ESAs publish study on feasibility of further centralisation of major ICT-related incident reporting by financial entities

Source: European Banking Authority

The three European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) published today a report on the feasibility of further centralisation in the reporting of major ICT-related incidents by financial entities according to Article 21 of the Digital Operational Resilience Act (DORA).

In line with the DORA mandate, the ESAs’ joint report explores the potential for further centralisation regarding financial entities’ reporting of major ICT-related incidents to competent authorities.

The report assesses the feasibility of three different models: the baseline model, a model with enhanced data sharing arrangements and a fully centralised model. It considers the potential burden and cost reductions, as well as the efficiency and effectiveness gains that each model would bring for cross-sector supervisory practices.

Next steps

The joint report has been submitted to the European Parliament, the European Council and the European Commission, which will consider its findings for potential future developments in relation to the further centralisation of major ICT-related incident reporting in the financial sector.

Background

The report, prepared jointly by the ESAs in accordance with Article 21 of DORA, is based on input received from Competent Authorities and the ESAs’ Stakeholders Groups. The ESAs also drew on the expertise of a renowned IT strategy firm and consulted the ECB and ENISA while drafting the report.

The EBA repeals the Guidelines on major incident reporting under the revised Payment Services Directive

Source: European Banking Authority

The European Banking Authority (EBA) today repealed its Guidelines on major incident reporting under the Payment Services Directive (PSD2) due to the application of harmonised incident reporting under the Digital Operational Resilience Act (DORA) from 17 January 2025. The repeal of the Guidelines aims at simplifying the reporting of major incidents by payment service providers (PSPs) and providing legal certainty to the market.

DORA, which will start applying from 17 January 2025, introduces harmonised incident reporting requirements that apply to financial entities across the banking, securities/markets, insurance and pensions sectors. This includes most PSPs, namely credit institutions, payment institutions, e-money institutions and account information service providers. DORA also disapplies the incident reporting requirements under PSD2 for those PSPs.

In that regard, to ensure legal clarity and certainty for the payment service providers covered by DORA, and to simplify the overall reporting of major incidents by PSPs, the EBA has decided to repeal its Guidelines on major incident reporting under PSD2.

It is important to note that incident reporting requirements under PSD2 still apply for other types of PSPs (e.g. post-office giro institutions and credit unions) that are not covered by DORA. However, the EBA has decided to repeal the Guidelines in their entirety because:

  • the number of such institutions is very low with no sizable market share at EU level;
  • these PSPs operate in less than half of the EU Member States and provide services at national level only;
  • the number and significance of incident reports received from these PSPs at EU-level is negligible.

Finally, the EBA notes that those PSPs that are still subject to incident reporting requirements under the PSD2 can be subject to national incident reporting requirements, regardless of the existence of the EBA Guidelines. Competent authorities willing to retain the incident reporting approach included in the EBA Guidelines for those PSPs can continue to do so under their national legal framework or supervisory measures. 

EBA publishes its Peer Review on the application of proportionality under the Supervisory Review and Evaluation Process

Source: European Banking Authority

The European Banking Authority (EBA) today published its Peer Review on the application of proportionality under the Supervisory Review and Evaluation Process (SREP). The Peer Review found that proportionality in the SREP, and in the liquidity assessment under the SREP, is largely implemented by the competent authorities under review, though with some adaptations to the local context and the risk profile of the institutions under their supervisory remit. However, the EBA set out a series of follow-up measures to address the deficiencies identified. In particular, the EBA encourages all competent authorities to ensure that they make use of the proportionality mechanisms embedded in the SREP Guidelines. The EBA will also consider the outcome of this Peer Review in the context of the upcoming review of the SREP Guidelines.

The Peer Review was conducted on six competent authorities selected to be broadly representative of the range of prudential supervisors across the EU. Despite the overall positive results of the Peer Review on the application of proportionality in the SREP and in the liquidity risk assessment under the SREP, the deficiencies identified concerned consistency of implementation of the SREP Guidelines, sources used for SREP categorisation and implementation of the minimum supervisory engagement model. While these do not lead to material risks being unaddressed, they undermine the aim of the SREP Guidelines of having a more consistent approach across the EU.

To address these deficiencies, the EBA identified a number of follow-up measures addressed to all competent authorities across the European Economic Area (EEA). These include incorporating the classification of ‘large’ and ‘small and non-complex’ institutions under the Capital Requirements Regulation (CRR) into the categorisation of institutions for SREP purposes, and aligning with the minimum supervisory engagement model and in the area of liquidity stress testing.

In addition, the Report sets out a number of best practices observed such as the use of benchmarking tools, ‘pilot inspections’ where several institutions use the same service provider, and spot checks on the quality, accuracy and reliability of information provided by institutions in self-assessment questionnaires.

The EBA strongly encourages the use of provisions included in the SREP Guidelines for the application of proportionality in the SREP. The Peer Review exercise found that some of these were not being used in practice or not to their full extent. Examples include provisions allowing supervisors to:

  • adapt the focus and granularity of the SREP assessments according to the risk profile of the institution regardless of its categorisation;

  • use tailored methodologies for institutions with similar risk profiles; and,

Legal basis and next steps

The EBA will conduct a follow-up peer review of the implementation of the measures included in the Report in two years.

The EBA will consider the outcome of this Peer Review in the context of the upcoming review of the SREP Guidelines. In particular, the EBA will consider providing more clarity on how the focus and granularity of the SREP assessment could be adapted to the risk profile of the institution and on the scope and level of assessments to be performed under the minimum supervisory engagement model.

The EBA and ESMA analyse recent developments in crypto-assets

Source: European Banking Authority

The European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA) today published a Joint Report on recent developments in crypto-assets, analysing decentralised finance (DeFi) and crypto lending, borrowing and staking. This publication is the EBA and ESMA’s contribution to the European Commission’s report to the European Parliament and Council under Article 142 of the Markets in Crypto-Assets Regulation (MiCAR).

EBA and ESMA find that DeFi remains a niche phenomenon, with value locked in DeFi protocols representing 4% of all crypto-asset market value at the global level. The report also sets out that EU adoption of DeFi, while above the global average, is lower than other developed economies (e.g. the US, South Korea).

The EBA and ESMA observe that the number of DeFi hacks and the value of stolen crypto-assets have generally evolved in correlation with the DeFi market size. Since flows on decentralised exchanges represent 10% of spot crypto trading volumes globally, DeFi protocols present significant risks of money laundering and terrorist financing (ML/TF).

The EBA and ESMA find that the implications of maximal extractable value (MEV) are widespread in DeFi markets and that the negative externalities of MEV would require technical solutions.

On the lending, borrowing and staking of crypto-assets, the report contains an analysis of the main types and typical features of the business models observed in the market, in both centralised and decentralised forms. These services are offered by a number of crypto-asset service providers (CASPs) in EU jurisdictions which in some cases also offer regulated crypto-asset services.

Based on the existing (limited) evidence, there appears to be limited engagement of EU consumers and financial institutions with crypto lending, borrowing and staking services. The report sets out and assesses the specific risks associated with each of them, such as excessive leverage, information asymmetries, exposure to ML/TF risks, and systemic risks arising from re-hypothecation and collateral chains, procyclicality and interconnectedness. In particular, some users may receive insufficient information on the terms and conditions of these services in areas such as fees, interest rates paid or yields, changes to collateral requirements, among other relevant disclosures. However, the EBA and ESMA have not identified current risks from a financial stability perspective. 

Background and next steps

Article 142 of MiCAR mandates the European Commission (EC) to submit, after consulting the EBA and ESMA, a report to the European Parliament and Council on recent developments in crypto-assets. On the basis of that provision, the EC is mandated to assess, among others, a) the development of DeFi in crypto-asset markets and the appropriate regulatory treatment of decentralised crypto-asset systems without an issuer or CASPs, including an assessment of the need for and feasibility of regulating DeFi; and b) the feasibility and necessity of regulating the lending and borrowing of crypto-assets. In a letter dated 9 February 2024, the EC requested that EBA and ESMA provide a contribution focusing on certain elements related to DeFi and the lending and borrowing of crypto-assets, including staking.

The EBA and ESMA will continue to assess market developments as part of their ongoing mandate to monitor innovative activities in the EU banking, payments and securities sectors.

The EBA consults on Guidelines on ESG scenario analysis

Source: European Banking Authority

The European Banking Authority (EBA) today launched a public consultation on its draft Guidelines on Environmental, Social and Governance (ESG) scenario analysis. The draft Guidelines set out expectations for institutions when adopting forward-looking approaches and incorporating the use of scenario analysis as part of their management framework to test institutions’ financial and business model resilience to the negative impacts of ESG factors. They complement the EBA Guidelines on the management of ESG risks, published on 9 January this year. The consultation runs until 16 April 2025.

Climate change, environmental degradation, social issues and other environmental, social and governance factors are posing considerable challenges for the economy that impact the financial sector. The risk profile and business model of institutions may be affected by ESG risks, in particular environmental risks through transition and physical risk drivers.

To ensure the safety and soundness of institutions in the short, medium and long term, the Guidelines set out expectations for developing a framework and using scenarios to support thinking and decision-making in a changing economic and physical environment. As part of this, the Guidelines set out principles for testing the financial resilience, capital and liquidity, of an institution to ESG-related shocks, starting with climate, and the resilience of its business model to different plausible scenarios, including the achievement of climate neutrality in the EU by 2050.

Consultation process

Comments to the consultation paper can be sent by clicking on the “send your comments” button on the EBA’s consultation page. The deadline for the submission of comments is 16 April 2025. The EBA will consider the feedback received to this consultation when finalising the Guidelines.

All contributions received will be published following the end of the consultation, unless requested otherwise.

The EBA will hold a virtual public hearing on the consultation paper on 17 March 2025 from 14:30 to 16:00 CET. The EBA invites interested stakeholders to register using this link by 13 March 2025 at 16:00. The dial-in details will be communicated to those who have registered for the meeting.

Legal basis and background

The draft Guidelines were developed in line with the EBA Roadmap on Sustainable Finance and as part of the EBA’s planned actions for the implementation of the EU banking package. Together with the Guidelines on the management of ESG risks, they deliver on the mandate laid down in Article 87(a)5 of the Capital Requirements Directive (CRD6) (Directive 2013/36/EU).

Klever: export controls on advanced semiconductor manufacturing equipment to be tightened

Source: Government of the Netherlands

On 1 April 2025 the Netherlands will modify its national export control measure for advanced semiconductor manufacturing equipment. As of that date more types of technology will be subject to a national authorisation requirement.

The new policy will apply, for example, to specific measuring and inspection equipment that can be used in the production of advanced semiconductors. This announcement was made by Minister for Foreign Trade and Development Reinette Klever in the Government Gazette on Wednesday. The expansion of the export control measure covers only a very limited number of technologies and goods.

As the minister has stated: “We believe it is important to maintain control over who gains possession of what technology. The government closely monitors semiconductor manufacturing technology. Technological developments may make it necessary to modify the rules. We are observing increased security risks associated with the uncontrolled export of this specific equipment. For this reason an export authorisation will henceforth be required.”

This new authorisation requirement is the second time the national export control measure has been amended since it was introduced on 1 September 2023.

Security risks

Until now the national measure covered a number of very specific technologies in the production cycle of semiconductors, such as lithography equipment. A limited set of technologies for other steps in the manufacturing process is now also subject to an authorisation requirement. The security risks associated with the uncontrolled export of these technologies have increased. These technologies can be combined with technologies from other countries to produce advanced semiconductors. Such advanced semiconductors can then in turn play a key role in advanced military applications.

Authorisations

Under the national authorisation requirement, the export of these technologies will now also require an export authorisation. The government will decide on a case-by-case basis whether to grant an authorisation. The national measure applies to exports from the Netherlands to all destinations outside the EU. It does not constitute an export ban.

“The semiconductor industry is international. The Netherlands plays a unique role in this sector. It is important that we do not disrupt the chip industry unnecessarily. In expanding the export control measure, we have therefore set to work with the utmost care,” said Minister Klever.

Certain textual changes, some of a technical legal nature, have been made to the ministerial order as well. This was done in part to clarify the existing measure for the benefit of implementing agencies and the industry.

Government explores options to avoid undermining right to demonstrate

Source: Government of the Netherlands

The constitutional freedom to demonstrate is a fundamental right and an important part of our democratic society. Ministers van Weel (Justice and Security) and Uitermark (Interior and Kingdom Relations) stress the importance of this freedom, which is widely supported in the Netherlands, in a letter sent to the House of Representatives today. Demonstrations are allowed to ruffle a few feathers, but the understanding stops when a line is crossed. How do we guarantee the right to demonstrate for everyone when a small group misbehaves? It is this dilemma that the ministers want to expose.

Study

To be able to actually take faster, more effective and targeted action against deliberately disruptive actions that involve violations of the law, and thus also maintain public support for demonstrations, the government wants to distinguish more sharply between peaceful protests and actions that disrupt public order. The study being conducted via the Scientific Research and Documentation Centre (WODC) announced earlier is expected to help make a sharper distinction. The results of this study are expected in summer 2025.

Exploratory survey on ban on face-covering clothing

Also, in parallel to this survey, the government will already take steps to address issues surrounding demonstrations. For instance, during the first quarter of 2025, a legal ban on face-covering clothing at demonstrations will be explored. Indeed, there have been a number of demonstrations where rioters wearing face-covering clothes have broken the law, for example by destroying property or committing violence. Face-covering clothing can make it more difficult to track down these rioters afterwards.

Pressure on capacity of police and Public Prosecution Service

The total number of demonstrations in the Netherlands more than tripled between 2015 and 2022. Police deployment at demonstrations has also increased by 84% since 2017. The chief of police has indicated urgently that this deployment is putting heavy pressure on the police organisation. The Public Prosecution Service, too, is making ever sharper choices to ease the criminal justice chain. One is that, in principle, the Public Prosecution Service does not institute criminal proceedings for a violation of the Public Assemblies Act, partly because practice shows that judges usually impose low or no sentences for the relatively minor offences committed in relation to a peaceful demonstration.

Crimes such as vandalism, threats, (group) defamation, discrimination or arson are, in principle, criminally prosecuted. Multiple consecutive offences can also be prosecuted. This is possible only if detained protesters are registered. This is now done to a limited extent because protesters sometimes do not carry ID and registration takes a lot of police capacity. The government will discuss with police and the Public Prosecution Service whether additional actions are needed to prosecute criminal behaviour more than at present.

Online calls

Public order disturbances incited online are a relatively new problem. These are physical disturbances or threatened disturbances which start online or are amplified online. Think of the online calls for people to rise up during the corona-era curfew riots and an out-of-control giveaway at a shopping centre, as well as calls for people to block motorways.

Preventing the posting of utterances online affects the constitutional freedom of expression (the prohibition of censorship). Reactive action because of the content of an utterance is possible, however; take, for example, prosecution for incitement. In addition, the aim is to have such utterances taken offline as soon as possible and to punish the persons posting them more often and faster.

The minister for Justice and Security is therefore preparing a legislative proposal to improve the information position of police around public order enforcement. In the first half of this year, a legislative proposal will be submitted for consultation regulating the power to systematically collect information in publicly accessible online sources. At the same time, hard work is under way on the possibility of giving the police access to private app and chat groups as part of public order enforcement, as requested by MP Yeşilgöz-Zegerius in her motion.

Staying engaged

In addition, the Ministries of Interior and Kingdom Relations and Justice and Security continue to engage with various stakeholders such as municipalities, police, civil society organisations and protester advocacy groups. This dialogue is essential to strike the balance between protecting the right to demonstrate and tackling the small group that misbehaves. By working with all stakeholders, the government aims to achieve a broadly supported approach that both allows for peaceful demonstrations and contributes to a safe and orderly society.

The Netherlands to host conference on sanctions compliance and enforcement

Source: Government of the Netherlands

The Netherlands wants sanctions to be more practicable and effective, by ensuring better compliance and enforcement at both national and European level. By hosting a special conference for national and international stakeholders, Minister of Foreign Affairs Caspar Veldkamp wants to work towards enhanced compliance and enforcement, and a level playing field at EU and international level.

Conference on sanctions compliance and enforcement

On 15 January 2025 the Ministry of Foreign Affairs is hosting a conference on sanctions compliance and enforcement. This event will bring together policymakers, legal experts, financial institutions and representatives of the business sector to discuss how sanctions can be complied with and enforced effectively at national, European and international level.

Sanctions are an important instrument for holding countries, organisations and individuals responsible for their actions. For instance, the sanctions imposed on Russia are intended to make it as difficult as possible for the country to continue waging war against Ukraine, and to put pressure on Russia, or anyone else involved, to stop this aggression. However, whether the intended aims are achieved ultimately depends on effective compliance and enforcement. It is therefore important to continuously monitor whether sanctions are practicable and effective. This conference will provide a platform for exchanging information, sharing observations and learning from each other’s experiences. This in turn will help the Netherlands and other member states tackle new attempts at sanctions circumvention.

Programme

The conference will be opened by foreign minister Caspar Veldkamp, who will deliver a speech on the importance of enhanced compliance and enforcement. Other speakers include President Zelenskyy’s special adviser, Vladyslav Vlasiuk, EU sanctions envoy David O’Sullivan, Finnish foreign minister Elina Valtonen and Latvian foreign minister Baiba Braže.

Exhibition

There will also be an exhibition at the conference venue showing objects used by Russia in its war that, despite the sanctions, contain Western components. The exhibition was created by NAKO, an anti-corruption research organisation from Ukraine.

The EBA publishes its final Guidelines on the management of ESG risks

Source: European Banking Authority

The European Banking Authority (EBA) today published its final Guidelines on the management of Environmental, Social and Governance (ESG) risks. The Guidelines set out requirements for institutions for the identification, measurement, management and monitoring of ESG risks, including through plans aimed at ensuring their resilience in the short, medium and long term.

The Guidelines specify requirements regarding the internal processes and ESG risk management arrangements that institutions should have in place in accordance with the Capital Requirements Directive (CRD6). They will contribute to ensuring the safety and soundness of institutions as ESG risks intensify and the EU transitions towards a more sustainable economy.

The Guidelines specify the content of plans to be prepared by institutions with a view to monitoring and addressing the financial risks stemming from ESG factors, including those arising from the adjustment process towards the objective of achieving climate neutrality in the EU by 2050. These plans will support the preparedness of institutions for the transition and should be consistent with transition plans prepared or disclosed by institutions under other pieces of EU legislation.

The Guidelines will apply from 11 January 2026 except for small and non-complex institutions for which the Guidelines will apply at the latest from 11 January 2027.

Legal basis and background

The Guidelines are based on Article 87(a)5 of the CRD. They will be complemented by Guidelines on ESG scenario analyses. The Guidelines on the management of ESG risks have been developed in line with the EBA’s roadmap on sustainable finance and as part of the EBA actions outlined in the roadmap on the implementation of the EU banking package.

The EBA consults on draft technical standards on the prudential treatment of crypto assets exposures under the Capital Requirements Regulation

Source: European Banking Authority

The European Banking Authority (EBA) today published a Consultation Paper on its draft Regulatory Technical Standards (RTS) to specify the technical elements necessary for institutions to calculate and aggregate crypto-asset exposures in relation to the prudential treatment of such exposures. These RTS will address implementation aspects and ensure harmonisation of the capital requirements on crypto-assets exposures by institutions across the EU.

Considering the rapidly evolving crypto-market, the Capital Requirements Regulation (CRR 3) introduced a transitional prudential framework for institutions holding crypto-assets exposures. The provisions consider the legal requirements introduced in the Markets in Crypto Assets Regulation (MiCAR) and specify, amongst others, the capital treatment of exposures to electronic money tokens (‘EMTs’), asset reference tokens (‘ARTs’) that reference one or more traditional asset(s) and ‘other’ crypto-assets, including for example ARTs referencing a crypto-asset and unbacked crypto-assets, such as Bitcoin.

These draft RTS further develop the relevant capital treatment for credit risk, counterparty credit risk (‘CCR’), market risk (‘MR’) and credit valuation adjustment risk for ‘ARTs’ and ‘other’ crypto-assets exposures and align, to the extent possible, the capital treatment with the elements specified in the Basel standard on prudential treatment of crypto-asset exposures.

These draft RTS also include all the relevant technical elements on the use of netting, aggregating of long and short positions, criteria to allow hedge recognition for other crypto-assets, and the underlying formulas relevant for calculating the exposure value of crypto-assets for the CCR and MR treatment.

In addition, these draft RTS propose that all fair valued crypto assets within the scope of MiCAR under the applicable accounting framework shall be subject to the requirements for prudent valuation under the CRR 3. 

Transitional provisions in the CRR 3 together with the rules set out in these draft RTS enable institutions to adequately capitalise their crypto-asset exposures until a permanent prudential treatment comes into force.

Consultation process

Comments to the consultation paper can be sent by clicking on the “send your comments” button on the EBA’s consultation page. The deadline for the submission of comments is 8 April 2025.

The EBA will hold a virtual public hearing on 4 March 2025 from 10:00 to 12:00 CET. The EBA invites interested stakeholders to register using this link by 28 February 2025 at 16:00 CET. The dial-in details will be communicated to those who have registered for the meeting.

All contributions received will be published following the end of the consultation, unless requested otherwise.

Legal basis

Regulation (EU) 2024/1623 amending Regulation (EU) No 575/2013 (CRR 3) introduces in Article 501d of CRR 3 a transitional prudential treatment for crypto-assets.

The EBA has developed these draft RTS in accordance with Article 501d(5) of CRR 3, which mandates the EBA to specify the technical elements necessary for institutions to calculate their own funds requirements in accordance with the approaches set out in paragraph 2, points (b) and (c), including how to calculate the value of the exposures and how to aggregate short and long exposures for the purposes of paragraphs 2 and 3.

According to the mandate, the EBA shall take into consideration the relevant internationally agreed prudential standards as well as existing authorisations in the Union under Regulation (EU) 2023/1114 (MiCAR).

Background

The development of crypto-assets markets and activities has been marked by significant market innovation and advancements. Institutions have shown increasing interest in getting involved in crypto-assets activities. This interest is driven by the potential for new revenue streams and the need to stay competitive in a rapidly evolving financial landscape. Institutions are exploring various roles, including acting as custodians of crypto-assets, issuing crypto-assets, and providing related services such as trading and lending on behalf of their clients. However, this involvement also comes with challenges, including regulatory compliance, risk management, and the need for a robust technological infrastructure.