DORA & IT Security Archives | PAYMENT.TECHNOLOGY.LAW.

KI im Finanzsektor: Warum Aufsicht und Governance jetzt entscheidend werden | ALLES LEGAL #125 ai-in-financial-sector-supervision-and-governance-alles-legal-125

2 minute read

AI in the Financial Sector: Why Supervision and Governance Are Now Crucial | ALLES LEGAL #125

byJosefine Spengler
11. February 2026

Artificial intelligence is fundamentally reshaping the financial sector – yet its growing use also raises pressing questions around governance and supervision. Find out what this means in the latest episode of “Alles Legal – Fintech-Recht kompakt”. Tune in now!

FFinTech

8 minute read

AI in the Financial Sector – Key Findings of the new OECD Paper

byJosefine Spengler
3. February 2026

The OECD paper “Supervision of Artificial Intelligence in Finance” analyses supervisory practices related to the use of AI in the financial sector. This article outlines the key findings and assesses them in light of the recent BaFin guidance.

BBanking

EUDI-Wallet: KYC, SCA & digitale Signatur in einem System | ALLES LEGAL #122

2 minute read

EUDI-Wallet: KYC, SCA & Digital Signature in One System | ALLES LEGAL #122

byPeter Frey
14. January 2026

The EUDI-Wallet fundamentally changes KYC processes, strong customer authentication (SCA) and digital contract signing. This episode covers key use cases, tangible benefits for banks, and the regulatory perspective – and explores why the Wallet is more than just another identification tool.

DData Protection

Datenschutzrechtliche Zulässigkeit verpflichtender Nutzerkonten im E-Commerce EDPB

7 minute read

Data Protection Law Permissibility of Mandatory User Accounts in E-Commerce

byJosefine Spengler
8. January 2026

On 3 December 2025, the European Data Protection Board (EDPB) published its “Recommendations 2/2025 on the legal basis for requiring the creation of user accounts on e-commerce websites”. The recommendations are currently still in the phase of public consultation, which runs until 12 February 2026.

AArtificial Intelligence

Illustration zum Artikel KI im Finanzsektor

13 minute read

AI in the financial sector: Classification and practical significance of the new BaFin guidance on the use of AI

byJosefine Spengler
18. December 2025

With the ongoing integration of artificial intelligence into the business models, processes and decision-making structures of financial companies,…

DDORA & IT Security

Illustratives Bild zu: ESAs Liste kritischen IKT-Dienstleister

1 minute read

European Supervisory Authorities publish list of critical ICT third‑party providers

byJosefine Spengler
21. November 2025

On 19 November 2025, the European Supervisory Authorities (EBA, EIOPA, ESMA) for the first time designated 19 critical ICT third‑party providers under Article 32(1)…

DDORA & IT Security

EZB-Leitfaden zur Auslagerung von Cloud-Diensten: Tipps zur Umsetzung von DORA ECB Guide on Cloud Outsourcing: Implementation Tips for DORA Compliance

7 minute read

ECB Guide on Cloud Outsourcing: Implementation Tips for DORA Compliance

byNiklas Olschewski
18. November 2025

In July 2025, the ECB published a non-binding guide on cloud outsourcing, aiming to align financial institutions with DORA’s resilience standards. It addresses supervisory findings and offers actionable best practices.

FFinTech

Von Outsourcing zu Third Party Arrangements: Die neuen EBA-Leitlinien zum Drittparteienmanagement • Teil 1: Überblick über die wichtigsten Neuerungen

5 minute read

From Outsourcing to Third Party Arrangements: The New EBA Guidelines on Third-Party Risk Management 2/2

byJosefine Spengler
23. October 2025

The new EBA Guidelines significantly expand the approach to third-party risk. In this second part, we explore what this means in practice for banks, payment and e-money institutions – from new organisational requirements to integration with DORA. What are the biggest challenges and where do opportunities arise?

LLegal

7 minute read

From Outsourcing to Third Party Arrangements: The New EBA Guidelines on Third-Party Risk Management 1/2

byJosefine Spengler
9. October 2025

On 8 July 2025, the European Banking Authority (EBA) published a new consultation paper on the EBA Guidelines for third-party risk management. The draft goes well beyond the previous Outsourcing Guidelines from 2019. The objective is to establish a harmonised European framework for managing third-party risks, aligned in particular with the Digital Operational Resilience Act (DORA). Part 1 of the analysis highlights the key innovations and main content; a practical assessment will follow in Part 2.

FFinTech

Neues Buch: Das Recht der digitalen Zahlungsdienstleistungen

2 minute read

PayTechLaw – now available as a book!

byPayTechLaw-Team
18. September 2025

With the title “PayTechLaw – The Law of Digital Payment Services”, a new handbook has been published by C.H. BECK. It is dedicated entirely to the regulatory and civil law framework of digital payments. The editors: Prof. Dr. Carsten Herresthal, LL.M., and Annerton partners Dr. Matthäus Schindele and Frank Müller, LL.M. – all recognized experts in payment services and financial regulatory law. They were supported by a top-class team of authors – including many familiar names from the Annerton environment and beyond.

DData Protection

4 minute read

Cyber Resilience Act: The Overlooked Puzzle Piece in Financial IT

byJosefine Spengler
11. September 2025

Digital products like baby monitors and smartwatches have become an integral part of everyday life – but they carry security risks, especially when manufacturers fail to provide updates. The EU’s new Cyber Resilience Act (CRA), in force since 10 December 2024, aims to change that. But what does it mean for the financial sector?

FFinTech

5 minute read

From Onboarding to Offboarding: Lifecycle Management of ICT Third-Party Relationships under DORA

byJosefine Spengler
28. August 2025

The DORA Regulation (EU) 2022/2554 obliges financial institutions to manage their ICT third-party relationships in a structured way across the entire lifecycle – from selection to exit. For FinTechs, this means that ad hoc purchases of IT services are a thing of the past. Instead, documented and auditable processes are required, taking into account risks, supervisory requirements, and exit strategies.

PPayment

2 minute read

Material legal framework that payment service providers in the area of IT regulatory law need to know

byChristian Walz,Wencke Salmen
26. August 2025

New regulations, new obligations – with NIS2 and DORA, the requirements for payment service providers under IT supervision…

DDORA & IT Security

4 minute read

The new DORA-RTS SUB is here!

byJosefine Spengler,Peter Frey
21. August 2025

On 2 July 2025, the European Commission adopted the Regulatory Technical Standard RTS SUB (Delegated Regulation (EU) 2025/532). It specifies the requirements that financial institutions must meet when (sub-)contracting ICT services that support critical or important functions – particularly with regard to risk assessment and the management of sub-service providers.