What U.S. Companies Get Wrong About European Compliance Requirements
Regulatory updates
Risk management
There's a pattern that plays out with remarkable consistency when U.S. companies expand into European markets. They arrive with serious compliance infrastructure built for the domestic market, a well-resourced legal team, and a genuine belief that adapting to European requirements is largely a matter of administrative translation. Then they encounter a series of surprises that nobody briefed them on, each one more operationally disruptive than the last.
The surprises are rarely about exotic regulations or obscure requirements. They are about structural differences in how the EU regulatory framework operates, who it applies to, and what "compliance" is expected to look like in practice. The gap is not between sophisticated U.S. compliance teams and impenetrable European law. It is between the assumptions U.S. companies bring to Europe and the reality they find when they arrive.
This article is for U.S. compliance teams, in-house counsel, operations teams, and business leaders who are either building EU operations, onboarding EU business partners, or managing relationships with EU-regulated counterparties. We are going to walk through the specific misunderstandings that cause compliance programmes to fail in the European context, the regulatory developments that are making those failures more consequential, and what a genuinely EU-compliant operational posture actually requires.
Mistake One: Treating Europe as a Single Compliance Market
The most common and most costly misunderstanding U.S. companies bring to Europe is the assumption that the EU operates like a federal system with one compliance framework, the way the U.S. does at the federal level. In practice, the EU is 27 sovereign member states, each with its own national regulator, its own legal tradition, its own company registry, its own approach to AML enforcement, and in many cases its own language. This is the single most important thing to understand before building any compliance programme that touches the EU.
Yes, the EU has harmonising legislation. Yes, Regulations apply directly across all member states. But even under harmonised frameworks, national implementation creates material variation. Companies entering the European market consistently underestimate European compliance timelines due to the documentation burden, which requires comprehensive files that must be translated, localised, and formatted according to national requirements. Licensing complexities can slow down expansion because every new market brings its own set of local regulations and authorisations needed before getting started. Regulatory fragmentation is a real issue: compliance teams have to juggle different requirements across the EU, and sometimes those rules contradict each other.
A company that builds one unified EU compliance policy and assumes it applies equally in Germany, France, the Netherlands, and Poland will quickly find that the operational reality does not match the policy design.
National Variation in AML Enforcement
Even within the existing EU AML framework, enforcement quality and supervisory culture vary significantly across member states. The fragmented, directive-based system that preceded the incoming AMLR was consistently exploited. Moneyval mutual evaluation reports documented significant variance in CDD quality, beneficial ownership verification, and suspicious transaction reporting across member states.
What this means for U.S. companies is that the EU counterparty you are onboarding from one member state may have been subject to genuinely robust AML supervision, while a counterparty from another member state may have operated within a looser supervisory environment. Your risk assessment needs to account for this variation. Your counterparty's country of incorporation is a risk factor, not just a data point.
Why This Is About to Change, and What It Means
The incoming Anti-Money Laundering Regulation (Regulation EU 2024/1624), applying from 10 July 2027, is specifically designed to end this national variation by replacing the directive-based framework with a directly applicable Regulation that is identical across all 27 member states. The Anti-Money Laundering Authority (AMLA), operational since 1 July 2025 and headquartered in Frankfurt, adds a supranational supervisory layer above national regulators for the highest-risk cross-border entities.
But the transition to full harmonisation runs until 2027, and until then, national variation remains operationally real. U.S. companies need to understand both the current patchwork and the harmonised framework they are preparing for.
Mistake Two: Assuming GDPR Only Applies If You Have an EU Office
This is the misunderstanding that has generated billions of euros in GDPR fines and continues to catch U.S. companies off guard. GDPR does not apply because of where a company is based. It applies because of whose data is being processed.
The EU's GDPR compliance obligations follow the data subject: any U.S. company handling EU residents' personal data must comply with GDPR regardless of where it is headquartered. This means that a U.S. company running a digital service used by EU residents, onboarding EU business partners, processing EU employee data, or managing KYC/KYB records for EU counterparties is subject to GDPR, even if every single one of its employees and servers is located in the United States.
European data protection authorities issued over €3 billion in GDPR fines in the first half of 2025 alone, with many penalties tied to unlawful international transfers. Cumulative GDPR fines reached €7.1 billion as of January 2026, with data transfer violations remaining a high-risk enforcement area. These are not fines levied only against EU-based companies. Non-EU companies operating only through digital services, with no physical EU establishment, have been fined by DPAs. The enforcement record confirms this is a real, active risk.
The Representative Requirement U.S. Companies Ignore
GDPR Article 27 requires organisations outside the EU that are subject to GDPR to appoint an EU-based representative who can receive Data Protection Authority communications. This requirement is regularly missed by U.S. companies that treat GDPR as a policy document obligation rather than a structural requirement. Failure to appoint an EU representative is itself a breach of GDPR, and it means that any DPA communication about your data processing goes unanswered, which compounds enforcement risk significantly.
The CLOUD Act Conflict That U.S. Companies Underestimate
There is a structural legal tension that U.S. companies entering Europe almost always underestimate, and it has no clean resolution. U.S. companies doing business in the EU face a compliance challenge unlike any other: two bodies of law, pulling in opposite directions, both of which apply simultaneously.
The EU's GDPR compliance obligations follow the data subject: any U.S. company handling EU residents' personal data must comply with GDPR regardless of where it is headquartered. The U.S. CLOUD Act follows the provider: any U.S. company must produce data it controls upon receiving a valid U.S. government demand, regardless of where that data is stored.
Under GDPR Articles 13 and 14, data subjects have a right to know how their data is processed. Under the CLOUD Act, the U.S. provider is legally barred from informing them when a government demand has been received. These obligations directly conflict. Standard Contractual Clauses, which many U.S. companies use as their primary mechanism for compliant data transfers to and from the EU, do not resolve this conflict. The European Data Protection Board confirmed in its Schrems II recommendations that contractual supplementary measures alone cannot address U.S. surveillance law exposure.
This is not a theoretical risk. It is a structural compliance gap that U.S. companies need to understand before building any data processing infrastructure that handles EU personal data. For compliance functions specifically, this applies to every record you hold about EU-based individuals as part of KYC, KYB, or AML processes.
Mistake Three: Assuming U.S. AML Programme Travels
U.S. compliance teams often arrive in Europe with a well-built AML programme calibrated to the Bank Secrecy Act, FinCEN's CDD Rule, and sector-specific regulatory expectations. That programme is real, and it is rigorous. The mistake is assuming it maps cleanly onto EU AML requirements. It does not, for reasons that are structural rather than cosmetic.
The U.S. AML framework is sector-by-sector, built through rules and regulatory guidance from multiple separate bodies. FinCEN governs banks and financial institutions. FINRA covers broker-dealers. State regulators add further requirements in certain markets. There is no single overarching AML regulation. What matters is your sector and who regulates you.
The EU AML framework is moving toward a single, directly applicable Regulation that applies identically across all 27 member states. The AMLR creates a single rulebook for all obliged entities, regardless of member state, with AMLA providing a supranational supervisory layer. The evidentiary and documentation standards embedded in the AMLR are specific, granular, and in some respects more prescriptive than what U.S. companies are used to.
The Beneficial Ownership Gap
One specific area where U.S. AML practice and EU requirements diverge in ways that create operational problems is beneficial ownership. The existing EU framework required member states to maintain central beneficial ownership registers under the Anti-Money Laundering Directives. The incoming AMLR standardises the beneficial ownership threshold EU-wide at 25% or more (a subtle but meaningful change from the previous "more than 25%" formulation used in some member states), and creates specific documentation requirements for every business relationship entered.
Under Article 15 of Regulation (EU) 2024/1624, obliged entities must collect valid proof of registration or a recently issued register excerpt whenever entering a new business relationship with a legal entity. This is not equivalent to the U.S. approach of collecting a self-certified beneficial ownership form at account opening. It requires registry-sourced documentation that is current, complete, and linked to a specific transaction or relationship. U.S. companies used to relying on counterparty self-certification as the primary UBO verification mechanism will need to update their approach for EU counterparties.
The Ongoing Monitoring Standard
The EU standard for ongoing monitoring of business relationships is explicit and auditable in a way that U.S. compliance teams sometimes find more demanding than their domestic framework. Article 26 of Regulation (EU) 2024/1624 requires obliged entities to keep CDD documentation current and monitor business relationships on an ongoing basis. Article 24 requires discrepancy reports to be filed within 14 calendar days of detecting any inconsistency between information in central registers and your own collected CDD data.
This 14-calendar-day discrepancy reporting window is a specific, enforceable obligation. A U.S. company operating an EU compliance programme needs a system capable of detecting and reporting discrepancies on that timeline, not a periodic manual review cycle.
Mistake Four: Not Knowing the AMLR Directly Applies to You as a Foreign Entity
This is the most significant emerging compliance obligation for U.S. companies with European business relationships, and it is the one that receives the least attention in domestic compliance planning. The AMLR does not just raise the bar for EU-regulated entities. It creates new obligations for foreign entities operating in the EU.
The AMLR mandates that foreign entities register beneficial ownership information in EU member states' central registers before conducting business transactions in the EU, with non-compliance potentially restricting operations in the European Union. The regulation expanded the scope of its provisions to explicitly include third-country legal entities, trustees, and new sectors like crypto-asset providers and high-value goods dealers.
To be precise about the scope: the obligation to register applies where a third-country legal entity wishes to enter into a business relationship with an EU obliged entity that is associated with medium-high or high money laundering or terrorist financing risks, or where the foreign entity itself falls within a legal entity category or sector assessed as carrying medium-high or high risk. These obligations become applicable from 10 July 2027. Foreign entities already owning real estate in the EU face additional registration requirements with earlier deadlines.
What this means for a U.S. company transacting with EU-regulated counterparties in sectors including financial services, payment services, or other regulated industries is that from 2027, you may be required to register your beneficial ownership information in the relevant EU member state central register, not as a courtesy, but as a legal precondition to conducting business. A U.S. company that has not prepared for this obligation will find EU counterparties unable or unwilling to enter into business relationships with them.
Mistake Five: Misunderstanding How EU Company Registries Work
U.S. compliance teams building KYB processes for EU business partners often assume the EU has a centralised company registry, analogous to a federal system, where a single query returns comprehensive, current company information. This assumption is operationally expensive.
Each of the 27 EU member states maintains its own national business register. The EU operates a connectivity layer called BRIS (Business Registers Interconnection System) through the European e-Justice Portal, which allows basic company information to be searched across member states. But BRIS provides only harmonised basic data: legal form, registered seat, and registration number. It does not include full financial statements, detailed beneficial ownership data, or the filing history that meaningful KYB requires. For that, you need to go to each national register individually, on each country's terms, in each country's language.
Germany operates three separate registers: the Handelsregister, the Unternehmensregister, and the Transparenzregister, each with overlapping but inconsistent data. France's registry portal is entirely in French, with shareholder data available only through the purchase of individual documents per company. Italy, France, and Spain charge for most filings and financial statements, while Denmark and Poland provide broader registry access free of charge. A complete, verified corporate documentation pack for an EU counterparty is not something you retrieve from one source in one query. It is assembled from multiple national sources, at varying costs, in varying formats.
U.S. companies that build EU KYB processes assuming they can collect all required documentation by asking the counterparty to submit it will accumulate self-declared document sets rather than registry-verified verification records. Under the EU AMLR, those two things are not equivalent.
The Beneficial Ownership Register Complexity
The complexity of accessing EU beneficial ownership data adds a further layer. Following the November 2022 ruling of the Court of Justice of the EU, which struck down open public access to beneficial ownership registers as a disproportionate interference with privacy rights, most EU member states restricted public access to UBO register data. Countries including Belgium, the Netherlands, and Luxembourg suspended public access to their UBO registers immediately.
This means that UBO data, which sits at the heart of any meaningful KYB process, is now accessible primarily to competent authorities, financial intelligence units, and obliged entities conducting customer due diligence in the performance of their legal obligations. For U.S.-based companies that are not themselves EU-supervised obliged entities, accessing this data may require demonstrating legitimate interest through a country-specific process that varies across jurisdictions.
Mistake Six: Conflating EU Compliance With GDPR Compliance
A related misunderstanding is treating GDPR as the entirety of the EU compliance framework. Many U.S. companies approach European market entry as primarily a data protection exercise: hire a GDPR lawyer, appoint a Data Protection Officer, publish an updated privacy notice, and consider the compliance obligation satisfied. This approach misses most of the regulatory landscape that actually governs regulated businesses operating in the EU.
In addition to GDPR, a U.S. company operating in the EU financial services or payments space may be subject to or materially affected by the following current and incoming frameworks.
Regulation (EU) 2024/1624 (AMLR) governs AML and KYB obligations from July 2027, including the new obligations for foreign entities discussed above. The Digital Operational Resilience Act (DORA), applicable since 17 January 2025, governs ICT risk management for financial entities and their critical third-party service providers, including U.S.-based technology vendors whose services are used by EU financial institutions. The Markets in Crypto-Assets Regulation (MiCAR), fully applicable since 30 December 2024, governs crypto-asset service providers operating in the EU market. The EU AI Act (Regulation EU 2024/1689), with full high-risk AI system obligations applying from 2 August 2026, governs AI systems placed on the EU market or whose outputs are used in the EU, regardless of where the provider is established. The EU Data Act (Regulation EU 2023/2854), applying since September 2025, governs data sharing and cloud switching, with provisions explicitly addressing unlawful third-country government access to data.
Each of these applies based on market activity, not on the location of the company's headquarters. A U.S. company providing AI-powered risk scoring to EU financial institutions, for example, is within scope of the EU AI Act even if it has no EU subsidiary. Building a compliance programme that addresses only GDPR leaves every other regulatory layer unaddressed.
Mistake Seven: Treating Documentation as an Administrative Step Rather Than a Legal Obligation
Perhaps the most deeply embedded U.S. compliance habit that does not translate well to the EU context is a culture of compliance-as-policy. The expectation in many U.S. compliance programmes is that if you have the right written policies, the right training records, and the right governance structure, you have demonstrated compliance. What you actually did in any specific case is secondary to whether the right process existed.
European regulators have always placed heavier weight on demonstrable practice over documented policy, and the incoming AMLR makes this even more explicit. The AMLR's documentation obligations require that every CDD decision be evidenced, every beneficial ownership determination be traceable to registry-sourced documents, every risk classification be recorded with the rationale that supported it, and every ongoing monitoring action be logged with a timestamp and attribution to a named reviewer.
The focus is moving from the presence of controls, often a tick-box approach, to the demonstrable effectiveness of those controls. Companies consistently underestimate the documentation burden: European authorities require comprehensive files, supporting documentation that must be translated, localised, and in the correct format, not simply a file that records that an action was taken.
For U.S. companies building EU compliance infrastructure, this means that the quality of your documentation system matters as much as the quality of your compliance policies. A well-written policy stored in a document management system, with no evidence of how it was actually applied to any specific counterparty decision, does not satisfy the AMLR's requirements.
What Getting It Right Actually Looks Like
Understanding where U.S. companies go wrong with European compliance is the starting point. The more useful question is what the right compliance posture looks like for a U.S. company operating in or with the EU.
1) Know Which EU Regulations Apply to You, by Activity Not by Location
Begin with a structured assessment of which EU regulatory frameworks apply based on what your business does in or with the EU, not based on where you are incorporated. If you handle EU personal data, GDPR applies. If you provide services to EU financial institutions, DORA may apply. If you deploy AI systems whose outputs are used in the EU, the AI Act applies. If you transact with EU-regulated entities in AML-relevant contexts, the AMLR applies to your counterparties and may apply directly to you as a foreign entity from 2027.
This scoping exercise is not a one-time legal review. EU regulatory scope is actively expanding, and the answer to which regulations apply to your EU activities in 2024 may be different from the answer in 2027.
2) Build KYB Processes That Collect Registry-Sourced Documentation
For any U.S. company onboarding EU business partners, the documentation standard needs to reflect EU evidentiary expectations, not domestic practice. That means collecting registry-sourced company extracts rather than relying solely on counterparty self-certification, tracing beneficial ownership chains to natural persons with documentary support at each layer, and maintaining records in a system that can produce a complete, timestamped file for any counterparty relationship on demand.
Self-declared documents are a starting point, not a verification. Under the AMLR, obliged entities must collect valid proof of registration or a recently issued register excerpt when entering every new business relationship with a legal entity. If your EU counterparties are obliged entities themselves, they will expect the same standard from you.
3) Appoint an EU Representative and Conduct a Proper GDPR Transfer Impact Assessment
If your business processes EU personal data, the GDPR representative requirement under Article 27 is not optional. Appoint an EU-based representative with a verifiable address in a member state where your data subjects are located. Beyond the representative appointment, any transfer of EU personal data to the U.S. requires a Transfer Impact Assessment (TIA) that genuinely addresses the CLOUD Act conflict, not just a set of Standard Contractual Clauses filed and forgotten. The EDPB's Schrems II recommendations make clear that contractual measures alone do not adequately address U.S. surveillance law exposure. Technical measures, specifically encryption with keys retained within the EEA, are required.
4) Build for the AMLR Timeline Now
The 2027 AMLR application date is not permission to start preparing in 2026. AMLA is publishing the technical standards that define operational compliance requirements throughout 2026. U.S. companies with material EU business relationships should be tracking those standards and building compliance infrastructure that can meet the AMLR's documentation, beneficial ownership, and ongoing monitoring requirements before they become legally enforceable.
The beneficial ownership registration obligation for foreign entities is particularly important to prepare for. If your business model involves entering into relationships with EU obliged entities in medium-high or high-risk sectors, your U.S. entity may need to register beneficial ownership information in EU member state central registers from July 2027. The preparation for that registration needs to happen now, not when the obligation becomes effective.
Conclusion: The Cost of Underestimating the EU Framework
The EU compliance framework is demanding, structurally different from U.S. domestic requirements, actively evolving, and explicitly designed to apply to foreign entities operating in the European market. These are not new realities, but the AMLR, DORA, the AI Act, and the ongoing GDPR enforcement environment are making them more consequential for U.S. companies than they have ever been.
The companies that navigate European compliance well are not those with the largest legal budgets. They are the ones that understood early that European compliance is a different discipline from domestic compliance, invested in building infrastructure rather than policies, and treated the 2027 AMLR deadline as a 2025 and 2026 preparation window rather than a future problem.
The mistakes covered in this article are fixable. None of them require a fundamental rethinking of how compliance works. They require understanding how the EU regulatory framework actually operates, mapping that understanding onto your specific business activities and counterparty relationships, and building the documentation and workflow infrastructure that makes compliance demonstrable, not just aspired to.
About SpeedyDD
SpeedyDD is a KYB onboarding and due diligence platform built for regulated businesses operating across complex, multi-jurisdictional environments. Our mission is to help organisations maintain continuous audit-readiness across every business relationship, every market, and every stage of the counterparty lifecycle.
For U.S. companies building or scaling EU compliance infrastructure, SpeedyDD provides the centralised workflow, document management, and audit trail infrastructure that makes meeting EU evidentiary standards operationally achievable.
Frequently Asked Questions
Does EU compliance apply to a U.S. company with no EU office?
Yes, in most cases. The key EU regulatory frameworks apply based on market activity and whose data is processed, not on where a company is incorporated or physically based. GDPR applies to any company that processes the personal data of EU residents, regardless of location. The EU AI Act applies to providers of AI systems placed on the EU market or whose outputs are used in the EU, regardless of where the provider is established. Regulation (EU) 2024/1624 (AMLR) mandates that foreign entities register beneficial ownership information in EU member states' central registers before conducting business transactions with EU-regulated entities in certain risk categories, with non-compliance potentially restricting EU operations. U.S. companies should assess their EU regulatory exposure based on what they do in or with the EU, not where they are headquartered.
What is the AMLR and what does it mean for U.S. companies specifically?
Regulation (EU) 2024/1624, the Anti-Money Laundering Regulation, is the EU's first directly applicable AML rulebook, replacing the previous directive-based framework and applying identically across all 27 member states from 10 July 2027. For U.S. companies, the most significant new provision is the requirement that third-country legal entities register beneficial ownership information in EU member states' central registers before conducting business transactions with EU obliged entities in medium-high or high-risk sectors. Foreign entities already owning real estate in the EU face additional registration obligations. Non-compliance can restrict a U.S. entity's ability to operate in the EU market. Preparation for these obligations needs to start now, well before the July 2027 application date.
How does GDPR apply to U.S. companies handling KYB and KYC records for EU counterparties?
Any KYB or KYC record relating to an EU-based natural person, including UBO declarations, director identity documents, and individual shareholder information, constitutes personal data under GDPR. Processing that data as part of a compliance workflow subjects the U.S. company to GDPR's requirements including a lawful basis for processing, data subject rights obligations, data transfer rules for records held on U.S. systems, and data retention and deletion requirements. The interaction between GDPR's data minimisation principle and AML's requirement for long-term CDD record retention creates a genuine tension that needs to be addressed deliberately in your data governance framework. GDPR also requires U.S. companies subject to the regulation to appoint an EU-based representative under Article 27 of the regulation.
What is the CLOUD Act conflict and why does it matter for U.S. companies with EU operations?
The U.S. CLOUD Act of 2018 requires U.S. companies to produce data they control upon receiving a valid U.S. government demand, regardless of where that data is stored. GDPR requires that EU personal data be protected and that data subjects be informed about how their data is processed. Under GDPR Articles 13 and 14, data subjects have a right to know how their data is being processed. The CLOUD Act legally bars the U.S. provider from informing data subjects when a government demand has been received. These obligations directly conflict, and Standard Contractual Clauses alone do not resolve the conflict. The European Data Protection Board's Schrems II recommendations confirm that technical measures, specifically encryption with keys retained within the EEA, are required alongside contractual measures for a compliant transfer mechanism.
What is BRIS and why does it not replace national EU company registries for KYB purposes?
BRIS (Business Registers Interconnection System) is a European Commission infrastructure that allows basic company information to be searched across EU member state registers through the European e-Justice Portal. It covers more than 20 million registered companies. However, BRIS provides only a basic set of harmonised data including company name, legal form, registered seat, and registration number. It does not provide full financial statements, detailed beneficial ownership data, director filing history, or the documentary record required for a complete KYB verification. For comprehensive due diligence, teams need to access each national register directly, in the relevant language, under the relevant access conditions for that country.
How does the EU's beneficial ownership framework differ from U.S. requirements?
The EU beneficial ownership framework is standardised EU-wide under the AMLR at a threshold of 25% or more of shares, voting rights, or ownership interest, ending the national variation that previously existed under the directive-based framework. The AMLR requires documentary evidence of the ownership chain for complex structures, registry-sourced verification of current ownership status, and specific discrepancy reporting obligations when the information collected through CDD does not match information in central registers. The U.S. FinCEN CDD Rule uses a similar 25% threshold, but U.S. practice typically relies more heavily on counterparty self-certification than the EU's registry-sourced verification standard. Additionally, FinCEN's February 2026 exceptive relief modified requirements around beneficial ownership verification at new account opening, while EU obligations under the AMLR are moving in a more prescriptive direction.
What is AMLA and does it affect U.S. companies?
AMLA, the Anti-Money Laundering Authority established by Regulation (EU) 2024/1620, became operational on 1 July 2025, headquartered in Frankfurt. It is the EU's first centralised AML supervisor and will directly supervise up to 40 of the highest-risk financial institutions with significant cross-border operations. For U.S. companies, AMLA's primary relevance is through the technical standards it is publishing through 2026, which define the operational detail of the AMLR, and through the supervision it will exercise over EU counterparties. If your EU business partners are subject to AMLA's direct supervision, the compliance standards they are required to apply to their counterparties will be AMLA-calibrated. AMLA can impose administrative sanctions of up to €10 million or 10% of annual group turnover for the most serious violations.
What does DORA mean for U.S. technology companies serving EU financial institutions?
The Digital Operational Resilience Act (Regulation EU 2022/2554), which has applied since 17 January 2025, governs ICT risk management for EU financial entities and imposes obligations on their critical third-party ICT service providers. U.S.-based technology companies whose services are relied upon by EU financial institutions for critical or important functions may be classified as critical ICT third-party providers under DORA, which carries its own regulatory obligations. EU financial institution clients will conduct vendor due diligence against DORA requirements for their technology suppliers, and U.S. companies that cannot demonstrate adequate ICT resilience, incident reporting capabilities, and audit access may find their EU client relationships at risk.
How should a U.S. company prepare for the AMLR's beneficial ownership registration requirement for foreign entities?
Preparation has four components. First, assess whether your business activities in the EU involve relationships with EU obliged entities in sectors classified as medium-high or high AML/TF risk. If they do, your entity may be required to register beneficial ownership information in the relevant EU member state register from July 2027. Second, ensure your beneficial ownership information is accurate, complete, and documented to the standard required by EU member state central registers. Third, track AMLA's technical standards as they are published through 2026, particularly those governing documentation requirements and the registration process for foreign entities. Fourth, engage EU legal counsel with AML expertise in the specific member states where your counterparty relationships are concentrated, since the registration process and its requirements will vary at the national level until the AMLR is fully operational.
