EU Compliance for Fintech & Financial Services
EU regulations directly affecting Fintech & Financial Services organisations — including obligations, deadlines, and maximum fines. Use our regulation checker to map your exact exposure.
Which EU regulations apply to Fintech & Financial Services businesses?
Fintech & Financial Services organisations operating in the EU are subject to 10 key regulations, including the AI Act, NIS2, DORA and 7 more. The most significant obligations are classifying AI systems by risk tier (AI Act) and implementing cybersecurity risk management measures (NIS2, and DORA for financial entities). Use the regulation checker to map your exact exposure in under 2 minutes.
- AI Act: max fine €35M or 7% of global turnover — Classify AI systems by risk tier
- NIS2: max fine €10M or 2% / €7M or 1.4% (essential / important entities) — Implement cybersecurity risk management measures
- DORA: max fine CTPPs: 1% of daily global turnover (up to 6 months); Financial entities: per national law — Implement ICT risk management framework
- Pay Transparency: max fine Per member state (compensation + penalties) — Publish salary ranges in job adverts
| Regulations applicable | 10 |
| Key regulations | AI Act, NIS2, DORA |
| Highest fine | €35M or 7% of global turnover (AI Act); MiCA market-abuse penalties can reach 15% of turnover |
Regulations that apply to Fintech & Financial Services
AI Act
The EU AI Act classifies AI systems by risk level and imposes obligations on providers and deployers. High-risk systems face mandatory conformity assessments, documentation, and human oversight requirements.
Max fine: €35M or 7% of global turnover
NIS2
NIS2 expands cybersecurity obligations to essential and important entities across critical sectors; banking and financial market infrastructures are Annex I sectors. It mandates risk management, incident reporting, and supply chain security. For financial entities covered by DORA, DORA is the sector-specific act and applies in place of NIS2's corresponding risk management and incident reporting provisions.
Max fine: €10M or 2% / €7M or 1.4% (essential / important entities)
DORA
DORA creates a comprehensive framework for ICT risk management in the financial sector. It requires resilience testing, third-party risk management, and incident reporting.
Max fine: CTPPs: 1% of daily global turnover (up to 6 months); Financial entities: per national law
Pay Transparency
The Pay Transparency Directive requires employers to disclose salary ranges in job postings, report on gender pay gaps, and enable employees to compare pay. It targets the gender pay gap across the EU; member states must transpose it by 7 June 2026.
Max fine: Per member state (compensation + penalties)
Whistleblower
The Whistleblower Directive protects persons who report breaches of EU law. It requires organisations with 50+ employees to establish internal reporting channels and prohibits retaliation.
Max fine: Per member state
MiCA
MiCA creates a comprehensive regulatory framework for crypto-assets in the EU, covering issuers of asset-referenced tokens and e-money tokens, and crypto-asset service providers (CASPs).
Max fine: €15M or 12.5% (ART/EMT issuers); €5M or 3% (CASPs); €15M or 15% (market abuse)
eIDAS 2.0
eIDAS 2.0 updates the framework for electronic identification and trust services, introducing the EU Digital Identity Wallet. It enables cross-border digital identity verification and expands recognised trust services.
Max fine: Per member state
CSRD
CSRD expands mandatory sustainability reporting to large companies and listed SMEs. Companies must report according to European Sustainability Reporting Standards (ESRS) covering environment, social, and governance matters.
Max fine: Per member state (audit-based enforcement)
CS3D
CS3D requires large companies to conduct due diligence on actual and potential adverse impacts on human rights and the environment in their operations and supply chains.
Max fine: Per member state, but the maximum pecuniary penalty each member state sets must be at least 5% of net worldwide turnover (Art. 27)
EAA
The EAA sets harmonised accessibility requirements across the EU for key products and services, ensuring people with disabilities have equal access to the digital economy and essential services.
Max fine: Per member state
Explore by regulation
- EU AI Act
- General Data Protection Regulation
- NIS2 Directive
- Cyber Resilience Act
- Digital Operational Resilience Act
- EU Data Act
- ePrivacy Directive
- Digital Services Act
- Digital Markets Act
- Pay Transparency Directive
- Whistleblower Directive
- Markets in Crypto-Assets Regulation
- eIDAS 2.0 Regulation
- Product Liability Directive (Revised)
- Corporate Sustainability Reporting Directive
- Corporate Sustainability Due Diligence Directive
- Green Claims Directive
- European Accessibility Act
- EU Machinery Regulation
Frequently asked questions
Which EU regulations apply to fintech companies?
Fintech companies in the EU are typically subject to: GDPR (data protection); DORA (Regulation (EU) 2022/2554, digital operational resilience, applicable from 17 January 2025); NIS2 (banking and financial market infrastructure sectors in Annex I, although for financial entities covered by DORA, DORA is the sector-specific act and takes precedence over NIS2's corresponding risk management and incident reporting provisions); the EU AI Act (Annex III high-risk classification for credit scoring of natural persons and for life and health insurance risk assessment and pricing; AI used purely for detecting financial fraud is expressly excluded from the credit-scoring category); PSD2 and PSD3/PSR (payment services regulation); and MiCA (Markets in Crypto-Assets Regulation, applicable to CASPs from 30 December 2024). Fintech companies acting as ICT third-party service providers to regulated entities fall under their clients' DORA third-party risk obligations (mandatory contractual provisions and the register of information) and, if designated as critical by the European Supervisory Authorities, under DORA's direct oversight framework.
What does DORA require from fintech companies?
DORA (Regulation (EU) 2022/2554) requires financial entities to establish and maintain a comprehensive ICT risk management framework (Chapter II) including: ICT strategy and governance, with the management body accountable for it; ICT risk identification and asset classification; ICT-related incident management, classification and regulatory reporting (Chapter III); digital operational resilience testing (Chapter IV), including threat-led penetration testing at least every three years for entities identified by their competent authority; and third-party ICT risk management (Chapter V, Section I) with a formal register of information on all contractual arrangements with ICT service providers and the mandatory contractual provisions of Article 30. Participation in cyber threat information-sharing arrangements (Chapter VI) is permitted and encouraged but voluntary. ICT third-party service providers designated as critical (CTPPs) by the European Supervisory Authorities fall under the direct oversight framework in Chapter V, Section II; other providers are reached indirectly through their clients' contracts and register.
Does the EU AI Act apply to credit scoring and fraud detection AI?
Yes for credit scoring, with an important exception for fraud detection. EU AI Act Annex III, point 5(b) covers AI systems intended to evaluate the creditworthiness of natural persons or establish their credit score, but expressly excludes AI systems used for the purpose of detecting financial fraud; point 5(c) covers AI systems used for risk assessment and pricing in relation to natural persons in life and health insurance, not insurance generally. Systems in scope are high-risk and their providers must implement: a risk management system (Article 9); data governance measures (Article 10); Annex IV technical documentation (Article 11); logging and record-keeping (Article 12); transparency and human-oversight design (Articles 13 and 14); accuracy, robustness and cybersecurity (Article 15); registration in the EU database (Article 49); and a conformity assessment before placing the system on the market (Article 43). Deployers, including a bank or insurer using a vendor's model, carry their own obligations under Article 26. The high-risk obligations for Annex III systems apply from 2 August 2026. A fraud-detection model outside Annex III remains subject to GDPR, including Article 22 where it makes solely automated decisions with legal or similarly significant effects on individuals.
What are the DORA incident reporting requirements for fintechs?
DORA Article 19 requires financial entities to report major ICT-related incidents to their competent authority. Classification as major is based on the Article 18 criteria, with materiality thresholds set in the Commission's regulatory technical standards: number of clients, financial counterparts and transactions affected; reputational impact; duration and service downtime; geographic spread; data losses; criticality of the services affected; and economic impact. Reporting is in three stages, with timelines set by the RTS under Article 20: an initial notification within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it; an intermediate report within 72 hours of the initial notification; and a final report within one month of the intermediate report. Notification of significant cyber threats under Article 19(2) is voluntary, not mandatory, although where a significant cyber threat materialises, entities must inform potentially affected clients of appropriate protective measures (Article 19(3)).
How does MICA affect crypto-asset fintechs?
MiCA (Regulation (EU) 2023/1114) applies to issuers of asset-referenced tokens (ARTs) and e-money tokens (EMTs) from 30 June 2024 and to crypto-asset service providers (CASPs) from 30 December 2024, with an optional member-state transitional period for CASPs already operating under national law of up to 18 months, ending no later than 1 July 2026 (Article 143). CASPs must obtain authorisation from a Member State competent authority, which is passportable across the EU; hold prudential safeguards in the form of own funds, an insurance policy, or a combination of the two (Article 67); follow custody and safeguarding rules for client crypto-assets and funds; and comply with transparency, disclosure and conduct-of-business obligations. MiCA requires CASPs to manage and maintain ICT systems and security protocols in line with DORA (Article 68), and CASPs and ART issuers are themselves financial entities within DORA's scope (DORA Article 2(1)), so the full DORA regime applies to them directly.
For informational purposes only. This is not legal advice — consult qualified legal counsel.