Follow-up to: IFRS 9, MiFID II, GDPR…: The Corporate Treasurer Facing Regulatory Constraints
After IFRS 9, MiFID II and the GDPR, the regulatory surge shows no sign of abating. An overview of the regulations transforming payments, bank connectivity and treasury management systems — and the opportunities they bring.
Current Regulatory Status
In March 2023, we outlined the portrait of a corporate treasurer under regulatory pressure: IFRS 9, MiFID II, GDPR, AML/CFT — a series of requirements to integrate, reconcile and accommodate within information systems and Treasury Management Systems (TMS) that had not always been designed with such complexity in mind.
Three years on, the regulatory wave has not receded. It has surged — and crossed a new threshold. It is no longer confined to reporting or documentary compliance: it now reaches into the very infrastructure of payments, the security of systems, data governance and operational resilience. Three converging forces are driving this transformation: the digitisation of payment flows, the cybersecurity imperative, and growing sustainability requirements. For the corporate treasurer, the challenge is no longer merely to comply — it is to reshape the financial architecture of the organisation on a lasting basis.
What the first waves changed
IFRS 9 compelled treasurers to rethink the classification and measurement of their financial assets, replacing the IAS 39 framework with one based on the business model test and the SPPI criterion. MiFID II extended oversight to hundreds of thousands of financial instruments, mandated full traceability of communications and strengthened disclosure obligations to counterparties, with data-retention periods of up to seven years. The GDPR made the treasurer a responsible actor in personal data processing, sharing that responsibility with software vendors as data processors. And the AML/CFT framework — overseen in France by TRACFIN — reinforced that every financial transaction is a checkpoint in the fight against money laundering.
These four pillars remain fully in force. But a new generation of regulations has since been layered on top, creating a regulatory environment of unprecedented density for finance departments.
The new wave: regulations in force since 2024
Instant Payments and VoP: real-time takes hold
Scope: European Union — Regulation (EU) 2024/886 (IPR) + VoP Scheme by the European Payments Council | EUR-Lex: IPR • EPC: VoP Scheme
The Instant Payments Regulation (IPR), which entered into force on 8 April 2024, pursues an ambitious goal: making SEPA instant credit transfers the norm across Europe. Since 9 January 2025, all payment service providers (PSPs) in the euro area must be able to receive instant transfers. By 9 October 2025, they must also offer instant payment initiation at charges no higher than those for standard transfers.
As a direct corollary of the IPR, Verification of Payee (VoP) became mandatory on the same date. This mechanism requires real-time verification of the match between the IBAN and the beneficiary’s name before any SEPA transfer is executed. The payer’s bank queries the beneficiary’s bank and receives one of four results: match, close match (partial correspondence, with the actual name returned), no match, or match not possible.
For businesses processing high volumes of batch payments, VoP represents a major operational challenge. The treasurer must decide between systematic activation (maximum security but potential friction) and a selective, risk-based approach. VoP covers SEPA transfers only and is not an absolute safeguard against identity fraud, but it remains one of the most effective responses to beneficiary-fraud schemes.
Beyond the compliance burden, the IPR opens the door to optimised working capital management and near-instant visibility over cash positions. VoP is a powerful opportunity to clean up and professionalise third-party master data on a lasting basis.
▶ Listen also: TreasuryCast Podcast – Why Digitalisation Should Serve Treasury (VoP, AI)
ISO 20022: the quiet revolution transforming payment data
Scope: Global — ISO Standard. Mandatory migration on the SWIFT network (completed end of 2025). TARGET2 (ECB) since March 2023 | ISO 20022: official site • SWIFT: migration
The migration to ISO 20022 is the most far-reaching — and least visible — transformation affecting corporate treasurers. This international standard replaces legacy SWIFT MT messages with vastly richer XML messages (MX format): invoice references, LEI identifiers, structured addresses, and regulatory information.
The timetable is now tight. In November 2025, MT103 and MT202 messages for cross-border payments were definitively retired. Unstructured addresses are no longer permitted in interbank exchanges. For corporates, the November 2026 deadline will require fully structured addresses (name, street, postal code, city, country) for all payments outside the EEA. ERPs and TMS platforms must be updated to handle pain.001 and camt.053 formats.
Yet this data richness is also a considerable asset: automated bank reconciliation, more precise AML controls, and more granular cash forecasting. ISO 20022 is a demanding technical constraint, but it is the foundation on which the cash management services of tomorrow will be built.
DORA: digital resilience as a legal obligation
Scope: European Union — Regulation (EU) 2022/2554, applicable since 17 January 2025. 21 types of financial entities + third-party ICT providers | EUR-Lex: DORA • EBA: DORA page
The Digital Operational Resilience Act (DORA) establishes a harmonised European framework for managing ICT risks in the financial sector. Directly applicable without national transposition, it rests on five pillars: ICT risk governance, major incident reporting, annual resilience testing, contractual oversight of third-party providers (with enhanced supervision of “critical” suppliers), and cyber-threat information sharing. DORA takes precedence over NIS 2 for financial entities as lex specialis.
The corporate treasurer is affected on two fronts. Directly, if the organisation falls within the financial-entity perimeter. Indirectly, because its banks and service providers (TMS, bank connectivity, cloud) must demonstrate DORA compliance. In practice: business-continuity clauses, audit rights, exit plans, incident-notification obligations. SaaS treasury providers are directly in scope if designated as critical ICT third-party providers.
▶ See also: Datalog TMS – ISAE 3402, ISO 27001, SOC 1/2/3 compliance
DORA pushes organisations to structure their architectures, improve their procedures and better control their technology dependencies — an exercise often dreaded, but invariably beneficial.
NIS 2: cybersecurity extends to critical enterprises
Scope: European Union — Directive (EU) 2022/2555. National transposition (France: legislation pending) | EUR-Lex: NIS2
The NIS 2 Directive considerably broadens the scope of its predecessor: over 10,000 entities are now covered in France alone, spanning 18 critical sectors. It imposes cyber-governance obligations, strict incident-notification deadlines, and extended liability across the entire supply chain — including senior management, who bear personal responsibility for oversight.
For the corporate treasurer, NIS 2 means that the security of treasury tools and financial flows is now a matter of enterprise governance at the highest level, rather than a purely technical concern.
CSRD: a framework overhauled by the Omnibus Act
Scope: European Union — Directive (EU) 2022/2464, substantially amended by the Omnibus I Act definitively adopted on 16 December 2025 | EUR-Lex: CSRD • EFRAG: ESRS standards
The Corporate Sustainability Reporting Directive (CSRD) mandates structured, audited sustainability reporting in accordance with the ESRS standards. However, its scope has been radically narrowed. The Omnibus I Act, definitively adopted by the European Parliament on 16 December 2025 by a vote of 428 to 218, raised the thresholds to 1,000 employees and €450 million in turnover. Listed SMEs and financial holding companies are permanently excluded. Wave 1 companies that no longer meet the revised thresholds are exempted for financial years 2025 and 2026, subject to national transposition. The “Stop the Clock” mechanism defers Waves 2 and 3 by two years. Simplified, revised ESRS standards will apply from financial year 2027.
An important point for the value chain: companies with fewer than 1,000 employees now enjoy “protected” status and may decline information requests that go beyond the VSME standard (Voluntary Sustainability Standard for SMEs). The cascade effect that so worried mid-sized suppliers has been significantly mitigated.
Despite this scope reduction, the CSRD remains pivotal for very large corporations. The double-materiality principle stands, as do all ten E, S and G thematic standards. Liquidity management must incorporate ESG criteria in investment decisions, and green financing instruments (green bonds, sustainability-linked loans) require regular tracking of extra-financial KPIs.
For treasurers at companies still in scope, the CSRD remains a strategic positioning lever. For all others, the VSME standard offers a credible voluntary framework to structure sustainability reporting at lower cost.
Basel IV / CRR3: collateral effects on corporate financing
Scope: Global (Basel Committee, BIS). Transposed in Europe via CRR3 (EU) 2024/1623 and CRD6, applicable since January 2025 | BIS: Finalised Basel III • EUR-Lex: CRR3
While Basel IV primarily concerns credit institutions, its effects on corporates are not negligible. Higher bank capital requirements mechanically feed through into the cost and availability of credit, current-account terms and cash management product pricing.
The treasurer must anticipate these shifts in the funding strategy: diversifying sources, optimising working capital, and making greater use of bond markets or alternative financing solutions (debt funds, supply chain finance, factoring). The banking relationship becomes more strategic than ever.
AMLA: anti-money laundering (AML/CFT) scales up
Scope: European Union — AMLR Regulation + AMLD6 Directive (2024). AMLA operational in 2025, direct supervision from 2028 | EU Commission: AML/CFT package
Our 2023 article already detailed AML/CFT obligations, overseen in France by TRACFIN. The European AML/CFT package adopted in 2024 marks a step change: it creates a dedicated European authority (AMLA, headquartered in Frankfurt) and a regulation directly applicable in all Member States without transposition. Due-diligence, suspicious-transaction reporting and third-party screening obligations will be harmonised and strengthened by 2027–2028. For treasurers using a Treasury Management System equipped with an AML/CFT or anti-fraud module, this means more comprehensive screening databases, more demanding automated controls, and enhanced transaction traceability within the TMS and bank connectivity platforms.
Regulations to watch: what comes next
Mandatory e-invoicing
Scope: France (2026–2027) — ViDA Directive for the EU as a whole (2030–2032) | French Tax Authority: e-invoicing reform
France’s e-invoicing reform, rolling out from September 2026 (mandatory receipt for all businesses; mandatory issuance for large and mid-sized companies) and September 2027 (SMEs and micro-enterprises), will transform supplier payment and customer collection processes. For the treasurer: better visibility on expected cash flows, working capital optimisation, and a lever for supply chain finance.
PSD3 / PSR: overhauling the payments framework
Scope: European Union — Draft published June 2023, application expected around 2027
The revision of the PSD2 directive takes the form of two instruments: PSD3 (licensing and supervision of PSPs) and PSR (a regulation harmonising security obligations). Expected impacts include stronger fraud protection, the expansion of open banking with standardised APIs, and greater cross-border payment transparency. Although still under negotiation, PSD3/PSR is shaping up to be a major overhaul of the payments landscape.
AI Act: artificial intelligence under regulatory control
Scope: European Union — Regulation (EU) 2024/1689. Phased application through August 2027 | EUR-Lex: AI Act
Cash-forecasting tools, fraud-detection systems and investment-optimisation engines that rely on machine learning may fall within the scope of the European AI Regulation, particularly where they produce high-impact decisions in the financial domain. For TMS vendors integrating AI modules: transparency, documentation and human-oversight requirements. For treasurers as users: the need to understand and document the decision-making logic of the tools they employ.
MiCA: a harmonised framework for crypto-assets
Scope: European Union — Regulation (EU) 2023/1114. Applicable since 30 December 2024. End of transitional period: 1 July 2026 | EUR-Lex: MiCA • ESMA: MiCA page
The Markets in Crypto-Assets Regulation (MiCA) is the first harmonised European framework for crypto-asset markets. It regulates stablecoin issuance (e-money tokens, asset-referenced tokens), requires mandatory licensing for crypto-asset service providers (CASPs) and strengthens transparency and investor-protection obligations. From 1 July 2026, only licensed CASPs will be permitted to operate within the EU.
While most corporate treasury departments are not directly involved with crypto-assets at this stage, MiCA reshapes the landscape for those considering stablecoins as a payment or short-term investment instrument. The treasurer would then need to assess crypto counterparties against four criteria: the provider’s MiCA licence, the supervising European authority, effective client-asset segregation, and failure-protection procedures. MiCA creates the conditions for certain treasury flows to eventually transit through blockchain channels within a regulated framework — a development worth monitoring.
On the horizon: post-quantum cryptography
Scope: Global — NIST Standards (August 2024). EU Commission Recommendation (2024). EU Roadmap (June 2025). ANSSI: PQC qualification from 2027 | NIST: PQC Project • ANSSI: PQC advisory
To conclude this overview, a word on a topic that is not yet a regulation but could become one: post-quantum cryptography (PQC). The algorithms currently protecting bank communications, electronic signatures and SWIFT exchanges could be compromised by a sufficiently powerful future quantum computer. NIST standardised the first quantum-resistant algorithms in August 2024. France’s ANSSI will require PQC for product qualification from 2027, and the European roadmap targets critical-system migration by 2030.
To be clear: as of today, no obligation requires PQC in treasury management tools (TMS, bank connectivity, ERP). But the convergence of the GDPR (“state of the art” security under Article 32), DORA (forward-looking ICT risk management) and ANSSI recommendations is creating a growing body of incentives. The right question for the treasurer is not “should I migrate tomorrow?” but rather: does my TMS vendor have a PQC roadmap? Are my systems crypto-agile? A topic to keep on the radar, not in the emergency lane.
Summary: the treasurer’s regulatory calendar
2018 — IFRS 9 • MiFID II • GDPR
2024 — IPR (April) • MiCA (December) • NIS 2 (October) • AI Act (August, phased)
2025 — DORA (Jan.) • Basel IV/CRR3 (Jan.) • IPR send + VoP (Oct.) • ISO 20022 interbank (Nov.) • CSRD Omnibus Act (Dec.)
2026 — French e-invoicing (Sept.) • ISO 20022 corporates (Nov.) • MiCA end of transition (July)
2027 — Revised CSRD/ESRS (FY 2027) • PSD3/PSR (est.) • AMLA direct supervision (2028) • AI Act full effect (Aug.)
2027–2030 — PQC: ANSSI qualification (2027) • EU critical systems migration (2030)
From constraint to opportunity: a change of perspective
Faced with this accumulation of regulation, it is tempting to see nothing but an additional burden. That would mean overlooking a lesson confirmed by every major regulatory transformation of recent decades: a well-integrated constraint is often the most powerful accelerator of modernisation.
IFRS 9 compelled treasurers to formalise their asset-management business model — and in doing so improved portfolio transparency. The GDPR mandated a data-mapping exercise that in many cases exposed duplicates, obsolete records and uncontrolled access. AML obligations drove the automation of third-party screening, freeing up time for higher-value tasks. The same logic applies to the new wave.
ISO 20022 and VoP require the cleansing and structuring of third-party master data — permanently improving straight-through processing (STP) rates within the TMS and reducing costs linked to rejections. The IPR provides real-time visibility over cash positions, enabling a rethink of cash pooling and liquidity optimisation. DORA and NIS 2 collectively strengthen the security of the financial ecosystem, reducing fraud exposure and bolstering partner confidence. The CSRD, even with its narrowed scope, repositions the finance department at the crossroads of corporate strategy and ESG, while the VSME standard offers mid-sized and smaller companies a credible voluntary framework.
The TMS: the central platform for compliance and resilience
In the face of regulations simultaneously affecting payments, data, security and reporting, the Treasury Management System (TMS) is changing status. It is no longer merely a cash-flow tracking tool: the TMS is becoming a critical infrastructure in the regulatory sense of the term.
It is through the TMS that the requirements for payment structuring (ISO 20022), beneficiary verification (VoP), transaction traceability (GDPR, AML/CFT, AMLA), operational resilience (DORA) and sustainability reporting (CSRD) now converge. Combined with a bank connectivity platform and, where applicable, a payment factory, a modern, compliant TMS allows organisations to absorb these regulatory changes without overhauling their financial architecture. It provides the technological foundation on which the treasurer can build an integrated compliance strategy, rather than managing each regulation in isolation.
Conclusion: the treasurer as architect of transformation
The treasurer of 2026 is no longer the treasurer of 2018. The role now extends far beyond managing flows and monitoring balances. It involves steering cross-functional regulatory compliance, orchestrating the digital transformation of payments, securing operational resilience and contributing to the organisation’s sustainability strategy.
Faced with this shift, two attitudes are possible. The first is to endure — treating each new regulation as an isolated compliance project. The second, far more rewarding, is to embrace this regulatory momentum as a catalyst for modernisation, adopting an integrated vision in which every constraint feeds into a broader transformation agenda.
Behind the acronyms and the deadlines, a common thread emerges: that of a financial ecosystem that is more transparent, more secure, faster and more responsible. The treasurer who can read that thread and turn it into a competitive advantage will not merely be compliant — but ahead.
Your TMS vendor can support you through this transition
A modern Treasury Management System built for the latest standards — native ISO 20022, SWIFT FINplus connectivity, VoP integration, AML/CFT module, crypto-agility — is the treasurer’s best ally in turning regulatory obligation into a performance lever. Whether it is a TMS, a payment factory or a bank connectivity solution, early preparation is the key to a successful transition.
Want to learn more? Contact our team of experts →
Further reading on datalog-finance.com
▶ Original article: IFRS 9, MiFID II, GDPR… The Treasurer Facing Regulatory Constraints
▶ Open Banking: Towards Real-Time Treasury?
▶ Corporate Treasury: 3 Emerging Trends
▶ Case Study: Urssaf Caisse Nationale – TMS Transformation
