The free ride is over: The EU fintech single rulebook arrives
Six key regulations now form a single supervision system across Europe. The phase of adding more laws is therefore over. Now, the only thing that matters is enforcement. MiCA, DORA, the AI Act, PSD3, FIDA, and the new AML package impose rules that no one can ignore. For the fintech sector, worth $378 billion and growing at 21% a year, this is the biggest test in its history. In fact, no other digital industry has ever faced such comprehensive control.
Key findings
- MiCA — the licensing deadline for CASP entities falls on 1 July 2026. EY estimates the certification process takes eight months. Therefore, waiting any longer to apply puts a company in a zone of pure operational risk. However, gaining approval opens the door to passporting services across all 27 EU countries (Deloitte).
- DORA — compliance costs for 96% of institutions fall between €2 million and €5 million; 39% of firms dedicate 5–7 FTEs to compliance (Deloitte Wave 3 Survey). Since November 2025, 19 designated CTPs have been under direct ESA supervision (Deloitte).
- AMLA — on 1 January 2026, the Frankfurt-based authority took over AML/CFT mandates from EBA. By 2028 it will directly supervise the 40 largest financial institutions (EY).
- PSD3/PSR — political agreement reached November 2025; application Q3–Q4 2027 at the earliest. UK benchmark: £112 million in fraud refunds in nine months (Deloitte UK).
- Digital euro — pilot from mid-2027, full launch in 2029. Banking-sector investment costs: €4–5.8 billion (ECB).
- AI Act — high-risk obligations from August 2026 (possible 16-month delay per Deloitte). Fines up to 7% of global turnover. Over 70% of banks already use AI agents (EY).
- Geopolitics — the US (GENIUS Act) deregulates; the EU harmonises and aims to cut red tape by 25% (Omnibus Package). The EU strategy rests on harmonisation and competitiveness, not liberalisation (EY, Taylor Wessing).
Context: A mature sector meets mature regulations
A shift in scale
To understand the rules of 2026, we must first see the major shift in the sector itself. The BCG and QED Investors Fintech’s Next Chapter report from June 2025 shows the scale of this change. Fintech turnover grew globally by 21%, hitting $378 billion in 2024. That is three times faster than the wider financial services sector.
Just as importantly, EBITDA margins rose to 16%. Also, 69% of listed companies in the sector are now profitable. BCG points out that firms with over $500 million in annual turnover now account for about 60% of total fintech revenue. These leaders have left their infancy behind. After years of rapid growth, they are entering a stage of mature, predictable business.
The regulator’s motivation
McKinsey describes this same change in its Global Banking Annual Review 2025. However, they look at it from the view of traditional banks. Banks spend a combined $600 billion a year on technology. Yet, productivity remains low. At the same time, their profits are under threat from fintechs, private credit markets, and artificial intelligence.
This combination gives the regulator the perfect reason to close the net. Profitable, mature fintechs mixed with inefficient banks create a situation no European regulator could ignore. Consequently, lawmakers felt forced to act. Deloitte calls this environment the “Regulatory Remix” in its Financial Services Regulatory Outlook 2026. It is not a grand liberalisation. Instead, we see specific simplifications running alongside tighter rules in priority areas.
The EY global regulatory outlook sums it up in one sentence. The US deregulates for innovation. The UK puts growth over risk. But the EU focuses on simplification, harmonisation, and competitiveness. It is not rolling back regulations. The key is realising that rules in Europe are not getting softer. Rather, they are getting more consistent. This deep unification makes 2026 a critical date for the whole sector.
Pillar I. MiCA marks the end of the experiment
The architecture of regulation
The MiCA regulation (Regulation EU 2023/1114) came fully into force on 30 December 2024. This followed a two-step launch. The first phase, in June 2024, covered issuers of asset-referenced tokens (ART) and e-money tokens (EMT). Later, the second phase brought regulation for CASP services and tools to prevent market abuse, as detailed in the EY Switzerland guide. The European Banking Authority and ESMA published over a dozen packages of technical standards. These define everything from minimum capital requirements to how to hold client assets, as outlined by Deloitte EMEA.
Rules on minimum funds for crypto service providers are split into categories. They depend on the type of activity and the risk it creates. For example, a firm offering only advice needs €50,000. But exchanges need €125,000, and custodians need €150,000. This strategy is based on lessons from banking. Thus, it confirms that EU laws treat the crypto sector seriously.
June 2026 is the hard deadline
The Deloitte EMEA Regulatory Strategy analysis explains the transition period. Entities that operated under national laws before 30 December 2024 can keep going only until 1 July 2026, or until their licence application is rejected, if that happens sooner. In practice, it is messy. Individual countries could shorten this period. A company in the Netherlands has a transition of just six months. So, it faces a tighter deadline than one in Ireland. However, MiCA will remove this fragmentation for good.
As the EY report notes, getting a CASP licence takes about eight months from the moment you apply. So, if you did not apply by February 2026, you have almost no chance of getting approved before the deadline. ESMA has repeatedly warned firms against “badge washing”. This means using MiCA compliance status to market unauthorised products. As a result, ESMA can restrict services if it sees a threat to market integrity, as experts at Deloitte underline. Deloitte states clearly that the market will face a correction. Specifically, some companies will leave. But others will strengthen their position thanks to clear rules.
Global context: MiCA vs GENIUS Act
2025 brought a major geopolitical shift with the US GENIUS Act. This is the first federal regulation for stablecoins. The World Economic Forum compared both legal frameworks. Surprisingly, they found more similarities than differences. Both require 1-to-1 reserves and redemption rights at face value. Yet, the GENIUS Act is in some ways more conservative than MiCA. It bans holding reserves in long-term bonds.
The global stablecoin market hit a supply of $273 billion in December 2025. This is up 47% year-on-year, according to data from Deloitte UK. But the change in quality matters more than the numbers. Stablecoins have evolved from gambling chips into a modern payment standard. Currently, B2B transactions make up 66% of the volume. Consequently, entering the e-money token ecosystem under MiCA is unavoidable.
Pillar II. DORA means moving from paper to oversight
The new framework
DORA became effective on 17 January 2025. It covers 20 types of financial institutions and tech providers. The rules rest on five main pillars. These include ICT risk management, incident reporting, and resilience testing, as described by the official DORA tracking resource.
Most importantly, a joint supervision system began operating on 18 November 2025. Three European Supervisory Authorities published the list of designated technology providers. For the first time, the EU regulator has direct power over tech giants like AWS and Google Cloud. Joint Examination Teams now supervise each of the 19 designated entities.
Also, the ECB published final guidelines on cloud outsourcing in July 2025. The document adds no new laws. But it clarifies what supervisors expect from banks. Practically, banks can no longer treat moving to the cloud as just a technical choice. They must link the process fully to risk protection procedures.
The real cost of compliance
For years, the discussion on DORA costs was just guesswork. Now, 2025 has given us the first market data. The Deloitte Wave 3 Survey reveals the scale of spending. Specifically, 96% of financial institutions have estimated their compliance costs. Most expect to spend between €2 million and €5 million.
However, only 50% reached full compliance by the end of 2025. Another 38% plan to finish in 2026. This means nearly half of all institutions enter 2026 with unfinished work. Staffing challenges are just as severe. For instance, 39% of organisations are allocating five to seven full-time roles to manage these new rules. Nearly half of respondents point to the Register of Information as the hardest part.
Fines for DORA breaches reach 2% of global annual turnover for financial entities. On their own, these seem moderate compared to GDPR. But this “comfort” is misleading. DORA sanctions stack on top of penalties from MiCA and the AI Act. Thus, they create a massive threat to finances. The EY and IIF Global Bank Risk Management Survey 2025 sheds light on the context. 75% of global risk officers view cybersecurity as their top threat.
Impact on outsourcing
For fintechs that rely on external cloud providers, DORA changes the calculation completely. Deloitte states bluntly that building infrastructure in-house is becoming a regulatory duty. Institutional clients will choose partners who can guarantee databases across multiple regions. As a result, the pressure goes beyond the law itself. It creates new commercial expectations from financial institutions.
Pillar III. AMLA becomes the main watchdog
Institutional change
Analysts often miss this part of the 2026 landscape. Yet, it is a cornerstone of the new system. On 1 January 2026, responsibility for all EU AML/CFT tasks transferred to the new European Anti-Money Laundering Authority (AMLA) in Frankfurt — as confirmed by the EBA. This is more than an administrative shuffle. Now, we have the EU’s first central body for direct AML/CFT supervision.
AMLA operates on a legislative package adopted in 2024. As the EBA stated on 1 January 2026, AMLA now develops and enforces common EU rules. Also, it directly supervises selected high-risk financial institutions. The EBA keeps a role in prudential matters. But the core AML mandate has moved to Frankfurt.
Schedule and crypto implications
AMLA will be fully operational by 2028. By then, it will directly supervise the 40 largest financial institutions that operate across borders. This group includes entities most exposed to money laundering risks. Other institutions will be supervised indirectly through national bodies, as explained by the European Commission.
Experts at EY clarify the double value of this agency. First, it creates a consistent system to fight financial crime. Second, Frankfurt gains a chance to build a regulatory technology hub. Crucially, AMLA is expected to standardise control standards. This will eliminate the practice of companies choosing countries with the weakest oversight.
Regarding crypto, updated rules on money transfers force every firm to collect full data on the sender and receiver. AMLA will coordinate this across all EU countries. Therefore, the days of exploiting poor communication between national offices are over, as the European Commission underscores. Combined with MiCA licensing, this creates a double barrier.
Pillar IV. PSD3 and PSR introduce new payment rules
Current status
After nearly three years of work, the legislation is nearing the finish line. A political agreement was reached on 27 November 2025, as reported by Taylor Wessing. We expect the final texts in the first half of 2026. However, an eighteen-month transition period applies. So, the new rules will not start before late 2027.
Challenges for business
The first conflict point is fraud liability. PSD3 introduces a duty to refund victims of impersonation scams. Consequently, the financial burden is very real. Deloitte points to UK data. There, firms paid out £112 million in refunds in just nine months after similar rules started.
The PSR regulation goes even further. It extends liability to online platforms. If a platform fails to remove harmful content, it shares responsibility for the losses. For e-commerce sites, this introduces a new financial risk.
The next problem affects non-bank payment institutions. Deloitte indicates that conditions for these entities are worsening. Raising outside capital remains hard. Also, income from interest will drop as rates fall. Worryingly, data from EY highlights that 65% of European banks cannot yet define how the rules will impact revenue.
The third issue is the new face of Open Banking. The PSR will stop banks from blocking access to data. This change ends the era where banks could profit from exclusive control over customer data. According to EY, the FIDA reform will drive the highest costs because it forces a rebuild of systems.
Pillar V. The Digital Euro is a real plan
Project status
On 29 October 2025, the ECB Governing Council decided to move to the next phase of the digital euro project, according to the official ECB statement. The Eurosystem is now focusing on three tracks. These are technical readiness, market cooperation, and legislative support. The ECB assumes the first issuance could happen in 2029. But this depends on EU lawmakers adopting the regulations in 2026.
Hard data on costs
The ECB has published detailed investment estimates. Costs for the banking sector will range from €4 billion to €5.8 billion. The ECB views these amounts as comparable to earlier forecasts. Crucially, a separate ECB analysis confirmed the solution is secure. Using the digital euro for daily payments maintains financial stability.
Strategic impact
The digital euro creates uneven risks. To encourage growth, the ECB is inviting fintech firms to help distribute the new currency. Nearly 70 entities took part in work on the platform. Only licensed institutions in the EU will have the right to offer the digital euro. This rule builds a barrier against big tech giants. But it opens a door for regulated fintechs.
On the risk side, the digital euro might dominate daily transactions. If so, it could reduce profits from payment margins. The ECB explicitly states the project aims to reduce reliance on non-European card schemes. For solution architects, this is a chance to build new payment infrastructure.
Pillar VI. The AI Act sets new rules for algorithms
Execution schedule
The EU AI Act entered into force on 1 August 2024. The ban on dangerous systems has applied since February 2025. Next, requirements for high-risk systems kick in on 2 August 2026, as detailed by Deloitte.
However, the Deloitte Financial Services Regulatory Outlook 2026 suggests a significant shift. The implementation for high-risk systems might be delayed by up to sixteen months. This is due to unfinished technical standards. While this pause gives firms time, the lack of guidelines is no excuse to delay. Standards will apply retroactively.
Specifics of the financial sector
In finance, “high-risk” covers algorithms used for credit scoring and risk management. Requirements include data quality, human oversight, and transparency. Also, the potential sanctions are worrying. Breaking bans carries a penalty of up to €35 million. Failing obligations for high-risk systems can cost up to €15 million, as outlined by Deloitte.
For global firms, the AI Act is likely the most expensive regulation. The EY Global Financial Services Regulatory Outlook 2026 describes AI adoption. Over 70% of banks use AI agents to some degree. So, finance leads in AI adoption. The paradox is that the biggest enthusiasts of this technology will be hit hardest by the rules.
Overlap with other regulations
In November 2025, the European Parliament called on supervisors to remove inconsistencies, as reported by Taylor Wessing. These connections are multi-layered. For example, an AI system used for credit scoring falls under the AI Act, DORA, and PSD3 all at once. Currently, ambiguities stem directly from the lack of coherence between these legal frameworks.
Pillar VII. FIDA sets data standards for the decade
Logic and scope
FIDA builds on PSD2 foundations. But it expands that logic. The regulation covers data from deposits, investments, pensions, and insurance. Experts at EY consider FIDA the most impactful reform in the package. The reason lies in the technology. Implementing these rules requires a fundamental rebuild of data management systems. Also, FIDA creates a new category of regulated entities.
A key exclusion in FIDA makes it unique. Digital platforms designated as “gatekeepers” cannot act as these service providers. This is the first EU regulation to limit big tech giants from entering retail finance in this way.
Timeline
The finalisation of FIDA is expected in the first half of 2026, as noted by Taylor Wessing. A transition period of 18 to 24 months follows. So, the new rules will apply in 2027–2028. However, 2026 is the time for firms to clean up their data infrastructure. The scale of changes resembles the shift to Open Banking. But FIDA covers a much wider range.
Analysis of connections
A major weakness in industry analysis is treating each regulation as a separate island. In reality, regulations interact. The friction points between them create the biggest risks.
First, the relation between DORA and the AI Act requires systems to meet both sets of rules. The lack of consistency was flagged by the European Parliament, as Taylor Wessing reports.
Second, at the intersection of MiCA and AMLA, crypto providers face double duties. Fund transfer rules extend ID requirements to all transactions. And AMLA will enforce this — based on communications from EBA and analyses by EY.
Third, the link between PSD3 and FIDA shows a conflict. The PSR regulation creates open banking for payments. FIDA extends this to the entire portfolio. But the two regulations rely on different technical standards. A firm building solutions for PSD3 will have to rebuild them for FIDA, warns EY. This creates a risk of paying for technology twice.
Finally, the connection between the digital euro and stablecoins is complex. The ECB states that without a central bank currency, stablecoins will fragment the system.
Geopolitics: Exploiting regulatory differences
EU vs USA
The EY global outlook identifies the most important divide in 2026. The US is deregulating to support innovation. In contrast, the EU chooses harmonisation to support competitiveness. This difference is fundamental. It affects capital flows and access to talent.
The US has moved to clear rules of conduct. For instance, the Federal Reserve allowed state banks to be active in crypto. Also, the FDIC retracted earlier reporting requirements — these shifts are detailed in the World Economic Forum comparison. Consequently, entry barriers in the US have dropped.
Meanwhile, the EU plans to cut administrative duties by 25%, as analysed by CEPS. Deloitte describes this as “surgical removal” of red tape. Changes are secondary where rules overlap. But full requirements remain untouched in priority areas.
Shopping for rules
EU countries are fighting each other for crypto firms. The choice of headquarters depends on how fast a local office issues licences. Malta, Germany, and France have different approaches. However, AMLA aims to stop this by taking over supervision of the biggest players.
Estimates: What different firms will pay
Here is a breakdown of expected costs for fintech firms in 2026–2027. Data comes from Deloitte, EY, BCG, and ECB.
Large fintech (Revenue > €500m)
For the biggest players, expenses are high. DORA implementation costs €2–5 million plus 5–7 FTEs for ongoing work (Deloitte Wave 3 Survey). Annual maintenance adds another €1–2 million. Obtaining a MiCA licence involves a one-off cost of up to €1.5 million. AI rules require €1–3 million. Changes from PSD3 mean spending up to €10 million.
Total: €8 million to €25 million in 2026–2027. With an EBITDA margin of 16%, as reported by BCG, this is a heavy cost. But large entities can bear it.
SME fintech (Revenue < €50m)
Smaller firms are in a harder position. Compliance costs are largely fixed. So, they do not scale down. The same €2–5 million for DORA applies to an entity making €20 million a year. In this scenario, DORA compliance consumes up to 25% of turnover. Deloitte warns that smaller players will have to choose. They must merge or drop their model. Basically, the 2026 rules act as a mechanism for natural selection.
Talent and operations
One of the most overlooked aspects is the shortage of staff. The demands of DORA, MiCA, and AI create a need for specialists. But the market cannot meet this need.
The BCG 2025 report shows the trend. Leading banks are transforming control departments into engines of resilience. Therefore, combining regulatory knowledge with AI skills is essential. The EY and IIF 2025 survey shows that cybersecurity is the top priority for 75% of risk directors.
To build this readiness, firms must hire experts. However, salaries for oversight roles rose by 40% in 2024–2025. This creates an imbalance. Large institutions pay these costs easily. But smaller firms struggle.
Automating supervision is a partial solution. PwC Strategy& points to rapid growth in this market. Firms that build control mechanisms directly into their products will gain an advantage. For big players, this means better margins. For small ones, it is a condition of survival.
Simplification plans
A significant element of 2026 is the European Commission’s work to simplify rules. In December 2025, the Council of the EU adopted guidelines to cut red tape, reports Taylor Wessing. At the same time, the ECB published recommendations on simplifying reporting.
The February 2025 package promises to cut bureaucracy by 25%. However, CEPS analysis warns that the line between sensible simplification and mindless deletion is thin. Deloitte notes that this easing is a key EU goal. But do not expect a revolution. These are precise cuts, not a system change.
Conclusion
All these changes lead to one conclusion. In 2026, fintech rules in Europe turn into a cohesive system. This is the first time such a huge digital market has a single legal framework.
Each element plays a role. MiCA is the product licence. DORA is the operational licence. AMLA ensures integrity. The AI Act is the algorithmic licence. PSD3 creates infrastructure. Finally, the digital euro provides the asset.
For companies that find their place, 2026 offers a chance to gain an advantage. But for the rest, these regulations will become an impassable barrier. BCG experts are clear. Efficient regulatory management is now a main factor in valuation. For firms planning an IPO, this message should set the priorities for the next two years.
EU Regulation Schedule 2026–2029
| # | Date | Regulation | Event |
|---|---|---|---|
| 1 | 1 July 2025 | AMLA | AMLA operational – launch of main provisions of Reg (EU) 2024/1620 |
| 2 | 1 January 2026 | AMLA | Takeover of AML/CFT mandate from EBA (art. 103) |
| 3 | H1 2026 | FIDA | Expected finalisation (trilogue ongoing, risk of delay) |
| 4 | H1 2026 | PSD3/PSR | Publication of final texts in Official Journal (political deal 27 November 2025) |
| 5 | 1 July 2026 | MiCA | End of max transition period for CASP (art. 143(3) MiCA) |
| 6 | 2 August 2026 | EU AI Act | Obligations for high-risk AI systems from Annex III (standalone) |
| 7 | Late 2026 / Early 2027 | Digital Euro | Expected adoption of legislation by Council and EP |
| 8 | H2 2027 – H1 2028 | PSD3/PSR | Application after transition (18–24 months from pub.) |
| 9 | 2 August 2027 | EU AI Act | Obligations for high-risk AI from Annex I / art. 6(1) (embedded systems) |
| 10 | 2028–2030 | FIDA | Phased operation: Wave 1 (24m) → Wave 2 (36m) → Wave 3 (48m) – per KPMG Cyprus |
| 11 | H1 2028 | AMLA | Full operation and direct supervision of max 40 entities (AMLA) |
| 12 | 2029 | Digital Euro | Possible first issuance by ECB (conditional on legislation) |
Frequently Asked Questions
What is the MiCA licensing deadline for crypto companies in 2026?
The final deadline for Crypto-Asset Service Providers (CASPs) is 1 July 2026. However, the certification process takes about eight months according to EY. Therefore, companies that missed the February 2026 application window face critical operational risks. Failing to get approved means they must stop all services across the EU.
What are the estimated DORA compliance costs for financial institutions?
Most financial institutions will spend between €2 million and €5 million to comply. This data comes from the Deloitte Wave 3 Survey. On top of this, annual maintenance adds another €1 million to €2 million. For smaller fintech firms with revenue under €50 million, these costs are severe. In fact, they can consume up to 25% of total turnover.
Who supervises anti-money laundering (AML) under the new EU rules?
The European Anti-Money Laundering Authority (AMLA) in Frankfurt is the new supervisor. It took over the mandate on 1 January 2026. By 2028, AMLA will directly supervise the 40 largest cross-border financial institutions. This change harmonises standards and closes the loopholes that companies previously used to avoid strict oversight.
When is the Digital Euro launch date and pilot programme?
The European Central Bank plans to launch the digital euro in 2029. Before that, a pilot programme is scheduled to start in mid-2027. However, this timeline depends on EU lawmakers adopting the regulations in 2026. The project is designed to reduce Europe’s reliance on non-European card schemes.
How does the EU AI Act impact banks and fintech algorithms?
The Act classifies algorithms used for credit scoring and risk management as “high-risk”. Consequently, strict obligations for these systems kick in on 2 August 2026. Yet, Deloitte predicts a potential sixteen-month delay due to unfinished technical standards. Non-compliance carries massive fines of up to 7% of global turnover or €35 million.
What are the fraud refund risks under PSD3 and PSR?
The new rules require firms to refund victims of impersonation scams. This creates a major financial liability for payment institutions. For comparison, similar rules in the UK forced firms to pay out £112 million in just nine months. Additionally, the FIDA reform mandates a costly rebuild of data management systems.
Is the EU Omnibus Package reducing fintech regulations?
The Omnibus Package aims to cut administrative red tape by 25%. However, experts describe this as a “surgical removal” of duplicate rules rather than true deregulation. The core requirements in priority areas like crypto (MiCA) and operational resilience (DORA) remain strict. Thus, the EU is simplifying the process, not softening the rules.
This blog post was created by our team of experts specialising in AI Governance, Web Development, Mobile Development, Technical Consultancy, and Digital Product Design. Our goal is to provide educational value and insights without marketing intent.