The first quarter of the new year is over, and many new regulations have come into force and already been widely discussed. DORA, MiCA, CRR III, AMLD – the list of exciting abbreviations in financial market supervision is getting longer every year, and new
regulations are increasingly affecting more than just financial service providers and other companies that are already regulated. The changes affect not only new legal regulations but also the focus of supervisory practice set by the competent authorities.
This article looks at the most significant regulatory developments and their impact on the financial market. We summarise what will remain important in 2025, what is new, and what we should expect in the coming years.
EU banking package in force: New capital requirements for credit institutions
Among the most significant changes for credit institutions is the introduction of the revised Capital Requirements Regulation (CRR III), which is directly applicable and has been in force since 1 January 2025, and the Capital Requirements Directive (CRD
VI), which still needs to be transposed into national law.
These regulations implement the final elements of the Basel III standards and aim to increase the financial stability of credit institutions. In particular, the calculation methodology for capital adequacy requirements has been adjusted. The calculation
of credit risks (i.e., the required capital backing for credit risks) has been revised so that banks now have little room for manoeuvre for individual credit risk assessment. The new regulations include stricter capital requirements and extend the consideration
of environmental, social, and governance (ESG) risks in banking regulation. With the further regulation of capital requirements, financial market risks shall be countered even more effectively by better taking into account individual risks for credit institutions
and creating additional security.
Initial practical experience with the implementation of CRR III and CRD VI shows that financial institutions have had to make significant
adjustments to their capital and business management strategies.
Sustainability factors
At the EU level in particular,
supervision focuses more on sustainability. ESG risks were previously not a mandatory risk factor for banks. With the new capital requirements, banks are now forced to examine, for example, which environmental risks they may be affected by and the extent
to which provisions need to be made for them. The new regulations aim to increase the financial sector’s resilience to environmental and climate risks. This is tough for credit institutions, as typically, there is still a lack of sufficient data to create
a valid basis for ESG risk analysis.
Digital Operational Resilience Act (DORA) and supervisory focus on IT
DORA is another key element of the new EU regulation, which came into force in 2025. DORA aims to strengthen digital operational security in the financial sector. It includes IT security requirements, reporting obligations for security incidents, and requirements
for dealing with critical IT service providers. These regulations are intended to ensure that financial organisations are resilient to digital threats.
Even though institutions and financial service providers had two years to implement the requirements, there are still many gaps, and even large institutions are lagging behind in making their contracts with IT service providers DORA-compliant. Smaller IT
service providers in particular, and those that do not specialise solely in the financial sector are finding implementation difficult, and the costs associated with the high security requirements seem disproportionate.
It remains to be seen when everything will be finalised and whether there will be further guidance from the supervisory authority on individual questions of interpretation or improvements to the existing regulations. The German Federal Financial Supervisory
Authority (BaFin) has also promised to provide further training and information on DORA.
The DORA requirements are extensive. From the due diligence for the careful selection of service providers, the requirement for certifications, and the extensive risk analyses of IT structures and outsourcing, to the requirement to hold trainings for ICT
service providers, full compliance is difficult. However, this is opposed by the sole responsibility of the management of the financial institution to ensure compliance with the DORA requirements.
In its
outlook for its supervisory priorities in 2025, BaFin clearly emphasised the need to intensify the monitoring of outsourcing companies and ensure that financial companies take appropriate measures to protect themselves against cyber-attacks, which continue
to be the biggest risk factor in the financial market. Companies should consistently uncover and eliminate security gaps, with particular focus on the new security risk reporting obligations under DORA and the implementation of penetration tests to identify
vulnerabilities.
Markets in Crypto-Assets Regulation (MiCA)
Also, of note in 2025, MiCA came into full force, establishing for the first time a uniform EU-wide regulation for crypto-assets and licensing requirements for crypto-asset service providers. Individual countries already had regulation at the national level
in this area, but the decisive factor here is precisely the classification of crypto-assets and the corresponding obligations of the relevant market participants.
Now, all EU countries can and must fall back on a uniform standard, but the entire market is far from being reorganised. Both market participants and supervisory authorities are finding their way and encountering issues and ambiguities with the new regulatory
standards. How to deal with providers from other countries that currently offer crypto-assets in Germany without regulation is also becoming a matter of interest.
A lot is still in motion here, especially with regard to the valuation of individual crypto-assets in practice and the practical application of MiCA.
Anti-money laundering
The establishment of the EU Anti-Money Laundering Authority (AMLA) in Frankfurt am Main marks another important step in the prevention of money laundering in the EU. From 2026, the AMLA will assume direct supervision of around 40 high-risk institutions and
should lead to the harmonisation of national anti-money laundering regulations.
There is currently still a major imbalance here. Alongside the new authority, 2025 has already seen the first milestone in Germany with the entry into force of BaFin’s new interpretation notes on 1 February. The rapid implementation of the innovations contained
therein (e.g., with regard to updating customer data) will keep the obligated parties busy well beyond the year.
Since various requirements are already included that are congruent with the EU AML package’s anti-money laundering directive, this can also be seen as the starting signal for dealing with its implementation in principle. More of the announced level 2 and
level 3 legislation is expected to come into force this year, especially when the AMLA begins its scheduled operation in summer 2025.
EMIR 3.0
In December 2024, EU Regulation 2024/2987 (EMIR 3) – amending EU Regulation 648/2012 on the European Market Infrastructure Regulation (EMIR) – entered into force. The new rules will apply to the trading and clearing of derivatives in the EU.
EMIR 3 introduces a requirement for certain EU counterparties to open and maintain an account with a central counterparty (CCP) established in the EU and makes targeted amendments relating to the clearing thresholds and certain exemptions.
The new rules are aimed at increasing clearing at EU CCPs and reducing dependence on clearing in the UK.
Geopolitical risks and economic uncertainties
Both BaFin and the EU supervisory authorities see significant risks for the financial market amid ongoing geopolitical tensions and economic uncertainties. The instability in individual countries, including in the EU, as well as the effects of the war in
Ukraine, pose challenges that have a comprehensive impact on the EU financial market. The supervisory authorities are planning to step up their monitoring measures in these areas to ensure the stability of the financial market.
Savings and Investments Union
Beside these measures already in force or at least clearly envisaged, the EU Commission recently published its new strategy for a Savings and Investments Union.
So far, this is only a strategy, but with clear target structures and proposed measures that, if implemented, will significantly transform the EU financial market in the next few years. But at present it is still dependent on many political factors and the
goodwill of the member states.
The commission’s goal is clear: higher independence of the EU market, easier channelling of financial flows into investments, and the creation of a more attractive and easily accessible single capital market. It will be worth continuing to follow the commission’s
plans closely in this matter.
As every year in the ever-evolving financial market regulation, the changes to financial supervision in 2025 will bring significant changes in Germany and the EU. The new legal regulations and increased supervisory measures are aimed at increasing the stability
and resilience of the financial sector. Financial institutions (and, with regards to EMIR 3, non-financial institutions if they are dealing with derivatives) must adapt to these changes and adjust their strategies accordingly to meet the new requirements.