21/01/25

2025: what to expect?

Blockchain law IV

The law of 20 December 2024, known as Blockchain Law IV, aims at improving the current legal framework for dematerialised securities by taking advantage of new technologies, in particular distributed electronic registers and databases. It introduces a new player: the control agent for the issuance of dematerialised securities. The control agent is appointed by the issuer to (i) maintain the issuance account in or through a secure electronic recording device, including a distributed ledger technology (“DLT”) or database; (ii) monitor at any time the chain of custody of dematerialised securities held in securities accounts; and (iii) carry out the reconciliation between the aggregate amount of securities issued recorded in an issuance account and the sum of securities recorded in the account holders' securities accounts.

For more information on this subject, please refer to (i) our eAlert “Bill of law - Blockchain law IV aiming at facilitating the use of distributed ledger technology in dematerialised securities”, (ii) our eAlert “ESMA Guidelines to apply for permission to operate a DLT market infrastructure” and (iii) our eAlert “Implementation of the DLT pilot regime in Luxembourg – Blockchain law III”.

CRD VI / CRR III 

On 19 June 2024, Regulation (EU) 2024/1623 amending Regulation (EU) No 575/2013 as regards requirements for credit risk, credit valuation adjustment risk, operational risk, market risk and the output floor (“CRR III”) and Directive (EU) 2024/1619 amending Directive 2013/36/EU as regards supervisory powers, sanctions, third-country branches, and environmental, social and governance risks (“CRD VI”) were published in the Official Journal of the European Union.

CRR III is generally applicable from 1 January 2025, while CRD VI must be implemented into Luxembourg law by 11 January 2026, except for the provisions on third-country branches, which are applicable from 11 January 2027.

For their application, CRR III and CRD VI also require several implementing texts at EU level, such as delegated regulations, regulatory technical standards, implementing technical standards and guidelines.

For more information on specific topics of CRD VI, please refer to our eAlert “The management of ESG risks by credit institutions pursuant to CRD VI” and our eAlert “Third country branches regime under CRD 6”.

DORA

Regulation 2022/2554 and Directive 2022/2556 on digital operational resilience for the financial sector (“DORA”) apply as from 17 January 2025. For the application thereof, the European Commission and the European Supervision Authorities were appointed to draft and publish delegated regulations, regulatory technical standards (“RTS”), implementing technical standards (“ITS”), and guidelines.

Some of them are already in force, notably regarding (i) the information and communication technology (“ICT”) risk management framework, (ii) the classification of major incidents and significant cyber threats, (iii) the register of information, (iv) the policy on ICT services supporting critical or important functions, and (v) critical ICT third-party service providers.

Some others are at their final stage, including notably (i) draft RTS on subcontracting, (ii) draft RTS on the determination of the composition of the joint examination team, (iii) joint draft RTS on the harmonisation of conditions enabling the conduct of the oversight activities, (iv) joint guidelines on estimation of aggregated costs/losses caused by major ICT-related incidents and (v) joint guidelines on oversight cooperation.

Finally, draft RTS and ITS on major incident reporting and threat-led penetration tests are at an earlier stage.

Furthermore, DORA was implemented into Luxembourg law by way of a law of 1 July 2024. The Commission de surveillance du secteur financier (CSSF) has released notifications in this respect. More information is available in our eAlert “Implementation of EU acts on digital operational resilience (DORA) into Luxembourg law: new requirements upon entities of the financial sector”.

For more information on DORA, please refer to (i) our eAlert “A new step in the adoption of the Digital Finance Package”, (ii) our DORA Regulation Guide as well as our CMS dedicated webpage.

Instant payment

On 19 March 2024, Regulation (EU) 2024/886 amending (i) Regulation (EU) 260/2012 establishing technical and business requirements for credit transfers and direct debits in euro, (ii) Regulation (EU) 2021/1230 on cross-border payments in the Union as regards instant credit transfers in euro, (iii) Directive 98/26 on settlement finality in payment and securities settlement systems (the “Finality Directive”) and (iv) Directive 2015/2366 on payment services in the internal market (“PSD 2”) as regards instant credit transfers in euro was published in the Official Journal of the European Union.

On 20 November 2024, a bill of law was filed with the Luxembourg Parliament to implement the amendments to PSD 2 and to the Finality Directive. Most of the articles of the bill of law are in line with the above-mentioned European directives. The bill of law is undergoing the legislative process and may be amended.

For more information on Regulation (EU) 2024/886, please refer to our eAlert “Publication in the Official Journal of the European Union of the Regulation on instant credit transfers”.

MiCAR

Regulation 2023/1114 on markets in crypto-assets (“MiCAR”) is now fully applicable for issuers of asset-referenced tokens (“ARTs”) and e-money tokens (“EMTs”) and crypto-assets service providers (“CASPs”).

The European Commission and the European Supervision Authorities were appointed to draft and publish delegated regulations, regulatory technical standards, implementing technical standards and guidelines (the “Implementing Texts”).

The Implementing Texts regarding ARTs and EMTs are in force, such as Commission delegated regulations specifying (i) certain criteria for classifying the ARTs and EMTs as significant, (ii) fees charged by the European Banking Authority to issuers of significant ARTs and EMTs, or (iii) appropriate public disclosure of inside information and for delaying the public disclosure of that information.

The Implementing Texts regarding crypto-assets and CASPs are either already applicable or will be very soon, and include notably guidelines on (i) the suitability assessment of members of the management body of issuers of asset-referenced tokens and of crypto-asset service providers, (ii) the suitability assessment of shareholders and members, whether direct or indirect, with qualifying holdings in issuers of asset-referenced tokens and in crypto-asset service providers, or (iii) redemption plans.

However, several Implementing Texts, regardless of their nature and object, are at an earlier stage and yet to be finalised and adopted, which may create difficulties for the full application of MiCAR.

For more information on MiCAR, please refer to (i) our eAlert on “MiCAR Levels 2 and 3 measures – where do we stand?”, (ii) our eAlert “Adoption of MiCAR” with links to 11 short MiCAR-dedicated videos, (iii) our eAlert “New EBA guidelines to manage AML risks as part of the activities of crypto-asset service providers” and our “CMS Expert Guide to Crypto Regulation in Luxembourg”.

Furthermore, MiCAR is being implemented into Luxembourg law through bill of law 8187, which aims at (i) designating the Commission de surveillance du secteur financier (“CSSF”) to oversee the application of MiCAR, (ii) providing the CSSF with the supervisory and investigative powers necessary to carry out its duties and (iii) adopting an appropriate sanctions framework.

MiFID 3 / MiFID 2

Directive 2014/65/EU on markets in financial instruments and Regulation (EU) 600/2014 were respectively amended by Directive (EU) 2024/790 (“MiFID 3”) and Regulation (EU) 2024/791 as regards enhancing data transparency, removing obstacles to the emergence of consolidated tapes, optimising the trading obligations and prohibiting receiving payment for order flow (“MiFIR 2”). ESMA (“European Securities and Markets Authority”) launched consultations in May, July and October 2024 to review regulatory technical standards in this respect.

For more information, please refer to our eAlert “Adoption of MiFID 3 and MiFIR 2 to enhance transparency on markets in financial instruments” (March 2024).

Furthermore, on 13 December 2024, the Luxembourg Council of Ministers approved the bill of law implementing MiFID 3 and setting out rules for the application of MiFIR 2.

PSD 3 and PSR

The payment services sector will be modernised by the future new European legislation, i.e. (i) a regulation on payment services in the internal market (the “Draft PSR”) and (ii) a directive on payment services and electronic money services in the internal market (the “Draft PSD 3”) amending the current Directive 2015/2366 on payment services in the internal market (the so-called PSD 2).

The Draft PSR and the Draft PSD 3 organise the legal framework for new providers of payment services or electronic payment services in an open-banking context and enhance consumers’ protection through new requirements.

The Draft PSR and the Draft PSD 3 were adopted in first reading by the European Parliament in April 2024. They are currently awaiting the Council’s first reading position, meaning that they are still under discussion.

For more information on the Draft PSR and the Draft PSD 3, please refer to our eAlert “Contemplated new framework to modernize payment services” (September 2023).
