Financial regulation in the Netherlands

The Markets in Crypto-Assets Regulation (MiCAR) establishes the first EU-wide framework regulating cryptocurrencies and related services. It introduces requirements for the authorisation and supervision of crypto-asset service providers (CASPs), issuers of asset-referenced tokens (ARTs) and issuers of e-money tokens (EMTs), as well as for their operation, organisation and governance.

MiCAR also lays down transparency and disclosure requirements for the issuance, offer to the public and admission of crypto-assets to trading, requirements for the protection of holders of crypto-assets and clients of CASPs , and measures to prevent market-abuse related to crypto-assets, in order to ensure the integrity of markets in crypto-assets. Certain specific rules applied form 29 June 2023, the rules for ART and EMT issuers applied from 30 June 2024 and the vast majority of the rules applied from 30 December 2024, with transitional relief in some EU member states. In the Netherlands, the Dutch Authority for the Financial Markets (AFM) and Dutch Central Bank (DNB) share responsibilities. The AFM is the licensing authority for CASPs and is responsible for most of the regular supervision.

DNB is responsible for supervising EMTs and ARTs, the assessment of proposed holdings in CASPs and the regular prudential supervision of CASPs. MiCAR raises the bar on capital, governance, ICT resilience (alongside the Digital Operational Resilience Act), and retail disclosures, reshaping models for exchanges, brokers, custodians, advisors, and token issuers. 

The EU’s payments review led to proposals from the European Commission for a revised Payment Services Directive (PSD3) on authorisation of and supervision on payment services and electronic money services and a directly applicable Payment Services Regulation (PSR) harmonising conduct and operational rules.

Expect strengthened fraud prevention and refund rights (including more consistent IBAN/name checks), enhanced authentication and consent, clearer open-banking interfaces, and greater convergence of prudential and safeguarding regimes for banks, payment institutions and e-money institutions. Both PSR and PSD3 are expected to come into force in 2026.

After PSD3 becomes final, EU member states will have 18 months to implement the directive into national law. In the Netherlands, implementation will primarily amend the Dutch Financial Supervision Act (Wft) and underlying decrees, with DNB as lead supervisor and close coordination with the Dutch data protection authority (AP) and the Netherlands Authority for Consumers and Markets (ACM). Firms should plan for changes to fraud controls, customer communications, and licensing categories on a staged timeline following formal adoption. 

The Digital Operational Resilience Act (DORA) aims to enhance the IT security of financial entities with focus on key area's such as ICT risk management, third-party risk management, digital operational resilience testing, ICT-related incidents, information sharing and oversight of critical third-party service providers.

DORA covers, amongst others, banks, insurers, investment firms, payment institutions, e-money institutions, fund managers and CASPs. These institutions should therefore manage their ICT risks, deal with ICT-related incidents, test their own ICT resilience and manage risks associated with engaging ICT service providers. In the Netherlands, DNB and the AFM will supervise in line with their remits. DORA became fully applicable on 17 January 2025.

The proposed Financial Data Access regulation (FiDA) is the EU’s open-finance initiative, expanding secure, consent-based data sharing beyond payments to a broad range of retail and financial data. FiDA will expand beyond 'open banking', as FiDA includes a wider range of financial data like insurance, mortgages and investments, while PSD focusses on payment accounts. Customer consent is central to FiDA, as financial data can only be shared with a customer's explicit consent. Regarding the introduction of new players, FiDA will create a new category of regulated entities called Financial Information Service Providers (FISPs).

The Alternative Investment Fund Managers Directive (AIFMD) aims to provide for an internal market for managers of alternative investment funds (AIFMs) and a harmonised and binding regulatory and supervisory framework for their activities within the EU. AIFMD2 amends both the AIFMD and the UCITS Directive and makes changes regarding delegation, authorisation requirements, reporting obligations and the regulation of loan originating alternative investment funds.

In the Netherlands, the implementation will amend the Wft and Besluit/Regeling Wft for AIFMs and depositaries, with the AFM leading on licensing and conduct and DNB on prudential aspects. Dutch loan-originating funds and managers using delegation should re-map policies, risk limits, disclosures and service provider arrangements ahead of the transposition deadline. The deadline for implementation of AIFMD 2 in the Netherlands is 16 April 2026.

The Markets in Financial Instruments Directive (MiFID2) and the Markets in Financial Instruments Regulation (MiFIR) regulate the European financial markets, created to strengthen investor protection, increase transparency and to make the financial markets more efficient and resilient. MiFID2's key aspects are market infrastructure/transparency, transaction reporting, product governance, investor protection and rules on inducement. MiFIR amongst others sets transparency requirements which impose reporting standards on authorised investment firms.

Investment firms active in the Dutch market should monitor AFM guidance on marketing, costs and value-for-money, embed ESG preferences captured in suitability, and prepare for data and transparency changes under the MiFIR and MiFID2 Review. 

The Dutch Financial Supervision Act (Wet op het financieel toezicht, Wft) underpins financial regulation in the Netherlands, implementing EU law and setting national requirements for licensing, governance, conduct, prudential supervision and market integrity. Detailed rules sit in underlying decrees and regulations, supplemented by AFM and DNB policy rules and Q&As on topics such as fit and-proper and integrity assessments, outsourcing, controlled and sound business operations, and remuneration.

The AFM oversees conduct, disclosure and market integrity and DNB supervises prudential soundness and integrity/AML. Both coordinate with the Netherlands Financial Intelligence (FIU-the Netherlands) and the AP on AML and data protection. 

The Capital Requirements Regulation and Directive (CRR/CRD) set prudential rules for EU credit institutions and certain investment firms, covering own funds, risk-weighted assets, large exposures, liquidity (LCR/NSFR), governance and remuneration, Pillar 2/SREP and buffers. The regime continues to evolve, with implementation of the “Basel III finalisation” package (CRR3/CRD6) introducing the output floor and revised approaches for credit, operational and market risk on a phased timeline.

In the Netherlands, DNB applies the EU framework through SREP, macro-prudential buffers and Pillar 2 Guidance, and integrates European Banking Authority (EBA) guidelines on internal governance, ICT/outsourcing (alongside DORA) and remuneration. Dutch banks — and systemically important investment firms remaining under CRR/CRD — should plan for model and capital impacts from the output floor, data/system changes for revised standardised approaches, and the interaction with resolution/MREL and climate-risk expectations. 

Dutch AML/CFT obligations are anchored in the Dutch Anti-Money Laundering and Anti-Terrorist Financing Act (Wwft) and the Sanctions Act 1977, requiring risk-based CDD, UBO identification and verification, ongoing monitoring and screening, reporting of unusual transactions to FIU- the Netherlands), and sanctions compliance.

Supervisory responsibilities are split across DNB, the AFM and professional bodies, with active enforcement and guidance on transaction monitoring, high-risk third countries, correspondent relationships, PEPs and proliferation financing.

The EU’s new AML Package — a directly applicable AML Regulation (AMLR), a 6th AML Directive on supervision/enforcement (AMLD6), and the new EU Anti-Money Laundering Authority (AMLA) — will further harmonise rules (including a standard EU cash cap, consistent CDD and beneficial-ownership requirements, and extended coverage for crypto-asset services) and centralise oversight of high-risk entities.

Dutch obliged entities should track staged EU application dates, align policies and monitoring to more prescriptive AMLR standards, and ensure robust Sanctions Act controls remain front and centre.