The EU's Quiet Overhaul of Retail Finance: Five Programs, One Perimeter

MiCA, MiFID II, DORA, PSD3, and the Retail Investment Strategy are reshaping EU retail finance into a single authorised perimeter. Here's how they fit together.

Over the past year, the European Union has quietly rewritten the rulebook for how ordinary people use money, invest, and hold digital assets. It's the biggest shake-up of retail finance since the 2008 crisis — but almost none of it has made the news, because it arrives in the form of dry press releases and technical consultations.

Five programs are doing the work. They have clunky names — MiCA, MiFID II, the Retail Investment Strategy, DORA, and PSD3 — but the underlying idea is simple. Any company that sells a financial product to someone living in the EU now has to be licensed in the EU, built strongly enough to survive a cyberattack, and held responsible if customers get defrauded. Products that don't fit inside this perimeter are being pushed out. That's already why stablecoins like Tether were delisted from European exchanges in 2025, and why tokenised gold (PAXG) disappeared alongside them.

This analysis walks through what each program is meant to do, what they add up to together, and where the trade-offs lie.

The Key Findings

MiCA: The Licence Required to Sell Crypto in Europe

MiCA — the Markets in Crypto-Assets Regulation — is the foundation. The European Parliament approved it on 20 April 2023 with 517 votes in favour, creating the first EU-wide rulebook covering supervision, transparency, consumer protection, and even the energy consumption of major crypto providers (Source: European Parliament, 20230414IPR80133).

The rule is straightforward. If you want to sell crypto services to people in the EU — an exchange, a wallet, a stablecoin — you need an EU licence. If you issue a stablecoin, you have to prove you're holding real money to back it, you have to let customers redeem it, and you have to be authorised by an EU regulator. When these rules took effect in 2024 and 2025, the biggest exchanges quickly removed the stablecoins whose issuers refused to register in the EU. Tether (USDT) was the most famous casualty. Paxos Gold — a token backed one-to-one by real gold bars — was dropped for the same reason: its US issuer had not obtained EU authorisation.

MiCA also works alongside an older rule agreed in June 2022 that applies the "travel rule" to crypto transfers. Every transfer — no matter how small — has to carry the sender's and receiver's identity, and exchanges have to screen both against sanctions lists, including transfers to private wallets above €1,000 (Source: European Parliament, 20220627IPR33919). Anonymous crypto use through licensed European platforms has become structurally difficult.

MiFID II and the Retail Investment Strategy: Making Investing Simpler — In One Direction

MiFID II is the rulebook that decides who can sell investments in the EU and how. A wave of updates is currently being rolled out to make it easier for ordinary people to invest — but only through approved channels.

On 26 February 2026, ESMA (the EU's markets regulator) simplified rules on market data that investment firms have to pay for, aligning them with new standards that took effect in late 2025 (Source: ESMA). The same day, ESMA also clarified how regulators should oversee algorithmic and AI-powered trading. A related consultation from EBA and ESMA is tightening how banks and investment firms check whether their managers are fit for the job.

On 12 March 2026, ESMA published a set of actions aimed at making investing less painful for everyday people — reducing the mountain of forms you sign, cutting back the confusing sustainability questions, and making suitability checks less of a maze (Source: ESMA). And ESMA's March 2026 Costs and Performance report showed that fund fees have actually been falling: equity fund costs down 8%, bond fund costs down 15% (Source: ESMA).

The promise is real: investing in approved EU products is getting cheaper and simpler. The catch is that "simpler" only applies to those approved products. Anything outside the framework becomes harder to reach — not because it's banned, but because the paperwork and licensing squeeze it out.

DORA: If Your IT Can't Survive an Attack, You Can't Sell in the EU

DORA — the Digital Operational Resilience Act — took effect in January 2025. In plain English: if you're a bank, exchange, insurer, or payment firm operating in the EU, you have to prove that your technology can survive a cyberattack or system failure. You have to monitor your IT suppliers, report serious outages, and — if you're systemically important — pass real-world hacking tests (Source: ECB Banking Supervision).

On 24 March 2026, the European Central Bank launched the first wave of those tests. More than 80 of the largest EU banking groups were ordered to undergo "threat-led penetration testing" — ethical hackers trying to break into their systems to see what actually holds up (Source: ECB Banking Supervision).

The scale of the problem is real. In a speech in Brussels on 3 February 2026, ECB Supervisory Board member Patrick Montagner pointed out that over 85% of supervised banks are now using AI somewhere in their business, and that payment fraud across the EU hit €4.2 billion in 2024 (Source: ECB Banking Supervision). DORA is the EU's answer: serious money in finance requires serious cybersecurity. The side effect is that only big, well-resourced firms can afford to comply — which is, to a large extent, the intent.

PSD3: If You Get Scammed, the Bank Is on the Hook

On 27 November 2025, the European Parliament and Council agreed on a new set of payment rules — the Payment Services Regulation and the Third Payment Services Directive, known together as PSD3 (Source: European Parliament, 20251121IPR31540).

The headline change is simple: if your bank or payment app lets a fraudster trick you, the bank has to reimburse you in more situations than before. That includes impersonation scams — when a criminal pretends to be your bank or the tax office and convinces you to send money. The rules also standardise fees across the EU, improve cash access in remote places, and give fintechs better access to bank data (so-called "open banking").

For consumers, this is genuinely good news. For banks and payment firms, it means absorbing more fraud losses — which they either cover through better fraud prevention, or pass on through higher fees. Smaller payment firms that can't afford either will quietly exit the market.

The Big Picture: The Savings and Investments Union

All five programs sit under a bigger political project called the Savings and Investments Union, or SIU. The idea is that European households sit on enormous savings — mostly in bank accounts earning very little — while European companies struggle to raise money. The SIU's goal is to move that money from savings accounts into European businesses, through EU-regulated investment channels.

On 19 February 2026, the six largest EU economies — Germany, France, Spain, Italy, the Netherlands, and Poland — launched a joint initiative to push the SIU forward (Source: ECB). On 10 March 2026, EU finance ministers discussed the Commission's plan to unify capital markets supervision (Source: EU Council). On 26 March 2026, ECB Supervisory Board member Pedro Machado called in a speech for EU-level oversight of capital markets to replace the current country-by-country patchwork (Source: ECB Banking Supervision).

The SIU is the destination. MiCA, MiFID II, the Retail Investment Strategy, DORA, and PSD3 are the tools that get it there.

What This Means for You

Put it all together and the picture is clear. Any financial product sold to someone in the EU now has to tick five boxes: issued by an EU-licensed company, sold on EU-approved terms, running on resilient technology, delivered through regulated payment rails, and built around protecting the consumer. That's the perimeter.

The benefits are real. Fewer shady crypto schemes. Stronger fraud protection when criminals trick you into sending money. Cheaper, simpler investment products for everyday people. Banks and exchanges that can actually survive a cyberattack. These are meaningful improvements, and the €4.2 billion in EU payment fraud in 2024 alone shows why they were needed.

But the perimeter also has a clear shape. If a product or provider doesn't fit inside it — a non-European crypto issuer that won't apply for an EU licence, a tokenised gold product from a US company, a smaller fintech that can't afford DORA's testing costs, a commodity service from a UK bank trying to serve EU customers — they get pushed out. That's exactly what happened with Tether and Paxos Gold.

There's also a tension at the heart of the project. The EU is simultaneously adding rules and trying to simplify them. In February 2026, the European Parliament created a new "small mid-cap" category of company to exempt mid-sized European firms from some of the rules, because the overall weight of regulation was slowing them down (Source: European Parliament, 20260220IPR35906). That's a quiet admission that the framework has become heavy — including for the very European businesses it's meant to help.

The practical bottom line: the range of financial products an ordinary person can access in the EU is narrowing toward EU-licensed, EU-supervised, EU-anchored options — and away from cross-border or non-European alternatives. Whether you experience that as protection or as a limit depends on what you want to do with your money.

What to Watch

The push for EU-level financial supervision: The Commission's proposals discussed in March 2026 would transfer real power from national regulators to EU bodies like ESMA. If that happens, it's the biggest shift toward a single European financial market in decades.

Results from the first big cyber tests: The 80+ banks ordered to undergo penetration testing will report their results over the next three years. Serious weaknesses could trigger another wave of IT rules — possibly extended to crypto firms and payment providers too.

Whether "simplification" actually simplifies: ESMA has admitted that the first generation of sustainability rules produced forms nobody reads. The coming cleanup is a test of whether the EU can roll back complexity it created itself.

Fraud reimbursement in practice: Once PSD3 is written into national law, we'll find out whether banks can absorb the cost of refunding scam victims — or whether fees rise to cover it.

What gets regulated next: Tokenised bank deposits, tokenised shares, and tokenised commodities are the next frontier. How the EU draws the line on these will decide how much of the emerging digital asset world stays open to ordinary European investors.

Methodology & Sources

This analysis is generated from structured event data extracted from official government and institutional sources worldwide.

This report does not constitute predictions or financial or legal advice.