORA requirements, before entering into outsourcing arrangements or arrangements with ICT service providers, regulated entities must conduct a thorough due diligence on the service providers to ensure their suitability. Furthermore, regulated entities are required to impose multiple contractual obligations on regtech providers, such as agreed service levels, reporting obligations, continuity plans, termination assistance and audit obligations. The audit clause generally allows regulated entities as well as their regulator(s) to control or request key information from their provider.

Cryptocurrencies were initially thought of as a challenge to traditional banking players.

However, the optics have now changed, and legacy players are adopting blockchain applications regarding a wide range of activities and services (from internal administrative organisation to client onboarding processes, crowdfunding set-ups and even broader market integration).

Alongside the adoption of blockchain technology by incumbents, a new trend of “Web3” and decentralised finance projects developed by start-ups and scale-ups is currently emerging.

The NBB has stated in the past that, although the technology looks promising, actual use cases for distributed ledger technologies (of which blockchain is only one particular type) are still relatively limited in number and in scope. According to the NBB, attention is particularly required concerning the use of distributed ledger technology or blockchain technology, as institutions should be aware of the legal value of smart contracts or the information contained in the distributed ledger, the possible governance complications and the security or resilience threats that may exist at different nodes in the network.

The FSMA is currently still the relevant regulator for virtual asset service providers and is responsible for their registration for AML purposes. Rules for the commercialisation of virtual currencies have been developed specifically for Belgium.

There are currently no regulations in place which explicitly detail the classification of crypto-assets. As a rule, if a crypto-asset displays the same characteristics as regulated financial or investment instruments, it may qualify as a regulated financial/investment instrument and fall within the scope of the related regulation.

Guidance can however be found in communications by the competent authorities, both at the European and Belgian level. In December 2024, ESMA published guidance on the conditions and criteria for the qualification of crypto-assets as financial instruments, as well as broader guidance on the classification of crypto-assets, including a standardised test. Local guidance includes a 2017 FSMA Communication on the risks of ICOs, where the FSMA assessed the similarities between crypto-assets, investment instruments, means of storage, calculation and exchange, and utility tokens, and a 2022 FSMA communication on the classification of crypto-assets as securities, financial or investment instruments, which provides some additional guidance on the most common cases where crypto-assets may classify as regulated securities, investment instruments or financial instruments.

While opinion remains divided on whether cryptocurrencies should be classified as financial or investment instruments, legal doctrine seems to prefer their qualification as a financial instrument as regards investment tokens, at least to the extent that a right is obtained by the issuer.

MiCA covers all categories of crypto-assets that are not already subject to traditional EU regulation and introduces a prudential regime for both crypto-asset issuers and service providers.

Based on the aforementioned 2017 FSMA Communication and the 2022 FSMA Communication, the following (non-exhaustive) overview of possible applicable regulations should be taken into account by issuers of blockchain assets.

EU regulations:

• EU Regulation 2017/1129 of 14 June 2017 on the prospectus to be published when securities are offered to the public or admitted to trading on a regulated market (the “Prospectus Regulation”);
• MiFID II;
• EU Directive 2011/61/EU of 8 June 2011 on Alternative Investment Fund Managers Alternative Investment Fund Managers Directive (AIFMD);
• MAR;
• AMLD4;
• AMLD5;
• EU Directive 2009/110/EC of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of electronic money institutions (EMD2); and
• MiCA.

Belgian regulations:

• the FSMA Regulation of 3 April 2014;
• the New Prospectus Law;
• the Crowdfunding Law;
• the PI & EMI Law;
• the Royal Decree of 8 February 2022 on the status and the supervision of service providers for the exchange of virtual currency and fiat currency and custodian wallet providers; and
• the FSMA Regulation of 5 January 2023.

This list serves only as provisional guidance and in no way constitutes the full legal framework on crypto-assets and it should be seen in light of the specific circumstances at hand.

Finally, MiCA now provides a concrete legal framework for the issuance of crypto-assets that fall outside the scope of existing legislation, as well as for entities providing crypto-related services. With its entry into force, a common licensing regime applies for crypto-asset issuers and service providers across the EEA member states.

Since May 2022, cryptocurrency exchanges offering crypto/fiat conversion (“virtual asset service providers” – VASPs) have been required to register with the FSMA before offering their services in Belgium. This registration process goes beyond what is required under AMLD5, such as the verification of the competence of the persons in charge of the effective management, the requirement for holding a minimum capital amount, as well as the need to operate under a specific type of company form. This regime has now transformed into a transitional regime since MiCA’s full application and has largely become obsolete.

In addition, EU Regulation 2022/858 of 30 May 2022 on a pilot regime for market infrastructures based on distributed ledger technology (the “DLT Regulation”) allows EEA-based entities to apply for an EEA-wide permission to operate DLT market infrastructures (DLT multilateral trading facilities, settlement systems and trading and settlement systems) within a temporary regulatory sandbox regime. The new regime, which has been open since March 2023 to both new and existing market players, specifically targets the trading and settlement of crypto-assets that qualify as financial instruments under MiFID and thus are not captured within the scope of MiCA.

Lastly, the EU Regulation 2023/1113 of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets (TFR), alongside MiCA, includes additional requirements to ensure the traceability of any type of “virtual asset” transfer or transaction. This modification is likely to have a significant impact on any entity providing crypto-related activities, including crypto-exchanges.

Staking services as such are not regulated in Belgium, unless they qualify as a crypto-asset service under MiCA (eg, custody and administration of crypto-assets).

Lending services relating to cryptocurrencies are not regulated in Belgium.

Depending on how these derivatives are structured, the offering of cryptocurrency derivatives could fall under the Belgian implementation of MiFID II, as well as under the New Prospectus Law and the Prospectus Regulation.

Cryptocurrency derivatives are also covered in the following two FSMA regulations (as confirmed by royal decree):

• the FSMA Regulation of 3 April 2014 prohibits the professional marketing of so-called “non-conventional assets” to retail clients; prohibited non-conventional assets include financial products, the return of which depends directly or indirectly on cryptocurrencies; and
• the FSMA Regulation of 26 May 2016 prohibits the distribution of certain financial derivatives among Belgian retail clients, as well as a number of aggressive or inappropriate distribution techniques and forms of professional marketing of derivatives on electronic trading venues.

DeFi is not in scope of MiCA or Belgian regulations. However, MiCA does not clearly explain when a service is considered to be “decentralised”, leaving some room for interpretation. On 16 January 2025, the ESAs published a report on DeFi with some further insights, but their findings have not provided a conclusive answer on MiCA’s scope.

Parties facilitating the trading of security tokens or cryptocurrencies will thus always be subject to a case-by-case analysis by the local regulator.

Funds investing in blockchain technology (such as Amplify Transformational Data Sharing ETF and Reality Shares Nasdaq NextGen Economy ETF) currently remain unregulated.

Virtual currencies have received many different definitions in Belgium in recent years. They generally are not treated differently to other blockchain assets, except if they qualify as e-money tokens (EMTs) or asset-referenced tokens (ARTs) under MiCA, which are subject to a stricter regime than regular virtual currencies/crypto-assets. 

With MiCA’s application, the Belgian notion of “virtual currencies” only remains relevant in the context of the FSMA’s marketing rules on crypto, which refer to the marketing of “virtual currencies” instead of “crypto-assets”.

NFTs and NFT platforms are in principle subject to the same rules as any other crypto-related initiative. They are however excluded from the scope of MiCA as well as from the FSMA Regulation of 5 January 2023. Depending on the characteristics and purposes of the NFTs or the structure and activities provided by the platforms, they could fall within scope of certain other existing regulations (eg, through a qualification as investment instruments).

The prudential rules of PSD2 were transposed in the PI & EMI Law, while the conduct of business rules were inserted in the CEL. The open banking aspect of PSD2 came into force in Belgium along with the EU Regulated Technical Standards 2018/389 of 27 November 2017 on Strong Customer Authentication (RTS SCA) in September 2019.

Consequently, PSPs are required to allow third-party providers (TPPs) to access payment accounts, either through a dedicated interface (interface specific for TPPs) or through their customer interface.

In June 2023, the European Commission proposed FIDA. This proposal is currently being discussed by the European legislative chambers. If adopted, FIDA would force financial entities to share data relating to (almost) all financial services with other financial entities and a new type of service provider, the financial information service providers. 

Effects of PSD2 on Open Banking

As the PSD2 and the RTS SCA implementing it only impose limited requirements on the interface, without indicating how these results should be obtained and with no standardisation, PSPs are left to decide how to implement proper technical solutions – which leads to difficulties for both the PSPs and the TPPs. However, PSD2 has also fostered innovation as it has prompted incumbents to either innovate internally or to enter into partnerships with new fintech players. In this way, open banking under PSD2 has opened up the field to new financial services providers and TPPs, such as account information service providers (AISP) and payment initiation service providers (PISP). Also, new customer authentication methods have been developed or further implemented in existing applications following the RTS SCA, paving the way to a simpler and smoother user-friendly atmosphere in financial services offerings.

Certain concerns have been raised due to the open banking requirement, such as concerns about data protection risks, security measures and the risk of cyber-attacks on third-party applications and/or APIs. These concerns have also raised the question of liability should something go wrong regarding any of the above aspects (liability of the PSP or of the relevant TPP).

Regarding data privacy and data security concerns, it is generally agreed that PSD2 and GDPR are jointly applicable regulations. Furthermore, a high level of security of financial and operational systems has become a key element. Regulation has also placed some liability with the PISP, who are subject to an obligation to insure themselves.   

There is no specific criminal legislation on fraud in financial services. Most frauds within the financial sector fall under the definition of generic offences, such as fraud within the definition of Article 496 of the Belgian Criminal Code. The constitutive elements of a fraud are threefold: (i) the intention to appropriate one’s belongings, (ii) the voluntary delivery of those belongings, (iii) which is induced by the use of false identities or fraudulent tactics.

Generally, victims of fraud press charges with the police but scammers and fraudsters are rarely identified, which leads many of them to bring civil claims against the financial institutions that were somewhat involved in the fraudulent transactions (eg, payer’s and payee’s institution(s)).

In general, the FSMA primarily focuses on authorised-pushed payment fraud, tackling fraudulent investment offers or trading platforms, identity theft, boiler room scams, or fake credit offers.

Additionally, nearly half of the reports to the FSMA involve online trading platforms, which give rise to the main type of investment fraud in Belgium.

The FSMA, along with the FPS Economy, regularly launches campaigns to combat investment fraud.

In Belgium, the responsibility of a fintech service provider for losses arising from fraud is primarily determined by compliance with PSD2 and whether negligence or misconduct can be demonstrated. Providers are required to authenticate transactions securely, ensure accurate processing, and prevent technical errors. Failure to meet these obligations, such as insufficient fraud detection or inadequate security measures, may result in liability.