Compliance challenges in 2025: Get ready now

Blog, 23/04/2024

2025, the year of compliance

The year 2025 will undoubtedly mark another milestone in the regulatory obligations of companies. While compliance requirements are progressing... and piling up, far too many companies will still wait until the last moment - i.e., the actual entry into force of these new obligations - to comply. But by then, it will be too late. The result: higher costs, skills that are hard to find, either in-house or with service providers, and a rush to comply, at the risk of overlooking certain requirements.

2025, an avalanche of legislation: will you be ready?

The solution? Anticipate! Because 2025 is tomorrow, all the more so as companies will be faced with the near-simultaneous entry into force of a number of provisions: a strengthening of anti-money laundering requirements, the European NIS2 directive on cybersecurity, the CSRD, which increases the burden of extra-financial compliance requirements, electronic invoicing, which will shake up many processes, not to mention a new layer of traceability with the evolution of MiFID II and MiFIR regulations. All these provisions, which are going to hit organizations hard, can generate uncertainty, concern and even despair about the extent of the adaptations required. Fortunately, there are ways to avoid missing the boat!

Money laundering: tightening the net

In early 2024, the European Council and Parliament agreed to strengthen the fight against money laundering. The provisional agreement extends the list of entities subject to the law to new organizations. The aim is "to comprehensively harmonize rules across the EU for the first time, closing any loopholes exploited by criminals to launder illicit funds or finance terrorist activities through the financial system."

Duty of care extended to additional sectors

The list of entities already subject to a duty of care (banks, financial establishments, casinos, real estate, retailers...) has been extended to include new organizations: cryptoasset service providers, luxury goods traders, professional soccer clubs and agents. And the maximum cash payment limit will be set at 10,000 euros.

The countdown has begun

These rules still need to be approved by EU member states before they can be enshrined in Community law. According to the United Nations Office on Drugs and Crime (UNODC), between 2% and 5% of the world's GDP is laundered every year. For fraudsters, the countdown has already begun!

The solution?

Equip yourself with a "turnkey" solution to automatically detect suspicious transactions and people, with systematic real-time filtering.

NIS2: intolerance to risk tolerance

We're already familiar with DORA (Digital Operational Resilience Act), a series of provisions applicable from January 2025 aimed at strengthening the financial sector's resilience to cybersecurity risks and ensuring greater industry control over outsourcing. To take account of the risks associated with digital transformation, the European Parliament and the Council of the European Union had already adopted the "Network and Information Security" (NIS) Directive in July 2016, with the ambition of increasing the level of cybersecurity of major players in ten strategic business sectors (representing a few hundred entities in France), and the obligation to report security incidents while implementing appropriate security measures.

Prevention must be the priority

The NIS2 directive extends the scope of applicability to other sectors (public administration, food production and distribution, waste management, research...), with reinforced requirements. NIS2 obliges companies to adopt a proactive rather than reactive approach to risk management, and demands constant vigilance and absolute technological adaptability. This includes, for example, incident management, business continuity, risk mapping and, above all, control of third-party risks.

Watch out for penalties for poor performers!

The directive will come into force by October 2024 at the latest. The stakes are high: failure to comply with NIS2 obligations can result in fines of up to 10 million euros or 2% of sales. And the liability of company directors is also at stake, which could result in a temporary ban on exercising their functions!

The solution?

A more robust security policy to control most risks and ensure compliance (and be able to demonstrate it). It also means combating fraud in all its forms (including money laundering and terrorist financing), with, among other things, real-time vulnerability scanning, secure protocols, an alert escalation system, prevention of reputational risk, secure customer journeys and traceability of all actions...

CSRD: extending the scope of compliance

The CSRD (Corporate Sustainability Reporting Directive), applicable from 2024 for companies with more than 500 employees, sets standards and obligations that companies must include in their non-financial reporting each year. It requires them to monitor and publish, in addition to their financial balance sheet, an ESG (Environmental, Social and Governance) balance sheet, thus giving as much importance to the sustainable dimension as to the economic dimension of their activities.

When non-financial reporting merges with financial reporting

Reporting will need to be more than comprehensive, since it will merge financial and non-financial risks. Although many companies already communicate on their CSR actions, they very often do so on the basis of unreliable and unauditable data.

Over a thousand indicators to publish!

Companies will have to report not only on their strategy and business model, but also on the resources they have put in place to contribute to the ecological transition, and on the performance of their actions, notably through monitoring indicators. Over a thousand indicators will need to be published, impacting all business lines and processes. If GDPR was already a complex project, CSRD is ten times more complex!

Compliance scrutinized by auditors

Extra-financial reporting will have to be published according to precise standards, including in digital format, to facilitate the use and sharing of this information. These ESG reports will have to be audited and certified by an independent body, which will verify the sincerity of the information and the presence of sustainability objectives.

The solution?

A widespread culture of compliance within organizations, supported by the right tools to automate and sustain it. Equipping organizations with the right software solutions is all the more crucial given that CSRD is probably the most important revolution in compliance history.

Electronic invoicing: automation doesn't mean you don't need to know your customers well

Originally scheduled for July 1, 2024, the obligation for companies established in France to issue and receive electronic invoices will be phased in from September 1, 2026. Electronic invoicing applies to all transactions between companies established in France and subject to VAT. The French Finance Act for 2024 has set a new timetable for the implementation of this reform. The obligation to issue electronic invoices, via dematerialization platforms or the public Chorus Pro portal, will apply on September 1, 2026 for large and medium-sized companies (ME), and on September 1, 2027 for small and medium-sized companies and micro-businesses.

Relaxing customer vigilance? Don't even think about it!

Companies might think that, with this final stage in the dematerialization of invoices, they don't need to know their customers very well, and that it would be a good idea to relax their vigilance. On the contrary! This legal framework is bringing about major changes for all companies: electronic invoicing modifies internal processes, transforms relations with suppliers (dematerialization platforms) and tax authorities, and requires appropriate technological solutions, particularly for security, archiving and... traceability!

The solution?

A KYC (Know Your Customer) process, which involves verifying the identity and integrity of each customer. This process can of course be fully automated with a software solution.

MiFID II and MiFIR: an additional layer of traceability

MiFID II (Markets in Financial Instruments Directive) regulates companies providing investment services and activities related to financial instruments. MiFIR (Markets in Financial Instruments Regulation) also imposes additional requirements, in particular concerning the obligation to report transactions.

Transaction reporting: more and more

MiFID II and MiFIR have been in force since 2018, but a European regulation of February 28, 2024 has introduced further changes. MiFIR complements MiFID II with, among other things, the obligation to report transactions to the competent authorities, with the aim of increasing transparency on capital markets, improving competitiveness and guaranteeing a level playing field. These changes must be implemented by September 29, 2025 at the latest.

The solution?

Set up a compliance tool that provides traceability and explainability for regulators, with an audit trail, a relevant compliance policy, precise management of compliance lists...

Would you like to know how AP Solutions IO can help turn your business into a legal fortress? Request a demo
