Legal changes in 2026: What banks and financial institutions need to know

Dec 18, 2025

Legal changes 2026

Between innovation and duty

The year 2026 will bring numerous new legal requirements at both EU and national levels. In particular, significant changes are on the horizon for companies obligated under the Money Laundering Act (GwG) – especially banks and financial service providers.

This article provides an overview of the most important changes in 2026 and offers recommendations for your company.

eIDAS 2.0: EU Digital Identity Wallet in Germany from 02.01.2027 

Sources [1][2]

The updated eIDAS Regulation (EU) 2024/1183 further develops the existing European framework for digital identities and adds the EU Digital Identity Wallet. Member States must provide at least one EU-wide interoperable wallet by the end of 2026 at the latest. In Germany, the nationwide rollout is scheduled for January 2, 2027.

The European Digital Identity Wallet (EUDI Wallet) is a digital identity wallet (typically an app) that allows users to securely store, manage, and, if necessary, present official identity data and proof of verified attributes (e.g., driver's license, academic/educational or professional qualifications) to authorities or private providers across borders. Use of the wallet is voluntary.

Acceptance obligation from 2027: What banks can expect

For banks and other obligated entities, this means two things: Firstly, the digital identity wallet opens up new possibilities in the KYC and onboarding process. Citizens can use it to digitally verify their identity or individual attributes (such as age or residence) when opening an account, making processes more efficient and facilitating cross-border identification.

Secondly, certain sectors – including banks, credit institutions, e-money institutions and payment service providers – will be legally obliged to accept EU wallets as proof of identity from December 2027. By that date at the latest, a bank must therefore be able to accept identification data presented via the wallet if a customer requests it.

Technical and organizational preparation

Banks should monitor the introduction of the EUDI wallet early on and examine the technical requirements in order to integrate it into their processes by 2027. Integrations could be particularly beneficial in online banking and digital onboarding.

EU AI Regulation: Phased application until 2026

Sources [3][4][5][6]

The AI Regulation (EU) 2024/1689 entered into force in August 2024 and provides for a phased implementation schedule. The general date of application is August 2, 2026, but some obligations apply earlier.

Early phase: Prohibitions and basic obligations since 2025

Since February 2, 2025, AI systems posing an unacceptable risk have been banned across the EU. This includes, among others, systems that use subliminal or purposefully manipulative techniques to materially distort a person's behaviour, and social scoring. Since the same date, providers and deployers have had to ensure that their staff have a sufficient level of AI literacy (Article 4), which in practice means training and internal control processes. A bank, for example, may not use AI that manipulates customers' decisions in this way and should establish usage guidelines early on.

Expansion to General Purpose AI since 2025

Since August 2, 2025, the obligations for providers of general-purpose AI models, such as large language models, have applied. Providers must, among other things, maintain technical documentation, provide information to downstream providers that integrate the model, adopt a copyright compliance policy and publish a summary of the training content; models classified as posing systemic risk are additionally subject to evaluation, adversarial testing, incident reporting and cybersecurity obligations. Financial institutions that build on such models (e.g., for chatbots) should obtain this documentation from their providers and prepare for the transparency obligations towards users, which apply from August 2026.

Full application and high-risk AI from 2026

The AI Regulation will apply in full from August 2, 2026 (subject to the extended deadline described below). High-risk AI – for example, AI used to assess the creditworthiness of natural persons or to establish their credit score – may only be used if extensive requirements are met (including risk management, data governance, technical documentation, logging and human oversight). Note that Annex III explicitly excludes AI used to detect financial fraud from this category. Banks should inventory their AI applications and implement compliance measures by then.

Extended deadline for certain regulated systems

For high-risk AI systems that are safety components of products already covered by the EU product legislation listed in Annex I (e.g., machinery or medical devices), an extended transition period applies until August 2, 2027, because these systems pass through existing conformity assessment procedures.

Sanctions and recommendations for action

Violations of the AI Regulation can be fined with up to €35 million or 7% of the company's worldwide annual turnover (for prohibited practices; lower caps of €15 million or 3% apply to most other violations).

Financial institutions should now develop an AI compliance strategy: immediately cease prohibited practices, identify high-risk AI, establish governance and control structures, and train employees. Transparency obligations, particularly regarding generative AI, should be implemented early to ensure compliance by 2026.

EU Digital Omnibus: Planned relief for digital regulation

Sources [5][7][8]

In November 2025, the EU Commission presented a so-called Digital Omnibus package. Its aim is to simplify existing digital legislation and reduce compliance effort without weakening data protection and fundamental rights.

Simplifications in AI and data regulation

The draft legislation proposes adjustments to, among other things, the AI Act, the GDPR, the ePrivacy Directive and the Data Act. For example, certain obligations for high-risk AI are to be postponed, such as pushing the application date back to the end of 2027. This would give companies more lead time to implement compliant AI systems.

Furthermore, discussions are underway regarding the conditions under which personal data may be used for AI training. In future, legitimate interest could suffice in certain cases, provided all GDPR safeguards are observed. This would be particularly relevant for data-intensive AI applications.

Relief measures regarding cookies and reporting obligations

In the area of ePrivacy, the Commission plans to streamline cookie rules to reduce the number of consent banners. At the same time, reporting obligations for data protection and cyber incidents are to be harmonized, for example through longer deadlines and a central EU reporting portal. This would particularly benefit financial companies that are subject to multiple reporting regimes.

Schedule and classification

The Digital Omnibus package has not yet been adopted; it is not expected to be passed before 2026, and changes during the legislative process are likely. One thing is clear, however: the EU is aiming for simplification, not deregulation.

No immediate action is required. However, banks and insurers should closely monitor developments, as the planned measures could reduce compliance costs in the medium term. Until actual implementation, full compliance with existing digital and data protection regulations remains mandatory.

DORA will replace BAIT by the end of 2026

Sources [9][10][11]

The EU regulation DORA (EU) 2022/2554 has applied since January 17, 2025, and establishes a uniform EU-wide legal framework for the digital operational resilience of financial entities. In Germany, the BAIT (Banking Supervisory Requirements for IT) will continue to apply during the transition until December 31, 2026 and will then be repealed. Since 2025, DORA has been the relevant supervisory reference framework for IT/ICT matters for the companies within its scope; from 2027, IT supervision will be based primarily on DORA, while general organizational and supervisory requirements (e.g., from the German Banking Act (KWG) and MaRisk) continue to apply.

Key requirements of DORA

DORA requires financial institutions to implement a holistic ICT risk management system. This includes clear governance structures, regular risk analyses, and information security measures.

Another focus is on resilience and security testing, such as penetration tests and emergency drills. Institutions designated by their competent authority must additionally conduct threat-led penetration tests (TLPT) at least every three years.

The management of third-party ICT providers will also be significantly tightened: Institutions must identify all relevant service providers, assess risks, and document exit strategies. Critical ICT providers will even be subject to direct EU supervision in the future.

In addition, DORA introduces harmonized reporting obligations for major ICT-related incidents: an initial notification within 4 hours of classifying the incident as major (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours, and a final report within one month, all to the competent supervisory authority.

Transitional arrangements until 2027

While DORA has applied EU-wide since January 17, 2025, and provides the central framework for ICT risk management, incident reporting, testing and third-party ICT risk for the financial entities it covers, some institutions regulated under the German Banking Act (KWG) will only be brought into the (simplified) DORA framework from January 1, 2027. For this remaining scope, the BAIT continue to apply until December 31, 2026 and are then repealed; general national organizational and supervisory requirements remain relevant in any case.

When implemented correctly, DORA offers not only compliance, but also greater stability and trust in digital processes.

NIS2: New cybersecurity rules from 2026

Sources [12][13][14][15][18][20]

The EU Directive NIS2 (EU) 2022/2555 significantly strengthens the European framework for cybersecurity. In Germany, the law implementing the NIS2 Directive entered into force on December 6, 2025, following its publication in the Federal Law Gazette. Since then, the new obligations have applied to companies covered by NIS2. The law transposes the European requirements into German law, which entails new, far-reaching cybersecurity compliance obligations for many companies, including reporting obligations to the Federal Office for Information Security (BSI).

Significantly expanded application range

NIS2 significantly expands the scope of obligated entities. In Germany, approximately 30,000 organizations are now affected. Banks, payment systems and financial market infrastructures are explicitly listed among the particularly important (essential) entities. Many IT service providers to banks will also fall under the rules in the future. In effect, virtually all credit institutions are now subject to NIS2, although DORA takes precedence for the areas it regulates (see below).

Affected companies must register with the BSI (Federal Office for Information Security) by March 2026 at the latest and establish an effective cyber risk management system. This requires state-of-the-art technical and organizational security measures as well as clear accountability from management.

The reporting requirements for cyber incidents are particularly demanding:
– early warning within 24 hours of becoming aware of a significant incident,
– incident notification with an initial assessment within 72 hours,
– final report within one month.

Fines can amount to up to €10 million or 2% of worldwide annual turnover for particularly important entities (up to €7 million or 1.4% for important entities).

Relationship to DORA

Article 1(2) DORA designates DORA as a sector-specific Union legal act within the meaning of Article 4 NIS2. For financial entities within DORA's scope, this means: insofar as DORA regulates ICT/cybersecurity risk management and the reporting of major ICT-related incidents, its requirements take precedence, and the corresponding obligations of the national NIS2 implementation in the BSIG (Act on the Federal Office for Information Security) do not apply in these areas.

Institutions should promptly assess whether they qualify as particularly important or important entities and thus fall under the scope of NIS2. Where applicable, registration with the BSI (Federal Office for Information Security) and robust incident response and reporting processes are priorities. Furthermore, NIS2 makes cybersecurity a management responsibility: Management must monitor implementation and can be held accountable for it.

Money Laundering Reporting Ordinance: New standards from March 2026

Sources [16][17][19]

The Money Laundering Reporting Ordinance (GwGMeldV) will enter into force on March 1, 2026. For the first time, it standardizes the form and content of suspicious activity reports to the Financial Intelligence Unit (FIU) and is intended to significantly improve the quality and evaluability of reports.

Suspicious activity reports must henceforth be submitted exclusively electronically via the FIU portal goAML, either through the web form or as an XML file; other transmission channels are no longer accepted. Attachments must be in a machine-readable format. Until now, there were no binding detailed specifications on form, minimum content and data structure. The ordinance thus contributes significantly to the quality of reports and simplifies processing by the FIU.

Uniform minimum information required in every report

The ordinance defines a binding list of mandatory information, including:

  • information on the reporting entity,
  • standardized reporting reasons,
  • relevant customer data (including beneficial owners),
  • a comprehensible description of the facts, and
  • the required documents as attachments.

All relevant KYC information must be available in the event of a report.

Impact on processes, IT and liability

For institutions, the GwGMeldV (Money Laundering Reporting Ordinance) means a significant need for adjustments in IT and organization. Internal systems must provide the required data in a structured form, ideally via an interface to goAML.

Furthermore, the liability risk in the event of reporting errors increases: anyone who in future fails to submit a suspicious activity report, or submits it late, incompletely or incorrectly, commits an administrative offence that can be fined under Section 56 of the Money Laundering Act (GwG). The newly introduced precise requirements define this offence more clearly. Institutions must therefore ensure that reports are formally correct; otherwise, they will be deemed not submitted.

Recommendation for those obligated to act

Obligated entities should use the time until March 2026 to prepare for the new reporting requirements. Specifically, this means: ensuring goAML registration (many banks are already registered, but newly obligated entities such as lawyers had to register by the end of 2024), converting internal reporting systems to the XML submission format, and training employees intensively (especially money laundering reporting officers and compliance staff).

Furthermore, KYC processes should be checked for gaps: All information that will be required in future reports must be available in the customer database or transaction data – if not, internal due diligence requirements must be increased.

Finally, a workflow for extensive attachments must be prepared. Relevant documents should be available electronically and easily accessible. These preparations will enable institutions to report suspicious transactions efficiently, completely, and on time from 2026 onwards, which will help avoid fines and allow the FIU to evaluate money laundering reports more quickly – a win for all parties involved.

Conclusion

For entities subject to the German Money Laundering Act (GwG), particularly banks, significant regulatory changes are on the horizon for 2026. Europe is accelerating the development of digital identity and, with the AI Regulation and NIS2, creating new frameworks for future technologies and cybersecurity. At the same time, the Digital Omnibus initiative aims to make existing rules more practical, which could bring relief in the medium term. Furthermore, DORA and the Money Laundering Reporting Ordinance will ensure greater uniformity and stringency in financial IT and money laundering prevention.

For institutions, the bottom line is: act proactively instead of waiting. The changes described sometimes require long lead times, whether for IT integrations (wallets, goAML), new control processes (AI and cyber risks), or cultural shifts (cybersecurity as a leadership responsibility).

The consequences of non-compliance – hefty fines, personal liability for management, reputational damage – make it clear that compliance is not optional, but mandatory. However, those who invest early can also reap the benefits: for example, from more efficient processes (digital identities, standardized reporting) or from a competitive edge through more resilient and trustworthy systems.

Create a Regulatory Roadmap 2026 for your institution that includes the topics mentioned. Prioritize them according to implementation dates and impact.

This is how you can navigate your company safely through the regulatory year 2026 and at the same time sustainably strengthen your compliance culture.

Sources

[1] EU Digital Identity Wallet - Wikipedia

[2] The EU Digital Identity Wallet: What companies need to know | Arthur Cox LLP

[3] AI Act | Shaping Europe's digital future

[4] Long awaited EU AI Act becomes law after publication in the EU's Official Journal | White & Case LLP

[5] EU to delay 'high risk' AI rules until 2027 after Big Tech pushback | Reuters

[6] The EU AI Act: What it means for your business | EY – Switzerland

[7] EU AI Act, GDPR, and Digital Laws Changes Proposed | Crowell & Moring LLP

[8] Simpler EU digital rules and new digital wallets to save billions for businesses and boost innovation | Shaping Europe's digital future

[9] BAIT / DORA | Deutsche Bundesbank

[10] DORA has been in use since January 17, 2025

[11] DORA: BaFin announces simplifications for the first-time audit

[12] German Bundestag passes NIS-2 law | RÖDL

[13] NIS2 law in force: Compliance turnaround for 30.000 German companies

[14] For St. Nicholas Day: NIS2 Implementation Act comes into force | heise online

[15] Who does NIS2 apply to? | Securepoint

[16] New GwGMeldV: Changes March 2026 | PayTechLaw.com

[17] New regulations for money laundering suspicion reports apply from 1 March 2026 | German Federal Bar Association

[18] GwGMeldV 2026: What changes regarding suspicious activity reports?

[19] New requirements for money laundering suspicion reports from 1 March 2026…

[20] https://www.bsi.bund.de/DE/Themen/Regulierte-Wirtschaft/NIS-2-regulierte-Unternehmen/NIS-2-Infopakete/NIS-2-DORA/NIS-2-DORA_node.html?utm

Cover photo by Tingey Injury Law Firm on Unsplash
Parts of the text were created with ChatGPT.

Roczniewski