Press release

Dortmund |

New rules, high pressure: New requirements for the financial sector

The financial sector is one of the most heavily regulated parts of the economy. New laws and regulations are constantly coming into force. Banks and insurers are again facing a lot of change in 2025.

To avoid compliance risks and fines, financial service providers need to deal with this quickly. The IT service provider adesso names the most important new requirements:

  • Sustainability reports become mandatory with the CSRD: The EU Taxonomy Regulation already requires financial companies to assess their economic activities and investments in terms of environmental sustainability. However, the Corporate Sustainability Reporting Directive (CSRD), which came into force in January 2023, creates significantly more extensive reporting obligations – including the European Sustainability Reporting Standards (ESRS), which lay down detailed requirements for the structure and content of sustainability reports. Many banks and insurers have to prepare a CSRD report for the first time for the 2024 financial year, which has just ended, and in many cases they are still doing this manually. With more than 1,000 datapoints, however, it makes sense to automate this process as early as possible. In other words, this means analysing data from various sources using intelligent software and integrating it into the report.
  • DORA is designed to ensure greater cyber resilience: The Digital Operational Resilience Act (DORA), which has been in force since 17 January 2025, is intended to make banks and insurers more resilient to attacks on and disruptions to information and communication technology (ICT) by, among other things, prescribing measures for risk management and incident handling. An important point here is an overview of the services obtained from third parties – such as cloud providers and ICT service providers – known as the information register. In Germany, this must be submitted to the financial regulator BaFin by 11 April 2025 at the latest and is intended to help both the regulator and the companies themselves to identify interconnections and dependencies. The financial regulator has already announced that it will examine the third-party risk in the sector as quickly as possible.
  • The EU AI Act defines a framework for the use of AI: The EU’s AI Act was adopted last May and will be applied gradually until August 2027. AI systems with unacceptable risks, such as those that manipulate people or classify them based on social characteristics, have been banned since February of this year. Starting in August, various obligations will be added for general-purpose AI models, such as technical documentation and compliance with copyright. Most of the requirements affecting banks and insurers will not be applied until August 2026 or August 2027. These include, for example, the obligation to disclose when humans are interacting with AI systems such as chatbots and particular diligence in the selection of training data for high-risk AI. Nevertheless, financial companies should be mindful not to put the matter off. After all, they are already introducing many AI systems that will later be subject to the provisions of the EU Artificial Intelligence Act. Violations can result in severe fines. They should pay particular attention to data protection, now that the European Data Protection Board (EDPB) has clarified under which conditions a “legitimate interest” can be considered as the basis for the processing of personal data by AI.
  • SEPA Instant Payments simplify the payment process: The EU has a new regulation to accelerate the introduction of real-time transfers. Since January of this year, banks and insurers that have a banking licence and offer payment services must be able to receive instant payments. They must be able to transmit these as from 9 October 2025. There must be no additional cost for real-time transfers, in order to increase their acceptance and put them on an equal footing with traditional SEPA transfers. As it is more difficult to check with real-time transfers whether certain sanctions have been imposed on payers or payees, the regulation also recommends regular, at least daily checks instead of transaction-based checks. Payment service providers must adapt to these changes and the increasing demands on IT infrastructures that instant payments bring.
  • Regulation on accessibility improves access to digital channels: Many websites and apps are difficult to use for older people or people with disabilities. The barriers include low contrast, a lack of alternative text for images, and information that is difficult to understand. The German Accessibility Reinforcement Act is intended to change this. It comes into force on 28 June 2025 and is supplemented by an ordinance that sets out specific requirements for the provision of information and services. Among other things, information must be provided via more than one sensory channel and be presented in an understandable way. Financial companies must adapt their websites, customer portals, and apps accordingly. For banking services, the ordinance also stipulates accessible authentication methods and payment services, which is associated with a number of challenges. This is because many text-based security prompts, QR codes, and captchas are not considered accessible, so alternatives have to be integrated to confirm logins or authorise payments.

“Although fulfilling regulatory requirements only contributes indirectly to a company’s success, it is mandatory. Banks and insurers should not postpone the implementation, but should tackle it quickly,” says Christian Nölke, Principal Consultant at adesso SE, who has been working with AI in the insurance industry for several years. “Experience shows that implementation is more difficult when there is time pressure, resulting in both higher costs and greater risks. With a sufficient time buffer, however, the internal processes can be set up in good time so that they not only meet the requirements, but are also efficient and do not cause excessive administrative work.”

Christian Nölke is Principal Consultant at adesso SE and has been working with AI in the insurance industry for several years. (Source: adesso)
