Europe finds itself in the midst of what is probably the largest regulatory transformation wave since the 2008 financial crisis. Banks and insurers face not one but a multitude of near-simultaneous regulatory initiatives – from digital operational resilience to artificial intelligence, capital markets infrastructure and sustainability. Those that do not approach the coming 24 months with a targeted strategy risk not only compliance deficits and supervisory findings but also losing ground to institutions that leverage regulatory change as a catalyst for transformation.

At a Glance

Period: 2025–2027, with focus on 2026 and 2027

Regulations in scope: DORA, Basel IV/CRR III, MiCA, EU AI Act, AML Package/AMLA, PSD3/PSR, MiFIR Review, FiDA, CSRD, T+1 Settlement, Solvency II Review, IDD

Geographic focus: EU (with direct effect in Germany) and Switzerland (own legal framework, but close regulatory exchange with the EU)

Critical deadline: 2 August 2026 – EU AI Act for high-risk AI and GPAI systems in financial services fully applicable

Key deadline: 11 October 2027 – T+1 Settlement go-live (EU, UK and Switzerland coordinated)

The Regulatory Roadmap

The particular challenge of the current regulatory cycle lies not in the complexity of individual requirements but in their simultaneity. Between 2025 and 2027, European financial institutions will be confronted with more than ten major regulatory initiatives that must be implemented not sequentially but in parallel. DORA has been fully applicable since January 2025 and requires ongoing adjustments. At the same time, implementation work is under way for the EU AI Act, the AML package and the T+1 settlement migration – with diverging deadlines, different authorities and massive IT implications.

For Germany, the majority of these regulations apply directly as EU law. Institutions in Switzerland face a different starting position: Switzerland is not an EU member and frequently develops regulatory equivalents independently, but aligns closely with European standards to maintain market access. This regulatory parallel universe creates considerable additional complexity for internationally active Swiss institutions and for banks and insurers operating simultaneously in Germany and Switzerland.

"Ten regulations in 24 months – this is not normal regulatory business. This is a structural reordering of the financial services industry."

Regulatory Timeline 2024–2027

The following overview shows the key dates in European financial regulation from late 2024 to October 2027 – organised by time period and differentiated by applicability in the EU, in Germany (as an EU member with national transposition aspects) and in Switzerland.

Regulatory Matrix: Pressure vs. IT Impact

As a complement to the timeline, an interactive Regulatory Matrix is available. It positions all 12 regulations according to regulatory pressure and depth of required IT transformation – analogous to a BCG portfolio matrix.

Regulatory Timeline: Financial Services Europe 2024–2027
Key dates for banks and insurers – EU, Germany and Switzerland compared
Q4 2024
MiCA fully in force (30 Dec 2024)
EU/DE: Markets in Crypto-Assets Regulation (MiCA) fully applicable. Crypto-asset service providers require a CASP licence. CH: DLT Act (2021) and FINMA guidelines on virtual assets as equivalence framework already in force.
Q1 2025
DORA applicable (17 Jan 2025) · CRR III phase-in start · AI Act: prohibitions
EU/DE: DORA applies to all supervised financial undertakings incl. insurers and ICT third-party providers. CRR III starts with output floor at 50%. AI Act: prohibited AI systems from February 2025. CH: FINMA Circular 2023/1 on operational resilience since 1 Jan 2024 as DORA equivalent; Basel IV implementation by FINMA in parallel.
Q2–Q4 2025
AI Act GPAI (Aug 2025) · CSRD reporting large undertakings · AML package final legislation
EU/DE: General Purpose AI Models (GPAI) under AI Act applicable from August 2025. CSRD mandatory reporting for large undertakings (FY 2024). AML package (AMLR + AMLD6 + AMLA Regulation) in final legislative phase. CH: CO Art. 964a–c: sustainability reporting for large undertakings from FY 2024. GwG revision in consultation.
Q1–Q2 2026
PSD3/PSR transposition deadline · MiFIR Review provisions · Solvency II Review · Basel IV output floor 55%
EU/DE: PSD3 Directive: transposition deadline for Member States running; PSR directly applicable. MiFIR Review (EU 2024/791): Consolidated Tape, SI regime. Solvency II Review (Omnibus I): new capital rules for insurers in application. Basel IV output floor rises to 55%. CH: Own payments law (no PSD3 obligation). SST as standalone solvency model; FINMA adjusting circulars. Basel IV phase-in parallel to EU.
2 August 2026
EU AI Act: High-risk AI and GPAI – Full application in the financial sector
EU/DE: AI systems for credit scoring, underwriting, AML screening, risk modelling and customer interaction subject from this date to full high-risk requirements: risk management, data governance, transparency, human oversight and conformity assessment. GPAI models with systemic risk subject to enhanced obligations. CH: No AI-specific legislation; DPA (2023) as data protection framework; FINMA guidance on AI in financial services expected. De facto alignment for internationally active institutions unavoidable.
Q3–Q4 2026
CSRD mid-sized undertakings · FiDA consultation framework · AMLA operational build-up
EU/DE: CSRD extended to mid-sized listed undertakings (reporting year 2025). FiDA: consultation phase and permission framework draft. AMLA in Frankfurt building up; first institutions placed under direct supervision. Basel IV output floor 55%. CH: FINMA monitoring FiDA development; Open Finance Initiative Switzerland running in parallel. AML equivalence assessment within the bilateral EU–CH framework.
Q1–Q3 2027
AMLR/AMLD6 applicable · FiDA permissions · Basel IV output floor 60% · T+1 test phase
EU/DE: AML Regulation (AMLR) directly applicable; AMLD6 transposed by Member States. FiDA: first permission schemes for financial institutions. Basel IV output floor at 60% (from 2027). T+1: industry-wide test phase for all market participants. CH: GwG revision in force; SIX Group coordinating T+1 test phase with EU. FINMA circular on financial data access in consultation.
11 Oct 2027
GO-LIVE: T+1 Settlement in EU, UK and Switzerland · Basel IV output floor 65% (from 2028)
EU/DE/CH: Securities transactions settled on a T+1 basis from this date in a coordinated move. Settlement fail penalties (CSDR) apply from day one. Switzerland (SIX): simultaneous migration based on the coordinated agreement with EU and UK. Basel IV output floor rises to 65% in 2028.

Banks and Insurers Compared

Although many regulations apply across the board, the degree of impact and urgency differs considerably between banks and insurers. The following comparison shows the most important regulations and their primary effects per institution type.

Banks & Capital Markets Institutions

DORA – Fully applicable since Jan 2025. ICT risk management, incident reporting, third-party management and TLPT.

Basel IV / CRR III – Phase-in 2025–2030. New capital requirements, output floor, FRTB (market risk), SA-CCR (derivatives).

MiCA – CASP licence requirement, issuer requirements, custody rules for crypto-asset safekeeping.

EU AI Act – Credit scoring, AML screening, algorithmic trading as high-risk AI. Conformity obligations from Aug 2026.

AML/AMLA – Tightened KYC/KYB requirements, direct AMLA supervision for the largest institutions.

PSD3 / PSR – Open banking, strong customer authentication (SCA), new liability rules for payment initiation.

MiFIR Review – Consolidated tape, transparency obligations, SI regime adjustments.

FiDA / Open Finance – Data access obligations for all financial data (beyond PSD3).

CSRD – Sustainability reporting incl. double materiality and ESRS standards.

T+1 Settlement – Fundamental process overhaul in post-trade, FX, custody and fund administration by Oct 2027.

Insurance

DORA – Applicable since Jan 2025 also for insurance undertakings. ICT resilience, incident reporting, third-party risk management.

Solvency II Review (Omnibus I) – New capital requirements, simplified FLAOR, strengthened proportionality, revised long-term guarantee package.

IDD Update – Revised product information requirements (IPID, KID), sustainability preferences in the advisory process.

EU AI Act – AI in underwriting, claims assessment, fraud detection and pricing as high-risk applications from Aug 2026.

AML/AMLA – Life insurers as obliged entities. Tightened due diligence for insurance products with investment character.

CSRD – Sustainability reporting; insurers as institutional investors: double impact (own reporting obligation + ESG integration in investment portfolios).

SFDR / ESG Disclosure – Sustainability preferences in product classification (Art. 6, 8, 9) and advisory process (IDD supplement).

T+1 Settlement – Indirect impact: investment portfolios (fixed income, equities) and ALM processes must be adapted.

The Most Affected Business Areas

Regulatory requirements hit different business areas with very different intensity. The following overview shows which areas of a financial institution face the highest pressure – and from which regulations.

Capital Markets & Investment Banking

Regulatory pressure: Very high

This area is most heavily challenged by the combination of T+1 Settlement (complete process overhaul in post-trade by October 2027), MiFIR Review (transparency obligations, SI regime, consolidated tape) and CSRD (reporting obligations for issuers and investment banks). Shortening the settlement cycle to one day requires a fundamental reworking of trade allocation, the FX model, collateral management and securities lending processes. Additional market risk requirements under Basel IV / FRTB demand significant model and system changes.

Priorities: T+1 Settlement, Basel IV/FRTB, MiFIR Review, CSRD

Compliance & Risk Management

Regulatory pressure: Very high

Compliance and risk are de facto the cross-functional disciplines for all regulatory requirements. DORA demands a fully documented ICT risk landscape, ongoing third-party risk monitoring and real-time incident reporting chains. The AML package tightens KYC/KYB requirements, introduces direct AMLA supervision for the most systemically important institutions and requires harmonised risk assessment frameworks. The EU AI Act requires risk functions to establish an entirely new governance layer for AI systems: risk management, data governance and human oversight following a GDPR-like pattern. Basel IV necessitates the overhaul of internal rating models (IRB) and the implementation of the output floor as a capital backstop.

Priorities: DORA, AML/AMLA, EU AI Act, Basel IV/CRR III

IT & Operations

Regulatory pressure: Very high

DORA makes IT departments and ICT third-party providers a direct object of financial regulation for the first time. Requirements for ICT risk management frameworks, TLPT, incident classification and a register of all ICT third parties affect the entire technology organisation. The EU AI Act creates additional requirements for IT: technical documentation for high-risk AI systems, conformity assessments, logging obligations and ongoing monitoring of system performance. Cloud outsourcing governance (EBA/EIOPA guidelines) remains a standing topic. T+1 requires the conversion of batch systems to intraday real-time processing.

Priorities: DORA, EU AI Act, T+1, Basel IV (IT systems for new models)

Retail Banking & Payments

Regulatory pressure: High

PSD3 and the accompanying Payment Services Regulation (PSR) fundamentally reform the European payments market: open banking is expanded, liability rules for authorised push payment (APP) fraud are harmonised, and strong customer authentication (SCA) is further developed. FiDA goes far beyond PSD3 and obliges banks to provide savings account, credit, securities deposit and insurance data via APIs. AI in customer service and credit decision systems falls under the AI Act's high-risk category. AML requirements intensively affect account opening, transaction monitoring and suspicious activity reporting processes.

Priorities: PSD3/PSR, FiDA, EU AI Act, AML/AMLA

Asset Management & Wealth Management

Regulatory pressure: High

Asset managers are indirectly but massively affected by T+1 Settlement: NAV calculation, ETF funding gaps and subscription/redemption processes must be fundamentally accelerated. FiDA creates new data access obligations also for securities deposits and fund positions. CSRD and SFDR require both own sustainability reporting and ESG integration into all investment decision processes. The EU AI Act affects algorithmic investment strategies and AI-based investment advice. MiFIR transparency obligations for OTC business and new requirements from the SI regime add further complexity.

Priorities: T+1, FiDA, CSRD/SFDR, EU AI Act, MiFIR Review

Insurance Distribution & Underwriting

Regulatory pressure: High

The Solvency II Review overhauls capital requirements and strengthens the proportionality principle for smaller insurers – whilst simultaneously introducing new requirements for the valuation of long-term guarantees. The IDD update harmonises product information obligations and mandates the explicit collection and documentation of sustainability preferences in the advisory process. The EU AI Act classifies AI-assisted claims handling, underwriting models and automated pricing as high-risk applications. Life insurers with investment products are additionally subject to AML due diligence obligations and SFDR disclosure requirements.

Priorities: Solvency II Review, IDD, EU AI Act, AML/AMLA, CSRD/SFDR

Germany and Switzerland in Regulatory Comparison

For institutions operating in both markets, understanding the regulatory differences between Germany and Switzerland is essential. Germany is an EU member and subject to EU regulations directly; Switzerland develops independent equivalence solutions but aligns closely with the European standard.

Regulation Germany (EU) Switzerland
DORA Directly applicable since 17 Jan 2025. BaFin supervises implementation. EBA/EIOPA RTS binding. FINMA Circular 2023/1 "Operational Risks and Resilience" since Jan 2024 as functional equivalent. TLPT requirements similar, but independent supervisory regime.
Basel IV / Solvency II CRR III (banks): output floor phase-in 2025–2030. Solvency II Review (insurers): new capital rules 2026. FINMA implements Basel IV independently (parallel timeline). Insurers: SST instead of Solvency II – own model, no direct alignment planned.
EU AI Act Directly applicable. BaFin and national market surveillance authorities responsible. Conformity assessment mandatory from Aug 2026. No AI-specific federal legislation. DPA 2023 as data protection framework. FINMA guidance expected. De facto alignment obligation for institutions with EU market access.
MiCA / Crypto MiCA directly applicable since Dec 2024. CASP licence via BaFin. Grandfathering for existing providers expired. DLT Act (2021) and FINMA practice for virtual assets. No MiCA equivalent, but close FINMA supervision. Zug serves as European crypto hub with own regulatory approach.
AML / AMLA AMLR directly applicable 2027. AMLA headquartered in Frankfurt. GwG to be revised through AMLD6 transposition. FIU Germany. GwG (Anti-Money Laundering Act), FINMA Circular 2011/1 – standalone framework. Revision under way to align with FATF standards and EU equivalence.
PSD3 / Payments PSR directly applicable; PSD3 to be transposed into national law. ZAG to be amended. Own payments law. No PSD3 obligation; Open Finance Initiative Switzerland running as industry initiative (SIX, Swiss fintech players). Regulatory alignment voluntary.
CSRD / ESG CSRD directly applicable (following HGB amendment transposition). ESRS standards mandatory. BaFin supervises financial institutions. CO Art. 964a–c: sustainability report for large undertakings. Substantively similar to CSRD but standalone provision. Swiss banks with EU listing: dual reporting possible.
T+1 Settlement CSDR amendment directly applicable. Go-live 11 October 2027. Clearstream, Euroclear coordinated. SIX SIS coordinating with EU and UK. Switzerland migrates to T+1 simultaneously (11 October 2027). Own legal instrument, same date.

Recommendations

The regulatory agenda 2026–2027 leaves no room for a simple sequential approach. Financial institutions must set up parallel workstreams, embed regulatory programmes across business areas and consistently link regulation with strategic transformation. The following recommendations address the most important fields of action.

1. Establish a regulatory inventory and prioritised gap analysis

Immediately: No institution can prioritise effectively without a complete overview of its exposure to all current regulations. The first task is a consolidated regulatory inventory: which regulations apply when, in which jurisdictions and to which business areas? Building on this, a gap analysis by compliance maturity per regulation should be conducted – ideally using a heat-map approach combining urgency (deadline) and action required (gap). Programmes without clear ownership and budget should be stopped and restructured immediately. For institutions in Germany and Switzerland, a dual impact analysis is also necessary: what applies under EU law, what independently under the Swiss framework?

2. Treat DORA follow-up and AI governance as a strategic unit

Q2 2026: DORA has been in force since January 2025 – but applicability does not mean compliance. Most institutions are still in the refinement phase: completing ICT third-party registers, planning TLPT for the first test cycle, synchronising incident response processes with the new reporting obligations. Simultaneously, preparation for the EU AI Act from August 2026 must be integrated into the same governance framework. AI systems in regulated use cases (credit, AML, underwriting) now require: risk classification, technical documentation, conformity assessment planning and responsible persons as defined by the AI Act. Those who treat DORA and the AI Act separately waste resources and build parallel governance structures.

3. Set up a T+1 settlement programme with intraday architecture at its core

Q2–Q3 2026: 11 October 2027 is less than 20 months away. According to the ISSA industry survey, 65% of project work should be completed by end of 2026. This means: anyone without a programme structure today is already behind schedule. The T+1 programme must address intraday processing capability as its architectural foundation: STP automation for allocation and matching on trade date T+0, converting the FX model to same-day settlement, cleansing SSI quality and documenting custodian/counterparty dependencies. For asset managers, T+1 also means: accelerating NAV calculation, developing an ETF funding gap strategy and converting fund administration processes to T+2 (and prospectively T+1).

4. Prepare AML compliance architecture for AMLA direct supervision

H2 2026: The newly established Anti-Money Laundering Authority (AMLA) headquartered in Frankfurt will directly supervise the largest and most cross-border institutions in Europe. Initial supervisory assignments will be announced in 2026. This means concretely: implement harmonised risk assessment frameworks per AMLR requirements, elevate KYC/KYB processes to the new EU standard, align SAR processes with FIU requirements and – crucially – ensure the quality of AML AI systems meets EU AI Act high-risk requirements. Swiss institutions active in the EU market should proactively clarify the AMLA equivalence question with FINMA.

5. Treat sustainability regulation as a data and business model programme

Ongoing, with focus Q3–Q4 2026: CSRD, SFDR and the ESG dimensions of MiFID II and IDD collectively create a new data reality: financial institutions must systematically capture, validate and report the sustainability data of their portfolio companies, borrowers and policyholders. This is not a reporting problem but a data problem – and a business model problem. Institutions that treat sustainability requirements as a box-ticking exercise miss the strategic dimension: ESG data is becoming a central competitive factor in lending, asset management and insurance. The interfaces between ESG data, risk management (climate risk) and product development should be consciously designed now.

6. Actively manage regulatory divergence between the EU and Switzerland

Strategic standing task: Institutions operating in both markets must manage the growing regulatory divergence between the EU and Switzerland as a standalone risk. Switzerland pursues an independent regulatory path in key areas (AI, AML, payments) – with the goal of functional equivalence but without formal EU commitment. This creates operational complexity: different compliance frameworks, potential dual reporting obligations and strategic question marks around market access. Recommendation: build bilateral mapping tables (EU regulation vs. Swiss equivalent), establish regulatory early warning systems for both jurisdictions and coordinate communication with BaFin and FINMA rather than running it in parallel.

Regulatory Matrix 2026–2027

The following matrix positions the twelve central regulations along two dimensions: regulatory pressure (deadline urgency × breadth of impact × sanction risk) and impact on IT infrastructure (depth of required system and process changes). The combination of both axes shows where immediate action is required and where monitoring suffices.

MONITOR ACTION REQUIRED IMMEDIATE ACTION 30405060708090100 30405060708090100 REGULATORY PRESSURE IMPACT ON IT INFRASTRUCTURE 1 2 3 4 5 6 7 8 9 10 11 12 DORA T+1 AI Act AMLA PSD3 FiDA Basel IV CSRD MiFIR MiCA Solv.II IDD
Banks & Insurers (Cross-Sector)
Primarily Banks & Capital Markets
Primarily Insurance

Linear axis scaling (range 30–100). Positioning based on qualitative expert assessment (Regulatory Pressure = deadline urgency × breadth of impact × sanction risk; IT Impact = depth of required system and process changes). As of: March 2026

Disclaimer: This article was created on 5 March 2026 partially with the assistance of AI but has been edited, reviewed and fact-checked by a human. All regulatory timelines are subject to change.
newsletter
the agentic banker

Keep reading – in your inbox every two weeks.

Capital markets insights, regulatory updates and AI trends. Concise, well-founded, free of charge.

GDPR-compliant. Unsubscribe at any time.

← Back to overview