What U.S. Financial Firms Need to Know Before Entering Europe
Regulatory updates
The European financial market is not a geographic extension of the U.S. market with different accents and currencies. It is a distinct regulatory environment, structured around different legal principles, governed by different supervisory bodies, and operating under a framework that has been undergoing one of its most significant transformations in decades.
The Capital Requirements Directive VI has reshaped the rules for how non-EU banks provide cross-border services to EU clients. The Anti-Money Laundering Regulation is building toward a single rulebook that will apply uniformly across all 27 member states from July 2027. The Digital Operational Resilience Act is already in force. PSD3 has reached political agreement and is moving toward publication. The EU AI Act is applying obligations to financial institutions and their technology vendors with a hard enforcement deadline approaching. And MiCAR has been fully operational since December 2024, creating a mandatory licensing regime for any firm offering crypto-asset services to EU customers.
None of these frameworks care where your headquarters is. They care what you do in Europe, with whom, and how.
This guide is for U.S. financial firms at any stage of European market planning: those who are entering now, those who are already operating and realising their compliance posture needs work, and those who are assessing whether and how to enter. It covers the licensing reality, the regulatory framework you are entering, the structural decisions that cannot be avoided, and the compliance obligations that apply from day one.
The Licensing Reality: You Cannot Passport From the U.S.
The single most operationally significant thing a U.S. financial firm needs to understand before entering Europe is this: passporting rights, which allow an authorised firm to operate across all 27 EU member states on the basis of a single home-state licence, are available only to firms authorised in an EU or EEA member state. A European passport is only available to firms having their head office established in an EU or EEA jurisdiction and will not be available to branches of third-country firms.
That means a U.S. firm cannot use passporting to access the EU single market. It needs to either establish a licensed EU entity (a subsidiary incorporated and authorised in a member state, which can then passport across the EU) or apply for branch authorisation in each market it wants to serve, under the relevant third-country regime for its sector.
The EU Entity Route
The most common strategic path for U.S. financial firms entering Europe at scale is incorporating a subsidiary in a single EU member state, obtaining the relevant authorisation in that jurisdiction, and then using EU passporting rights to offer services across other member states from that base. The choice of home member state matters significantly for operational reasons. Regulatory culture, supervisory approach, available talent pool, language, and the specific technical standards applied by the national competent authority all vary. Common choices for U.S. firms include Ireland, Luxembourg, Germany, and the Netherlands, each with distinct advantages and supervisory characteristics.
The type of authorisation required depends on your activity. Investment firms need MiFID II authorisation. Payment institutions need payment institution authorisation under PSD2 and eventually PSD3. Electronic money institutions need EMI authorisation. Banks need a credit institution licence under the Capital Requirements Directive framework. Crypto-asset service providers need MiCAR authorisation. In some cases, more than one licence applies to the same business model.
The Third-Country Branch Route
For U.S. firms that do not want to establish an EU subsidiary, some EU member states have national third-country regimes that permit branch operations subject to local authorisation. This route is narrowing, not expanding. CRD VI, which EU member states were required to transpose into national law by 10 January 2026, introduces new minimum prudential requirements for third-country branches providing banking services in the EU and, critically, introduces a ban on third-country institutions providing core banking services, specifically lending, guarantees, commitments, and deposit-taking, into the EU on a cross-border basis without local establishment.
The new branch authorisation requirements under CRD VI apply from 11 January 2027, following a transitional period. Contracts for the provision of core banking activities ceased to benefit from grandfathering exemptions from 11 July 2026. What this means in practice is that a U.S. bank providing lending, guarantees, or deposit-taking to EU clients from outside the EU without a local branch will no longer be able to rely on existing contractual arrangements or national exemptions after the relevant deadlines. U.S. lenders involved in trade finance, letters of credit, guarantees, or cross-border structured finance with EU counterparties need to assess whether their activities fall within the CRD VI scope and what their structural options are.
The key practical message: if you are a U.S. bank still assessing whether to establish a European branch or subsidiary on the grounds that cross-border services remain available indefinitely, that window is closing under CRD VI. The structural decisions need to be made now, not when the deadline arrives.
The Regulatory Frameworks You Are Entering in 2026
Once you have a licensed EU presence, you are operating inside one of the most rapidly evolving regulatory environments in the world for financial services. Here is an honest account of the frameworks that will govern your operations from the point you enter the market.
CRD VI and the Capital Requirements Framework
The Capital Requirements Directive VI came into force in July 2024 as part of the EU's implementation of the Basel III banking standards. Built on the Basel III framework, the CRR III/CRD VI Banking Package is one of the most extensive regulations to come into force in 2025. It updates capital requirements, risk assessments, and reporting obligations for credit institutions operating in the EU, and it applies to EU subsidiaries of U.S. banks just as it applies to EU-headquartered banks.
For U.S. firms establishing a bank or credit institution in the EU, CRD VI compliance is a day-one obligation covering capital adequacy, liquidity requirements, governance standards, and remuneration policies. Your EU subsidiary will be supervised by its national competent authority and, for significant institutions, by the European Central Bank under the Single Supervisory Mechanism. The supervisory expectations at the ECB level are exacting, and the application process for significant institution status carries its own documentation and governance requirements.
For U.S. firms that are not establishing a bank but are providing services that include core banking activities to EU clients, the CRD VI cross-border restriction is the immediate question. The provision of cross-border investment services as such remains unaffected by CRD VI. But lending, deposit-taking, and guarantees provided directly from outside the EU will require a local EU presence to continue lawfully after the relevant deadlines.
The EU AML Package: The Compliance Transformation That Is Happening Right Now
The EU's 2024 AML legislative package is arguably the most consequential compliance development for financial firms entering Europe, and it is the one that most commonly catches U.S. firms off guard because its full application date of July 2027 creates a misleading sense of distance.
Regulation (EU) 2024/1624, the Anti-Money Laundering Regulation (AMLR), replaces the previous directive-based AML framework with a directly applicable rulebook that will be identical across all 27 member states from 10 July 2027. Unlike the former AML Directives, which allowed national variation in how the rules were implemented, the AMLR removes that discretion entirely.
Regulation (EU) 2024/1620 established the Anti-Money Laundering Authority, AMLA, as the EU's first centralised AML supervisor, operational since 1 July 2025 and headquartered in Frankfurt. AMLA will directly supervise up to 40 of the highest-risk financial institutions with significant cross-border operations, while coordinating national supervisors for all other obliged entities. AMLA must publish 23 regulatory and implementing technical standards, most of them due by 10 July 2026, which define the operational detail of the AMLR. These standards cover CDD procedures, reporting formats, risk factor guidelines, and governance requirements for compliance functions. They are what you build against, not the legislative text alone.
For U.S. firms entering the EU, the AML compliance posture you build needs to meet the AMLR's standard from the point you are authorised and operational. That means registry-sourced beneficial ownership verification, documented risk-based due diligence, ongoing monitoring with a 14-calendar-day discrepancy reporting obligation under Article 24, and a Business-Wide Risk Assessment documented and approved at management body level. The documentation standard is specific and auditable. A U.S. AML programme built for FinCEN and the Bank Secrecy Act will not meet these requirements without material redesign.
There is also a direct obligation for foreign entities. The AMLR mandates that third-country legal entities register beneficial ownership information in EU member states' central registers before conducting business transactions with EU-regulated entities in medium-high or high-risk sectors. Non-compliance can restrict operations in the EU market. For a U.S. financial firm building EU business relationships, this is not a future consideration. It is a structural compliance requirement.
A practical guide for conducting KYB Onboarding in the E.U
DORA: Operational Resilience Is Now a Legal Obligation
The Digital Operational Resilience Act (Regulation EU 2022/2554) has applied since 17 January 2025. It governs ICT risk management for EU financial entities including banks, payment service providers, investment firms, and crypto-asset service providers, and it extends directly to their critical ICT third-party providers regardless of where those providers are based.
For a U.S. financial firm establishing an EU subsidiary, DORA compliance is not optional and it is not solely an IT department concern. DORA requires a comprehensive ICT risk management framework, incident classification and reporting procedures, digital operational resilience testing, third-party ICT risk management including contractual requirements and audit rights applied to technology vendors, and a register of all contractual arrangements with ICT third-party service providers.
Third-party provider reporting under DORA had a deadline of 30 April 2025, meaning EU financial entities were required to have their ICT third-party registers in place by that date. If your EU entity is newly established, this register needs to be built from day one. If you are a U.S.-based technology provider whose services are used by EU financial institutions, your EU clients are legally required under DORA to conduct due diligence on you, maintain DORA-compliant contracts, and may report on your resilience posture to their supervisors.
A major development expected in the coming years is the designation of critical ICT third-party service providers, which may extend direct EU-level oversight to cloud platforms, payment processors, and large technology vendors supporting multiple financial institutions. If your firm falls into that category, coordinated supervisory examinations are a near-term prospect.
PSD3 and the Payment Services Regulation: The New Framework for Payments
On 27 November 2025, the European Parliament and the Council of the EU reached provisional political agreement on two key legislative measures: the Payment Services Directive 3 (PSD3) and the Payment Services Regulation (PSR). PSD3/PSR is expected to be published in the Official Journal in 2026, with a transition period of approximately 18 to 24 months following publication before full application.
For U.S. firms entering the European payments market, PSD3 and the PSR represent the legislative environment you are entering, not one that is already settled. PSD3 as a directive addresses licensing and supervision and will need to be transposed into national law. The PSR, as a regulation covering security, strong customer authentication, and the obligations of payment service providers, is directly applicable across all EU member states without local transposition.
Key practical changes under PSD3 and the PSR include strengthened fraud prevention obligations, enhanced consumer protection requirements, and adjustments to the licensing framework for payment institutions and electronic money institutions. Account information service providers, currently required only to register under PSD2, will benefit from full passporting rights under PSD3, enabling cross-border services on the basis of a single home-state registration.
For firms operating at the intersection of payments and crypto assets, there is an important dual-licence consideration. The EBA's February 2026 opinion clarified that certain electronic money token-related payment services require PSD2 or PSD3 authorisation in addition to MiCAR CASP authorisation. The specific outcome depends on whether your entity already holds PSD2 authorisation or operates through an authorised payment service provider. This dual authorisation requirement applies to specific business models, and any U.S. firm building a European crypto-payments proposition needs to map its operating structure against the applicable outcome before beginning any application process.
MiCAR: The Mandatory Framework for Crypto-Asset Services
Regulation (EU) 2023/1114, the Markets in Crypto-Assets Regulation, has been fully operational since 30 December 2024. It creates licensing requirements for crypto-asset service providers operating anywhere in the EU. Exchanges, custodians, wallet services, and token issuers are all in scope. A U.S.-based crypto business that offers services to EU customers or counterparties without MiCAR authorisation is operating without a licence, and enforcement is active.
Penalties for MiCAR non-compliance can reach at least €5 million or 12.5% of annual turnover for severe breaches, whichever is higher. Regulators can also publicly disclose violations, suspend authorisations, and freeze assets related to violations where fraud or money laundering is suspected. These are not theoretical enforcement outcomes. They have been applied in 2025.
MiCAR's licensing model uses passporting: a CASP authorised in one EU member state can offer services across all 27 on the basis of that single authorisation. For U.S. crypto firms entering the EU market, the strategic decision is which member state to use as a licensing home, and that choice should be based on supervisory culture, processing time, local regulatory expertise, and the specific product scope you need covered, not simply convenience.
MiCAR also carries AML obligations integrated with the AMLR framework. CASPs are obliged entities under the AMLR, meaning all KYB and customer due diligence obligations, the beneficial ownership verification standard, the ongoing monitoring requirements, and the AMLA supervisory framework all apply in full from the point of authorisation.
The EU AI Act: The Compliance Layer Affecting How You Build Products
Regulation (EU) 2024/1689, the EU AI Act, applies to AI systems placed on the EU market or whose outputs are used in the EU, regardless of where the developer or deployer is based. For U.S. financial firms entering Europe, this applies to every AI system embedded in your EU-facing products, risk models, compliance workflows, or customer interactions.
Many of the AI use cases common in financial services, including credit scoring, loan approval, fraud detection, AML risk profiling, and automated decision-making that affects access to financial services, are explicitly classified as high-risk AI systems under the Act. High-risk systems require automated logging, comprehensive technical documentation, human oversight mechanisms, transparency obligations to regulators and affected customers, and ongoing accuracy and bias monitoring.
The full high-risk AI system obligations were scheduled to apply from August 2026, though the European Commission has proposed extending this deadline to December 2027 for certain categories of high-risk systems. The proposed delay has not yet been formally enacted as of mid-2026. Given the usual timeline for adopting new legislation, the implementation of this delay may prove challenging. Do not plan your AI governance programme around the assumption that the extension will be confirmed.
For U.S. firms entering the EU market with AI-powered products or AI-assisted compliance processes, building an AI inventory, classifying each system against the Act's risk framework, and establishing appropriate governance is a pre-launch requirement, not a post-launch project.
The KYB and AML Infrastructure You Need From Day One
One of the most practically overlooked aspects of European financial market entry is the onboarding and verification infrastructure that EU-authorised firms need to have operational before they can build a compliant business partner and client portfolio.
Your EU entity, once authorised, becomes an obliged entity under EU AML law. That means every business partner, corporate client, and counterparty you onboard needs to go through a KYB process that meets the AMLR's evidentiary standard. That standard includes collecting valid proof of registration or a recently issued company registry excerpt every time you enter a new business relationship with a legal entity, under Article 15 of Regulation (EU) 2024/1624. It includes tracing beneficial ownership to natural persons, with documentary support at each layer of a complex ownership chain. It includes sanctions and PEP screening, risk classification, documented approval decisions, and ongoing monitoring with a 14-calendar-day window to report discrepancies to relevant authorities.
None of this can be built ad hoc as you go. EU supervisors expect to see a documented, operating compliance programme from the point your business begins regulated activities. The compliance infrastructure, including document collection workflows, verification against registry sources, risk tiering, approval hierarchies, and audit trails, needs to be in place before you start onboarding.
This is a different standard from what many U.S. firms are used to building in the early stages of a new market entry. In the EU, the regulatory expectation is not that compliance infrastructure follows business growth. It precedes it.
The Structural Decisions That Cannot Be Deferred
Beyond the regulatory compliance programme, entering the European financial market requires a set of structural decisions that directly determine your compliance posture and your operational flexibility. These cannot be deferred to later stages of market development.
Choosing Your Licensing Jurisdiction
Your choice of home member state for EU authorisation determines which national competent authority supervises you, which national law applies to your corporate governance, how quickly your licence application will be processed, and how easily you can attract local compliance talent. Common choices for U.S. firms include Ireland for English-language operations with a pragmatic supervisory culture, Luxembourg for fund and investment management structures, Germany for banking activities under BaFin supervision, and the Netherlands for payment services and fintech models.
There is no universally correct answer. The right choice depends on your business model, your licensing type, your target markets, and your resourcing plan. What matters most is that the choice is made deliberately, based on a considered assessment of supervisory environment and operational fit, rather than defaulting to whichever jurisdiction your corporate counsel has most experience with.
Building a Compliance Function That Meets EU Standards
EU financial regulators expect your compliance function to be genuinely capable, not nominally present. A compliance officer based in New York who visits your EU subsidiary quarterly does not meet the localisation and expertise requirements that EU supervisors will assess. Most authorisations under MiFID II, CRD VI, PSD3, and MiCAR require the compliance function to be adequately staffed, locally present, and demonstrably competent in the relevant EU regulatory frameworks.
Your compliance officer or MLRO at the EU entity level needs to understand the specific obligations that apply to your EU-authorised entity under EU law, not just the group-level compliance programme.
Aligning Group Compliance With EU Subsidiary Obligations
A critical tension for U.S. firms entering Europe is the relationship between group-level compliance policies, which reflect U.S. regulatory standards and group-level risk appetite, and the subsidiary-level obligations that EU regulation imposes. The AMLR, DORA, and the EU AI Act all impose obligations directly on the EU-authorised entity, regardless of what the group-level programme looks like.
Where group policies conflict with EU regulatory requirements, EU regulatory requirements take precedence for the EU entity. Where group data governance policies conflict with GDPR, GDPR governs for EU personal data. Where group IT procurement processes produce vendor contracts that do not meet DORA's third-party risk management requirements, those contracts need to be renegotiated before the EU entity can use those vendors for critical or important ICT functions.
Managing this alignment requires a structured gap analysis between your group compliance infrastructure and the specific obligations of each EU regulatory framework that applies to your European business model.
Common Entry Mistakes That Delay Authorisation or Create Early Compliance Risk
Based on the structural reality of European financial market entry, the following failure patterns appear most consistently.
Underestimating the licensing timeline is one of the most expensive mistakes U.S. firms make. EU financial services licence applications are not fast. A MiFID II investment firm authorisation typically takes six to twelve months from submission to approval. A banking licence under CRD can take twelve to eighteen months or more. MiCAR authorisation timelines vary by member state but can take six to twelve months. These timelines assume a complete, well-prepared application. Incomplete or poorly documented applications are returned and restart the clock.
Submitting an authorisation application before the compliance infrastructure is built is another common failure. EU supervisors review applications holistically, assessing not just the legal structure and capitalisation but the compliance function, the risk management framework, the AML programme, and the governance arrangements. An application that is structurally sound but lacks a credible, documented compliance programme will not be approved.
Assuming that a U.S. AML programme meets EU standards is a mistake that typically becomes visible at the first supervisory review or audit. The AMLR's documentation requirements, its ongoing monitoring standards, its beneficial ownership verification expectations, and its discrepancy reporting obligations all go beyond what most U.S. AML programmes are built to meet. The gap analysis needs to happen before launch, not after.
Treating DORA as an IT project rather than a compliance obligation consistently results in underprepared ICT risk management frameworks. DORA's requirements, including the ICT third-party register, the incident reporting framework, and the digital operational resilience testing programme, are management body obligations. They need executive ownership and documented implementation, not just an updated IT policy.
Conclusion: Entering Europe Is Worth Getting Right
The European financial market offers genuine strategic value for U.S. firms: access to a deep, sophisticated client base, the ability to serve multinational corporate clients with EU operations, and the reputational credibility that comes with being authorised and operating in one of the world's most rigorously regulated financial environments.
Getting it right means understanding from the outset that European market entry is a regulated, sequenced process with specific structural, licensing, and compliance prerequisites that cannot be shortcut. The firms that invest in those prerequisites, building a genuinely compliant EU entity with appropriate authorisation, a capable local compliance function, and an AML and KYB infrastructure that meets the AMLR's evidentiary standard, are the ones that build durable, scalable European operations.
The ones that enter with a U.S.-calibrated compliance programme, a nominal EU entity, and an assumption that they can build compliance infrastructure after the business is running find that European regulators correct that approach quickly, and the correction is expensive.
About SpeedyDD
SpeedyDD is a KYB and due diligence platform built for regulated businesses entering and operating in complex, multi-jurisdictional environments. For U.S. financial firms building EU compliance infrastructure from the ground up, SpeedyDD provides the registry-sourced verification, structured KYB workflows, and audit-ready documentation that EU supervisors expect from day one of operation.
Frequently Asked Questions
Can a U.S. financial firm use EU passporting rights without an EU entity?
No. Passporting rights allow an authorised firm to operate across all EU member states on the basis of a single home-state licence, but a European passport is only available to firms with their head office established in an EU or EEA jurisdiction. A U.S. firm cannot access passporting by establishing a branch or conducting business from the U.S. To use passporting rights, a U.S. firm must incorporate and obtain authorisation in an EU member state, at which point its EU subsidiary, not the U.S. parent, holds the passport.
What does CRD VI mean for U.S. banks providing cross-border services to EU clients?
CRD VI introduces a ban on third-country institutions providing core banking services, specifically lending, guarantees, commitments, and deposit-taking, into the EU on a cross-border basis without local establishment. Contracts for core banking activities ceased to benefit from grandfathering exemptions from 11 July 2026. Third-country branch authorisation requirements apply from 11 January 2027, following a transitional relief period. U.S. banks providing trade finance, letters of credit, guarantees, structured finance facilities, or acquisition finance to EU counterparties need to assess whether their activities fall within scope and what their structural options are. The provision of cross-border investment services as such remains unaffected.
What licences might a U.S. financial firm need to operate in the EU?
The specific licences required depend entirely on your business model. Investment firms need MiFID II authorisation. Banks and credit institutions need a CRD licence. Payment institutions need authorisation under PSD2 and eventually PSD3. Electronic money institutions need EMI authorisation. Crypto-asset service providers need MiCAR authorisation. Some business models require multiple licences, particularly where payment services and crypto-asset services overlap. The European Commission's overview of financial services legislation is the primary reference for the full scope of EU financial services frameworks.
How long does EU financial services authorisation take?
Timelines vary by licence type and member state. MiFID II investment firm authorisations typically take six to twelve months from a complete application submission. Banking licences under CRD are generally longer, often twelve to eighteen months or more. MiCAR CASP authorisations vary by national competent authority but typically range from six to twelve months. These are timelines for complete, well-prepared applications. Incomplete applications are returned and restart the process. Planning the licensing timeline is one of the most important operational decisions in a European market entry, and it needs to begin well before your target go-live date.
What AML compliance infrastructure does a new EU financial entity need from day one?
A newly authorised EU financial entity needs a documented AML/CFT compliance programme that meets the existing AML Directive framework from the point it begins regulated activities, and needs to be building toward the AMLR's enhanced standard for July 2027. In practical terms, this includes a documented Business-Wide Risk Assessment, a KYB process that meets EU evidentiary standards including registry-sourced beneficial ownership verification, risk-based customer due diligence with documented approval decisions, sanctions and PEP screening, and an ongoing monitoring programme with a system capable of detecting and reporting discrepancies within 14 calendar days under Article 24 of Regulation (EU) 2024/1624. A U.S. AML programme built for FinCEN requirements will not meet this standard without redesign.
What does DORA require of a newly established EU financial entity?
DORA (Regulation EU 2022/2554) requires a comprehensive ICT risk management framework covering ICT strategy, risk assessment, incident classification and reporting procedures, digital operational resilience testing, and a register of all contractual arrangements with ICT third-party service providers. For newly established EU entities, the ICT third-party register needs to be built from day one. Vendor contracts for critical or important ICT functions need to include the specific provisions DORA requires, including audit rights, incident reporting cooperation, and resilience testing access. DORA compliance is a management body obligation, not an IT team task.
What does PSD3 mean for a U.S. firm entering the European payments market?
PSD3 and its companion Payment Services Regulation reached political agreement in November 2025 and are expected to be published in the Official Journal in 2026, with a transition period of 18 to 24 months before full application in late 2027 to early 2028. For U.S. firms entering the payments market now, PSD2 authorisation under the current framework remains the applicable standard, with PSD3 compliance forming part of the medium-term regulatory roadmap. Key changes under PSD3 include strengthened fraud prevention obligations, enhanced consumer protection, and updated passporting rights for account information service providers. Firms operating in both payments and crypto-asset services should specifically assess whether dual MiCAR and PSD3 authorisation applies to their business model, following the EBA's February 2026 opinion clarifying the scope of that requirement.
Does the EU AI Act apply to a U.S. firm entering Europe?
Yes, if your business deploys AI systems in EU-facing operations or whose outputs are used in the EU. Many AI use cases in financial services including credit scoring, fraud detection, AML risk profiling, and automated decision-making that affects access to financial services are classified as high-risk AI systems under Regulation (EU) 2024/1689. High-risk systems must meet requirements including automated logging, comprehensive technical documentation, human oversight mechanisms, and ongoing accuracy and bias monitoring. Penalties for serious violations can reach €35 million or 7% of global annual turnover. An EU AI Act inventory and risk classification exercise should be part of the pre-launch compliance preparation for any U.S. firm entering the EU financial market.
How does MiCAR affect a U.S. crypto firm wanting to serve EU customers?
MiCAR (Regulation EU 2023/1114) requires any entity offering crypto-asset services to EU customers to hold a MiCAR CASP authorisation, obtained from a national competent authority in an EU member state. Operating without authorisation exposes the firm to penalties of at least €5 million or 12.5% of annual turnover for severe breaches, suspension of services, and public disclosure of violations. MiCAR uses passporting: a single authorisation in one member state covers service provision across all 27. CASPs are obliged entities under EU AML law, meaning the full AMLR compliance framework applies to their KYB and customer due diligence processes from the point of authorisation.
