
Welcome to the FIG Top 5 at 5
The Top 5 at 5 is a weekly update in which members of the Financial Institutions Group (FIG) identify five of the key legal and regulatory developments relevant to the financial services industry from the preceding week.
Priority is given, in the first instance, to Irish based developments but the update will also include important developments in European law and regulation.
The topics chosen are dictated by the developments during the relevant period but priority is given to cross sectoral developments. The FIG Top 5 at 5 is not intended to represent all developments of note for the relevant period but rather a snap shot of some of the issues which we feel are of particular importance.
Should you have any queries in respect of the contents of the update, please do not hesitate to contact your usual Matheson LLP contact or any member of our team detailed below.
The Top 5 at 5
On 14 July 2026, the European Union (Capital Requirements) (Amendment) Regulations 2026 (“Transposing Regulations”) were published. The Transposing Regulations amend the European Union (Capital Requirements) Regulations 2014 (S.I. No. 158 of 2014) (“Principal Regulations”), giving effect to the EU’s sixth Capital Requirements Directive (“CRD VI”).
CRD VI, which came into force on 9 July 2024, incudes significant changes to the treatment of third- country undertakings (“TCU”) providing services to persons in the EU, specifically, article 21c as regards the requirement to establish a branch in a relevant member state where certain core banking services are provided.
Other reforms introduced include, but are not limited to, changes in relation to conducting suitability assessments for the management body as well as governance arrangements in respect of management of ESG risks.
Article 21c
Article 21c of CRD VI:
- creates a new requirement for TCUs to establish a branch in a member state and apply for authorisation as a third-country branch (“TCB”) to commence or to continue carrying out ‘core banking services’, as referred to in article 47 of CRD VI, in the relevant member state by 11 January 2027;
- provides that in order to preserve clients’ acquired rights under existing contracts, the requirement to establish a TCB shall be without prejudice to existing contracts that were entered into before 11 July 2026; and
- lists certain exemptions to the requirement to establish a TCB.
The Transposing Regulations insert chapter 1C in Part 3 of the Principal Regulations, addressing TCBs. Some of the areas covered are as follows:
- the requirement to establish a branch for the provision of banking services by TCBs;
- prohibition of discrimination;
- the classification of TCBs;
- the conditions for qualifying TCBs;
- the minimum conditions for authorisation of TCBs;
- the conditions for refusal or withdrawal of a TCB’s authorisation;
- capital endowment, liquidity and booking requirements;
- internal governance and risk management;
- cooperation between competent authorities and colleges of supervisors;
- the assessment of systemic importance and requirements on TCBs which have systemic importance; and
- regulatory and financial information on TCBs and head undertakings that is to be reported to the Central Bank.
Next Steps
The Transposing Regulations are effective as of 10 July 2026.
On 25 June 2026, the Central Bank of Ireland (“Central Bank”) hosted its second innovation sandbox programme showcase (“Showcase”). The theme of the 2026 sandbox programme was “Innovation in Payments” – for more information, see FIG Top 5 at 5 dated 29 January 2026.
Innovation Hub Report
At the Showcase, the Central Bank also shared its 2025 Innovation Hub Report (“Report”), highlighting that the Showcase and the Report “forms part of the Central Bank’s ongoing commitment to engaged, forward-looking regulation, creating space for shared learning between innovators and regulators in support of better outcomes for consumers and the wider financial system.”
Some of the main findings of the Report are as follows:
- 2025 saw 78 engagements with firms innovating in financial services in 2025, representing a 10% increase from 2024. The Report highlights that this reflects the continued demand for early regulatory engagement and the value firms place on embedding regulatory and compliance cultures from the outset;
- there was strong engagement from start-ups seeking to build an understanding of regulation and compliance early into their business models and approach; and
- enquiries from firms who were seeking information on the authorisation process with the Central Bank increased to 54% in 2025, with such firms seeking information in key areas such as:
- RegTech firms seeking to understand the Central Bank’s expectations as it relates to the regulated financial services firms that they provide services to;
- firms looking to understand the regulatory expectations as it relates to the provision of investment advice and other regulated services; and
- firms seeking to understand any regulatory overlap when providing multiple products or services i.e. payments and crypto services.
Spotlight on AI
The Report features a spotlight (“Spotlight”) on AI, with the Report highlighting that AI has been one of the leading technologies used by firms engaging with the Central Bank’s innovation hub (“Hub”) with one in three firms using AI in 2025 – in 2024 it was one in five firms.
Illustrating that this is an upward trend, the Spotlight highlights that in 2026, four of the nine projects in the 2026 sandbox programme are using AI as their enabling technology.
The Spotlight gives some examples of how, firms that engaged with the Hub in 2025, have been using AI, some of which are as follows:
- ensuring regulatory compliance by using AI to automate compliance checks and monitor transactions;
- as a support tool to firms providing financial wellbeing and advice to customers either as a ‘chatbot’ tool or as a tool for providing a more detailed financial analysis of a customer; and
- identification of fraudulent documents during onboarding of customers and also identify verification.
The Spotlight highlights that the growth in the use of AI aligns with findings of recent surveys issued by the Central Bank, such as the survey in conjunction with the European Insurance and Occupational Pensions Authority (“EIOPA”) – for more information, see FIG Top 5 at 5 dated 19 March 2026.
In addition, the Spotlight draws attention to the Central Bank’s February 2026 Regulatory and Supervisory Outlook Report (“RSO”), reminding firms that the RSO contains the Central Bank’s current perspective on regulatory and supervisory implications around the use of AI in financial services.
The Spotlight also sets out AI supervisory developments, including:
- the EU AI Office is due to provide guidance on the high-risk classification under the AI Act in the coming months;
- the European Supervisory Agencies are taking an outcome-focused approach to AI risk-management anchored in the AI Act, DORA, and other existing sectoral regulation and guidance. This will see a focus on governance, proportionality, accountability and integration of AI supervision into the mainstream prudential and conduct risk frameworks of regulated firms, rather than treating AI as a standalone area;
- AI considerations feature in the Central Bank’s supervisory priorities for 2026 and beyond, with the degree of focus varying depending on AI’s significance in each sector, the Central Bank’s assessment of risk and the wider European supervisory agenda;
- the AI Act is a targeted addition to exiting regulations and standards and will need to be integrated into firms’ operational frameworks;
- the resilience of technologies, and of the third-party providers behind, them is a core supervisory concern for the Central Bank, highlighting that firms need a future-proofed strategic response with senior sponsorship and appropriate levels of investment when it comes to the technological and cyber-threat landscape, including those risks / threats related to frontier AI models. Here, the Spotlight emphasises that firms’ obligations under DORA come to the fore, such as:
- maintaining a clear view of ICT risks;
- ensuring ICT controls evolve with emerging threats; and
- being prepared to respond to, and recover from, operational disruptions.
Finally, the Spotlight sets out the standards that firms must adhere to when using AI:
- firms must make sure that their use of AI is appropriate for the specific business challenge being addressed;
- firms should establish clear accountabilities and responsibility, human oversight of decisions and their explainability;
- risk management practices must be commensurate with the scale, scope and sensitivity of the AI deployment; and
- processes should be in place to ensure that all EU AI Act obligations are fulfilled, including transparency requirements.
Remainder of Report
Some of the other matters covered by the Report are as follows:
- a spotlight on tokenisation;
- an update on the innovation sandbox programme 2025;
- engagement in 2025; and
- work / engagements planned for 2026 and beyond.
On 8 and 10 July 2026, the Central Bank of Ireland (“Central Bank”) updated its frequently asked questions (“FAQs”) part of its website regarding the Solvency II directive and the Insurance Recovery and Resolution Directive (“IRRD”).
The FAQs arise from the Central Bank’s industry event that was held on 16 June 2026 which addressed:
- the Solvency II changes and the implications for industry; and
- the insurance recovery and resolution directive (“IRRD”) and the implications for industry.
For more information on that event, see FIG Top 5 at 5 dated 25 June 2026.
The FAQs, dealing with both Solvency II and the IRRD, aim to provide clarity as regards key aspects of the Solvency II review implementation and the IRRD implementation, addressing questions received from industry before, after and during the event. By publishing the FAQs, the Central Bank aims to support (re)insurance firms when it comes to preparation for compliance with the amended requirements under Solvency II and in understanding and preparing for the IRRD requirements – both due to come into effect in January 2027.
Solvency II FAQs
The areas covered by the Solvency II FAQs are as follows:
- small and non-complex undertaking (“SNCU”) classification;
- non-SNCU proportionality measures;
- reporting;
- sustainability risk management plans;
- liquidity risk management plans; and
- volatility adjustment.
IRRD FAQs
The areas covered by the IRRD FAQs are as follows:
- legal framework and transposition – some matters highlighted here include:
- the Central Bank will notify firms likely to be in scope of both recovery and resolution planning in Q3 of 2026, followed by a formal notification process in Q1 of 2027, while the scope for recovery planning only will be communicated separately;
- the Central Bank will not goldplate its implementation of the IRRD, emphasising that it is actively taking a proportionate, pragmatic yet robust approach to implementation; and
- the IRRD complements, rather than replaces, national insolvency regimes. Resolution is intended for cases where resolution objectives are met – otherwise, firms may enter normal insolvency proceedings under national law.
- IRRD scope – some matters highlighted here include:
- all firms are in-scope for IRRD, but only some firms will be in scope of pre-emptive recovery or resolution planning;
- the Central Bank will be engaging with potentially in scope (re)insurance firms in H2 2026;
- the Central Bank decision on recovery and resolution scoping is not aligned with the PRISM rating, with the FAQs highlighting that some PRISM high impact firms may not be in scope and vice versa; and
- SNCUs will not be subject to recovery or resolution planning requirements.
- IRRD fund – a decision will be taken by the Department of Finance on the matter of funding in due course and the Central Bank will notify firms of the processes around the fund once known.
- EU groups – here, the Central Bank highlights that, if firms in-scope for resolution or recovery planning are part of an EU group, and that group is producing a plan that includes the Irish entity, then the Central Bank will engage with the relevant NRA or – from a supervisory perspective – the relevant national competent authority to ensure it covers that entity in sufficient detail. If it does not, the Central Bank states that it will work to improve the group plan but failing that, it may have to resort to a local entity plan.
- third country entities – some of the matters addressed here include:
- how the Central Bank will apply the IRRD to Irish subsidiaries with a third country parent; and
- how the Central Bank will apply the IRRD to third country branches, particularly where a non-EU undertaking is already subject to similar prudential requirements, for example, the PRA’s solvent exit planning requirements.
- recovery planning – some matters highlighted here include:
- although recovery planning will no longer be a regulatory requirement for all firms, the Central Bank encourages firms to consider retaining the beneficial elements of the recovery planning framework within their broader risk management and business continuity arrangements;
- recovery planning in Ireland is relatively mature and no significant increase in workload for firms or supervisors is anticipated, especially with the move to a two-year cycle;
- the Central Bank intends to revoke the Central Bank (Supervision and Enforcement) Act 2013 (Section 48(1) (Recovery Plan Requirements for Insurers) Regulations 2021 when the measures transposing IRRD come into effect; and
- it is expected that the majority of firms will no longer have to produce pre-emptive recovery plans on a regular basis.
- resolution planning – some matters highlighted here include:
- a critical business function, as per the operational resilience guidelines, focuses on customer / service continuity, while an IRRD critical function focuses on functions whose disruption could materially affect policyholders, financial stability or the wider economy during recovery or resolution. The FAQs highlight that there will likely be overlap, but not a one-to-one mapping; and
- initial recovery planning requests are likely to begin during 2027, with the Central Bank expecting that the initial resolution reporting will be in 2028, which will commence the two-year resolution planning cycle as per the IRRD.
1. EIOPA publishes four sets of guidelines and three sets of RTS under IRRD
On 8 July 2026, the European Insurance and Occupational Pensions Authority (“EIOPA”) published seven final reports containing four sets of guidelines and three sets of regulatory technical standards (“RTS”) under the insurance recovery and resolution directive (“IRRD”).
The IRRD will introduce a harmonised EU legislative framework for the recovery and resolution of insurers, reinsurers and insurance groups. In total, EIOPA is mandated to develop 19 technical standards and guidelines as regards the implementation of the IRRD. The first set of guidelines and RTS were published in February 2026, with a further set of draft technical standards being published in April 2026 – for more information, see FIG Top 5 at 5 dated 19 February 2026 and FIG Top 5 at 5 dated 30 April 2026.
EIOPA is currently consulting on the remaining four instruments – for more information, see the update below.
December 2025 consultation
EIOPA consulted on the guidelines and the RTS in December 2025 – for more information, see FIG Top 5 at 5 dated 18 December 2025.
In a related press release, EIOPA highlights that it sought to reduce the burden on authorities as much as possible and also to simplify the regulation. In that regard, EIOPA has also published an annex containing specific examples of burden reduction and simplification measures for each instrument.
All of the final reports contain an impact assessment and a feedback statement on the December 2025 consultation.
Guidelines
The published guidelines are follows:
- final report on guidelines on the range of scenarios in pre-emptive recovery planning under article 5(11)(a) of the IRRD;
- final report on guidelines on qualitative and quantitative indicators in pre-emptive recovery planning under article 5(11)(b) of the IRRD;
- final report on guidelines on provision of information under article 66(7) of the IRRD; and
- final report on guidelines on simplified obligations under article 4(1) of the IRRD.
RTS
The published sets of RTS are as follows:
- final report on draft RTS on the independence of valuers;
- final report on draft RTS on resolution stay powers; and
- final report on draft RTS on the valuation of liabilities from derivatives.
Next Steps
In line with the IRRD, the guidelines and the RTS will apply from 30 January 2027.
2. EIOPA publishes final set of consultation papers under IRRD
On 8 July 2026, the European Insurance and Occupational Pensions Authority (“EIOPA”) published two consultations as regards the implementation of the insurance recovery and resolution directive (“IRRD”). The IRRD aims to make insurance failures less likely, and in the event that a failure does occur, to limit the impact of a failure.
The consultations are as follows:
- Consultation on a proposal for draft regulatory technical standards (“RTS”) setting out the methodologies for assessing the value of the assets and liabilities of undertakings in the context of resolution and the methodology for calculating the buffer for additional losses to be included in provisional valuations.
Under article 23 of the IRRD, resolution authorities must ensure that any resolution action is taken on the basis of a valuation ensuring a fair, prudent and realistic assessment of the assets, liabilities, rights and obligations of the entity in scope. In that regard, article 23 sets out two valuations – a first valuation assessing whether the conditions for resolution have been met (“Valuation 1”) and a second valuation which forms the basis for the resolution authority to decide on the appropriate resolution tools (“Valuation 2”). The consultation highlights that the empowerments related to Valuation 1 and Valuation 2 have been merged into one set of draft RTS with the streamlining of the resolution process in mind.
This consultation focuses on the valuation of (re)insurance undertakings and groups for the purposes of resolution, covering Valuation 1 and Valuation 2.
- Consultation on a proposal for draft RTS setting out the methodology for assessing the treatment that shareholders, policyholders, beneficiaries, claimants and other creditors would have received if the undertaking under resolution had entered insolvency proceedings, the methodology for the estimation of the replacement costs, and the separation of valuations in resolution and insolvency proceedings (“Valuation 3”).
This consultation focuses on the valuation of (re)insurance undertakings and groups for the purposes of resolution, covering Valuation 3.
Next Steps
Both consultations are open for feedback until 20 October 2026. In due course, EIOPA will publish reports on the consultations including the revised proposals and the resolution of stakeholder comments.
3. EIOPA publishes letter on the exclusion of GLMs and GAMs from high risk systems classification under EU AI Act
On 10 July 2026, the European Insurance and Occupational Pensions Authority (“EIOPA”) published a letter (“July Letter”) sent to the European Commission (“Commission”) about excluding generalised linear models, including linear and logistic regression (“GLMs”), and generalised additive models (“GAMs”) from the scope of high-risk AI systems under annex III paragraph 5, point (c) (“Annex III”) of the EU AI Act (“AI Act”).
Background
On 14 April 2026, EIOPA sent a letter (“April 2026 Letter”) to the Commission, the European Parliament and the European Council setting out targeted suggestions as regards the AI Act, including that AI systems that rely solely on linear or logistic regression or decision trees under human supervision, GLMs, and GAMs, do not raise the risks that justify the AI Act’s enhanced governance requirements.
The April 2026 Letter highlighted that such systems, which are widely used by (re)insurance undertakings, are not autonomous, as they operate strictly according to predefined instructions and require human intervention for retraining and any material modification. Additionally, it was emphasised that their outcomes are generally easily reversible and that EIOPA has no evidence, to date, that their use has led to significant adverse effects on fundamental rights. Including these models in the scope of high-risk AI systems would, EIOPA argued, not materially reduce the risks associated with these models, rather it would create unnecessary compliance burdens for undertakings and supervisors without bringing added value to consumer protection.
July Letter
Upon receipt of the April 2026 Letter, the Commission sought further context and concrete examples to help it assess whether Annex III should be amended to exclude GLMs and GAMs from the list of high-risk AI systems as regards risk assessment and pricing in life and health insurance. The July Letter has an attached technical annex which sets out EIOPA’s detailed assessment of the criteria set out in article 7(2) of the AI Act with a view to establishing whether the conditions in article 7(3) are fulfilled for a targeted amendment of Annex III.
The July Letter highlights that:
- human-supervised GLMs and GAMs do not present the type of significant AI-specific risk that justifies their classification as high-risk AI systems under Annex III;
- EIOPA emphasises that life and health insurance pricing and risk assessment are important processes that may affect natural persons’ access to and enjoyment of insurance products, but that risks arise, in the main, from data selection, data governance and underwriting or pricing policies, rather than from the GLM or GAM model architecture;
- such risks are already addressed via EU legislation that already applies to insurance entities using AI systems;
- if GLMs and GAMs are classified as high risk under the AI Act, there may be a resulting risk of creating overlapping compliance obligations and the possibility that finite supervisory and industry resources may be diverted away from more opaque, adaptive or genuinely novel AI systems that may raise more specific AI-related risks; and
- EIOPA is of the view that the conditions set out in article 7(3) of the AI Act are met for a targeted exclusion from Annex III, point 5(c), of systems relying solely on GLMs, including linear or logistic regression, and GAMs under human supervision.
1. AMLA publishes final report and draft RTS on pecuniary sanctions, administrative measures and periodic penalty payments under MLD6
On 8 July 2026, the Anti-Money Laundering Authority (“AMLA”) published its final report (“Report”) on draft regulatory technical standards (“RTS”) on pecuniary sanctions, administrative measures and periodic penalty payments under article 53(10) of directive (EU) 2024/1640 (“MLD6”).
Under article 53(10) of MLD6, AMLA is required to develop draft RTS to specify indicators classifying the level of gravity of breaches. The RTS must also establish criteria to be taken into account when setting the level of pecuniary sanctions or applying administrative measures and develop a methodology for the imposition of periodic penalty payments, including their frequency.
The draft RTS are aimed at ensuring that the same AML / CFT breach is assessed in the same way by all national supervisors and that any enforcement measures are proportionate, effective and dissuasive.
In addition, the draft RTS contain specific provisions for natural persons who are not obliged entities, including senior management and members of the management body in its supervisory function, and procedural aspects for the imposition of periodic penalty payments, such as the right to be heard, a limitation period for the collection of periodic penalty payments, and the minimum content of the decision by which a periodic penalty payment is imposed.
Consultations
The European Banking Authority (“EBA”) consulted on the draft RTS in March 2025 – for more information, see FIG Top 5 at 5 dated 13 March 2025. The AMLA also consulted on the draft RTS in February 2026 – see FIG Top 5 at 5 dated 12 February 2026.
Changes to the draft RTS have been made as a result of the responses received during the public consultation, some of which are as follows:
- changes to the draft RTS to clarify its application to the non-financial sector; and
- article 2(6) of the draft RTS was amended to further clarify that breaches classified as categories three and four meet the definition of serious, repeated or systematic breaches under article 55 (1) of directive (EU) 2024/1640 (“AMLD”).
Final Report
Some of the matters covered by the Report are as follows:
- simplification and proportionality;
- indicators to classify the level of gravity of breaches;
- criteria to be considered when setting the level of pecuniary sanctions or applying administrative measures; and
- methodology for the imposition of periodic penalty payments pursuant to article 57, including their frequency.
Next Steps
The draft RTS will be submitted to the European Commission for adoption before being published in the official journal of the EU.
2. Commission adopts delegated regulation on transparency requirements under MiFIR
On 13 July 2026, the European Commission (“Commission”) adopted a delegated regulation (“Delegated Regulation”) amending the regulatory technical standards (“RTS”) in the following delegated regulations:
- delegated regulation (EU) 2017/583 as regards transparency requirements for trading venues and investment firms in respect of derivatives;
- delegated regulation (EU) 2017/2194 as regards package orders; and
- delegated regulation (EU) 2025/1155 as regards input and output data of the over-the-counter (“OTC”) derivatives consolidated tape.
The Delegated Regulation also makes corrections to article 12 of delegated regulation (EU) 2017/587.
The RTS reflect revisions to the Markets in Financial Instruments Regulation (“MiFIR”) made by Regulation (EU) 2024/791 (“MiFIR II”). Annexes 1 to 3 of the Delegated Regulation have been published separately.
The amendments and corrections to the four delegated regulations listed above are combined into the single Delegated Regulation adopted on 13 July 2026, as they are all necessary to achieve an effective transparency regime and for the successful establishment of the consolidated tape for OTC derivatives.
Next Steps
The Delegated Regulation will now be scrutinised by the European Parliament and the Council of the EU and if neither institution objects to it, shall enter into force 20 days following its publication in the official journal of the EU.
Articles 1, 2 and 3(1) to (5) will apply from 1 March 2027.

Thought Leadership
Matheson Talks Financial Regulation Podcast
The Matheson Financial Institutions Group are delighted to share with you some useful podcasts.




















