AGEFI Luxembourg - juin 2025

Juin 2025 45 AGEFI Luxembourg IA / ICT ByVincentWELLENS&OttavioCOVOLO,Avocats à la Cour, NautaDutilhAvocats Luxembourg S.à r.l. O n 10 June 2025, the EBA issued a 33-page “no action letter” in cooperationwith ESMA (the “Letter”) to clarify the interplay between Regulation (EU) 2023/1114 onmarkets in crypto-assets (“MiCA”) and Directive (EU) 2015/2366 on payment services in the in- ternal market (“PSD2”), in relation to crypto asset ser- vice providers (“CASPs”) that transact e-money tokens (“EMTs”). The main takeaways are (i) a lighter applica- tion of PSD2 for EMTs to the extent these are part of a payment service, with a grace period until 2 March 2026 and (ii) the “exchange of crypto-assets for funds” and “exchange of crypto-assets for other crypto-assets” as defined in MiCA are not subject to PSD2. What is a no-action letter? “No action letters” are a regulatory instrument which may be taken by authorities to discourage the enforcement of certain legal provisions, notably in case of a risk of contradiction with other poten- tially contradicting legal provisions. Popularised in the US as “ forbearance powers ”, (1) these are a recent innovation in the EU, with the EBAandESMAem- poweredwith such power since a 2019 reform. The EBA in particular may take such no action let- ter “only in exceptional circumstances” (2) in case of conflict between legal provisions, lack of delegated or implementing acts raisingdoubts as to legal con- sequences of the applicationof saidprovisions, and lack of guidelines and recommendations entailing practical difficulties in their application. Simplyput, these are for all practical purposes equivalent to opinions taken by the EBA. Why EMTs in particular? The reaction of the EBA and ESMA originated from a letter of the European Commission in De- cember 2024 considering the issuance of such no action letter given the internal differences within the Commission’s services and between national authorities on the overlap between MiCA and PSD2 when it comes to EMTs. The Commission points out that EMTs are crypto- assets within MiCA but are also deemed to be e- money pursuant to art. 48(2) MiCA and hence would bewithin the scope of PSD2. Consequently, the provision of payment serviceswithEMTs (such as for peer-to-peer payments) will need to be cov- ered by a payment service provider (“ PSP ”) li- cense under PSD2 – either held by the CASP or making use of another entity licensed as a PSP. In addition to this potential overlap in regulatory supervision, the Commission also notes that EMTs may be used for trading purposes (exchanging EMTs for funds or for other crypto-assets) which would fall under the definition of a “payment transaction” under PSD2 (3) even though there would be no intention from the CASP to offer any payment services. Since these issues are to be dealt with the ongoing proposals for PSD3 and the PSR (currently under reviewby the Council), the Com- mission therefore envisages the adoption of a no action letter from the EBA on these issues in the meantime. The EBA, reaffirming that in principle one activity should be governed exclusively by one text (sic), responded in the affirmative by issuing the Letter, whilst noting that – due to time con- straints – it cannot take a position on all issues arising from the overlap between PSD2 andMiCA, but at least recognises the existence of such issues. Do I need a PSP license for my EMTs? The transfer of EMTs offered and carried out by the CASP on behalf of their clients will be considered as a payment service, and hence fall within the scope of PSD2. The Letter how- ever excludes the interme- diation services for the purchase of any crypto assets with EMTs from the scope of PSD2. If a dual license is required in for such EMT activ- ity, the Letter does recommend a cumulation of the capital requirements (so that the requirements are added together, rather than the biggest threshold being taken as the only reference), but also a lower own funds requirement underArticle 9(3) of PSD2. The Letter also advises not to prioritise enforce- ment of consumer protections under PSD2 (includ- ing those arising out of the SEPA Regulation – including therefore the instant payments require- ments), as well as the PSD2 provisions on safe- guarding assets and open banking. The Letter foresees a grace period until 2 March 2026 in the form of de-prioritising enforcement of PSD2 provisions regarding security (including strong-customer authenticationmeasures), aswell as fraud reporting requirements. The scope of the Letter is furthermore limited to entities which would in theory need suchdual license by 2March 2026, in order to avoid CASPs discontinuing their activities due to the (sudden) clarification given by the EBA. In our view, this scope may be reviewed in the future depending on the advancements of the legislative process regarding PSD3 and PSR. On a practical note, the Letter does recall national supervisory authorities tomake use of information already at their disposal, in linewith the ‘ once only ’ principle growing in importance in public admin- istrations. Do I need a PSP license for my EMT custodial services? Custodial wallets allowing transfers of EMTs to and from third parties shall amount to a payment account under PSD2. This being said, the supervi- sion thereof should not be prioritised by national supervisory authorities. The above considerations on the dual authorisations apply as well. Do I need a PSP license for my crypto-exchange? The Letter explicitly excludes the services of ‘ex- change of crypto-assets for funds’ and ‘exchange of crypto-assets for other crypto-assets’ fromthe scope of PSD2. No licence is required for such services. What’s next? In terms of outlook, the EBA does explicitly state that the issue at hand involves the incompleteness of MiCA to offer sufficient protection to con- sumers, which justified the reference and applica- bility of PSD2 in addition thereto. However, due to the risks of confusion, market distortion, lower consumer protection standards, and regulatory ar- bitrage, the EBAurges the Commission to remedy these issues during the legislative process of PSD3 and PSR. In particular, one of the approaches proposed by the EBA would consist of MiCA re-producing, or cross referring to, the relevant requirements set out in the forthcoming PSD3 and PSR, so that these would not apply to CASPs, nor would an addi- tional licence be required. It remains to be seen whether such approachwill be followed or not, es- pecially in light of the long-term objectives of the EU on competitiveness. (4) 1) See Marjosola, Heikki. “ Shadow Rulemaking: Governing Reg- ulatory Innovation in the EU Financial Markets ” German Law Journal 23, no. 2 (2022): 186–203. 2) To be noted this is not the first no-action letter pusblished by the EBA, which previously published on the application of the FRTB. 3)As a reminder, this definition aimed to be as wide as possi- ble to capture any other form of payments than card-based ones (see recital 10 PSD2). 4) See theCommunication of the EUCommission, Parliament and Counsel on Long-term competitiveness of the EU, COM(2023) 168 final. Do you really need both PSD2 and MiCA licences? EBA issues no-action letter on interplay between payments and crypto-regulations ParChloéHENIN,HRManagerLuxembourg –WESTPOLE, du groupe Prodware À l’heure où la transforma- tion digitale bouscule les modèles traditionnels, les entreprises luxembourgeoises doi- vent composer avec un environne- ment à la fois technologique, réglementaire et humain. Entre exigences sectorielles strictes, montée en puissance de l’IA et évolution des compétences, le rôle des ressources humaines prend une dimension nouvelle dans l’ac- compagnement du changement. Un environnement réglementaire structurant AuLuxembourg, la transformationdigi- tale se conjugue avec un cadre régle- mentaire particulièrement structurant. Certains secteurs – bancaire, financier ou institutionnel – imposent des normes strictes, telles que la certification bien connue PSF (Professionnel du Secteur Financier), condition indispensablepour manipuler certaines données sensibles. Les entreprises actives dans l’accompa- gnement à la digitalisation doivent donc composeraveccescontraintesfortes.Cela suppose de disposer de collaborateurs non seulement techniquement compé- tents, mais également certifiés, audités et formés aux processus conformes aux standards luxembourgeois. L’IA s’impose dans les projets…avec mesure Le virage de l’intelligence artificielle marque aujourd’hui une nouvelle étape dans cette transformation. Qu’elle serve à automatiser des tâches documentaires, fluidifier des processus ou extraire des données, l’IA est désormais un levier incontournable dans de nombreux pro- jets opérationnels. Mais son intégration se fait de manière progressive et raisonnée.Ducôtédes res- sources humaines, elle commence à être utilisée pour mieux cartographier les compétences, identifier les besoins de formation ou orienter les recrutements, tout en conservant une validation humaine à chaque étape. La prudence reste de mise : l’objectif n’est pas de déléguer la décision, mais de l’éclairer. Croiser expertises techniques et humaines sur le terrain La complexité des projets impose aujourd’hui des profils dits « hybrides », capablesdenaviguerentrelogiquemétier, compréhensiontechniqueetsensrelation- nel. Cette complémentarité entre exper- tises (ingénieurs, analystesmétier, spécia- listessectoriels)permetd’adapterlessolu- tions auplus près des besoins. Sur le terrain, ces talents agissent autant comme experts techniques que comme médiateurs du changement. Car la tech- nologie ne transforme pas seule : il faut la rendre accessible, la faire accepter, accompagner les équipes et rassurer les utilisateurs. Lamontée en compétences au cœur de la transformation La transformation digitale n’est jamais figée. Les outils évoluent, les projets s’en- chaînent, les attentes changent. Pour que les collaborateurs restent pertinentsdans ce contexte, la montée en compétences devient un enjeu central. Cela suppose une gestion dynamique des ressources humaines : mise à jour régulière des matrices de compétences, déploiement de plans de formation évolutifs, accom- pagnement individuel, y compris à dis- tancepour les consultants opérant direc- tement chez les clients. Dans cette optique, les consultants ne sont pas seulement formés, ils forment aussi, en transférant les bonnespratiques et en guidant les utilisateurs finaux. Chaque projet devient alors un vecteur d’apprentissage partagé. CFL : un cas concret de digitalisation encadrée Un projet emblématique mené au Luxembourg illustre cette approche : la digitalisation documentaire de CFL (Société Nationale des Chemins de Fer Luxembourgeois). L’enjeu dépassait la simple numérisation : il fallait aussi sécu- riser les processus, garantir la conformité avec les normes locales, et rendre l’accès aux données fluide et maîtrisé pour plu- sieursmilliers de collaborateurs. La réus- sitede ceprojet repose sur une combinai- sond’expertisestechniques(IA,signature digitale,archivageélectronique),d’accom- pagnement humain et d’un pilotage rigoureuxdesobligationsréglementaires. Se transformer pour mieux accompagner Ce que les acteurs de la transformation digitaleappliquentchezleursclients,ilsse doivent de l’incarner eux-mêmes. Maintenir une dynamique d’innovation suppose de créer un environnement pro- piceàl’adaptation,audialogueetaudéve- loppement professionnel. Les retoursd’expériencemontrent que les projetslesplusrobustessontsouventceux quiallientexpertiseIT,proximitéhumaine etcompréhensiondesspécificitésdumar- ché local. Dans un environnement où la technologie évolue sans cesse, la véritable transformation ne tient pas seulement à l’adoption d’outils innovants, mais à la capacité d’en faire un levier de cohérence, de performance et de confiance. AuLuxembourg, cette exigence est d’au- tant plus forte qu’elle s’inscrit dans un cadre réglementaire strict et un tissuéco- nomique exigeant. Pour y répondre, les entreprises doivent s’appuyer sur une approche équilibrée entre technologie, culture humaine et adaptation continue. Elles ont également tout intérêt à s’en- tourer de partenaires quimaîtrisent tous ces aspects à la fois. c.henin@westpole.lu https://westpole.lu/ Transformation digitale : concilier innovation, cadre réglementaire et compétences humaines