Fintech start-ups and established financial firms face major changes to the regulatory environment in 2025. The European Union is responding to developments in payments innovation, cyber threats, artificial intelligence and crypto-assets with new regulations that introduce new obligations and stricter oversight. Key changes include the forthcoming Payment Services Directive 3 (PSD3) regulating payments, the Digital Operational Resilience Act (DORA) focusing on digital security for financial institutions, and the AI Act regulating the use of artificial intelligence. In addition, other regulations are coming into force, such as new anti-money laundering (AML) rules and the Markets in Cryptoassets Regulation (MiCA). Failure to comply with these obligations can lead to heavy penalties (fines in the millions of euros, revocation of licenses, etc.) and significant reputational and business risks. This article discusses the new requirements in detail and offers recommendations on how to prepare for the changes. It also highlights opportunities to work with ARROWS to implement and ensure compliance with these regulations.
Author of the article: ARROWS law firm (JUDr. Jakub Dohnal, Ph.D., LL.M., office@arws.cz, +420 245 007 740)

PSD3 - A new era of payment services and consumer protection
What is PSD3? The forthcoming Payment Services Directive 3 (PSD3) is an evolution of the existing PSD2 with the aim of further strengthening payment security and user rights. The European Commission published a proposal in June 2023 and the legislation is expected to be finalised by 2024-2025. PSD3 is also accompanied by a new Payment Services Regulation (PSR) and the Open Finance Initiative (FIDA). The main objective is to modernise the framework for digital payments - an "evolution, not a revolution" compared to PSD2. The new rules respond to the development of fintech innovation as well as to new types of fraud and issues that have emerged since the introduction of PSD2 in 2018.
Key changes and new obligations:
PSD3 brings a number of tightening and improvements:
- Strengthening the fight against fraud: More robust fraud prevention mechanisms will be introduced, including the ability for payment providers to share fraud information across the market. In addition, requirements for strong customer authentication (SCA) will be tightened - extending its use to more scenarios and clarifying exemptions. For example, there are new plans to verify the payee's name against the account number before making a payment to prevent "bad account" fraud - the so-called IBAN vs. owner name check. Third-Party Providers (TPPs) will also have greater responsibility for security - if a bank delegates identity verification to a third party, that third party will now be responsible for meeting SCA requirements.
- Greater consumer rights and protections: consumers will have more control over their data and payments. PSD3 will introduce clear "dashboards" for managing consents - customers will see which companies have access to their payment data and will be able to easily revoke access. It will also extend the information obligation - account statements will be clearer and ATM charges, for example, more transparent. The rules on unauthorised transactions will be tightened - payment providers will only be able to refuse refunds in exceptional cases of suspected fraud by the customer. Overall, the Directive will extend the reimbursement rights of fraud victims and limit the exceptions where a bank does not have to return stolen funds.
- A level playing field for banks and fintechs: PSD3 seeks to level the playing field in the payments market - non-bank payment service providers will get better access to key payment systems (e.g. card schemes) on non-discriminatory terms. Scheme operators will not be able to unreasonably deny connections to licensed fintechs. This will foster competition and innovation. At the same time, the licensing of payment institutions and e-money institutions will be unified - e-money institutions will be included as a separate category of payment institution, instead of the existing parallel regime. This will simplify the supervisory structure also for the firms themselves (no duplication of licences).
- Open Banking and Finance: The new rules remove obstacles to the development of Open Banking. Banks will have to provide standardised APIs for sharing data with third parties, making it easier to connect fintech applications. The obligation for so-called fallback interfaces will disappear - banks will no longer have to run duplicate data accesses. Customers will be able to securely share their financial data with AISP/PISP-licensed fintechs and benefit from innovative services. In parallel with PSD3, the Financial Data Access (FIDA) regulation is also in the pipeline, promoting open finance, i.e. data sharing beyond bank accounts (e.g. investments, insurance) through a new type of licensed financial data access intermediaries (FISPs). All this is to accelerate the digitisation of financial services in the EU.
- Other changes: the PSD3/PSR package contains a number of partial modifications - e.g. clarification of definitions (what is a payment account, who is an information aggregator, etc.), modifications to existing exemptions from regulation (e.g. limitation of the "restricted network" - vouchers applicable only in narrowly defined establishments), obligation to provide alternative out-of-court dispute resolution for clients, prohibition of unilateral increase of payment limits by the provider, etc. In short, PSD3 will strengthen security, innovation and trust in payments - a move towards a more integrated and consumer-friendly payments ecosystem.
Impacts, sanctions and recommendations:
PSD3 is unlikely to come into force until after 2025 (after transposition into national laws, which will take ~18 months from approval). However, firms in the payments sector need to start preparing now as they will probably only have ~18-24 months to comply. It is necessary to perform a gap analysis - compare current processes with the new requirements (e.g. update SCA systems, prepare a mechanism for verifying the name of the payee, modify contracts with technical providers, etc.). Non-compliance with future obligations would be subject to sanctions similar to PSD2 - fines and, in the extreme case, revocation of the payment institution's license. Regulators (e.g. CNB) will have enhanced powers to enforce uniform rules.
Recommendations for fintechs: actively monitor the legislative development of PSD3, engage in expert discussions and start preparing internal projects to implement the changes. Consultations with payment regulation experts can also be used to help interpret the new requirements in advance. Fintechs that adapt to the changes in time will gain a competitive advantage - both avoiding penalties and strengthening customer confidence in the security and transparency of their services.
DORA - Digital Operational Resilience and Cybersecurity
The Digital Operational Resilience in the Financial Sector (DORA) Regulation comes into force on 17 January 2025. This directly effective EU regulation fundamentally changes the approach to cybersecurity and resilience for banks, insurance companies, investment firms, fintech firms and other financial institutions across the EU. DORA responds to the fact that finance is increasingly dependent on IT technologies and external ICT service providers (cloud, software, etc.), making financial institutions vulnerable to cyber-attacks and disruptions. The aim is to ensure that the financial sector can withstand a major operational disruption - typically a hacker attack, cloud failure, system error, etc. - without compromising clients or market stability.
Who is affected
DORA applies to a broad group of "financial entities" (20 types in total), including banks, payment institutions, electronic money institutions, investment firms, securities dealers, fund managers, insurance companies, crypto-service providers and many others. This includes fintech firms that hold one of these licences (e.g. payment companies, trading platforms, EU regulated crowdfunding platforms, etc.). Moreover, DORA also indirectly affects suppliers of ICT services to the financial sector - critical suppliers (e.g. large cloud operators) will be subject to EU registration and supervision, and financial institutions must enter into contracts with suppliers containing the required ICT risk provisions.
DORA requirements
The Regulation establishes a single framework for ICT risk management and digital resilience based on five pillars:
- ICT risk management: every financial institution must implement a comprehensive ICT risk management system - from strategy, to policies and procedures, to technical measures. DORA sets out the principles that ICT risk management should be part of the firm's overall risk management strategy and subject to management oversight. In practice, this means, for example, regularly assessing cyber risks, adopting control measures (firewalls, antivirus, access control, etc.), having data backups and disaster recovery plans in place. Senior management (board) will be directly responsible for digital risk management.
- Incident management and incident reporting: DORA requires procedures to be in place to detect and deal with cyber incidents. Each institution must classify incidents by severity and report significant incidents to oversight bodies (typically within 72 hours of discovering a serious incident). This includes the obligation to have an internal reporting line, keep records of all incidents, and notify the regulator and clients, if applicable, of a breach in a timely manner. The aim is to enable a rapid response and prevent the problem from spreading to other parts of the financial system.
- Digital operational resilience - testing: firms must regularly test their ability to withstand cyber threats. Resilience testing programmes should include basic testing (e.g. penetration testing of IT systems) and, for larger institutions, advanced testing such as Threat-Led Penetration Testing (TLPT), which simulates sophisticated attacks. These advanced tests will be carried out every 3 years with the participation of external certified testers and under the supervision of the regulators. Institutions must use the results of the tests to correct identified weaknesses.
- ICT third-party risk management: DORA emphasises the risks associated with IT vendors. Financial institutions must carefully select and monitor their ICT providers, especially critical ones. Key contractual requirements are to be put in place - service availability, data protection, cybersecurity measures, audit rights and incident information are to be mandated in contracts with ICT suppliers. In addition, regulators can request information on these contracts and, as a last resort, order the termination of a contract with a supplier that poses excessive risk.
- Threat information sharing: the Regulation promotes the secure exchange of information on cyber threats and vulnerabilities between financial institutions. This is not an obligation, but an option - firms can join threat intelligence sharing communities to help them better counter current attacks.
Key risks and penalties
DORA sets the bar high for cyber resilience and regulators will be uncompromising in demanding compliance. Failure to comply can lead to very tangible penalties. Supervisory authorities (in the Czech Republic the CNB, at EU level the European Supervisory Authorities) can impose fines for breaches of DORA - e.g. in some countries up to 10% of a company's annual turnover or €5 million. These are therefore penalties comparable to the most stringent fines under the GDPR or banking regulations. In addition to fines, there is also the risk of being restricted or banned from operating in the event of serious and repeated breaches (e.g., if a fintech repeatedly ignores fundamental security weaknesses, it may lose its permission to provide its services). The risks of non-compliance are not just regulatory - in the financial services environment, one serious cyber incident can cause service disruption, client data leakage and irreversible reputational damage. Fintech start-ups in particular, which are only just establishing their credibility in the market, could find such a shock difficult to withstand. As the Latvijas Banka report points out, weak cyber security can lead not only to data leaks and service disruptions, but also to loss of licence and a threat to the stability of the entire financial system.
How to prepare
By January 2025, every fintech company should conduct a thorough audit of its ICT security and processes. It is recommended to conduct an internal DORA readiness assessment: check whether there are formal ICT risk management frameworks, crisis plans, IT outsourcing rules, etc. If not, these should be urgently completed. It is also necessary to train staff - not only IT professionals, but also management and other staff on their roles in managing cyber incidents.
Investing in technology
Fintechs should consider implementing advanced security tools (SIEM for security event monitoring, an intrusion detection system, multi-factor authentication, etc.) if they are not already using them. It is important to establish communication with key IT vendors and update contracts according to DORA requirements - e.g. add provisions for incident reporting, consent to audits and recovery tests. Resilience testing shouldn't just remain on paper - conduct penetration tests and mock cyber attack scenarios in advance to uncover vulnerabilities. Management should then be regularly updated on the status of ICT risks. Finally, keep an eye on the methodologies and guidelines issued by the European Banking Authority (EBA) and others on DORA - DORA is complex and some details will only be specified by the regulatory technical standards (RTS). Involving legal and security experts in preparing for DORA is a wise investment - they will help prioritise measures so that the company meets its obligations in a timely and efficient manner.
AI Act - Regulation of Artificial Intelligence in Fintech
What is the AI Act?
The European Union is the first in the world to introduce a comprehensive legal framework for artificial intelligence. The AI Act is a forthcoming EU regulation to ensure that AI deployment is safe, transparent and compliant with fundamental rights. The draft has already been approved by the European Parliament (in 2023) and the final version is expected during 2024. Some obligations start to apply as early as 2 February 2025 - the date on which the ban on the most dangerous AI practices will come into force. The AI Act introduces a risk-based approach: it distinguishes AI systems into four categories according to their level of risk - prohibited, high-risk, restricted and low-risk.
- Prohibited AI practices: an absolute ban applies to AI systems that seriously threaten values and rights. Examples include so-called social scoring of people based on their behaviour (citizen grading), mass biometric surveillance systems in public, or AI that subliminally manipulates human behaviour. The fintech sector mostly avoids these practices, yet care should be taken not to use AI, for example, to discriminate against clients. These prohibited applications are completely unacceptable from February 2025 and their deployment would lead to draconian fines (see below).
- High-risk AI: This includes AI used in sensitive areas where it may affect the security or fundamental rights of people. Crucially for fintech, credit scoring systems are explicitly named as high-risk AI. Further, for example, AI for recruitment, insurance assessment, fraud detection or transaction monitoring for AML purposes may be assessed as high risk. The requirements for high-risk AI are very stringent - the developer or provider of such a system must fulfil a number of obligations prior to market introduction: implement systematic AI risk management, ensure the quality of the input data (to avoid biases or errors), develop technical documentation and user guides, ensure human supervision of the system's operation, guarantee the accuracy, reliability and cybersecurity of the AI system, and conduct post-market monitoring of its operation. The provider of high-risk AI must also register the system in an EU database and ensure certification (called conformity assessment, often in the form of CE marking) before use. Organisations deploying high-risk AI from other suppliers have slightly less stringent obligations - they must mainly use the AI for legitimate purposes, train the operators, monitor the outputs and inform the supplier or authorities if serious defects are found. Importers and distributors of AI have a similar responsibility to verify that products meet requirements and carry certification. In practice, this means that a fintech that uses, for example, external AI for client scoring must check that the supplier has AI Act compliance sorted - otherwise the risk passes to the fintech as well.
- Limited and low risk: AI tools that can interact with humans and potentially cause only a minor level of risk or possible deception to the user fall into the limited risk category. Typical examples are chatbots or deepfake content generators. These systems will not be banned, but they do have a transparency obligation - the user must be notified that they are interacting with AI or that the content has been created by AI. The low-risk (minimal risk) category then includes all other AI applications, for which no specific obligations are imposed (but they are of course still fully regulated by general laws such as GDPR, consumer law, etc.). In practice, most common fintech AI that e.g. analyses data for internal purposes, business strategies, etc. will fall here, unless it directly affects customer or systemic risks.
Enforcement and sanctions
The supervision of compliance with the AI Act will be carried out at Member State level (a national AI "supervisory authority" will be designated, in the Czech Republic this is likely to be the Office for Personal Data Protection or a new authority) in cooperation with the emerging European AI Authority. Unlike the GDPR, the principle of a lead supervisory authority does not apply here - a company operating in multiple EU countries may face parallel inspections in different countries. Penalties for non-compliance will be graduated according to severity: maximum fines of up to €30 million or 6-7% of global annual turnover (whichever is higher) are threatened for breaches of the ban on prohibited AI practices. This is an even more severe penalty than the GDPR (max 4% of turnover). For other serious breaches (e.g. for high-risk AI - missing documentation, failure to provide oversight, etc.), fines will be up to €20 million or 4% of turnover. And for less serious offences or administrative misconduct (e.g. providing false information to the authorities) up to €10 million or 2% of turnover. These amounts clearly signal that the regulator takes AI very seriously. Fintechs that deploy an AI system that breaches the rules therefore face not only a financial penalty but also a ban on operating such technology. In addition, a significant reputational impact can be expected - as with GDPR, disclosure that a firm has been experimenting with "unsafe" AI in an unauthorised manner could deter clients and investors.
What fintechs should be doing already
Although most of the obligations (especially for high-risk AI) will probably not actually begin to apply until 2026 (the AI Act will include transition periods of about 2-3 years), 2025 is an ideal time to prepare. Recommended Steps:
- Identify your company's use of AI - map what AI systems you use or develop (both developed in-house and supplied by contractors). For each, assess whether it falls within the scope of the AI Act (i.e., whether it is an "AI system" by definition, which includes most software using machine learning, expert systems, etc.).
- Classify Risk: For identified AI tools, make a preliminary classification of which category they would fall into. Pay particular attention to whether any are high-risk according to the AI Act Annexes - for fintech, typically credit scoring, AML transaction monitoring, robo-advisors in finance, etc. For these, prepare a plan to meet future requirements.
- Establish AI governance policies: it pays to set internal rules for AI development and use now (ethics policies, bias testing procedures, management approval of AI deployment, etc.). These AI policies will help the company transition smoothly into a regulated mode. Designate a person responsible for AI compliance.
- Evaluate the impact on the business model: If your product relies on AI (e.g., fully automated decision making), consider whether you may need to incorporate a human element (human oversight) into the process or provide customers with the ability to challenge the decision. While the AI Act does not introduce direct private law claims, there are AI Liability Guidelines and revisions to the Product Liability Directive in the pipeline that may make it easier for customers to recover AI damages. Again, it makes sense for fintechs to have AI systems that are explainable and auditable.
- Monitor developments and consult: Developments around the AI Act are dynamic - it pays to keep up to date with the latest information (e.g. European Commission opinions on AI, interpretations of terms, or take advantage of offers to consult legal experts). Some Member States may set up AI innovation hubs (similar to fintech sandboxes), which can be used to fine-tune solutions in line with regulation.
Fintech companies that use AI should take the AI Act as an impetus to implement a responsible approach to AI. It's not just the threat of sanctions, but also a competitive advantage - the ability to demonstrate regulatory compliance and an ethical approach to AI can be an important factor for clients and partners when choosing fintech services.
Other regulation and Czech implementation - AML, MiCA and others
In addition to the European regulations mentioned above, other regulatory changes are coming into force that directly affect the fintech sector. Among the most important are the new anti-money laundering rules (AML/CFT) and the comprehensive framework for crypto-assets (MiCA). The Czech Republic will implement these regulations into its law and supervisory practice.
Stricter anti-money laundering (AML)
In June 2024, a package of AML legislation was adopted in the EU, including the Sixth Anti-Money Laundering Directive (AMLD6), the AMLR Regulation (a single directly applicable regulation on anti-money laundering measures) and the establishment of a new European Anti-Money Laundering Authority (AMLA). The aim is to harmonise and tighten the rules across Member States, as there have been differences in the implementation of AML rules so far. For fintechs - which are often among the "obliged persons" under AML law - this means a number of changes:
- Uniform due diligence rules: the forthcoming AMLR regulation will introduce more detailed and uniform requirements for customer identification and due diligence, including enhanced obligations for high-risk clients. Obliged persons (banks, payment companies, virtual currency providers, investment firms, etc.) will have to obtain more information about beneficial owners, verify it from independent sources and obtain management approval when establishing a relationship with a high-risk client. There is also an obligation to report any discrepancies between client information and the beneficial owner register entries within 30 days or face a penalty of up to CZK 1 million.
- Extension of obliged persons: AMLD6 adds new types of entities that must comply with anti-money laundering obligations. For example, in the Czech Republic, real estate agencies or developers will be among the obliged persons from 2021, with fines of up to CZK 10 million for non-compliance. At the European level, it has even been considered to include football clubs and other high-risk sectors. Importantly for fintechs, all financial services companies (albeit innovative ones) fall under AML - and with the advent of crypto regulation, so do crypto firms (see below).
- Stronger supervision (AMLA): as of 1 July 2024, a new European authority, the AMLA, based in Frankfurt, was formally established. From 1 July 2025, the AMLA will gradually take over the role of coordinator of anti-money laundering supervision in the EU. This means that some large multinational fintechs or crypto firms may be supervised directly by this EU authority (it will select the entities with the highest risk of money laundering). The AMLA will be able to issue methodologies, coordinate national regulators and, as a last resort, intervene directly against a firm that poses an acute risk. For most Czech fintechs, however, the primary oversight remains the Financial Analysis Authority (FAU) and the CNB, but tighter controls and unified standards can be expected going forward. The EU is also pushing for a tough approach - for example, it has set a €10,000 limit on cash payments across the EU to make cash laundering more difficult.
- Penalties for AML breaches: for financial institutions, fines of up to CZK 50 million or 10% of annual turnover (under the Banking Act or the Payment Act) apply for serious breaches of AML obligations. The newly proposed amendments go even further: for example, it was considered to increase the penalties up to CZK 130 million for financial institutions in case of systemic AML failure of a group. In addition to monetary fines, there may also be revocation of authorisation to operate (prohibition of business) in extreme cases. Thus, in practice, even a smaller fintech can be fined millions of crowns for neglecting to identify a client or failing to report a suspicious trade. Sixty percent of fintechs in a recent survey said they had already paid a fine of at least $250,000 for compliance misconduct in 2022 - the trend is clear, regulators are clamping down.
AML recommendations
Fintechs should continually update their internal AML regulations to reflect the latest risks and guidance. A review of internal KYC procedures should be undertaken in 2025 - e.g. how they verify beneficial owners, whether they collect additional information from risky clients, whether they monitor sanctions lists, etc. It is also necessary to prepare for regulatory inspections - the regulator may require detailed evidence of how you are meeting your obligations (e.g. staff AML training records, internal audit outputs). Automation can help - deploy RegTech tools to screen transactions and people, verify identity online, etc. A fintech that already invests in a robust AML system will have no problem meeting even more stringent requirements in the future. It is also important to keep an eye on the upcoming amendment to the Czech AML Act (253/2008 Coll.), which is likely to introduce some elements of European legislation by 2025 (e.g. mandatory AML control persons in statutory bodies, mandatory reporting of irregularities in the register, etc., as proposed by the Ministry of Finance in the past). Early consultation with experts will help to assess whether new obligations apply to your business (e.g. if you expand your services into the crypto area, you will automatically become an obliged person under the AML Act). Overall, the message from regulators is clear: AML compliance cannot be underestimated - in addition to the threat of penalties, there is also the risk that a fintech implicated in a money laundering scandal will lose the trust of clients and partners.
Regulation of cryptoassets (MiCA)
The year 2025 is also a watershed year for companies doing business in cryptocurrencies and cryptoassets. EU Regulation 2023/1114 on markets in cryptoassets (MiCA) introduces the first ever comprehensive regulation of this sector in Europe. The MiCA was formally approved in May 2023 and its provisions take effect in two phases: from 30 June 2024, rules apply to so-called stablecoins (tokens pegged to the value of fiat currencies, officially asset-linked tokens - ARTs - and electronic money tokens - EMTs), and from 30 December 2024, all other provisions, in particular the regulation of cryptoasset service providers (CASPs). In practice, therefore, from January 2025, the crypto-industry is subject to uniform rules across the EU.
Who is affected
The MiCA Regulation affects all entities that issue cryptoassets or provide cryptoasset-related services in the EU. This includes for example: crypto exchanges and exchangers, custody wallet operators, token trading platforms, crypto advisory service providers, but also issuers of new cryptocurrencies or tokens in ICO/ITOs. It does not apply to cryptoassets that are already regulated by other legislation - e.g. security tokens considered as investment securities fall under capital market laws (MiFID) and are not covered by MiCA. Further, MiCA does not address unique NFTs (non-fungible tokens) in their pure form, unless they are serially traded tokens. However, the vast majority of common cryptocurrencies (Bitcoin, Ethereum, etc.) and related services will fall within the MiCA framework.
Key obligations under MiCA:
- Crypto-Asset Service Provider (CASP) licensing: from 1 January 2025, only an entity licensed as a Crypto-Asset Service Provider (CASP) may operate an exchange, an exchange service (exchanger), brokerage, cryptocurrency custody, etc. in the EU. Existing companies will have to obtain a licence from the relevant supervisor (in the Czech Republic, the Czech National Bank) by a certain date. The CASP licence will be uniform and recognised in all EU countries (single passport principle). Conditions for obtaining a licence include e.g. sufficient capital, ensuring management expertise, putting in place procedures to protect client assets, measures against cyber-attacks etc. Firms that currently operate under trade licenses (typically cryptocurrency exchanges) will have to move to a fully regulated regime - this may mean significant investment in compliance and structural change (as the Latvian regulator expects, MiCA may lead to consolidation of the industry and the demise of smaller players that do not meet the conditions).
- White paper in token issuance: the MiCA introduces an obligation for anyone offering crypto-assets (except stablecoins) publicly or wishing to accept them for trading on a platform to publish an information document - a "crypto-asset white paper". This contains easy-to-understand information about the project, the rights associated with the token, the technology, the risks, etc., similar to a prospectus for shares. The white paper is submitted (for notification only, not for approval) to the regulator. There are some exceptions - e.g. if the token is offered to less than 150 persons in each country, or the total value of the offering is under EUR 1 million in 12 months, no white paper is required. For stablecoins (ART/EMT), a stricter regime applies - the issuer must meet capital requirements, obtain authorisation and is subject to supervision (the stability of the value of these tokens is crucial for the financial system).
- Customer protection and market integrity: crypto service providers must act honestly, fairly and in the best interests of their clients. For example, the MiCA requires them to segregate client crypto-assets from their own, establish rules to address customer complaints, and disclose fees and risks associated with products. Market manipulation and abusive practices in the cryptoasset market will be prohibited - bringing the EU's equivalent of the traditional securities regime (MAR) to cryptocurrencies.
- AML/CFT and risk management: crypto firms under MiCA will also have to comply with AML/CFT requirements in exactly the same way as banks. This includes identifying customers, monitoring transactions, reporting suspicious transactions to the FAU. In addition, MiCA emphasizes the need for cybersecurity measures and contingency plans - e.g., custody providers must have well-secured wallets, backup mechanisms in case of technical failures, etc.
Impacts and penalties
For Czech crypto fintechs, MiCA represents a fundamental change in the "rules of the game". The hitherto relatively free environment is gaining a firm framework similar to that of a regulated financial market. On the one hand, this will increase the credibility of the industry (clients will be better protected and the regulator will have tools against fraudulent projects); on the other hand, the costs of regulatory compliance will rise. Firms that do not comply will not be able to continue legally: operating crypto-asset services without authorisation will be illegal and severely punished. Penalties for violating MiCA can be very high. Regulators (e.g. the CNB) are given the power to impose fines in the order of up to EUR 20 million or 5% of a firm's total annual turnover, whichever is higher; the exact maximum under MiCA varies by type of infringement. These limits are comparable to the GDPR and signal that the EU will require strict compliance (for example, a firm that continues to operate an unauthorised exchange could face fines in the hundreds of millions of CZK). For less serious breaches, lower fines apply; some sources suggest up to EUR 700,000 for individuals such as responsible managers, or minimum fines of EUR 500,000 for illegal operation of an exchange in the Czech Republic. In addition to financial penalties, there is of course also criminal risk: money laundering through crypto-assets or fraudulent ICOs may lead to criminal prosecution of the responsible persons.
How to prepare for MiCA
Crypto-asset entities should take immediate steps to ensure compliance. Existing crypto firms (exchanges, exchange services) should begin the authorisation process: contact the CNB, familiarise themselves with the licensing requirements, and begin gathering the documents needed for the application. Latvijas Banka has announced that it will be ready to issue CASP licences from January 2025; the CNB can be expected to run its processes on a similar timeline. Internal processes also need to be adjusted: the necessary policies (for protection of client assets, proprietary trading, conflict-of-interest management, etc.) must be put in place, missing functions must be added (e.g. a compliance function and a function for reporting suspected market abuse), and security audits of IT systems must be arranged. Token issuers should prepare template white papers and a process for notifying them to the regulator. It is also advisable to review contracts and arrangements with clients: terms and conditions will need to be updated to reflect customers' rights under MiCA (information on risks, a clear statement that crypto-assets are not covered by deposit guarantee or investor compensation schemes, etc.). For some projects, MiCA implementation may also involve a strategic decision on whether to proceed at all; entities that are unable to meet capital requirements or other demands may consider merging with larger players (market consolidation). Conversely, those who adapt to regulation in time will gain a head start and the ability to offer services legally across the EU.
Main risks of non-compliance
It is clear from the regulations described above that the regulatory bar for fintechs in 2025 is rising significantly. Supervisors are being given new tools and powers to enforce compliance across the EU. The main risks of non-compliance can be summarised as follows:
- High financial penalties: the new rules allow for fines in the millions to tens of millions of euros, often tied to a firm's turnover (5-10% of annual turnover is not exceptional). For smaller fintechs, even a fine in the tens of thousands of euros can be an existential threat, let alone a penalty in the millions. Moreover, these fines can accumulate: a firm operating in several regulated areas could face sanctions for breaching multiple regulations at the same time.
- Loss of licence or business authorisation: regulators are empowered to suspend or revoke the licence of an entity that grossly or repeatedly violates its obligations (e.g. ignores security risks, deploys a prohibited or non-compliant AI system, or fails to implement AML remediation measures). Prohibition is the ultimate but realistic sanction and would effectively end a start-up. In the payments and crypto-asset space in particular, a licence is an essential prerequisite for doing business; losing it puts a company out of business.
- Criminal and legal liability: neglect of duties can also lead to personal liability of management. In the AML field, for example, managers who deliberately ignore warning signs can be prosecuted for laundering the proceeds of crime. If a regulatory failure leads to client harm (data leakage, financial losses), class actions or individual claims for damages may follow. In addition, the proposed EU rules on AI liability, if adopted, may shift the burden of proof towards developers, increasing the likelihood that injured clients will succeed in litigation.
- Reputational loss and client churn: the fintech sector is built on trust and innovation. If it comes to light that a firm has underestimated security (e.g. a data leak resulting from non-compliance with DORA) or failed to respect clients' rights (e.g. by using AI in decisions without adequate explanation), this can irreparably damage its reputation. Clients today are sensitive about the protection of their data and money; published sanctions from the regulator or negative publicity will drive customers to compliant competitors. Investors and partners will also be wary of working with a firm that has a blemish on its supervisory record.
All in all, the risk of non-compliance with the new obligations in 2025 is not merely theoretical; on the contrary, EU supervisors are signalling that they intend to enforce the rules vigorously. Fintech companies therefore need to take a proactive approach to compliance, treating regulatory requirements not as an obstacle but as a necessary part of doing business in finance. Those who fail to comply may be sanctioned so heavily that the very existence of their business is threatened.
Conclusion and recommendations: how to prepare for change
The year 2025 brings increased regulatory demands on the fintech sector, but with appropriate preparation these can be managed and used to your advantage. Here is a summary of key recommendations on how to prepare for the new obligations:
- Keep an eye on legislative developments: keep track of exactly when each regulation comes into force (e.g. DORA January 2025, AI Act phased 2025-26, MiCA end 2024, etc.) and when any transition periods end. Attend professional seminars, read regulators' circulars (CNB, FAU) and join industry associations (Czech Fintech Association, etc.), which often share practical information. Regulation is evolving - e.g. AI Act implementation rules will be issued in 2025-26, so stay up to date.
- Do an internal audit and gap analysis: Map out where your business currently stands against the new requirements. Ideally, make a list of obligations for each regulation and verify compliance. E.g.: Do we have a formally appointed person responsible for AML? (If not, appoint one - this will also be a legal obligation). Do we keep logs of ICT incidents under DORA? Do we use any AI for decision making and does it meet the non-discrimination principles? This will identify areas where processes need to be added or existing practice documented.
- Strengthen the team and knowledge: consider whether you have sufficient staff capacity for new compliance obligations. You may need to hire or allocate a dedicated compliance officer (if you don't already have one) or strengthen your IT security team. Invest in training - not just for specialists, but also more broadly for staff so they understand the importance of the new regulation (e.g. training staff on cyberhygiene will help comply with DORA, training developers on the AI Act will in turn prevent problems with inappropriate use of AI).
- Create a roadmap and prioritize: Management, along with legal and compliance, should put together an implementation roadmap: which tasks need to be completed by when. For example: by Q3/2024 modify business terms due to MiCA, by the end of 2024 apply for CASP license, during 2025 deploy new DORA incident reporting systems, etc. Not all changes can be done at once - need to prioritise by risk (biggest risks of non-compliance to be addressed first). Include budget in the plan as some measures may be costly (e.g. penetration testing, purchase of new monitoring software).
- Automation and technology: use modern tools to manage the scope of responsibilities. RegTech solutions are available on the market - for example, software for ongoing compliance monitoring (compliance management tools), tools for monitoring transactions and sanctions lists (for AML), anomaly detection systems (for DORA), or platforms for recording and documenting AI models. These technologies can streamline compliance and reduce human error.
- Working with experts: you don't have to go it alone. It's helpful to consult with legal counsel or auditors on specific issues, especially if you're doing business in multiple jurisdictions. Experts who monitor regulatory interpretation on a daily basis can help you avoid inconsistencies due to misunderstanding of a requirement. For example, assessing whether your AI system falls within the "high-risk" category under the AI Act can be complex, and an outside opinion will prevent problems later. Also, don't be afraid to reach out to regulators directly - CNB operates an Innovation Hub to advise fintech innovators on regulatory issues, which can clear up confusion and prevent mistakes.
By preparing early and systematically, you can ensure that your fintech company is fully compliant with the new regulations in 2025, gaining the trust of clients and a head start on competitors who may be slow to react.
How ARROWS can help you
Navigating such extensive regulatory changes and implementing them correctly in practice can be challenging for fintechs. ARROWS law firm offers comprehensive support and partnership in this area. Our team of lawyers specialising in financial law and the fintech industry follows the latest developments in European legislation and has practical experience in implementing regulatory requirements for financial institutions. How can we help you specifically?
- Regulatory impact analysis on your business: we will conduct a detailed audit of your services and processes in light of the new regulations (PSD3, DORA, AI Act, AML, MiCA, etc.). We will identify the specific obligations that apply to your company and highlight any compliance gaps. You'll get a clear map of what needs to be adjusted.
- Tailored implementation: we'll help you create or modify internal policies, procedures and contractual documentation to meet the new requirements. For example, we will prepare new terms of business and client information documents (according to PSD3 or MiCA), ICT risk and incident management guidelines (DORA), code of ethics for AI development (AI Act), update internal AML regulations, etc. All in accordance with Czech law and relevant European standards.
- Training and workshops. We will teach your team to recognize risk situations (e.g. cyber incidents, suspicious transactions) and to react correctly according to legal requirements. This will minimize the risk of human error leading to sanctions.
- Licensing and regulatory procedures: if you need to obtain a new license (typically a payment institution license, an electronic money institution license or now newly a CASP license for crypto services), we will guide you through the entire process with the Czech National Bank. We will prepare the application, necessary documents and communication with the regulator to make the procedure run smoothly. We also assist with notification obligations (e.g. white paper notification under MiCA).
- Ongoing advice and compliance monitoring: regulatory compliance is not a one-off event - we offer long-term cooperation in the form of external compliance monitoring. We will monitor further changes in the law, alert you to new obligations and consult you on specific situations (e.g. the introduction of a new technology or product from a regulatory perspective). We will identify a potential problem early and propose a solution before it can escalate into a sanction procedure.
- Incident and dispute resolution: if an unwanted event has already occurred - a security incident, a suspicion by a regulator or even the initiation of an administrative procedure - we will represent your interests. We will help with the mandatory communication (DORA incident reporting, explanation of supervision in an inspection, remediation plan) and will defend your company in proceedings so that the impact is minimized.
ARROWS law firm understands the specifics of the fintech industry and the speed at which the industry is evolving. Our goal is to be your partner, providing legal certainty so you can focus on growing your business. With a combination of legal knowledge and a hands-on approach, we help fintech clients effectively implement new regulations - from initial analysis to final compliance and team training. With our support, you can navigate the challenging year 2025 without unnecessary complications and turn regulatory challenges into an opportunity to strengthen your firm's credibility and stability.
In conclusion, regulations such as PSD3, DORA, the AI Act, the AML package and MiCA set new "boundaries" for fintech innovation in Europe. They bring greater client protection and market stability, but also require fintech companies to take a professional approach to compliance. Firms that prepare early and invest in compliance will gain a head start and confidence for further development; those that ignore regulation will bear disproportionate risks. Fintech's future belongs to those who innovate responsibly and within the law. ARROWS law firm is ready to lend a hand on this path to responsible growth.
PSD3 - Draft Payment Services Directive 3 and related regulations