Josefine Spengler, Author at PAYMENT.TECHNOLOGY.LAW.

Datenschutz im Zahlungsverkehr – Rechtliche Grundlagen und Besonderheiten Data Protection in Payment Services – Legal Framework and Key Particularities

10 minute read

Data Protection in Payment Services – Legal Framework and Key Particularities

byNataša Adzic,Josefine Spengler,Svetlana Ulrici
21. May 2026

Data protection in payment services operates within the complex interplay of the GDPR, PSD2 and the German ZAG. A key challenge lies in the legal classification of payment data, as transaction data may reveal highly sensitive insights into individuals’ private lives. This article analyses the principal legal bases for data processing as well as the allocation of data protection responsibilities among payment service providers, PISPs and AISPs.

DDORA & IT Security

6 minute read

Escrow Agreements under DORA: Requirements for an Effective Resilience Instrument

byJosefine Spengler
9. April 2026

Escrow agreements under DORA are considered a key instrument for mitigating critical ICT dependencies. But when are they truly effective? This article explains why standard solutions often fall short and what really matters in practice.

PPodcast

KI-Regulierung in der Praxis: Was die Aufsicht zu KI im Finanzsektor wirklich sehen will | ALLES LEGAL #126 AI Regulation in Practice

2 minute read

AI Regulation in Practice: What Supervisors Really Expect to See from AI in the Financial Sector | ALLES LEGAL #126

byJosefine Spengler
18. February 2026

Annerton partner Josefine Spengler explains how supervisory authorities assess AI systems in the financial sector in practice. AI is not treated as a regulatory special case but as an ICT system embedded within existing frameworks, particularly DORA. The focus lies on governance, accountability, traceability and ongoing monitoring. The interaction between DORA and the EU AI Act adds further complexity. The key takeaway: AI is not merely an IT issue – it is a management responsibility.

BBanking

KI im Finanzsektor: Warum Aufsicht und Governance jetzt entscheidend werden | ALLES LEGAL #125 ai-in-financial-sector-supervision-and-governance-alles-legal-125

2 minute read

AI in the Financial Sector: Why Supervision and Governance Are Now Crucial | ALLES LEGAL #125

byJosefine Spengler
11. February 2026

Artificial intelligence is fundamentally reshaping the financial sector – yet its growing use also raises pressing questions around governance and supervision. Find out what this means in the latest episode of “Alles Legal – Fintech-Recht kompakt”. Tune in now!

FFinTech

8 minute read

AI in the Financial Sector – Key Findings of the new OECD Paper

byJosefine Spengler
3. February 2026

The OECD paper “Supervision of Artificial Intelligence in Finance” analyses supervisory practices related to the use of AI in the financial sector. This article outlines the key findings and assesses them in light of the recent BaFin guidance.

DData Protection

Datenschutzrechtliche Zulässigkeit verpflichtender Nutzerkonten im E-Commerce EDPB

7 minute read

Data Protection Law Permissibility of Mandatory User Accounts in E-Commerce

byJosefine Spengler
8. January 2026

On 3 December 2025, the European Data Protection Board (EDPB) published its “Recommendations 2/2025 on the legal basis for requiring the creation of user accounts on e-commerce websites”. The recommendations are currently still in the phase of public consultation, which runs until 12 February 2026.

AArtificial Intelligence

Illustration zum Artikel KI im Finanzsektor

13 minute read

AI in the financial sector: Classification and practical significance of the new BaFin guidance on the use of AI

byJosefine Spengler
18. December 2025

With the ongoing integration of artificial intelligence into the business models, processes and decision-making structures of financial companies,…

DDORA & IT Security

Illustratives Bild zu: ESAs Liste kritischen IKT-Dienstleister

1 minute read

European Supervisory Authorities publish list of critical ICT third‑party providers

byJosefine Spengler
21. November 2025

On 19 November 2025, the European Supervisory Authorities (EBA, EIOPA, ESMA) for the first time designated 19 critical ICT third‑party providers under Article 32(1)…

FFinTech

Von Outsourcing zu Third Party Arrangements: Die neuen EBA-Leitlinien zum Drittparteienmanagement • Teil 1: Überblick über die wichtigsten Neuerungen

5 minute read

From Outsourcing to Third Party Arrangements: The New EBA Guidelines on Third-Party Risk Management 2/2

byJosefine Spengler
23. October 2025

The new EBA Guidelines significantly expand the approach to third-party risk. In this second part, we explore what this means in practice for banks, payment and e-money institutions – from new organisational requirements to integration with DORA. What are the biggest challenges and where do opportunities arise?

LLegal

7 minute read

From Outsourcing to Third Party Arrangements: The New EBA Guidelines on Third-Party Risk Management 1/2

byJosefine Spengler
9. October 2025

On 8 July 2025, the European Banking Authority (EBA) published a new consultation paper on the EBA Guidelines for third-party risk management. The draft goes well beyond the previous Outsourcing Guidelines from 2019. The objective is to establish a harmonised European framework for managing third-party risks, aligned in particular with the Digital Operational Resilience Act (DORA). Part 1 of the analysis highlights the key innovations and main content; a practical assessment will follow in Part 2.

DData Protection

4 minute read

Milestone in Data Protection: CJEU Rules on Pseudonymisation, Anonymisation and Transparency Obligations

byJosefine Spengler
30. September 2025

In its ruling of 4 September 2025, the CJEU reaffirmed key principles of EU data protection law: pseudonymised and subjective data qualify as personal data. The decision underlines transparency obligations when sharing data – and is directly relevant for the GDPR.

DData Protection

4 minute read

Cyber Resilience Act: The Overlooked Puzzle Piece in Financial IT

byJosefine Spengler
11. September 2025

Digital products like baby monitors and smartwatches have become an integral part of everyday life – but they carry security risks, especially when manufacturers fail to provide updates. The EU’s new Cyber Resilience Act (CRA), in force since 10 December 2024, aims to change that. But what does it mean for the financial sector?

FFinTech

5 minute read

From Onboarding to Offboarding: Lifecycle Management of ICT Third-Party Relationships under DORA

byJosefine Spengler
28. August 2025

The DORA Regulation (EU) 2022/2554 obliges financial institutions to manage their ICT third-party relationships in a structured way across the entire lifecycle – from selection to exit. For FinTechs, this means that ad hoc purchases of IT services are a thing of the past. Instead, documented and auditable processes are required, taking into account risks, supervisory requirements, and exit strategies.

DDORA & IT Security

4 minute read

The new DORA-RTS SUB is here!

byJosefine Spengler,Peter Frey
21. August 2025

On 2 July 2025, the European Commission adopted the Regulatory Technical Standard RTS SUB (Delegated Regulation (EU) 2025/532). It specifies the requirements that financial institutions must meet when (sub-)contracting ICT services that support critical or important functions – particularly with regard to risk assessment and the management of sub-service providers.