Deadline for group insurance intermediaries is approaching
From 1 October 2025, group insurance providers must hold a licence as insurance intermediaries. This requirement follows from a judgment of the Court of Justice of the European Union (62020CJ0633). The AFM has published a reminder on its website (in Dutch).
Group insurance intermediaries that conduct a different main activity, such as removal firms or webshops, and that do not yet have a licence as an insurance intermediary, must meet this requirement by 1 October 2025. In summary, these parties have the following options:
- obtaining an AFM licence as an intermediary in non-life or other insurance; or
- adjusting their insurance-related activities in such a way that they no longer qualify as insurance intermediaries.
Given the timelines, parties that wish to obtain a licence will probably have already submitted their licence applications to the AFM months ago. Parties that have not done so must ensure that they modify their operations in such a way that they are no longer considered insurance intermediaries. If you would like assistance in assessing your options, we would be pleased to advise you.
EBA launches consultation on its draft Guidelines on the sound management of third-party risk
Over the past few years, Europe’s financial sector has become increasingly dependent on external service providers for the execution of important business processes. This trend entails new risks, necessitating a solid and harmonised framework for the management of third-party risks. Against this backdrop, the European Banking Authority (EBA) launched a consultation on 8 July 2025 on the revised Guidelines, which focus on the management of third-party risk in relation to non-ICT related services, with a particular focus on the provision of critical or important functions. The consultation allows stakeholders to give feedback on the proposed changes, which aim to update the current outsourcing guidelines and align them with the Digital Operational Resilience Act (DORA).
A key driver for revising the outsourcing guidelines is DORA’s entry into force on 17 January 2023 and its subsequent compliance date of 17 January 2025. DORA introduces a uniform regulatory framework for the management of ICT risks in the financial sector. Because of their wide scope, the EBA outsourcing guidelines generally also apply to ICT services. As DORA uniformly lays down the requirements for the management of third-party risks in relation to ICT services, ICT services must be explicitly excluded from the scope of the EBA outsourcing guidelines. In addition, the revised Guidelines aim to align the regulatory framework for non-ICT related services more closely with that for ICT services under DORA. This closer alignment between the ICT and non-ICT outsourcing frameworks is meant to ensure a level playing field and foster greater harmonisation and convergence in the supervision of third-party risks across the financial sector.
The EBA’s original outsourcing guidelines applied to credit institutions and investment firms subject to the Capital Requirements Directive (CRD), payment institutions and electronic money institutions. The revised Guidelines reflect the EBA’s aim of more closely aligning the scope of the outsourcing guidelines with that of DORA. This will extend their scope to include institutions (under the CRD), investment firms which are not considered to be ‘small and non-interconnected’, payment institutions, electronic money institutions, issuers of asset-referenced tokens under the Markets in Crypto-Assets Regulation (MiCAR) and creditors under the Mortgage Credit Directive. The Guidelines do not directly relate to credit intermediaries or account information service providers that are only registered for service 8 under the revised Payment Services Directive 2. Growing digitisation, the use of specialised service providers and the globalisation of the financial sector have increased the complexity and scope of outsourcing risks. The revised guidelines aim to ensure a harmonised and robust framework for financial entities to strengthen their operational resilience and for competent authorities to improve their supervision of outsourcing arrangements and concentration risks.
In addition, the Guidelines apply the principle of proportionality more explicitly, with the extent of the necessary control measures being determined by the size, nature and complexity of both the entity and the outsourced function. A new element is the express life cycle approach, which describes the entire process of third-party arrangements, from risk assessment to exit strategy. The documentation and reporting requirements have been aligned with DORA, enabling a single register for both ICT and non-ICT outsourcing. Critical or important functions are subject to stricter requirements, including with regard to contracts, audit rights and exit planning. Finally, the management of concentration risks features more prominently, and entities are given a two-year transition period to meet the new requirements.
The EBA’s revision aims to strengthen the financial sector’s operational resilience and ensure a future-proof and consistent framework for the management of third-party risks. The consultation is open until 8 October 2025, after which the final guidelines will be adopted.
AFM publishes its market update on Buy Now, Pay Later services
The Dutch Authority for the Financial Markets (AFM) published its Buy Now, Pay Later Market Update 2025 on 1 July 2025. The report gives an overview of Buy Now, Pay Later (BNPL) market developments. The BNPL market grew by 17% in 2025, with payment problems lagging slightly behind. At the same time, the number of BNPL users and average transaction amounts remained stable, indicating that current users have intensified their use of BNPL services.
Given the high absolute numbers of people with payment problems, the AFM is calling for more far-reaching consumer protection. Regarding market participants, the AFM observes that BNPL providers that have signed the Code of Conduct (Billink, In3, Klarna and Riverty) represent only half the BNPL market (55% of all BNPL transactions), as large online platforms such as bol.com, Amazon and Zalando also provide BNPL services (45% of all BNPL transactions).
BNPL providers will not come under formal AFM supervision until 20 November 2026. As a result of the implementation of the revised EU Consumer Credit Directive, BNPL services will, in principle, qualify as consumer credit, meaning that BNPL providers must have an AFM licence and comply with applicable consumer protection provisions for consumer credit.
In anticipation of this change, the AFM emphasises that BNPL providers must ensure that they cease any provision of BNPL services to minors. This will require better age verification of users of BNPL services. The AFM is still receiving indications that minors are using BNPL services and are able to circumvent current age checks.
In addition, the AFM is advocating an appropriate creditworthiness assessment and Credit Registration Agency (“BKR”) registration for BNPL service providers. In that regard, the AFM believes that the threshold amount for the creditworthiness assessment and BKR checks should be substantially lower than the current threshold of €250. The AFM may be aiming for a threshold amount of €50 or even less. The average transaction amount for BNPL payments is €74, and more than half of all BNPL transactions involve amounts of less than €50. In addition, in 92% of transactions where BNPL providers charged late payment fees – and in 89% of transactions that were transferred to a debt collection agency – the transaction amount was less than the current threshold amount of €250. Those cases do not involve a prior creditworthiness assessment or BKR check.
Lowering the threshold amount to €50 would subject more than half of these problematic payments to a creditworthiness assessment (i.e. an income and expenses check, with providers obtaining information about consumers’ income and expenses) and a BKR check. As BNPL providers have not yet voluntarily joined the BKR, despite the AFM’s express request, the AFM is again urging them to do so.
ESMA publishes its guidelines on the assessment of knowledge and competence of CASP staff giving information or advice about crypto assets or crypto-asset services under MiCAR
On 11 July 2025, the European Securities and Markets Authority (ESMA) published its final report on the guidelines for the criteria on the assessment of the knowledge and competence of staff giving information or advice on crypto assets and crypto-asset services. The guidelines aim to strengthen crypto investor protection and to ensure that staff possess the appropriate knowledge and competence. They seek to ensure a minimum level of knowledge and competence for staff and address specific features and risks of crypto-asset markets and services through specific criteria for the assessment of the relevant staff’s knowledge and competence.
MiCAR has introduced an EU-wide regulatory framework for 10 different crypto services, including the provision of crypto advice and order execution. Article 81 MiCAR requires crypto-asset service providers (CASPs) to ensure that natural persons giving advice or information about crypto assets possess the ‘necessary knowledge and competence’. ESMA was specifically instructed (Article 81(15)(a) MiCAR) to lay down criteria to ensure that Member States and market participants across Europe apply the same standard.
The guidelines apply to supervisory authorities and CASPs as defined in Article 3(1)(15) MiCAR. They also clarify which individuals fall outside their scope. Examples include employees who merely point out where clients can find information provided by the crypto-asset service provider, employees distributing brochures without giving additional information with regard to their content or providing any follow-up crypto-asset services, employees who only hand over information at the client’s request without giving any additional information with regard to its content or providing any follow-up crypto-asset services, and employees who perform back-office functions without direct relevance for clients and do not have direct contact with clients.
The core knowledge and competence requirements distinguish between information providers and advisers. A list is included for each group. Employees giving information must have sufficient knowledge and competence to accurately inform clients about crypto assets and crypto-asset services. They should have insight into the characteristics, risks and features of offered products, the relevant technology (such as distributed ledger technology), market functioning, cost structures (including network costs), differences in investor protection under MiCAR and MiFID II, and relevant laws and regulations (such as anti-money laundering rules). They also need a basic knowledge of valuation methods, cyber risks and operating risks. In addition, ESMA cites examples of sufficient credentials: a professional qualification of at least 80 hours and appropriate experience of at least 6 months under supervision, or appropriate experience of 1 year under supervision. Finally, annual continuous professional development (CPD) or training is required, with a minimum of 10 hours for simple products.
Advisers are subject to all the above requirements, plus more in-depth knowledge of suitability testing, portfolio management, diversification and valuation models. For example, they should be able to assess whether a particular crypto asset is suitable for the client. ESMA states four possible qualification routes, including a relevant degree in tertiary education and appropriate experience of 1 year, or a professional formation of 160 hours and appropriate experience of 1 year. An example minimum of 20 CPD hours per year applies. Both positions require knowledge assessments and up-to-date training and experience files.
Other financial regulatory publications
We have highlighted a selection of other publications that are relevant for the financial markets and financial supervision.
Investment institutions
The AFM published a letter (in Dutch) with points of attention for alternative investment fund managers under the light regime (‘light managers’). It observes that these light managers are not properly complying with their legal obligations.
- Alternative Investment Fund Managers Directive reporting: reports are not always submitted on time or correctly.
- Key information documents (KIDs): these are often lacking or are not provided (via a website or otherwise).
- Money Laundering and Terrorist Financing (Prevention) Act (Wet ter voorkoming van witwassen en financieren van terrorisme) and Sanctions Act (Sanctiewet): there are shortcomings in risk assessments, and client due diligence is poor.
- Investor classification: the distinction between professional and non-professional investors is regularly applied incorrectly.
- Retail exception: light managers using the <150-persons exception are unable to adequately demonstrate their compliance.
- Deregistration: omissions in the timely deregistration of inactive managers or funds.
Crypto
- On 5 August 2024, the Dutch Central Bank (“DNB”) imposed an order subject to a penalty on Peken Global Limited (“PGL”), operating under the trade name ‘KuCoin’, for providing crypto services without registration with DNB, which is against the law.
Insurance
- The European Insurance and Occupational Pensions Authority (EIOPA) launched a public consultation on its draft revised Guidelines on the Supervisory Review Process. This process is used by supervisory authorities to regularly assess insurers’ and groups’ exposure to risks and the effectiveness of the controls they have in place. EIOPA states that the revision’s primary objective is to update the Guidelines by clarifying existing instructions as necessary in light of the Solvency II review and by bringing emerging risks within their scope.
Case law
- JOR 2025/163: Subdistrict Court of the Midden-Nederland District Court, 30 April 2025, ECLI:NL:RBMNE:2025:2054, with commentary by C.W.M. Lieverse (‘buy now, pay later’ product). The court held that it had not been demonstrated that the costs charged were not part of the revenue model. An ex officio assessment was made of compliance with consumer protection provisions.