Welcome to our "to the point" newsletter. Every month, we look back at the most relevant developments in the area of financial regulation in the CEE region.
In this edition, you will get a mix of updates:
· The European Commission has proposed amendments to the Sustainable Finance Disclosure Regulation (SFDR) that substantially simplify what financial institutions and advisors must report and how they may market sustainable products. For obliged entities and persons, the changes mean a clear reduction in administrative burden, lower compliance costs and more legal certainty. Entity-level disclosures on principal adverse impacts will be removed for most financial market participants, eliminating duplications with the Corporate Sustainability Reporting Directive (CSRD) and sparing smaller players from complex ESG data collection, as only the largest institutions under CSRD thresholds will continue to report their environmental and social impacts. Product-level disclosures will be trimmed to information that is genuinely available and comparable, enabling providers to design and describe sustainability features without navigating excessive or ambiguous requirements. A new three-tier product categorisation system, with "sustainable", "transition" and "ESG basics" categories, will replace the previous de facto labelling, bringing clearer rules for what claims can be made and requiring categorised products to maintain at least 70 % alignment with their stated sustainability strategy while excluding harmful activities such as tobacco, human-rights violators, prohibited weapons and certain fossil fuels. For obliged entities, this framework clarifies how products may be marketed, reduces the risk of greenwashing accusations, improves consistency across disclosures and provides a more predictable compliance environment.
· The EBA has published new Guidelines on environmental scenario analysis, which introduce substantially higher expectations for obliged entities, namely EU banks and other institutions subject to CRD6 and CRR3, by requiring them to integrate environmental risk considerations into both their short-term stress-testing and long-term strategic planning processes. From 1 January 2027, institutions must be able to demonstrate that environmental risks, including transition and physical risks, are embedded within their existing stress-testing frameworks so that the immediate financial impact of such risks can be quantified, and capital and liquidity buffers can be shown to remain adequate. At the same time, they must conduct resilience analysis to assess how environmental risks and opportunities may shape their business models, strategies and risk profiles over the medium and long term, ensuring that forward-looking sustainability factors influence decision-making at a structural level. These requirements mean obliged entities must develop robust methodologies, collect and manage relevant environmental data, enhance internal governance around ESG risk, and ensure that scenario analysis becomes a routine and auditable component of risk management.
· The European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) have published the list of designated critical ICT third-party providers (CTPPs) under the Digital Operational Resilience Act (DORA). For banks, insurers, pension funds, investment firms and other regulated financial institutions, the publication of the official list means that their relationships with these designated ICT providers now fall under a reinforced, centralised EU oversight regime. Financial entities must therefore ensure that their outsourcing arrangements, contractual terms, monitoring procedures and ICT-risk management frameworks comply with the heightened expectations applicable when working with a CTPP, including more rigorous due diligence, ongoing risk assessment and effective incident-reporting channels. The designation also gives supervisors a clearer view of systemic dependencies, meaning obliged entities can expect closer scrutiny of how they manage concentration risk and the substitutability of crucial outsourced functions. For the critical providers themselves, the new framework imposes direct supervisory engagement by the ESAs, which will assess governance, resilience measures and the robustness of services delivered to the financial sector. In practice, this means CTPPs must demonstrate strong operational resilience, transparent risk-management structures, and readiness to undergo examinations and provide information on request.
· The new EU rules on payment services (see last PSR proposal and PSD3 proposal) significantly change what is expected from obliged entities by imposing stricter anti-fraud duties, greater transparency obligations and clearer liability. Payment service providers will now have to implement a comprehensive fraud-prevention framework that includes mandatory sharing of fraud-related information, systematic checks matching IBAN numbers to account names before executing transfers, and the use of preventive tools whose absence will trigger liability if consumers suffer losses. Providers will therefore face higher compliance expectations, closer supervisory scrutiny and a direct financial risk if they fail to meet the new standards. Major online platforms and search engines will only be allowed to advertise financial services that originate from duly authorised entities in the relevant Member State, creating new responsibilities for platforms to verify regulatory status and reducing the scope for fraudulent or unregulated operators. Transparency duties will expand as ATM operators must display all fees and exchange rates before transactions, and card payment facilitators must clearly break down the fees they charge merchants, giving both consumers and businesses clearer price information. Merchants themselves must ensure that the trading name used in daily operations matches the one shown on customers' bank statements, reducing disputes and helping consumers identify legitimate charges. Retailers will also gain a regulated ability to offer cash withdrawals without requiring a purchase, but this will obligate them to use chip-and-PIN verification and comply with a EUR 150 limit. 
Overall, the new framework demands more robust fraud controls, clearer disclosures and more responsible advertising practices from obliged entities, while also opening space for innovation by enabling authorised service providers to access bank account information and develop modern payment solutions within a safer and more transparent regulatory environment.
· EIOPA has submitted two sets of draft regulatory technical standards (RTS on liquidity risk management plans and RTS on macroprudential analyses in Own Risk and Solvency Assessments and prudent person principle) to the European Commission on new macroprudential tools that have been introduced in the Solvency II framework following its recent review, introducing significant obligations for insurers and groups, particularly those above the EUR 20bln asset threshold or those whose risk profiles warrant inclusion by supervisors. Obliged entities must now prepare comprehensive Liquidity Risk Management Plans that go beyond short-term assessments and include medium and long-term liquidity analyses, ensuring they maintain sufficient liquidity to meet all obligations even in stressed conditions. These plans must be updated at least annually and immediately whenever material changes occur in their risk exposures or external environment. Insurers must also incorporate macroprudential analyses into their Own Risk and Solvency Assessment and into the application of the prudent person principle, embedding system-wide risk considerations into their core risk-management processes. The rules give supervisors discretion to opt undertakings in or out based on risk, meaning smaller entities can still fall under the enhanced regime if their activities pose liquidity or systemic concerns. For obliged entities, this results in more detailed data collection, additional modelling and monitoring duties, stricter governance expectations, and closer supervisory scrutiny of liquidity preparedness and macroprudential awareness. Hence, insurers must adopt more forward-looking, comprehensive and systemically aware risk-management practices, strengthening their resilience and the stability of the wider financial sector.
· The Czech National Bank (CNB) launched the option of accepting instant payments for all institutions that have an account with it, enabling individuals and companies to pay taxes, fees, insurance premiums and other levies within seconds at any time, including weekends and holidays. This step is part of the broader digitisation of CNB services and significantly simplifies communication with state authorities, including tax offices, the social security administration, health insurance companies, ministries and other public organisations. It is now possible to pay administrative fees and taxes directly on the spot, with the payment appearing in the tax office's account within seconds, reducing the risk of delays and eliminating the uncertainty associated with weekends and holidays. Instant payments are very widespread in the Czech Republic, available to 99 % of consumers and used not only by individuals but also by businesses and e-shops, which are attracted by their speed, reliability and lower costs compared to other payment methods. Moreover, their number is growing rapidly, as in October 2025, an average of 1.65 million instant payments were made daily, accounting for 41 % of all interbank payments, which is a significant increase compared to previous years.
Our team of financial regulation experts
Our experienced team of financial regulation experts will be happy to support you if you have any questions or wish to be updated regularly via newsletters covering specific regulations affecting your business and/or via webinars on topics of your choice.
Do not hesitate to contact us.
Kristýna Tupá, Attorney at Law, Czech Republic