Luxembourg is a major European banking and wealth management centre. As a recognised EU hub for fintech companies, banks, asset managers and insurance companies, Luxembourg has a highly developed financial services ecosystem. Since 2007, when the fintech pioneer PayPal received a full banking licence in Luxembourg, the country has seen robust growth over the past few years and has now become a home for over 200 fintechs. In particular, Brexit has led to an increase of UK companies engaging in fintech activities in Luxembourg to access the European market and benefit from EU passport authorisation. A recent executive order from the US President prohibiting US federal agencies from undertaking any action to establish, issue, or promote Central Bank Digital Currencies (CBDCs) in the US and abroad may slow down international projects to develop CBDCs, including in the Eurozone, in favour of stablecoins.

Impact of Legislative Developments

Luxembourg’s economy heavily relies on financial services, which account for around a quarter of the country’s economic activity. As a result, developing effective financial regulations is a key policy concern for the Luxembourg legislature.

The newly published Blockchain IV Law, which entered into force on 31 December 2024 integrates and formalises the use of blockchain technology, specifically DLT, in the management of dematerialised securities, both debt and equity.

At the EU level, the European legislature has made efforts to regulate various aspects of fintech. To ensure consistency and clarity in the regulatory framework across Europe, the European Commission introduced the Digital Finance Package in September 2020. This package includes several regulations, three of which have already been adopted: a pilot regime for market infrastructures based on DLT (see 2.5 Regulatory Sandbox), a regulation focused on digital operational resilience (see 2.11 Implications of Additional, Non-Financial Services Regulations) and a regulation on markets in crypto-assets (see 10. Blockchain).

In addition, the European Artificial Intelligence Act (AI Act), which came into force in August 2024, provides a legal framework aimed at managing and mitigating the risks associated with AI, in particular, to protect human rights, safeguard sustainability, and encourage investment to promote AI innovation across Europe. The new anti-money laundering (AML) directive includes an obligation for all crypto-asset service providers involved in crypto-asset transfers to collect and make accessible data on the originators and beneficiaries of the transfers they operate (see 10.3 Classification of Blockchain Assets).

Upcoming Changes in EU Legislation

As further elaborated in this chapter, many topics relating to virtual assets and other recently developed technologies used in the financial sector had not been explicitly covered by the traditional financial services regulation.

The Markets in Digital Assets Regulation (MiCA) plays significant regulatory influence on digital assets by creating a single regulatory framework for three main types of digital assets:

• asset-referenced tokens (ARTs);
• electronic money tokens (EMTs); and
• utility tokens.

With the full implementation of MiCA in January 2025, digital asset issuers and service providers (CASPs) are subject to licensing and oversight by national authorities, facilitating a harmonised and secure EU digital market.

The Digital Operational Resilience Act (DORA), which took effect in January 2025, is expected to have an impact on the financial sector, with its main goal to strengthen the cybersecurity and operational resilience of financial institutions.

The fintech market may also be impacted by the updates of several regulations and directives impacting the financial sector, including the lately adopted amendments to the MiFID II/MiFIR framework and AIFMD.

Lastly, the European Commission published a proposal for the EU Financial Data Access Regulation (FiDA), which is expected to come into effect in 2027 and is aimed at enhancing digital transformation in the financial sector through the development of open finance. The goal is to require data holders to share the financial data of customers, such as data on mortgages, crypto-assets, investments in financial instruments, insurance-based investments, or non-life-insurance products.

The recent months saw a surge in use of AI models in fintech products and services in Luxembourg, both in governmental and private initiatives. For example, the Financial Sector Supervisory Commission (CSSF) signed a strategic agreement in December 2024 to develop its own artificial intelligence initiative, enhancing the CSSF’s prudential activities and improving big data processing. This shows the commitment of governmental bodies to integrate advanced technologies and keep the pace with the growing fintech industry.

There are a variety of different types of fintech companies in Luxembourg, including payments, big data, and AI, insurtech, cybersecurity and authentication, Fundtech, regtech, lending and blockchain. Especially in the e-payment and e-commerce sectors, Luxembourg is the home to leading industry players such as Amazon, PayPal, Airbnb, and Rakuten, which are licensed and supervised by the CSSF as banks, payment service institutions, e-money institutions or virtual asset service providers, as the case may be.

Furthermore, a significant number of fintech companies in Luxembourg provide services for the compliance and regulatory needs of the financial sector. These services range from KYC obligations, data management and fraud detection to fund reporting, digital investment services and investor information tools. Luxembourg-based fintechs, such as FundsDLT and Tokeny, are also active in the development of blockchain-based market infrastructures.

While traditional players in the financial industry, including banks and insurance companies, were initially viewed as competitors to fintech companies, today there is a notable shift towards collaboration between these entities in Luxembourg. Fintechs working with legacy players offer a wide variety of services, including data analytics, asset management and open banking. By way of example, following EU legislative developments on payment services, several Luxembourg retail banks formed a leading European open banking platform, LUXHUB, in 2018.

The regulatory regime applicable to fintech players depends on the business model and activities of the company.

• Payment and electronic money institutions – entities providing payment or electronic money services are subject to the Law of 10 November 2009 on payment services, as amended (the Payment Services Law), and accordingly are subject to authorisation by the Financial Sector Supervisory Commission (Commission de Surveillance du Secteur Financier or CSSF).

• Insurtech – entities providing insurance services are subject to the Law of 7 December 2015 on the insurance sector, as amended, and accordingly are subject to authorisation by the Insurance Commissioner (Commissariat aux Assurances or CAA).
• Fundtech – entities that operate as investment funds or investment fund managers may be subject to several regulations, including the Luxembourg Law of 12 July 2013 on alternative investment fund managers, the Law of 17 December 2010 on undertakings for collective investment, the Law of 13 February 2007 on specialised investment funds and the Law of 23 July 2016 on reserved alternative investment funds, each as amended. Funds and fund managers are typically authorised by the CSSF.
• Regtech – entities that provide certain services to regulated financial services entities may need to be licensed by the CSSF as support professionals of the financial sector in accordance with the Law of 5 April 1993 on the financial sector, as amended (the Financial Sector Law).
• Lending/banking activities – lending on a professional basis would typically require a banking licence in accordance with the Financial Sector Law. Most Luxembourg banks are authorised and supervised by the CSSF, and subject to EU regulations and national legislation.
• Alternative lending – entities that provide lending services that do not qualify as banks may fall under the scope of the Financial Sector Law, which requires an entity to be licensed as a professional performing lending operations. Alternatively, an entity may also grant loans in the context of a securitisation transaction under the Luxembourg Law of 22 March 2004 on securitisation, as amended.
• Blockchain and virtual assets – entities providing virtual asset services are required to register with the CSSF and are subject to the obligations laid out in the AML Law. However, not all blockchain-related operations would qualify as virtual asset services. In addition, if the relevant assets qualify as financial instruments, rules laid out in Directive 2014/65/EU on markets in financial instruments, as amended (MiFID II), and related regulations would apply.

Most of the aforementioned legislation is accompanied by technical standards, regulations, circulars and guidance issued by the competent authorities, which should also be considered. In addition, each of the activities above may be subject to, among others, anti-money laundering regulations (see 2.14 Impact of AML and Sanctions Rules) and data protection regulations (see 2.11 Implications of Additional, Non-Financial Services Regulations).

The compensation models that industry participants are allowed to use to charge customers vary mainly depending on the service provided by the fintech entity and the relevant customer type. Disclosure obligations relating to fees vary depending on the same factors. Typically, regulated entities, such as investment firms, are subject to certain pre-contractual obligations, which include the obligation to disclose costs charged by the service provider.

As a general rule, there is no difference between the regulation of fintech companies and legacy players, as long as the services they provide fall under the scope of regulated activities. However, given the size and business model of fintech companies, certain rules applicable to legacy players would typically not apply to fintech companies. In addition, in some cases the applicable regulations depend directly on the scale of the business, for example the EU crowdfunding regulation provides certain regulatory exemptions as long as the yearly funding remains under the threshold of EUR5 million.

There is currently no general regulatory sandbox regime in Luxembourg applicable to all fintechs.

However, the adoption of Regulation (EU) 2022/858 has introduced a pilot regime for market infrastructures based on DLT (the “DLT Pilot Regime”), which is fully applicable from March 2023. The DLT Pilot Regime provides a temporary exemption from certain regulatory requirements for eligible firms for the development of market infrastructures used for the trading or settlement of financial instruments that are issued, recorded, transferred and stored using DLT.

In addition, the CSSF has established an innovation hub that seeks to foster an open and constructive dialogue with the fintech industry. The innovation hub is a single point of contact for any person who wishes to present an innovative project or exchange views on challenges facing financial innovation in Luxembourg.

Fintech companies may be supervised by several regulators in Luxembourg, of which the following are the most relevant.

The CSSF

The CSSF is the competent authority of the prudential supervision of credit institutions, professionals of the financial sector, alternative investment fund managers, undertakings for collective investment, authorised securitisation undertakings, regulated markets, payment institutions, electronic money institutions and other entities operating in the financial sector. In addition, the CSSF is also the competent authority to ensure that such supervised entities comply with the laws protecting financial consumers and with anti-money laundering laws.

The CAA

The CAA is the competent supervisory authority for the insurance sector in Luxembourg, which includes mainly insurance undertakings, reinsurance undertakings, certain pension funds, insurance professionals and insurance intermediaries.

The CNDP

The National Commission for Data Protection (Commission Nationale pour la Protection des Données or CNDP) is the national authority to verify the legality of the processing of personal data and ensures the respect of personal freedoms and fundamental rights with regard to data protection and privacy. The CNDP is the supervisory authority for Regulation (EU) 2016/679 on data protection (GDPR).

European Regulators

In addition to national regulators, technical guidelines issued by the European Banking Authority (EBA), the European Securities Market Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) apply in Luxembourg. Significant credit institutions incorporated in Luxembourg are directly supervised by the European Central Bank (ECB).

The practice of issuing “no-action” letters does not currently exist in Luxembourg. The CSSF may provide guidance, FAQs, clarifications and conduct public consultations on regulatory compliance in the financial sector, however, these are not typically referred to as “no-action” letters.

At European level, the European Banking Authority (EBA) and ESMA do issue “no-action” letters from time to time although these letters are intended to provide guidance to market participants and are not legally binding.

Authorised financial institutions may outsource their activities subject to certain restrictions. Most importantly, strategic or core functions cannot be outsourced, and the institution needs to retain the necessary expertise to efficiently monitor such services and to manage the associated risks.

Outsourcing must comply with the detailed guidance outlined in the CSSF Circular 22/806 published in April 2022. In addition, banks should take into consideration specific requirements set out in the CSSF Circular 12/552, as amended.

Due to the need to ensure the continuity of outsourced activities, certain provisions must be included in the relevant written contracts. Among others, outsourcing agreements must set out specific clauses relating to termination and the right of the entity to monitor the service provider’s performance on an ongoing basis. In addition, specific contractual clauses are required in case an outsourced IT activity relies on a cloud computing infrastructure. Furthermore, Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA) introduced new rules governing the outsourcing functions to ICT service providers, ensuring that operations remain reliable and secure.

The extent to which fintech providers may be deemed to be “gatekeepers” depends on the business model of the company. In general, fintech entities may be deemed liable for activities on their platforms in relation to AML obligations if the activities are within the scope of the AML Law. In addition, gatekeeper liability may come into question if the fintech entity is involved in a transaction that falls under the scope of Directive (EU) 2018/822 on mandatory automatic exchange of information (DAC 6) as a reportable cross-border transaction.

The CSSF as the supervisory authority has broad powers to impose sanctions on entities subject to its supervision. For example, in the area of anti-money laundering and counter terrorist financing (AML/CFT) supervision, the CSSF has the authority to issue warnings, reprimands, administrative fines and professional disqualification, and these sanctions may be made public.

With regard to administrative fines, the CSSF has recently imposed a fine of EUR3 million on a Luxembourg bank due to non-compliance with the applicable AML/CFT legislation. The amount of the fine is proportional to the turnover of the bank.

In addition to imposing administrative fines, the CSSF may also report cases to the prosecutor’s office regarding investment firms which claim to be established in Luxembourg and offer investment services without authorisation.

Otherwise, fintech companies may be subject to enforcement actions by the CNDP for non-compliance with the applicable data-protection rules.

Data Protection and Privacy

The GDPR together with the Luxembourg Law of 1 August 2018 regulate the processing of personal data, and such rules apply regardless of the industry sector or whether the relevant entity is a legacy player or a newly established start-up. In addition to the general rules governing the processing of personal data, the rules relating to privacy by design and privacy by default as well as automated decision-making and profiling may be relevant for fintech companies.

Cybersecurity

Management of risks relating to information and communication technologies (ICT) is an essential part of the necessary risk management by financial institutions. The CSSF has recently implemented the guidelines adopted by the EBA on ICT and security risk management, which need to be complied with by all entities authorised under the Financial Sector Law and the Payment Services Law.

In addition, specific requirements apply to entities considered operators of essential services in accordance with Directive (EU) 2016/1148, as transposed into national legislation by the Law of 28 May 2019. Certain entities of the financial sector, such as banks, may need to take specific measures to manage security risks in case their services are judged by the CSSF.

Following the adoption of DORA, all entities in scope must ensure that they can withstand ICT-related disruptions and threats. In particular, fintechs may need to adhere to strict standards to prevent and limit the impact of ICT-related incidents. DORA also provides an oversight framework on service providers (such as Big Techs) which provide cloud computing to financial institutions.

The activities of financial-sector participants are mainly reviewed by the regulators, however, auditors are typically appointed by industry participants to review their business activities. Furthermore, certain regulated entities, eg, banks, must set up internal risk control, compliance and internal audit functions.

In principle, there is no general prohibition for regulated entities to combine regulated and unregulated products. However, in certain cases the regulator must be notified of such activities and may then assess the compatibility of these services and products in more detail. For example, in the case of services and products related to virtual assets, the CSSF has published FAQs outlining its position on the possibility of banks opening virtual asset accounts. According to the CSSF, banks may open accounts, similar to securities accounts, that allow customers to deposit virtual assets, however, they cannot open virtual asset bank accounts (eg, current accounts).

In accordance with the Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended, (the “AML Law”), which transposes, among others, Directive (EU) 2015/849 into national law, fintech companies that qualify as professionals under the AML Law are required to comply with several professional obligations.

The AML Law applies, eg, to banks, financial institutions, virtual asset service providers, payment institutions and electronic money institutions.

In particular, these entities are required to comply with customer due diligence obligations, adequate internal management requirements and co-operation requirements with the authorities. The CSSF is required to ensure that all the persons subject to its supervision, authorisation or registration comply with the professional AML/CFT obligations and implement a risk-based approach. Accordingly, the CSSF has broad sanctioning powers (see 2.10 Significant Enforcement Actions).

In addition, the new AML package sets up the EU Anti-Money Laundering Authority (AMLA) to directly supervise high-risk entities and mandates CASPs to comply with AML/CFT regulations, banning anonymous transactions, and enhancing transparency in the crypto sector.

Luxembourg is recognised as one of the most progressive jurisdictions in AML/CFT matters. The AML/CFT rules apply to the majority of financial entities, ensuring compliance with the Financial Action Task Force (FATF) standards. As a member of the FATF, Luxembourg adheres to over 40 FATF Recommendations and, according to the Mutual Evaluation Report 2023, is regarded as having a “solid AML/CFT” framework.

In accordance with the Financial Sector Law, third-country investment providers may rely on reverse solicitation in Luxembourg and are not obliged to establish a branch or obtain authorisation from the CSSF, provided that the services shall be provided:

• solely at the initiative of a Luxembourg client;
• without any marketing activities; and
• not to circumvent the legislation of any member state.

In addition, reverse solicitation is specifically targeted at professional investors and should not be considered a method for placing investments or offerings.

While there are no regulatory requirements in Luxembourg tailored specifically for services provided by robo-advisers, providing digital or automated services is, however, subject to the same regulatory requirements as non-automated financial advisers. Depending on the business model of the robo-adviser, specific licences will be required in accordance with the Financial Sector Law, which implements the relevant provisions of MiFID II into national law.

For example, if automated technology is used to provide personal recommendations to a client in respect of transactions relating to financial instruments, such service provider will need to be authorised by the CSSF as an investment adviser. Additionally, the Blockchain IV Law introduced the “control agent” which is responsible for managing and verifying dematerialised securities and providing a secure alternative management. Overall, this development can enhance direct distribution models, including robo-advisers.

In some cases, legacy players are implementing solutions introduced by robo-advisers. The Luxembourg bank, Banque et Caisse d’Epargne de l’Etat (BCEE), was the first retail bank in Luxembourg to launch a robo-adviser service called SpeedInvest in 2017, which helps allocate investments into certain funds. Since then, other banks have also introduced investment services based on automated tools, such as Investify, Birdee and KeyPrivate.

In accordance with the rules on best execution, the Financial Sector Law requires robo-advisers and traditional advisers to take sufficient steps when executing orders to obtain the best possible result for their clients. This includes price, costs, speed, likelihood of execution and settlement, size, nature or any other consideration relevant to the execution of the order. However, if the customer has given specific instructions, the order must be executed in accordance with such instructions.

With regard to regulation on online lenders, the main difference relates to whether the borrower is a consumer or not. Luxembourg legislation on lending in a professional or commercial context does not in principle separate different categories of legal entities based on, eg, the size of the business or the sector in which the borrower operates.

Loans to Consumers

Specific mandatory rules apply to credit agreements between a consumer and a lender acting in the context of any business activity. Lenders providing consumer credit need to be licensed either by the CSSF or in accordance with the Law of 2 September 2011 relating to the establishment of certain businesses and business licences. According to the Luxembourg Consumer Code, provisions on consumer credit apply to agreements under which the creditor grants consumer credit in the form of a deferred payment, loan or other similar financial accommodation, if, among others, the total amount of the credit is between EUR200 and EUR75,000. Specific obligations apply to the contractual relationship, which relate namely to the pre-contractual information, assessment of the consumer’s creditworthiness, content of the agreement, right of withdrawal and right of early repayment of the credit. In addition, similar obligations apply to mortgage credit agreements, ie, agreements where a creditor grants a credit to a borrower in view of the acquisition of a residential immovable property.

Loans in a Professional Context

The legal framework applicable to non-consumer loans includes fewer mandatory provisions, as general principles of contract law apply to the loan agreements. However, providing lending activities even in a professional context is in principle a regulated activity. According to the Financial Sector Law, professionals performing lending operations, ie, professionals engaging in the business of granting loans to the public for their own account, are subject to authorisation by the CSSF.

The underwriting process used by industry participants typically varies depending on the type of borrower and the type of credit. Specific regulatory requirements apply, namely in relation to AML/CFT obligations and consumer protection.

Obligations Relating to AML/CFT

All professionals operating in the financial sector typically need to comply with obligations relating to AML/CFT (see 2.14 Impact of AML and Sanctions Rules). In particular, the AML Law requires professionals to establish a customer acceptance policy adapted to their activities and to apply customer due diligence measures when establishing a business relationship. These KYC obligations include identifying and verifying the customer’s and the customer’s ultimate beneficial owner’s identities, and it may also be conducted through an online video conference.

Specific Obligations Relating to Consumer Lending

If a loan is qualified as a consumer credit agreement (see 4.1 Differences in the Business or Regulation of Fiat Currency Loans Provided to Different Entities), the lender must adhere to certain pre-contractual obligations. Prior to entering into a consumer credit agreement, the lender must provide the consumer with the necessary information to compare the different consumer credit proposals in order to make an informed decision, which is provided by using a standard European consumer credit information form. In addition, the lender must assess the consumer’s creditworthiness on the basis of sufficient information. Lastly, consumer credit agreements must be drawn up on paper or other durable medium, and each party must be provided with a signed copy of the agreement.

Fiat loans may be funded from a variety of different sources, and depending on the source of funds, different licensing requirements apply. Only entities authorised as credit institutions may receive deposits or other receivables from the public and grant credits for their own account. Other alternative sources of funds for fiat loans include securitisation and crowdfunding.

Securitisation

Luxembourg is one of the leading European centres for securitisation with a comprehensive and market-friendly legal framework. Although securitisation vehicles are exempt from the requirement to be authorised as professionals performing lending operations, authorisation by the CSSF is required if the securitisation vehicle funds its activities by issuing financial instruments to the public on a continuous basis.

Crowdfunding

Crowdfunding can be a source of fiat loans, particularly through peer-to-peer lending. Loans funded through lending-based crowdfunding platforms benefit from the newly established legal framework. The EU Crowdfunding Regulation provides a harmonised EU framework for crowdfunding services provided to non-consumer project owners relating to offers for an amount of up to EUR5 million calculated over a period of 12 months per project owner. The provision of crowdfunding services is subject to a licence as European Crowdfunding Service Provider (the ESCP) and prudential supervision by the CSSF.

Syndication of fiat currency loans provided by fintech companies is currently not market practice in Luxembourg. Loan syndication is typically used to finance larger – scale projects such as company takeovers, property projects or significant investment projects. These extensive and complex financings typically involve legacy players.

Payment processors can either use existing payment rails or alternatively create their own payment rails. However, in the latter case specific licensing requirements apply.

Luxembourg is part of the single euro payments area (SEPA), which aims to create a single euro payments area in which all scriptural (book) payments are considered as domestic; ie, without any distinction between national and cross-border payments. With regard to large-value transactions, these are currently processed through the T2 system, which settles cross-border payments in euros in real time.

When it comes to the regulation of cross-border payments, Luxembourg has implemented the Cross-Border Payment Regulation (CBPR2), Directive (EU) 2015/2366 on payment services (PSD2) (see 11.1 Regulation of Open Banking), and the SEPA Regulation. These rules integrate the EU payment market, enhancing the security of payment transactions and the regulation of cross-border payments. Additionally, AML/CFT standards require companies to verify identities, detect suspicious activities, ensure the legitimacy, monitoring of cross-border transactions, and sanction screenings.

In accordance with MiFIR/MiFID II rules, as transposed into national law, trading venues in Luxembourg can be divided into three categories: regulated markets, multilateral trading facilities (MTFs) and organised trading facilities (OTFs). Operators of a regulated market, an MTF or an OTF are subject to the authorisation and supervision of the CSSF. The only entity authorised to operate the business of a trading venue in Luxembourg is the Luxembourg Stock Exchange, which operates the regulated market named Bourse de Luxembourg and an MTF named Euro MTF. At present, there are no OTFs based in Luxembourg.

In addition, MiCA introduced a specific legal framework applicable to CASPs, including crypto asset trading platforms, requiring these service providers to be authorised by the competent authority and setting out governance and prudential requirements to be fulfilled, including permanent minimum capital requirements.

In general, the regulatory regime relating to trading is the same for all asset classes. However, specific rules on transparency and trading are slightly different for equity and debt instruments. In addition, specific rules apply with regard to crypto-assets (see 10.5 Regulation of Blockchain Asset Trading Platforms).

The emergence of cryptocurrency exchanges and the significance of the crypto sector has led to the adoption of, and proposals for, new regulations. Following the adoption of the sixth anti-money laundering directive, CASPs are required to comply with the AML legislation by ensuring the full traceability of transactions and authentication of the users (see 1.1 Evolution of the Fintech Market).

Further, MiCA introduced a prudential regime relating to cryptocurrency exchanges.

The emergence of cryptocurrency exchanges and the growth of the sector around crypto-assets has also prompted Luxembourg to adopt the Blockchain IV Law.

Additional regulatory changes at European level are expected with respect to decentralised exchanges (see 10.9 Decentralised Finance (DeFi)).

Listing standards vary depending on the relevant trading venue and the type of financial instrument. In accordance with the Law of 30 May 2018 on markets in financial instruments, as amended, regulated markets shall have clear and transparent rules regarding the admission to trading of financial instruments. For listing on the Luxembourg Stock Exchange’s regulated market, issuers must publish a prospectus prepared in accordance with Regulation (EU) 2017/1129 on prospectuses (the “Prospectus Regulation”) that has been reviewed and approved by the CSSF. Alternatively, the prospectus may be approved by a competent authority of another EU member state and passported to Luxembourg. For listing on the Euro MTF in Luxembourg, the prospectus must be approved by the Luxembourg Stock Exchange.

Following the listing and admission to trading on either trading venue, issuers must regularly disclose regulated information concerning their business and the listed security.

In accordance with the MiFID II/MiFIR framework, the Financial Sector Law requires that investment firms and credit institutions that are authorised to execute orders on behalf of their clients must implement procedures and arrangements which provide for the prompt, fair and expeditious execution of client orders, relative to other client orders or their own trading interests. Otherwise, comparable client orders must be executed in accordance with the time of their reception.

There are currently no peer-to-peer trading platforms located in Luxembourg. The regulator has so far not provided specific guidance on the regulatory environment applicable to them, and whether or not specific rules on, eg, AML and loan origination apply, should be checked on a case-by-case basis.

The MiFID II legal framework, as transposed into Luxembourg law, in principle prohibits the possibility of routing client orders to a particular trading venue or execution venue to receive any remuneration, discount or non-monetary benefit. In practice, and as clarified by guidance issued by ESMA, payments for order flows between brokers and market makers are in general not permitted.

Fees, commissions or non-monetary benefits from a third party may only be accepted if such benefit is designed to enhance the quality of the relevant service to the client and does not impair the service provider’s duty to act honestly, fairly and professionally in accordance with the best interest of its clients. In addition, the benefits received must be clearly disclosed to the client before providing the relevant service.

The basic legal framework to preserve market integrity is laid out in the Regulation (EU) No 596/2014 on market abuse (the Market Abuse Regulation), which is directly applicable in Luxembourg.

The Market Abuse Regulation, together with the delegated and implementing acts, imposes rules regarding disclosure, recommending/inducing prohibitions on persons in possession of inside information, ongoing issuer disclosure obligations and prohibition on market manipulation. The CSSF is the competent authority in Luxembourg for the purposes of the Market Abuse Regulation and has the supervisory and investigatory powers. Non-compliance may lead to administrative sanctions or criminal liability.

The rules applicable in Luxembourg for the creation and usage of high-frequency and algorithmic trading have been implemented in the Law of 30 May 2018 on markets in financial instruments, transposing MiFID II. These rules apply to trading of all financial instruments, and no differentiation is made between different asset classes within the scope of MiFID II.

Investment firms, credit institutions and certain other entities incorporated in Luxembourg that engage in algorithmic trading must have effective systems and risk controls in place that ensure, among others, that the trading systems:

• are resilient and have sufficient capacity;
• are subject to appropriate trading thresholds and limits;
• prevent the sending of erroneous orders; and
• cannot be used for purposes that are contrary to the EU Market Abuse Regulation.

In addition, such systems need to be fully tested and properly monitored, and effective business continuity arrangements need to be in place to deal with any failure of the systems. Engagement in algorithmic trading needs to be notified to the CSSF.

Specific requirements apply in accordance with the MiFID II legal framework if the entity engaging in algorithmic trading is pursuing a market-making strategy. An entity is considered to pursue a market-making strategy when dealing on its own account, as a member or participant of a trading venue, its strategy involves posting firm, simultaneous two-way quotes of comparable size and at competitive prices relating to one or more financial instruments on a single trading venue or across different trading venues, with the result of providing liquidity on a regular and frequent basis to the overall market. These requirements include entering into a binding market making agreement with the trading venue and carrying out the market making continuously during a specific proportion of the trading hours.

In contrast to MiFID II, MiCA covers the term “market participant”. Market participants include, but are not limited to, CASPs, which are subject to authorisation and rules of transparency and consumer protection. In addition, all digital issuers, who may also be considered market participants, should adhere to strict disclosure requirements. Therefore, market makers may fall under the scope of MiCA if they align with the role of CASPs, namely the buying and selling of financial instruments.

The applicable regulations do not distinguish between funds and dealers engaged in high-frequency or algorithmic trading.

Programmers who develop and create trading algorithms are not directly regulated, however, the investment firm using such trading algorithms or other electronic trading tools must ensure that the trading tools it uses comply with the regulatory requirements (see 7.1 Creation and Usage Regulations). An investment firm that outsources or procures software or hardware used in algorithmic trading activities remains fully responsible for its legal obligations relating to algorithmic trading.

Insurance underwriting is a licensed activity in Luxembourg, governed by the Law of 7 December 2015 on the insurance sector, as amended, and insurance companies located in Luxembourg are supervised by the CAA. In particular, insurance contracts are subject to the specific regulatory requirements laid out in the Law of 27 July 1997 on insurance contracts, as amended, which requires, eg, providing certain pre-contractual information to customers. Consumer and data protection requirements must also be taken into consideration, as applicable to the specific underwriting processes.

The main types of insurance in Luxembourg are life insurance and non-life-insurance, which are governed by separate legal provisions as outlined in the Law of 7 December 2015 on the insurance sector, as amended. Life insurance contracts under the Luxembourg legal framework provide an important part of Luxembourg’s wealth management offering. In addition, the Consumer Code applies to insurance contracts concluded with consumers, unless specific provisions of the Law of 27 July 1997 on the insurance contract, as amended, state otherwise.

Regtech providers are not directly regulated in Luxembourg. However, they might fall within the scope of the existing financial services regulation depending on their activities. If regtech companies provide services for regulated financial service entities, they may need to be licensed as a support Professional of the Financial Sector (PFS) in accordance with the Financial Sector Law. Relevant support PFS licences that may be required for regtech providers include authorisation to act as client communication agent, administrative agent, primary IT systems operator or secondary IT systems and communication networks operator. Regtech entities providing merely technical solutions would not typically be subject to these licence requirements.

There are no specific contractual terms dictated by regulation that financial service firms would need to impose on regtech service providers. In addition to terms following general industry practice, if the service provided falls under the scope of outsourcing, specific contractual requirements apply (see 2.8 Outsourcing of Regulated Functions).

Blockchain-based products and solutions are increasingly used by traditional players of the financial services industry in Luxembourg. For example, the European Investment Bank has continued to develop the digitalisation of capital markets by issuing digital bonds on private and public blockchains. Two out of the total three digital bonds issued so far are governed by Luxembourg law. The euro-denominated digital bonds issued in late 2022 also involved the Central Bank of Luxembourg, which, together with the Central Bank of France, provided a digital representation of euro central bank money in the form of tokens. Furthermore, in 2024, the CSSF authorised the launch of the first tokenised UCITS fund in its kind in Luxembourg by using a blockchain-enabled transfer agency platform.

In addition, since January 2022, the Luxembourg Stock Exchange admits security tokens to be registered onto the Securities Official List (SOL), which marks an important step towards making DLT securities mainstream and enhancing visibility. Due to the current regulatory framework applicable in the EU, security tokens cannot be admitted to trading on a regulated market or MTF. However, thanks to the DLT Pilot Regime (see 2.5 Regulatory Sandbox), MTFs can be granted temporary exemptions, for a period of up to six years, from certain existing requirements in order to enable DLT to also be used for trading (see 10.5 Regulation of Blockchain Asset Trading Platforms).

The CSSF has indicated that it applies a principle of technology neutrality towards the use of blockchain and has acknowledged that innovative processes and technologies such as DLT, when properly used, can improve the provision of financial services.

In line with this approach, in 2022 the CSSF published a non-binding document in the form of a White Paper, which aims at guiding interested professionals in the conduct of their due diligence process related to DLT and its use in the provision of services in the financial sector. The purpose of the White Paper is to ensure that risks and advantages in the use of such technologies are appropriately taken into consideration, by proposing key questions and recommendations that should be considered by market participants when performing their risk analysis and due diligence processes.

Overall, with the adoption of MiCA and the Blockchain IV Law, Luxembourg is emerging as a leading European hub in the digital finance sector. The dual framework of EU and national legislation creates a secure environment for digital assets, digital securities, and related technologies and highlights Luxembourg’s commitment to aligning with EU objectives for innovation and market security.

There is currently no general legal framework or single legal definition of blockchain assets applicable in Luxembourg. Moreover, there are several related terms often used in this context, eg, the Luxembourg regulator does not use the term “blockchain assets” in its guidance, but uses the term “virtual assets”, while the term “crypto-assets” has been used at an EU level, eg, in MiCA and in documentation issued by ESMA.

Regardless of the terminology used, blockchain assets may, or may not, be considered a form of regulated financial instruments falling within the scope of existing financial services regulation, and such assessment should be made on a case-by-case basis depending on the characteristics of the asset.

With regard to AML/CFT legislation, the Luxembourg AML Law was amended in 2020 in accordance with the fifth EU anti-money laundering directive (2018/843/EU), by introducing the obligation of virtual asset service providers to register with the CSSF and to comply with certain AML/CFT obligations. Virtual assets are defined as a digital representation of value, including virtual currencies, that can be digitally traded, or transferred, and can be used for payment or investment purposes, however, excluding virtual assets that fulfil the conditions of electronic money, as defined in the Payment Services Law, and virtual assets that fulfil the conditions of financial instruments, as defined in the Financial Sector Law.

In addition, MiCA regulates crypto-assets that so far have fallen outside of the scope of specific regulation. The definition of crypto-assets includes any digital representation of value or rights that may be transferred or stored electronically, using a distributed ledger or similar technology. The applicable new rules, which include transparency and authorisation requirements, will differ based on the characteristic of the token.

Lastly, in assessing the legal classifications of blockchain assets, financial market participants should take into account guidance published by the Luxembourg regulator. With regard to the classification of virtual assets, the CSSF has emphasised that, although all tokens constitute a digital representation value that is provided by a technology using DLT and cryptography, the tokens come with a variety of rights. The intrinsic characteristics and functions of the token determine the risks and whether or not it is possible for a professional of the financial sector to get involved in them. However, determining when virtual assets qualify as financial instruments under the Financial Sector Law remains subject to a case-by-case assessment.

In 2019, Luxembourg passed a new law which permits the use of blockchain/DLT for the holding and managing of securities accounts. This legal basis, which deemed the use of DLT and blockchain technologies equivalent to other secured electronic recording mechanisms for the transmission of securities, was supplemented in 2021 by allowing these technologies to be used also for the issuance of dematerialised securities. However, the securities issuance accounts relating to securities admitted to trading on a regulated market or an MTF can be held only with a settlement organisation.

In addition, depending on the nature of the financial instrument, the issuer may be subject to:

• the Prospectus Regulation;
• the Law of 11 January 2008 on transparency requirements for issuers;
• the AML Law;
• the Market Abuse Regulation;
• the MiFID II framework, among others; and/or
• MiCA.

The regulation of blockchain asset trading platforms depends on the regulatory status of the assets traded on the platform. For blockchain assets that do not qualify as financial instruments under the MiFID II framework, the relevant trading platforms are now subject to the regulatory requirements set out in MiCA, which fully took effect on 30 December 2024.

If the blockchain assets qualify as financial instruments under the MiFID II framework, the trading venues would also fall within the scope of the MiFID II rules on trading venues. Pursuant to advice published in 2019, ESMA took the preliminary view that if crypto-assets qualify as financial instruments, platforms trading these assets with a central order book and/or matching orders under other trading models would be likely to qualify as multilateral systems. Such platforms should therefore operate as regulated markets, MTFs or OTFs.

The currently applicable EU regulatory framework requires the transfer of any such instrument to be settled through central securities depositories (CSD) in accordance with Regulation (EU) No 909/2014 on central securities depositories, as amended (CSDR), and accordingly, DLT financial instruments cannot currently be admitted to trading on a regulated market, MTF or OTF. However, in view of encouraging technological innovation in the area of settlement, the DLT Pilot Regime provides a possibility for MTFs and CSD to be exempt from certain provisions of CSDR. The CSDR, as amended, allows the possibility to grant authorisation to non-operational CSD whose compliance with regulatory requirements cannot be assessed, if the competent authority believes that the CSD will comply by the time it begins its activities.

The provision of staking services relating to cryptocurrencies are neither addressed nor prohibited by MiCA. Nevertheless, the provisions of MiCA would apply in the event that a staking service provider holds crypto-assets in custody. If staking services are offered alongside other crypto-asset services, the CASP must obtain consent from the client before staking their crypto-assets.

The lending and borrowing services related to crypto-assets are not addressed by MiCA, but these activities are still subject to regulatory oversight, in particular for compliance with AML/CFT standards. Furthermore, licensing may be required depending on the nature of services offered, such as collateralised loans or the use of fiat currencies.

MiCA does not directly address cryptocurrency derivatives. However, derivatives that qualify as financial instruments with crypto-assets as their underlying asset are regulated under MiFID II. Since cryptocurrency is classified as a crypto-asset, these financial instruments fall under the regulation of MiFID II. Additionally, cryptocurrency derivatives are subject to the Market Abuse Regulation if they are traded on regulated markets, MTFs, or OTFs.

There are no specific regulations governing DeFi in Luxembourg. Since DeFi includes a broad range of financial services, it should be assessed on a case-by-case basis whether a certain activity or product would fall within the scope of existing financial services regulation. At European level, MiCA failed to directly address DeFi. Nevertheless, ESMA is actively monitoring DeFi developments and co-operating with international organisations such as the Internal Organisation of Securities Commissions and the Financial Stability Board.

In addition, if a party facilitates the trading of security tokens or cryptocurrencies without any intermediary, MiCA shall not apply.

While there is no specific regulation targeting funds that invest in blockchain assets, according to the recently updated ESMA Q&As on AIFMD, managers of an undertaking investing in crypto assets may be subject to the directive, if the relevant undertaking meets the definition of an alternative investment fund (AIF). Funds that raise capital from a number of investors to invest in crypto assets in accordance with a defined investment policy for the benefit of those investors, will qualify as an AIF in accordance with the AIFMD.

Although the AIFMD does not provide a list of eligible or non-eligible assets, the CSSF has published FAQs on the possibility of investment funds to invest in virtual assets. Pursuant to the position of the CSSF, an AIF may invest directly (and indirectly) in virtual assets if its units are marketed only to professional investors, and a Luxembourg authorised AIFM must obtain an authorisation from the CSSF for this investment strategy. Accordingly, the CSSF has indicated that UCITS and UCIs addressing non-professional customers and pension funds are not allowed to invest, directly or indirectly, in virtual assets (as defined in the AML Law).

In accordance with the AML Law, virtual currencies, ie, digital representations of value that are not issued or guaranteed by a central bank or a public authority, which are not necessarily attached to a legally established currency and do not possess a legal status of currency or money, but are accepted by persons as a means of exchange and which can be transferred, stored and traded digitally, are also considered to be virtual assets. Therefore, the relevant AML/CFT obligations also apply to virtual currencies (see 10.3 Classification of Blockchain Assets).

There are currently no specific provisions relating to non-fungible tokens (NFTs) and NFT platforms in Luxembourg. Unless NFTs are considered to be virtual assets or financial instruments, they would not fall within the scope of existing financial services regulations. For example, guidance issued by the FATF outlines that digital assets which are unique, rather than interchangeable, and which are used as collectibles rather than as payment or investment instruments, would generally not be considered as virtual assets.

Nonetheless, whether or not NFTs could be used for payment or investment purposes, and thus qualify as virtual assets, should be assessed on a case-by-case basis. If an NFT qualifies as a virtual asset under the AML Law, specific registration and AML/CFT obligations would apply (see 10.3 Classification of Blockchain Assets). Moreover, NFTs are also excluded from the scope of MiCA, unless their de facto uses or features would qualify as crypto-assets under MiCA.

The main regulation governing open banking, PSD2 has been transposed into Luxembourg law by the Law of 20 July 2018 amending the Payment Services Law. PSD2 enables customers to share their data securely via application programming interfaces with banks and third parties, allowing the customers to compare products, initiate payments and request account information.

Although PSD2 has significantly impacted the payment sector in the EU, it can be argued that so far open banking in Europe has not fully lived up to its expectations. Some technical issues faced by third-party providers due to PSD2 rules have required further fine-tuning to the legal framework, which has, for example, required the EBA to extend the frequency of customer re-authentication from 90 days to 180 days.

Concerns raised by open banking include risks relating to data protection and security breaches. Both topics are highly regulated by the EU, as the GDPR also applies to open banking, and financial sector regulation, including PSD2 and DORA, which applies from January 2025 and includes strict requirements to increase cybersecurity and the resilience of ICT infrastructures. So far, there have not been any significant enforcement actions by the competent authorities in Luxembourg relating to open banking.

There are no specific elements relating to fraud in financial services. The general definition of fraud under the Luxembourg criminal code applies, which requires the employment of fraudulent manoeuvres or abuse of trust or credulity. The CSSF has highlighted the main elements to detect suspicious providers, including unsolicited contact, offers of high profits or returns, tight deadlines, trial investments, and unclear identification of contracting parties, among other suspicious manoeuvres.

The CSSF provides recommendations and warnings in order to detect and report fraudulent activities. In particular, the CSSF is mostly vigilant with respect to falsification of websites of supervised entities, identity theft and cold calling.

Fintech service providers are governed by the Payment Service Law according to which they are responsible for customer losses in cases of unauthorised transactions and are obliged to refund the customer.

In accordance with MiCA, CASPs are responsible to their clients for any losses resulting from incidents related to ICT, including cyber-attacks, theft, or any system failures, as well as for any loss of crypto-assets resulting from providing custody and administration services. Besides, the CSSF has the power to impose administrative penalties and other administrative sanctions (see 2.10 Significant Enforcement Actions).