Josefine Spengler, Author at PAYMENT.TECHNOLOGY.LAW.

Datenschutzrechtliche Zulässigkeit verpflichtender Nutzerkonten im E-Commerce EDPB

7 minute read

Data Protection Law Permissibility of Mandatory User Accounts in E-Commerce

byJosefine Spengler
8. January 2026

On 3 December 2025, the European Data Protection Board (EDPB) published its “Recommendations 2/2025 on the legal basis for requiring the creation of user accounts on e-commerce websites”. The recommendations are currently still in the phase of public consultation, which runs until 12 February 2026.

AArtificial Intelligence

Illustration zum Artikel KI im Finanzsektor

13 minute read

AI in the financial sector: Classification and practical significance of the new BaFin guidance on the use of AI

byJosefine Spengler
18. December 2025

With the ongoing integration of artificial intelligence into the business models, processes and decision-making structures of financial companies,…

DDORA & IT Security

Illustratives Bild zu: ESAs Liste kritischen IKT-Dienstleister

1 minute read

European Supervisory Authorities publish list of critical ICT third‑party providers

byJosefine Spengler
21. November 2025

On 19 November 2025, the European Supervisory Authorities (EBA, EIOPA, ESMA) for the first time designated 19 critical ICT third‑party providers under Article 32(1)…

FFinTech

Von Outsourcing zu Third Party Arrangements: Die neuen EBA-Leitlinien zum Drittparteienmanagement • Teil 1: Überblick über die wichtigsten Neuerungen

5 minute read

From Outsourcing to Third Party Arrangements: The New EBA Guidelines on Third-Party Risk Management 2/2

byJosefine Spengler
23. October 2025

The new EBA Guidelines significantly expand the approach to third-party risk. In this second part, we explore what this means in practice for banks, payment and e-money institutions – from new organisational requirements to integration with DORA. What are the biggest challenges and where do opportunities arise?

LLegal

7 minute read

From Outsourcing to Third Party Arrangements: The New EBA Guidelines on Third-Party Risk Management 1/2

byJosefine Spengler
9. October 2025

On 8 July 2025, the European Banking Authority (EBA) published a new consultation paper on the EBA Guidelines for third-party risk management. The draft goes well beyond the previous Outsourcing Guidelines from 2019. The objective is to establish a harmonised European framework for managing third-party risks, aligned in particular with the Digital Operational Resilience Act (DORA). Part 1 of the analysis highlights the key innovations and main content; a practical assessment will follow in Part 2.

DData Protection

4 minute read

Milestone in Data Protection: CJEU Rules on Pseudonymisation, Anonymisation and Transparency Obligations

byJosefine Spengler
30. September 2025

In its ruling of 4 September 2025, the CJEU reaffirmed key principles of EU data protection law: pseudonymised and subjective data qualify as personal data. The decision underlines transparency obligations when sharing data – and is directly relevant for the GDPR.

DData Protection

4 minute read

Cyber Resilience Act: The Overlooked Puzzle Piece in Financial IT

byJosefine Spengler
11. September 2025

Digital products like baby monitors and smartwatches have become an integral part of everyday life – but they carry security risks, especially when manufacturers fail to provide updates. The EU’s new Cyber Resilience Act (CRA), in force since 10 December 2024, aims to change that. But what does it mean for the financial sector?

FFinTech

5 minute read

From Onboarding to Offboarding: Lifecycle Management of ICT Third-Party Relationships under DORA

byJosefine Spengler
28. August 2025

The DORA Regulation (EU) 2022/2554 obliges financial institutions to manage their ICT third-party relationships in a structured way across the entire lifecycle – from selection to exit. For FinTechs, this means that ad hoc purchases of IT services are a thing of the past. Instead, documented and auditable processes are required, taking into account risks, supervisory requirements, and exit strategies.

DDORA & IT Security

4 minute read

The new DORA-RTS SUB is here!

byJosefine Spengler,Peter Frey
21. August 2025

On 2 July 2025, the European Commission adopted the Regulatory Technical Standard RTS SUB (Delegated Regulation (EU) 2025/532). It specifies the requirements that financial institutions must meet when (sub-)contracting ICT services that support critical or important functions – particularly with regard to risk assessment and the management of sub-service providers.

DDORA & IT Security

5 minute read

NIS2 meets DORA – What changes for financial institutions as a result of the NIS2 Implementation and Adjustment Act (NIS2UmsuCG)?

byJosefine Spengler
12. August 2025

On 30 July 2025, the German Federal Government presented the draft of the NIS2UmsuCG. This transposes the NIS2 Directive (EU) 2022/2555 into German law and expands the IT security framework. For the financial sector, which has been subject to the DORA Regulation (EU) 2022/2554 since 17 January 2025, the question arises: Do we still need to concern ourselves with NIS 2 – or are we exempt?

PPodcast

2 minute read

Under Scrutiny: How DORA Is Reshaping Resilience Testing | ALLES LEGAL #105

byJosefine Spengler,PayTechLaw-Team
16. July 2025

In the final episode of our DORA series, we focus on one of the regulation’s key aspects: the mandatory testing of digital resilience.

PPodcast

2 minute read

Business Continuity under DORA | ALLES LEGAL #104

byJosefine Spengler,PayTechLaw-Team
9. July 2025

What happens when your cloud provider fails or a cyberattack takes down your systems? This episode is all about Business Continuity Management (BCM) – and why it’s a critical regulatory requirement for banks and fintechs under DORA. Tune in now!

PPodcast

2 minute read

In an Emergency, Every Minute Counts – What DORA Requires in Case of an IT Incident | ALLES LEGAL #103

byJosefine Spengler
2. July 2025

A severe IT incident – and the clock is ticking. Why DORA leaves no leeway when it comes to reporting IT incidents and how companies can prepare is explained by Josefine Spengler in this episode. Tune in now!

PPodcast

2 minute read

Digital resilience is a matter for top management | ALLES LEGAL #102

byJosefine Spengler
25. June 2025

In the third episode of our podcast series ‘Alles Legal – Fintech-Recht kompakt’, Josefine Spengler, lawyer at Annerton, talks to host Dana Wondra from Payment & Banking about a key innovation in financial supervisory law: What does DORA require in terms of ICT risk management – and why is digital resilience now a top priority?