Market Evolution – The Resilience of the French Ecosystem

The French fintech ecosystem has established itself as a leading hub within the European Union (EU), with a network of approximately 1,200 companies (including 12 unicorns) and around 50,000 jobs. In 2025, the French market demonstrated strong resilience; by September 2025, French fintech companies had raised approximately EUR825 million in equity, reaching a total of around EUR1.1 billion by year-end, despite the sharp decline in fundraising observed throughout 2023 and 2024.

A Dynamic Ecosystem

Moving into 2026, the French fintech ecosystem remains highly dynamic but has structurally matured, entering a phase defined by a “flight to quality”. Investors and founders have shifted their focus from rapid cash-burn strategies to profitability, sustainable business models, and robust B2B solutions (such as embedded finance, CFO tools and cybersecurity). Consolidation is also accelerating, with a notable increase in M&A activity. Internationalisation has also become a major growth driver, with many French fintechs operating (or planning to operate) outside their home market. The ecosystem’s trajectory will be heavily influenced by its ability to absorb a new wave of EU regulations, including the Digital Operational Resilience Act (DORA) and the AI Act.

AI has transitioned from an experimental discipline to the central nervous system of French fintech development. Over 80% of surveyed fintechs in France now rely on AI as a core technology. The use cases for AI models have become more sophisticated and diverse, notably in relation to fraud detection algorithms and the enhancement of anti-money laundering (AML) systems through real-time behavioural pattern analysis. AI is also being deployed to create highly personalised customer experiences.

From a forward-looking perspective, these developments could profoundly reshape the nature of the internet, with traffic increasingly dominated by autonomous agents rather than human users. These AI agents could become primary economic actors, relying on programmable, digital representations of money as a settlement layer and thereby enabling a “machine-to-machine economy”.

The French fintech ecosystem comprises various business models, including a wide range of:

• neobanks, payment apps and e-money institutions;
• personal finance/wealth management apps;
• crowdfunding and crowdlending platforms;
• asset management solutions; and
• digital asset players or hardware wallet makers.

The ecosystem also features AI-driven solutions and regtech providers, which help financial institutions to manage compliance and risks, and provide AML tools (transaction monitoring, KYC, automated reports, etc).

From a business perspective, a clear distinction has emerged between “digital native” players and legacy institutions launching “digital first attacker” products. For example, LCL (a major French bank) has rolled out a 100% digital banking offer dedicated to entrepreneurs, designed to compete with neobanks.

Furthermore, an increasing number of fintechs are integrating environmental and social impact objectives directly into their core architecture. This shift is primarily driven by stringent EU regulations (such as the Corporate Sustainability Reporting Directive (CSRD) and the Sustainable Finance Disclosure Regulation (SFDR)) and by investor expectations.

In France, there is no fintech-specific regulation. The applicable regime, mostly derived from EU law, depends on the underlying business model and activity. Depending on the vertical, several regulatory regimes may apply.

Neobanks and Payment Apps

These generally operate under payment services providers (PSPs), credit institutions or electronic money institutions (EMIs) licences. Notably, account aggregators and payment initiation tools are specifically regulated as account information service providers (AISPs) or payment initiation service providers (PISPs) under the PSD2 framework.

Personal Finance and Wealth Management Apps

Depending on the services provided, these are generally regulated as AISPs, financial investment advisers (Conseillers en investissements financiers – CIFs) or investment services providers (Prestataires de services d’investissement – PSIs), including robo-advisers. Insurtechs and robo-advisers that include life insurance products or brokerage features must also be registered as insurance intermediaries (IAS) with ORIAS, the French register of banking, finance and insurance intermediaries.

Crowdfunding and Crowdlending Platforms

These are regulated as crowdfunding services providers, under the Regulation on European Crowdfunding Service Providers (ECSP). Residual activities not covered by the EU regulation – such as certain types of donations (cagnottes) or specific intermediaries in crowdfinancing (IFP) for projects outside the ECSP’s scope – remain subject to French law.

Digital Asset Players

Where applicable, these are subject to the PACTE law and the digital asset services providers (DASPs) regime, until 30 June 2026. Following the Markets in Crypto-assets Regulation’s (MiCAR) full application in 2025:

• new players must be authorised as crypto-assets services providers (CASPs); and
• existing DASPs can continue operating while finalising their transition to full CASP status.

Consequently, from 1 July 2026, all crypto-asset companies must have obtained a CASP licence from the Financial Markets Authority (Autorité des Marchés Financiers – AMF) to operate in France and benefit from the European passport.

Compensation models used by French fintechs are diverse, ranging from transaction-based fees and subscriptions to performance-based commissions. While these models are generally flexible, they are governed by strict transparency mandates to protect retail and professional clients.

Banks and Neobanks

For banks and neobanks, compensation is mostly based on monthly subscriptions and per-transaction fees. A critical regulatory cap remains for payment incident fees (limited to EUR25 per month for financially vulnerable clients). Furthermore, several neobanks have popularised cashback systems; legally, these often operate as commercial rebates or affiliate commissions from merchant partners. Under French consumer law, any fees charged specifically for a “cashback” service (ie, cash withdrawal at a merchant) must be disclosed prior to completion of the transaction.

Investment Firms and Brokerage (PFOF Prohibition)

A major shift has occurred in 2026 with the EU-wide ban on Payment for Order Flow (PFOF) under the MiFIR review. Reinforcing the “best execution” principle, French investment firms are now strictly prohibited from receiving fees or commissions from third parties for routing client orders to specific market makers.

CIFs and Investment Firms

These remain subject to the MiFID II inducement regime, which requires them to disclose any benefits received from third parties, and to demonstrate that such benefits enhance the quality of the service provided to the client.

CASPs

Since the entry into application of MiCAR, these must comply with harmonised disclosure rules and are required to publish their fee structure on their website (transaction fees, custody costs, etc). The MiFID II inducements framework served as a foundation for MiCAR, which imposes similar obligations on CASPs.

French law does not distinguish between “fintech” and “legacy” players. As a result, the regulatory burden is determined by the specific financial services provided and the scale of the associated risks. A principle of proportionality is generally applied in favour of smaller fintech companies by the French regulators. The regulation is therefore activity-based and strictly tied to the nature of the services provided rather than the type of entity.

Legacy players (banks, insurers, EMI, ISPs, etc) are in a monopolistic position and generally operate under institutional frameworks, such as CRR3/CRD6 for banking or Solvency II for insurance, with strong capital requirements, specific governance schemes and systemic risk-prevention obligations.

A key distinction remains for fintechs acting purely as technology providers (eg, pure AI providers, regtech, or Software as a Service (SaaS) for banks – as long as they do not provide payment or investment services). These players often remain outside the direct scope of financial licensing.

Because they are mindful of the rapid evolution of the market, French regulators have established dedicated teams (such as the Prudential Supervision and Resolution Authority’s (Autorité de contrôle prudentiel et de résolution – ACPR) Pôle Fintech-Innovation) and events (such as the AMF-ACPR Fintech Forum) to provide guidance for entrepreneurs. France has therefore opted for a proportional support model rather than regulatory sandboxes. This landscape is evolving in 2026: following the EU AI Act, France is establishing a dedicated AI sandbox that shall be effective by August 2026.

The French regulatory landscape is defined by a “Twin Peaks” model, with two authorities operating in separated fields.

The ACPR (prudential supervision), attached to the Banque de France, is in charge of preserving the stability of the financial and banking system. It grants authorisations for banking, payment services and insurance. Its jurisdiction covers solvency, capital requirements and AML procedures.

The AMF (market conduct supervision) is an independent authority focused on market integrity and investor protection. The AMF is in charge of granting licences for portfolio management companies, ECSPs and DASPs.

In some cases, the ACPR and the AMF work together – for instance, for the approval of activity programmes for entities applying as ISPs: if the licence is formally granted by the ACPR, the AMF oversees how their products are marketed to the public. 

There is no possibility for French regulators to issue “no-action” letters like those of the US SEC; only the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA) may issue such recommendations. On 10 June 2025, the EBA issued a formal “no-action” letter (EBA/Op/2025/08) addressing the interplay between PSD2 and MiCAR. Since e-money tokens (EMTs) are legally classified as “funds”, the EBA confirmed that their transfer or custody for third parties constitutes a payment service, theoretically requiring a dual authorisation as both a CASP and a payment institution.

This letter introduced a transitional period ending on 2 March 2026, which was further clarified by an EBA opinion on 12 February 2026, regarding supervisory priorities. For the French ecosystem, the ACPR has implemented a simplified licensing process, allowing CASPs to submit a lightened payment institution application provided their activities are strictly limited to EMTs. However, this administrative simplification does not extend to prudential requirements: firms must meet the own funds standards of both MiCAR and PSD2 cumulatively and ensure that capital is not mutualised between the two regimes.

The framework for outsourcing in France relies on the principle that, while operational responsibility can be delegated, regulatory responsibility remains strictly non-transferable. Moreover, regulated functions can only be outsourced to regulated entities, which are authorised/licensed to perform these functions. EBA guidelines on outsourcing are entirely implemented into French law. In this regard, the Decree of 3 November 2014 expressly provides that “the outsourcing of activities shall give rise to a written contract” between the parties.

Under EBA Guidelines, contracts for “critical or important” functions must include specific mandatory clauses. Notably, the regulated entity is required to contractually secure full and unrestricted rights of inspection/audit over the service provider. This right allows the institution to monitor the provider’s compliance with its obligations and is essential, as financial institutions remain responsible for the actions of their providers.

This regulatory framework has been enhanced by the full entry into application of DORA. This Regulation introduces a harmonised European regime regarding third-party ICT service providers. In principle, the requirements under DORA apply in parallel to the outsourcing requirements.

As a general principle, fintech providers, when they are regulated entities, are deemed to ensure that the services they provide are not linked to illicit activities or money laundering – bearing in mind that unregulated players are also strictly forbidden from knowingly facilitating illicit activities. For this purpose, they are subject to strict AML/CFT legislation, requiring them to prevent their platforms from being used for criminal ends (KYC, proactive fraud reporting, transaction monitoring, etc).

The AMF and ACPR can conduct on-site investigations and initiate disciplinary proceedings. At the heart of their enforcement framework are independent “Sanction Commissions” (Commissions des Sanctions), which act as autonomous courts capable of imposing significant administrative fines and even professional bans to ensure market integrity and consumer protection. Part of the sanction is to be published, to let third parties know about the decision of the commission.

French regulators have increased their activity in the field of crypto-assets, in the context of the approaching end of the MiCAR transitional period. In 2025 alone, the AMF added 71 new websites to its blacklist for illegally offering crypto-asset services. In February 2026, the AMF reiterated that all providers failing to obtain the mandatory CASP authorisation by the 1 July 2026 deadline must immediately cease their activities in France or face severe criminal penalties. To enforce these rules, the regulator will publish blacklists of unauthorised platforms and is prepared to seek court orders to block access to their websites.

Moreover, in its 2026 roadmap, the AMF announced that it will conduct targeted inspections to ensure the robustness of regulated entities’ cybersecurity systems, specifically focusing on their alignment with the DORA framework.

All industry participants in the French fintech ecosystem face a dual burden where financial regulation intersects with transversal non-financial regulation. Both legacy players and fintechs are subject to the General Data Protection Regulation (GDPR) and the supervision of the French data authority, the CNIL (Commission nationale de l'informatique et des libertés). In the context of open banking, they handle vast amounts of data, making its management a critical competitive and legal stake.

Beyond data privacy, cybersecurity has become a major non-financial stake for the industry (under the authority of the National Cybersecurity Agency – Agence nationale de la sécurité des systèmes d’information, ANSSI). While legacy banks and large-scale institutions were previously the main targets of cybersecurity mandates under Directive (EU) 2016/1148 of 6 July 2016 (the Network and Information Security Directive), DORA now applies to them. Moving into 2026, French fintechs must now adhere to stringent ICT risk management frameworks and reporting standards.

Furthermore, the French ecosystem is uniquely impacted by the Law of 9 June 2023 on commercial influence, which regulates social media activities. This law forces industry participants to strictly monitor their digital marketing strategies, as influencers are now prohibited from promoting financial services or crypto-assets unless the underlying provider is duly registered or licensed as a competent regulated player (such as a PSAN/DASP).

In France, the activities of industry participants are routinely reviewed by third parties in addition to regulators. As a matter of corporate law, the appointment of a statutory auditor (commissaire aux comptes) is mandatory for all sociétés anonymes and, once certain size thresholds are met, for sociétés par actions simplifiées (EUR10 million in turnover, EUR5 million in balance sheet total, or 50 employees). Furthermore, any entity engaging in regulated financial activities must engage a certified accounting firm to ensure the integrity of its financial reporting.

For regulated financial institutions, external review is layered on top of stringent internal control requirements. To obtain and maintain their licences, firms must implement a robust compliance and risk-management framework, including permanent control, periodic control and internal audit functions. These internal functions are complemented in practice by external advisers (audit firms, compliance consultants, IT and cybersecurity specialists) who perform independent reviews, testing and remediation work on internal policies, procedures and systems. A significant portion of the ongoing oversight of regulated entities is outsourced to such third-party professionals, under the ultimate responsibility of the regulated firm.

French regulated entities may offer non-regulated services alongside their authorised activities, provided they maintain strict structural and operational boundaries. Credit institutions, for instance, can perform “ancillary operations” as long as these non-monopoly activities remain limited – typically under 10% of their net banking income – to avoid distorting competition.

Moreover, specific actors such as crowdfunding intermediaries are generally prohibited from engaging in activities outside their authorised scope (except as PSP agents).

Regulated fintechs operate under the same stringent AML/CFT and sanctions framework as legacy players. This framework requires massive investment in customer due diligence, real-time transaction monitoring, and robust internal governance, with high regulatory expectations from the AMF and the ACPR. Furthermore, considering the upcoming EU AML Package (including the direct application of the AMLR in July 2027), regulated actors must begin upgrading their compliance infrastructures immediately to align with new harmonised European standards. Consequently, compliance can be a significant structural barrier and a high “cost of entry” for smaller, under-resourced start-ups.

Conversely, unregulated fintechs remain outside the formal scope of AML laws.

France has been a member of the Financial Action Task Force (FATF) since 1990 and is therefore bound by its standards on AML/CFT.

In 2022, the FATF reviewed how effectively France combats money laundering and terrorist financing, as well as its level of compliance with FATF standards. The evaluation found that France has a strong and sophisticated system in place, delivering solid results in several areas – particularly law enforcement efforts, asset confiscation and international co-operation. However, the report also highlighted the need for stronger oversight of professionals involved in managing legal entities and the real estate sector.

France performs especially well in the use of financial intelligence and in conducting money‑laundering investigations and prosecutions, with authorities giving priority to complex, high‑value cases. Nonetheless, despite increases in staffing, the shortage of specialised investigative resources continues to prolong inquiries, particularly in more intricate money‑laundering matters.

For traditional banking, the entry into force of the CRD VI Directive in autumn 2026 mandates that third-country entities must provide banking services (lending, deposits, etc) through an authorised EU branch. Reverse solicitation remains an exception but is strictly interpreted under the EBA guidelines: the core banking service must be provided at the own exclusive initiative of the EU client or counterparty – which makes marketing activities by the third-country entity incompatible with reverse solicitation. The same principle of reverse solicitation as an exception applies to investment services.

For crypto-asset services, these reverse solicitation principles are much stricter: MiCAR provides that a third-country entity can provide a crypto-asset service to EU residents under a reverse solicitation principle: the service must be provided at the own exclusive initiative of the EU client. This framework codifies long-standing French practice that relies on a “bundle of clues” to identify active solicitation, such as the use of a “.fr” domain, French contact details, or promotional communications directed at French residents.

According to the ESMA Guidelines of February 2025, solicitation is defined broadly and in a “technology-neutral” manner, encompassing any promotion, advertisement or offer made through internet commercials, social media, mobile applications or sponsorship deals. These guidelines provide that third-country entities are deemed to be soliciting if they utilise geo-targeted digital ads, country-specific SEOs, or websites in official EU languages not customary in international finance.

While legacy players traditionally rely on human intervention, some fintechs use wholly automated processes, gathering client data through standardised questionnaires to provide automated advice or management. These activities generally fall under the MiFID II framework, requiring licensing as an investment service provider (ISP) or a financial investment adviser (CIF), while insurance-focused models must register with ORIAS.

The introduction of crypto-assets has added a new layer of complexity to these models. However, for platforms managing security tokens (which are digital representations of financial instruments) or traditional listed assets (stocks, bonds, ETFs), the business model remains anchored in the MiFID II framework.

French and EU law make a clear distinction between security tokens and other crypto-assets, which is driven by whether a crypto-asset:

• qualifies as a financial instrument under MiFID II; or
• falls under the MiCAR regime.

Depending on this qualification, the underlying activity requires different business models and mandatory licences.

Traditional financial institutions have progressively integrated robo-advisers to modernise their offerings and maintain their competitive edge. To achieve this, many have adopted a hybrid model that blends automated advice with human expertise. In this framework, robo-advisers are deployed for routine, low-value tasks, freeing up human wealth managers to step in for more complex situations and address highly specific client needs.

Meanwhile, other incumbent players have chosen to develop their own automated advisory platforms – either by building them in-house or by forging strategic partnerships – to complement their client services. Through these initiatives, robo-advisory capabilities are embedded into their existing product suites.

When robo-advisers provide investment services, they are subject to the full suite of regulations applicable to that activity. In particular, MiFID II requires investment service providers to ensure they obtain the best possible results when executing orders for their clients and implement a dedicated policy.

As of 2026, the French crowdlending market is governed (almost) entirely by the European Crowdfunding Service Provider (ECSP) Regulation, which has superseded the domestic regime introduced in 2014. Whereas the original French framework created a narrow exemption from the banking monopoly with strict quantitative caps – such as a EUR2,000 limit per lender and a EUR1 million ceiling per project – the current harmonised European regime offers a more streamlined environment for business financing.

The applicable regulatory framework is structured as follows.

• Platforms must be authorised as crowdfunding service providers (CSPs) by the AMF. Where their business model includes the facilitation of loans, the ACPR must also give its prior assent.
• Proportionate regulation: unlike traditional lenders, which must be licensed as full credit institutions, crowdlending platforms are subject to a regulatory framework calibrated to their role as financial intermediaries.
• The former French “crowdfunding intermediary” (IFP) status is now maintained solely for platforms whose activities are strictly confined to donations and interest-free loans, which fall outside the scope of the EU ECSP Regulation.

In the French crowdlending market, underwriting is primarily driven by each platform’s internal credit policies rather than by prescriptive rules on how to assess credit risk. Platforms generally combine borrower onboarding (KYC/AML, identity and legal checks, sector exclusions) with financial analysis of the borrower and the project (financial statements, cash flow forecasts, leverage, collateral/guarantees where relevant), often supported by proprietary scoring models used to grade risk and set pricing and eligibility thresholds. For SME and corporate borrowers, these models are increasingly enriched with sector-specific stress scenarios, behavioural data (payment incidents, covenant breaches) and forward-looking indicators (order book, macroeconomic sensitivity).

Regulation does not impose a standardised underwriting methodology but indirectly shapes these processes through stringent information and investor-protection requirements under Regulation (EU) 2020/1503. Crowdfunding service providers must produce a key investment information sheet for each offer, ensure that disclosures are fair, clear and not misleading, and implement procedures to assess whether investors can bear the risks associated with the proposed investments. In addition, CSPs are required to perform project due diligence proportionate to the nature, scale and complexity of the transaction, to document their credit decisions, and to implement robust internal controls over their scoring models (periodic back-testing, model validation and governance). They must monitor portfolio performance (defaults, restructurings, recovery rates) and adjust their underwriting standards accordingly, as these metrics are scrutinised by regulators.

The primary source of funds for fintech-led loans was individual retail investors. Today, this is strictly governed by Regulation (EU) 2020/1503, which harmonises the rules for crowdfunding service providers across the EU. The key distinction lies in the classification of sophisticated and unsophisticated investors. Unsophisticated investors benefit from a “reflection period” and stricter investment limits, while sophisticated investors are afforded more flexibility.

While the banking monopoly strictly prohibits fintechs from using public deposits to fund lending activities, firms innovate through special purpose vehicles or “fronting” partnerships with licensed banks.

The ECSP Regulation focuses on intermediation between lenders and project owners. To date, in the field of crowdlending, syndication of loans (a common practice in large-scale corporate banking) remains prohibited under French law.

In France, while traditional processors have historically relied on existing interbank networks, the current landscape increasingly supports the development of alternative infrastructures. This allows fintech firms to design proprietary settlement layers that can offer higher speeds and lower costs, provided these new rails maintain the required levels of security, operational resilience and interoperability with the broader financial ecosystem.

An important shift has occurred with the integration of stablecoins under the MiCAR framework, which has established a legal path for payments using EMTs. These digital representations of fiat money are legally categorised as electronic money, allowing payment processors to build hybrid or native digital rails that bypass traditional correspondent banking bottlenecks and in theory automate complex payment flows through smart contracts.

Cross-border payments and remittances remain strictly governed by the standard payment services framework, provided they involve the transfer of “funds” as defined under French and EU law. The regulatory focus is primarily on AML/CFT compliance, notably ensuring that international flows are monitored for financial crime.

Under French law, there are three categories of trading platforms: regulated markets, multilateral trading facilities (MTFs, and Organised MTFs), and organised trading facilities (OTFs). In addition, since the entry into force of MiCAR, trading platforms for crypto-assets are also regulated. While all platforms must adhere to fundamental transparency requirements and market abuse prohibitions, they differ significantly in their operational rules and the types of instruments they support.

Regulated markets are authorised by government decree (following a proposal by the AMF) and managed by an entreprise de marché (market undertaking). In contrast, both MTFs and OTFs may be operated by either a market undertaking or an ISP.

French law also maintains the specific “Organised MTFs” status, which is subject to stricter regulatory standards than those found in EU regulation for MTFs.

Unlike other venues, OTFs are prohibited from trading shares. Their scope is restricted to specific asset classes, including debt securities, structured finance products, emission allowances, derivatives, and physically settled wholesale energy products.

Under French law, the regulatory regime depends on whether an asset is classified as a financial instrument (eg, shares, security tokens) or a crypto-asset.

Financial instruments (MiFID II/MAR) can be listed on regulated markets and MTFs, while OTFs are restricted to specific non-equity instruments. All are strictly subject to the Market Abuse Regulation (MAR), which prohibits insider dealing and market manipulation.

Crypto-assets that do not qualify as financial instruments (eg, Bitcoin or e-money tokens such as USDC) fall under MiCAR and are subject to a dedicated regime for transparency and investor protection. MiCAR includes its own market abuse framework, mirroring MAR’s principles.

The emergence of cryptocurrency exchanges led to the creation of a specific regime for digital asset services providers (Prestataires de services sur actifs numériques – PSANs) under the PACTE law, which is now superseded by MiCAR. Centralised platforms that target clients residing or established in France (fiat/crypto or crypto/crypto exchange, custody, operation of a trading platform) must be licensed with the AMF (with ACPR oversight for AML/CFT), failing which they risk criminal sanctions, and are subject to fit‑and‑proper, organisational, security and AML/CFT requirements. They must also comply with prudential rules and the MiCAR market abuse regime. 

Decentralised exchanges (DEXs) occupy a more complex space, as they are not subject to any specific regime under French law. In theory, MiCAR exempts services provided in a fully decentralised manner – without intermediaries. This exemption is strictly conditional on a substance-over-form assessment by the regulators to ensure that no single person or group exercises any kind of influence over the protocol. The specific criteria for qualifying for such decentralisation (eg, technical architecture, governance, etc) remain subject to further regulatory clarification.

Please also refer to 10.5 Regulation of Blockchain Asset Trading Platforms.

Under French law, trading venue operators must maintain clear and transparent rules setting out the objective criteria used to determine which financial instruments may be admitted to trading. In addition, regulated markets must ensure that their rulebooks guarantee fair, orderly and efficient trading conditions. While each operator defines its own specific listing rules, they generally rely on the issuer’s compliance with applicable European and domestic legislation, and on the quality and reliability of the information made available to investors.

The EU Listing Act has further harmonised listing standards across the Union, notably by simplifying prospectus requirements and streamlining ongoing disclosure obligations. In parallel, under MiCAR, crypto-asset trading platforms must ensure that any digital asset admitted to trading is backed by a compliant White Paper and meets stringent technical, governance and security standards. Beyond these binding rules, industry standards often entail higher requirements for ESG disclosures and corporate governance, which have become de facto prerequisites for attracting institutional investors in the French market.

Order handling rules in France require ISPs to take all sufficient steps to obtain the best possible result for their clients, considering various factors such as price, costs, speed, and likelihood of execution. While this “best execution” obligation is comprehensive, ISPs must prioritise specific client instructions, which override general policy for the relevant parts of the order. For a retail client, the best possible result is determined by the total cost, which includes the price of the financial instrument and all execution-related expenses (fees, settlement costs).

To meet these requirements, ISPs must establish a policy that identifies the specific venues used for each asset class and the factors influencing their selection. This policy must be communicated clearly to clients, and their prior consent is required before it can be applied. Finally, ISPs are subject to an ongoing transparency duty, meaning they must be able to demonstrate to their clients, upon request, that their orders were executed in full compliance with the established “best execution” policy.

So far, the rise of peer-to-peer (P2P) trading platforms has had limited direct impact on the core business of traditional trading venues, which remain focused on MiFID-regulated financial instruments. P2P platforms, which facilitate direct transactions between users, initially appeared to sit outside this scope by operating on a bilateral basis. In 2023, ESMA clarified that a system is considered multilateral if it allows multiple third-party trading interests in financial instruments to interact within the same facility, regardless of whether the specific transaction at a given moment is bilateral. This broad interpretation ensures that P2P platforms cannot bypass MiFID II regulation simply by virtue of their direct-matching architecture.

The AMF’s “Guide to best execution” defines payment for order flow (PFOF) as “the granting of monetary or non-monetary benefits by some execution venues to their clients/members in exchange for order flows” – those benefits taking diverse forms such as non-public price reductions, the provision of technical tools, or free share allocations. Such payments were only considered lawful under French law if they met three strict cumulative requirements: ensuring full transparency for clients, enhancing the quality of the service rendered, and complying with the duty to act in the client’s best interest.

The regulatory landscape has shifted significantly following the February 2024 MiFIR review, which introduced a general prohibition on PFOF under Article 39a to address concerns over market integrity and retail investor protection. While this ban will be fully enforceable across the EU starting 1 July 2026, France has declined to exercise the temporary exemption that would have allowed its domestic firms to continue these practices. Therefore, investment firms in France must ensure their venue selection is driven strictly by best-execution obligations and the management of conflicts of interest, as the industry transitions towards a complete phase-out of incentive-based routing.

Market Integrity in France is governed by MAR and the Market Abuse Directive (MAD), which establish a harmonised framework to prevent and sanction illicit behaviors in the financial ecosystem. Market abuse is categorised into three core offences:

• insider dealing (which involves transactions executed based on non-public price-sensitive information);
• the unlawful disclosure of inside information; and
• market manipulation (which involves actions that give false or misleading signals to the market).

To ensure transparency, the system relies on a dual-track architecture of prevention and enforcement. On the preventative side, market participants are required to maintain insider lists and immediately report any suspicious activity via Suspicious Transaction and Order Reports (STORs) to the AMF. Furthermore, issuers must disclose inside information directly concerning them to the public as soon as possible.

On the enforcement side, to ensure that all participants operate on a level playing field, the system relies on a dual-track approach, enabling the AMF to impose administrative sanctions, while reserving criminal penalties – through the judiciary – for serious violations.

The applicable regulatory framework for algorithmic trading is primarily governed by MiFID II and MAR. Regulated firms engaging in algorithmic trading are required to implement adequate and effective internal controls, to ensure that their trading systems cannot be used for purposes contrary to MAR.

ISPs are required to notify the AMF that they use algorithmic trading and to provide detailed information on their parameters and risk-monitoring arrangements put in place. There are no specific rules that differentiate between underlying asset classes for the purpose of algorithmic trading: the same regulatory framework applies irrespective of the type of financial instrument traded.

Under French law, entities dealing on own accounts through algorithmic trading systems must be licensed as ISPs (even where they do not act on behalf of or for the accounts of clients). There is no separate licensing category dedicated to “market makers” as such.

Under French law, management companies of collective investment undertakings (UCITS and AIFs) are not classified as investment firms (entreprise d’investissement) and fall outside the scope of the provisions governing algorithmic trading.

Programmers who design and develop trading algorithms or other electronic trading tools are not regulated as such under French or EU financial regulation: the applicable rules target the regulated entities that use these tools.

Underwriting processes used by insurtech companies must comply with the French Insurance Code, which provides substantive and formal requirements to ensure validity of the insurance policy. This process is heavily influenced by the Insurance Distribution Directive (IDD), requiring firms to conduct a “demands and needs” test to ensure product suitability before any signature, ensuring that the client subscribes to the policy with full knowledge of its terms and implications.

As most transactions occur online, non-professional policyholders are protected by consumer law, particularly regarding cooling-off rights and distance marketing regulations.

Furthermore, automated underwriting and AI-driven risk assessments are strictly governed by the GDPR, ensuring transparency and the right to human intervention when applicable.

Each category of insurance – such as life, annuities, and property and casualty (P&C) – is governed by its own specific legal framework and technical rules under the French Insurance Code. While the ACPR maintains a consistent level of rigorous oversight across the entire sector, industry participants must tailor their operations to the unique risks of each class.

Regtech providers are not, as such, subject to a dedicated regulatory status under French law. They typically offer technology-driven compliance support services (reporting, transaction monitoring, KYC/AML tools, sanctions screening, transaction filtering, regulatory reporting dashboards, etc), which, in principle, do not constitute regulated investment, banking or payment services.

However, regtech providers are subject to significant indirect regulatory pressure: they must have a profound and continuously updated understanding of evolving EU and French financial regulations (in particular AML/CFT, MiFID II/MiFIR, MAR, PSD2/PSD3, CRD/CRR, SFDR and related ESG disclosure frameworks) in order to accurately address their clients’ compliance needs and to avoid creating regulatory breaches for supervised entities.

In addition, where their tools are embedded in the core processes of regulated institutions (eg, client onboarding, transaction monitoring, trade surveillance, regulatory reporting), regtech providers are often treated in practice as critical or important outsourcing providers and must comply, via contract, with stringent requirements on governance, information security, business continuity, audit and access rights imposed by the ACPR/AMF outsourcing and cloud guidelines.

Moreover, certain regtech providers may fall within the scope of DORA as critical ICT third-party service providers, in which case they will be subject to direct EU-level oversight and enhanced obligations regarding ICT risk management, resilience testing, incident reporting and co-operation with competent authorities.

A contract between a regtech provider and a regulated entity is not, as such, subject to a dedicated regulatory regime. Its legal qualification (software licence, SaaS, services agreement, outsourcing, cloud, etc) determines the applicable rules, in particular where the arrangement falls within the scope of the EBA Guidelines on outsourcing, the ESMA guidelines or the DORA framework.

If the agreement is qualified as an outsourcing contract – especially where the regtech solution supports a critical or important function – the regulated entity must, prior to signing, carry out and document thorough due diligence on the provider (financial soundness, technical and organisational capabilities, information security, business continuity, regulatory expertise, subcontracting chain, location of data and processing, etc). The contract should then include detailed service level agreements (SLAs), incident management and reporting procedures, data protection and confidentiality clauses, business continuity and exit provisions, as well as robust audit and access rights for the institution and its regulators.

In any event, the regulated entity remains fully responsible for complying with its prudential, conduct and AML/CFT obligations, even where a breach originates from the regtech provider’s failure to perform. The management body retains ultimate responsibility for all activities and internal control systems, and cannot delegate its duties nor alter the conditions of its authorisation through any third-party arrangement. Contractual clauses must therefore preserve the institution’s regulatory responsibilities and ensure that the use of a regtech solution does not undermine its ability to meet supervisory expectations.

The French financial sector has developed in a supportive environment for crypto-assets, which evolved from early experimentations to an industrial-scale implementation of blockchain technology. Traditional institutions have actively integrated distributed ledger technology (DLT) into their core processes. A leading example of this development is Société Générale, with its subsidiary, SG-FORGE, a pioneer in the issuance of securities on public blockchains. This trend towards “on chain” securities issuance is further evidenced by the rise of Spiko, a French fintech that launched the first tokenised UCITS money market funds approved by the AMF. In 2025, SG-FORGE reached another global milestone by issuing EURCV and USDCV, the first MiCAR-compliant stablecoins issued by a major bank.

The regulatory landscape reached a turning point in late 2025 with the EU DLT Pilot Regime. In October 2025, the French ACPR granted a DLT TSS (Trading and Settlement System) licence to LISE (Lightning Stock Exchange), making it the first European infrastructure authorised to operate a fully tokenised equity exchange.

At the institutional level, the Banque de France remains at the forefront of central bank digital currency (CBDC) research and development. Following a series of successful wholesale CBDC experiments, the Banque de France and the Eurosystem expanded their exploratory work, preparing for the potential launch of a “wholesale digital euro” for interbank settlements by late 2026.

The stance regarding crypto-assets is rigorous supervision and frequent public warnings, despite a supportive attitude. While the regulators are benevolent towards the development of a regulated market, they consistently alert retail investors to the high volatility of crypto-assets and the risks of fraud.

In contrast, the regulators’ attitude on blockchain technology tends towards active promotion/institutional integration. Blockchains are viewed by the French authorities as a strategic tool for the modernisation of traditional financial infrastructure. This pro-innovation position is anchored in the pioneering “Blockchain Ordinance” of 2017, which provided a secure legal framework for the registration and transfer of unlisted securities via DLT. It further evolved with the implementation of the EU DLT Pilot Regime.

French and European legal frameworks establish a clear division between blockchain assets that mirror traditional securities and others. If an asset behaves like a stock or a bond, it remains governed by MiFID II. MiCAR excludes such financial instruments.

Under French law, the legal umbrella of “digital assets” encompasses three distinct pillars.

• Tokens defined as incorporeal assets representing rights in digital form, provided they do not qualify as financial instruments.
• Digital representation of value – assets that function as a medium of exchange.
• MiCAR crypto-assets, which further classifies crypto-assets into three harmonised categories based on their stabilisation mechanism and function: 
1. asset-referenced tokens (ARTs);
2. e-money tokens (EMTs); and
3. other crypto-assets such as utility tokens, which are intended to provide access to a specific good or service.

Following the entry into application of MiCAR, the landscape for token issuers has transitioned from an optional, national “visa” for initial coin offerings (ICOs) regime to a harmonised and mandatory European framework. By 30 June 2026, all new offerings must comply with the MiCAR regime.

• Issuance of stablecoins (ARTs or EMTs) is strictly regulated. Issuers of EMTs must be licensed as credit institutions or electronic money institutions and are supervised by the ACPR. Issuers of ARTs must obtain prior authorisation and maintain a reserve of assets.
• For other crypto-assets, including utility tokens, the regime is based on a notification to the competent authority. Issuers must submit a White Paper before the offer, which details the conditions of the issuance, the characteristics of the issuer, the rights attached to the crypto-asset, the underlying DLT (consensus mechanisms such as PoS or PoW), a statement on its environmental and climate-related impact, etc.

The regulation of blockchain asset trading platforms is now governed by the CASP status, which replaces the previous national DASP (PSAN) framework (registration and optional licensing). The CASP status is largely inspired by the DASP status, which was created by the PACTE law. Entities that held the PSAN status will have to cease their activities after 30 June 2026, unless they obtain a CASP licence.

Crypto-asset trading platforms are subject to specific organisational rules. They must establish non-discretionary rules for the admission of crypto-assets, publish a transparent fee policy on their website, and maintain resilient systems to prevent market abuse (wash trading, insider dealing).

In France and the EU, the provision of staking services is not regulated as a standalone activity. Instead, its regulatory treatment depends on the underlying technical model and whether it is coupled with other regulated services.

Under the current framework, the AMF, in its DOC-2020-07 position, distinguishes between the technical maintenance of a blockchain and financial intermediation. While staking itself is not a digital asset service, it often requires a CASP licence if it includes custody of digital assets, which is defined as the ability to move assets in a distributed ledger in place of the client or holding a wallet where clients’ private keys are recorded. Then, providing purely technological solutions as a “validator as a service”, such as those offered by platforms like Kiln (which allows users to keep exclusive control over their private keys), does not constitute a regulated custody service.

This approach also aligns with the views of the ESMA and the EBA, which, in their 2025 joint report, identified risks such as liquidity risks, “slashing” penalties for validator errors and custody risks, which may be enhanced in the event of market concentration.

Under French and EU law, crypto-related lending is not qualified as a specific, standalone service. MiCAR, as explicitly stated in its recital 94, does not address the lending and borrowing of crypto-assets, including e-money tokens. Consequently, these activities do not currently benefit from a harmonised European regulation.

French and EU law does not feature a specific category for crypto derivatives. The regulation of crypto derivatives is governed by a functional legal analysis. Following a 2018 legal analysis, the AMF considers that any derivative with a crypto-asset as an underlying asset that is settled in cash is legally classified as a financial contract. According to the French Monetary and Financial Code, these contracts (including CFDs, binary options and rolling spot forex) constitute financial instruments. They fall under the strict regime of MiFID II and MiFIR rather than the MiCAR framework, which explicitly excludes financial instruments from its scope. Any platform offering such products in France must then hold a licence as a credit institution or an investment firm, and a simple CASP licence is insufficient for this activity.

Many activities performed by decentralised finance (DeFi) protocols could be reclassified as regulated services under existing laws, such as decentralised exchanges (DEXs), which facilitate the exchange of crypto-assets.

DeFi currently operates in a sort of regulatory “grey zone” in France and the EU, as it is not yet governed by a bespoke or comprehensive legal framework. While MiCAR provides a framework for centralised providers, it largely excludes services provided in a “fully decentralised manner without any intermediary”.

Assessing whether a protocol is “fully decentralised” is one of the major challenges for regulators, as it determines whether or not MiCAR regulations apply. This analysis raises questions, particularly regarding the role of decentralised autonomous organisations (DAOs): regulators could struggle to identify a person to be held accountable regarding compliance requirements.

Since 2019, the PACTE law allows professional specialised investment funds (fonds professionnels spécialisés – FPSs) and professional private equity funds (fonds professionnels de capital investissement – FPCIs) (with an allocation limited to 20% of their assets) to invest directly in crypto-assets, provided they are reserved for professional investors.

From an operational point of view, any asset manager that intends to manage a fund investing in blockchain assets must obtain a licence extension from the AMF. This extension requires a modification of the asset manager’s programme of activity. The asset manager must also appoint a custodian to monitor assets and verify ownership, while the actual custody of private keys and the execution of trades must be handled by a registered or licensed DASP/CASP. Moreover, these asset managers are required to implement rigorous internal policies to ensure that the assets are fairly valued.

Virtual currencies are a type of crypto-asset used as a means of exchange without necessarily representing a right on their issuers. In France and the EU, the regulatory framework does not distinguish between “virtual currencies” (such as Bitcoin or Ether) and other blockchain assets, treating them under the unified umbrella category of digital assets (under the PACTE law in France) or crypto-assets (under MiCAR).

NFTs are excluded from the digital asset and crypto-asset scope, as MiCAR states in its Article 2(3): “[t]his Regulation does not apply to crypto-assets that are unique and not fungible with other crypto-assets”. The AMF aligns with MiCAR and considers that NFTs are not digital assets unless they meet certain specific criteria.

Regarding the determination of the fungible or non-fungible nature of a crypto-asset, Recital 11 of the Regulation specifies that fractional parts of a unique and non-fungible crypto-asset should not be considered unique and non-fungible.

Furthermore, the issuance of crypto-assets as NFTs in a large series or collection should be regarded as an indicator of their fungibility. Finally, the mere attribution of a unique identifier to a crypto-asset is not sufficient to classify it as unique and non-fungible.

This approach is reinforced by ESMA, which promotes a “substance over form” and casuistic analysis. If an NFT, regarding its structure or the right it confers, functions as a financial instrument, it must be regulated as such. This means that if an NFT provides rights to future profits or capital appreciation, or represents a claim on other assets, it essentially loses its exemption and falls under MiCAR or MiFID II.

Stablecoins are crypto-assets that are designed to maintain a stable value by reference to an underlying asset or a basket of assets (such as commodities or fiat currencies, which are issued by a central bank or other monetary authority). Under French law, stablecoins are regulated by MiCAR, which has been directly applicable for its stablecoin-specific provisions since 30 June 2024. MiCAR distinguishes between two categories of stablecoins: EMTs and ARTs.

EMTs are stablecoins that reference a single official currency (such as Circle’s USDC, EURC or SG-Forge’s EUR CoinVertible). These stablecoins can only be issued by credit institutions or electronic money institutions. These issuers must grant holders a contractual right to redeem their tokens at any time and at par value against the single official currency they reference. Furthermore, the funds received in exchange for EMTs must be invested in safe, low-risk assets denominated in the same official currency to eliminate cross-currency risks. Under certain conditions, significant EMT issuers must maintain a reserve of assets to back the value of the tokens.

ARTs maintain their value by reference to multiple fiat currencies or other assets (including other crypto-assets) – or any “value or right”. This type of stablecoin is a catch-all category, which includes tokens pegged to commodities (such as PAX Gold), liquid staking or wrapped tokens (eg, stETH, WBTC, wstETH). For ART issuers, specific authorisation is required from a competent authority unless the issuer is already a credit institution. They are subject to own funds requirements calculated as a percentage of the reserve of assets to mitigate financial stability risks. Unlike EMTs, the redemption right for ARTs is generally based on the market value of the referenced assets or through the physical delivery of those assets. They must also maintain a reserve of assets to back the value of the tokens.

For both categories, issuers are required to draw up, notify and publish a detailed crypto-asset White Paper that includes essential information on the issuer, the characteristics of the project, and the risks involved.

Open banking in France is primarily governed by PSD2, which requires that banks provide third-party providers (TPPs) with secure access to payment account data. This framework introduced two key regulated activities: account information services (AIS), allowing for data consolidation, and payment initiation services (PIS), enabling direct credit transfers. Banks must establish secure APIs to enable the sharing of personal data (eg, bank account information) with fintech companies.

While successful for retail players, adoption remains modest among corporate clients. To address friction and technical barriers, the upcoming PSD3 and Payment Services Regulation (PSR) aim to refine these requirements. 

The proposed Financial Data Access (FIDA) Regulation seeks to transition from “Open Banking” to “Open Finance” by extending the data-sharing framework – initially introduced by PSD2 for payment accounts – to a broader range of financial products. This regulation was proposed by the European Commission in June 2023 as part of the Open Finance legislative package and is still currently being discussed. The proposal has faced strong opposition from traditional banks and insurers due to high compliance costs and technical complexity. Once adopted, it will apply 24 months after its approval.

The Open Banking requirements under PSD2 have raised several issues over privacy, security and the increased risk of cyber-attacks on third-party applications and APIs. These risks could create complex legal issues regarding liability between banks and TPPs in the event of a security breach.

Furthermore, the obligation to share extensive personal data raises compliance challenges with the GDPR, especially given the sensitive nature of certain payment information. Consequently, both banks and fintech companies must strictly adhere to GDPR standards when processing client data to maintain user trust and security.

Fraud techniques have undergone profound mutation, evolving towards approaches based on psychological manipulation and identity theft. While the introduction of strong customer authentication (SCA) under PSD2 has strengthened the security of remote payments and reduced certain forms of technical fraud, transactions remain a major source of litigation for clients, notably due to the rise of social engineering (ie, the use of psychological manipulation to deceive users into bypassing technical security measures, such as “spoofing”, where attackers impersonate bank officials to convince clients to authorise fraudulent transactions themselves).

According to a survey conducted for the AMF, the proportion of French people falling victim to financial investment scams has practically tripled in three years. The Paris Prosecutor’s Office estimates the total damage to be at least EUR500 million per year, generally involving transfers to accounts controlled by fraudsters.

To safeguard the market, the AMF and ACPR maintain a strategic blacklist of unauthorised financial operators, serving as a vital tool to prevent misappropriation of funds. Updated in January 2026 to reflect 2025’s activity, the registry flagged 58 Forex platforms and 29 crypto-derivative sites. The ACPR reported an even steeper rise, blacklisting 1,190 entities illegally marketing loans or savings accounts. This surge is fuelled by fraudulent misrepresentation: 65% of these fraudulent offers involve the identity theft of regulated professionals to exploit investor trust.

French authorities align their focus with the shifting landscape of fraud. In 2024, the ACPR centred its oversight on manipulation-based scams – which include “fake bank advisers”, at 32% of total fraud value in 2024, accounting for EUR382 million in losses.

The Observatory for the Security of Payment Means (OSMP) has simultaneously accelerated its crackdown on unauthenticated remote card payments (those bypassing 3-D Secure), which carry a fraud risk three times higher than secure channels. Following a transitional cap of EUR1.01 in May 2025, the threshold for these non-authenticated internet payments was slashed to EUR0.01 on 1 January 2026, effectively mandating authentication for nearly all transactions.

Instant transfer fraud has also surged to the top of the agenda following a EUR37 million increase in damages in 2024. To mitigate this, regulators supervised the nationwide roll-out of the Verification of Payee service (matching IBANs to beneficiary names – resulting from the implementation of EU Regulation 2024/886), which became fully operational on 9 October 2025, to secure transfers for both retail and professional clients.

Furthermore, the regulators are intensifying their monitoring of AI-driven fraud in the context of the emergence of deepfakes used to solicit fraudulent investments.

The liability of fintechs, and especially of PSPs for customer losses, is governed by a strict immediate reimbursement obligation for unauthorised transactions under Articles L 133-18 and L 133-22 of the French Monetary and Financial Code. However, this obligation to return funds may be suspended if the financial institution provides evidence to the regulatory authorities justifying suspicion of fraudulent activity on the part of the customer.

Since the entry into force of EU Regulation 2024/886, payment service providers have been required to provide a tool for verifying the match between the name entered and the bank identifier at no cost to the individual. If the service fails to signal a detected inconsistency before the order is validated, it assumes the resulting financial loss and must restore the client’s initial balance without delay.

Conversely, if the alert was duly transmitted but the payer decides to override it with full knowledge of the facts, the provider is released from any obligation to reimburse. Finally, in the event of a dispute, the burden is on the provider to demonstrate that the transaction was correctly authenticated and did not suffer from any technical failure.