Regulatory Update: areas of focus for Q2 2026 for financial institutions

Revised European Benchmarks Regulation

The revised BMR is now in force. The most significant change: non-significant benchmarks are no longer within scope of the regulation, meaning 95% of all benchmarks now fall outside it. Benchmarks that remain in scope include EURIBOR and EU climate benchmarks.

Anti-Money Laundering Action Plan Act enters into force

The Act has come into effect, with one exception: the obligation to accept cash payments below €3,000 will follow at a later date, once the accompanying decision on exceptions is finalised. Among other things, the Act enables banks to carry out joint transaction monitoring.

High-risk country list updated

Two regulations entered into force on 9 and 29 January 2026, amending the list of high-risk countries.

• Added: Russia, Bolivia and the British Virgin Islands
• Removed: Burkina Faso, Mali, Mozambique, Nigeria, South Africa and Tanzania

GDPR: greater clarity, less administrative burden

When does the GDPR apply?

The proposal clarifies that data which an organisation itself cannot link to an individual does not constitute personal data for that organisation. Additionally, limited exceptions are introduced for processing sensitive data, for instance in cases such as:

• Facial recognition for identity verification, where the data subject retains control
• Training AI systems where sensitive data ends up in a dataset unintentionally

Practical reliefs

• The obligation to inform individuals about data processing is lifted where it can reasonably be assumed that they are already aware of the processing and no high risk is involved
• Organisations are given more scope to refuse or charge for requests that are excessive or clearly abusive
• The breach notification deadline is extended from 72 to 96 hours
• A data breach only needs to be reported to the supervisory authority if it also poses a high risk to individuals, aligning the threshold for both notification obligations

DPIA’s and cookies

The rules on privacy impact assessments (DPIAs) will be harmonised at European level, so organisations operating across multiple countries no longer face diverging national lists. Cookie rules will henceforth be incorporated directly into the GDPR, including the option for users to set their preferences automatically via browser settings.

Incident reporting: a single point of entry replaces multiple channels

Currently, organisations are often required to report the same incident to multiple supervisory authorities, through different channels and in varying formats. That is set to change.

What will change?

• A single central reporting point: an organisation submits a notification once, and the system automatically forwards it to all relevant authorities
• The substantive reporting obligations remain unchanged, but the process will be significantly streamlined
• The single point of entry applies under several European laws simultaneously, including DORA and the GDPR
• The Commission intends to further harmonise reporting content through common templates, drawing on existing DORA formats as a starting point

For compliance and legal teams, this means less duplication of effort, but also a concrete adaptation of internal reporting processes once the system becomes operational.

AI Act: greater room for workability

The Commission aims to make the AI Act more practically applicable without lowering the level of protection.

Simplifications for all organisations

• The obligation to promote AI literacy internally becomes a government responsibility
• Smaller and medium-sized companies will have access to simplified documentation requirements
• AI systems that are assessed as not posing a high risk will no longer need to be registered in the EU database

More flexibility for high-risk AI systems

• Compliance deadlines will be linked to the availability of European standards, with final dates of December 2027 and August 2028
• Existing systems do not need to be adapted immediately unless substantial modifications are made
• Greater scope for real-world testing through a new EU-wide testing platform under the supervision of the AI Office

In November 2025, the Council and the European Parliament reached a provisional agreement on the successors to PSD2: the Payment Services Regulation (PSR) and the Third Payment Services Directive (PSD3). The final texts were expected in Q1 2026 but have not yet been published.

Fraud prevention and consumer protection take centre stage

The agreement places strong emphasis on tackling authorised push payment (APP) fraud, where victims are deceived into approving a payment, often after a fraudster poses as a bank employee through spoofing.

Key measures include:

• Payment service providers must compensate losses resulting from spoofing within fifteen working days, unless the consumer acted with demonstrable gross negligence
• The IBAN name check will be extended to a broader range of payment types
• Payment service providers are required to share fraud data with one another
• Non-compliance renders the provider liable for any resulting damages

Additional consumer protections

• Mandatory cost transparency at ATMs
• Improved cash accessibility in non-urban areas
• Merchants must display recognisable trade names on payment statements
• Technical barriers for open banking providers must be removed to improve their ability to compete with banks

Notable new addition

Large online platforms such as Google will be required to stop displaying advertisements for unlicensed payment service providers. Where a consumer suffers harm as a result of such an advertisement, the platform may be held liable for the damages.

Since the final texts are still awaited, a number of elements from earlier proposals remain uncertain.

In November 2025, the European Commission published a far-reaching revision of the SFDR, the regulation that requires transparency on sustainability in financial products.

Revised scope

The revised SFDR applies only to parties that create, manage or offer financial products, such as fund managers, insurers and pension funds. Investment advice and discretionary portfolio management fall outside the SFDR, though they remain subject to sustainability requirements under other frameworks such as MiFID II.

Three new product categories

The familiar Article 8 and Article 9 classification disappears. Three new categories will take its place:

• Sustainable (Art. 9)
• Transition (Art. 7)
• ESG Basics (Art. 8)

For all three, at least 70% of investments must align with the product’s sustainability strategy. The proposal also explicitly recognises impact investing for products targeting measurable social or environmental outcomes. EU-wide exclusions apply to all categories, including controversial weapons, tobacco production and serious violations of international norms. The Sustainable category carries the strictest exclusion criteria. Only products within one of the three categories may use sustainability claims in their name.

Reduced reporting obligations

• Shorter pre-contractual documents, fewer mandatory indicators and standardised website requirements
• The mandatory PAI reporting at entity level is abolished, partly because this information is already captured under the CSRD
• Reporting on alignment with the EU Taxonomy is no longer required, though products with at least 15% taxonomy-aligned assets automatically satisfy the 70% threshold

Transitional arrangements

No general transitional period is foreseen. Pension products and insurance-based investment products receive an additional 12 months of implementation time. Existing closed-end funds that no longer accept new investments fall outside the scope. The exact date of entry into force remains unknown, as the proposal must first be approved by the European Parliament and the Council.

In the next Regulatory Update, we will take a closer look at:

• Retail Investment Strategy
• International Sanctions Act
• Guidelines on the suitability assessment of members of management bodies and key function holders

Ruler automatically monitors all relevant regulatory sources and alerts your team the moment something changes, tailored to your type of organisation. So you’re always one step ahead.