Dear colleagues,
In this issue, we look at key regulatory developments in the financial and IT sectors. These include a new BaFin circular on crypto investments, the EU Commission's cybersecurity blueprint for crisis management and ESMA's technical standards as part of the CSDR Refit. We also look at current analyses on IT security and the supervisory oversight of critical third-party providers under DORA.
Table of Contents
- News from calendar week 8
- ESMA consults on criteria for assessing knowledge and competence under MiCA
- ESAs’ joint roadmap for the designation of CTPPs under DORA
- ESMA proposes guidelines for product supplements
- IOSCO concludes thematic review on technological challenges for effective market surveillance
- US court allows lawsuit against Russian Sberbank in connection with MH17 downing
- News from calendar week 9
- BaFin publishes circular on crypto investments
- EU Commission presents new cybersecurity strategy for crisis management
- BSI publishes analysis on perspectives of Windows architectures
- ESMA publishes first technical standards as part of CSDR refit
- ESAs publish roadmap for designating critical third party providers under DORA
- Proportionality in regulation: BaFin speech and EU Commission approach
- Would you like to be up to date on a daily basis?
- Receive the most important compliance reports every week free of charge
News from calendar week 8
ESMA consults on criteria for assessing knowledge and competence under MiCA
Summary: The European Securities and Markets Authority (ESMA) has published a consultation paper proposing guidelines for the assessment of knowledge and competence under the Markets in Crypto Assets Regulation (MiCA). The aim is to establish uniform standards for professionals in the crypto-asset sector in order to strengthen investor protection and promote confidence in this growing market.
Opinion: The introduction of clear criteria for knowledge and competence under MiCA is a crucial step towards professionalizing the crypto-asset market. For compliance professionals, this means that they need to familiarize themselves with the new requirements and implement appropriate training in their organizations to ensure regulatory compliance.
Link: https://www.esma.europa.eu/press-news/esma-news/esma-consults-criteria-assessment-knowledge-and-competence-under-mica
ESAs’ joint roadmap for the designation of CTPPs under DORA
Summary: The European Supervisory Authorities (ESAs) have published a roadmap outlining the process for designating Critical Third Party Providers (CTPPs) under the Digital Operational Resilience Act (DORA). This roadmap aims to ensure that third-party providers that provide essential services to financial institutions are subject to rigorous prudential standards to ensure the operational resilience of the financial sector.
Opinion: The identification and monitoring of CTPPs is essential as financial institutions increasingly rely on third-party providers for critical services. Compliance and risk management teams should proactively evaluate relationships with their third-party providers and ensure they are compliant with upcoming DORA requirements to minimize operational risk.
Link: https://www.esma.europa.eu/press-news/esma-news/esas-provide-roadmap-towards-designation-ctpps-under-dora
ESMA proposes guidelines for product supplements
Summary: ESMA has published a consultation paper on guidelines for so-called “product supplements”, which introduce new types of securities into a base prospectus. The aim is to harmonize the supervisory practice of national competent authorities (NCAs) in this area and thus ensure greater clarity and uniformity in the European financial market.
Opinion: The proposed guidelines provide issuers and compliance professionals with clear guidelines for the preparation and submission of product supplements. A uniform supervisory practice facilitates cross-border activity and reduces uncertainties in the preparation of prospectuses. It is advisable to follow developments in this area closely and adapt internal processes accordingly.
Link: https://www.esma.europa.eu/press-news/esma-news/esma-proposes-guidelines-product-supplements
IOSCO concludes thematic review on technological challenges for effective market surveillance
Summary: The International Organization of Securities Commissions (IOSCO) has completed a thematic review on the implementation of its 2013 recommendations on technological challenges to market surveillance. The review found that most market surveillance authorities have made progress, but concerns remain about insufficient organizational and technical capabilities, particularly in light of rapid technological developments.
Opinion: For compliance professionals, this report highlights the need to continually invest in modern surveillance technology and training. This is the only way to ensure that market abuse is effectively detected and prevented. Organizations should regularly evaluate their surveillance strategies and adapt them to technological advances.
Link: https://www.iosco.org/news/pdf/IOSCONEWS758.pdf
US court allows lawsuit against Russian Sberbank in connection with MH17 downing
Summary: A US appeals court has ruled that the family of Quinn Schansman, a US citizen who died in the downing of Malaysia Airlines flight MH17 in 2014, can sue Russia’s Sberbank. The plaintiffs accuse the bank of carrying out financial transactions for the Russian-backed separatist group Donetsk People’s Republic, which is held responsible for the downing. The court ruled that Sberbank cannot invoke state immunity as the activities in question are to be classified as commercial.
Opinion: This ruling has far-reaching implications for financial institutions worldwide. It shows that banks, even state-controlled ones, cannot rely on sovereign immunity to shield them from lawsuits where the conduct at issue is commercial, and that they can be sued for processing transactions for terrorist organizations. Compliance departments should therefore closely monitor their customer and transaction due diligence processes to identify and avoid potential links to sanctioned or terrorist organizations.
Link: https://www.govinfo.gov/content/pkg/USCOURTS-ca2-22-03097/pdf/USCOURTS-ca2-22-03097-0.pdf
News from calendar week 9
BaFin publishes circular on crypto investments
Summary: On February 25, 2025, BaFin published a circular on the regulatory requirements for crypto investments. The document describes the regulatory expectations for financial institutions offering digital asset services, particularly in terms of transparency, risk management and consumer protection.
Opinion: This circular provides important guidance for companies developing or distributing crypto products. Compliance teams should review the requirements and ensure that their internal policies are in line with BaFin’s requirements to minimize regulatory risks.
Link: https://www.bafin.de/SharedDocs/Veroeffentlichungen/DE/Meldung/2025/meldung_2025_02_25_Krypto-Investments_Rundschreiben.html
EU Commission presents new cybersecurity strategy for crisis management
Summary: The European Commission has presented a new cybersecurity blueprint aimed at improving the coordination of EU institutions and member states in cyber crises. The initiative includes measures to strengthen cooperation between member states and to enable a rapid, coordinated response to large-scale cyber attacks.
Opinion: Increasing cyber threats require close cooperation between states and companies. Compliance and IT security experts should familiarize themselves with the new strategies and examine how they can be integrated into existing security concepts.
Link: https://digital-strategy.ec.europa.eu/en/news/commission-launches-new-cybersecurity-blueprint-enhance-eu-cyber-crisis-coordination
BSI publishes analysis on perspectives of Windows architectures
Summary: The German Federal Office for Information Security (BSI) has published an analysis on the future development of Windows architectures. The report evaluates security-relevant aspects of new Windows versions and provides recommendations for IT security strategies for companies and authorities.
Opinion: Advancing digitalization requires constant adaptation to new IT architectures. Companies should take the BSI’s findings into account and adapt their IT security concepts to the new challenges.
Link: https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2025/250224_Perspektiven_Windows-Architekturen.html
ESMA publishes first technical standards as part of CSDR refit
Summary: ESMA has published the first set of technical standards under the revised Central Securities Depositories Regulation (CSDR Refit). These include measures to reduce settlement fails and improve market stability.
Opinion: The new standards could have a significant impact on the market structure. Compliance professionals should ensure that their organizations integrate the new requirements into their processes to avoid sanctions.
Link: https://www.esma.europa.eu/press-news/esma-news/csdr-refit-esma-publishes-first-set-technical-standards-recalibrate-and
ESAs publish roadmap for designating critical third party providers under DORA
Summary: The European Supervisory Authorities (ESAs) have published a roadmap for the designation of Critical Third Party Providers (CTPPs) under the Digital Operational Resilience Act (DORA). The aim is to subject third-party providers with systemic relevance to stricter supervision.
Opinion: Financial institutions should check whether their IT service providers fall under this regulation in order to minimize compliance and IT security risks. The increased regulation underlines the importance of a robust IT risk management strategy.
Link: https://www.esma.europa.eu/press-news/esma-news/esas-provide-roadmap-towards-designation-ctpps-under-dora
Proportionality in regulation: BaFin speech and EU Commission approach
Summary: In a speech on 26 February 2025, BaFin emphasized the need for proportionate regulation, in which supervisory requirements are adapted to the size, complexity and risk profile of institutions. This approach is echoed in a speech by the EU Commission, which stressed that regulatory measures must be proportionate and balanced in order to promote both consumer protection and competitiveness.
Opinion: The discussion about proportionality in regulation is essential for the financial sector. A balanced approach enables companies to implement regulatory requirements efficiently without restricting their capacity to innovate. The supervisory authority's view is to be welcomed, but it falls short in terms of content: proportionality should not be limited to quantitative risk-bearing capacity. In our opinion, consideration should also be given to limiting the very high administrative burden in other areas to a proportionate level based on the type and scope of an institution's business activities.
Links:
BaFin speech: https://www.bafin.de/SharedDocs/Veroeffentlichungen/DE/Meldung/2025/meldung_2025_02_26_Reden_Proportionalitaet.html
EU Commission: https://ec.europa.eu/commission/presscorner/detail/en/speech_25_632
Would you like to be up to date on a daily basis?
Our Legal Rights Monitoring Software gives you access to all notifications and allows you to filter them by relevance, type and area. You can create and download summaries. Get in touch with us.
We wish you a successful week.
Your Riscreen team.
Receive the most important compliance reports every week free of charge
Many compliance officers already use our free service and receive the most important news from the areas of compliance, money laundering prevention, data protection and IT security. We provide a weekly overview of the most important reports and categorize them.