
Introduction

(by Samuel Goret)

The National Bank of Belgium has released the 2025 edition of its Financial Market Infrastructures and Payment Services Report (FMI Report), continuing a tradition that began in 2017. This annual publication provides a detailed overview of the Bank’s oversight and prudential supervision activities concerning financial market infrastructures, custodians, payment service providers, and critical service providers operating in Belgium.

As part of its growing role in enhancing IT operational and cyber resilience, the Bank also includes in the report key developments related to digital security and regulatory frameworks.

This article highlights four key topics from the report, which were also addressed during the NBB webinar on July 2, 2025:

  1. Digital Operational Resilience Act (DORA) – An overview of the EU regulation and the National Bank’s initiatives to support and monitor compliance.
  2. Euroclear Bank and Sanctions – A discussion on the impact of EU sanctions and Russian countermeasures on Euroclear’s operations.
  3. Wero – An introduction to a new European digital payment solution aimed at simplifying and accelerating transactions across the continent.
  4. SWIFT Oversight Framework – A look at the upcoming revisions to the cooperative oversight framework for SWIFT, effective from 2026.

These topics reflect the evolving landscape of financial infrastructures and the Bank’s commitment to transparency, resilience, and regulatory alignment. Further details and insights are available in the full report, accessible at https://www.nbb.be/fmi.

Digital operational resilience 

(by Noemi de Guzman)

The financial sector is increasingly exposed to cyber and IT risks. Threats are evolving in sophistication, driven by geopolitical tensions and rapid advances in technologies. Supervisory authorities, such as the NBB, are continuously expanding their toolkit to assess and promote resilience. The Digital Operational Resilience Act (DORA), which has applied since 17 January 2025 to a broad set of financial entities, is an important game changer. It establishes requirements on ICT governance and risk management, incident classification and reporting, resilience testing, and third-party risk management. Over the past years, the NBB has contributed in various ways to a successful implementation of this regulation in the Belgian financial sector.

Reliance on digital processes, standardised ICT components, and third-party providers has materially increased exposure to cyber and IT risks across the financial sector. Threats are evolving in sophistication, driven by geopolitical tensions and rapid advances in technologies such as artificial intelligence and, prospectively, quantum computing.


Supervisory authorities, such as the NBB and the ECB, are continuously expanding their toolkit to assess and promote resilience. In addition to on-site inspections, IT risk questionnaires, incident notifications, third-party registers, and threat intelligence, they conduct cyber testing in cooperation with ethical hackers who simulate intelligence-based threats under the TIBER framework, run crisis simulations, and develop coordination mechanisms. The ECB’s cyber resilience stress test in the first half of 2024 assessed the effectiveness of response and recovery arrangements under a simulated crisis.

The Digital Operational Resilience Act (DORA) entered into force on 16 January 2023 and has applied since 17 January 2025 to a broad set of financial entities, including credit institutions, stockbroking firms, insurance and reinsurance undertakings, central securities depositories, and payment and e-money institutions. DORA establishes requirements on ICT governance and risk management, incident classification and reporting, resilience testing, and third-party risk management, and it prevails as lex specialis over NIS2 (the EU Directive on cybersecurity legislation) and CER (which focuses on non-digital threats such as natural disasters, sabotage, terrorist attacks, …). Over the past years, the NBB has contributed to the development of detailed technical standards on these topics, raised awareness in the sector through seminars and communications, facilitated the integration of DORA into the Belgian legal order, prepared the necessary IT tools and processes, adapted supervisory methodologies, and aligned TIBER-BE (Threat Intelligence-Based Ethical Red Teaming-Belgium) with DORA’s threat-led penetration testing framework.

A July 2024 survey of 132 entities showed significant implementation effort and an anticipated rise in compliance between September 2024 and January 2025, with most firms expecting to meet DORA’s application date of 17 January 2025. Nonetheless, many did not anticipate full, operationally effective compliance as of this date.
 
Principal gaps cluster in three areas:

  • ICT risk management frameworks, including the incomplete rollout of policies, insufficient mapping of dependencies from critical or important business functions to ICT assets and providers, and control weaknesses in business impact analysis, encryption in transit, network segmentation, identity and access management, vulnerability management, monitoring and detection, and secure software development and testing.

  • Management of ICT third-party risk, notably contract remediation still in progress, inadequate inclusion of audit, monitoring, reporting, and termination clauses, limited transparency on subcontractors, and exit strategies that are not yet adequately designed or tested.

  • Digital resilience testing, where some entities expected to need 2025 to operationalise testing strategies and governance, rehearse severe but plausible scenarios, meet testing frequency requirements, and formalise response and recovery plans.

The Bank reminded financial entities that full implementation of DORA was nevertheless expected by 17 January 2025.

EUROCLEAR BANK - Between global sanctions and Russian retaliatory measures

(by Filip Saffer)

In 2025, Euroclear continued to find itself at the epicentre of a rapidly evolving geopolitical and financial landscape. As one of the world’s largest international central securities depositories (ICSDs), Euroclear plays a critical role in the global financial system. However, the escalation of sanctions against Russia and the retaliatory measures that followed placed the institution in an extraordinary situation, testing its operational resilience and applicable legal frameworks.

Sanctions and Systemic Exposure

Following the intensification of sanctions imposed by the European Union, United States, and United Kingdom, Euroclear was legally required to freeze assets linked to Russian entities. This included both securities and cash held directly or indirectly in custody for sanctioned entities. The scale of the frozen assets was unprecedented, and the legal complexity of complying with overlapping international sanctions regimes introduced significant operational challenges.

Notwithstanding Euroclear’s role as a neutral post-trade infrastructure, facilitating cross-border settlement and custody services, it became involved in the enforcement of geopolitical policy.

Retaliation and Operational Disruption

In response to Western sanctions, Russian authorities implemented countermeasures that directly impacted Euroclear’s operations. These included the freezing of assets belonging to Euroclear’s clients and the effective severing of its market link with Russia’s central securities depository. The result was a breakdown in settlement flows with significant implications for risk management, while the actual seizing of cash and securities balances created mismatches in Euroclear’s systems, complicating the reconciliation of transactions and the allocation of interest payments. These disruptions highlighted the limits on the ability of even robust financial market infrastructures to insulate themselves against geopolitical shocks: sanctions circumvention and dislocated assets throughout the custody chain affect investors, issuers and intermediaries, who now face reconciliation and legal challenges. The case of Euroclear illustrates that the ability to navigate the complexities of sanctions and retaliatory measures is necessary to keep delivering (operational) continuity and regulatory compliance in today’s fragmented global order.

Strategic and Regulatory Implications

Financial market infrastructures in Europe and beyond need appropriate risk management frameworks covering cross-border legal risk, counterparty exposure, and the legal enforceability of asset segregation under stress scenarios. Current developments are likely to influence the broader oversight and regulatory approach towards them. Moreover, the situation underscored the need for enhanced coordination between regulators across the globe. As financial market infrastructures become increasingly entangled in geopolitical dynamics, consistent oversight and clear regulatory guidance will be essential to maintaining financial stability.

Conclusion

The recent challenges have placed Euroclear Bank in a complex and evolving operational environment. Navigating sanctions, legal obligations, and disrupted settlement flows has required significant adjustments to its processes and risk frameworks. As the financial system continues to face geopolitical uncertainty, Euroclear’s experience offers insight into how financial market infrastructures stay adaptable to maintain continuity and regulatory compliance.

WERO - Towards a unified & sovereign European retail payment solution

(by Reinout Temmerman)

WERO is the commercial name of the European Payments Initiative, or ‘EPI’ for short. It was founded in 2020 by banks and payment service providers (PSPs) in Belgium, France and Germany, with Dutch banks joining in 2023. EPI acquired the Dutch payment solution iDEAL and the Luxembourg Payconiq International. This will result in a phase-out of Payconiq in Belgium. France migrated its Paylib solution to WERO as well.

Objectives

WERO pursues several objectives. The first is to create a pan-European, sovereign, European-owned payment solution. This offers a way to end European reliance on non-EU card or mobile-based payment solutions and helps achieve strategic autonomy in EU payments. Another is to build on instant SEPA Credit Transfers to provide account-to-account payments. WERO has already started by providing Peer-to-Peer (P2P) payments and will extend into e-commerce and m-commerce.

What does WERO do (in Belgium)?

WERO provides an ecosystem combining an account-to-account payment scheme, based on a four-corner model similar to the cards model, with a digital wallet.

In the Belgian market this translates into two things. First, WERO services are available in the mobile banking apps of major Belgian banks such as BNP Paribas Fortis, Belfius, ING and KBC, which thereby allow their customers to send and receive funds instantaneously by either scanning QR codes or entering a phone number. Second, a strategic partnership with Bancontact Payconiq Company will result in the gradual migration of Payconiq transaction volumes to WERO, with an ultimate phase-out of Payconiq.

WERO consists of a payment scheme, a front-end solution and a technical platform. At the payment scheme level, banks and other payment service providers (such as non-bank acquirers or issuers) can join the EPI scheme, adhering to the rules and standards set out in its rulebook. Only then can they offer WERO payments to their customers. As a front-end solution, EPI provides its services either through integration in the existing mobile application of its adherent banks or PSPs or through its own ‘standalone’ mobile application. As a technical platform, WERO provides shared services, e.g. fraud prevention, transaction processing, back-office and data management.

How is WERO supervised/regulated?

EPI Company is both supervised prudentially under PSD2 and subject to Central Bank Oversight.

  • Prudential supervision

    WERO’s ‘standalone’ mobile application is used to initiate instant payments and to consult payment history and account information. PSD2 considers these to be regulated payment services, namely payment initiation and account information respectively. Hence EPI Company has a license from the NBB to provide these payment services.

  • Central Bank Oversight

    EPI Company operates the WERO payment scheme, subject to central bank oversight. To ensure that the payment scheme meets oversight expectations in each country in which EPI offers or will offer its products, a Joint Oversight Team (‘JOT’) has been set up between central banks in Belgium, Germany, the Netherlands, Luxembourg and France, as well as the European Central Bank.

Oversight of Swift and the Belgian Law on the Oversight of Financial Messaging Service Providers

(by Vincent Versluys)

Swift plays a critical role in the financial system as a key service provider to financial market infrastructures, offering secure financial messaging services. Given its systemic importance, Swift is subject to oversight by central banks. In recent years, the NBB has been working on strengthening this oversight framework, leading to the adoption of a Belgian law that formally underpins the oversight of Swift.

Swift plays a critical role in the global financial system, providing financial messaging services to approximately 12,000 institutions across more than 200 countries and territories. Its infrastructure supports not only payment transactions but also securities, treasury, and trade operations, making its operational continuity vital to financial stability worldwide.

Swift is a member-owned cooperative headquartered in Belgium. The current oversight of Swift is led by the National Bank of Belgium (NBB), in cooperation with the central banks of the G10 and the European Central Bank. This oversight, grounded in moral suasion, is guided by five High-Level Expectations (HLEs), which cover risk management, information security, reliability and resilience, technology planning, and user communication, as set out in Annex F of the CPMI-IOSCO Principles for FMIs.

This oversight model is now evolving – for several reasons. The change is motivated by Swift’s increased adoption of new and off-the-shelf technologies, the expansion of its service offering in the competitive domain, and the changing geopolitical and regulatory environment in the financial sector. These changes have prompted the need to anchor Swift’s oversight in a stronger legal framework. Against this background, a Belgian oversight law targeting providers of financial messaging services was passed in April 2025. It is due to enter into force in early 2026 (1).

The revised framework maintains the cooperative oversight model but introduces legally enforceable requirements. It broadens the scope of oversight to include governance requirements, such as the requirement for a two-tier board structure, independence criteria for board members, fit-and-proper assessments, and frameworks for managing conflicts of interest and whistleblowing. It also codifies overseers’ operational risk and cyber resilience expectations, taking into account requirements codified elsewhere in the financial sector, including the EU’s DORA regulation.

Under the new law, the NBB retains its role as lead overseer, with enhanced powers for information access and enforcement. Swift is expected to be formally designated as a systemic provider under the law in 2026, after which the associated legal provisions will become fully applicable. This transition marks a significant step toward ensuring the resilience and operational continuity of a critical global service provider.

(1) 25 May 2025 – Wet houdende het toezicht op aanbieders van financiële berichtendiensten (Law on the oversight of providers of financial messaging services), http://www.ejustice.just.fgov.be/eli/wet/2025/05/25/2025004515/staatsblad

Authors

Samuel Goret

TIBER, DORA TLPT, Critical Infrastructures Resilience Programme Manager National Bank of Belgium

Noemi de Guzman

IT Supervisor NBB

Filip Saffer

Advisor Financial Market Infrastructures National Bank of Belgium

Reinout Temmerman

Payments Advisor, Prudential Supervisor of PI & EMIs, Central bank Overseer of Financial Market Infrastructures, Retail Payments Policy Expert, National Bank of Belgium

Vincent Versluys

IT Risk Analyst National Bank of Belgium