The SREN Act

The Law to Secure and Regulate the Digital Space (Loi visant à sécuriser et réguler l’espace numérique, “SREN Act”) establishes a regulatory framework for games with monetisable digital objects (jeux à objets numériques monétisables, JONUM) for an experimental period of three years. These games combine elements of video gaming and online gambling. The objective is to strengthen oversight of Web3 games that utilise technologies such as blockchain, crypto-assets and non-fungible tokens (NFTs). Article 41 of the SREN Act sets forth several obligations for companies operating JONUM. They must declare their activity to the French National Gaming Authority (Autorité nationale des jeux, ANJ), meet office establishment requirements and strictly prohibit minors from paid gaming, with mandatory age verification, especially when creating an account. The creation of such an account is required to participate in these games.

DORA Act Implementation

Since 17 January 2025, the Digital Operational Resilience Act (Regulation (EU) 2022/2554), commonly known as DORA, has been applicable across the EU. This regulation imposes several obligations on financial entities to prevent, manage and address the consequences of ICT risks. DORA specifically requires a Threat Lead Penetration Testing (TLPT) framework, in line with the TIBER-EU framework.

In this context, France is playing a pioneering role in the implementation of DORA requirements. In January 2024, the ACPR and the BdF jointly developed the TIBER-FR implementation guide providing further context and clarification for DORA’s TLPT requirements. Together, the French Prudential Supervision and Resolution Authority (Autorité de contrôle prudentiel et de résolution, ACPR) and Banque de France (BdF) form the TCT-FR (TIBER Cyber Team for France), also referred to as the TLPT Cyber Team in DORA.

Transfer of Ownership of Securities Registered on a Distributed Ledger Technology (DLT) Platform

On 31 May 2024, the Legal High Committee for Financial Markets of Paris (Haut Comité Juridique de la Place Financière de Paris, HCJP), a think tank representing both the authorities and experts in financial law, published a report titled “On the determination of the law applicable to assets registered in distributed ledgers”. It made several proposals, one of which concerned the law applicable to financial securities covered by the DLT Pilot Regime (p20). This proposal is taken up by the new Article L. 211-7 of the French Monetary and Financial Code, according to which “the conditions and property effects of transactions in financial securities registered using distributed ledger technology under the conditions laid down by Regulation (EU) 2022/858… are determined by the law of the State where the entity authorised to operate the DLT settlement system or, where applicable, the DLT trading and settlement system is located”.

FSB Peer Review

In 2024, the Financial Stability Board (FSB) conducted a peer review in France, with a specific focus on fintech. A first report presents its findings and conclusions, including the key elements of the discussion in the FSB’s Standing Committee on Standards Implementation in October 2024. This second FSB peer review of France is based on the objectives and guidelines for the conduct of peer reviews set forth in the Handbook for FSB Peer Reviews. The main purpose of this peer review is to examine France’s progress in the regulation and supervision of crypto-asset activities, including stablecoins. According to the FSB, “The French authorities have made significant progress in monitoring, regulating and supervising crypto-asset markets in recent years. They have established a regular monitoring mechanism for crypto-asset market developments and risk trends as part of the financial stability monitoring framework of the Banque de France, with the information subsequently shared with the Autorité des marchés financiers (AMF), the Autorité de contrôle prudentiel et de résolution (ACPR), and the Ministry of Finance. The authorities successfully brought a large part of the crypto-asset market into the regulatory framework by implementing the 2019 Action Plan for Business Growth and Transformation (PACTE Act) to complement existing sectoral regulations.”

Last Package of MiCAR Adaptation in French Law

The French Parliament is reviewing a draft law for the latest adaptation of French law to the Markets in Crypto-Assets Regulation (MiCAR) and EU law for financial markets.

The PACTE Act

In 2019, France adopted the PACTE Act (which stands for “Action Plan for the Growth and Transformation of Companies”) with the ambition to become a leading jurisdiction for blockchain technology and crypto-assets. This Act notably introduced a comprehensive regulatory framework for initial coin offerings (ICOs) and digital asset service providers (DASPs).

Almost six years after the PACTE Act came into force, it has shown its success, with more than 100 DASPs registered with the French financial regulator (Autorité des marchés financiers, AMF), as well as its shortcomings, with only four ICOs obtaining an approval (“visa”) from the AMF, the last one being in January 2023.

In 2024, only four companies were licensed by the AMF as DASPs. Since the entry into force of MiCAR on 30 December 2024, applications for approval or registration as a DASP can no longer be submitted to the AMF. From now on, all DASPs registered or approved by the AMF must apply for a crypto-asset service provider (CASP) licence under MiCAR. An 18-month transition period, ending in July 2026, allows them to prepare for their transition, but without the European passport.

Increased Regulation of Fintech Markets at the EU Level

MiCAR is one of the components of the Digital Finance Package adopted on 24 September 2020 by the European Commission. MiCAR was officially adopted by the European Parliament on 20 April 2023 and entered into force on 29 June 2023. The provisions relating to asset-referenced tokens and e-money tokens (EMTs) became applicable on 30 June 2024, while the rest of the regulation has been fully applicable since 30 December 2024.

This regulation, which is directly applicable within the European Union, notably creates a European framework for the authorisation of crypto-asset service providers (CASPs) and establishes a framework for the issuance and supervision of EMTs (better known as “stablecoins”).

The European Securities and Markets Authority (ESMA) and European Banking Authority (EBA) have now finalised numerous technical standards under MiCAR, ensuring a harmonised regulatory approach across the EU. Delegated regulations relating to MiCAR are still awaited from the European Commission.

In France, regulators are already leading the way in processing approval applications in accordance with MiCAR. On 1 July 2024, the AMF launched a pre-application process under MiCAR, enabling DASPs to convert their PACTE applications into applications for CASP licensing. On 15 October 2024, an order was published to transpose the provisions of MiCAR into the French Monetary and Financial Code. The AMF’s General Regulations and other non-binding documentation are also being updated as part of the implementation of MiCAR in France.

To date, no entity has been formally licensed as a CASP by the AMF under the MiCAR regime. However, several entities have been approved by the ACPR for the issuance of e-money tokens, including Circle, Société Générale Forge and Salvus, which were among the first institutions to receive their electronic money institution licences for issuing EMTs in France.

In parallel to MiCAR and the Digital Finance Package, the sixth anti-money laundering/combating the financing of terrorism (AML/CFT) Directive is expected to be adopted (“AML 6”), together with a regulation establishing an EU AML authority, a regulation on AML/CFT regarding customer due diligence and beneficial ownership, as well as an amendment to the 2015 Regulation on Transfers of Funds to include aspects related to crypto-assets.

In December 2024, the Financial Data Access (FiDA) Regulation was adopted. This regulation establishes a new framework expanding access to financial data to develop new services. If adopted, this regulatory framework is expected to foster partnership opportunities between legacy players and fintechs.

CBDC Experiments

The BdF’s experiments with central bank digital currency (CBDC) are continuing.

On 8 November 2021, the BdF published a report on its wholesale CBDC experiments. The BdF concludes that a wholesale CBDC could help ensure the safe development of tokenised financial markets by preserving the key role of central bank money. Furthermore, a wholesale CBDC could help improve cross-border and cross-currency payments.

In September 2022, the BdF held a conference on the role of central banks in relation to the tokenisation of finance.

In February 2023, the governor of the BdF gave a speech in which he confirmed that the BdF is involved in discussions on the possibility to implement a retail CBDC – in contrast to the original focus on a wholesale CBDC.

More recently, in June 2024, the BdF announced that it had teamed up with the Hong Kong Monetary Authority to explore the cross-border interoperability of their respective CBDC infrastructures, focusing on real-time transactions and multi-currency payments.

At the request of the management company Ofi Invest AM and the insurance group Generali France, Société Générale participated from April to November 2024 in projects led by the BdF and the European Central Bank concerning the use of a wholesale CBDC for the settlement of financial transactions involving tokenised securities (security tokens). The main objective of the experiment was to investigate DvP (delivery versus payment) based on the interoperability between the DL3S blockchain of the BdF for the euro cash tokenised part and external blockchains for the security tokenised part. The trial focused in particular on transactions on the assets and liabilities side of tokenised funds of Ofi Invest AM, whose register was kept in the private blockchain operated by IZNES.

In December 2024, the BdF launched an RFP (Request for Proposal) for wholesale financial transactions in central bank money. The Eurosystem will explore how wholesale financial transactions recorded on DLT platforms can be settled in central bank money. The objective of this initiative is (i) to consolidate and develop the ongoing work of the Eurosystem central banks in this area, and (ii) to understand how different solutions could facilitate the interaction between TARGET services and DLT platforms. The Eurosystem’s exploratory work consists of test runs (real operations for a limited period) and experiments (fictitious operations in a test environment) using three solutions based on interoperability between market DLT platforms and Eurosystem infrastructures for settlement in central bank money:

• the Trigger solution provided by the Deutsche Bundesbank;
• the TIPS Hash-Link solution provided by the Banca d’Italia; and
• the Full-DLT interoperability solution provided by the BdF.

The Eurosystem’s exploratory work will focus on the settlement of financial transactions carried out on DLT and denominated in euros. The use cases covered may include the settlement-delivery of financial assets (delivery versus payment, DvP) and currency exchanges (payment versus payment, PvP), as well as cash payments in central bank money.

The Broader Fintech Ecosystem

Concerning the broader fintech ecosystem, there are presently around 800 active fintech companies in France. France’s attractiveness is enhanced by various factors, such as the support of regulatory agencies and public authorities for the fintech industry, the quality of French engineers, and the wide network of start-up incubators and accelerators. France’s attractiveness is also enhanced by the organisation of numerous forums, such as the Paris Fintech Forum, the Paris Blockchain Week Summit and the ACPR-AMF Fintech Forum. These events facilitate exchange and reflection between the various stakeholders.

The French fintech scene covers a wide range of businesses, among them, mobile payments (Lydia); artificial intelligence applied to insurance (Shift); personal fundraising apps (Leetchi); fintech specialised in start-ups and freelancers (Shine, Qonto); dematerialised meal vouchers (Swile); crowdlending and crowdfunding platforms (Lendix, Younited, Unilend, Soul Invest); robo-advisers (Advize, Yomoni); insurtech (Alan, Luko); and payroll processors (Payfit).

After a year demonstrating the acceleration of French fintech, France has strengthened its position for 2023 with the emergence of new players (such as Ecovadis, Pigment, Sweep, Seyna and ClubFunding) in the state’s programme (French Tech Next40/120) dedicated to the support and growth of start-ups at a global level.

In 2024, Pennylane and Pigment joined the ranks of unicorns, becoming the only two new French companies to reach this valuation. However, this achievement is accompanied by a more concerning trend: two French fintechs have moved their headquarters to the USA, raising concerns about the attractiveness of the French and European markets.

In 2024, fundraising picked up again to reach a total of EUR1.3 billion in France, according to the latest report from France FinTech, the trade association for French fintech. This is an increase of 28% compared to 2023. This figure places France in second place among fintech ecosystems on the European continent, just behind the UK, which has raised a total of EUR2.8 billion. Germany is just behind France with EUR874 million raised, an increase of 9%. Switzerland is in fourth position, followed by Spain, Sweden and then the Netherlands, with much lower amounts, under EUR250 million. France has recorded the biggest increase in fundraising, and start-ups are increasingly targeting the markets of their European neighbours.

France FinTech issued in December 2024 a global review of the situation in the French market. The document is available on the France FinTech website.

By the end of 2024, one in three French fintechs will have already reached break-even, according to the annual report of France FinTech. The association, representing the French fintech ecosystem, has a total of 1,145 companies. Of these, 40% are considered “young shoots” with less than three years of existence. 46% are “start-ups” in the Series A stage and employ fewer than 50 people. 12% of the companies identified by France FinTech fall into the “scale-up” category, meaning that they have a viable business model and a strong increase in market share and/or turnover. Finally, 2% are unicorns.

Beyond the Crypto Space

The post-pandemic period, accompanied by rising interest rates and geopolitical uncertainties, has posed significant challenges to many fintechs, and notably neobanks. Among the actors that shut down are Morning, C-zam, Ditto Bank, Boon and Pumpkin.

However, other actors have thrived thanks to the transition to online and mobile banking. Qonto and Lydia have gained significant market share, and other B2B fintechs such as Treezor and Lemonway have established themselves as strategic partners for many smaller start-ups.

In 2024, the French fintech Pluxee successfully completed an IPO, marking a significant milestone for the sector. This trend is expected to continue in 2025, with other fintech companies anticipating similar moves to access financial markets.

On the other hand, since the end of 2022, crowdfunding has experienced a downward trend, with the amount of funds raised dropping from EUR2.3 billion in 2022 to EUR1.7 billion in 2024. Several factors explain this decline, including the implementation of the requirement for crowdfunding service providers to obtain approval, as well as the prolonged real estate crisis, which has hindered investment in this sector.

French fintech companies cover a wide range of business models: mobile payment apps, group gifting/personal fundraising apps, bank account aggregators and personal finance apps, neobanks, banking-as-a-service platforms, crowdfunding and crowdlending platforms, robo-advisers, insurtechs, factoring and short-term financing providers, payroll processors, coin and NFT issuers, cryptocurrency exchanges, hardware wallet makers, etc.

Legacy players have understood the need to co-operate with these challengers in order to modernise and digitalise their business models and adapt to consumers who are increasingly using mobile banking services and other payment innovations. Many French financial institutions have created their own fintech or insurtech incubators, such as L’Atelier by BNP Paribas, Le Village by Crédit Agricole, Kamet by AXA, Truffle FinTech Incubator by Truffle Capital, and Swave by a consortium of financial institutions including Société Générale, New Alpha Asset Management and AG2R La Mondiale. Legacy players are also investing in some of the most successful French fintech companies (eg, Qonto, Shine, Compte Nickel, Crédit.fr, KissKissBankBank, Budget Insight and Treezor).

The regulatory regime applicable to fintech companies depends exclusively on their business model. As soon as an entity provides a regulated service, such entity must comply with a specific set of rules. Whether such entity is a newly created start-up or a century-old financial institution, the applicable rules remain the same (even though the French regulators generally use a proportional approach when enforcing these rules). Even the PACTE Act and the MiCAR order (which transposed MiCAR into French law from 30 December 2024), which created an ad hoc regime for ICOs and DASPs, do not apply exclusively to fintech companies, as any large financial institution is allowed to provide services related to crypto-assets.

The specific regulatory regimes applicable to the fintech-related businesses mentioned in 2.1 Predominant Business Models may be broadly presented as follows (although other regulatory regimes may apply depending on the particularities of each business model):

• mobile payment apps are regulated as payment service providers;
• crowdfunding and crowdlending platforms are regulated as crowdfunding service providers. Since 10 November 2023, the French regime applicable to crowdfunding service providers has therefore been withdrawn to be replaced entirely by the European regime after a long transitional period;
• group gifting/personal fundraising apps are regulated as payment service providers and/or crowdfunding service providers;

• bank account aggregators and personal finance apps are regulated as account information service providers and, where applicable, as payment service providers;
• neobanks are regulated as credit institutions or electronic money institutions;
• robo-advisers are regulated as investment service providers (ISPs) or as investment advisers, if the services provided qualify as investment advice;
• insurtechs are regulated as insurance undertakings or insurance intermediaries;
• payroll processors are normally unregulated, as they merely provide software and do not handle funds themselves; and
• DASPs are subject to the French regulatory regime created by the PACTE Act and are required to register with the AMF and comply with AML legislation if they are established in France or provide services in France. (DASPs may also choose to apply for an optional licence which grants additional rights. DASPs may also be regulated as payment service providers if they collect funds on behalf of their clients.) This regime will remain in effect until 30 June 2026. During this 18-month grandfathering period, DASPs already registered or licensed in France will be able to continue operating. New DASPs will have to obtain MiCAR-compliant authorisation (provided for in Article L. 54-10-7 of the French Monetary and Financial Code). From 1 July 2026, the framework established by MiCAR will progressively apply, ultimately requiring crypto-assets companies to obtain a CASP authorisation from the AMF to operate.

Generally speaking, regulated actors are required to provide various information to their potential customers before entering into a relationship with them, even more so when their customer is an individual who is acting for purposes which are outside his or her commercial activity (ie, a consumer). This information must include the fee structure of the service provider. Most regulated actors are also subject to rules on conflicts of interest which may affect their compensation structure.

More specifically, the main limitations regarding fees charged to customers apply to the following verticals:

• Banks and neobanks – the overdraft fees which may be charged by a bank are subject to a legal limitation. Since 1 November 2020, and due to the COVID-19 crisis, financially fragile people have benefited from the capping of payment incident fees at EUR25 per month for a period of three months.
• CASPs, ISPs and asset managers are subject to strict rules (notably arising from the Markets in Financial Instruments Directive II, MiFID II) regarding their compensation and their ability to earn fees from third parties by executing trades on behalf of clients or recommending that they invest in specific financial instruments.

In any case, even when their pricing structure is unregulated, most fintech start-ups voluntarily disclose their fees on their website or in their general terms and conditions.

Legacy Players

The activities of legacy players (including credit institutions, insurance undertakings and ISPs) are based on traditional banking operations and insurance or investment services and products, which are governed mainly by the CRD IV, Solvency II and MiFID II frameworks (both the regulations and the transposition of the directives into French law). These regulations relate in particular to the capital, internal organisation and resources requirements which are expected to be fulfilled by entities likely to present a systemic risk, especially within the eurozone. In return, legacy players benefit from a monopoly on the regulated activities subject to the above-mentioned directives.

Fintech Companies

The businesses of fintech companies are not comparable to those of legacy players. A lot of these businesses do not qualify as banking operations or insurance or investment services. Some of these businesses are not even regulated (ie, regtech companies). Therefore, provided that their businesses do not qualify as regulated activities, fintech companies will not be subject to the heavy regulations applicable to legacy players.

In addition, there is no legal definition of fintech under French law (nor under European law). The ACPR defined fintech as “start-up projects that generally combine (i) a high degree of innovation and (ii) a service offer in one or more financial areas under the supervision of the ACPR. The innovation component may encompass a product, a process, a marketing technique or an organisational innovation based on the use of new technologies.” Fintech companies do not constitute a homogeneous category of service providers; therefore, a case-by-case approach – based on the service provided – must be followed in order to compare the regulations applicable to legacy players and fintech companies.

Although French regulators do not plan to establish any regulatory sandbox, the French regulatory approach is based on proportionality and relies on setting out tailor-made regulatory frameworks inspired by legacy regulations but proportionate to the activities of fintech companies (so-called “sandboxes”). For example, token issuers and DASPs benefit from a specific legal regime which is inspired by legacy regulations (such as MiFID II) but is not merely a regulatory sandbox.

Both French regulators have also created internal teams dedicated to fintech actors, the purpose of which is to help fintech entrepreneurs navigate complex regulatory issues.

The publication by the ACPR of the charter for the appraisal of fintech authorisation requests on 6 January 2022 illustrates this commitment to supporting fintech projects.

Traditional players are authorised and supervised by the AMF and the BdF, through the ACPR, depending on the services they provide (banking, investment or insurance services). Broadly summarised, the AMF is in charge of protecting consumers that invest in financial instruments, while the ACPR is in charge of preserving the stability of the financial and banking system. The precise allocation of responsibilities is complex: eg, an ISP is authorised by the ACPR, but its programme of activity must be approved by the AMF. Once the ISP is authorised, the ACPR monitors the entity’s activities and financial situation, while the AMF monitors its compliance with the applicable code of conduct. Similarly, the AMF is the authority that grants registration to DASPs, while the ACPR is in charge of validating the applicant’s AML procedure.

French regulators do not have the authority to issue no-action letters. At the European level, only the EBA and ESMA are empowered to adopt such measures, enabling them to issue specific recommendations to the European Commission regarding the application of certain rules when their enforcement threatens market stability, weakens the EU’s competitiveness or undermines investor protection.

A recent example is the European Commission’s 2024 request for the EBA to explore the issuance of a no-action letter concerning the interplay between MiCAR and the revised Payment Services Directive (PSD2). This request aims to address potential regulatory overlaps affecting EMTs and mitigate the administrative burden on CASPs during the transitional period before the implementation of PSD3.

However, this regulatory prerogative remains a limited instrument to resolve legal impasses stemming from inapplicable provisions or those requiring international co-ordination, as it does not allow the ESMA and EBA to temporarily suspend the application of the relevant regulations. This observation has led both the AMF and the HCJP to advocate for granting European regulators the authority to issue genuine no-action letters, similar to that granted to the SEC in the USA.

As a general rule, regulated activities performed by financial institutions may only be delegated to entities which are also authorised to perform such activities. Operational functions related to a regulated service may also be outsourced, although the supervision of the competent regulator extends to the vendor. Outsourcing such functions does not relieve the regulated entity from its primary responsibility towards clients or third parties.

The regulated entity must efficiently implement measures to monitor the compliance of the vendor with the applicable regulatory requirements. In certain cases, the outsourcing must also be declared to the competent regulator. The ACPR, for example, issues detailed guidelines relating to the procedure that must be followed by regulated entities wishing to outsource key functions. The ACPR also fully complies with the 2019 EBA Guidelines on outsourcing arrangements, which set out the internal governance arrangements, including sound risk management, that payment institutions and electronic money institutions should implement when they outsource functions, in particular with regard to the outsourcing of critical or important functions.

As a general rule, regulated entities (whether start-ups or large companies) are responsible for ensuring that the services they provide are not used for illicit purposes. This is why all the regulated actors are subject to AML legislation and are expected to obtain sufficient knowledge of their clients to be able to prevent their clients from using their platform for illicit activities.

Unregulated fintech companies are not subject to AML legislation but are still forbidden from knowingly facilitating illicit activities. These actors need to be careful not to become the vehicles of money-laundering or terrorism-financing schemes.

An interesting example is the emergence of blockchain-based decentralised trading platforms. Whether the person who deploys the smart contract on which the decentralised platform is based is responsible for potential illicit activities conducted through the platform remains unclear.

Both the AMF and the ACPR are empowered to investigate and prosecute entities subject to their supervision. Within each regulator, an independent enforcement committee acts as a specialised court and is able to sanction regulated entities as well as individuals. The AMF’s enforcement committee typically issues 20 to 30 rulings a year, which is twice as many as the ACPR’s enforcement committee issues.

French regulators have recently focused on issuing warnings regarding crypto-assets. Several publications of the AMF and the ACPR notably outlined the significant volatility and risk of loss. Both institutions reminded their readers that these crypto-assets are not legal tender and do not qualify as financial instruments under French law. Consequently, the investors’ attention is drawn to the fact that the legacy regulations aimed at protecting them do not apply. Moreover, the AMF published an analysis of the legal classification of derivatives based on crypto-assets. For the regulator, basically all crypto-asset derivatives qualify as financial contracts, and therefore financial instruments. Consequently, the regulations applicable to the marketing of financial instruments in France (including the specific restrictions which apply to contracts for difference) also apply to crypto-asset derivatives.

In addition, the AMF publishes and regularly updates a blacklist of websites which market financial investments in France without authorisation. This blacklist initially focused on forex trading, binary options and alternative investments (eg, diamonds, wines, forests, etc), but was recently extended to websites irregularly marketing investments in crypto-assets and crypto-asset derivatives. The AMF also recently obtained an order from the Paris Court of Justice which requested the closure of six internet addresses relating to three sites illegally offering alternative investments.

In September 2022, the AMF removed Bykep (formerly Keplerk) from the list of registered DASPs following an investigation that showed serious malpractices and deficiencies in the implementation of the AML-CTF obligations.

In April 2024, an affiliate of a French financial institution was fined EUR1 million for deficiencies in its AML-CTF framework, particularly regarding its risk profiling and the implementation of customer due diligence measures. Significant enforcement actions against neobanks and innovative payment providers can be expected in the next few years, in relation to their implementation of AML legislation. So far, most ACPR sanctions have targeted traditional banks and foreign fintechs. 

The CNIL

Data privacy rules are provided in particular by Regulation (EU) 2016/679 of 27 April 2016 (the General Data Protection Regulation, GDPR). From a domestic perspective, the National Commission on Informatics and Liberty (Commission nationale de l’informatique et des libertés, CNIL) has jurisdiction over data privacy issues and protection of personal data, regardless of which entity is processing the data (public administrations, associations, private companies, etc). Entities must set out a data processing policy, subject to the supervision of the CNIL. The CNIL may also sanction non-compliant entities.

The ANSSI

The National Cybersecurity Agency (Agence nationale de la sécurité des systèmes d’information, ANSSI) is competent regarding cybersecurity issues. Cybersecurity regulation mainly arises from the transposition of Directive (EU) 2016/1148 of 6 July 2016 (the Network and Information Security Directive). Under French law, entities designated as “operators of essential services” must notify the ANSSI of any breach or incident. In addition, operators of essential services must comply with various organisational requirements, under the supervision of the ANSSI. A government decree of May 2018 designates most regulated financial and banking institutions as operators of essential services. Fintech companies providing unregulated services would probably not be considered as operators of essential services under this regulation.

Online Content

The communication of regulated actors is subject to a burdensome set of rules, especially relating to the distribution of regulated products or services. Customers must be provided with clear, accurate and non-misleading information at any time, whether such information is provided through a financial entity’s own website or through other media. Regarding social media, rules relating to the distribution of regulated services apply regardless of the channel used for such distribution, as reiterated in 2016 by the AMF (through the updates of several position statements relating to the marketing and distribution of financial products) and the ACPR (through a recommendation on the use of social networks for commercial purposes). Consequently, close attention should be paid to the content of information posted on social media, as it is by nature likely to reach non-professional customers.

The role of influencers in the marketing of financial products or investments is closely monitored by the authorities. In July 2022, the AMF and the advertising regulatory authority announced that they would include digital assets in their joint monitoring of advertising on financial products, and start focusing on influencers. In December 2022, the Ministry of Economy launched a national consultation on the regulation and supervision of influencers.

In June 2023, the French Parliament adopted an Act aiming to regulate commercial influence and combat the abuses of influencers on social media, including provisions prohibiting, under penalty of up to two years of imprisonment and a fine of EUR300,000, the direct or indirect promotion of financial products and services by influencers, except in certain cases. The prohibited products and services include:

• financial contracts;
• digital asset services, unless the provider is registered or licensed by the AMF; and
• ICOs, unless the advertiser has obtained an authorisation for the issuance of crypto-assets.

As it stands, influencers are prohibited from promoting digital asset-related products and services for remuneration unless the provider is duly registered or licensed as a DASP and unless they specifically mention the risks associated with crypto-assets to their audience. This regulatory framework is expected to evolve in alignment with MiCAR.

The appointment of an external auditor (commissaire aux comptes) is mandatory for all joint-stock companies (sociétés anonymes) and most simplified joint-stock companies (sociétés par actions simplifiées), as soon as they exceed certain size thresholds. In addition, appointing an accounting firm is mandatory for all companies which carry out a regulated activity.

Regulated entities are subject to strict monitoring and supervision rules. In order to obtain approval from the ACPR, for example, regulated entities must define a comprehensive internal compliance policy. The supervision is both internal and external: compliance with the relevant rules is internally monitored by certain employees of the entity, while external consultants periodically audit and review its compliance procedures. Therefore, part of the supervision of regulated entities is, in practice, outsourced to external consultants.

Fintech companies that provide regulated services must also comply with regulatory requirements. They tend to outsource most of their compliance processes in order to focus on technology and the core business. When fintech companies provide services which fall outside the scope of regulation, however, they are not subject to these compliance processes.

Generally speaking, under French law, most regulated entities may provide certain unregulated services. The extent of a regulated entity’s ability to provide unregulated services depends on its status. For example, credit institutions may provide a wide range of banking-related services (opérations connexes) which do not benefit from the banking monopoly, and they may acquire stakes in private companies. Credit institutions may also carry out various non-banking activities as long as such activities remain limited (ie, less than 10% of the net banking income) and do not limit competition in the relevant markets.

Some regulated actors, such as crowdfunding intermediaries, are also forbidden to provide activities other than those for which they are regulated.

Unregulated fintech companies are not subject to AML legislation but are still forbidden from knowingly facilitating illicit activities. These actors need to be careful not to become the vehicles of money-laundering or terrorism-financing schemes.

By contrast, regulated fintech companies (ie, fintechs providing regulated services) are subject to AML rules, to the same extent that credit institutions, payment service providers or digital asset service providers are. The ACPR and the AMF both issue and update generic AML guidelines, and guidelines specifically applicable to certain regulated entities (such as DASPs, insurance undertakings and investment funds).

Even before the AML 6 package came into force, the French AML rules were being strengthened. For example, since an order on 9 December 2020, the ACPR has been carrying out a prior verification of compliance with AML rules by DASPs providing the service of custody of digital assets on behalf of third parties and the service of purchase or sale of digital assets in legal tender. In addition, the decree of 2 April 2021 removes the EUR1,000 threshold in order to require DASPs to carry out “know your customer” (KYC) checks on their occasional customers as soon as the latter use their service.

The complexity and density of these AML rules may be an obstacle to the development of fintech start-ups if they are not properly advised.

France has been a member of the Financial Action Task Force (FATF) since 1990. The effectiveness of France’s measures against money laundering and terrorist financing, as well as its compliance with the FATF Recommendations, was assessed in May 2022. The evaluation report concluded that France has a robust and sophisticated framework for combating money laundering and terrorist financing, which is effective in many respects.

Regarding the application of this framework in the context of the growing use of fintechs in France, the FATF report indicated that French financial institutions have a good understanding of the obligations they are subject to. It also highlighted the thorough understanding by French DASPs of the specific money laundering and terrorist financing risks associated with their sector.

Banking and Payment Services

Regarding banking and payment services, the requirement for a physical presence in each EU Member State through the establishment of a branch to provide banking or payment services within the EU does not apply to companies based in third countries that offer services to clients and counterparties located in a Member State, within the framework of a reverse solicitation of services.

Marketing of Shares and Units of Funds

The marketing in France of shares or units of funds managed by a management company established in a state other than France is subject to prior authorisation from the AMF when aimed at non-professional clients. However, when the solicitation originates directly from the client and specifically and unequivocally targets the product the client wishes to subscribe to, this is not considered a marketing activity in France and is thus exempt from the prior authorisation requirement from the AMF, as well as from the application of French law.

Provision of Crypto-Asset Services

MiCAR contains a general reverse solicitation principle that allows a non-EU firm to provide regulated services to EU residents without being required to obtain a licence, provided that the clients have themselves solicited the provision of the services from the third-country firm.

Relying on the exception of reverse solicitation would require French CASPs to refrain from actively marketing or distributing their services to EU residents. Indeed, the criterion used to qualify reverse solicitation is quite restrictive considering that the regulated service must be provided “at the own exclusive initiative” of the EU resident.

The assessment of whether a service is provided on a reverse solicitation basis will generally be based on a case-by-case analysis by the AMF or a court. In France, the AMF hasq included in its General Regulations (Article 721-1-1) a detailed list of the criteria used to determine whether the services can benefit from the reverse solicitation exemption. As such, crypto-asset services provided by an entity located in a third country will be considered as provided in France if:

• the service provider has commercial offices for the marketing of a regulated service in France;
• the service provider sends promotional communications, by any means, to customers based in France;
• the service provider organises the distribution of its products and services through one or more distribution networks to customers based in France;
• the service provider has a postal address or telephone number in France; or
• the service provider has a domain name for its website that refers to France (eg, “.fr”).

In addition to these criteria, the fact of sponsoring events or conferences located in an EU Member State can be considered as a sign that the regulated services are provided in that Member State. Indeed, sponsoring these events is often a way of promoting a brand, even if the services themselves are not actively promoted.

It should also be noted that the application of the reverse solicitation principle is stricter in MiCAR compared to MiFID II. For example, the final guidelines on reverse solicitation in MiCAR (published in December 2024) are particularly exhaustive and cover all methods of promotion, including the use of influencers, whereas the MiFID II guidelines, which are older, do not mention them, while remaining sufficiently broad to cover this type of practice.

Three trends can be found in the French market regarding robo-advisers:

• robo-advisers helping mainstream clients in their investment decisions;
• robo-advisers managing investments directly on behalf of their clients; and
• robo-advisers acting as insurance brokers.

In such cases, the services provided by robo-advisers qualify as investment advice or portfolio management within the meaning of the MiFID II framework, and the robo-adviser must consequently be licensed as either a financial investment adviser or an ISP. Robo-advisers that are active in the insurance market have to register as intermediaries with the French register of banking, finance and insurance intermediaries (Orias).

However, in contrast to legacy players, most of the processes of robo-advisers are wholly automated. The clients provide information relating to their financial capacity, objectives and risk aversion through standardised questionnaires. Depending on the client’s profile, the robo-advisers provide advice relating to investment opportunities or manage investments on the client’s behalf. The AMF reiterated in 2017 that entities offering automated tools which provide clients with estimates of how financial instruments will perform are subject to the duty to deliver clear, accurate and non-misleading information.

Generally speaking, robo-advisers allow customers to invest in a diversified portfolio of listed assets, such as a mix of bonds and stocks. Robo-advisers rely heavily on investments in exchange-traded funds or mutual funds.

The appearance of crypto-asset markets on the financial landscape raises specific challenges for the business models of robo-advisers.

The implementation of robo-advisers by financial actors can trigger licensing requirements, depending on the level of automation and the client’s involvement in managing these assets. For instance, when the client does not intervene in the management of their assets, the service provided by the robo-adviser may be classified as portfolio management for crypto-assets, which would require a CASP licence.

However, if the service is “semi-automated”, the robo-adviser’s offering might be excluded from the scope of portfolio management for crypto-assets. Nevertheless, depending on the circumstances, it could still fall under other categories, such as “reception and transmission of orders for crypto-assets on behalf of clients”, “provision of advice on crypto-assets” or “exchange of crypto-assets”.

Until now, the services provided by robo-advisers were reserved for clients with sufficient financial capacity to ensure the profitability of the service. Solutions introduced by robo-advisers target two key issues for mainstream clients: firstly, the service’s cost, and secondly, the entry fees. Various studies have recently outlined that reduced costs and low entry fees are at the heart of robo-advisory strategy. Therefore, the main response of legacy players would be to offer the same service to clients with lower financial capacity.

Issues relating to best execution of orders sent by clients do not differ between legacy players and robo-advisers. As a general principle, the services provided by robo-advisers qualify as investment services according to MiFID II (whether investment advice or portfolio management). Consequently, robo-advisers must set out a best execution policy in relation to orders traded on behalf of their clients.

The French regulatory framework for crowdlending was created in 2014 with a new exemption to the banking monopoly allowing individuals to grant loans through platforms. Several conditions restrained the scope of this exemption: loans could only be granted by non-professional lenders, the amount of each loan was capped at EUR2,000 per lender and per project (EUR5,000 for interest-free loans), and the maturity of each loan had to be less than seven years. Borrowers raising funds through crowdlending were not able to raise more than EUR1 million per project. Mortgage loans and consumer credits were also outside the scope of crowdlending.

Regulation (EU) 2020/1503 on European crowdfunding service providers for business has superseded the French regime.

Concerning regulatory authorisations, crowdlending internet platforms must be licensed by the AMF as crowdfunding service providers with the assent of the ACPR if the applicant’s programme of operations includes facilitating the granting of loans. Legacy lenders, on the other hand, must be authorised as credit institutions by the ACPR. The regulatory requirements that crowdlending platforms have to respect are proportionate to their status (ie, not as burdensome as the rules applicable to legacy credit institutions).

As an exception, the French regulatory regime for crowdfunding intermediaries remains in place for crowdfunding and crowdlending platforms where their activity is restricted to free loans and donations.

Among other regulatory conditions aimed at protecting lenders, crowdlending platforms must deliver detailed information to potential lenders, mainly relating to the underlying projects and the attached risks. Notably, to facilitate the comprehension of the investors, the crowdfunding platforms must make a key investment information sheet containing mandatory information available to prospective investors.

The underwriting process itself is not directly regulated for crowdlending platforms.

Funds raised through crowdlending platforms initially came from individual lenders acting on their own account, outside of any professional context. However, investment funds have increasingly started to invest alongside individuals in SMEs in financing deals through crowdlending platforms.

In view of this trend, Regulation (EU) 2020/1503 introduced a different regime depending on whether the funding is provided by a sophisticated or unsophisticated investor.

No syndication of loans originated through crowdlending platforms is allowed under French law.

The definitions of payment services and payment transactions under French law are broad and cover most existing payment methods. The French Monetary and Financial Code defines what payment services and payment accounts are, rather than how a payment transaction must work from a technical point of view. Therefore, regulated payment processors (ie, payment service providers) should have the ability to use technical innovations to develop new payment methods within the scope of the existing regulation.

The regulation of payment services revolves around the notion of “funds”, which are defined as bank notes, coins, scriptural money and electronic money. A payment method which does not use funds, but rather unregulated units of value (such as cryptocurrencies), might therefore fall outside the scope of the regulation.

However, most payment operations involve a transfer of funds between two payment accounts. Therefore, any payment method implemented by a fintech start-up needs to be compatible with the technical requirements of the entity in whose books the beneficiary’s account is opened.

Cross-border payments and remittances are included in the list of payment services and therefore are regulated as such, as soon as they involve the use of funds.

The French regulation of trading platforms mostly replicates the taxonomy established by MiFID II. French law distinguishes three categories of trading platforms, in accordance with MiFID II: regulated markets, multilateral trading facilities (MTFs and organised MTFs), and organised trading facilities (OTFs).

Firstly, all these trading platforms are subject to the same set of common rules, which include, notably, the prohibition of proprietary trading and various organisational and transparency requirements. Thereafter, the main differences between regulated markets, MTFs and OTFs may be broadly described as follows:

• Regulated markets are authorised by a government decree (on a proposal from the AMF) and are operated by a market undertaking (entreprise de marché).
• MTFs and OTFs may be operated by a market undertaking or an ISP.
• Organised MTFs are MTFs which are subject to additional regulatory requirements. This category is not present in MiFID II; it was created by the French legislature.
• OTFs may not list shares; they may only list the following asset classes: debt securities, structured finance products, greenhouse gas emission allowances, derivatives and physically-settled wholesale energy products.
• OTFs may match buying and selling orders in accordance with discretionary rules, while regulated markets and MTFs must use non-discretionary rules.

Finally, with respect to marketplaces, no specific regulatory regime generally applies. Marketplaces may be regulated to the extent that they allow their clients to purchase or trade products which are subject to a regulation.

With respect to the listing on trading platforms, not all asset classes are subject to the same regime. The relationship between regulated trading platforms and asset classes may be broadly presented as follows:

• any financial instrument may be listed on a regulated market or an MTF; and
• an OTF may only list the following asset classes: debt securities, structured finance products, greenhouse gas emission allowances, derivatives and physically-settled wholesale energy products.

With respect to the Market Abuse Regulation (Regulation (EU) No 596/2014 on market abuse), which establishes a common regulatory framework on insider dealing, the unlawful disclosure of inside information and market manipulation, all financial instruments are subject to its provisions, whether they are traded on a regulated market, an MTF or an OTF.

The French regulation applicable to financial instruments’ trading platforms has not yet been impacted by the emergence of cryptocurrency exchanges. As financial instruments may not be listed on cryptocurrency exchanges for the time being, they remain outside the scope of regulation of traditional financial products.

Since the PACTE Act came into effect, digital asset service providers operating a cryptocurrency exchange must register with the AMF, which means that they notably have to comply with the AML regulation. In addition, cryptocurrency exchanges which allow their clients to trade cryptocurrencies against legal currency need to either obtain payment service provider status or partner with a payment service provider to handle the legal currency flows.

Finally, cryptocurrency exchanges can obtain an optional licence which provides extended rights to market their services in France. This optional licence comes with additional obligations, which are broadly similar to those of ISPs (ie, relating to reporting, transparency, conflicts of interest, etc). 

Under MiCAR, operating a crypto-asset trading platform now requires approval as a CASP, which imposes stricter requirements, including detailing the platform’s operating rules, complying with AML-CFT regulations, market abuse regulations and prudential capital requirements, and others.

Before MiCAR, third-country platforms could solicit EU clients by establishing a regulated subsidiary in an EU Member State that acted as a broker to the global platform (usually based in an offshore third country). However, in July 2024, the ESMA clarified that this model could lead to non-compliance with rules on reverse solicitation, conflicts of interest and best execution, warning against attempts to exploit regulatory loopholes. With the MiCAR regime in place, this structuration of global platforms – with an offshore company operating the global platform order book and an EU entity acting as a broker – would not be possible.

Finally, the ESMA’s position raises a key question for the future of trading platforms for crypto-assets: how will they adapt to the requirements of MiCAR? Two main options appear to be under consideration. The first is to create a separate platform dedicated exclusively to the EU, which could lead to liquidity fragmentation, making trades less efficient and potentially less attractive to investors. The second option would be to relocate the platform’s headquarters (and therefore its order book) to the EU, enabling the centralisation of operations and compliance with European regulations. However, this second option seems unlikely, as it would require significant investments and a complete restructuring of the platform’s global infrastructure. Therefore, global platforms will need to find a balance between regulatory compliance within the EU and maintaining their global business model.

French law requires trading venue operators to have clear and transparent rules regarding the criteria used to determine which financial instruments may be traded within their system. In addition, the rules of a regulated market must provide for fair, orderly and efficient trading of the financial instruments.

Concerning the listing standards themselves, each trading venue operator establishes its own rules. However, these rules generally rely on the compliance of the issuer of the financial instrument with the relevant provisions of European and national law. Certain specific rules may also be set by the operators themselves. For example, concerning the minimal percentage of float, Euronext’s rules provide that, at the time of admission to listing, at least 25% of the subscribed capital represented by the class of securities concerned must be distributed to the public.

Order handling rules applicable in France arise from Delegated Regulation (EU) 2017/565 of 25 April 2016 and a section of the French Monetary and Financial Code. Pursuant to the delegated regulation, investment firms carrying out client orders must ensure that orders executed on behalf of clients are promptly and accurately recorded and allocated. ISPs must execute client orders sequentially and promptly, unless the characteristics of the order, the prevailing market conditions or the interests of the client require otherwise, and they must inform retail clients promptly about any material difficulty.

Pursuant to the French Monetary and Financial Code, ISPs are subject to an obligation to reach the best possible result when executing a client’s order (also called the “best execution” obligation). “The best possible result” depends on various parameters, including the price of the financial instrument, the cost of the order, the size of the order, etc. With respect to retail clients, the best possible result primarily depends on the aggregate cost of the order.

In addition, ISPs must set out and communicate to their clients an order’s execution policy, which describes how orders are executed by the intermediary.

The rise of peer-to-peer crypto-asset trading platforms does not yet appear to have affected the regulation of trading venues. French and European regulators are closely monitoring the development of such platforms.

Peer-to-peer platforms challenge the very definition of trading venues under MiFID II: all the definitions refer to the notion of a “multilateral system” and imply the use of an order book. Hence, peer-to-peer platforms organised to allow only bilateral trading might fall outside the scope of MiFID II.

However, in January 2022, the ESMA published a consultation paper that clarifies, among other things, the definition of “multilateral system”. According to the ESMA’s publication, “The word ‘multiple’ refers to the system allowing various trading interests, to interact in the same system or facility,” including “systems where only two trading interests interact”. This would mean that peer-to-peer trading should not fall out of the scope of MIFID II only because it is bilateral.

In any case, the peer-to-peer trading platforms that currently exist do not allow the exchange of financial instruments, since they are designed for crypto-assets.

The AMF addressed the issue of payment for order flow in its “guide to best execution” published in 2014 and updated in 2020. The AMF is aware of three kinds of payments for order flow: non-public price reductions, provision of tools, or payment of connection fees and allocation of free shares in the company operating the trading venue.

To be considered lawful, these payments for order flow must satisfy three requirements: transparency vis-à-vis clients, enhancement of the service rendered and compliance with the duty to act in the best interest of the client.

Concerning the duty to act in the best interest of the client, which is defined in Article 314-14 of the AMF’s General Regulations, three cumulative conditions must be met with regard to payments for order flow:

• first, they must be justified by the provision to the client of an additional or higher level of service, commensurate with the incentive received (such as the provision of access, at a competitive price, to a wide range of financial instruments; the provision of one or several value-added tools; the provision of periodic reports on the performance of financial instruments and the associated costs and fee, etc);
• second, they should not directly benefit the ISP, its shareholders or staff members, without any tangible benefit to the client; and
• third, they should be justifiable by the provision to the client of a long-term service in relation to the incentive received.

In any case, the choice of trading venue must be made in a manner that complies with “best execution” obligations, as well as obligations relating to the prevention and management of conflicts of interest.

In 2021, following the controversy over the impact of payment for order flow on retail traders and speculation on “meme stocks”, the then-chairman of the AMF, Robert Ophèle, stated in a conference that he was in favour of a ban on payment for order flow in the EU. 

Since February 2024, these concerns have been acknowledged by European legislators, who have introduced a general ban on payment for order flow in Article 39b of MiFIR. This prohibition will fully apply from 1 July 2026.

France has not used the temporary exemption from the payment for order flow prohibition under MiFIR to allow investment firms located in France to continue engaging in payment for order flow with French clients.

The regulation of market abuse was the subject of major reform at the European level in 2014 with the creation of two instruments: the Market Abuse Directive (Directive 2014/57/EU on criminal sanctions for market abuse) and the Market Abuse Regulation.

The concept of market abuse covers any illicit behaviour on a financial market and, more precisely, insider trading, unlawful disclosure of privileged information and market manipulation.

The regulation of market abuse is built around sanction (with a dual administrative and criminal procedure) and prevention (with the implementation of measures designed to enable the detection of prohibited behaviour).

For instance, the operators of multilateral trading systems have to declare any suspicious operation to the AMF immediately. For this purpose, procedures and appropriate monitoring systems have been set up to prevent and detect market abuse or attempted market abuse.

ISPs must disclose the use of algorithmic trading to the AMF and submit detailed information relating to negotiation parameters, as well as to the compliance monitoring set out, in order to ensure that their algorithmic trading systems are resilient and subject to appropriate thresholds. The activities operated through the algorithmic trading systems must be stored for at least five years and made available upon request to the AMF. There are no specific rules relating to the underlying class of assets subject to algorithmic trading.

The French Monetary and Financial Code provides that entities negotiating for their own account which use algorithmic trading systems are required to be licensed by the AMF as investment service providers for such purpose, even if they do not act on behalf of or for the account of clients.

Since the management companies of investment funds (AIFs and UCITS) are not considered as investment undertakings as a result of the transposition of MiFID II into French law, they are excluded from the scope of EU provisions relating to algorithmic trading. However, they are subject to French rules of good conduct in relation to the best execution of orders.

Programmers who develop and create trading algorithms or other electronic trading tools are not regulated as such.

Whether they are operated in an office or on the internet, insurance underwriting processes are regulated by the French Insurance Code. Several formal conditions must be set out by the insurance company in order to ensure that the agreement is valid and enforceable. When the insured party is a non-professional natural person and subscribes to the policy through an internet platform, a further set of provisions arising from consumer law allows the insured party to withdraw from the insurance agreement within 14 days from the date of subscription.

Each type of insurance (life, annuities, property, etc) is subject to its own set of regulations under the French Insurance Code. The level of supervision of the ACPR is the same for each category of insurance service. It should also be noted that the prudential treatment of insurance undertakings by the ACPR does not differ according to the type of insurance service provided by the entity, but rather, according to its compliance with the related prudential rules.

Regtech companies provide services related mainly to the compliance of legacy players with prudential regulations (ie, the Solvency II, MiFID II and CRD IV Directives), reporting, risk management, KYC and AML procedures. The provision of these services is not regulated.

As a general rule, regulated entities that choose to delegate functions relating to prudential or organisational regulations must ensure that they are able to assess the performance of the outsourced service by the provider. Regulated entities remain responsible towards their regulator, even if a specific obligation is violated by the external provider rather than themselves. To facilitate such monitoring of external providers, regulated entities often include in their agreements provisions which allow them to control the compliance of the external provider with the requirements of the applicable regulation.

Since 2015, most French financial institutions have started to work on implementations of blockchain technology. Several French banks joined the R3 consortium which is developing the private blockchain platform named Corda. Société Générale Forge, a Société Générale subsidiary, has issued digital securities on public blockchains, such as Ethereum and Tezos. In January 2023, Société Générale Forge refinanced tokenised covered bonds by borrowing DAI stablecoins from MakerDAO, a market-leading decentralised finance protocol. Société Générale Forge’s security tokens were used as a loan collateral to the benefit of MakerDAO.

In addition, various major French non-financial companies are also experimenting with blockchain technology in their own field (eg, blockchain-based food traceability platform, blockchain-based authentication of luxury products). The BdF itself has developed a blockchain-based system to manage SEPA Creditor Identifiers. Overall, French legacy players are all implementing, or thinking about implementing, blockchain technology in their processes or their activity.

Furthermore, since March 2020, the BdF has partnered with private sector innovators (such as Accenture, Euroclear, HSBC, etc) to conduct a programme of eight experiments on a wholesale CBDC, such as using a wholesale CBDC to settle an issuance of digital financial securities with Société Générale Forge. On 8 November 2021, the BdF published the results and key findings of its experiments.

Finally, Paris Europlace, which is a think tank that brings together and represents the diversity of players in the financial industry and provides reports and advice, wrote a report in response to the European digital euro project in which it highlighted the potential uses of blockchain in the financial industry and the economic, technical and legal challenges.

While French regulators have issued multiple warnings concerning the risks of crypto-assets, the treatment of blockchain technology has been much more favourable. Blockchain technology is widely regarded as a major innovation which will likely transform the financial industry, and may also transform other industries (such as supply chain, identity management, healthcare, etc). More specifically, in October 2018, the CNIL issued a report on the compatibility of blockchains with the GDPR, and in December 2018, a parliamentary working group published a report on blockchain technology.

Government Decrees

However, the major step was the publication of the government decrees of 8 December 2017 and 24 December 2018, which allow the use of a blockchain (formally called a “shared electronic recording system”) for the issuance, registration and transfer of unlisted equity and debt securities. Securities issued through a blockchain will still qualify as financial instruments, and this new regime will not allow the creation of “security tokens”.

Pilot Regime

The DLT Pilot Regime, which came into force in March 2023, is a set of rules designed to support the deployment of DLT in financial markets. It facilitates the issuance and trade of certain financial instruments on DLT market infrastructures, which benefit from limited exemptions from certain financial regulations such as MiFIR, MiFID II and the Central Securities Depository Regulation. This framework applies in particular to smaller financial instruments such as equities with a market value of less than EUR500 million, bonds with an issue amount of less than EUR1 billion and investment funds with assets under management of less than EUR500 million. The purpose of the DLT Pilot Regime is to foster innovation and foster the growth of DLT-based market infrastructure, while maintaining necessary protections for investors and financial stability.

The entry into force of the Pilot Regime has been prepared by both regulators and major financial institutions which plan to offer services based on that new framework. The HCJP published a report on digital securities in 2022, in order to prepare the adaptation of French law to the Pilot Regime. In March 2023, an act effectively modified the French Monetary and Financial Code to facilitate the use of the Pilot Regime by French entities.

On 31 May 2024, the HCJP published a report titled “On the determination of the law applicable to assets registered in distributed ledgers”. It made several proposals, one of which concerned the law applicable to financial securities covered by the Pilot Regime (p20). This proposal is taken up by the new Article L. 211-7 of the French Monetary and Financial Code, according to which “the conditions and property effects of transactions in financial securities registered using distributed ledger technology under the conditions laid down by Regulation (EU) 2022/858… are determined by the law of the State where the entity authorised to operate the DLT settlement system or, where applicable, the DLT trading and settlement system is located”.

In 2025, to support the implementation of the Pilot Regime, the AMF published an in-depth report describing the main measures of the European regulation and the exemptions it grants under existing frameworks. It also provides a reminder on how to submit an application to the French financial authorities.

Under the existing legislation, certain blockchain assets qualify as financial instruments within the meaning of MiFID II (and its transposition into French law); ie, any blockchain asset which presents the characteristics of a financial instrument would likely qualify and be regulated as such. MiCAR has not altered this classification. Indeed, financial instruments are expressly excluded from the scope of MiCAR and, as a result, from the existing blockchain asset regulation within the French Monetary and Financial Code.

During the grandfathering period, the French Monetary and Financial Code, as amended by the MiCAR transposition ordinance of 15 October 2024, distinguishes between three categories of blockchain assets:

• tokens, excluding those that meet the characteristics of financial instruments;
• any digital representation of value; and

• crypto-assets as defined in Article 3 of MiCAR.

At the same time, MiCAR distinguishes three types of crypto-assets:

• asset-referenced tokens (ARTs);
• EMTs; and
• other crypto-assets.

In addition, French regulators tend to use taxonomy in their publications to distinguish between security tokens, utility tokens and payment tokens.

Regulation No 2018-07 of the Accounting Standards Authority (Autorité des normes comptables, ANC) qualifies all crypto-assets, including cryptocurrencies, as “tokens” for accounting purposes.

The classification of NFTs, however, is still unclear. MiCAR and, consequently, the French Monetary and Financial Code exclude them from their scope of application. They may or may not qualify as digital assets or tokens, depending on their characteristics and the rights that they provide.

The French Monetary and Financial Code, as amended by the PACTE Act, included a section dedicated to token issuers. These provisions applied to the issuance of tokens that do not qualify as financial instruments. 

Under French law, token issuers had the right to ask the AMF to grant its approval (“visa”) to their ICO, as soon as the following requirements were met:

• the issuer was a legal entity incorporated in France, or at least registered in France through a branch;
• the white paper and the marketing materials were accurate, written in plain language and not misleading; and
• the issuer planned to implement adequate procedures to track and safeguard the funds raised in the ICO.

The AMF visa was optional.

In addition to this regime, the ANC published a regulation in December 2018 which established the accounting rules applicable to ICO issuers and ICO investors. This regulation also clarified the tax treatment of ICO issuers and investors, as fiscal and accounting rules were closely related.

Since the entry into force of MiCAR and the adoption of Order No 2024-936 of 15 October 2024 on crypto-asset markets, this regime has been repealed. However, token issuers authorised to issue tokens under this regime may continue to do so until the end of the grandfathering period on 30 June 2026.

From now on, any crypto-asset issuer looking to operate in France must prepare a white paper outlining key details of the planned issuance. If the issuance involves ARTs or EMTs with a stable value and the issuer’s home state is France, they must obtain prior authorisation from the ACPR and submit a white paper. For all other crypto-assets, the issuer simply needs to notify the AMF in advance and provide a white paper.

In all cases, the white paper must provide a clear and complete overview of the operation. It should cover key details about the offeror, issuer and platform operator, along with the crypto-asset project, its public offering or trading admission, the nature of the crypto-asset, the rights and obligations it entails, the underlying technology, associated risks and any significant environmental impact.

All information must be fair, transparent and not misleading. The white paper should be structured in a concise and accessible manner, and must not omit any material facts.

Until now, crypto-assets were governed by the framework established by the PACTE Act, which required crypto-asset service providers to be registered or licensed as a DASP with the AMF. This regime remained in place until 30 December 2024. Since that date, it has no longer been possible to be registered or licensed as a DASP. Entities that held this status will not be able to continue providing crypto-asset services after 30 June 2026, unless they obtain a CASP licence.

Registration as a DASP

Four services in digital assets require the person providing them to register with the AMF as a DASP:

• the service of custody of digital assets on behalf of third parties;
• the service of buying or selling digital assets in legal currency;
• the service of exchanging digital assets for other digital assets; and
• the operation of a digital asset trading platform.

Such registration mostly triggers the application of AML legislation – there are no other substantial rules that apply to registered DASPs.

However, a recent act provides that DASPs registered after 1 January 2024 will be required to comply with additional requirements. Essentially, the rules that apply to licensed DASPs (see below) will be extended to registered DASPs, with the exception of capital requirements.

AMF Licence

In addition, all entities that are actively involved in crypto-assets may apply for an optional licence with the AMF, including those entities which also provide other services (such as reception and transmission of orders, portfolio management, advice to subscribers, etc). Obtaining the licence triggers the application of the AML legislation, as well as various other obligations similar to those of ISPs. In return, licensed DASPs are allowed to market and advertise their services broadly to French clients.

Other Crypto-Asset Platforms

If DASPs operating a crypto-asset exchange platform allow their clients to deposit legal currency or collect client funds to place orders on their behalf, these DASPs are required to obtain payment service provider status or delegate the handling of legal currency flows to a regulated provider.

As for platforms trading crypto-assets which qualify as financial instruments, such as derivatives based on crypto-assets, they will likely need to obtain authorisation to operate as regulated markets, MTFs or OTFs. However, the ESMA’s Report on Crypto-Assets and Initial Coin Offerings (January 2019) suggests that peer-to-peer platforms where crypto-assets that qualify as financial instruments are listed might fall outside the scope of the European regulation.

Status of CASP

The status of CASP established by MiCAR is largely inspired by the French regime under the PACTE Act. This status has been transposed into the French Monetary and Financial Code by an ordinance dated 15 October 2024. The crypto-asset services that trigger licensing requirements are substantially similar to those already existing under French law.

Licensing Requirements

The provision of crypto-asset services requires a licence as a CASP, obtained from the AMF. However, it is accepted that other licences may also allow the provision of these services, provided that prior notification is made to the AMF. This includes licences as a credit institution for all crypto-asset services, or as investment firms under MiFID for crypto-asset services equivalent to those for which they are specifically licensed. The licensing request is subject to compliance with AML regulations, market abuse regulations and outsourcing requirements, and triggers prudential requirements.

Cross-Border Provision of Crypto-Asset Services

Previously, a DASP licence did not allow for operations beyond French borders with foreign clients. However, MiCAR now provides that, regarding the cross-border provision of crypto-asset services, CASPs licensed in an EU Member State may, subject to notification to their home country’s competent authority, provide crypto-asset services throughout the entire EU.

Staking is not regulated as a distinctive activity or service under French law. Depending on the way the staking services are being provided (whether directly, through a centralised exchange platform, or by using the technology made available by a technological provider), this activity can require a prior, mandatory regulatory statute under French law. 

In 2023, the French Financial Sector Consultative Committee (Comité consultatif du secteur financier, CCSF) recommended improving the information provided to crypto-asset holders regarding the risks associated with staking and lending. These risks include the total loss of funds, the blocking of assets, the risk of platform hacking, and the absence of returns in the event of a market increase. The CCSF suggests replacing the term “reward” with “consideration” and recommends discontinuing the use of terms such as “savings” or “crypto-asset account”, as they may mislead investors about the risks associated with these operations.

From the regulators’ perspective, the AMF, in its position-recommendation DOC 2020-07, states that while staking is generally not considered a digital asset service per se, it may involve the provision of other regulated services, such as custodial services, which require authorisation as a CASP. This position aligns with the stance expressed by the ESMA on the matter.

In the 2025 joint EBA-ESMA report on recent developments in crypto-assets addressed to the European Commission, the ESAs emphasised the potential risks associated with staking. Consequently, regulatory developments concerning staking in the EU may be anticipated in the coming years. Some clarifications are expected to be provided by the European Commission in its upcoming report.

Crypto-related lending is not currently regulated as a specific crypto-asset service under French law. However, since the Pacte Act of 2019, CASPs have been required to register with the AMF to offer services such as the custody or exchange of crypto-assets, which may potentially include crypto-lending services.

The entry into force of MiCAR has not changed the situation, as crypto-asset lending remains unregulated by the text.

The 2025 joint EBA-ESMA report has highlighted the risks associated with crypto-lending, including leverage, contagion, liquidity risks and the lack of creditworthiness assessments, calling for improved regulation in this area.

Further developments are expected soon with the adoption of the upcoming report by the European Commission on recent developments in crypto-assets.

The French legislation does not directly regulate derivatives based on crypto-assets. However, in an analysis of the legal classification of crypto-asset derivatives published in 2018, the AMF concluded that a derivative based on a crypto-asset, settled in cash, should be considered a financial contract, which is a category of financial instrument within the meaning of the French Monetary and Financial Code.

Consequently, the rules governing the offering of financial instruments in France apply to crypto-asset derivatives.

Decentralised finance (DeFi) is not currently defined or regulated under French law.

However, most DeFi platforms offer services that could fall within the regime of DASPs. For example, decentralised exchanges such as Uniswap provide the service of exchanging digital assets for other digital assets, which requires registration with the AMF. Platforms that allow users to earn interest on deposits of crypto-assets and to borrow crypto-assets, such as Aave, could potentially fall under the regulation of banking operations, although that regulation has been made to apply to the use of “funds” (ie, legal currency).

It appears that the DASP regime is not adapted to truly decentralised platforms with decentralised governance. The regime was designed to regulate platforms operated by a centralised entity. It is possible that regulators will struggle to identify the persons responsible for the operation of these platforms, and may not, in fact, be able to enforce the regulation.

MiCAR does not aim to regulate DeFi either, although it mandates the European Commission to prepare a report in the coming years to assess whether a tailor-made regime should be created for DeFi. In May 2024, in light of the use of decentralised autonomous organisations (DAOs) by DeFi protocols, the HCJP published a report on the recognition of DAOs under French law. The report proposed a legal definition of DAOs, along with their legal and tax treatment, but this presently remains undetermined.

In 2023, the AMF published a discussion paper on DeFi, aimed at exploring best practices and potential developments in the regulation of the sector. Similarly, the ACPR highlighted the need to develop an appropriate regulatory response to DeFi, taking into account its innovative nature and the risks it generates.

Furthermore, in January 2024, a working group on the certification of smart contracts, led by the ACPR and the AMF, published a report proposing regulatory pathways for the oversight of smart contract certification, within the context of an examination of existing practices. The report concluded that specific measures should be taken to ensure the security and validity of smart contracts within a clear legal framework.

In this context, France is positioning itself as a driving force in the development of European regulation regarding DeFi.

French alternative asset manager Tobam launched the first European cryptocurrency fund, the Tobam Bitcoin Fund, in November 2017. However, this fund was not licensed by the AMF, as cryptocurrencies do not fit into any existing category of the regulatory regime applicable to asset managers.

French law, as amended by the PACTE Act, now allows professional specialised investment funds (fonds professionnels spécialisés, FPSs) and specialised private equity funds (fonds professionnels de capital-investissement, FPCIs) to purchase digital assets registered in a shared electronic recording system, ie, a blockchain. Only professional investors are able to invest in such FPSs or FPCIs. Napoleon Asset Management, a regulated asset manager specialised in crypto-assets, launched the first regulated crypto-asset fund in December 2019 (even though this fund does not hold crypto-assets directly but rather invests in bitcoin derivatives listed on the CME).

Melanion Capital also launched a fund in 2021 that seeks to replicate bitcoin’s price by investing only in listed securities of companies that operate in the Bitcoin sector.

In 2022, Arquant Capital launched two funds that invest directly in bitcoin (Arquant Dynamic BTC) or ether (Arquant Dynamic ETH). The exposure to crypto-assets that are held directly can vary between 0% and 100% in order to reduce volatility.

In October 2024, the first sub-governor of the BdF emphasised in his speech during the conference titled “What Future for the World of Crypto-Assets?” that it is still premature to discuss whether there is any systemic risk capable of affecting financial stability with respect to spot Bitcoin index funds, due to their limited significance. Indeed, as of January 2024, spot Bitcoin index funds had raised USD15 billion since their market launch, while the market value of stablecoins stood at USD164 billion.

The regime established by the PACTE Act and more recently by MiCAR does not treat cryptocurrencies differently from other “crypto-assets”. Similarly, Regulation No 2018-07 of the ANC considers cryptocurrencies, such as bitcoin or ether, as “tokens” for accounting purposes. In any case, there is no plan to give certain prominent cryptocurrencies any preferential legal treatment, such as acknowledging their use as money or as a medium of exchange.

In a decision of 26 February 2020, the Nanterre Commercial Court ruled that a bitcoin loan agreement can be governed by the general rules applicable to loans of non-monetary assets. This ruling was deemed controversial since it assumed that bitcoin (and thus, most digital assets) is fungible.

Non-binding documentation the AMF also acknowledges the existence of digital asset lending, although it does state clearly whether such activity is regulated under the regulation of digital assets or that of payment services or credit operations.

Overall, regulators and legislators have mainly expressed their interest in utility tokens and the use of ICOs as a new method of financing start-ups and SMEs. Cryptocurrencies, on the other hand, are still treated with suspicion, and it remains a priority of the legislature to prevent their use in money-laundering schemes.

MiCAR provides a definition of NFTs, even though they are excluded from its scope: “Crypto-assets that are unique and not fungible with other crypto-assets, including digital art and collectibles, whose value is attributable to each crypto-asset’s unique characteristics and the utility it gives to the token holder.”

Under French law, it is unclear whether they would qualify as digital assets or according to the underlying item (if any). NFTs are very diverse and have many use cases, making it difficult to apply a unified regime based on the classification of the underlying item.

In any case, what is at stake with the classification of NFTs is mainly their tax treatment. Under French law, if NFTs qualify as digital assets, exchanging them against other digital assets benefits from a tax exemption (at least for individuals). If their classification depends on the underlying, all transactions between digital assets and NFTs may be taxed.

In May 2023, the French General Inspectorate of Finance (Inspection générale des finances, IGF), an entity under the Ministry of the Economy and Finance, published a report on commercial-purpose crypto-assets. In this report, it notably emphasises that NFTs associated with an image cannot be legally classified as works of art, nor, more generally, considered as a form, even a degraded one, of ownership over the work or its medium. The IGF thus calls for a legal clarification of NFTs and for separate regulation of these assets, from both a legal and fiscal perspective.

In 2024, France introduced new forms of games with monetisable digital objects (jeux à objets numériques monétisables, JONUM) into the French legal framework. These games are mostly based on non-fungible tokens that merge two aspects: financial earnings and gamification. A text was adopted by the French Parliament’s Joint Committee on 28 March 2024. This text still has some points to be interpreted, but these will be clarified by decrees currently being prepared. This text, like the Pilot Regime, will be tested for a period of three years, during which JONUM will have to notify the ANJ of their operations. In essence, this new regime will impose new obligations on these players, ranging from combating money laundering and the financing of terrorism to protecting minors from the risks of addiction. Moreover, strict limitations notably on communication or on the characteristics of the rewards (often NFTs or other crypto-assets) that can be granted to users will be imposed.

As French and European law currently stands, NFTs and NFT trading platforms do not fall under any legal regime. However, clarifications from regulators are expected in the coming months, since NFT trading platforms could be subject to AML risks if they remain unregulated.

Directive (EU) 2015/2366 of 25 November 2015 on payment services in the internal market (PSD2) was transposed into French law in August 2017. PSD2 aimed to modernise payment services in the EU by taking advantage of the emergence of online and mobile banking. The cornerstone of that modernisation is the right to access a bank account to perform services, eg, to collect and consolidate information on the different bank accounts of a consumer in a single place, or to allow customers to make internet payments without using a credit card (ie, by sending a direct wire transfer from the customer’s account to the seller’s account). In practice, PSD2’s major contribution to the growth of open banking was the creation of two new categories of payment services under French law (the payment initiation service and the account information service) and the removal of certain barriers which prevented third parties from providing these payment services. Several successful French fintech companies, such as Linxo and Lydia, are already providing regulated services under these new categories.

On 28 June 2023, the European Commission presented its draft regulation on access to financial data (“FiDA Regulation”), which is still under debate. This regulation will complement the Open Banking framework established by the PSD2. It is based on the principle that financial data belongs to the user and stipulates that, at the user’s request, data holders must make this data accessible free of charge, in real-time, continuously and electronically, in accordance with the conditions outlined in the FiDA Regulation.

The draft also proposes the establishment of a financial information service provider status, which will require approval from the relevant authority in the EU Member State where the provider is based. This status will also be available to third-country providers, provided they obtain the necessary authorisation from the Member State in which they wish to offer their services.

However, further clarifications are awaited regarding the feasibility of this bill. Meanwhile, the ACPR has announced that its involvement in the FiDA Regulation negotiations will be one of its strategic priorities for early 2025.

Creation of APIs

The transposal of PSD2 into French law forced banks to share certain personal data relating to their clients (eg, information relating to clients’ bank accounts) with various fintech companies. In order to share this information, banks need to create secure application programming interfaces (APIs). It was reported recently that banks had been slow to create these APIs and justified their reluctance by invoking the need to guarantee the security of clients’ bank accounts and data. The deadline to implement these APIs was set at September 2019.

At the end of 2020, the level of technical implementation of APIs was not consistent among all actors. According to the co-founder of Linxo, an account aggregator, the potential of PSD2-compliant APIs is still “under-exploited”.

At the end of 2022, in France, only 45 banks and account providers had implemented PSD2-compliant APIs. 

Web-Scraping Methods

If they are unable to use APIs, third-party providers such as account aggregators and payment initiation providers will have to keep using web-scraping methods in order to access clients’ banking data, although these methods are not considered sufficiently secure.

GDPR Compliance

In addition, the obligation to share clients’ personal data raises the issue of the compliance of PSD2 with the GDPR, as certain payment data may prove sensitive. In any case, both banks and fintech companies must comply with the GDPR when processing clients’ personal data.

PSD2 is currently being amended at the European level to account for recent technological developments. The European Commission is currently examining the proposals received through a public consultation launched in 2022. The PSD2 has been badly perceived by professionals, who experience it as a constraint. The debates on PSD3 focus on several challenges that PSD2 failed to address (among them, the use of biometric authentication with behavioural analysis during a payment is discussed, for instance) while further limiting fraud.

In recent years, there has been a significant increase in fraud techniques based on user manipulation and identity theft. While the introduction of strong customer authentication under PSD2 has enhanced the security of remote payments and reduced certain types of fraud, these transactions remain a major source of disputes for clients. This issue was observed and highlighted by the AMF and the ACPR in 2023.

Regarding payment methods, on 21 January 2025, the ACPR presented fraud statistics for the first quarter of 2024. The data indicates that 38% of fraud cases involved card payments and 26% of fraud cases involved bank transfers.

The ACPR noted that the most common types of fraud were manipulation fraud and fraud related to online payments.

This trend also extends to investment services. In January 2025, the AMF and the ACPR updated their blacklist of unauthorised actors offering investments, particularly in forex and crypto-asset derivatives, in France. In 2024, more than 100 new actors were added to this list.

In 2024, the ACPR added 1,290 actors to its blacklist, mainly for fraudulent offers of loans or savings books. Over 64% of these cases involved identity theft of financial institutions authorised to market these products in France or in the European Economic Area.

French regulators’ priorities are driven by the fraud trends observed. Between 2021 and 2023, the ACPR conducted a series of inspections on the handling of payment transactions (including card payments, wire transfers and direct debits) that customers disputed as unauthorised. The aim was to ensure that payment service providers comply with the reimbursement framework established under PSD2 for unauthorised transactions.

Additionally, in 2022 and 2023, the ACPR observed an increase in the use of French IBAN accounts, opened by French or European entities, often using stolen identities, to receive proceeds from wire transfer frauds where the payer is manipulated by the fraudster.

In 2023, the ACPR focused its inspections particularly on the money transfer and crypto-asset sectors, in response to risks highlighted in the ACPR’s sectoral analysis of money laundering and terrorist financing risks in France published in June 2023.

In parallel, the AMF worked on several initiatives addressing the role of influencers in financial matters (“finfluencers”) on social media, improving systems to alert investors to financial fraud and raising awareness among internet service providers about online fraud.

In 2024, the Observatory for the Security of Payment Means (Observatoire de la sécurité des moyens de paiement, OSMP), with regard to remote card payments, adopted an action plan aimed at strengthening the security of unauthenticated payments made without the 3-D Secure technical protocol. These payments are still two to three times more likely to be subject to fraud compared to those using the 3-D Secure protocol. Initial measures have been implemented as of 10 June 2024, including the introduction of a cap on the acceptance of such transactions.

The transposition of PSD2 into French law specifies that payment service providers must ensure the security of payments and protect users from unauthorised or incorrectly executed transactions.

Articles L. 133-18 and L. 133-22 of the French Monetary and Financial Code impose an obligation for immediate reimbursement of unauthorised or incorrectly executed payments, provided the user reports the incident within 13 months. In cases of suspected fraud, the payment service provider may deviate from this reimbursement obligation, provided that it informs the BdF of its justification.

Regarding the loss or theft of a payment instrument, Article L. 133-19 of the French Monetary and Financial Code sets out the respective responsibilities of the payer and the payment service provider. If the loss is attributable to the payer, the payer bears full responsibility. However, if the loss is reported in a timely manner, the payer’s liability is limited to EUR50 for transactions executed before the report. The payment service provider assumes full responsibility if the loss is not attributable to the payer.

In the case of an erroneous beneficiary designation by the payer, the payment service provider is not required to immediately refund the payer. However, the provider is obligated to make reasonable efforts to recover the funds. Lastly, if the payer disputes a payment, the payment service provider is required, under Article L. 133-23 of the French Monetary and Financial Code, to prove that the payment transaction was authenticated, accurately recorded, entered in the accounts, and not affected by a technical breakdown or some other deficiency of the service provided by the payment service provider.