Fintech 2026

Last Updated March 31, 2026

Germany

Law and Practice

Authors

LEXR is a European law firm dedicated exclusively to tech, fintech and digital businesses, with offices in Berlin, Munich, Zurich, Lausanne, St. Gallen and New York City. The firm’s lawyers combine deep regulatory expertise with first-hand entrepreneurial experience: many have co-founded start-ups, built products or worked as in-house counsel at fast-growing tech companies. Clients benefit from advisers who understand the product, the market and the regulatory landscape from having operated in it themselves. LEXR’s German practice covers the full spectrum of German and EU financial regulatory law, including MiCA and CASP licensing, payment services, tokenisation, DeFi structuring, data protection and corporate law. With a dedicated team of more than ten specialists, the firm regularly advises fintech and blockchain companies on regulatory structuring, licensing procedures, tokenisation projects and the commercial contracts underpinning their business models. LEXR pairs this expertise with transparent flat-fee pricing and efficient delivery, helping innovators turn legal complexity into a competitive advantage.

Germany’s fintech market has entered a phase of regulatory maturity. The past 12 months have been defined by the full application of MiCA and DORA, marking the most material shift in Germany’s financial regulatory architecture since the introduction of MiFID and PSD2. Germany moved faster than other EU member states, opting for a strict 12-month MiCA transition period and becoming the jurisdiction with the highest number of CASP authorisations in the EU by the end of 2025.

An especially noteworthy consequence of this shift is the changing competitive dynamic between incumbents and new entrants. Traditional financial institutions are leveraging existing licences to expand into crypto-asset services through streamlined notification procedures under MiCA, effectively reaching the market faster than crypto-native firms navigating full CASP authorisation. This dynamic is reshaping the competitive landscape in ways that pure fintech players need to anticipate.

These structural shifts also set the agenda for the coming months. The operational reality of DORA compliance will become visible for the first time through audit cycles covering thousands of German financial entities. In parallel, the PSD3/PSR package will begin to reshape payment services regulation, and tokenisation of financial instruments is moving from pilot stage into institutional production.

AI adds a further dimension. No longer a differentiator but a baseline component of fintech infrastructure, it now raises its own regulatory questions. Aligning AI governance with the EU AI Act’s high-risk classification framework remains a practical challenge, especially for credit decisions, insurance underwriting and AML screening, where clear supervisory guidance from BaFin is still developing.

Germany’s fintech market is characterised by a broad range of verticals that have matured at different speeds. Digital banking and neobanking, neobrokerages and payment services represent the most established segments, with several players now reaching profitability after years of growth-focused strategies. Crypto-asset services, insurtech and regtech are earlier in their development cycle but attracting increasing regulatory and investor attention.

What distinguishes the German market from many of its European peers is the depth of the legacy banking sector. Germany’s dense network of savings banks, co-operative banks and large commercial institutions means that fintechs rarely operate in a vacuum. Instead, many business models have evolved around collaboration rather than pure disruption. Banking-as-a-Service arrangements, where a licensed bank provides the regulated infrastructure while a fintech handles the customer-facing product, remain a widely used model, though recent regulatory scrutiny has prompted both sides to re-evaluate governance and compliance responsibilities.

A notable shift over the past two years has been the rise of B2B fintech. Payment infrastructure providers, compliance automation platforms and embedded finance solutions are increasingly the growth drivers, as the B2C segment faces margin pressure and higher customer acquisition costs. At the same time, traditional institutions are building or acquiring fintech capabilities in-house, in areas such as digital asset custody, tokenised deposits and AI-driven risk management.

Germany has no separate fintech regulatory framework. The regime depends entirely on the services provided. A fintech offering payment services faces the same licensing requirements as a major bank running the same business line.

The core regulatory pillars are the Banking Act (KWG) for deposit-taking and lending, the Securities Institutions Act (WpIG) for investment services, the Payment Services Supervision Act (ZAG) for payments and e-money, and the Insurance Supervision Act (VAG) for insurance. MiCA has governed crypto-asset services since 30 December 2024, replacing the earlier national regime under the KWG.

The complexity lies in the layering of national and EU regulation. MiCA, DORA and MiFIR apply directly as EU regulations, while PSD2 requires national transposition through the ZAG. Many fintech business models span multiple regimes. A company offering crypto exchange services alongside fiat payment processing may simultaneously need CASP authorisation under MiCA and a ZAG licence. Navigating these overlaps is one of the central challenges for market participants.

BaFin supervises across all regimes, supported by the Bundesbank. At the EU level, MiCA, DORA and MiFIR increasingly set the substantive requirements, while national law governs licensing procedures and supervisory practice.

German fintechs use a range of compensation models: transaction fees, subscription pricing, spread-based models, interest margins and commissions. The choice is driven as much by competitive positioning as by regulation, though the disclosure requirements differ considerably depending on the service classification.

MiFID II imposes the strictest disclosure regime on investment services. Firms must provide ex-ante and ex-post cost information covering all direct and indirect charges, inducements and third-party payments. This granularity often creates a real operational burden for smaller fintech firms. Payment service providers under the ZAG must disclose all fees before transaction execution. For consumer credit, the annual percentage rate must appear prominently.

For crypto-asset services, MiCA requires transparent, non-misleading pricing disclosure before client onboarding. While the specific requirements are less prescriptive than MiFID II, BaFin’s expectations are moving toward comparable standards. The bar for pricing disclosure will continue to rise across all verticals.

In principle, German regulation draws no distinction between fintech companies and legacy players. The same activity triggers the same licensing and compliance requirements regardless of the provider’s size, history or technology stack. A neobank offering current accounts faces the same KWG requirements as a 200-year-old savings bank.

In practice, however, differences emerge in two directions. BaFin uses the principle of proportionality to calibrate supervisory intensity. A fintech with a narrow product offering and limited systemic relevance will face less demanding day-to-day supervision than a large universal bank, even though both operate under the same licence. This proportionality gives smaller firms room to scale before facing the full weight of supervisory expectations.

At the same time, MiCA has introduced a structural advantage for incumbents in the crypto space. Firms that already hold a banking or investment services licence can expand into crypto-asset services through a simplified notification to BaFin, rather than undergoing full CASP authorisation. This means that established institutions can enter the crypto market much faster than new entrants building from scratch.

Germany does not operate a regulatory sandbox. What it offers instead is an innovation hub approach. BaFin maintains a dedicated fintech unit that serves as a point of contact for early-stage companies seeking to understand whether their business model triggers licensing requirements. These interactions can be valuable for structuring a business model correctly from the outset, though it is important to note that BaFin does not provide legal advice in this context and the enquiry process requires a high level of specificity.

The closest equivalent to a sandbox at the EU level is the DLT Pilot Regime, which permits authorised firms to test DLT-based market infrastructure for tokenised financial instruments under modified regulatory conditions. Practical uptake has been limited, though ESMA’s 2025 review may lead to an expanded scope in the next legislative cycle.

BaFin supervises nearly everything that matters in German fintech regulation: banking, investment services, payments, e-money, insurance and crypto-asset services. The Bundesbank supports BaFin in prudential oversight and regulatory reporting analysis.

The EU dimension is growing in importance. ESMA co-ordinates MiCA supervision across member states and maintains the register of authorised CASPs. The EBA’s technical standards effectively shape much of BaFin’s supervisory practice. From 2026, AMLA will exercise direct AML supervisory functions over selected high-risk entities.

For cross-border fintech operations, mapping the correct supervisory authority for each activity and jurisdiction is an increasingly critical part of regulatory planning.

German regulators do not issue formal no-action letters. BaFin will not provide a binding statement that a particular activity falls outside the regulatory perimeter or will not trigger enforcement.

The practical alternative is BaFin’s individual enquiry process. Companies can ask whether a specific, clearly described business model needs a licence. BaFin’s responses are non-binding but carry informal weight and can reduce regulatory uncertainty at the structuring stage. The key requirement is specificity: BaFin will not engage with abstract or hypothetical questions. Beyond individual guidance, BaFin’s published circulars and interpretive notices provide general clarity on how it applies the law to particular business models.

At the EU level, a form of no-action communication has emerged in limited situations. In June 2025, the EBA recommended that national authorities temporarily defer enforcement of PSD2 authorisation requirements for payment services involving e-money tokens, acknowledging the overlap with MiCA. This is a narrow precedent, but it shows that regulatory pragmatism can emerge even in a system that does not formally recognise the concept.

Outsourcing is permitted but does not shift regulatory responsibility. The regulated entity remains fully accountable to BaFin, regardless of what functions it delegates to third parties.

BaFin requires detailed contractual frameworks covering service levels, audit rights extending to the regulator, data protection, sub-outsourcing controls and exit arrangements. Material outsourcing requires BaFin notification. Since January 2025, DORA has raised the bar for ICT outsourcing specifically, requiring a register of all third-party arrangements and minimum contractual standards on security, incident reporting and resilience testing.

Outsourcing to a regulated entity is not required but can simplify due diligence, as regulated counterparties are more likely to already meet the governance and security standards the framework demands.

There is no single “gatekeeper law” in Germany; rather, the concept is woven into virtually every regulatory framework governing fintech platforms. Under the Money Laundering Act (GwG), regulated entities must conduct ongoing customer due diligence, monitor transactions and file suspicious activity reports. MiCA takes this further for crypto trading platforms, requiring dedicated market surveillance systems and compliance with the market abuse provisions discussed in 6.8 Market Integrity Principles. Regulators expect fintech providers to take active ownership of the integrity of the transactions they facilitate. Companies that design their compliance architecture around this reality from the start will find it far easier to scale than those that treat gatekeeper obligations as an afterthought.

BaFin has shifted from a cautious supervisor to an enforcement-oriented regulator, a trajectory that accelerated after the Wirecard scandal.

In fintech, recent enforcement has focused on three areas. BaFin intensified scrutiny of BaaS providers, most notably Solaris, imposing operational restrictions over AML and governance deficiencies. BaFin has actively used its FinmadiG powers to publicly warn against firms operating crypto-asset services without MiCA authorisation, and neobanks and payment institutions have faced enforcement action over AML compliance failures.

The pattern is consistent: BaFin acts early and publicly. Market participants should treat the regulator’s name-and-warn strategy as a permanent feature of the German supervisory landscape, not a temporary posture.

Beyond financial regulation, fintech companies face a growing web of horizontal requirements that can be equally demanding. Data protection under the GDPR is a primary concern, especially for companies relying on AI-based analytics or open-banking services.

DORA, the EU AI Act (classifying many financial AI applications as high-risk), and the NIS2 Directive collectively impose layered cybersecurity, resilience and AI governance obligations.

Unlike legacy banks, which have long operated under detailed BaFin IT security circulars (BAIT, ZAIT), fintech entrants may face a steeper compliance curve in aligning with these multi-layered requirements, where they rely on cloud infrastructure and third-party technology providers.

Annual audits by independent auditors (Wirtschaftsprüfer) are mandatory for regulated fintech companies. For KWG-licensed institutions, the resulting regulatory audit reports go directly to BaFin and the Bundesbank and regularly trigger follow-up where deficiencies are identified.

Beyond statutory requirements, market practice is driving additional review layers. Crypto companies commission smart contract audits and proof-of-reserve attestations. B2B fintechs routinely obtain SOC 2 certifications. Industry bodies such as Bitkom publish best practice standards that shape market norms even without legal force.

Combining regulated and unregulated services within a single company is widespread in German fintech. Payment services alongside analytics tools, crypto custody alongside unregulated advisory content: these combinations are the norm.

BaFin expects clear delineation. The unregulated business must not compromise the compliance standards of the regulated one. Separate legal entities are an option but not a requirement. What matters is demonstrating where the boundary between regulated and unregulated activity lies and maintaining the controls to enforce it.

AML and sanctions compliance is one of the heaviest operational burdens in German fintech. The Money Laundering Act (GwG) requires all regulated entities to maintain KYC programmes, transaction monitoring, suspicious activity reporting and record-keeping. Germany’s requirements exceed the EU minimum in certain areas, especially for crypto-asset service providers.

For unregulated fintechs, the impact is indirect but real: banking partners routinely impose contractual AML obligations that extend the compliance perimeter beyond formally regulated entities. The forthcoming EU AML Regulation and AMLA will tighten the framework further from 2026.

Early investment in AML infrastructure pays off. Companies that treat compliance as a core operational function rather than a cost centre are better positioned both for regulatory interactions and for maintaining banking relationships.

Germany is a founding FATF member and its AML framework closely follows FATF standards, implemented through EU anti-money laundering directives and national law. Germany’s last FATF Mutual Evaluation Report (2022) rated the country as largely compliant, though it identified areas for improvement in beneficial ownership transparency and the effectiveness of sanctions enforcement. The FATF Travel Rule is implemented through the EU Transfer of Funds Regulation (recast), which requires the transmission of originator and beneficiary information for crypto-asset transfers, a requirement that has applied directly to MiCA-licensed CASPs since 30 December 2024.

The reverse solicitation exception exists but offers far less protection than many non-EU firms assume.

MiCA Article 61 permits non-EU firms to serve EU clients only where the client acts on its own exclusive initiative. ESMA’s 2025 guidance confirmed that any marketing directed at EU audiences, whether through websites, apps, social media or influencers, disqualifies a firm from relying on this exception. BaFin’s position mirrors this: foreign providers actively targeting German clients need a German licence.

As a practical matter, reverse solicitation is not a market entry strategy. It may cover isolated, genuinely unsolicited transactions, but any firm planning to build a business in Germany should plan for full licensing from the outset.

Different asset classes require different regulatory setups. Robo-advisers managing traditional financial instruments need MiFID II authorisation through the WpIG or KWG, with full suitability testing, best execution and inducement compliance.

For crypto-assets, portfolio management and investment advice now fall under MiCA’s CASP regime. Security tokens qualifying as financial instruments remain under the traditional securities framework (see 10.3 Classification of Blockchain Assets for the classification framework).

The complexity arises where a platform spans both worlds. A robo-adviser offering a mixed portfolio of ETFs and crypto-assets must comply with both MiFID II and MiCA, each with its own conduct and disclosure requirements. The initial asset classification is the single most important structuring decision for any robo-adviser entering this space.

Major German banks and asset managers have widely adopted robo-advisory capabilities, though mostly as extensions of their existing platforms rather than standalone products. Several large institutions offer algorithmic portfolio management through their digital banking interfaces, typically combining automated asset allocation with the option for human advice on more complex decisions.

Most have built in-house or partnered with white-label providers rather than acquiring standalone platforms. Robo-advisory is no longer a differentiator but an expected feature of competitive wealth management.

MiFID II sets the benchmark: investment firms must obtain the best possible result for clients across price, cost, speed and execution likelihood. Firms must maintain an execution policy, disclose it and regularly monitor execution quality.

MiCA takes a lighter approach. CASPs must act in the client’s best interest but face no equivalent of MiFID II’s detailed framework. For platforms operating across both asset classes, this creates a practical gap that requires careful internal governance.

The EU ban on payment for order flow, effective 2026, will further sharpen this issue. Neobrokers that built their model around PFOF will need to restructure their execution arrangements and demonstrate that client outcomes are not compromised. How neobrokers solve this will shape the competitive dynamics of the German brokerage market for years to come.

The regulatory gap between consumer and commercial lending is material. Consumer credit triggers full protective requirements: pre-contractual disclosure, withdrawal rights, APR transparency, and a mandatory creditworthiness assessment. CCD II will extend these requirements further into digital lending models including buy-now-pay-later.

Commercial lending faces lighter conduct requirements but the same licensing threshold: deposit-funded lending at commercial scale requires a KWG banking licence. Crowdlending models that merely intermediate rather than lend on balance sheet may operate under the ECSP Regulation or national intermediation rules.

The structuring of the funding model is what determines which regime applies. Getting this right early avoids costly re-structuring later.

Regulation prescribes the obligation, not the method. For consumer credit, a creditworthiness assessment is mandatory, drawing on data from agencies such as SCHUFA. The lender must decline if the assessment is negative. CCD II will tighten the requirements around data sources and methodology.

How that assessment is conducted is left to the lender, which has created space for AI-driven and alternative-data underwriting models. These must comply with GDPR’s rules on automated decision-making and the EU AI Act’s high-risk classification for credit scoring. The practical challenge is building underwriting systems that are both commercially effective and regulatorily explainable.

Each funding source has distinct regulatory implications. Deposit-funded lending generally requires a full KWG banking licence. By contrast, marketplace models in which the platform only intermediates and does not lend on balance sheet require a structure-specific analysis and may fall within the ECSP regime or other German intermediation rules. Warehouse funding from banks or institutional investors may mitigate licensing issues at platform level, but does not eliminate the need to assess who originates the loan and which regulated activities are carried out.

Loan syndication takes place in Germany, though for fintechs it most commonly appears through the front-bank model, where a licensed bank originates the loan and distributes participation interests to institutional investors.

The regulatory classification depends on the structure. A straightforward assignment of loan receivables differs from a product that tranches credit risk, which may trigger the EU Securitisation Regulation. Facilitating the distribution of participations can itself constitute investment brokerage under the KWG or WpIG.

The key is to design the distribution mechanism with the regulatory classification in mind from the outset, rather than fitting regulation around a structure that has already been built.

Existing payment rails dominate: TARGET2 for wholesale, SEPA for retail, card networks for point-of-sale and e-commerce. WERO, launched by the European Payments Initiative, is the most notable recent addition for instant payments.

New rails are not prohibited, but any service transferring funds on behalf of third parties requires ZAG authorisation. The framework is technology-neutral in principle but licence-dependent in practice.

Under MiCA, transfers of crypto-assets constitute a distinct service category. However, where crypto-asset transfers involve e-money tokens (EMTs) that function as means of payment, they may additionally fall within the scope of PSD2/ZAG, potentially requiring dual authorisation – a challenge that the EBA has addressed through transitional guidance.

Cross-border payments require ZAG authorisation and compliance with the Transfer of Funds Regulation, which mandates complete payer and payee information for every transfer. For crypto-asset transfers, the recast regulation applies the Travel Rule without a minimum threshold.

AML/CFT compliance is the dominant regulatory concern. BaFin and the Bundesbank actively monitor cross-border payment flows, and the obligations are tightening. PSD3/PSR will introduce mandatory verification-of-payee for all credit transfers, real-time fraud monitoring requirements and broader provider liability for authorised push-payment fraud.

For payment service providers, cross-border compliance is becoming more technically demanding with each regulatory cycle. Firms that invest in scalable compliance infrastructure now will be better positioned than those that treat each new requirement as a standalone project.

Germany permits several types of trading platforms for financial instruments, each under a distinct regulatory framework. Regulated markets (Börsen) are operated under the German Exchange Act (Börsengesetz, BörsG) and supervised by the respective exchange supervisory authority of the relevant federal state. Multilateral Trading Facilities (MTFs) and Organised Trading Facilities (OTFs) operate under MiFID II as transposed by the BörsG and WpHG.

For crypto-assets that do not qualify as financial instruments, trading platforms require CASP authorisation under MiCA. MiCA-licensed platforms can passport their services across the EU. For tokenised financial instruments, the DLT Pilot Regime (discussed in 2.5 Regulatory Sandbox) provides an additional pathway, allowing integrated trading and settlement on a single DLT-based platform – though uptake of this framework has been limited.

The regulatory treatment of different asset classes in Germany follows a bifurcated model. The WpHG, WpIG, and BörsG govern financial instruments, including security tokens that qualify as transferable securities under MiFID II. The German Electronic Securities Act (eWpG) enables the issuance of electronic securities without a physical certificate (see 10.1 Use of Blockchain in the Financial Services Industry for detail), but these remain subject to the full securities regulation framework.

Crypto-assets that do not qualify as financial instruments are regulated under MiCA, classified as ARTs, EMTs or other crypto-assets. The classification boundary can be nuanced and is assessed by BaFin on a case-by-case basis (see 10.3 Classification of Blockchain Assets for detail). This initial determination drives the entire downstream regulatory framework.

Crypto exchanges have been the single biggest catalyst for regulatory change in this area. Germany moved early by bringing crypto custody under KWG supervision in 2020, and that experience shaped MiCA’s EU-wide framework.

Centralised exchanges now need CASP authorisation under MiCA, with full prudential, governance and market surveillance obligations. BaFin actively enforces against unlicensed operators.

Decentralised exchanges are the open question. Where a DEX has identifiable governance structures or operators, BaFin may assert jurisdiction. Truly decentralised protocols remain difficult to regulate, though both BaFin and ESMA have signalled that governance token holders and front-end operators are not beyond reach. The MiCA review, expected to address DeFi by 2027, will determine how this grey area is resolved.

For traditional securities, listing on a regulated market requires compliance with EU prospectus, market abuse and ongoing transparency requirements. For crypto-assets under MiCA, issuers must publish a crypto-asset white paper that meets the content and format requirements specified in MiCA Title II, which must be notified to the relevant NCA.

Regulated crypto-asset trading platforms have an obligation under MiCA to establish and publish their listing and delisting rules. Industry practice is evolving, with most platforms applying criteria such as liquidity, security audit results, team transparency and regulatory compliance. For token issuers, understanding the listing requirements of their target platform early in the structuring process avoids costly delays.

For financial instruments, MiFID II requires firms to execute client orders promptly, fairly and transparently, with established execution policies and conflict-of-interest controls.

MiCA is less prescriptive for crypto orders: CASPs must act in the client’s best interest and disclose their execution policy, but the detailed rules of MiFID II do not apply. BaFin expects high standards regardless.

P2P trading platforms have grown primarily in the crypto space, posing regulatory challenges because MiCA is designed around intermediated services. Where a platform merely provides technical infrastructure without matching orders or holding funds, it may fall outside the regulated perimeter.

However, BaFin’s position is that the actual function performed, not the label used, determines the regulatory classification. If a P2P platform effectively matches orders, provides escrow services, or exercises control over the trading process, it is likely to be treated as operating a trading platform under MiCA and requires authorisation accordingly.

Payment for order flow (PFOF) has been a contentious issue in the German market, driven by the rise of zero-commission neobrokers. Under MiFID II as amended by the MiFIR review, the EU banned PFOF for orders from EU clients with effect from March 2024. Germany is currently the only member state using the grandfathering exemption under Article 39a(2) MiFIR, which permits domestic PFOF until 30 June 2026. BaFin requires full transparency and disclosure during this transitional period.

The incoming ban will require German neobrokers and other platforms that have relied on PFOF as a primary revenue model to restructure their pricing. Many affected firms have already begun transitioning to alternative compensation models, including small per-trade commissions or subscription-based pricing.

The Market Abuse Regulation (MAR) sets the standard for traditional financial instruments: no insider dealing, no unlawful disclosure of inside information, no market manipulation. BaFin enforces these rules, backed by criminal sanctions under the WpHG.

MiCA Title VI extends analogous prohibitions to crypto-asset markets. CASPs operating trading platforms must run surveillance systems to detect suspicious activity and report to BaFin. Issuers must publicly disclose inside information that could affect token prices.

For platforms operating across both asset classes, the practical consequence is that market integrity obligations now apply regardless of whether the traded asset is a traditional security or a crypto-asset. Building unified surveillance infrastructure from the start is more efficient than maintaining parallel systems.

High-frequency and algorithmic trading in Germany is regulated under MiFID II, transposed through the WpHG. Firms engaging in algorithmic trading must have effective systems and risk controls, including kill switches, maximum order-to-trade ratios and pre-trade risk limits. They must notify BaFin of their algorithmic trading activity.

High-frequency trading firms using direct electronic access to German trading venues must be authorised as investment firms. These requirements apply uniformly across asset classes traded on regulated markets and MTFs. For crypto-asset trading, MiCA does not introduce specific algorithmic or high-frequency trading rules, but CASPs operating platforms must ensure fair and orderly trading, which may require analogous controls.

Market makers operating on German trading venues need a licence as investment firms under the WpIG or as financial services institutions under the KWG. Regulated markets and MTFs may impose additional requirements on designated market makers, including minimum quoting obligations and maximum spread commitments.

Under MiCA, there are no specific market-maker registration requirements for crypto-asset markets. However, a CASP dealing in crypto-assets on its own account must hold authorisation for the relevant service category. The absence of a formal market-maker label does not mean the activity is unregulated.

The distinction is clear. Funds fall under the KAGB (implementing AIFMD/UCITS), with regulated managers, custody requirements and investor protection rules. Dealers fall under the KWG or WpIG, with own-funds requirements and market risk-focused organisational standards. Both face MiFID II algorithmic trading rules when trading on regulated venues.

The practical choice between the two models depends on the business. Fund structures suit strategies that raise external capital and need regulated investor protections. Dealer structures suit proprietary strategies where speed and operational flexibility matter more. The regulatory treatment follows from that choice, not the other way around.

Programmers and software developers who create trading algorithms are not directly regulated as financial service providers under German law, provided they do not themselves deploy the algorithms in a trading context or retain ongoing control over their deployment. The regulatory obligation falls on the investment firm or trading entity that uses the algorithm.

That said, the firm deploying the algorithm must be able to explain its functioning to BaFin, maintain adequate testing and monitoring procedures, and ensure the algorithm does not contribute to disorderly trading. Where a software provider effectively controls the trading decisions through its product, BaFin may examine whether the provider itself is performing a regulated activity. The line between tool provider and de facto decision-maker is not always obvious, and firms on both sides of that line should understand where it sits.

The EU AI Act introduces a further dimension. Where trading algorithms qualify as high-risk AI systems, the developer may face obligations around conformity assessment, documentation and transparency, even if it is not itself a regulated financial entity. This is a developing area where the intersection of AI regulation and financial regulation has not yet been fully tested in practice.

Insurtech companies in Germany use a range of technology-driven underwriting approaches, including AI-based risk assessment, automated claims processing and telematics data analysis. Regulation does not prescribe a specific underwriting methodology but sets boundaries around how it is applied.

BaFin expects that insurers and intermediaries using automated underwriting systems maintain transparency, fairness and non-discrimination in their processes. The EU AI Act classifies certain insurance underwriting applications as high-risk AI systems, requiring conformity assessments, documentation and human oversight. BaFin has indicated that algorithmic underwriting models must be explainable and that insurers retain ultimate responsibility for underwriting decisions.

German insurance regulation under the VAG distinguishes between life, health and non-life (property and casualty) insurance, each with distinct capital, reserving and policyholder protection requirements.

Insurtech activity in Germany is concentrated in non-life segments: household, travel, pet, gadget and embedded insurance products. These segments offer shorter product cycles and lower regulatory barriers to entry. 

The market includes both full-stack insurtechs holding their own VAG licence and intermediary models that distribute products underwritten by established carriers. The intermediary route is faster to market but limits control over product design and pricing. Full-stack models offer more flexibility but require considerably more regulatory capital and governance infrastructure. The trend is toward hybrid arrangements where insurtechs handle distribution and technology while partnering with licensed carriers for risk-bearing.

Regtech providers are generally not subject to financial regulation in their own right. A company offering compliance software, AML screening tools or regulatory reporting automation is typically classified as a technology vendor, not a financial services provider.

The regulatory exposure comes indirectly. Financial institutions that outsource compliance-critical functions to regtech providers must ensure those providers meet the standards required by MaRisk and DORA. If a regtech provider is designated as a Critical ICT Third-Party Provider under DORA, it becomes subject to direct oversight by the relevant EU Lead Overseer, a material step that transforms a commercial vendor relationship into a regulated one.

There is also a functional boundary: where a regtech provider effectively performs regulated services rather than just supplying tools, it may cross into the regulatory perimeter. The line between enabling compliance and performing compliance is not always obvious.

Financial institutions in Germany impose increasingly stringent contractual terms on regtech and other technology providers, driven by a combination of regulatory requirements and hard-won operational experience.

Under DORA, the contractual framework for ICT services provided to financial entities must include specific minimum provisions covering service descriptions, data handling, security measures, audit rights, exit strategies and incident reporting obligations. These requirements are dictated by regulation and represent a compliance floor that cannot be contracted away.

Industry practice goes further. Common additions include performance guarantees with defined SLAs, liability and indemnification provisions tied to accuracy and uptime, source code escrow arrangements, step-in rights in the event of provider failure, sub-outsourcing restrictions and notification obligations, and benchmarking clauses. The overall trend is toward contracts that treat regtech providers less like software vendors and more like operational partners whose failure would directly affect the institution’s regulatory standing.

Traditional financial institutions in Germany are actively implementing blockchain technology across multiple use cases. Deutsche Börse has developed a digital asset strategy including a crypto spot-trading platform for institutional clients. Several major banks have explored tokenised deposits, and DZ Bank and Commerzbank have issued digital bonds on DLT infrastructure.

The German Electronic Securities Act (eWpG, 2021) was a landmark, enabling the issuance of electronic securities – including bonds and fund units – on distributed ledgers (crypto securities, Kryptowertpapiere). Originally limited to bearer bonds, the eWpG was extended to fund units in 2022 and, through the Zukunftsfinanzierungsgesetz (ZuFinG), to electronic shares with effect from November 2025. This legislation removed the requirement for a physical certificate and created a regulated framework for DLT-based securities issuance within the existing securities law architecture. BaFin maintains the crypto securities register for centrally registered electronic securities.

The Bundesbank is actively participating in the Eurosystem’s digital euro project, and Germany’s financial industry has been a strong advocate for ensuring that wholesale central bank money settlement remains available for tokenised securities transactions.

BaFin has taken a constructive but firm approach. Germany moved early: crypto custody under the KWG (2020), the eWpG (2021) and MiCA implementation via the FinmadiG (2024).

The posture is innovation-friendly within clear boundaries. BaFin does not champion blockchain but has systematically removed legal uncertainty for firms building within the framework. By the end of 2025, Germany had more MiCA-authorised CASPs than any other EU member state.

Current areas of regulatory focus include stablecoin supervision under MiCA Titles III and IV, the treatment of DeFi protocols, standards for tokenised deposit instruments and AML controls for blockchain-based services. BaFin has also co-ordinated closely with ESMA on implementing MiCA’s market abuse provisions for crypto-asset markets.

Not all blockchain assets are treated as regulated financial instruments in Germany. The classification is determined on a case-by-case basis and is the critical threshold question for determining the applicable rules.

Security tokens that represent transferable securities, such as tokenised shares, bonds or fund units, qualify as financial instruments under MiFID II and are regulated under the WpHG and eWpG. The full securities framework applies, including prospectus requirements, market abuse rules and MiFID II conduct obligations.

Crypto-assets that do not qualify as financial instruments fall under MiCA’s tripartite classification: asset-referenced tokens (ARTs) backed by a basket of assets, e-money tokens (EMTs) pegged to a single fiat currency and other crypto-assets including utility tokens. Each category carries distinct issuance, reserve and service provider requirements.

BaFin determines the classification on a case-by-case basis. The boundary is not always intuitive: a token with profit participation rights or dividend-like features may be a security even if it looks and behaves like a typical crypto-asset. This classification is the single most consequential regulatory decision for any token project, because it determines which licences, disclosures and conduct rules apply downstream.

The issuer regime depends on the classification. For security tokens (financial instruments), public offerings exceeding the applicable thresholds require a BaFin-approved prospectus under the EU Prospectus Regulation. The eWpG provides the framework for issuing electronic securities, requiring entries in a crypto securities register maintained by a registered custodian.

For crypto-assets under MiCA, issuers of other crypto-assets (including utility tokens) must publish a white paper and notify it to BaFin at least 20 working days before the offering. ART issuers require authorisation and must maintain reserve assets. EMT issuers need authorisation as credit institutions or e-money institutions.

Tokenisation of real-world assets is gaining momentum but faces practical challenges. The eWpG covers bearer bonds, fund units and electronic shares, meaning that tokenised real estate still requires more complex legal structuring. The interaction between on-chain records and off-chain legal title is not yet fully resolved, and secondary market liquidity remains limited.

Crypto-asset trading platforms need CASP authorisation under MiCA, covering organisational requirements, prudential standards, conflict-of-interest rules and market surveillance. Authorised platforms benefit from the EU passport.

For tokenised financial instruments, trading must occur on a MiFID II venue (regulated market, MTF, or OTF) or under the DLT Pilot Regime (see 2.5 Regulatory Sandbox). Peer-to-peer trading is not explicitly addressed by MiCA, but platforms that effectively match orders may, depending on the concrete services provided, be classified as operating a trading platform.

As with other areas of crypto regulation, BaFin looks at what a platform actually does, not what it calls itself.

The regulatory treatment of staking services in Germany under MiCA is still developing. MiCA does not explicitly list staking as a regulated crypto-asset service. However, depending on the specific structuring, staking services may be classified as custody and administration of crypto-assets on behalf of clients (a regulated CASP service) if the service provider holds the client’s crypto-assets and delegates them for staking.

BaFin has not issued definitive guidance on staking. Most providers operate under CASP custody licences. Where staking involves pooling client assets with expected returns, a collective investment scheme classification under the KAGB is theoretically possible but has not been formally pursued. The classification depends on the specific operational model.

Crypto lending is regulated, but the applicable framework depends on the structure. Accepting deposits or granting credit on a commercial basis requires a KWG banking licence, regardless of whether the loans are denominated in fiat or crypto. Where a platform accepts crypto-assets as collateral, it may simultaneously trigger MiCA custody obligations and KWG lending requirements.

Peer-to-peer crypto lending models where the platform does not lend on its own balance sheet may fall outside the banking licence requirement but could trigger investment intermediation or crowdlending regulation. The collapse of several centralised crypto lending platforms globally has sharpened BaFin’s focus on this area, especially around client asset segregation and the transparency of lending terms.

MiFID II treats cryptocurrency derivatives as financial instruments. This includes futures, options, contracts for difference (CFDs) and other derivative instruments referencing crypto-assets. Firms offering crypto derivatives need authorisation under the WpIG or KWG and must comply with MiFID II’s full conduct, prudential and reporting framework.

BaFin has historically taken a restrictive approach to the retail distribution of crypto derivatives, including CFDs. Product intervention measures limit the leverage available to retail clients and require standardised risk warnings. ESMA has also imposed EU-wide restrictions on the marketing, distribution and sale of CFDs to retail investors, including those referencing crypto-assets.

The regulatory treatment of DeFi in Germany remains one of the most complex questions in the current landscape. MiCA explicitly excludes fully decentralised services without an identifiable intermediary from its scope. However, both BaFin and ESMA have emphasised that the determination of whether a service is truly decentralised must be assessed based on the actual degree of decentralisation, not merely the label used.

Where a protocol has identifiable governance structures, whether through a foundation, DAO or governance token holders with meaningful control, regulators may hold those persons responsible. Front-end operators and deployers are also potential points of regulatory attachment.

The practical challenge is enforcement. Fully decentralised, permissionless protocols operating without identifiable operators present real difficulties for regulators. The European Commission has indicated that DeFi regulation will be a focus of the MiCA review, expected to produce proposals by 2027.

The German Capital Investment Code (KAGB), implementing the AIFMD and UCITS directives, governs funds investing in blockchain assets. UCITS funds face strict restrictions on investing in crypto-assets due to eligible asset limitations. Alternative investment funds (AIFs) managed by licensed alternative investment fund managers (AIFMs) have greater flexibility and may invest in crypto-assets, subject to the risk management and disclosure requirements of the AIFMD.

BaFin has permitted special AIFs (Spezial-AIFs) to invest in crypto-assets within defined limits, and the market has seen growing interest in crypto-focused AIFs and tokenised fund units under the eWpG. The interaction between MiCA and the KAGB/AIFMD is an area of ongoing regulatory development, especially around custody requirements where fund assets include both traditional securities and crypto-assets.

The term “virtual currency” is now largely a terminological relic. MiCA uses the broader concept of “crypto-asset”, classified into ARTs, EMTs and other crypto-assets. Bitcoin and similar payment-oriented tokens fall into the “other crypto-assets” category under MiCA Title II.

Before MiCA, the KWG defined crypto-assets as “Kryptowerte”: digital representations of value not issued by a central bank, accepted as means of exchange or serving investment purposes. MiCA’s EU-wide classification has superseded this national definition, though some transitional provisions still reference it.

For practical purposes, the distinction between “virtual currency” and “crypto-asset” no longer carries regulatory significance. What matters is the MiCA classification.

NFTs are not regulated under MiCA, which excludes unique and non-fungible crypto-assets from its scope. However, this exclusion has clear limits. NFTs issued in large series or collections, or tokens that are functionally fungible or fractionalisable, may fall within MiCA’s perimeter.

Under German securities law, an NFT could qualify as a financial instrument if it incorporates investment-like features such as profit participation or revenue sharing. BaFin assesses this on a case-by-case basis. Most pure collectible or art NFTs fall outside the regulatory perimeter, while fractionalised NFTs or those linked to financial returns are likely to be regulated.

MiCA provides a detailed regulatory framework for stablecoins. The regulation distinguishes between asset-referenced tokens (ARTs), which are backed by a basket of assets, and e-money tokens (EMTs), which are pegged to a single fiat currency. Both categories carry specific issuance, reserve management and redemption requirements.

EMT issuers need authorisation as credit institutions or e-money institutions and must ensure that tokens are redeemable at par value at any time. Reserve assets must be held in secure, segregated custody. ART issuers require BaFin authorisation and must maintain a reserve of assets corresponding to the tokens in circulation, subject to composition and custody requirements.

In 2025, BaFin approved Germany’s first euro-denominated stablecoin under MiCA, issued by AllUnity – a joint venture between DWS (Deutsche Bank), Flow Traders and Galaxy Digital. This milestone underscored Germany’s position as a leading jurisdiction for regulated stablecoin issuance. Significant stablecoins, as determined by ESMA and the EBA, are subject to enhanced requirements including higher capital buffers and direct EBA supervision. For firms considering stablecoin issuance, early engagement with BaFin on the classification and reserve structure is essential.

Open banking in Germany is built on PSD2, transposed into German law through the ZAG. The framework gives licensed third-party providers, Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs), the right to access payment account data held by banks, subject to the account holder’s explicit consent and strong customer authentication.

Implementation has been uneven. API quality varies considerably across banks, SCA requirements have created friction in user journeys, and the scope of data access rights has been a recurring point of contention between banks and third-party providers. BaFin has intervened in individual cases to require banks to improve their API interfaces, but the overall experience has been one of gradual progress rather than rapid transformation.

The PSD3/PSR package will reshape this landscape by removing the option for banks to maintain fallback interfaces, mandating dedicated APIs with defined performance and functionality standards and strengthening fraud prevention in open banking transactions. Beyond payments, the Financial Data Access Regulation (FIDA) will extend data-sharing principles to savings, investments, pensions and insurance, moving Germany from open banking toward a broader open finance ecosystem. For fintech companies, this represents both a major opportunity and a new layer of compliance.

Data privacy and security are the central tensions in open banking. Under GDPR, sharing personal financial data requires a lawful basis, with explicit consent as the primary mechanism. Banks and third-party providers must implement strong customer authentication, encrypted data transmission and granular access controls.

The practical challenges go beyond legal compliance. API reliability varies across institutions, data formats are not fully standardised, and the allocation of liability when something goes wrong in a multi-party data chain remains a source of friction between banks and fintechs. BaFin and the Federal Data Protection Commissioner both exercise supervisory authority in this space, which can create overlapping expectations.

DORA adds operational resilience requirements to the picture. API infrastructure must be treated as critical ICT, with corresponding risk management, testing and incident reporting obligations. The industry is moving toward standardised API frameworks and security certifications, but full harmonisation is still some distance away. PSD3/PSR’s stricter API performance standards should accelerate this convergence.

Fraud in the German financial services context plays out across three dimensions that can hit simultaneously.

  • On the criminal side, both traditional fraud through deception and computer fraud through manipulation of digital systems are prosecuted. The latter is increasingly relevant as fintech products are inherently software-driven and therefore exposed to digital manipulation vectors that did not exist in traditional banking.
  • On the regulatory side, BaFin pursues unauthorised financial services, market manipulation and misleading marketing. MiCA has extended these enforcement powers to crypto-asset markets, where insider dealing and price manipulation are now explicitly prohibited and actively monitored.
  • On the civil side, customers and counterparties can bring claims for mis-selling, deceptive practices, and misrepresentation under general civil and competition law.

The critical point for fintech companies is that these layers are not alternatives. A single incident, such as a data breach exploited for unauthorised transactions, can trigger a criminal investigation, a BaFin enforcement proceeding and civil litigation at the same time. Building fraud prevention into the product architecture rather than bolting it on as a compliance function is the most effective way to manage this multi-dimensional exposure.

Three areas dominate BaFin’s fraud focus.

  • Authorised push-payment fraud – social engineering attacks are becoming more sophisticated, increasingly aided by AI, and BaFin views the current liability framework as insufficient. PSD3/PSR will introduce mandatory payee verification and shift more responsibility onto providers who fail to prevent these attacks.
  • Unlicensed crypto offerings – BaFin uses its name-and-warn powers aggressively, publicly identifying suspect operators before formal proceedings conclude. The reputational damage alone can be fatal for a business.
  • AML failures at fast-growing fintechs – several neobanks and payment institutions have faced enforcement action for scaling their customer base faster than their compliance infrastructure. BaFin has made clear that this pattern will not be tolerated.

The expectation is proactive prevention. Firms that build detection and response into their operations are better positioned than those that wait for the regulator to identify the problem.

Liability depends on the service type. Payment service providers under the ZAG bear liability for unauthorised transactions, with a customer co-payment of up to EUR50 for lost or stolen payment instruments (unless the customer acted with gross negligence). For authorised push-payment fraud, the current framework places limited liability on the provider, though PSD3/PSR will expand provider obligations.

Investment firms under MiFID II face liability for breaches of best execution, suitability requirements or conflicts of interest management. CASPs under MiCA face liability for operational failures, custody breaches or failure to protect client assets.

General civil liability under the BGB applies across all service types. The direction of travel is clear: PSD3/PSR will shift the balance further toward provider responsibility, especially where adequate fraud-prevention measures were not in place. Building robust prevention systems is no longer just good practice – it directly reduces legal exposure.

LEXR

Gormannstraße 14
10119 Berlin
Germany

+41 44 544 13 30

contact@lexr.com
www.lexr.com