EU financial firms: digital and legal challenges

September 2025  |  SPECIAL REPORT: DIGITAL TRANSFORMATION

Financier Worldwide Magazine

September 2025 Issue


Digital transformation is reshaping financial services, bringing innovation, efficiency and enhanced customer experience. From open banking to artificial intelligence (AI), financial institutions (FIs) are evolving at an unprecedented pace.

However, the legal and regulatory framework governing this transformation is struggling to keep up. In the European context, the interplay between evolving EU legislation, data protection obligations under the General Data Protection Regulation (GDPR) and the forthcoming AI Act presents both challenges and opportunities.

As FIs embrace digital transformation, oversight over AI and emerging technologies is increasingly viewed as the most critical corporate governance issue of the next three years.

The push toward digital transformation in financial services

The financial services sector has been at the forefront of digital innovation. Fintechs, digital banks and incumbent institutions alike are deploying technologies like AI, cloud computing and advanced data analytics to streamline operations, reduce costs and offer tailored financial products.

Key drivers of digital transformation include changing customer expectations for real-time, personalised services, competition from agile fintech and BigTech companies, cost pressures, and the need for operational resilience.

This transformation, however, does not occur in a regulatory vacuum. FIs must navigate a complex and dynamic legal environment, while managing heightened scrutiny from regulators and stakeholders.

Navigating the European legal and regulatory landscape

The European Union (EU) has been proactive in setting the legal and ethical parameters for digital innovation in financial services.

The GDPR – protecting personal data in a digital economy. The GDPR, effective since 2018, remains a cornerstone of digital regulation. FIs handle vast amounts of sensitive personal data, making GDPR compliance fundamental to their operations.

Core GDPR challenges in a digital transformation context include: (i) data minimisation and purpose limitation – AI and analytics often require large datasets, which must still meet the GDPR’s proportionality and specificity requirements; (ii) automated decision making and profiling – article 22 of the GDPR imposes limits on fully automated decisions with legal or significant effects, a common feature in AI-driven credit scoring or fraud detection; and (iii) cross-border data transfers – with the rise of global cloud service providers, ensuring lawful international data flows under the GDPR (especially post-Schrems II) is a persistent challenge.

The AI Act – shaping the use of AI. The proposed EU AI Act, expected to come into force by 2026, introduces a risk-based framework for AI regulation. It classifies AI systems into prohibited, high-risk and lower-risk categories. Prohibited AI systems are banned due to their incompatibility with EU values. These include systems that manipulate human behaviour, exploit vulnerabilities or enable social scoring.

High-risk AI systems pose significant threats to individuals’ health, safety, fundamental rights or the environment. Examples include AI used in critical infrastructure, education, employment decisions, law enforcement and biometric identification.

Limited-risk AI systems, including certain foundation models, may affect individuals’ rights or interests. This includes systems used in content generation, chatbots or emotion recognition, which must meet specific transparency requirements.

Minimal-risk AI systems pose little to no risk, such as those used in video games, spam filters or virtual assistants. These are largely exempt from regulatory obligations.

For FIs, many applications, such as creditworthiness assessment, insurance underwriting or anti-money laundering, are likely to fall under the ‘high-risk’ category, triggering stringent compliance obligations. Those obligations include risk assessments and documentation, transparency and explainability requirements, human oversight and accountability mechanisms, and data governance and quality standards.

The Digital Operational Resilience Act (DORA). The DORA, effective since January 2025, seeks to ensure the operational resilience of FIs against information and communication technology (ICT)-related disruptions. It mandates comprehensive ICT risk management frameworks, the reporting of major ICT-related incidents and oversight of third-party ICT providers, including cloud services.

Digital transformation amplifies ICT dependencies and cyber risks, making DORA compliance central to futureproofing business models.

Corporate governance implications: oversight of AI and emerging technologies

Effective governance of digital transformation is emerging as a critical strategic imperative. Boards and senior executives must navigate a shifting landscape that includes technological complexity, regulatory demands and ethical considerations.

Oversight over AI and emerging technologies is widely regarded as the area most likely to define strong corporate governance in the next three years. Key governance considerations include: (i) board-level awareness and expertise – boards must possess or acquire sufficient knowledge to oversee digital risks and opportunities effectively; (ii) integration of technology risk into enterprise risk management frameworks – AI and tech risks should not be siloed but integrated into enterprise-wide risk management; (iii) accountability and ethical AI use – FIs must establish clear lines of responsibility for AI outcomes and ensure alignment with ethical standards; and (iv) transparency and stakeholder trust – public and regulatory trust hinges on transparency, fairness and the explainability of digital decision making.

Challenges in implementation

While the direction of digital transformation is clear, the journey for FIs remains complex and fraught with challenges. One of the foremost issues is legal uncertainty and fragmentation.

Constantly evolving regulations, varying interpretations and inconsistencies across jurisdictions – particularly in data protection – make compliance a moving target. Additionally, legacy systems and cultural resistance continue to hinder progress, as many institutions struggle to modernise outdated infrastructure or shift deeply rooted mindsets.

Compounding these challenges are skills and capability gaps. There is a growing need for legal, compliance and governance professionals to develop expertise in emerging areas such as AI ethics, data science and digital risk management. Moreover, the high costs of compliance with regulatory frameworks like the GDPR, the AI Act and DORA place a disproportionate burden on smaller firms, which may lack the resources to meet these demands.

Finally, cyber security and operational risk are escalating concerns. As digital footprints expand, so do vulnerabilities to cyber threats, making resilience and incident response critical components of any transformation strategy. Navigating these hurdles will require strategic investment, cross-functional collaboration, and a forward-looking approach to governance and technology.

Opportunities and strategic gains

Despite the challenges, digital transformation presents significant opportunities for FIs that can successfully navigate the regulatory landscape. It enables enhanced customer experiences through personalisation, faster service and seamless omnichannel delivery, driving greater satisfaction and loyalty.

Risk management is also strengthened, with AI and advanced analytics improving fraud detection, credit scoring and compliance reporting. At the operational level, efficiency gains from automation and cloud technologies reduce costs and increase agility.

Moreover, transformation unlocks new business models, such as embedded finance, digital wallets and cryptoassets, offering fresh revenue streams. FIs that view compliance as a strategic advantage can differentiate themselves, build trust and attract long-term investment.

Conclusion: a strategic inflection point

Digital transformation is no longer optional; it is a strategic imperative. However, the legal and regulatory challenges it poses are equally transformative. The GDPR, the AI Act and DORA, among other frameworks, signal the EU’s commitment to shaping a secure, ethical and innovation-friendly digital financial ecosystem.

For FIs, success lies in embedding regulatory foresight, ethical AI practices and digital governance into their transformation journeys. Those that adapt with agility, invest in governance capabilities, and lead with integrity will not only comply but thrive in the digital era.

As AI and technology oversight become defining features of corporate governance over the next three years, FIs must align their digital ambitions with responsible innovation and robust accountability structures. In doing so, they will futureproof their business models, protect customer trust, and contribute to a resilient and inclusive European financial system.


Vanessa Galhardo-Galhetas is a director and consultant at Neva Consulting. She can be contacted by email: vanessa.galhardo-galhetas@neva-consulting.eu.

© Financier Worldwide

