1. Introduction
In July 2024, Directive (EU) 2024/1619 (“CRD6”) entered into force as part of the EU Banking Package, together with Regulation (EU) 2024/1623 (“CRR III”). While CRR III completes the implementation of the Basel III prudential standards, CRD6 mainly reshapes how banks are supervised and how non-EU institutions can operate in the European Union.
One of the most important changes introduced by CRD6 concerns banks and certain investment firms established outside the EU. For the first time, EU law lays down a harmonised framework governing how “core banking services” may be provided in the EU by third-country institutions, replacing a patchwork of national regimes with minimum EU-wide rules. This Legal Insight focuses exclusively on that new framework for third-country branches (“TCBs”).
Although CRD6 is already in force at EU level, Member States were required to transpose it into national law by 10 January 2026. In practice, transposition is still ongoing in several Member States, including Belgium, where the implementing legislation is currently expected in April 2026.
2. What CRD6 is trying to fix
Before CRD6, there was no harmonised EU framework governing how non-EU banks could operate through branches in the EU. Each Member State applied its own rules on licensing, capital, liquidity and supervision. This fragmentation facilitated regulatory arbitrage, as non-EU banks were able to structure their EU presence by relying on differences between national regimes.
CRD6 is designed to put an end to this fragmentation. It introduces a common EU baseline for market access for non-EU institutions that carry out the most sensitive banking activities in the EU.
3. What are “core banking services”?
CRD6 defines “core banking services” by reference to EU banking law, and therefore includes:
- taking deposits or other repayable funds from the public,
- granting credit, and
- providing guarantees or commitments.
4. The new rule: no core banking services in the EU without a local branch
CRD6 establishes a simple principle: if a non-EU institution provides core banking services “in” a Member State, it must do so through an authorised local branch in that Member State.
From 11 January 2027, non-EU institutions will no longer be allowed to provide core banking services to EU clients on a pure cross-border basis. Instead, they will have to establish a third-country branch and obtain authorisation from the local competent authority. Authorisation will be granted only if third‑country firms satisfy specific regulatory requirements, including capital, liquidity, and governance standards (cf. infra, point 6).
These branches will not benefit from passporting rights. A non-EU bank wishing to operate in several Member States will therefore need several branches or will have to set up an EU authorised subsidiary to benefit from the EU passport.
5. Limited exemptions
CRD6 does not prohibit all cross-border activity, but the exemptions are deliberately narrow.
The most important, and commonly applied exemption in the financial services industry, is reverse solicitation, where an EU client would approach a non-EU institution at its own exclusive initiative. Experience under MiFID II shows that this concept is interpreted very strictly and cannot support a scalable business model. Further exemptions apply to interbank services, intragroup transactions, and MiFID investment services together with closely related ancillary services.
In addition, contracts entered into before 11 July 2026 benefit from a grandfathering regime, allowing them to be serviced even after the new rules become fully applicable.
6. A much stricter branch regime
CRD6 does not merely require a branch to exist. It also subjects third-country branches to a harmonised EU prudential framework, covering capital endowment, liquidity, governance, booking arrangements and extensive reporting.
Branches are classified as Class 1 or Class 2, depending on their size, complexity, and risk profile. Large or non-equivalent branches will be placed in Class 1 and will face significantly more demanding requirements.
In addition, where a non-EU group’s EU branches reach certain thresholds (EUR 40 billion across the EU or EUR 10 billion in one Member State), supervisors will be able to require restructuring or even subsidiarisation, forcing the group to create a fully capitalised EU bank.
7. Conclusion
CRD6 marks a major shift for third-country firms providing core banking services in the EU. Cross border models will become the exception, and most non-EU institutions active in the EU will need to reassess their setup and consider establishing an EU branch or subsidiary.
Firms already operating through an EU branch should also prepare for strengthened authorisation, prudential and governance requirements, with the greatest impact on structures with limited local substance. Even ahead of full transposition across Member States, third-country institutions must begin adapting to a more prescriptive and demanding supervisory framework.
If you have any questions or would like to discuss the implications of CRD6 for your activities, feel free to reach out to us at digitalfinance@simontbraun.eu.
***
This newsletter does not constitute legal advice or a legal opinion. Please consult with a legal counsel of your choice before taking any action based on the information provided.