Throughout the European Union, VAT fraud evades billions of euros in taxes every year. In order to effectively combat VAT evasion in e-commerce, payment service providers as defined by PSD2 have been obliged by the amending Directive 2020/284/EU to report certain payment data on cross-border payments to national tax authorities as of 1 January 2024. This data is then forwarded to the European Central Electronic System of Payment Information (CESOP) for retention. The aim is to strengthen the cooperation between the national authorities and improve the availability of information for the respective authorities. The data from CESOP is made available to officials of the Eurofisc network for analysis and evaluation in the course of combating VAT fraud. The European "Guidelines for the reporting of payment data from payment service providers and transmission to the Central Electronic System of Payment information (CESOP)" dated 03/08/2022 compile information on the payment data to be provided by payment service providers in the future. Moreover, the EU Commission initially published a 30-page document on 23/06/2023 with still open questions relating to the new directive. This document will be adapted on an ongoing basis until it enters into force.
The European Commission, the Council of the European Union and representatives of the European Parliament reached a preliminary agreement on the Digital Operational Resilience Act (DORA) proposal on 22 May 2022. The European Commission had published the legislative proposal on DORA on 24 September 2020 as part of the "Digital Finance Package". It also includes a strategy for the digitalisation of the financial sector, legislative proposals on crypto-assets (MiCA and DLT pilot regime), legislative proposals on the operational stability of digital systems (DORA) and a retail payments strategy.
The DORA regulation pursues two important goals: firstly, to strengthen the digital resilience of financial companies throughout the EU and, secondly, to create a uniform legal framework. Among other things, it calls for the harmonised introduction of regulations on the documentation, classification and reporting of serious incidents related to information and communication technology (ICT). Requirements are also defined for ICT risk management, regular tests of the operational stability of digital systems are prescribed in the scope of business continuity management (BCM), and supervisory monitoring of third-party IT providers (TPPs) of critical systems is also intended. In the course of implementation, a fundamental structural change in supervisory governance and practice is to be expected in large parts of European financial market regulation.
Tokens such as Bitcoin, Ethereum or Tether USDt are becoming increasingly popular on the European market, either as an investment opportunity or for trading. The "Markets in Crypto-Assets" (MiCA) regulation creates a comprehensive set of rules within the EU to regulate this trading and the public offering of crypto-assets in a uniform manner. This will protect investors in particular in the future. The regulation has already come into force on 29 June 2023, although many of its rules are not yet valid. In future, providers of crypto services will need a MiCA licence in order to be allowed to carry them out within the EU. In return, they benefit from so-called "passporting", which allows them to offer their services in any EU member state with the licence, without any bureaucratic effort. The issuers of tokens also face new challenges. Depending on whether a legal entity or a bank issues a "value-referenced token", an "e-money token" or an "other crypto-value", certain requirements such as holding equity as well as reserve assets or the right of redemption for holders of the token must be fulfilled. For all categories of tokens alike, the publication of a crypto whitepaper will be mandatory. In it, the issuer must provide all necessary information about the token and the issuer's company in an understandable manner.
