December 2025 Regulatory Roundup

Anti-money laundering and counter-terrorist

Commission adds Russia to list of high-risk jurisdictions to strengthen international fight against financial crime

On 3 December 2025, the European Commission listed Russia as a high-risk country with strategic deficiencies in its anti-money laundering and counter-terrorist financing frameworks (AML/CFT).

On 8 July 2025, the Commission adopted Delegated Regulation (EU) 2025/1393. This Regulation committed the Commission to conclude, by the end of 2025, a review of third countries not listed by the Financial Action Task Force (FATF), but whose membership is suspended. The aim is to assess the need for amending the EU AML list based on this review. As Russia falls under the scope of this Delegated Regulation, the Commission conducted a technical assessment using well-defined methodologies and incorporating information collected from public sources, Member States’ competent authorities and the European External Action Service. This assessment concluded that Russia meets the criteria to be designated as a high-risk third country.

In accordance with the 4th Anti-money Laundering Directive (4AMLD) the Commission is therefore taking action to preserve the integrity of the EU financial system, by adding Russia to its list of high-risk jurisdictions presenting strategic deficiencies in their national AML/CFT regimes. EU entities covered by the AML framework are required to apply enhanced vigilance in transactions involving these jurisdictions.

The delegated regulation will enter into force after scrutiny and non-objection of the European Parliament and the Council within a period of one month. This can be prolonged for another month. The Commission will monitor the progress of all listed countries and will continue to follow relevant developments.

European Commission updates list of high-risk countries to strengthen international fight against financial crime

On 4 December 2025, the European Commission has updated its list of high-risk jurisdictions presenting strategic deficiencies in their national anti-money laundering and countering the financing of terrorism (AML/CFT) regimes. This update follows the  decisions taken at the  Financial Action Task Force (FATF) and its list of ‘Jurisdictions under Increased Monitoring’ (‘grey list’), following the Plenaries of June and October 2025.

EU entities covered by the AML framework are required to apply enhanced vigilance in transactions involving the listed countries. This is important to protect the integrity of the EU financial system

The EU has added new third-country jurisdictions to the list (Bolivia and the British Virgin Islands) and delisted a number of others (Burkina Faso, Mali, Mozambique, Nigeria, South Africa and Tanzania). 

As a founding member of the FATF, the Commission is closely involved in monitoring the progress of the listed jurisdictions, helping them to fully implement their respective action plans agreed with the FAFT. Alignment with the FATF is important for upholding the EU´s commitment to promoting and implementing global standards. 

Article 9 of the fourth Anti-money Laundering Directive requires the Commission to regularly update the list of high-risk third-country jurisdictions. The update of the list takes the legal form of a delegated regulation, which will enter into force after scrutiny and non-objection of the European Parliament and the Council within a period of one month (which can be prolonged for another month). 

Digital Operational Resilience Act (DORA)

ESAs designate critical ICT third-party providers under DORA

On 18 November 2025, the European Supervisory Authorities (EBA, EIOPA, and ESMA – the ESAs) publish the list of designated critical ICT third-party providers (CTPPs) DORA. This designation marks a crucial step in the implementation of the DORA oversight framework.

The list of the CTPP designated by the ESAs is accessible through this link.

The designation process followed the methodology mandated by DORA. First, the ESAs collected data from the Registers of Information maintained by financial entities, which detail their contractual arrangements for ICT services. Second, the ESAs conducted a detailed criticality assessment in cooperation with the Competent Authorities (CAs) across the EU from the banking, insurance and pensions, and securities and markets sectors. This assessment was carried out in line with the multifaceted criteria set out in DORA, which required a complete evaluation of a provider’s systemic importance, its role in supporting critical or important functions for financial entities, and the level of substitutability of its services. Third, ICT third-party providers assessed as critical were formally notified, after which they benefitted from their right to be heard by providing a reasoned statement. The final designation decisions were adopted following a careful review of all relevant information, ensuring the integrity of the process.

The designated CTPPs provide a range of ICT services (e.g. from core infrastructure to business and data services) to financial entities of all types and sizes across the European Union, reflecting their pivotal role within the financial ecosystem.

The objective of the DORA Oversight Framework, mandated to the ESAs, is to promote the sound management of ICT risk by the critical providers. Through direct oversight engagement, the ESAs will assess whether CTPPs have appropriate risk management and governance frameworks in place to ensure the resilience of the services they deliver to financial entities. This serves to mitigate risks that could impact the operational resilience of the financial sector of the EU.

The ESAs will keep engaging with CTPPs in the course of upcoming examination activities.

UCITS and AIFMD

ESMA finds that distribution costs account for almost half of the total costs paid to invest in UCITS

On 6 November 2025, ESMA published its report on total costs of investing in UCITS and AIFs.

This is the first comprehensive assessment of the total costs charged to investors in EEA investment funds. Notably, the report provides an innovative analysis on distribution costs, which account for 48% of total costs for UCITS. These high costs are primarily driven by the traditional and dominant role of credit institutions and investment firms in the distribution chain across many Member States. In contrast, digital platforms – such as neo-brokers offering execution-only services – are less expensive.

The report also confirms that inducements play a central role for ongoing costs. When there are inducement agreements between the distributor and the manufacturer of a UCITS (non-independent advice), these payments account for up to 45% of the ongoing costs.

This analysis was enabled by an ad-hoc data collection exercise and provides a useful contribution to the ongoing Savings and investments union debate, especially in relation to retail participation.

European Commission adopts two Delegated Regulations under AIFMD and UCITS framework on liquidity management tools

On 17 November 2025, the European Commission adopted two Delegated Regulations: (i) Delegated Regulation supplementing AIFMD and; (ii) Delegated Regulation supplementing UCITS.

These regulations lay down regulatory technical standards (RTS) specifying the characteristics of liquidity management tools (LMTs), following the recent amendments made to AIFMD and UCITS by Directive (EU) 2024/927.

The RTS aim to harmonise the characteristics of LMTs across the EU for open-ended AIFs and UCITS, enhancing investor protection and financial stability. The harmonised list of tools, which are set out in the annexes to the Directives, include: suspension of subscriptions, repurchases and redemptions; redemption gates; extension of notice periods; redemption fees; swing pricing; dual pricing; anti-dilution levy; redemption in kind; and side pockets.

Under the amended Directives, managers must select at least two appropriate LMTs from this list for potential use, considering the fund’s investment strategy, liquidity profile and redemption policy. The Council of the EU and the European Parliament will scrutinise the Delegated Regulations. If neither object, they will enter into force 20 days after publication in the Official Journal of the European Union and apply from 16 April 2026. The RTS also establish a transitional period of application for existing funds constituted before this date.

ESMA identifies measures to further enhance depositary supervision

On 17 November 2025, ESMA published the results of a peer review which assessed the supervision of depositaries, in particular their oversight and safekeeping obligations.

Overall, the peer review found that the foundational frameworks for the supervision of depositaries are in place. However, it also found notable divergences across jurisdictions in terms of the depth and maturity of supervisory approaches. While some National Competent Authorities (NCAs) demonstrated highly developed and granular practices, others displayed areas for improvement.

 In addition, there were several transversal findings, including:

• The need for supervisory engagement to be more frequent and proportionate to the associated risk, given the concentration of depositaries within the markets of the assessed NCAs and their potential systemic significance.
• Concerns regarding the depth and intrusiveness of the supervisory assessments of several NCAs with respect to depositaries entrusting third parties with significant tasks, bearing in mind the obligation of depositaries to perform control-related activities autonomously.

The peer review focused on five jurisdictions: Czechia (CNB), Ireland (CBoI), Italy (Bank of Italy), Luxembourg (CSSF), Sweden (SFSA) and examined the supervisory and enforcement practices of these National Competent Authorities (NCAs) across key areas of depositary business activities.

The objective of peer reviews is to promote consistent and effective supervisory practices across the EU and high-quality supervisory outcomes, as well as to foster a level playing field among NCAs. In that context, the report intends to aid all NCAs in their supervision of depositaries, and it is particularly relevant considering the ongoing discussion on the importance of the investment management sector to European capital markets.

ESMA will continue promoting further discussion on the supervision of depositaries and will follow up on the recommendations in the report in due course.

Sustainable Finance Disclosure Regulation

ESAs update Q&As on SFDR

On 4 November 2025, the Joint Committee of the European Supervisory Authorities (ESAs) published an updated version of its consolidated Q&A on SFDR and the SFDR Delegated Regulation (Commission Delegated Regulation (EU) 2022/1288).

A new Q&A has been added clarifying the requirements under Article 6(2) of the SFDR Delegated Regulation concerning principal adverse impact (PAI) disclosures.

European Commission adopts a proposal to amend SFDR simplifying transparency rules for sustainable financial products

On 20 November 2025, the European Commission adopted a proposal for a regulation to amend SFDR.

SFDR, which has been in application since March 2021, sets detailed sustainability disclosure requirements for financial intermediaries and financial products regarding consideration of environmental, social, and governance (ESG) factors. The proposed amendments are aimed at simplifying the framework and making disclosures more retail friendly. An European Commission review found that the current regime produces lengthy, complex disclosures that hinder investor understanding and comparability.

Key elements of the proposal include: (i) removing entity-level disclosure requirements on principal adverse impacts and reducing product-level requirements; (ii) introducing a new clear categorisation system comprising of three product categories for ESG claims, based on existing market practice and the latest regulatory guidance; and (iii) repealing Commission Delegated Regulation (EU) 2022/1288  supplementing the SFDR, to remove the complex templates and entity-level requirements under it. The European Commission proposal will now be submitted to the European Parliament and Council of the EU for their deliberation.

Taxonomy

European Commission call for evidence on proposed amendments to Taxonomy Delegated Acts

On 6 November 2025, the European Commission published calls for evidence on proposals to amend two Delegated Regulations: the Taxonomy Climate Delegated Act and the Taxonomy Environmental Delegated Act.

The Taxonomy Climate and Environmental Delegated Acts, adopted respectively in 2021 and 2023, specify the technical screening criteria for activities contributing to the six EU climate and environmental objectives including climate change mitigation, climate change adaptation, sustainable use and protection of water and marine resources, circular economy, pollution prevention and control and biodiversity. The proposed amendments aim to simplify, clarify and enhance usability of these criteria. This initiative forms part of the European Commission’s broader effort to reduce reporting burdens for companies and support sustainable finance through clearer and more proportionate rules.

The deadline for comments on both proposals was 5 December 2025.

European Commission Market integration package

On 4 December, the European Commission published a Communication to the European Parliament, the European Council, the Council, the European Central Bank, the European Economic and Social Committee and the Committee of the Regions on further development of capital market integration and supervision within the Union, announcing a set of major legislative reforms.

The package seeks to address obstacles to innovation and barriers to integration resulting from divergent rules, duplicative requirements and inconsistent supervision. The European Commission proposes a suite of amendments to key EU financial services and capital markets legislation in a package described as a central component of the savings and investments union (SIU), specifically a:

• Regulation which will amend: (i) the European Securities and Markets Authority (ESMA) Regulation; (ii) the European Markets Infrastructure Regulation (EMIR); (iii) the Markets in Financial Instruments Regulation (MIFIR); (iv) the Central Securities Depositories Regulation (CSDR); (v) the Distributed Ledger technology Pilot Regulation (DLTPR); (vi) the Markets in crypto asset Regulation (MICAR); and (vi) the Cross-Border Distribution of Funds Regulation (CBDR). It also includes targeted amendments, in line with the changes proposed to the ESMA regulation aimed at making EU supervision more efficient, to: (a) the Central Counterparties Recovery and Resolution Regulation (CCPRRR); (b) the Securities Financing Transactions Regulation (SFTR); (c) the Credit Ratings Agency Regulation (CRAR); (d) the Benchmark Regulation (BMR); (e) the simple, transparent and standardised (STS) securitisation Regulation; (f) the European Green Bond Regulation (EuGB Regulation); (g) the Environmental, Social and Governance (ESG) rating Regulation.
• Directive which will amend: (i) the Undertakings for Collective Investment in Transferable Securities (UCITS) Directive; (ii) the Alternative Investment Fund Managers Directive (AIFMD); and (iii) the Markets in Financial Instruments Directive (MIFID).
• Regulation replacing the Settlement Finality Directive and amending the Financial Collateral Directive (FCD).

The proposed changes relate to: 

• Supervision: Transferring direct supervision of significant trading venues, CCPs, CSDs, and all crypto asset service providers to ESMA, strengthening supervisory convergence tools, and introducing a new Executive Board for impartial EU-level decisions.
• Market integration: Removing barriers to cross-border trading and settlement, streamlining passporting for funds and infrastructure, and introducing an optional Pan-European Market Operator license to simplify operations across Member States.
• Simplification: Converting directives into directly applicable regulations, reducing gold-plating and duplicative requirements, and harmonising authorisation and reporting processes to cut compliance costs and improve legal certainty.
• Innovation: Modernising rules to support Distributed Ledger Technology (DLT), expand the scope and flexibility of the DLT Pilot Regime, and ensure technological neutrality in settlement and collateral frameworks to foster digital finance.

The proposals must now be reviewed, negotiated and approved by the European Parliament and the Council.

Announcement: ESAs F’nP Registry & Changes in submission of applications / notifications

On 04 November 2025, CySEC issued an announcement to inform public that on the 20th of November 2024, the European Supervisory Authorities (EBA, EIOPA, ESMA – the “ESAs”) have published Joint Guidelines on the system established by the ESAs for the exchange of information relevant to the assessment of the fitness and propriety of holders of qualifying holdings, directors and key function holders of financial institutions and financial market participants by competent authorities (the “Joint Guidelines”).

The joint Guidelines aim at establishing consistent, efficient and effective supervisory practices within the European System of Financial Supervision, and at ensuring the common, uniform and consistent application of Union law with regard to the use of the system established by the ESAs. The Joint Guidelines can be found on ESMA’s website.  CySEC has fully adopted the content of the Joint Guidelines and for this purpose has:

• amended all of its application forms to reflect the adoption of the Guidelines, and
• published a new Form which must accompany all applications/notifications submitted to CySEC from the date of this announcement onwards (Form FnP00-001).

Circular C737: EU Council’s Restrictive Measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine – 19th package

On 7 November 2025, the Cyprus Securities and Exchange Commission (CySEC) issued Circular C737 drawing the attention of Regulated Entities to the 19th package of EU Restrictive Measures against Russia, adopted by the European Council on 23 October 2025.

CySEC wishes to draw the attention of the Regulated Entities to the inclusion of the definitions of ‘owning’ and ‘controlling’ a legal person, entity or body in Article 1 of Regulation (EU) 269/2014. While the EU Commission has previously provided guidance and best practices on the concepts of ownership and control, the definitions are now set out explicitly in the said regulation. The definitions of ‘owning’ and ‘controlling’ a legal person, entity or body are included in Regulation (EU) 2025/2037 (which amends Regulation (EU) 269/2014).

CySEC further wishes to draw the attention of the Regulated Entities to the amended paragraph 2 of Article 5b and new Article 5ah of Regulation (EU) 833/2014, via Regulation (EU) 2025/2033.

In relation to the amended paragraph 2 of Article 5b, it is prohibited to provide, directly or indirectly, crypto-asset services, issuing of payment instruments, acquiring of payment transactions or payment initiation services, and issuing of electronic money to Russian nationals or natural persons residing in Russia, or to legal persons, entities or bodies established in Russia. It is further noted that the same prohibition is also applicable for Belarusian nationals or natural persons residing in Belarus, or to legal persons, entities or bodies established in Belarus, through the amended Article 1u(2) of Regulation (EC) No 765/2006, via Regulation (EU) 2025/2041.

Regarding the introduction of Article 5ah, paragraph 1 prohibits the acquisition of any new or the extension of any existing participation in ownership or control of any legal person, entity or body which is registered as a resident of, or whose registered office, principal place of business, or permanent establishment is located within, the special economic, innovation or preferential zones of the Russian Federation listed in Part A or B of Annex LII. It furthers prohibits the creation of any new joint venture, branch, or representative office, or enter into any new contract or arrangement for the supply of goods or services, or of related intellectual property rights or trade secrets to, from, or for use in these special economic zones. Paragraph 2 further prohibits, as of 25 January 2026, the maintenance of the above existing arrangements, while paragraph 3(b) prohibits the provision of investment services directly related to the activities referred above. Paragraph 4 states that the above prohibitions are also applicable to any legal person, entity or body outside the special economic, innovation or preferential zones listed in Annex LII that is owned or controlled by a legal person, entity or body referred to in paragraphs 1 or 2.

The Regulated Entities, which have business relationships that are affected by the prohibitions of paragraph 2 of Article 5ah, are requested to inform CySEC within one month, at the latest, at the email address eu.sanctions@cysec.gov.cy, by providing data/information of the affected business relationships and the applicable actions/measures taken or intended to be taken by the Regulated Entity for compliance with paragraph 2 of Article 5ah.

CySEC urges Regulated Entities to review and implement all applicable restrictive measures introduced under the 19th package, in line with EU Best Practices and Commission Consolidated FAQs.