Regulatory Coverage

EU compliance, mapped to the regulation.

Every obligation under MiCAR, AMLD6, DORA, NIS2, and AMLA — and exactly which Arkē pillar handles it. No vague claims, no marketing-speak. Sourced references link directly to the Official Journal and EUR-Lex.

MiCAR

Markets in Crypto-Assets Regulation

In force · Full application from 30 December 2024 · EUR-Lex ↗

MiCAR (Regulation EU 2023/1114) establishes the first comprehensive EU-wide framework for crypto-asset service providers (CASPs). It applies to anyone issuing crypto-assets or providing crypto-asset services — exchanges, custodians, stablecoin issuers — operating in the EU, regardless of where they are headquartered. Full application began 30 December 2024, with stablecoin provisions (Titles III and IV) applying from 30 June 2024.

Key obligations
  • AML/CFT controls: CASPs must implement know-your-customer (KYC), customer due diligence, and ongoing monitoring equivalent to traditional financial institutions under AMLD6
  • Travel Rule compliance: CASPs must collect, hold, and transmit originator and beneficiary information for crypto transfers (mirroring FATF Recommendation 16)
  • Sanctions screening: Transfers to or from sanctioned individuals, entities, or jurisdictions must be blocked and reported
  • Suspicious transaction reporting: CASPs must file SARs with the national FIU for transactions exhibiting AML typologies — structuring, layering, or sanctions evasion
  • Ongoing transaction monitoring: Automated detection of unusual or high-risk transfer patterns, especially cross-border and crypto-to-fiat movements
  • Third-country CASP assessment: Enhanced due diligence for counterparties in high-risk or non-cooperative jurisdictions

How Arkē handles it
Obligation | Arkē pillar | What it does
KYC / counterparty due diligence | Screening ↗ | Screens CASPs and their customers against OFAC SDN, EU consolidated, UN, PEP lists, and adverse media. Risk score 0–100 in under 5 seconds.
Sanctions screening (transfers) | Screening ↗ | Each named counterparty checked against live sanctions lists before clearing. Matched lists returned with evidence breakdown.
Travel Rule — ongoing monitoring | Monitoring ↗ | Batch transaction analysis detects structuring, corridor risk, velocity patterns, and crypto-to-fiat layering in a single API call.
SAR filing for suspicious transactions | Reporting ↗ | Generates AMLD6/MiCAR-compliant SAR drafts in FIU narrative format — all four mandatory sections, missing-field checklist, suggested filing jurisdiction.
Third-country enhanced due diligence | Screening ↗ | Adverse media and jurisdiction-level risk factors surfaced automatically — UAE, BVI, and other high-risk corridors flagged without manual configuration.

AMLD6

6th Anti-Money Laundering Directive

In force · Transposed by EU member states from 3 June 2021 · EUR-Lex ↗

AMLD6 (Directive EU 2018/1673) is the foundational AML framework for the EU financial sector. It harmonises the list of predicate offences for money laundering across all member states — expanding to 22 offences including cybercrime and environmental crime — and introduces corporate criminal liability. Obliged entities include credit institutions, payment service providers, cryptocurrency service providers, lawyers, accountants, and real estate professionals. Member states were required to transpose by 3 June 2021.

Key obligations
  • Customer due diligence (CDD): Verify identity of customers, beneficial owners, and counterparties before establishing a business relationship or executing transactions above applicable thresholds
  • Enhanced due diligence (EDD): Apply strengthened measures for high-risk third countries, PEPs, and complex ownership structures — including source-of-funds verification
  • Ongoing transaction monitoring: Continuously scrutinise transactions for consistency with the customer's risk profile and reported business activity
  • Suspicious activity reporting (SAR): File a SAR with the national FIU whenever there is suspicion of money laundering or terrorist financing — without tipping off the subject
  • Record-keeping: Retain CDD documentation and transaction records for a minimum of five years
  • Risk assessment: Maintain a firm-wide AML risk assessment, updated regularly, covering customers, products, geographies, and delivery channels
  • Corporate liability: Senior management and legal persons (entities) can be held criminally liable for AML failures — no longer just individuals

How Arkē handles it
Obligation | Arkē pillar | What it does
Customer due diligence | Screening ↗ | Instant KYC screening against OFAC, EU consolidated, UN, PEP lists, and open-source adverse media. Covers both persons and legal entities.
Enhanced due diligence (PEPs, high-risk countries) | Screening ↗ | PEP status and high-risk jurisdiction flags surfaced automatically. Adverse media covers regulatory enforcement actions and court filings.
Ongoing transaction monitoring | Monitoring ↗ | Batch analysis of transaction streams for structuring, velocity spikes, round-number clustering, and high-risk corridor flows.
Suspicious activity reporting | Reporting ↗ | AMLD6 FIU-format SAR drafts with all four mandatory sections. Suggested filing jurisdiction based on transaction corridors. Missing-field checklist included.
Risk-based customer profiling | Screening ↗ + Monitoring ↗ | Risk score 0–100 per counterparty; transaction risk scores per row. Both feed the compliance officer's risk-based decision workflow.

DORA

Digital Operational Resilience Act

In force · Application from 17 January 2025 · EUR-Lex ↗

DORA (Regulation EU 2022/2554) mandates that financial entities — banks, investment firms, insurance companies, payment institutions, CASPs — achieve a high common level of digital operational resilience. It has applied since 17 January 2025. The regulation covers five pillars: ICT risk management, ICT-related incident classification and reporting, digital operational resilience testing, third-party ICT risk management, and information sharing. For Arkē users, the most operationally relevant obligations concern ICT third-party risk and incident reporting.

Key obligations
  • ICT third-party risk management: Conduct pre-contract due diligence on all ICT service providers — including cloud, SaaS, and compliance tooling — before onboarding them
  • Contractual requirements for ICT providers: Ensure contracts with critical third-party ICT providers include defined SLAs, audit rights, data portability, and exit strategies
  • ICT-related incident reporting: Classify and report major ICT incidents to the competent authority within prescribed timelines (initial notification, intermediate, and final reports)
  • Operational resilience testing: Conduct regular resilience tests — including threat-led penetration testing (TLPT) for significant entities
  • Concentration risk monitoring: Identify and monitor concentration risk arising from reliance on a single third-party ICT provider across critical functions
  • Information and intelligence sharing: Participate in threat intelligence sharing arrangements as applicable

How Arkē handles it
Obligation | Arkē pillar | What it does
ICT third-party due diligence | Screening ↗ | Screen ICT vendors and critical third-party providers against sanctions, PEP, and adverse media before onboarding. Regulatory enforcement history surfaced from open-source intelligence.
Third-party concentration risk assessment | Screening ↗ | Batch-screen your full vendor register to surface overlapping risk exposures — same jurisdiction, same corporate group, or shared adverse media history.
ICT incident classification and reporting | Reporting ↗ | SAR and incident report drafts structured around FIU narrative format — adaptable for DORA incident notification to national competent authorities. Missing-field checklist highlights gaps before submission.
Ongoing vendor risk monitoring | Monitoring ↗ | Monitor transaction flows to and from third-party ICT providers for anomalies — financial behaviour inconsistent with contract terms is an early DORA red flag.

NIS2

Network and Information Security Directive 2

In force · Transposition deadline: 17 October 2024 · EUR-Lex ↗

NIS2 (Directive EU 2022/2555) significantly expands the original NIS Directive's scope, now covering a broad range of sectors — financial services, digital infrastructure, cloud providers, managed security services, and more. EU member states were required to transpose NIS2 by 17 October 2024. For financial entities subject to both NIS2 and DORA, DORA is lex specialis and takes precedence; NIS2 applies to the broader supply chain and digital service providers that are not themselves financial entities.

Key obligations
  • Cybersecurity risk management: Implement risk-proportionate technical and organisational measures — including access controls, incident detection, cryptography, and supply chain security
  • Incident notification: Report significant cybersecurity incidents to the national CSIRT or competent authority within 24 hours (early warning), 72 hours (notification), and 30 days (final report)
  • Supply chain security: Assess and manage cybersecurity risks in supply chains, including ICT product and service providers
  • Business continuity: Maintain backup management, disaster recovery, and crisis management procedures
  • Senior management accountability: Management bodies of essential and important entities are personally responsible for NIS2 compliance
  • Vulnerability disclosure and information sharing: Cooperate with national authorities and participate in information sharing frameworks

How Arkē handles it
Obligation | Arkē pillar | What it does
Supply chain risk assessment | Screening ↗ | Screen third-party digital service providers, software vendors, and managed service providers against sanctions, adverse media, and regulatory enforcement databases before onboarding.
Incident notification (structured reporting) | Reporting ↗ | SAR-format draft generation adaptable for NIS2 incident notifications — structured narrative sections, missing-field checklist, suggested authority by jurisdiction.
Ongoing supplier monitoring | Monitoring ↗ | Monitor financial transactions with digital supply chain partners for unusual patterns — velocity changes or corridor anomalies can indicate supplier compromise or fraud.
Third-party PEP and sanctions exposure | Screening ↗ | Identify if key personnel or beneficial owners of supply chain entities are politically exposed or appear on EU/UN/OFAC sanctions lists — a NIS2 governance risk factor.

AMLA

Anti-Money Laundering Authority

Phased 2025–2027 · Authority established July 2025; direct supervision from 2027 · EUR-Lex ↗

AMLA (Regulation EU 2024/1620) creates a new EU-level supervisory authority headquartered in Frankfurt that will directly supervise the highest-risk obliged entities across the Union — approximately 40 cross-border financial institutions — and coordinate national supervisors for all other obliged entities. The authority was formally established in July 2025. Direct supervisory powers over selected entities begin in 2027. AMLA will maintain the EU AML rulebook (the new AML Regulation, adopted alongside AMLA), consolidating and replacing AMLD4, AMLD5, and AMLD6 into a single directly applicable regulation.

Key obligations (transitional and prospective)
  • Direct supervision readiness: Obliged entities identified by AMLA for direct supervision must demonstrate full compliance with the EU AML rulebook — gap assessments and documentation are required now
  • Harmonised CDD and EDD standards: AMLA will issue binding technical standards (BTS) to harmonise CDD processes across member states — obliged entities should track AMLA publications and align processes proactively
  • Centralised beneficial ownership data: AMLA will coordinate cross-border beneficial ownership register access — entities must ensure their beneficial ownership documentation is current and consistent
  • Cross-border SAR coordination: AMLA coordinates FIU cooperation for cross-border suspicious transaction analysis — SAR quality and consistency become more important as reports feed centrally
  • Crypto-asset provider integration: CASPs under MiCAR will fall within AMLA's supervision perimeter — compliance with both MiCAR and AMLA is required for crypto obliged entities
  • Supervisory convergence: National supervisors will be required to follow AMLA peer review outcomes — regulatory expectations will converge upwards across all EU member states

How Arkē handles it
Obligation | Arkē pillar | What it does
CDD / EDD documentation readiness | Screening ↗ | Every screening run produces a structured evidence record — matched lists, adverse media findings, risk score, and timestamp — audit-ready for AMLA supervisory review.
Beneficial ownership screening | Screening ↗ | Screen ultimate beneficial owners (UBOs) against PEP lists and sanctions — the most frequent gap in AMLA gap assessments for SMEs and fintechs.
Cross-border SAR quality | Reporting ↗ | AMLD6/AMLA-compliant SAR drafts with narrative sections aligned to FIU format. Missing-field alerts ensure completeness before filing — critical as AMLA centralises cross-border SAR review.
Ongoing monitoring for supervisory readiness | Monitoring ↗ | Continuous transaction monitoring demonstrates the "ongoing monitoring" requirement central to AMLA's risk-based supervisory expectations. Batch analysis covers AML typologies relevant to AMLA's enforcement priorities.
MiCAR + AMLA dual compliance (CASPs) | Screening ↗ + Monitoring ↗ + Reporting ↗ | CASPs subject to both MiCAR and AMLA supervision can use all three Arkē pillars from a single integration — no need to stitch together separate vendors for screening, monitoring, and SAR reporting.

Regulation Tracker — Live

Regulations change. Arkē updates within 24 hours of publication in the Official Journal of the European Union. New EBA guidelines, ESA technical standards, and AMLA binding instruments are applied to the obligation mapping as they come into force.

Most recent update applied: EBA AML/CFT Guidelines — Amendment No. 2026/03 (13 May 2026) · EUR-Lex ↗

Need a regulation we haven't mapped yet?

DORA RTS on ICT risk, SFDR, PSD3, AML Regulation 2024? Tell us and we'll map it within 24 hours of the next Official Journal publication.