MiFID Monitor Q3 2025

MiFID II

ESMA outlines preparations for new single volume cap mechanism under MiFIR

On 24 July 2025 ESMA published a new webpage on the volume cap mechanism (VCM) under the Markets in Financial Instruments Regulation (MiFIR)[1] along with a press release. The current double volume cap is to be replaced with a single volume cap from 9 October 2025 (in accordance with changes introduced under MiFIR II[2]).

Under a new Article 5 of MiFIR, the single VCM will limit the amount of share trading that market participants can undertake under a transparency waiver to an EU-wide threshold of 7%. If this limit is exceeded, trading venues must suspend the use of the waiver for the relevant instrument for a period of three months.

ESMA intends to publish results of the VCM on this new webpage, as well as providing a list of securities that breach the 7% threshold. The first results will be published on 9 October 2025 and subsequently on a quarterly basis. They will also set out suspension start and end dated for any breaches of the threshold.

ESMA encourages interested parties to prepare for this new VCM becoming active in Q4 2025.

A link to the new webpage can be found here.

A link to the press release can be found here.

ESMA updates reporting instructions for commodity derivatives under MiFID II

On 25 September 2025, ESMA published a document which sets out the updated reporting instructions for the weekly reporting of commodity derivatives positions under Article 58 of the Markets in Financial Instruments Directive II (MiFID II)[3] (as amended). In addition, a related XML schema was published.

These instructions apply to market operators and investment firms that operate a trading venue which trades commodity derivatives, or derivatives relating to emission allowances. It also applies where it is intended to implement systems for the uploading of position data for commodity derivative reporting to comply with obligations under MiFID III.

ESMA stated in a press release that the new XML schema and reporting restrictions will apply from 1 April 2026. The press release can be accessed here.

The document published by ESMA can be accessed here.

The XML schema published by ESMA can be accessed here.

DORA

Central Bank of Ireland publishes revised Operational Resilience Guidance

In July 2025 the Central Bank published its revised cross industry guidance on Operational Resilience (Revised Guidance). The Revised Guidance is applicable from 14 July 2025 and replaces the previous version that applied from 1 December 2021 to 13 July 2025. 

The Revised Guidance:

• requires all in-scope firms to complete an annual self-assessment of their operational resilience framework;

• extends the requirement to map dependencies on outsourced service providers that support critical or important business services to include any third-party service provider;

• clarifies its expectations for alignment with the Digital Operational Resilience Act (DORA)[4] for both firms that fall within the scope of DORA and those regulated firms which do not fall within the scope of DORA. The Central Bank requires firms that are not subject to DORA to consider implementing equivalent ICT risk management measures, including the DORA ICT Simplified Risk Management Framework;

• moves from a narrow focus on “outsourced service providers” to “third party service providers”;

• recognises that operational resilience and operational risk are distinct concepts;

• clarifies that critical or important business services must be external facing with identifiable end users; an

• withdraws its September 2016 Cross Industry Guidance in respect of Information Technology and Cybersecurity Risk Management to ensure regulatory simplification and clarity.

A copy of the Revised Guidance is available here.

ESAs publish guide on DORA oversight activities

On 15 July 2025, the ESAs published a guide on oversight activities under DORA. The guide was published in order to provide an overview of the processes used by the ESAs through the Joint Examination Teams (JET) to oversee critical Information and Communication Technology (ICT) third party service providers (CTPPs).

The guide provides a high-level overview of the CTTP Oversight framework, oversight process, governance structure, founding principles and tools available to overseers.

The full guide can be found here.

ESMA revised Guidelines on Outsourcing to Cloud Service Providers

On 30 September 2025, ESMA published the official translations of its revised guidelines on outsourcing to cloud service providers (Revised Guidelines).

ESMA’s original guidelines on outsourcing were published on 10 May 2021 (2021 Guidelines). ESMA is amending the scope of addressees of the 2021 Guidelines but is not substantively changing their contents. ESMA did not conduct open public consultations on the amendments to the 2021 Guidelines.

Under the Revised Guidelines the following change of scope of addressees has been made:

• the Revised Guidelines exclude financial entities that fall under the scope of the DORA; and

• the Revised Guidelines shall solely apply to AIF depositaries, as referenced in AIFMD, where they are not financial entities to which DORA is applicable; and (ii) UCITS depositaries, as referenced in the UCITS Directive, where they are not financial entities to which DORA is applicable.

A link to the Revised Guidelines can be found here.

EBA Consultation Paper on Draft Guidelines on Management of Third-Party Risk

On 8 July 2025, the EBA published a consultation paper on draft guidelines on the sound management of third-party risk (Draft Guidelines).

The Draft Guidelines update and replace the EBA's 2019 guidelines on outsourcing in order to bring them in line with the Regulation on DORA. They focus on third-party arrangements (TPAs) relating to non-information and communication technology (ICT) related services provided by third-party service providers (TPSPs) and their subcontractors.

The Draft Guidelines specify the steps to be taken by firms for the life cycle of TPAs to ensure consistency with DORA, to the extent possible. They also ensure consistency with the DORA register by allowing firms to store consistent information for both ICT and non-ICT services.

Under the Draft Guidelines, the scope of the financial entities will be expanded to include the following:

• issuers of asset-reference tokens (ARTs) subject to MiCAR[5];

• investment firms that do not meet all of the conditions to qualify as small and non-interconnected firm under the Investment Firms Regulation (IFR)[6]; and

• creditors defined under the Mortgage Credit Directive (MCD)[7] which are financial institutions

The Draft Guidelines seek to abolish the distinction between outsourced and non-outsourced functions. This significantly broadens the scope of the 2019 guidelines to include any arrangement with a TPSP including intra-group TPSPs. Under the Draft Guidelines, outsourcing is considered a sub-category of TPAs.

The Draft Guidelines require firms to include a register of all third-party arrangements. This broadly mirrors the requirement to maintain a register of TPAs concerning ICT functions under DORA. The EBA has proposed to amend the format of the outsourcing register in order to make it consistent with the register required under DORA, thus allowing information on ICT and non-ICT TPAs to be stored on a single register. However, they have clarified that firms are not required to merge the registers.

Once finalised, firms falling within scope of the updated guidelines will have a two-year transition period within which to review and amend their existing TPAs and update the register for non-ICT TPAs.

This consultation may be of interest to Irish fund management companies given that the Central Bank may seek to align its existing guidance on outsourcing with the revised EBA guidelines once finalised.

The Draft Guidelines can be accessed here.

AML & CFT

Delegated Regulation amending list of high-risk third countries under MLD4 published in OJ

On 16 July 2025 Commission Delegated Regulation (EU) 2025/1184 was published in the Official Journal (Amending Regulation).

This amends a previous Commission Delegated Regulation[8] containing the list of high-risk third countries with strategic anti-money laundering (AML) and countering the financing of terrorism (CFT) deficiencies.  The Amending Regulation updates the table of high-risk countries by:

• Adding: Algeria, Angola, Côte de Ivoire, Kenya, Laos, Lebanon, Monaco, Namibia, Nepal, Venezuela.

• Removing: Barbados, Gibraltar, Jamaica, Panama, the Philippines, Senegal, Uganda and the United Arab Emirates.

The Amending Regulation can be accessed here.

Amending Regulations - Beneficial Ownership of Trusts

On 15 July 2025, the European Union (Anti-Money Laundering: Beneficial Ownership of Trusts) (Amendment) Regulations 2025 were published, with an effective date of 10 July 2025.

These amendments seek to align the provisions of the European Union (Anti-Money Laundering: Beneficial Ownership of Trusts) Regulations 2021 (2021 Regulations) with the EU’s Sixth Anti-Money Laundering Directive (AMLD6). These amendments clarify who can access beneficial ownership information and under what conditions. AMLD6 expands access to central beneficial ownership registers by allowing persons with a "legitimate interest," such as journalists and civil society organisations, to access the same information as designated persons.

On 30 September 2025, the European Union (Anti-Money Laundering: Beneficial Ownership of Trusts) (Amendment)(No.2) Regulations 2025 (S.I. No 440 of 2025) were published, with an effective date of 1 October 2025.  These Regulations amend the 2021 Regulations: 

• to confirm that where a designated person under the 2021 Regulations forms the opinion that a trust has not been registered on the central register, that designated person has an obligation to inform the Registrar of this; and

• to impose an obligation on competent authorities to report to the Registrar the non-registration of a trust on the central register.

The amending Regulations can be accessed here and here.

The current version of the Central Bank’s Beneficial Ownership Register FAQ can be accessed here.

Data Protection

EU-UK Personal Data Transfers

On 22 July 2025, the European Commission announced that it has launched the process to adopt new adequacy decisions to allow the free flow of personal data between the EEA and the United Kingdom following its assessment of the recently adopted UK Data Use and Access Act which it has concluded continues to provide data protection safeguards which are essentially equivalent to those provided by the EU.

This follows the publication of a decision of the European Commission in June 2025 to extend the existing adequacy decisions under which the free flow of personal data from the EU to the UK can continue until 27 December 2025 (June 2025 Adequacy Decision).

A copy of the June 2025 Adequacy Decision is accessible here.

EU Savings & Investments Union

European Commission Recommendation on Savings & Investments Accounts and Financial Literacy Strategy

On 30 September 2025, the European Commission published a Commission Recommendation titled “Increasing the Availability of Savings and Investments Accounts with Simplified and Advantageous Tax Treatment” (Commission Recommendation).

The Commission Recommendation forms an integral part of the European Commission’s savings and investments union strategy to enhance financial opportunities for EU citizens and businesses unveiled in March of this year.

In it, the European Commission recommends to EU Member States that they should establish savings and investment accounts (SIA) frameworks which should have the specific characteristics identified by it in the Commission Recommendation. To the extent that individual Member States have already introduced such frameworks, they should assess such frameworks against the Commission Recommendation to ensure that they are aligned with same.

The objective of the SIA framework is to provide EU retail investors with “simple and accessible investment opportunities”.

The Recommendation sets down specific parameters for such SIA frameworks relating to the provision of such SIAs, the costs associated with opening and operating such SIA, the scope of assets which could be held by those SIA as well as recommendations relating to beneficial tax treatment and facilitated tax compliance for such accounts.

Alongside the Commission Recommendation, the European Commission also published a communication on its Financial Literacy Strategy which is based on four pillars of action being (i) coordination and best practices, (ii) communication and awareness raising, (iii) funding for financial literacy initiatives including for research and (iv) monitoring progress and assessing impact.

A copy of the Commission Recommendation is available here.

A Dillon Eustace analysis of the Commission Recommendation is available here.

A copy of the European Commission’s communication on its Financial Literacy Strategy is available here.

Miscellaneous

Reform of EU settlement cycle

On 10 September 2025, the European Parliament voted to adopt the proposed regulation to shorten the settlement cycle for securities trades such as transactions in shares or bonds from two days to one days by 11 October 2027. The Council of the EU subsequently adopted its position on 29 September 2025.

Regulation (EU) 2025/2075, which incorporates the relevant changes to the existing CSDR[9] (Amending Regulation) was published in the Official Journal on 14 October 2025. It will apply from 11 October 2027.

A copy of the Amending Regulation is available here.

Footnotes:
[1] Regulation (EU) 600/2014
[2] Regulation (EU) 2024/791
[3] Directive 2014/65/EU
[4] Regulation (EU) 2022/2554 on digital operational resilience for the financial sector and the Directive (EU) 2022/2556 amending Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 as regards digital operational resilience for the financial sector
[5] Regulation (EU) 2023/114 (Markets in Crypto-Assets Regulation)
[6] Regulation (EU) 2019/2033 of the European Parliament and of the Council of 27 November 2019 on the prudential requirements of investment firms and amending Regulations (EU) No 1093/2010, (EU) No 575/2013, (EU) No 600/2014 and (EU) No 806/201
[7] Directive 2014/17/EU of the European Parliament and of the Council of 4 February 2014 on credit agreements for consumers relating to residential immovable property and amending Directives 2008/48/EC and 2013/36/EU and Regulation (EU) No 1093/2010
[8] Delegated Regulation (EU) 2016/1675
[9] Regulation (EU) 909/2014