Financial Regulations in European Union

Country Overview

The COVID-19 pandemic ravaged the European Union, causing over 31 million infections and 700,000 deaths,¹ severe economic contractions, and a worrying increase in sophisticated cyberattacks against EU and member state institutions. Meanwhile, the pandemic spurred on digital transformation as cash use and in-person onboarding plummeted, banks and fintech were quick to partner, and the regulatory landscape strengthened. The Next Generation EU (NGEU) recovery plan, the largest stimulus package in EU history at EUR 750 billion (approximately USD $890 billion), puts digitalization front and center. Per EU values of democracy and respect for human rights, its digitalization efforts will dovetail with inclusion measures, as well as sustainability and climate transformation. This increasingly all-encompassing approach to digitalization could influence other regulatory waves across the globe, just as nations worldwide were quick to emulate the GDPR.

Digitalization also opens the EU to a rapidly evolving threat and risk landscape, with the escalation of novel means of cyberattack, fraud and money laundering. This will require a regulatory response and an even more harmonized and coordinated approach across the 27 member states, which might prove difficult as EU legislative acts are often discretionary. This allows for member states to transpose and implement them in different ways—often across regulatory frameworks already in existence, creating a convoluted and sometimes divergent application. The EU’s slow vaccine rollout points to cracks in European integration and complications in the implementation of a speedy, system-wide scheme. 

Still, the EU shows unwavering confidence in and dedication to its digitalization efforts, with the recent MiCA and AI proposals, investigation into a digital euro, a proposed framework for a European Digital Identity and the Digital Services package, amongst others. Consumer protection will continue to dominate—2020-2021 saw huge crackdowns on big tech and other organizations for GDPR violations—alongside curbs on unfettered AI technology and crypto exchange, support for R&D and economic modernization. Although some of the legislation could cause disruption and deter certain players from the fintech landscape, especially given strict non-compliance measures, the rights-based approach will encourage financial inclusion and greater demand for online banking services. 

Regulatory Bodies

The European Central Bank (ECB) is the central bank for the Eurozone, the 19 EU countries that have adopted the euro. The ECB’s main objective is to safeguard the purchasing power of the euro and maintain financial stability in Europe, though it gives occasional guidance regarding consumer data protection and privacy.

Other Financial Agencies:

The European Banking Authority (EBA) is the EU’s primary regulatory authority based in Paris. The EBA supervises financial institutions across the European banking sector and develops regulations to safeguard financial institutions from risk and address vulnerabilities.

The European Investment Bank (EIB) is a publicly-owned EU financial institution that was established as a “policy-driven bank” advancing various EU projects and programs, mostly related to social initiatives.

Other EU Agencies:

The European Commission (EC) is the executive branch of the EU that sustains EU treaties, proposes  legislation and manages day-to-day operations of the EU.

The European Union Agency for Cybersecurity (ENISA) is the EU’s dedicated cybersecurity agency with jurisdiction across Europe. The agency was mandated by the EU Cybersecurity Act and established in 2004. The agency develops and disseminates cross-sectoral cybersecurity policies.

The European Data Protection Board (EDPB) is the EU’s data protection agency with supervisory jurisdiction over 27 member states; Iceland, Liechtenstein and Norway are the most recent members. The EDPB’s oversight includes supervision of uniform GDPR application and compliance. It accomplishes this through cybersecurity coordination between member states.

The European Data Protection Supervisor (EDPS) is another independent EU data protection authority. Headed by an elected supervisor, the EDPS’s goal is to ensure personal data protection and privacy when any EU institution processes personal information; it also advises EU institutions on personal data processing.

Standards, Laws and Regulations 

European Commission

European Commission Unveils AML/CFT Legislative Package, 20 July 2021

The European Commission unveiled a comprehensive AML/CFT legislative package, which aims to strengthen the existing framework, improve the detection of suspicious transactions and activities, close loopholes that enable criminal activity and harmonize the AML/CFT approach across the EU. The package includes four legislative proposals:

1. 1. The regulation establishing the Authority for Anti-Money Laundering and Countering the Financing of Terrorism and amending Regulations (EU) No 1093/2010, (EU) 1094/2010, (EU) 1095/2010: this regulation would establish an EU-wide Authority for Anti-Money Laundering (AMLA). AMLA would supervise financial transactions and spearhead cooperation with national supervisors and national financial intelligence units. The authority is expected to be operational in 2024, with its direct supervision work to begin in 2026.²
2. 2. The regulation on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing: this regulation would expand the list of obliged entities to include cryptoasset service providers, streamline beneficial ownership requirements, impose new requirements on the processing of certain categories of personal data and clarify requirements on customer due diligence.
3. 3. The regulation on information accompanying transfers of funds and certain crypto-assets (recast): this regulation would extend traceability requirements to cryptoassets.
4. 4. The Directive on the mechanisms to be put in place by the Member States for the prevention of the use of the financial system for the purposes of money laundering or terrorist financing and repealing Directive (EU) 2015/84: this directive aims to promote a harmonized approach to AML/CFT and strengthen cooperation amongst financial intelligence units (FIUs), supervisors and other authorities.

Jan Ceyssens, the European Commission’s Head of the Digital Finance unit, stated that “[MiCA and the new AML/CFT legislative package] will be two sides of the same coin, so that operators in this space, whether that is issuers, service providers, wallet providers, or trading venues are subject to the same set of rules throughout the EU.”³ The package will now proceed to discussion between the European Parliament and the Council. 

European Commission Proposes Framework for European Digital Identity, 03 June 2021

The European Commission proposed a framework for a European Digital Identity, which will allow citizens, residents and businesses to access public and private services across the EU, even offline. According to the press release, “Under the new Regulation, Member States will offer citizens and businesses digital wallets that will be able to link their national digital identities with proof of other personal attributes (e.g. driving licence, diplomas, bank account). These wallets may be provided by public authorities or by private entities, provided they are recognised by a Member State. The new European Digital Identity Wallets will enable all Europeans to access services online without having to use private identification methods or unnecessarily sharing personal data. With this solution they will have full control of the data they share.” The proposal aims to reduce fraud, promote trust in e-commerce and facilitate the access to services across member states.⁴

EU Adequacy Decision for the UK on Cross-Border Transfers of Personal Data, 28 June 2021

The European Commission adopted an adequacy decision under the GDPR allowing for the free flow of personal data between the EU and the UK. The adequacy decision includes a sunset clause, which caps the duration of the adequacy at four years, in the case that UK personal data protection standards diverge.

EU and US Release Joint Statement on EU-US Privacy Shield: Revamping Negotiations, 25 March 2021

Per a joint statement issued by European Commissioner for Justice Didier Reynders and U.S. Secretary of Commerce Gina Raimondo, the EU and US have decided to revamp negotiations towards an EU-US Privacy Shield in compliance with the 20 July 2020 European Union Court of Justice (EUCJ) judgment in the Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (Schrems II) case. The Schrems II case struck down the former EU-US Privacy Shield that allowed cross-border transfers between the jurisdictions. Per an argument by the Irish Data Protection Commission, the EU Standard Contractual Clauses for the transfer of personal data to processors outside the EU/EEA (SCCs) could not protect personal data from NSA and other US government agency surveillance. Increasing suspicion towards American interference was influenced in part by NSA whistleblower Edward Snowden’s 2013 revelations.

European Commission Publishes Communication on the 2030 Digital Compass, 09 March 2021

The European Commission presented the 2030 Digital Compass: the European way for the Digital Decade, a vision that seeks to make Europe a digital leader by 2030. The vision hinges on four main tenets: digital empowerment of EU citizens, security and sustainability in digital infrastructures, the digitalization of business and digitalization of public services. Regarding digitalization in business, the EU aims to create a more attractive landscape functional for startups, which will include a more integrated and operational Single Market and boosting access to finance. With its usual mind towards fairness and leveling out the playing field, the communication also speaks to the importance of small and medium-sized enterprises (SME) in the growth of the digital ecosystem. By 2030, the vision aims for SMEs to have achieved fair and easy access to digital technologies through the support of over 200 Digital Innovation Hubs and industrial clusters. Furthermore, 75% of European enterprises will have adopted cloud computing services, big data and AI and 80% of EU citizens will be utilizing an e-ID per the Commission’s goals. The fintech industry will especially benefit from this increasing amenability to and demand for the integration of technology into business and everyday life. 

European Parliament

European Parliament Adopts Resolution on Commission Evaluation Report on Implementation of GDPR, 25 March 2021 

The resolution on the European Commission’s evaluation report, which comes two years after the GDPR’s implementation, concludes that the regulation has been an “overall success,” with no need for revisions or updates. The resolution pays particular attention to EU citizens’ increasing awareness of their rights with regard to data protection, and the GDPR’s influence in sparking similar initiatives worldwide. 

Council of the European Union

Adoption of Retail Payments Strategy, 22 March 2021

The Council adopted the Retail Payments Strategy, first proposed in September 2020 by the Commission as part of the Digital Finance Package. The strategy hinges on four pillars: innovation and competition in payments markets, facility of cross-border payments, interoperable payment systems and digital, instant payment systems across the EU. Per the Council’s press release, “The Council also highlights the many challenges to be taken into account when further developing and regulating the market, such as financial inclusion, security and consumer protection, data protection and anti‑money laundering aspects.”

Adoption of Cybersecurity Strategy, 16 December 2020

The Council adopted a cybersecurity strategy that “aims to safeguard a global and open Internet by harnessing and strengthening all tools and resources to ensure security and protect European values and the fundamental rights of everyone.”⁵ The strategy is ambitious and broad in scope. One of the primary initiatives includes an EU-wide Cyber Shield, a network of Security Operations Centres that will employ AI and machine learning to detect and deter cyberattacks at an early stage. The European Commission is also spearheading a Joint Cyber Unit to bolster cooperation between EU member states and EU authorities. The Joint Cyber Unit will help to share information on the threat landscape with relevant stakeholders, as well as coordinate responses to attacks, especially cross-border ones. The Commission aims for the Joint Cyber Unit to be operational by June 2022 and fully functional by June 2023.⁶

Member States 

Compliance with the 6th Anti-Money Laundering Directive, 03 June 2021

Regulated entities operating in the EU were required to be compliant with the 6th Anti-Money Laundering Directive (6AMLD) by 3 June 2021. The 6AMLD aims to expand the scope of previous AML directives, harmonize the AML approach across member states, impose stricter penalties and close loopholes in national legislation. It standardized the definition of money laundering across the EU, resulting in a list of 22 predicate offenses which must be criminalized by member states. This has required financial institutions to finetune their KYC, CDD and transaction monitoring processes to ensure its scope applies encompasses the broadened money laundering definition. Harsher criminal liability will also crack down on any “legal persons” involved, which extends to companies, partnerships, consultants, accountants or others acting on behalf of an entity. Furthermore, because money laundering is often transnational, the 6AMLD implements information-sharing requirements to aid EU states in adopting a facilitated and harmonized approach to prosecution.

Member States Sign Berlin Declaration on Digital Society and Values-Based Digital Government, 08 December 2020

The Berlin Declaration—signed by relevant ministers of all member states—affirms the pursuit of an inclusive digital transformation and modernized Single Market, and outlines a generalized strategy in achieving progress by 2024. The EU’s Fundamental Charter of Human Rights heavily underpins the declaration’s vision, which spells out seven principles in guiding digitalization: 

• Validity and respect of fundamental rights and democratic values
• Social participation and digital inclusion to shape the digital world
• Empowerment and digital literacy
• Trust and security in digital government interactions
• Digital sovereignty and interoperability
• Human-centred systems and innovative technologies in the public sector, and towards a resilient and sustainable digital society 

The declaration outlines strategies and member states’ commitments towards each principle, alongside a call upon the European Commission and other EU institutions to implement actions per their competences. Key points include:

• “taking steps to make widely usable, secure and interoperable electronic identification and trust services for electronic transactions available for each European resident and providing trustworthy, user-centric, accessible and reliable public services and information”
• “working towards developing an EU-wide Digital Identity framework allowing citizens and businesses to securely and seamlessly access online public and private services, while minimising disclosure and retaining full control of data”
• “agreeing on common European requirements for technology providers and solutions in the public sector (including security, data protection, interoperability, reusability) by accommodating existing requirements of the EU and Member States”⁷

The declaration reiterates its commitment to digital sovereignty, data protection, a secure cloud infrastructure, ethical AI and facilitating the flow of public-sector data. The EU’s increasingly well-articulated digital vision and strengthening regulatory framework points to an attractive landscape for fintech, although stringent non-compliance measures and oversight—alongside strict data localization and other data protection measures—might dissuade some entities from entering the scene. On the user end, digital inclusion measures will be instrumental in increasing the use of cashless electronic payments, online banking and remote customer onboarding, and digital authentication.

European Central Bank

Investigation Phase on Digital Euro, 14 July 2021

The European Central Bank’s Governing Council approved the investigation phase of a digital euro project, which will run for about two years with a subsequent three-year implementation period. The digital euro will function as legal tender issued by the ECB and complement the use of banknotes and coins in the 19-country Eurozone, and it could operate alongside a digital wallet. The endeavor seeks to counter the rising influence of privately-issued digital currencies like Bitcoin and Ethereum, especially as cash use continues to decline. The ECB will now focus on the technical design of the digital euro in consultation with a variety of stakeholders, and will confer with lawmakers in addressing the need for potential legislative changes.  

On 14 April 2021, the ECB published the Eurosystem report on the public consultation on a digital euro. The consultation revealed that respondents most prioritize privacy, with 43% of them ranking it number one. Trailing behind are “security (18%), the ability to pay across the euro area (11%), no additional costs (9%) and offline usability (8%).”⁸ Most people supported the integration of a digital euro into banking and payment systems already in existence. The consultation, which garnered 8,221 responses, revealed generally positive support for the development of a digital euro, and the ECB reiterated the importance of accommodating people’s “evolving needs” and the economy as a whole. As for safeguarding against risks to financial stability, ECB board member Fabio Panetta has raised the possibility that digital euro accounts be capped at EUR 3000 (approximately USD $3548) to prevent bank runs.⁹ 

European Banking Authority

European Banking Authority Launches Public Consultation on Draft Regulatory Technical Standards on AML/CFT, 06 May 2021

The European Banking Authority launched a public consultation on draft Regulatory Technical Standards (RTS) in the establishment of a central database on anti-money laundering and counter-financial terrorism. The draft RTS lays out rules safeguarding the effectiveness and confidentiality of the database, which would help to coordinate and harmonize the EU approach to AML/CFT. This is especially important as EU AML directives are discretionary—allowing member states to transpose them onto national law and implement them in different ways—which has not necessarily allowed for a pan-European approach. As cybercrime becomes more sophistication and international amidst increasing digitalization, a central database will streamline AML/CFT measures across the EU. The RTS will further ensure that the database adheres to data protection laws. The deadline for comments was 17 July 2021.

European Banking Authority Publishes Revised Guidelines on Money Laundering and Terrorist Financing, 01 March 2021

The European Banking Authority (EBA) published final, revised guidelines outlining changes to the AML/CFT regulatory framework with regard to evolving ML/FT risks. The report aims to help financial institutions in compliance efforts and strengthen their ability to recognize and mitigate risks. The guidelines point to the importance of a business-wide risk assessment in supporting AML/CFT controls and procedures. They outline updated customer risk factors, including the customer’s and customer’s beneficial owner’s reputation, nature and behavior, and business or professional activity. 

Implementation of Strong Customer Authentication (SCA) Requirements, 01 January 2021

Per the European Banking Authority, the full implementation of SCA requirements according to PSD2 was supposed to have been accomplished by the first of the year. Enforcement and timeline concerns—alongside the complexity of B2B payments—have long plagued the requirements, and the verdict as to their feasibility and success remains uncertain. According to global payments consultancy CMS Payments Intelligence Limited, SCA requirements have caused friction in online card payments to the extent that CMSPI estimates the annual sales at risk of being abandoned or declined might reach EUR 102 billion.¹⁰ 

European Securities and Markets Authority Issues Guidelines on Outsourcing to Cloud Service Providers, 10 May 2021

The European Securities and Markets Authority (ESMA) issued guidelines on outsourcing to cloud service providers in an effort to help certain financial institutions understand and address the risk landscape. They lay out compliance measures, with an emphasis on a risk-based approach to assessment, pre-outsourcing analysis and due diligence. Guidance on a smooth exit strategy is also supplied. The guidelines went into effect 31 July 2021. The publication is crucial in helping firms to wade through an increasingly complex regulatory landscape and harsher non-compliance measures.

Legislation

European Commission

European Commission Unveils Proposed Artificial Intelligence Act, 21 April 2021

As part of the European strategy for data, the European Commission published a far-reaching 108-page proposal regulating the use of AI, with particular regard to “high risk” systems and contexts. The regulation would apply to all providers and users located within the EU, as well as extra-territorial providers whose services are utilized within the EU. The Commission proposes a four-tired, risk-based approach. AI systems that pose a minimal risk—which includes the majority of such systems—will not be subject to further regulation. Limited-risk AI will be subject to transparency requirements, for example, a warning to a user that they are interacting with a chatbot. High-risk AI—defined as systems that pose a risk to users’ rights per the EU Charter of Fundamental Rights—will be subject to requirements on human oversight, transparency, quality of data sets used, technical documentation and record keeping. Should an AI system pose an unacceptable risk, it is to be banned altogether. Unacceptable risk applies to systems that implement “social scoring” and manipulate human behavior through subliminal methods. Fintech entities that operate in the EU, or outside of the EU with an effect on users within the EU, utilize AI systems that are already regulated by existing legislation. AI systems that have not yet been adopted will face increased scrutiny. The proposal must still advance through the EU legislative procedure, but it is expected to be a vanguard in global AI regulations in much the same way the GDPR has been with regard to data protection.

European Commission Submits Proposal for Digital Services Package, 15 December 2020

The European Commission submitted its proposed Digital Services Package—part of the “Shaping Europe’s Digital Future”—to the European Parliament and European Council. The proposal includes the Digital Services Act (DSA) and Digital Markets Act (DMA). Together, the legislative acts seek to promote online safety while safeguarding fundamental rights, review the liability regime of digital services acting as intermediaries, address issues derived from the gatekeeper power of digital platforms, strengthen the Single Market for digital services, bolster innovation alongside a rights-based approach, and address other emerging issues and opportunities, including online advertising and smart contracts. The EU Charter of Fundamental Rights strongly grounds the proposal, with its attention to fairness, inclusivity, transparency and accountability.

The Digital Services Act covers rules for online intermediary services—including obligations and sanctions—and seeks to strengthen the existing EU e-commerce regulatory framework. It calls for an improved approach to digital services mechanisms in removal of illegal content and the protection of user data. Indeed, this past year has seen a heightened focus on content governance and online safety, even amidst increased online privacy. On 28 April 2021, Parliament approved legislation that requires online platforms to institute a one-hour takedown of terrorist content. A day later, 29 April 2021, the Council and European Parliament agreed on a temporary measure allowing providers of electronic communications services to continue in their efforts to track and remove child abuse content until permanent legislation was announced.

The Digital Markets Act aims to cultivate a fairer business landscape by conferring a gatekeeper status upon large tech firms, and imposing obligations and non-compliance measures on them. Gatekeepers will be defined by three criteria, including stability over time, “a strong economic position” and “a strong intermediation position, meaning that it links a large user base to a large number of businesses”.¹¹ This includes big tech firms like Google, Microsoft, Apple, Facebook and Amazon. In leveling competition and lessening unfair advantages, the EU would smooth the entryway for new and smaller firms and create a more inclusive market. This antitrust stance—support for SMEs, cultivating a level playing field, and loosening big tech’s monopoly—has been central to the recent EU agenda. It will be key in diversifying the fintech landscape, spurring on innovation through competition, giving consumers more choice, and promoting its ideal of inclusive digitalization. 

European Commission Publishes Proposal for Data Governance Act, 25 November 2020

The European Commission has issued its proposed Data Governance Act as part of the European Strategy for Data, “which aims to foster the availability of data for use by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU.”¹² It offers an alternate method of data handling and processing than that employed by big tech, which will face increasingly stringent compliance measures. The proposal outlines rules for the access to and sharing of public sector data—both personal and non-personal (that which is unprotected by the GDPR)—that would have otherwise been protected, per commercial confidentiality and intellectual property rights, for example. A European Data Innovation Board would be established as an expert group to conduct oversight of data sharing service providers and advise the Commission. Furthermore, the act lays out the procedures for data altruism, wherein individuals or companies consent to having their data shared for the greater good. The reuse of data is especially key in advancing research. Despite concerns, the act is fully compliant with the GDPR. Similar to other acts within the EU’s broad digital empowerment agenda, the proposal implements a rights-based approach premised on trustworthiness, privacy and accountability. 

European Commission Publishes Fintech Action Plan, 24 September 2020

The European Commission published the FinTech Action Plan, a follow-up to the 2018 one. The plan outlines a Digital Finance Strategy Package that includes legislative proposals on crypto-assets, digital operational resilience and retail payments. 

The proposed Markets in Crypto-Assets Regulation (MiCA) is broad and ambitious, aiming to establish a comprehensive crypto-assets regulatory framework and enhance legal certainty and harmonization across the EU. Main priorities include transparency, consumer protection, prevention of market abuse, authorization and supervision. The definition of crypto-assets is classified into three categories: e-money tokens, asset-referenced tokens, and a third group covering all other types like utility tokens and algorithmic stablecoins. Issuers will be subject to regulatory requirements based on which crypto-assets are sold, with all issuers of e-money tokens and asset-referenced tokens obligated to be authorized and established within the EU.

The Commission’s Retail Payments Strategy, adopted by the Council of the European Union in March 2021, focuses on four tenets: innovation and competition in payments markets, facility of cross-border payments, interoperable payment systems and digital, instant payment systems across the EU. The pan-European approach seeks to boost integration amidst a fragmented payments landscape—as most payment systems only work within domestic borders—which also prevents fintech companies from successfully scaling-up across the Single Market.

The proposal on Digital Operational Resilience for the Financial Sector presents, for the first time, a comprehensive framework addressing digital risk in finance. The act calls for regular testing of Information and Communications Technology (ICT) systems by financial entities in order to expose vulnerabilities. It also requires a risk-monitoring system in the event that ICT services are outsourced to third-party services providers, an improved system for the reporting of ICT-related risks, and updated ICT systems that ensure both technological resilience and data processing. The risk-based approach will prove especially crucial as pandemic era cyberattacks have shown an increasing sophistication and breadth, with multiple EU and member state institutions having faced attacks. Meanwhile, the act will complement the soaring use of digital payment technologies and crypto-assets, alongside the possibility of a digital euro launch.

Council of the European Union

Council of the European Union Agrees on Negotiating Mandate on e-Privacy Regulation, 10 February 2021 

Four years after the regulation was initially proposed by the European Commission, the Council of the European Union (“the Council”) has agreed on a negotiating mandate to replace the e-Privacy Directive 2002/58/EC with the e-Privacy Regulation. The draft legislation must now advance to trilogues between the European Parliament and European Commission, so its details can still change, but its main priorities outline rules for electronic communications, with regard to data protection and confidentiality of communications. It applies to both personal data and metadata, and extends to instant messaging apps, machine-to-machine communication and Voice over Internet Protocol (VoIP) platforms. Per the legislation, electronic communications data is private, and intrusion—such as listening to and monitoring—is forbidden. Before the processing of electronic communications metadata, electronic communications network and service providers must first obtain user consent. Like the GDPR, the legislation has extra-territorial scope in that it applies to any entity with EU users, regardless of location.

---

Reference:

^{1. “COVID-19 situation update for the EU/EEA, as of 17 May 2021.” European Centre for Disease Prevention and Control, 2021. https://www.ecdc.europa.eu/en/cases-2019-ncov-eueea.}

^{2. Hutchinson, Lorna. “EU unveils new anti-money laundering package.” The Parliament Magazine, 21 July 2021. https://www.theparliamentmagazine.eu/news/article/eu-unveils-new-antimoney-laundering-package.}

^{3. “MiCA And New AML Regulation Will Interlink, Says EU Commission – ACAMS.” VIXIO, 17 July 2021. https://vixio.com/insight/paymentscompliance/mica-and-new-aml-regulation-will-interlink-says-eu-commission-acams/.}

^{4. Cunningham, Francine. “European eID Regulation aims to facilitate cross border transactions.” Lexology, 08 July 2021. https://www.lexology.com/library/detail.aspx?g=a8aa2786-957b-4c37-903a-1ae6ec09376b.}

^{5. “New EU Cybersecurity Strategy and new rules to make physical and digital critical entities more resilient – Questions and Answers.” European Commission, 16 December 2020. https://ec.europa.eu/commission/presscorner/detail/en/QANDA_20_2392.}

^{6. Leyden, John. “EU pushes plans for Joint Cyber Unit in fight against increased cyber-attacks.” The Daily Swig, 23 June 2021. https://portswigger.net/daily-swig/eu-pushes-plans-for-joint-cyber-unit-in-fight-against-increased-cyber-attacks.}

^{7. “Berlin Declaration on Digital Society and Value-Based Digital Government.” EU2020.de, 08 December 2020.}

^{8. “ECB publishes the results of the public consultation on a digital euro.” European Central Bank, 14 April 2021. https://www.ecb.europa.eu/press/pr/date/2021/html/ecb.pr210414~ca3013c852.en.html}

^{9. Look, Carolyn. “ECB’s Panetta Floats 3,000-Euro Limit on Digital Cash.” Bloomberg, 09 February 2021. https://www.bloomberg.com/news/articles/2021-02-09/ecb-s-panetta-floats-3-000-euro-limit-on-digital-cash-spiegel.}

^{10. Patel, Mohammed. “Strong Customer Authentication (SCA) ;– Impact Assessment – January 2021.” CMSPI, 23 February 2021. https://cmspi.com/eur/resources/sca-january-updates/}

^{11. “The Digital Markets Act: ensuring fair and open digital markets.” European Commission. https://ec.europa.eu/info/strategy/priorities-2019-2024/europe-fit-digital-age/digital-markets-act-ensuring-fair-and-open-digital-markets_en}

^{12. “Proposal for a Regulation of the European Parliament and the Council on European Data Governance (Data Governance Act).” European Commission, 25 November 2020.}

---

^{*DISCLAIMER: This information is OneSpan's interpretation of the compliance requirements as of the date of publication. Please note that not all interpretations or requirements of the applicable laws are well-settled and its application is fact- and context-specific. The information contained in this document should not be relied upon as legal advice or to determine how the law applies to your business or organization. We encourage you to seek guidance from your legal counsel with regard to law applying specifically to your business or organization and how to ensure compliance. This information is provided “as-is” and may be updated or changed without notice. OneSpan does not accept liability for the contents of these materials.}

Last updated: November 2021