Europe’s regulatory roadmap 2026: Centralization, digital identity, and the AI investment surge

This article was originally published on the Payments Association website, which can be accessed here.

The landscape of financial crime compliance is undergoing a fundamental shift. While the US administration pursues a deregulatory agenda to lower compliance costs, the EU is doubling down on centralization. This period of supervisory convergence is no longer theoretical; it is a roadmap that mandates a radical tech upgrade for any firm operating in the eurozone. 

Drawing from our State of Financial Crime 2026 report, this blog explores the top five milestones for 2026 that will redefine expectations for firms across the UK and EU.

1. AMLA data collection and calibration (March 2026)

While the Anti-Money Laundering Authority (AMLA) won’t begin direct supervision until 2028, March 2026 marks a critical window for its first major data-collection exercise. According to its 2026–2028 Single Programming Document, the authority will initiate this exercise to test and calibrate the risk-assessment models that will eventually select the 40 most significant, high-risk financial institutions for direct oversight from its Frankfurt headquarters.

For firms, this means the technical burden starts now; organizations must ensure their risk data is structured and accessible enough to meet these new, harmonized standards. By building this “analytical backbone,” AMLA is moving toward a model where supervisory convergence replaces fragmented national rules, rewarding firms that build strong data foundations and penalizing those with inconsistent oversight.

2. Implementation of beneficial ownership access (July 2026)

By July 10, 2026, member states must implement requirements under the 6th AML Directive (6AMLD) regarding access to beneficial ownership registers. This milestone focuses on applying the principle of legitimate interest to ensure these registers are available to relevant parties. This push for transparency aligns with broader Financial Action Task Force (FATF) priorities to enhance corporate clarity and combat the misuse of legal persons. 

For compliance teams, this date signals a shift in customer due diligence (CDD) expectations. Firms will be required to cross-reference their own customer disclosures against these centralized registers more rigorously, ensuring that any anomalies are identified and addressed to prevent illicit financial flows from being obscured by complex shell structures.

3. EU AI Act governance application (August 2026)

A defining moment for technology in compliance occurs on August 1, 2026, when the requirements of the EU AI Act fully apply. Because the Act classifies AI-powered transaction monitoring and systems that evaluate creditworthiness as high-risk use cases, firms must meet mandatory transparency and data governance standards.

This regulatory pressure is a likely driver behind Europe’s current position as a global leader in AI investment. When we asked 600 senior decision makers, “Does your organization currently have dedicated projects or budgets specifically for implementing or developing AI solutions in financial crime detection and prevention?”, the results were telling. Europe has emerged as the global leader in dedicated AI investment, with 59% of firms confirming they have specific projects and budgets in place – compared to 46% in North America and 40% in Asia-Pacific (global average = 48%).

With the new AMLA harmonizing standards and the AI Act classifying AI-powered transaction monitoring as a “high-risk” use case, European firms appear to be investing now to ensure their systems meet new, mandatory transparency and data governance requirements. Firms are no longer just deploying AI for efficiency; they are investing to ensure their systems are explainable and secure. By this August deadline, compliance officers must be able to demonstrate that their AI models are subject to human oversight and that the logic behind automated financial decisions is transparent enough to withstand a regulatory audit.

4. EUDI wallet availability and eIDAS 2.0 (late 2026)

By late 2026, the deadline for all EU Member States to provide at least one certified Digital Identity (EUDI) Wallet to citizens and businesses arrives. This milestone under eIDAS 2.0 represents a radical transformation of identity infrastructure across the eurozone. For financial institutions, this requires a fundamental shift in onboarding technology. 

As these wallets become available, firms must prepare their tech stacks to accept these digital credentials for strong customer authentication. This move toward digital-first onboarding is expected to support financial inclusion by simplifying identification requirements. Firms that act early to integrate wallet-based know your customer (KYC) will not only reduce supervisory friction but also gain a significant competitive advantage in customer experience.

5. UK innovation-led regulation and sector reclassification (December 2026)

Throughout 2026, the UK government is expected to continue its distinct pro-innovation roadmap. Unlike the EU’s centralized AI Act, the UK’s framework remains decentralized and principles-based, as outlined in the AI Opportunities Action Plan. This strategy empowers existing regulators to apply AI governance within their specific sectors rather than through blanket statutory law. 

This official policy appears to align closely with industry sentiment: our research shows that the UK has the highest preference for innovation-led AI regulation globally, at 68%. This is nearly 10% above the global average (59%) and significantly higher than the US (53%), signaling a market that views AI as a growth tool rather than just a compliance checkbox.

However, this focus on innovation is paired with a sharpening of the AML perimeter. Following the UK’s 2025 National Risk Assessment, which reclassified retail banking, electronic money institutions (EMIs), and payment service providers (PSPs) as high-risk for money laundering, firms in these sectors are expected to have completed a full modernization of their controls by the end of 2026. This involves shifting away from legacy systems toward dynamic, real-time risk monitoring that can keep pace with evolving threats while supporting the government’s broader growth agenda.