From repair to reinvention – how EU financial markets regulation has evolved and what it signals for the next decade

RegCORE Client Alert

QuickTake

Over the past decade, EU financial services regulation has moved through distinct but connected phases. What began as a concentrated effort to repair the damage of the 2008 global financial crisis has evolved into a broader and more complex project: governing a financial system shaped by digitalisation, geopolitical fragmentation, climate risk and structural change in how financial intermediation occurs. Looking across three reference points in time – 2016, 2026 and 2036 – reveals not cyclical regulatory change, but a clear and directional shift in regulatory philosophy. For boards, senior management and investors, understanding this trajectory is increasingly critical to strategy, capital allocation and long-term resilience as well as competitiveness in an increasingly complex environment.

This Client Alert looks back to the regulatory forces shaping markets in 2016, examines the defining themes of 2026 (which should be read in conjunction with “Navigating 2026”, our annual assessment of the work programmes of EU financial services regulatory policymakers and supervisors) and concludes by setting out a forward-looking view of what is likely to matter most by 2036 and why.Available here. Of course, while we can trace clear trends and regulatory trajectories through Rule Scanner and other PwC-powered tools, we must admit that our predictive powers stop short of gazing into a crystal ball – so take any forecasts with a pinch of regulatory salt.Show Footnote

2016: Completing the post-crisis regulatory architecture

In 2016, EU financial regulation was still firmly anchored in the response to the 2008 global financial crisis. The dominant regulatory objective was stability: repairing balance sheets, restoring trust and ensuring that banks and markets could fail without systemic consequences.

Finalisation of the post-crisis rulebook

Key legislative pillars – Capital Requirements Regulation (CRR)Available here.Show Footnote/Capital Requirements Directive (CRD IV)Available here.Show Footnote, European Market Infrastructure Regulation (EMIR)Available here.Show Footnote, Bank Recovery and Resolution Directive (BRRD)Available here.Show Footnote and  Markets in Financial Instruments Directive (MiFID II)Available here.Show Footnote/Markets in Financial Instruments Regulation (MiFIR)Available here.Show Footnote – were either being implemented or nearing entry into force. The emphasis was on capital, liquidity, transparency and resolvability. This drove major structural change (and unprecedented investment in compliance and reporting), including business model reassessments and balance-sheet optimisation through de-risking and risk-weighted asset (RWA) management. It also led to an increase in bank capital instruments (such as AT1 and Tier 2 bonds) and, ironically, increased concentration risk in central counterparties (CCPs) as collateral became a scarce resource.

Supervisory intensity and enforcement

Supervisory authorities increasingly shaped outcomes through Supervisory Review and Evaluation Processes (SREP), stress testing and enforcement, rather than through new legislation. Conduct risk, governance failures and personal accountability were central concerns following benchmark manipulation and market abuse scandals.

Market structure and transparency

The impending implementation of MiFID II fundamentally reshaped EU capital markets - introducing new transparency requirements, redefining trading venues and changing how research, execution and data were priced and consumed.

Brexit as a structural shock

The UK's referendum on EU membership catalysed a slow-burn disentanglement of booking models, governance, passporting and market access that would reverberate throughout the next decade. While the long-term implications were not yet fully visible, firms began contingency planning for a more fragmented European market.

Economic backdrop

Ultra-low and negative interest rates distorted pricing, strained bank profitability and raised questions about the sustainability of long-term savings and pension products. From a legal perspective, this environment created new fronts for litigation, particularly concerning product suitability, the viability of pension promises and complex valuation disputes.

Overall regulatory mindset (2016):

The predominant attitude was very much on completion, compliance and control. Regulation was largely backward-looking, designed to prevent a repeat of past failures.

2026: Regulating complexity in a fragmented and digital world

By 2026, the regulatory centre of gravity has shifted decisively. The focus is no longer on correcting the last crisis, but on managing systemic risk in a world characterised by technological dependence, geopolitical tension and increasingly complex market structures.

Digital finance moves to the regulatory core

Frameworks such as the Markets in Crypto-Assets Regulation (MiCAR)Available here.Show Footnote, Digital Operational Resilience Act (DORA)Available here.Show Footnote and the AI ActAvailable here.Show Footnote reflect a recognition that digital assets, ICT risk and artificial intelligence are no longer peripheral innovations but are integral to financial stability. These rules have materially lifted the bar, requiring evidence-based control design in client journeys and critical processes. Supervisors' focus areas include crypto-asset scams, travel-rule implementation, crypto-asset service provider (CASP) authorisation norms and AI-enabled fraud, reflecting a wider pivot to outcomes-focused supervision with clear expectations for firm-side controls, client communications, and incident playbooks.

More broadly (digital) operational resilience has become a board-level priority, with supervisors expecting firms to demonstrate not only prevention capabilities, but credible impact tolerance, scenario testing and recovery planning, particularly in relation to cloud concentration and third-party dependencies.

While the associated compliance costs of all of these (new and enhanced) priorities are significant, they may not necessarily be an innovation killer; instead, they select for firms with scale.

Geopolitics as a prudential and conduct issue

Foreign policy has become a balance-sheet issue. Sanctions, trade restrictions and geopolitical tensions related to Russia/Ukraine, the Middle East and China/Taiwan risks increasingly influence supervisory expectations. These factor and now directly affect correspondent banking relationships, market access, sovereign exposures and infrastructure localisation decisions, with firms expected to have credible exit and continuity plans.

Supervisory convergence (and divergence)

Despite the Single Rulebook, increased harmonisation efforts, supervisory practice divergence across national competent authorities (NCAs) still exists, with gold‑plating and interpretation gaps driving quiet forum shopping. This especially arises where data, ICT and cross‑border risk controls are tested.

As in 2016 (and probably through to 2036 and beyond) harmonising the Single Market remains a dominant issue with on-going EU policymaker efforts to further complete and streamline but equally simplify (a now much expanded) Single Rulebook as well as to establish a “Single Supervisory Culture”. Ambitions for real‑time supervision continue to increase demands for consistent data taxonomies and high‑quality reporting pipelines.

ESG and climate: recalibration, not retreat

Sustainable finance regulation has entered a more mature phase, marked by a rightsizing of certain reforms yet a rise in greenwashing enforcement. The centre of gravity is shifting from disclosure volume and labelling to decision-useful, enforceable frameworks that drive risk governance, supervisory action and defensible client communications. Expect sharper liability exposure for greenwashing and more explicit integration of climate risk into ICAAP/ILAAP/ORSA, stress testing and capital planning. Over the decade, prudential consequences will increasingly influence capital allocation and asset pricing, with greater reliance on supervisory judgement than prescriptive metrics.

Non-bank financial intermediation

Regulators are paying closer attention to leverage, liquidity mismatches and procyclicality in funds and market-based finance, reflecting concern that systemic risk has migrated beyond the banking sector. The finalisation of Basel rules, including output floors, is driving lending repricing and portfolio reallocation, with consequences for EU competitiveness and the Capital Markets Union (CMU)/Savings and Investments Union (SIU).

Data-driven supervision

Supervisors are becoming more sophisticated consumers of data. Expectations around reporting quality, automation and consistency are rising, supported by SupTech and RegTech developments. Firms that treat data lineage, quality and taxonomy as control objectives may find supervisory engagement more predictable.

Overall regulatory mindset (2026):

Complexity management: regulation now seeks to govern interconnected systems rather than discrete institutions.

Looking ahead to 2036: governing systems, not institutions

While the precise shape of future regulation is uncertain, several structural trends are already visible. By 2036, these are likely to redefine how financial markets and participants are governed and supervised.

From entity-based to activity-based regulation

The EU is likely to continue moving away from a purely entity-centric approach – where regulation targets banks, insurance companies, or investment firms – to one that focuses on the functions and activities that drive systemic risk. Activities such as leverage, liquidity provision, maturity transformation, and risk transfer will be regulated regardless of the legal form of the participant. This reflects the recognition that significant financial intermediation increasingly occurs outside traditional banks, for example through shadow banking, fintech, or decentralised finance (DeFi) platforms. As a result, regulators are expected to adopt activity-specific licensing, capital, and conduct requirements, ensuring that prudential and operational risks are captured even in non-bank entities or hybrid structures.

AI as a prudential concern

Artificial intelligence and advanced analytics are poised to move beyond current governance and ethics frameworks into the core of prudential supervision. By 2036, AI systems deployed in credit underwriting, market-making, trading, pricing, and risk management may be subject to rigorous validation, ongoing model risk management, capital adequacy implications, and potentially supervisory approval – akin to the internal model approval processes under Basel II/III frameworks. The EU’s approach is likely to blend technology-neutral AI regulation (such as the AI Act) with sector-specific prudential standards, requiring firms to demonstrate not only transparency and explainability but also stability, robustness, and resilience in financial operations. This may significantly alter risk management frameworks, operational infrastructures, and governance practices across all financial institutions.

Tokenisation as mainstream infrastructure

Tokenised securities, central bank digital currencies (CBDCs), and digital settlement networks are expected to become core elements of market infrastructure rather than niche innovations. Driven primarily by operational efficiency, collateral mobility, and systemic resilience, tokenisation will likely be adopted by incumbents, including banks and established clearinghouses, rather than by new entrants. EU regulators are already signalling that tokenised market infrastructure will be subject to the same supervisory expectations as traditional systems, including cyber resilience, settlement finality, interoperability standards, and prudential risk oversight. This trend may also enable more flexible capital and collateral management, cross-border settlement, and streamlined reporting.

At the time of writing, the European Central Bank (ECB) has just announced that the Eurosystem will officially accept marketable assets issued in Central Securities Depositories (CSDs) using Distributed Ledger Technology (DLT) as eligible collateral for Eurosystem credit operations as of 30 March 2026.ECB paves way for acceptance of DLT-based assets as eligible Eurosystem collateral (availabe here).Show Footnote At the same time, the Eurosystem communicated that it continues to align its collateral framework and collateral management practices with technological advancements in financial markets while upholding the principles of adequacy of collateral, safety, efficiency and level playing field.

Climate risk embedded in capital and valuation

Climate considerations are expected to evolve from disclosure-focused measures to direct prudential treatment. Supervisory authorities are likely to (further) integrate climate risk into:

• Capital requirements and buffers, reflecting transition and physical risk exposures;
• Asset valuation and collateral eligibility, potentially limiting the use of carbon-intensive assets as collateral; and
• Long-term funding costs, influencing pricing of loans and investment products.

Disclosure will continue to provide transparency, but direct supervisory and prudential interventions – stress testing, risk-weight adjustments, and supervisory judgement – are expected to become primary levers. This may accelerate repricing of carbon-intensive portfolios, create early recognition of stranded assets, and encourage proactive corporate transition strategies, beyond what market forces alone would achieve.

Permanent crisis governance

The frequency and severity of systemic shocks - from pandemics and cyber incidents to climate events and geopolitical disruptions – may prompt the EU to formalise permanent crisis-management frameworks. Such frameworks could include pre-defined intervention powers, emergency liquidity arrangements, and resolution mechanisms extending across sectors and borders. While these measures aim to enhance resilience, they raise complex issues regarding proportionality, predictability, accountability, and due process, particularly for non-bank entities and market infrastructures.

Near-real-time supervision

Technological advances in data collection, analytics, and reporting are likely to enable regulators to monitor key risk indicators in near real time. This could transform supervisory models from periodic reporting and post hoc assessments to continuous, predictive oversight. However, near-real-time supervision will require robust accountability frameworks, clear escalation procedures, and safeguards against misinterpretation or misuse of data, balancing stability with legal certainty for market participants.

Expanded senior management accountability

Personal accountability regimes – already seen in the EU with CRD VI, MiFID II – are expected to expand further. Senior management and board members will likely face heightened responsibility for prudential, operational, and ESG-related risks, reinforcing conservative risk-taking and governance rigor. This trend will also drive demand for directors’ and officers’ (D&O) liability coverage, regulatory compliance consulting, and governance advisory services, making personal accountability a central consideration in strategic and operational decisions.

Fragmentation persists

Despite global regulatory convergence efforts, substantial fragmentation between the EU, US, and Asia is expected to persist. Differences in licensing regimes, prudential standards, data localisation requirements, and supervisory expectations will continue to impose significant compliance and operational costs. Firms operating across jurisdictions will need to maintain multiple infrastructures, reconciled reporting processes, and divergent playbooks, limiting the efficiency benefits of digitalisation and tokenisation.

Overall regulatory mindset (2036):

EU financial services regulation is likely to prioritise system-wide governance over the supervision of individual entities. Regulators will focus on controlling interconnected and complex systems, integrating technological, environmental, and operational risk dimensions. Sectoral silos will be increasingly broken down, and regulation will evolve toward a holistic, predictive, and risk-sensitive framework that shapes not only behaviour and reporting but also structural market dynamics.

Outlook ahead

Across this snapshot of a 20-year arc, one conclusion is clear: regulation is no longer episodic - it is structural. Compliance, governance, and risk management are increasingly intertwined with strategic decision-making, operational design, and market positioning. Leading firms are already responding by:

1. Embedding regulatory considerations into strategy: Forward-looking institutions are treating regulation not as a constraint but as a strategic driver. This includes:

• Elevating digital finance controls to manage AI, data, and tokenised infrastructure risks as core business imperatives;
• Integrating ESG and climate considerations into capital allocation, investment decision-making, and risk frameworks, rather than treating them as disclosure-only obligations; and
• Positioning data, technology, and analytics as strategic capabilities that underpin competitive advantage and regulatory readiness.

2. Strengthening governance and accountability: Firms are redesigning governance structures to meet heightened supervisory expectations. This involves:

• Industrialising data governance to ensure integrity, traceability, and auditability of critical information flows;
• Expanding personal accountability frameworks across senior management, boards, and key risk-takers; and
• Embedding decision-making processes capable of withstanding rigorous supervisory scrutiny, including scenario analysis, model validation, and risk escalation protocols.

3. Building operational and organisational resilience: Resilience is becoming a core differentiator for firms navigating structural regulatory expectations. Key initiatives include:

• Conducting realistic simulations and rehearsals for crises, including cyber incidents, market shocks, and climate-related disruptions;
• Developing credible exit strategies for critical third-party relationships and infrastructure dependencies; and
• Leveraging technology-enabled approaches to regulatory change, including continuous monitoring, predictive compliance analytics, and near-real-time reporting.

By taking these steps, firms are positioning themselves not only to comply with evolving regulatory expectations but to leverage them as drivers for strategic advantage, operational robustness, and long-term competitiveness. In this era, regulatory foresight is inseparable from business foresight.

Ultimately, those financial services firms that view regulation solely as a constraint will face increasing friction. Those that understand it as a framework shaping markets, competition and trust will be better positioned to navigate the decade ahead.

About us

PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from relevant related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients navigate challenges and seize opportunities as well as to proactively engage with their market stakeholders and regulators.  

Moreover, we have developed a number of RegTech and SupTech tools for supervised firms, including PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 2,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business. 

Equally, in leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures, create a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary that has version control over a defined backward plus forward looking timeline to be able to ensure changes in one policy are carried through over to other policy and procedure documents, critical path dependencies are mapped and legislative and regulatory developments are flagged where these may require actions to be taken in such policies and procedures.   

The PwC Legal Team behind Rule Scanner are proud recipients of ALM Law.com’s coveted “2024 Disruptive Technology of the Year Award” and the “2025 Regulatory, Governance and Compliance Technology Award in 2025”.  

If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.