February 2026 Regulatory Roundup

EBA and AMLA complete handover of AML/CFT mandates

On 1 January 2026, the European Banking Authority (EBA) and the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA) completed the transfer of all AML/CFT mandates and functions from the EBA to AMLA.

The handover concludes the EBA’s stand-alone AML/CFT mandate that began in 2020 and is part of the new EU AML/CFT package which established AMLA at the centre of an integrated, European system of AML/CFT supervision.

Markets In Crypto-Assets Regulation (MICA)

ESMA publishes official translations of the guidelines for the criteria on the assessment of knowledge and competence under MICA

On 28 January 2026, ESMA published official translations of its final guidelines under MICA specifying the criteria for assessing the knowledge and competence of staff at crypto-asset service providers (CASPs).

The guidelines, first published in July 2025, aim to promote greater convergence in the criteria for assessing the knowledge and competence of staff providing advice or information about crypto-assets or related services and their application.

The guidelines will apply from 28 July 2026. Competent authorities must notify ESMA by 28 March 2026 whether they comply or intend to comply with guidelines or, where relevant, provide ESMA with their reasons for non-compliance. CASPs are not required to report on whether they comply.

UCITS and AIFMD

ESMA report on marketing requirements on cross-border distribution of funds

On 6 January 2026, ESMA published its third report on marketing requirements and marketing communications under the regulation on cross‑border distribution of funds.

Drawing on data submitted by national competent authorities, ESMA confirms that there have been no significant changes to national marketing rules since its previous 2023 report. The report now incorporates, for the first time, statistics on cross‑border fund marketing notifications. The new statistical insights show that Luxembourg and Ireland remain the dominant jurisdictions for notifying cross‑border fund marketing activity, representing 59% and 30% of notifications, respectively. UCITS account for the majority of notifications (56%), with AIFs comprising the remaining 44%.

Money market funds

ESMA final updated guidelines on stress test scenarios under MMF Regulation

On 13 January 2026, ESMA published its final report with guidelines on stress test scenarios under the Money Market Funds Regulation (MMF Regulation).

ESMA updates these guidelines at least annually. These new guidelines follow the previous version published in January 2025, along with their official translations in February 2025. This report sets out revised stress test scenarios and risk parameters to ensure that MMF managers have the necessary information to complete the reporting template required under Article 37 of the MMF Regulation and Commission Implementing Regulation (EU) 2018/708.

Once the official translations of the guidelines are published on ESMA’s website, national competent authorities will have two months to confirm whether they will comply, after which the updated guidelines, including the new 2025 parameters, will apply. From that point, MMF managers must report results based on the new parameters in their quarterly submissions; until then, they should continue using the parameters set out in the 2024 guidelines.

Taxonomy

Delegated regulation to simplify EU taxonomy reporting and screening criteria published in Official Journal

On 8 January 2026, Commission Delegated Regulation 2026/73 was published in the Official Journal of the European Union.

The Delegated Regulation, adopted on 4 July, amends Delegated Regulation (EU) 2021/2178 to simplify reporting requirements for environmentally sustainable activities under the EU Taxonomy Regulation.

It also amends Delegated Regulations 2021/2139 and 2023/2486 to simplify certain technical screening criteria for determining whether economic activities cause no significant harm to environmental objectives. These include materiality-based exemptions, reduced and simplified key performance indicators and streamlined reporting templates.

The Regulation enters into force on the twentieth day following publication in the Official Journal, applying from 1 January 2026. Undertakings may, however, apply Delegated Regulations (EU) 2021/2178, (EU) 2021/2139 and (EU) 2023/2486 as applicable on 31 December 2025 for the financial year that starts between 1 January and 31 December 2025. 

Sustainable Finance

ESAs publish joint Guidelines on ESG stress testing

On 8 January 2026, the European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) published their Joint Guidelines on environmental, social, and governance (ESG) stress testing.

These Guidelines provide national insurance and banking supervisors with clear guidance on how to integrate ESG risks into supervisory stress tests, both when using established frameworks and when conducting complementary assessments of ESG risk impacts.

The Guidelines set common standards for embedding ESG risks into stress testing methodologies across the EU’s financial system. They provide guidance on designing ESG-inclusive stress tests and outline the necessary organisational and governance arrangements.

The Guidelines are designed to support a consistent, long-term approach to ESG stress testing while allowing flexibility to accommodate future methodological advances and improvements in data availability. Importantly, they do not introduce new requirements for competent authorities to carry out ESG-focused supervisory stress tests.

The Guidelines will be subject to a ‘comply or explain’ procedure by the National Competent Authorities and will be translated into all the official languages of the EU in the first quarter of 2026.

ESMA promotes clarity in communications on ESG strategies

On 14 January 2026, ESMA published a second thematic note on sustainability-related claims, focusing on ESG strategies.

The note concentrates on ESG integration and ESG exclusions, as references to these strategies are often made by market participants and widely referenced in marketing communications directed to retail investors.

ESG integration and ESG exclusions can mean different things to different market participants. Lack of transparency when using these terms poses a notable greenwashing risk to investors. The aim of the note is not to define these strategies, but to call on market participants to be clear about what they mean when referencing them.

Similarly to the first thematic note on ESG credentials, this publication offers practical do’s and don’ts for making sustainability claims. These are illustrated through concrete examples of good and poor practices that are based on observed market practices.

ESG Ratings Activities Regulation

European Commission consults on draft Delegated Regulations supplementing the ESG Rating Regulation

On 20 January 2026, the European Commission published two draft Delegated Regulations (dated 16 October 2025) supplementing Regulation (EU) 2024/3005, the environmental, social and governance (ESG) Rating Regulation, on the transparency and integrity of ESG rating activities.

The first draft Delegated Regulation concerns the supervisory fees to be charged by ESMA. The second draft Delegated Regulation establishes the procedural framework for ESMA’s imposition of fines and periodic penalty payments on ESG rating providers.

The deadline for feedback on both draft Delegated Regulations is 13 February 2026. The European Commission expects to adopt both Delegated Regulations during Q1 2026.

ESMA

ESMA publishes Principles for risk-based supervision

On 9 January 2026, ESMA published its principles for risk-based supervision. These principles support a common and effective EU-wide supervisory culture and strengthen the EU single market.

The principles on risk-based supervision outline key concepts and foundational elements for use by ESMA and National Competent Authorities (NCAs), and provide a structured framework for identifying, assessing, prioritising and addressing risks. They are designed to support a supervisory framework that is consistent, proportionate, and effective across the Union.

A risk-based approach is the cornerstone of EU securities markets supervision, allowing regulators to focus on and address risks that pose the greatest threats to investor protection, financial stability, and orderly markets. Risk-based supervision is also one of ESMA’s flagship projects supporting the simplification and burden reduction agenda, through its contribution to boosting supervisory efficiency and value.

ESMA and NCAs will work together to advance the implementation of effective risk-based supervision and foster high quality supervisory outcomes for market participants.

ESMA’s Digital and Data strategies support supervision of EU financial markets

On 13 January 2026, ESMA adopted a new Digital Strategy and updated its Data Strategy.

They reflect ESMA’s commitment to smarter regulatory reporting and technology-driven supervision, promote synergies and innovation while reducing unnecessary complexity.

The digital strategy aims to continue ESMA’s digital transformation, while the Data Strategy update is oriented to capitalise on opportunities to simplify, better integrate and streamline data management and technology.

The new Digital Strategy 2026–2028 sets out a roadmap for innovation, efficiency, and resilience. The key objectives include:

• Building EU digital synergies
• Enhancing digital capabilities of ESMA and the European System of Financial Supervision (ESFS)
• Bolstering operational efficiency
• Establishing a secure and future-ready ecosystem.

The Data Strategy 2023–2028 has been updated to reflect the focus on burden reduction, the evolving technological landscape, and ESMA’s desire for unlocking efficiency opportunities. While its key objectives remain the same, the key new actions include:

• Flagship initiatives related to streamlining supervisory reporting, relating to transaction data and in the funds domain
• Expanding the capacity of the ESMA Data Platform to benefit national and European authorities
• Implementing next phases of the MICA joint supervisory tool for crypto-market monitoring
• Finalising the development of the European Single Access Point (ESAP).

These goals are in line with ESMA’s wider simplification and burden reduction initiative launched last year.

With the alignment of both the digital and data strategies, ESMA ensures that innovation and technology translate into tangible benefits for stakeholders, with more possibilities for synergies and digital transformation across ESMA and the ESFS at large.

ESMA’s Data and Digital work will be guided by the roadmaps under both strategies. By 2029, ESMA expects to converge the two into one unified strategy.

Consultation Paper CP-01-2026: Consultation Paper on amending the fees payable by Investment Firms and Market Operators

On 12 January 2026, CySEC published Consultation Paper CP-01-2026 proposing amendments regarding the fees payable by entities operating under the Investment Services and Activities and Regulated Markets Law (‘L. 87(I)/2017’).

This consultation paper concerns the Cyprus Investment Firms within the meaning of L. 87(I)/2017, operators of Regulated Markets of the Republic, as well as branches established in the Republic of Investment Firms from other Member States and from third countries to the extent that they are subject to CySEC oversight.

The proposed amendments concern the annual fees payable by, as well as the fees for assessing/ processing the applications submitted to CySEC and the information notified post authorisation.

Responses are due by 13 February 2026 and must be submitted by email to policy@cysec.gov.cy using the format outlined in the consultation.

Consultation Paper CP-02-2026: Consultation Paper on the fees and charges for PRIIPs Regulation

On 12 January 2026, CySEC has published Consultation Paper CP-02-2026 ) to seek for the views of interested parties, in relation to the fees and charges for the entities falling under Regulation (EU) 1286/2014 on key information documents for packaged retail and insurance-based investment products (‘PRIIPS’).

This consultation concerns all entities supervised by CySEC that fall within the scope of Regulation (EU) 1286/2014 on Packaged Retail and Insurance-based Investment Products (PRIIPs), namely PRIIP manufacturers as well as persons providing investment advice on, or selling, PRIIPs.

Key proposals include:

• Annual fee of €8,000 for PRIIP manufacturers.
• Annual fee of €4,000 for persons providing advice on, or selling, PRIIPs.
• Fees are cumulative for entities performing both roles.
• Fees to be paid annually by 30 November, based on self-categorisation submitted to CySEC between 1–15 September each year.
• In case of licence grant or withdrawal during the year, fees will be applied pro rata.

CySEC invites regulated entities to respond to the Consultation by 13 February 2026.

Circular C750: AMLA’s consultation on the draft ITS under article 15(3) AMLAR

On 13 January 2026, CySEC issued Circular C750 through which informed the Regulated Entities that the Anti-Money Laundering Authority (the ‘AMLA’) has launched a public consultation in regard to the Draft Implementing Technical Standards (the ‘ITS’) on cooperation within the AML/CFT supervisory system for the purposes of direct supervision under article 15(3) of Regulation (EU) 2024/1620 (AMLA Regulation, the ‘AMLR’).

Comments to the Consultation Paper can be sent by following the ‘RESPONSE’ link on the AMLA’s consultation page. The deadline for the submission of comments is 27 January 2026.

The CySEC encourages the Regulated Entities to respond to the said consultation paper.

Circular C751: Digital Operational Resilience Act – Reporting, Governance and Portal-related obligations

On 19 January 2026 CySEC issued Circular 751 to provide guidance to Regulated Entities in relation to certain obligations under the Digital Operational Resilience Act (the DORA), which are:

A. Major ICT- Related Incident Reporting:

CySEC has identified deficiencies in the manner in which Regulated Entities classify and report ICT-related incidents. In this respect, CySEC requires Regulated Entities to carefully consult Commission Delegated Regulation 2024/1772 on the criteria of the classification of ICT-related incidents and cyber threats, and to take into consideration the diagram included in the Annex thereto, in order to ensure that major ICT-related incidents are correctly classified and reported to CySEC promptly upon detection.

B. Register of Information – Submission format

Regulated Entities are required to submit the Register of Information in XBRL-CSV format, as communicated in Circular C719, since the “Build in Excel” file is no longer accepted via the XBRL Portal.

Furthermore, Regulated Entities must use XBRL-compatible software that supports mapping and validation against EBA rules and enables the generation of fully compliant XBRL files. Once completed, the XBRL files should be compressed (zipped) and submitted via the CySEC XBRL Portal.

The Register of Information must be submitted to CySEC on an annual basis, by 28 February each year, with the reference date being 31 December of the preceding year.

C. ICT risk management framework

Article 6 of DORA sets out the requirements for Regulated Entities to establish, implement, and maintain a well-documented ICT risk management framework that enables effective and continuous management of ICT risks. CySEC highlights the following requirements pursuant to Article 6:

• Regulated entities, other than microenterprises, should assign responsibility for managing and overseeing ICT risk to a dedicated control function with sufficient independence to avoid conflicts of interest. Regulated Entities should ensure appropriate segregation and independence between ICT risk management functions, control functions and internal audit functions, in accordance with the three lines of defence model, or an equivalent internal risk management and control framework.
• The ICT risk management framework should be documented and reviewed at least once a year, or periodically in the case of microenterprises, as well as upon the occurrence of major ICT-related incidents, following supervisory instructions or following conclusions derived from relevant digital operational resilience testing or audit processes. A report on the review of the ICT risk management framework shall be submitted to CySEC upon request.
• The ICT risk management framework of regulated entities, other than microenterprises, shall be subject to internal audit by auditors on a regular basis in line with the financial entities’ audit plan. Those auditors shall possess sufficient knowledge, skills and expertise in ICT risk, and shall operate with an appropriate level of independence. The frequency and scope of ICT audits shall be commensurate to the ICT risk profile of the financial entity.
• Based on the conclusions of the internal audit review, Regulated Entities shall establish a formal follow-up process, including procedures for the timely verification and remediation of critical ICT audit findings.
• Small and non-interconnected (Class 3) investment firms are subject to a simplified ICT risk management framework, in line with the principle of proportionality indicated in Title III of Commission Delegated Regulation (EU) 2024/1774.

D. Information on CySEC Portal

Regulated Entities, other than microenterprises, are required to designate in the CySEC Portal:

• The ICT auditor responsible for the internal audit of the ICT risk management framework as per Article 6(6) of DORA. This should be completed under the Auditors section, including the details of the legal entity or individual and selecting the “Is ICT” option.
• The person responsible for the control function entrusted with the management and oversight of ICT risk as per Article 6(4) of DORA.

For any queries, Regulated Entities may contact CySEC in writing via email at prudential@cysec.gov.cy.

Circular C752: ESMA publication of thematic notes on clear, fair & not misleading sustainability-related claims – Second Note: ESG Strategies

On 21 January 2026 CySEC issued Circular C752, to inform the Regulated Entities in relation to ESMA’s publication of the Second Thematic Note on clear, fair & not misleading sustainability-related claims (‘the Thematic Note’).

Kindly note that the Thematic Note was published on January 14, 2026, focusing on ESG strategies, most notably ESG integration and ESG Exclusions.

CySEC urges the Regulated Entities to ensure they remain updated regarding the publication of such Thematic Notes and expects that the guidance provided in the Thematic Notes is considered when complying with their relevant ESG obligations.

Circular C753: CySEC survey on the benefits arising in the Cypriot Economy from CySEC’s Supervised Entities

On 28 January 2026 CySEC issued Circular C753 to inform the Regulated Entities in relation to CySEC’s survey on the benefits arising in the Cypriot Economy from CySEC’s Supervised Entities, conducted by KPMG on an anonymised basis.

The objective of this activity is to quantify the direct economic impact of CySEC regulated entities as well as their economic interconnectedness within the Cyprus economy. The assessment covers the reporting period 1 January – 31 December 2025 and includes:

• Direct impact: Economic impact that results from the revenue and expenditure generated by the entities in the supervisory/registration remit of CySEC.
• Indirect impact: Economic impact that results from added expenditure on purchases of goods and services of CySEC supervised/registered entities’ supply chain
• Induced impact: Economic impact that is generated when employees of either CySEC supervised/registered entities or from their supply chain spend their income on goods and services.

This online questionnaire is addressed to all entities under CySEC’s supervision remit, that were authorised as at 31 of December 2025 and to all entities that were registered with CySEC and were operational as of 31st of December 2025. Participating regulated/registered entities are expected to complete the online questionnaire and submit it, by 27 of February 2026, at the latest. Responses must cover Cyprus operations only and may be based on management accounts or audited financial statements, with all figures reported in EUR (excluding VAT).

Moreover, respondent entities should:

• Review the PDF version of the questionnaire prior to submission (Appendix of the Circular).
• Use the English language for all responses.
• Submit the questionnaire via the online platform, ensuring their Microsoft account is used to enable editing or re-submission.
• Contact CySEC at survey@cysec.gov.cy for any clarifications.

Entities may access and complete the online questionnaire for completion here.

The collected data will be kept strictly confidential, used only for the stated economic impact study, and processed in line with GDPR and applicable data protection laws.

Directive DI87-12: On the Supplementary Supervision of Investment Firms, Asset Management Companies and Alternative Investment Fund Managers that form part of a Financial Conglomerate of Mixed Activities (Amending) Directive of 2026

On 30 January 2026, CySEC published a policy directive proposing amendments to the CySEC Financial Conglomerates Directive (DI87-12). The purpose of the amendments is to align Cyprus’s national framework with EU digital data access requirements, specifically by transposing the relevant provisions of Directive (EU) 2023/2864.

The key objective of the update is to ensure that certain regulatory disclosures made by investment firms, asset management companies, and alternative investment fund managers (AIFMs) that are part of a financial conglomerate are made available through the European Single Access Point (ESAP), the EU’s centralised digital gateway for financial and sustainability information.

The amendment enhances the visibility and accessibility of key regulatory and financial information by aligning national disclosure practices with EU law, contributing to increased transparency and comparability across Member States. Integration with ESAP is intended to improve investor access to information and facilitate regulatory oversight across the EU’s single market.