European regulation is moving fast with direct impact on compliance teams. This overview brings together 9 key developments from June to September 2025, with context and references you can trust.
The Anti-Money Laundering Authority (AMLA) has been operational since July 2025 as the new European supervisor. It coordinates the EU’s anti-money laundering (AML/CFT) framework and works closely with national authorities. One of its first priorities: supervision of crypto service providers (CASPs).
Under the new MiCA Regulation, CASPs must now be licensed and comply with strict KYC and transaction monitoring rules.
Why it matters: crypto transactions are fast, borderless, and partly anonymous. AMLA wants to ensure this channel is not misused for money laundering or terrorist financing.
Source: European Commission, AMLA
In August 2025, the EBA (European Banking Authority) published a report on SupTech, i.e. supervisory technology such as AI, data analytics, and dashboards that help regulators monitor institutions more efficiently. While promising, the report highlights challenges: GDPR compliance, lack of expertise, and poor data quality.
At the same time, the EBA warned that many financial institutions misuse or underuse RegTech solutions, creating false security and new vulnerabilities.
Why it matters: technology can strengthen compliance and supervision, but poor implementation increases risk instead of reducing it.
In August 2025, the EBA released new internal governance guidelines. Institutions must explicitly integrate AML/CFT risks into their governance framework, with oversight from both the board and senior management. Responsibilities also extend to non-EU subsidiaries. New focus areas include ESG risks, cybersecurity, and diversity.
Why it matters: compliance is no longer a standalone function; it is now recognised as a core element of governance and risk management.
Source: EBA Guidelines on Internal Governance (August 2025 update)
The European Commission updated its list of jurisdictions with strategic AML/CFT deficiencies. Newly added:
Financial institutions must apply Enhanced Due Diligence (EDD) when dealing with entities or clients from these countries.
Why it matters: this has a direct impact on onboarding, payments, and risk scoring. Institutions that fail to apply EDD face heavy sanctions.
Source: Delegated Regulation (EU) 2025
The Digital Operational Resilience Act entered into force at the start of 2025. It requires ICT risk management, incident reporting, third-party contract oversight, and regular threat-led penetration testing (TLPT). On 15 July 2025, the European Supervisory Authorities published guidance on monitoring critical ICT providers, while the ECB finalised its cloud outsourcing guide.
Why it matters: cyber incidents, from outages to attacks, can cause both financial and reputational damage. DORA makes digital resilience a core part of compliance.
The NIS2 Directive extends EU cybersecurity requirements. Financial institutions are classified as essential entities and must meet higher standards for security, risk management, and incident reporting. Management bodies carry direct responsibility.
Why it matters: cyber threats are growing, and NIS2 enforces stricter, harmonised obligations for organisations that are part of Europe’s critical infrastructure.
Source: ENISA & EUR-Lex – NIS2 Directive
This summer, the European Parliament and Council moved the new Payment Services Directive (PSD3) and the Payment Services Regulation (PSR) into trilogue negotiations. The big focus: stronger rules on fraud prevention, data sharing, and customer authentication.
Why it matters: now’s the time to run a quick gap assessment. Review your current Strong Customer Authentication (SCA) setup and incident reporting flows. Map where customer data is stored and shared (new obligations will require better governance and traceability). Expect additional fraud monitoring requirements for PSPs and banks.
Source: European Parliament
As of 31 July 2025, the EU’s “Travel Rule” (Regulation 2023/1113) is fully in force. Crypto-asset service providers (CASPs) can no longer rely on temporary workarounds: all crypto transfers must include full originator and beneficiary information — without thresholds.
Why it matters: Regulators are expected to scrutinise how CASPs detect and handle exceptions in real time. Ensure your messaging and IT systems can transmit the required data fields across all transfers and put due diligence procedures in place for counterparty VASPs.
Source: EUR-Lex
In August 2025, the European Supervisory Authorities (EBA, ESMA, EIOPA) released new Q&As on the Sustainable Finance Disclosure Regulation (SFDR). These provide clarity on how financial products should be labelled as sustainable, and what data institutions must report.
Why it matters: With greenwashing under scrutiny, these clarifications help define what can and cannot be marketed as sustainable.
Source: European Commission