Looking back
Which regulations have recently come into force?
- As of 1 January 2026, the revised European Benchmark Regulation (BMR) has come into effect. With this revision, non-significant benchmarks are no longer in scope of the BMR, meaning that approximately 95% of benchmarks are excluded. Key benchmarks that remain in scope include EURIBOR and EU climate benchmarks.
- On 1 January 2026, the Dutch Anti-Money Laundering Action Plan Act came into force, with the exception of the obligation to accept cash payments under €3,000. This requirement will only take effect once the decree outlining exceptions has been finalised. The Act enables, among other things, increased joint transaction monitoring by banks.
- On 9 and 29 January 2026, new regulations came into force updating the list of high-risk countries. As a result, Russia, Bolivia and the British Virgin Islands have been added to the list of countries with increased money laundering risk, while Burkina Faso, Mali, Mozambique, Nigeria, South Africa and Tanzania have been removed.
In this article, we will cover the following developments:
The Digital Omnibus proposal
On 19 November 2025, the European Commission introduced the Digital Omnibus package, aimed at simplifying the EU’s digital regulatory framework.
This initiative forms part of the broader policy agenda for “a simpler and faster Europe”. It introduces targeted technical amendments to existing digital regulations to reduce administrative burden, clarify overlaps between rules, and simplify the application of legislation across Europe.
The package includes, among others, changes to GDPR, incident reporting requirements, and the AI Act.
Amendments to GDPR
The European Commission proposes several adjustments to GDPR to make the rules clearer and reduce administrative burden, without lowering the level of protection.
A first set of changes clarifies when GDPR applies. For example, data that an organisation cannot use to identify an individual will no longer be considered personal data for that organisation. Limited exceptions will also be introduced for processing sensitive data, such as facial recognition for identity verification (where the individual remains in control), or when sensitive data is unintentionally included in AI training datasets.
A second set of changes makes existing obligations more practical. Organisations will no longer need to actively inform individuals about data use if it can reasonably be assumed they are already aware and there is no high risk. Excessive or clearly abusive data access requests may be refused or charged. The data breach notification period will be extended from 72 to 96 hours, and reporting to authorities will only be required where there is a high risk to individuals.
Finally, rules on Data Protection Impact Assessments (DPIAs) will be harmonised across Europe, reducing fragmentation for organisations operating in multiple countries. Cookie rules will also be integrated directly into GDPR, including the option for users to manage preferences via browser settings.
Changes to incident reporting
The European Commission aims to simplify incident reporting (such as data breaches or IT disruptions).
Currently, organisations often need to report the same incident multiple times to different authorities, using different formats. The proposed solution: one single reporting point.
Organisations will submit one report, which is then automatically shared with all relevant authorities. While the reporting obligations themselves remain unchanged, the process becomes significantly more efficient.
This applies across multiple EU regulations, including DORA and GDPR. The Commission also plans to harmonise reporting formats using standard templates, largely based on existing DORA frameworks.
For compliance and legal teams, this reduces duplication, but requires preparation: internal processes will need to be aligned with the new central system once implemented.
Amendments to the AI Act
The European Commission aims to make the AI Act more practical without lowering protection standards.
Key simplifications include:
- Responsibility for AI literacy shifts from companies to governments
- SMEs gain access to simplified documentation requirements
- AI systems deemed not high-risk no longer need to be registered
For high-risk AI systems, compliance deadlines will be linked to the availability of EU standards, with final deadlines set for December 2027 and August 2028. Existing systems do not need immediate updates unless significantly modified.
Additionally, more room is created for real-world testing through a new EU-wide testing platform under supervision of the AI Office.
Revision of PSD2 (PSD3 & PSR)
In November 2025, the Council and European Parliament reached a provisional agreement on PSD3 and the Payment Services Regulation (PSR). Final texts were expected in Q1 2026 but have not yet been published.
A large part of the agreement focuses on combating fraud and protecting consumers. Central to this is tackling so-called authorised push payment (APP) fraud, in which victims themselves approve a payment to a fraudster—often following spoofing, where the fraudster impersonates a bank employee. Under the new rules, payment service providers must reimburse losses resulting from spoofing within fifteen working days, unless the consumer demonstrably acted with gross negligence. The already familiar IBAN name check will be extended to cover more types of payments, and payment service providers will be required to share fraud data among themselves. Those who fail to comply with these measures will be liable for the losses incurred.
A notable new element, not included in earlier draft proposals, is an obligation for large online platforms such as Googleto no longer display advertisements from unlicensed payment service providers. If they fail to do so and a consumer suffers losses via such an advertisement, the platform may be held liable for the costs.
Furthermore, consumers will be better protected through mandatory cost transparency at cash machines, improved access to cash in non-urban areas, and an obligation for retailers to display recognisable trading names on payment statements. In the area of open banking, technical barriers must be removed to enable open banking providers to compete more effectively with banks.
Although the agreement already provides significant direction, the final texts will remain decisive. A number of topics that featured prominently in earlier proposals are not mentioned in the announcement. Whether these points will be reintroduced will become clear once the final texts are published.
SFDR 2.0
In November 2025, the European Commission published a major revision of the Sustainable Finance Disclosure Regulation (SFDR), affecting both scope and product classification.
Revised scope
The SFDR will apply only to parties that create, manage or offer financial products (such as asset managers, insurers and pension funds). Investment advice and discretionary portfolio management are excluded but remain subject to other regulations like MiFID II.
New product categories
The current Article 8 and 9 classifications will be replaced by three categories:
- Sustainable (Art. 9)
- Transition (Art. 7)
- ESG Basics (Art. 8)
For all three, at least 70% of the investments must be aligned with the product’s sustainability strategy. In addition, the proposal explicitly recognises impact investing for products aimed at achieving measurable social or environmental outcomes. EU-wide exclusions apply to all categories, such as controversial weapons, tobacco production, and serious breaches of international standards. The Sustainable category is subject to the strictest set of exclusions.
Simplification of reporting and claims
Reporting requirements are being eased on several fronts: shorter pre-contractual documents, fewer indicators, and standardised website requirements. The mandatory PAI reporting at entity level (Article 4 SFDR) will be abolished, partly because this information is already covered under the CSRD.
Reporting on alignment with the EU Taxonomy will also no longer be mandatory. However, products with at least 15% taxonomy-aligned assets will automatically meet the 70% threshold. Only products that fall within one of the three categories may use sustainability-related claims in their name.
No general transitional period has been предусмотрed. Only pension products and insurance-based investment products will be granted an additional 12 months for implementation. Existing closed-end funds that no longer accept new investments fall outside the scope.
The exact date of entry into force is not yet known, as the proposal still needs to be approved by the European Parliament and the Council.
Looking ahead
What other upcoming legislation and regulation should you take into account?
In our next Regulatory Update article, we will explore developments such as:
- Retail Investment Strategy
- International Sanctions Act
- Guidelines on the suitability assessment of members of the management body and key function holders
Request a Regulatory Update
We hope this article has provided you with a clear overview of recent developments. As legislation and regulation are constantly evolving, you will want to ensure that nothing is overlooked. We therefore invite you to request a tailored Regulatory Update (available in both Dutch and English).
With this quarterly report, you will receive a clear overview of current developments, upcoming legislative changes, and relevant publications and consultations – fully tailored to your organisation and activities. Our experienced consultants will guide you through the key points, answer your questions on the interpretation of legislation, and support you in determining next steps and practical implementation. If desired, they can work with you to develop a concrete action plan for updating policies and procedures.
This ensures you remain well prepared for new regulation and maintain control over its impact on your organisation.
