Ireland is home to well-developed and globally recognised technology and financial services sectors, and is one of the leading European jurisdictions for fintech activity. The Central Bank of Ireland (Central Bank) has recognised that the fintech sector is of increasing importance to both the Irish and EU financial services landscapes, and that the industry has seen significant growth in recent years.

Key Trends Over the Past 12 Months

Fintech activity continues to be particularly prevalent in the payments sector, although it is not limited to this area. Key trends in the fintech sector over the past 12 months include the following.

• The rise of new banking models – the rise of neobanks is reshaping banking at a consumer level. Monzo received its banking licence from the Central Bank in December 2025.
• Growing crypto-asset services sector – significant growth has appeared in the crypto-asset service provider (CASP) sector, with 11 CASPs authorised by the Central Bank as of February 2026.
• AI implications – AI and machine learning are transforming financial services by enabling business model opportunities for firms and enhancing customer experience.
• Tokenisation – the use case of tokenising real-world assets gained increasing traction throughout 2025, with legacy players exploring tokenisation structures to seek operational efficiencies, particularly in the asset management sector.

Upcoming Changes to EU Regulation

Key regulatory developments and initiatives include the following.

Simplification agenda

The European Commission is driving simplification in financial regulation through omnibus packages to reduce regulatory burdens and strengthen EU competitiveness. As part of a December 2025 report, the Central Bank noted that it is also engaging in a domestic programme to enhance the effectiveness and efficiency of its work. In particular, the Central Bank is continuing to be more future-focused, including through continued digitalisation of the financial sector, with its work on the Digital Euro, a forthcoming discussion paper on tokenisation, and the second Innovation Sandbox.

Implementation of CRD VI

On 9 July 2024, Directive (EU) 2024/1619 (CRD VI) entered into force with the aim of further harmonising the banking supervisory framework across the EU, including the provision of core-banking services into the EU by non-EU undertakings. CRD VI requires non-EU (third-country) undertakings to establish an authorised EU branch to commence or continue carrying out certain core-banking activities in an EU member state, unless an exemption applies. The deadline for member state transposition of CRD VI was 10 January 2026, and the requirements for the establishment and authorisation of a branch in the EU must be applied from 11 January 2027.

AI Act

The AI Act entered into force on 1 August 2024, with most of its provisions set to apply two years after this date, although certain exceptions apply. The ban on prohibited AI systems has applied since 2 February 2025. The AI Act establishes a regulatory framework aimed at harmonising rules for AI across the EU. It seeks to regulate providers who market or deploy AI systems within the EU, as well as users of these systems. On 19 November 2025, the European Commission released its Digital Omnibus Package, which proposes adding targeted simplification measures to the AI Act’s provisions.

Payments

In 2023, the European Commission published the proposal for a Directive on payment services and electronic money services (PSD3), which will modernise and repeal the revised Payment Services Directive (PSD2) and the revised Electronic Money Directive (EMD2), and a new Payment Services Regulation (EU PSR). In November 2025, the European Parliament and the Council of the EU announced a provisional political agreement on PSD3 and the EU PSR, and it is expected that its provisions will apply by late 2027/early 2028.

The Instant Payments Regulation has a phased implementation schedule extending from January 2025 to July 2027. It aims to ensure that instant euro payments are accessible to both consumers and businesses throughout the EU by amending existing EU payments regulations.

Markets integration package

On 4 December 2025, the European Commission proposed a comprehensive package of measures aimed to simplify the EU regulatory and supervisory landscape. The legislative package proposes to amend the Markets in Crypto-Assets Regulation (MiCAR) to transfer the authorisation, monitoring and supervision of all CASPs from national competent authorities (NCAs) to the European Securities and Markets Authority (ESMA). Regarding tokenisation, the proposed Regulation on settlement finality together with proposed amendments to the Central Securities Depository Regulation and the EU DLT Pilot Regulation aim to remove regulatory barriers to innovation related to DLT and to encourage the adoption of new technologies in the financial sector.

Outside of payments business, which has driven the majority of fintech activity, significant growth has appeared in the CASP sector. Other areas for innovation include regtech, insurtech and digital identity. Traditional players are also looking to incorporate new technology such as blockchain and AI into their existing operations, for example through tokenisation initiatives in the asset management space.

Fintech firms must look to the existing regulatory regimes that may be applicable to their business model on a case-by-case basis.

Payments

In relation to the provision of payment services or the issuance of electronic money, the primary rules to be considered are:

• the European Union (Payment Services) Regulations 2018 (PSR), which transpose PSD2 into Irish law; and
• the European Communities (Electronic Money) Regulations 2011 (EMR), which transpose EMD2 into Irish law.

The domestic Irish regime governing money transmission businesses under the Central Bank Act, 1997 (CBA 1997) may be relevant to a money transmission service falling outside the PSR.

Banking

Challenger banks seeking to undertake “banking business” or accept deposits from the public require a bank licence under the Central Bank Act, 1971 and will be subject to the Irish implementation of the EU Capital Requirements Directive (as amended) and the directly applicable EU Capital Requirements Regulation.

Investment Services/Asset Management

Depending on the services provided, a fintech firm providing investment services or asset management solutions may be subject to regulation. For example, if the activities constitute “investment services” in respect of “financial instruments” for the purposes of the European Union (Markets in Financial Instruments) Regulations 2017 (MiFID Regulations), an investment firm authorisation will be required, unless an exemption applies. The MiFID Regulations implement Directive 2014/65/EU (MiFID II) into Irish law.

Firms appointed to manage a collective investment undertaking (such as a UCITS fund or an alternative investment fund) will require authorisation under the European Communities (Undertakings for Collective Investment in Transferable Securities) Regulations 2011 or the European Union (Alternative Investment Fund Managers) Regulations 2013, as appropriate, unless an exemption applies.

Crowdfunding

The operation of a loan or investment-based crowdfunding platform is a regulated activity under Regulation (EU) 2020/1503 (Crowdfunding Regulation).

Blockchain and Crypto-Assets

Entities providing certain crypto-asset services within the EU are required to be authorised as CASPs. CASPs authorised under MiCAR will be subject to a range of obligations, including the prudential and conduct-of-business requirements under MiCAR as well as other requirements, such as in relation to anti-money laundering.

MiCAR also applies to offerors and persons seeking admission to trading of crypto-assets in the EU, including stablecoin issuers. In relation to the application of MiCAR to CASPs, stablecoin issuers and offerors/person seeking admission to trading of crypto-assets, please see 10. Blockchain.

Passporting

Depending on the regulatory framework, entities may passport their authorisation into Ireland form other EEA countries or passport out of Ireland to EEA countries, subject to relevant notifications. For example, a passporting framework is available under the Capital Requirements Directive, MiFID II, PSD2 and EMD2, the Crowdfunding Regulation and MiCAR.

Anti-Money Laundering (AML)

The applicability of AML rules, including customer due diligence and ongoing monitoring requirements, will depend primarily on whether a fintech company falls within the categories of “designated persons” under the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, as amended (CJA 2010). Designated persons include a wide range of financial services companies as well as certain other entities – eg, casinos, or persons trading or acting as an intermediary in the trade of works of art.

The Transfer of Funds Regulation (Regulation (EU) 2023/1113) (TFR) became applicable on 30 December 2024 and extends the obligation to include information about the originator and beneficiary (the so-called “travel rule”) to CASPs. The EBA has also issued guidelines expanding on the TFR requirements and guidelines addressed to CASPs on effectively managing exposure to money laundering and terrorist financing risks and on compliance with restrictive measures/sanctions.

Digital Operational Resilience Act

The EU Digital Operational Resilience Act (DORA) applies to certain financial entities, with the objective of ensuring that entities operating in the EU financial services industry can withstand, respond to and recover from all types of disruptions and threats relating to information and communication technology (ICT). DORA also applies to critical ICT third-party service providers to the financial services industry and provides a framework for the oversight of such entities by the European Supervisory Authorities (ESAs).

Security Requirements

Fintech firms will also need to be aware of and comply with specific security requirements introduced under PSD2 (eg, strong customer authentication) if they provide payment services, and, more broadly, cross-industry and industry-specific guidance from the Central Bank and EU regulators in relation to ICT and cyber-risks.

DORA and the Central Bank’s Guidance on Outsourcing and on Operational Resilience also set out specific requirements for certain financial institutions in the context of the security of network and information systems. Other cybersecurity and criminal legislation or guidance may also be relevant.

Furthermore, the technical, operational and organisational cybersecurity measures contained in Directive (EU) 2022/255 (NIS2) are applicable to in-scope essential and important entities, which include cloud computing service providers.

Data Privacy

Fintech firms will need to comply with data privacy laws, including the European Union General Data Protection Regulation (Regulation (EU) 2016/679 – GDPR), in respect of any processing of personal data. The GDPR is broad in application, such that the vast majority of companies are impacted regardless of their regulatory status or the services being provided.

CPC 2025

On 24 March 2025, the Central Bank published the Consumer Protection Code 2025 (CPC 2025), comprising:

• the Consumer Protection Code Central Bank Reform Act 2010 (Section 17A) (Standards for Business) Regulations 2025 (Standards for Business Regulations); and
• the Central Bank (Supervision and Enforcement) Act 2013 (Section 48) (Consumer Protection) Regulations 2025 (Consumer Protection Regulations).

The new provisions came into effect on 24 March 2026. The Standards for Business Regulations set out governance, resource, risk management and conduct standards for regulated financial service providers, and the Consumer Protection Regulations set out cross-sectoral requirements and other sector-specific requirements for regulated entities providing certain financial services.

Fitness and Probity (F&P) Regime

The Central Bank’s F&P Regime was established under the Central Bank Reform Act 2010 and applies to persons performing certain roles in regulated financial service providers (RFSPs). It applies to persons performing certain prescribed “controlled functions” (CFs) and “pre-approval controlled functions” (PCFs). PCFs include directors, chairs of the board and committees, the chief executive and heads of certain internal control functions, amongst other functions. A regulated firm must not permit a person to perform a CF or PCF unless it is satisfied on reasonable grounds that the person complies with the Central Bank’s Standards of Fitness and Probity.

Individual Accountability Framework and the Senior Executive Accountability Regime (SEAR)

Amongst other things, the Central Bank (Individual Accountability Framework) Act 2023 (IAF Act) introduced a requirement for persons in CF and PCF roles in regulated firms to take any steps reasonable in the circumstances to ensure that certain prescribed conduct standards are met.

The SEAR, which imposes additional requirements on firms, applies to credit institutions, insurance undertakings and certain investment firms.

The permissible compensation models and disclosure requirements will depend on the type of service firms provide, their customer base and regulatory status, and the rules applicable to those services or customer types.

As a general rule, there is no differentiation between services provided by fintech firms or legacy players, but some regulated activities are more likely to be performed by fintech firms.

The Central Bank has established an Innovation Sandbox Programme to inform the early-stage development of selected innovative initiatives and provide regulatory advice and support to firms on their innovative projects. The Sandbox Programme framework comprises workshops, ongoing bespoke engagement with dedicated Sandbox Relationship Managers, and access to data platforms.

As part of the Digital Finance Package, the EU DLT pilot regime commenced in March 2023, creating a sandbox for DLT operators of market infrastructure to conduct the trading and settlement of DLT financial instruments.

The Central Bank is the financial services regulator in Ireland, with responsibility for the authorisation and supervision of financial services providers. It supervises Irish firms from both a prudential and conduct-of-business perspective. For EEA passporting firms, the Central Bank will generally have a level of competence in relation to conduct-of-business requirements, rather than prudential requirements.

The European Central Bank is the competent licensing authority for new Irish credit institutions (banks), and supervises significant credit institutions directly.

The Data Protection Commission is the Irish supervisory authority for the GDPR.

Coimisiún na Meán is the designated Digital Services Co-ordinator in Ireland, implementing and enforcing the Irish Digital Services Act 2024. The Competition and Consumer Protection Commission is also designated for certain matters relating to online marketplaces.

The Central Bank does not issue “no-action” letters as part of its enforcement regime. Nonetheless, the ESAs have a legal basis to issue no-action letters in certain circumstances. Where the ESAs issue a no-action letter stating that competent authorities should not prioritise any supervisory or enforcement action in relation to a certain legislative act, this may influence actions taken by the Central Bank.

If a regulated function is outsourced, the vendor is likely to require authorisation to provide that service, unless it can rely on an exemption. Separately, a number of rules and requirements may apply to already regulated firms that are engaged in the outsourcing of regulated and unregulated functions. These are generally sector-specific – eg, the PSR and MiFID II contain outsourcing requirements that are relevant to in-scope firms.

By contrast, the Central Bank Cross-Industry Guidance on Outsourcing (CBI Outsourcing Guidance) applies across sectors to all regulated firms and must be considered alongside specific outsourcing rules under the various sectoral legislation. The CBI Outsourcing Guidance is heavily influenced by the EBA Guidelines on outsourcing arrangements (EBA Outsourcing Guidelines), which are applicable to credit institutions, payment institutions and electronic money institutions, for example.

In addition, DORA applies to in-scope financial entities and requires that all contracts between financial entities and ICT third-party service providers for the use of outsourced ICT services must meet certain minimum contractual requirements.

The extent to which any fintech provider is deemed a “gatekeeper” for activities on its platform will depend on its activities or the services it provides. Fintech providers may be subject to various authorisation requirements or may fall within the scope of Irish AML legislation.

The Criminal Justice Act 2011 imposes a reporting obligation on a person who has information that said person “knows or believes might be of material assistance” in preventing or prosecuting a “relevant offence”, who must disclose this information to the Garda Síochána (the Irish police force).

The Digital Markets Act (Regulation (EU) 2022/1925) (DMA) became applicable from May 2023 and requires gatekeepers that have established a “core platform service” – search engines, social networking services, app stores, web browsers, etc – to abide by various requirements around fairness and transparency.       

The Central Bank took four enforcement actions in 2025 in a broad range of areas where breaches of financial services legislation have been committed by regulated entities. In November 2025, the Central Bank fined Coinbase Europe Limited EUR21,464,734 for breaching its anti-money laundering and counter-terrorist financing transaction monitoring obligations as required by the CJA 2010 between 2021 and 2025.

Firms will need to ensure that they operate in accordance with non-financial services requirements in Ireland, including data protection laws, cybersecurity requirements, consumer protection legislation, company law and intellectual property law.

The Digital Services Act (Regulation (EU) 2022/2065) (DSA) and the DMA form a single set of rules to create a fairer digital space for users. The DMA applies to online gatekeepers that reach certain turnover volumes, while the DSA regulates online intermediaries and platforms.

Where companies are required to produce audited financial statements, their statutory auditors will review their financial accounts. In 2023, the Central Bank required Irish payment and e-money firms to obtain a safeguarding audit.

As part of its supervisory expectations, the Central Bank expects CASPs to ensure that independent third-party assurance is provided on an annual basis, confirming that the safeguarding frameworks CASPs have in place are compliant with requirements.

A broad range of authorities may be relevant during a firm’s life cycle, including tax authorities, the Office of the Director of Corporate Enforcement, exchanges and the Financial Services and Pensions Ombudsman.       

For the most part, it is possible for a regulated entity to offer regulated and unregulated services, unless it is restricted by its financial services licence. Under both the PSR and EMR, the Central Bank is empowered to require firms that undertake additional activities to establish separate entities.

In their Joint Report on recent developments in crypto-assets, the EBA and ESMA highlighted examples of regulated entities providing both regulated and unregulated services.

The applicability of AML rules will depend primarily on whether a fintech company falls within the categories of “designated persons” under the CJA 2010. Where a fintech firm is regulated by the Central Bank, it will typically be a designated person.

EU and Irish financial sanctions rules will apply to all fintech firms regardless of authorisation status.

Ireland has been a member of the FATF since 1991. The AML and sanctions rules in Ireland closely follow the laws issued by the EU, which in turn are heavily influenced by the FATF standards.

The legislative framework under MiFID II and MiCAR provides for a reverse solicitation regime.

MiFID II

Under the MiFID Regulations, a third-country firm, as defined, will generally need to establish a branch in Ireland and obtain prior authorisation from the Central Bank before providing investment services or activities to retail clients and opted-up professional clients. However, there is an exemption where retail clients or opted-up professional clients initiate the provision of an investment service by a third-country firm, at their own exclusive initiative. Where a third-country firm solicits clients or potential clients in the EU, including through an entity acting on its behalf or having close links with it, it is not deemed a service provided at the own exclusive initiative of the client. Reverse solicitation does not entitle the third-country firm to market new categories of investment products or investment services to that individual.

The Markets in Financial Instruments Regulation (MiFIR) requires third-country firms that deal with certain “per se” professional clients or eligible counterparties to register with ESMA, unless the service was provided at the exclusive initiative of the client. The registration requirement only applies following the adoption of an equivalence decision by the European Commission and is not currently in force, as no equivalency determinations yet exist. As a result, national laws govern the access of third-country firms to these client types.

MiCAR

MiCAR also provides for a reverse solicitation exemption for the provision of CASP services by third-country firms to EU clients. In February 2025, ESMA published its guidelines on reverse solicitation under MiCAR, providing a non-exhaustive list of examples of solicitation.

It is generally accepted that the reverse solicitation rules contained in MiFID II and MiCAR will be interpreted very strictly.

Once the activities of a robo-adviser constitute MiFID II “investment services” in respect of “financial instruments”, the robo-adviser will require authorisation as a MiFID II investment firm under the MiFID Regulations, unless an exemption applies. The MiFID II investment services most likely to be triggered by robo-adviser activity are portfolio management and/or the provision of investment advice.

The MiFID Regulations requirements in relation to suitability assessments will also affect robo-advisers, and certain of the ESMA Guidelines on MiFID Suitability are stated to be particularly applicable to robo-advisers, given the limited amount or total absence of human involvement.

Where robo-advisers involve crypto-assets, entities will also need to consider their licensing and related conduct requirements under MiCAR, including in relation to suitability assessments where providing advice or providing portfolio management services.

The Consumer Protection Regulations 2025, which have applied since 24 March 2026, impose certain standards on regulated entities engaging with consumers by means of a digital platform for the purposes of providing financial services.

No information is available in this jurisdiction.

A robo-adviser that is authorised under the MiFID Regulations and executes orders on behalf of clients is subject to the MiFID II rules, including the client order handling rules and best execution requirements. MiFID II and the MiFID Regulations also set out related requirements for portfolio managers placing orders or where firms receive and transmit orders. MiCAR introduces best execution requirements for CASPs.

There are significant differences between the regulation of lending to individuals and to companies in Ireland.

Commercial Lending

Commercial lending (ie, lending to corporates) does not generally require a financial services licence in Ireland, although AML registration and reporting to the Central Credit Register may be required.

Loans to Individuals and SMEs

By contrast, lending to individuals may require a retail credit firm authorisation under the CBA 1997, subject to certain exemptions. The scope of the Irish retail credit regime captures credit agreements, including buy-now-pay-later products or other indirect credit, as well as hire-purchase agreements and consumer-hire agreements. The Consumer Credit Act, 1995 contains another domestic-only regime for persons providing “high-cost credit” to consumers.

Lending to consumers is subject to a range of consumer protection requirements.

RFSPs (including EEA lenders operating in Ireland on a cross-border basis) may also be subject to certain conduct-of-business rules when lending to individuals, certain small companies or SMEs. These rules include the Consumer Protection Regulations and the Central Bank (Supervision and Enforcement) Act 2013 (Section 48) (Lending to Small and Medium-Sized Enterprises) Regulations 2015 (SME Regulations).

Credit Servicing

Credit servicing (including legal title loan ownership, managing or administering a credit agreement and related borrower communications) in relation to loans to individuals and SMEs requires authorisation in certain circumstances under the CBA 1997. This regime also applies to hire-purchase agreements and consumer-hire agreements.

Separately, the EU-wide Credit Servicers Directive (Directive (EU) 2021/2167) has been introduced and regulates credit servicers in certain circumstances.

Crowdfunding

The Crowdfunding Regulation facilitates peer-to-peer business lending, with regulated crowdfunding service providers being authorised to facilitate the granting of loans. Crowdfunding service providers can also perform individual portfolio management of loans for investors within certain criteria.

CRD VI Implications

From 11 January 2027, non-EU (third-country) undertakings must establish an authorised EU branch to commence or continue carrying out certain core-banking activities in an EU member state, unless an exemption applies. The core-banking services impacted by CRD VI include lending activities to consumers and non-consumers, where the third-country undertaking would qualify as a credit institution if it were established in the EU.

Irish conduct-of-business rules and legislation require creditworthiness or suitability assessments in certain circumstances; for example, the European Communities (Consumer Credit Agreements) Regulations 2010, the Consumer Protection Regulations and the SME Regulations are relevant in this regard.

Ireland has established a Central Credit Register under the Credit Reporting Act 2013, which lenders must check before advancing in-scope credit; the Act also requires lenders to report lending information.

Credit institutions such as banks raise funds for their lending activities from a wide range of sources, including deposits, inter-bank lending, issuing debt and securitisations. Deposit-taking in Ireland triggers a requirement for a banking licence, and securitisations are subject to a number of Irish and EU rules.

Dedicated lending entities (eg, retail credit firms) may raise funds for their lending activities from securitisations or lending from other investors or institutions. Funds may also be sourced through peer-to-peer lending (eg, via a crowdfunding service provider).

It is not typical for consumer loans or loans to small businesses to be syndicated. The Crowdfunding Regulation provides a European framework for peer-to-peer lending platforms.

Payment processors may use existing payment infrastructure or create or implement new payment rails, as long as they operate within the bounds of their financial services authorisation and adhere to relevant regulatory requirements. The Central Bank is responsible for approving the establishment of new payment systems in Ireland under the CBA 1997. The Central Bank also conducts oversight assessments of relevant entities and systems against oversight principles and standards such as the Payment Instruments, Schemes and Arrangements (PISA) Framework.

Cross-border payments may be regulated under the PSR. There are also requirements in respect of wire transfers, credit transfers and direct debits (eg, the Single Euro Payments Area). The PISA Framework is also relevant to companies enabling or supporting the use of payment cards, credit transfers, direct debits, e-money transfers and digital payment tokens, including e-wallets.

Crowdfunding Platforms

The activity of operating a peer-to-peer crowdfunding platform is regulated under the Crowdfunding Regulation, which provides a European framework for loan and investment-based crowdfunding.

Investment Services, Exchanges and Trading Platforms

The provision of investment services, exchanges and trading platforms in respect of MiFID II financial instruments is primarily regulated by the Central Bank under the MiFID Regulations, which provide for the regulation of market operators and investment firms operating various types of trading venues, such as regulated markets, multilateral trading facilities (MTFs) and organised trading facilities (OTFs).

Crypto-Asset Exchanges

The operation of a crypto-asset exchange from Ireland involving exchange services between crypto-assets and/or crypto-assets and fiat currencies and/or the operation of a trading platform for crypto-assets will require authorisation as a CASP under MiCAR.

MiCAR applies only to crypto-assets that are not covered by existing EU legislation. MiCAR categorises in-scope crypto-assets into ARTs, EMTs and other type of crypto-assets, including utility tokens.

The provision of investment services (such as operating a trading venue) in relation to MiFID financial instruments (including those issued through DLT) is regulated under the MiFID Regulations.

MiCAR regulates the provision of crypto-asset exchange services and the operation of a trading platform for crypto-assets. MiCAR will apply to persons and to the crypto-asset services and activities performed, provided or controlled by them, directly or indirectly, including when part of such activities or services is performed in a decentralised manner.

Where crypto-asset services are provided in a fully decentralised manner without any intermediary, they should not fall within the scope of the MiCAR authorisation requirement, although each model will need to be considered separately.

No formal listing standards exist for unregulated platforms. General contractual principles should apply, and certain general consumer protection rules may also apply. Trading venues established under MiFID or MiCAR are required to have detailed operating rules.

No formal order handling rules apply for unregulated platforms; general contractual principles should apply. Detailed order handling rules apply to MiFID II investment firms of MiCAR CASPs when executing orders.

For information on decentralised exchanges, see 10.9 Decentralised Finance (DeFi).

The MiFID II inducements, conflicts of interest and best execution rules will apply to all MiFID II investment firms, including in the context of payment for order flow, which is the practice of brokers receiving payments from third parties for directing client order flow to them as execution venues.

MiFIR prohibits financial intermediaries, when acting on behalf of retail clients or clients that have opted up to the professional client, from receiving a fee, commission or non-monetary benefit from any third party for their execution on a particular execution venue, or for forwarding orders of those clients to any third party for their execution on a particular execution venue.

Under MiCAR, CASPs receiving and transmitting orders for crypto-assets on behalf of clients are prohibited from receiving any remuneration, discount or non-monetary benefit in return for routing orders received from clients to a particular trading platform or to another CASP.

In addition to domestic requirements, Ireland has implemented EU securities markets legislation, some of which is directly applicable. This legislation includes:

• the Prospectus Regulation;
• the Market Abuse Regulation (Regulation (EU) 596/2014 – MAR);
• the Transparency Directive;
• the Short Selling Regulation;
• the Securities Financing Transaction Regulation;
• Regulation 648/2012 on OTC Derivatives, Central Counterparties and Trade Repositories (EMIR); and
• MiFID II.

The MAR establishes a common EU regulatory framework on insider dealing, the unlawful disclosure of inside information and market manipulation (“market abuse”), and measures to prevent market abuse.

Market manipulation, as defined under the European Union (Market Abuse) Regulations 2016, is an offence in Ireland. MiCAR introduces provisions to prevent and prohibit market abuse involving certain crypto-assets, as well as white paper requirements for crypto-asset issuances.

The primary method of regulating these technologies is under the MiFID Regulations. The definition of algorithmic trading contained in the MiFID Regulations is limited to trading in MiFID II financial instruments.

For asset classes outside the scope of regulation under the MiFID Regulations, it would be important to consult the requirements applicable to the particular asset class.

Market makers in financial instruments will generally require authorisation under MiFID and must comply with specific rules if engaging in algorithmic trading to pursue a market-making strategy.

No information is available in this jurisdiction.

If programs or programmers are carrying out regulated activities, the applicable regulations will be relevant, but this will need to be assessed on a case-by-case basis. The AI Act will apply to providers who place AI systems on the market or put them into service in the EU, and to users of AI systems located or with establishments within the EU.

Only authorised insurance companies are permitted to underwrite insurance contracts in Ireland. Some insurtech companies are authorised as insurance companies, while others act as insurance intermediaries and require authorisation for that activity.

An insurance company must be authorised as a life insurer or a non-life insurer but not both (with limited exceptions). Life and non-life insurers are subject to different requirements.

Specific requirements in relation to motor insurance are set out in the European Union (Motor Insurance) Regulations 2023 due to the requirement for minimum compulsory cover for third-party motor insurance. There are a limited number of other kinds of compulsory insurance – eg, in relation to aircrafts and shipping.

Insurance products with an investment component are treated differently to other insurance products and are subject to the Packaged Retail and Insurance-based Investment Products (PRIIPs) Regulation.

Commercial and consumer insurance products are treated differently. Additional obligations apply when dealing with consumers, including the CPC 2025, the Consumer Protection Act 2007 and the Consumer Insurance Contracts Act 2019.

Generally speaking, the provision of regtech services is less likely to be a regulated activity, but this will depend on the nature of the regtech service performed and the nature of the entity to which such services are provided.

When outsourcing or sourcing ICT services, regulated entities may be obliged to impose certain contractual provisions on their service providers.

The CBI Outsourcing Guidance

Outsourcing is a particularly topical issue for the Central Bank. The CBI Outsourcing Guidance applies to all Irish regulated firms and is to be implemented alongside any specific sectoral legislative outsourcing requirements. It imposes similar contractual requirements to the EBA Outsourcing Guidelines (which apply directly to certain firms, such as credit institutions and payments/e-money institutions).

The EBA Outsourcing Guidelines

The EBA Outsourcing Guidelines require, inter alia, that outsourcing agreements specify service levels and precise quantitative and qualitative performance targets to allow for the timely monitoring of the performance of the outsourced function. Specific termination rights, provisions around business continuity, data and access and audit rights for the regulated firm and its regulators are also required. Other EU-level guidelines may also apply, depending on the outsourced service.

DORA

A key requirement of DORA is that all contracts between financial entities (as defined in DORA) and ICT third-party service providers for the use of ICT services must meet certain minimum contractual requirements. Additional contractual requirements are placed on arrangements with ICT third-party service providers that support a critical or important function of the financial entity.

Traditional domestic and international institutions operating in Ireland are investigating the use of blockchain, and certain institutions have conducted trials in this area. Ireland is also home to a number of crypto-led businesses, and this population is expected to grow.

The Central Bank’s Approach

Firms providing certain services in relation to crypto-assets are required to obtain a CASP authorisation. In December 2024, the Central Bank released its supervisory expectation for CASPs, outlining its risk appetite for crypto-asset services in Ireland.

Outside of these processes, the Central Bank has issued consumer explainers and warnings, and remains cautious on the benefits and risks of crypto. However, it has acknowledged that technological innovation is a key feature of the environment in which it seeks to deliver its mandate.

On 22 October 2024, the Department of Finance published its final report on the review of the “Funds Sector 2030”. One of the areas being examined is how technological change and innovation will influence future development, including mapping a pathway for the broader adoption of tokenisation. The Central Bank is also looking at tokenisation structures in the investment funds space and is due to publish a discussion paper on tokenisation.

The Central Bank has confirmed in a consumer warning that virtual currencies are not legal tender.

Crypto-Assets in Scope of MiCAR

MiCAR defines a crypto-asset as “a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology”. The regulation applies only to crypto-assets that are not covered by existing EU legislation, and categorises in-scope crypto-assets into ARTs, EMTs and other crypto-assets, including utility tokens.

Significance of MiFID II Definition of Transferable Securities to Regulatory Approach

The MiFID Regulations apply to financial instruments, including those issued by means of DLT.

One area of focus has been whether a particular blockchain asset qualifies to be considered as a MiFID II financial instrument, typically focused on the definition of a transferable security.

Certain types of crypto-assets could instead qualify as other MiFID II financial instruments, such as units in collective investment undertakings, money-market instruments or derivatives; a case-by-case analysis is required. Depending on classification, a range of other regimes could be triggered – eg, a transferable security falls within the regulatory scope of, inter alia, MiFID II, the Prospectus Regulation and MAR.

In March 2025, ESMA published its Guidelines on the conditions and criteria for the qualification of crypto-assets as financial instruments, which provide further clarity on the approach to be taken.

Crypto-Assets and Payment Services

Only electronic money institutions authorised under the Electronic Money Directive and credit institutions can issue EMTs – ie, crypto-assets that purport to maintain a stable value by referencing the value of one official currency.

If a person performs a “payment service” as listed in PSD2 with a blockchain asset that qualifies as “electronic money” under EMD2, such activity would fall within the scope of PSD2 by virtue of constituting “funds”.

Assuming the blockchain assets are not governed by any existing EU legislation, the issuance of crypto-assets is governed by MiCAR. The issuance of a crypto-asset other than ARTs and EMTs is itself not a regulated activity under MiCAR if it does not constitute an offer to the public, seeking admission to trading, or a crypto-asset service. Certain market abuse requirements under MiCAR are nonetheless applicable to issuers.

The regulatory classification of tokenised real-world assets (RWAs) requires a case-by-case analysis. Based on the tokenisation structure used and the specific rights and obligations attached to the token, a tokenised RWA may, for example, constitute a financial instrument under MiFID, or an ART under MiCAR.

See 10.13 Stablecoins regarding the regulatory framework under MiCAR for issuers of ARTs and EMTs.

MiCAR requires offerors and persons seeking admission to trading of crypto-assets other than ARTs and EMTs to notify a white paper to an EU NCA and abide by certain disclosure and conduct requirements. Exemptions are available to certain offers to the public, which need to be assessed on a case-by-case basis.

Where blockchain assets constitute MiFID II financial instruments such as transferable securities, the operation of a trading platform will be in the scope of existing regulatory regimes. The operation of a trading platform may involve the issuance of electronic money or the provision of payment services, in order to facilitate wallet and payment features. MiCAR imposes requirements on CASPs operating a trading platform for crypto-assets or engaging in exchange services between crypto-assets and/or crypto-assets and funds.

MiCAR does not contain provisions specific to staking and therefore does not create specific requirements or licensing obligations for staking. However, the European Commission confirmed that where the staking service provider holds the private keys to the staked crypto-assets, the service provider is required to be authorised under MiCAR to provide custody and administration of crypto-assets on behalf of clients. Depending on the arrangements between staking service providers and customers, other MiCAR CASP services may be relevant.

The provision of staking services may fall within existing regulatory regimes, depending on the legal classification of the crypto-asset in question.

MiCAR does not specifically address the lending and borrowing of crypto-assets, including EMTs; instead, it proposes that the Commission shall present a report to the European Parliament containing an assessment of the necessity and feasibility of regulating lending and borrowing of crypto-assets. To assist the European Commission with this report, the EBA and ESMA have published a Joint Report on recent developments in crypto-assets, including lending and borrowing of crypto-assets.

Lending services relating to crypto-assets may fall within existing regulatory regimes, depending on the legal classification of the crypto-asset in question.

In March 2025, ESMA published its Guidelines on the conditions and criteria for the qualification of crypto-assets as financial instruments, which provide further clarity on the classification of crypto-assets as derivative contracts.

Firstly, with regards to crypto-assets as an underlying asset for derivatives, ESMA notes that NCAs and financial market participants should consider the possibility for crypto-assets to be eligible underlying assets in derivative contracts for the purposes of MiFID II.

Secondly, ESMA notes that crypto-assets themselves can be qualified as derivatives. In this regard, NCAs and financial market participants should consider the following as part of their assessment:

• whether the rights of the crypto-asset holders are contingent upon a contract based on a future commitment, creating a time-lag between the conclusion and performance of the obligations under such contract;
• whether the crypto-asset’s value is derived from that of an underlying asset; and
• whether the crypto-asset follows the settlement modalities as referred to in MiFID II.

Where the crypto-asset serves as an eligible asset in derivative contracts for the purposes of MiFID, or where the crypto-asset itself amounts to a derivative contract within scope of MiFID II, entities providing investment services, as defined in MiFID II, in relation to such crypto derivatives may need to consider the impact of MiFID II on their business.

DeFi presents challenges for EU regulatory authorities, as it does not sit neatly within the existing regulatory landscape. DeFi transactions and decentralised exchanges will require a case-by-case analysis to determine the regulatory categorisation of the activities involved and jurisdictional questions regarding applicable legislation and relevant regulatory bodies. This is a rapidly developing area, and there is expected to be increasing regulatory interest in DeFi.

MiCAR should not apply where crypto-asset services are provided in a fully decentralised manner without any intermediary. MiCAR instead proposes that the Commission shall present a report to the European Parliament containing an assessment of the development of DeFi in the crypto-assets markets and of the adequate regulatory treatment of decentralised crypto-asset systems without an issuer or CASP, including an assessment of the necessity and feasibility of regulating DeFi. In January 2025, the EBA and ESMA published a Joint Report on recent developments in crypto-assets, including DeFi.

Irish regulated investment funds are authorised either as UCITS or as alternative investment funds (AIFs).

The Central Bank has provided guidance on investment in digital assets, which are generally considered to be assets that exist in digital form and that attach ownership rights that depend primarily on cryptography and distributed ledger or similar technology. This guidance recognises that the nature and characteristics of digital assets vary considerably, and distinguishes, for example, between digital assets that are tokenised traditional assets and digital assets that are based on intangible or non-traditional underlying assets.

For the purposes of its requirements, the Central Bank considers “digital assets” to be the latter type of digital asset. Its guidance states that the Central Bank is highly unlikely to approve a UCITS or an AIF marketed to retail investors proposing any exposure (either direct or indirect) to digital assets.

In April 2023, the Central Bank increased the investment limits for qualifying investors AIFs (QIAIFs) seeking exposure to the latter type of digital assets, as follows:

• where a QIAIF is open-ended, it can gain exposure to digital assets of up to 20% of NAV; and
• where a QIAIF is closed-ended or is open-ended with limited liquidity, it can gain exposure to digital assets of up to 50% of NAV.

In order to avail of these limits, the alternative investment fund manager must ensure the following requirements are satisfied:

• an effective risk management policy is implemented to address all risks relevant to investment in digital assets, at a minimum addressing risk relating to liquidity, credit, market, custody, operational, exchange risk, money laundering, legal, reputational and cyber-risk;
• appropriate stress testing on the proposed investment in digital assets, reflecting the asset price volatility of digital assets, including the potential entire loss of value in the investment;
• an effective liquidity management policy is in place, which includes a sufficient suite of tools to enable the AIF manager to manage liquidity events arising in the QIAIF;
• the prospectus of the QIAIF must contain clear disclosure in relation to the nature of the proposed investment in digital assets and a clear articulation of the risks associated with that investment; and
• the QIAIF should assess the overall construction of its portfolio to ensure that there is alignment between the redemption profile, the level of investment in digital assets and the likelihood of illiquidity (in both normal and stressed conditions) in the types of digital assets invested in.

Direct exposure by QIAIFs to digital assets continues to be prohibited by the Central Bank, pending satisfactory demonstration that the depositary safekeeping obligations can be complied with in accordance with the Alternative Investment Fund Managers Directive (Directive 2011/61/EU). The Central Bank provides for a pre-submission approval process in the event a QIAIF proposes to invest indirectly in digital assets in excess of the thresholds outlined above or to seek to make any direct investment in digital assets.

In June 2025, ESMA’s technical advice to the European Commission on the review of the UCITS Eligible Assets Directive (2007/16/EC) highlighted that crypto-assets are not included in the list of eligible assets in the UCITS Directive and, therefore, legislative amendment to the UCITS Directive would be required to accommodate alternative asset classes. ESMA is of the view that any such expansion of the list of directly eligible asset classes would need to be carefully assessed in a separate workstream in the future and that any large-scale investments in alternative assets such as crypto with their idiosyncratic risks would be better done under the AIFMD framework. Under ESMA’s proposals, any indirect exposure of a UCITS to ineligible assets such as crypto would be capped at an aggregate of 10% of its assets, provided all relevant requirements are met.

The legal treatment of any cryptocurrency or other blockchain asset will be determined by whether that particular asset’s features come within the scope of existing legislative and regulatory regimes. Typically, a pure cryptocurrency will not be considered a financial instrument under MiFID II but would be considered a crypto-asset within the scope of MiCAR.

MiCAR will not apply to crypto-assets that are unique and not fungible with other crypto-assets. The recitals to MiCAR state that the fractional parts of a unique and non-fungible crypto-asset should not be considered unique and non-fungible, and that the issuance of crypto-assets as NFTs in a large series should be considered as an indicator of their fungibility. Therefore, categorisation will depend on the individual characteristics of an NFT.

A case-by-case analysis is also required to understand if an NFT would be considered a financial instrument under MiFID.       

Under MiCAR, a person cannot make an offer to the public or seek admission to trading of an ART or EMT unless that person is the issuer and:

• in the case of an ART, that issuer is established in the EU and authorised under MiCAR, or alternatively is authorised as a credit institution, unless an exemption applies; or
• in the case of an EMT, the issuer is authorised as a credit institution or an e-money institution, unless an exemption applies.

There are a number of obligations an issuer must comply with, including conduct, prudential and disclosure requirements, such as publishing a white paper containing information on the relevant ART/EMT, as well as redemption requirements. ART issuers must maintain a reserve of assets to ensure risks associated to the asset referenced are covered and any liquidity risks are addressed. Furthermore, stabilisation mechanisms and custody procedures must be accounted for and described in policies. EMT issuers must ensure that funds received in exchange for EMTs are invested and safeguarded in accordance with MiCAR. Additional obligations are imposed on issuers of significant ARTs/EMTs, as classified in MiCAR.

PSD2 introduced two new regulated payment services which, in summary, allow customers to use third parties to obtain payment initiation services, and enable third parties to access payment data to provide account information services. This facilitates open banking. Application programming interfaces are to be used for third-party access to online payment accounts.

As part of the review of PSD2, the Commission carried out a targeted consultation on the open finance framework and data sharing in the financial sector. PSD3 will seek to improve the functioning of open banking through the removal of the remaining obstacles to the provision of open banking services, by improving customers’ control over their payment data and by enabling new innovative services to enter the market.

PSD2 imposes certain conditions on access to and use of data by firms providing a payment initiation service or account information service. This includes a requirement for customer consent and other requirements in relation to security and the use of data.

In addition, the GDPR requires customers to be made fully aware – in a clear, concise and transparent fashion – of how their personal data will be used and by whom. It also provides for the rights to withdraw consent, to access data and for information to be erased. In sharing data with third parties such as account information service providers, banks will need to be aware of the potential for fraud or other risks.

Fintech firms are at the forefront of fraud-related incidents, with the most common examples being credit card fraud, identity fraud and scam-related activity. Many firms have reported concerns relating to:

• transactions and access or ownership of virtual asset wallets;
• prominent use of fake identification documents or stolen KYC data; and
• the involvement of shell companies and bank accounts opened by a third party.

Given the increasing prevalence of fraud in the fintech space, it has been paramount to address fraud through regulation. PSD2 actively addressed account takeover fraud via Strong Customer Authentication (SCA), but steps are now being taken to update PSD2 to help stem the tide of the emerging types of fraud.

The Central Bank noted in its Regulatory Supervisory Outlook Report 2025 that, while digitally enhanced business models are providing many benefits for consumers and enhancing ease and speed of access to financial services, they are also leading to an increase in the risk of fraud and financial crime. The Central Bank sees fake comparison websites and fraud recovery schemes increasing in frequency and becoming more sophisticated. The Central Bank has noted a rise in AI being used to create realistic social media ads and profiles impersonating public or business figures (deepfakes).

Under the MiFID Regulations, investment firms that safeguard client financial instruments and funds must introduce adequate organisational arrangements to minimise the risk of the loss or diminution of client assets, or of rights in connection with those assets, as a result of misuse of the assets, fraud, poor administration, inadequate record-keeping or negligence.

Investment firms are required to participate in investor compensation schemes. Such schemes compensate investors, for instance, if an investment firm goes bankrupt and is unable to return financial instruments belonging to an investor.

PSD2 provides that, in the case of an unauthorised payment transaction, the payment service provider should immediately refund the amount of that transaction to the payer. However, in certain circumstances, the payment service provider should be able to conduct an investigation, within a reasonable time, before refunding the payer.

MiCAR provides that CASPs providing custody and administration of crypto-assets on behalf of clients shall be liable to their clients for the loss of any crypto-assets or of the means of access to the crypto-assets as a result of an incident that is attributable to them. The liability of the CASP shall be capped at the market value of the crypto-asset that was lost, at the time the loss occurred. In contrast to the rules under the MiFID Regulations for investment services, crypto-assets will not be covered by an investor compensation scheme.

Regulated financial service providers may also be subject to fines and compensation requests for contraventions of financial services legislation as part of the administrative sanction procedure or pursuant to a private right of action for damages by customers who suffered loss or damage as a result of such contraventions.