New European Union rules affecting cybersecurity and digital resilience, known as "DORA," came into effect this year, and similar, if arguably less onerous, rules have come into force into the UK. The author examines the territory.

The following article comes from Rachel Cropper-Mawer, partner and head of regulatory services, Ogier. The article covers topics such as the recent DORA legislation that took effect in Europe in January (see a related article here).

These comments are designed to stir up conversations, and the editors are pleased to share these views; please remember that guest opinions aren’t necessarily endorsed by the editors. Join in the conversation! Email tom.burroughes@wealthbriefing.com and amanda.cheesley@clearviewpublishing.com

The year looks set to be a busy one on the regulatory front, with the implementation of significant changes affecting sustainability, environmental harm and digital assets across the EU and the UK.

There is also a focus on digital asset risk management and digital asset regulation – and all of this is set against the backdrop of the new Trump administration in the US, which could have global ramifications, turn everything regulatory on its head, drive protectionism and lead to a higher-risk investment environment.

The Digital Operational Resilience Act
The Digital Operational Resilience Act (DORA), which came into force on 16 January, is a particularly noteworthy regulatory change, raising the bar globally for digital security in the financial services industry. It sets out requirements for EU financial entities to manage IT and cyber security risks and to create a register of key data regarding information and communication technology services providers.

Financial entities that are in scope should by now have completed their assessments and will be updating their member state regulatory bodies as to any key dependency digital service providers by 30 April 2025. 

As well as having broad application to EU-authorised financial entities, there is also a substantial impact on international finance centre entities and service providers. DORA does not clearly specify its territorial scope for financial entities. Therefore, for each type of entity, it is necessary to refer to the EU regulations/directives setting out the harmonised rules for that type of financial entity to determine the territorial application. 

Similar, if arguably less onerous, rules have been enacted in the UK which came into force on 1 January 2025.

ESG reporting
There is also big movement in the ESG space this year. First, ratings agencies have come under significant scrutiny as to how they are giving ESG ratings. This is long overdue in terms of regulation, and it is expected that the UK government will enact legislation, bringing in rules to ensure transparency regarding the methodologies, governance and processes used to decide the ratings.

The EU is also under pressure to consolidate the legislation on corporate sustainability. This is under review and may mean that the Corporate Sustainability Due Diligence Directive, the Corporate Sustainability Reporting Directive, and the EU taxonomy for sustainable finance are in some way consolidated or simplified.

In addition, there are changes afoot in the UK and the EU for the reporting of sustainability of financial instruments and products. In the UK, disclosures in respect of each sustainability labelled product is required within 12 months of the designation or by 2 December 2025 at the latest. Entity-level disclosure requirements enter into force from 2 December 2025 for firms with more than £50 billion assets under management.

In the EU from 21 May 2025, existing funds must comply with the European Securities and Markets Authority's (ESMA) ESG fund name guidelines, including investment criteria for funds branded with sustainability or ESG-related terms. 

The EU is also scheduled to review the Sustainable Finance Disclosure Regulation and technical standards in 2025. No date has been set for this as yet, but the technical standards for Principal Adverse Impact reporting and "do no significant harm" test is expected in 2025.

Retail investors
The so-called “democratisation of investments” remains a key theme too – and the EU has indicated that it requires a new retail investment product or vehicle to make investing more accessible to consumers who are sitting on their savings in bank accounts rather than investing them, which impacts both their wealth and that of the bloc. 

Finance experts are arguing that this undermines the branding of the UCITs product, which has been an incredible success for many years and should be sufficient to fulfil this objective. 

However, in a bid to make the market more attractive, other measures are also necessary. It is thought that the EU will revisit value for money benchmarks, suitability assessments and key information documentation requirements for packaged retail and insurance-based investment products (Priips) – all of which is under review in 2025. ESMA is also due to provide fund liquidity management guidelines by mid-April and rules of loan origination funds by the end of the year.

Markets in crypto-asset regulation
On the crypto-assets front, the Markets in Crypto-Assets Regulation (MiCAR) came into force on 30 December 2024, bringing with it a number of ongoing obligations, relating to the regulation and supervision of crypto-asset issuance, offering, admission to trading, and crypto-asset service provision in the EU.

The European Supervisory Authorities – the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority – jointly issued guidelines to standardise the regulatory classification of crypto-assets which are not already regulated under existing financial regulation, whilst the European Securities and Markets Authority (ESMA) also issued guidelines – Third-Country Sales Guidelines – on what constitutes third-country firm solicitation of EU customers for the sale of crypto assets.

These guidelines confirm that it is unlawful for a firm in a third country to sell crypto-assets into the EU unless the entity has a registered office in an EU member state and is an EU-authorised financial entity. It is, though, lawful for an EU entity or person to request crypto-asset services from a third country firm and, subsequently, for that firm to offer the same types of assets or services as were solicited to the same client but not to offer different types of services or assets.

Non-EU firms and intermediaries should pay careful attention to this guidance, which goes so far as to suggest that to avoid the inference of unlawful solicitation of EU investors, non-EU crypto-asset firms should prohibit investment by EU investors.

Complex landscape 
It is clear that the regulatory landscape in 2025 is set to become increasingly complex, across the data security, crypto-assets and sustainability sectors. Businesses and intermediaries in the EU, UK and IFCs such as Jersey and Guernsey need to ensure that they are tuned into these changes so that they can steer a safe course themselves, and support international investors.