European Parliament proposes legislative action on crypto-assets, cyber-resilience and digital onboarding

A European Parliament committee has published a draft report on digital finance which proposes initial legislative action in three areas: (i) a framework for cryptoassets, including an open-ended taxonomy; (ii) a common approach to cyber-resilience in the financial sector, including oversight of critical third-party tech providers; and (iii) measures to harmonise digital onboarding across the single market. These proposals are likely to inform the Commission’s new Fintech Action Plan, due to be finalised in Q3 2020.

New draft report

The European Parliament’s Economic and Monetary Affairs Committee (ECON) has published a draft report setting out its recommendations to the Commission in relation to digital finance. The recommendations draw on previous work done at a European and international level, including the ROFIEG report, EC consultations on cryptoassets and operational resilience and the G7 working group report on stablecoins, for example.

The report identifies three priority areas demanding pan-European legislative action: crypto-assets, cyber-resilience and data, as discussed below.

Echoing a familiar message, it emphasises that fintech law and supervision should be based on the following principles:

  • the same services and their associated risks being subject to the same rules;
  • technology neutrality; 
  • a risk-based approach.

It also highlights the importance of aligning with developing international standards in these areas.


ECON recommends that the Commission put forward a legislative proposal in relation to crypto-assets, to create legal certainty as well as to protect consumers and investors. It reiterates the need for a common taxonomy, but suggests this is made open-ended “given that crypto-assets are likely to experience a significant period of evolution in the coming years”. Settling on an agreed crypto-taxonomy may be a challenge, given the complexity in this area and judging from the contentious debates around the EU’s taxonomy for sustainable finance.

Notably, ECON indicates that an extension of the regulatory perimeter is likely, noting that applying existing regulations to previously unregulated crypto-assets will be necessary, as will creating bespoke regulatory regimes for evolving crypto-asset activities, such as initial coin offerings.”.


ECON recommends a legislative proposal on cyber resilience which ensures consistent standards of cyber security across the EU. In particular, it suggests legislative reform which focuses on:

  • modernisation;
  • alignment of reporting rules regarding technology incidents;
  • a common framework for penetration and operational resilience testing across all financial sectors;
  • oversight of critical third-party tech providers.

In recent weeks, the European Securities and Markets Authority (ESMA) has proposed new guidelines on outsourcing to cloud service providers and the International Organization of Securities Commissions (IOSCO) has proposed revising and extending its Principles on Outsourcing. This underlines the need for the Commission to align its work with that of other regulatory authorities, as ECON has emphasised.


The third legislative framework ECON proposes is around digital onboarding and the use of digital financial identities. Its proposal is reflective of the ROFIEG report finding that divergences in know-your-customer (KYC) processes across jurisdictions are “the single most important example of fragmentation which harms the provision of services across borders using FinTech” and its recommendations that the Commission “introduce legislation to fully harmonise the [KYC] processes and requirements across the EU…” and “take steps to achieve convergence in the acceptance, regulation and supervision of the use of innovative technologies for [customer due diligence] purposes…”.

The report also promotes policies to support data-driven innovation and data-sharing in the EU, including measures to address asymmetries and enhance oversight.