
Fintech compliance in Belgium.


UPDATED 2026-05-10

Fintech Regulatory Landscape in Belgium

Belgium's fintech sector operates under a multi-layered regulatory framework overseen primarily by the National Bank of Belgium (Nationale Bank van België / Banque Nationale de Belgique, NBB) and the Financial Services and Markets Authority (Autoriteit Financiële Markten en Pensioenen / Autorité des Services Financiers et des Pensions, FSMA). However, the regulatory environment has shifted dramatically since 2023. The sector now contends not only with traditional banking and payment services directives, but also with three major EU-wide regimes: the General Data Protection Regulation (GDPR), the Digital Operational Resilience Act (DORA), and the Artificial Intelligence Act (AI Act).

These three regulations create overlapping compliance obligations that fintech founders cannot treat as separate silos. GDPR governs how you handle customer data, including when you may rely on legitimate interest as a lawful basis. DORA requires you to build resilience into your entire operational infrastructure—including third-party dependencies and cybersecurity. The AI Act imposes strict transparency and risk controls if you deploy algorithmic decision-making in lending, fraud detection, or customer profiling. Belgium's regulators have made clear that compliance with one does not imply compliance with the others. The NBB and FSMA expect fintech firms to map these dependencies explicitly and report findings during regulatory reviews. Failure to demonstrate integrated compliance planning is flagged as a governance weakness during on-site inspections.

GDPR: Data Protection Obligations

Scope and Core Requirements

The General Data Protection Regulation (Regulation (EU) 2016/679) applies to any fintech processing personal data of EU residents. This includes Belgian customers, employees, and partners. GDPR compliance is non-negotiable; the regulation came into force on 25 May 2018, and there are no fintech exemptions.

For fintech businesses specifically, GDPR creates four critical compliance areas: (1) lawful basis documentation—you must be able to prove that processing customer data for credit decisions, KYC, or transaction monitoring rests on a valid legal ground (contract, legal obligation, legitimate interest, or consent); (2) Data Protection Impact Assessments (DPIAs)—required before deploying new processing activities that involve high-risk decision-making (e.g., algorithmic lending decisions); (3) data subject rights—customers can request access, correction, or deletion of their financial data, and you have 30 days to respond; (4) data breaches—you must notify the Belgian Data Protection Authority (Autoriteit Bescherming Persoonsgegevens / Autorité de la Protection des Données, APD) within 72 hours of discovering a breach affecting customer financial data.

Deadlines and Ongoing Compliance

GDPR compliance is continuous, not a one-time project. There is no sunset or transition deadline. You must maintain up-to-date Records of Processing Activities (RPA), conduct DPIAs before launching new features that process personal data, and appoint a Data Protection Officer if you process sensitive financial data at scale. Belgium's APD publishes guidance on its official portal at autoriteprotectiondonnees.be. Fines for non-compliance run up to €20 million or 4% of global annual turnover, whichever is higher. Belgium has issued fines exceeding €10 million against fintech and payment service firms for GDPR breaches.

Source: Regulation (EU) 2016/679, available at eur-lex.europa.eu/eli/reg/2016/679.

DORA: Operational Resilience and Cybersecurity

What DORA Requires

The Digital Operational Resilience Act (Regulation (EU) 2023/2795) is the newest and most technically demanding framework for fintech. It came into force on 16 January 2023, with phased enforcement beginning 17 January 2025. DORA applies to all financial services firms in Belgium, including fintechs holding payment institution (PI) or electronic money institution (EMI) licenses, as well as credit brokers processing customer data.

DORA mandates three interconnected compliance pillars: (1) ICT (information and communication technology) risk management—you must establish a formal governance structure, appoint a Chief Information Security Officer (CISO) equivalent, conduct annual ICT risk assessments, and maintain cyber hygiene standards (encryption, access controls, patch management); (2) incident reporting—you must classify and report significant ICT incidents to the NBB within defined timeframes (ranging from 24 hours to 15 days depending on severity); (3) third-party risk management—if you outsource critical functions (cloud hosting, payment processing, AI model training), you must assess their resilience, conduct due diligence, and impose contractual safeguards. This third-party requirement is often missed by early-stage fintechs that assume outsourcing transfers compliance risk.

Deadlines and Implementation

The first enforcement phase is January 2025. By that date, you must have documented your ICT risk framework and identified your critical third-party service providers. Full compliance—including incident response testing, detailed remediation plans for identified gaps, and annual board-level reporting—is due by January 2026. The NBB has published sector-specific guidelines on its website (nbb.be). Fines for non-compliance are up to €15 million or 6% of annual turnover for large firms. [UNVERIFIED] Belgium's NBB is already flagging fintech firms with weak third-party risk documentation during regulatory reviews.

Source: Regulation (EU) 2023/2795, available at eur-lex.europa.eu/eli/reg/2023/2795.

AI Act: Transparency and Risk Controls

Scope for Fintech Applications

The Artificial Intelligence Act (Regulation (EU) 2024/1689) became law on 13 June 2024 and enters enforcement in phases through 2026 and 2027. The AI Act classifies AI systems by risk level and imposes corresponding obligations. For fintech, the high-risk categories most relevant are: credit-scoring algorithms, know-your-customer (KYC) and anti-money-laundering (AML) systems that make or influence decisions about customers, and fraud-detection systems that block transactions or trigger investigations.

If your fintech deploys high-risk AI, you must: (1) maintain a Register of High-Risk AI Systems; (2) conduct AI Impact Assessments before deployment, documenting how the system may bias credit decisions or falsely flag customers as high-risk; (3) establish human oversight—loan decisions cannot be fully automated without documented human review; (4) provide transparency—customers have a right to understand why they were denied a loan or flagged for AML review if AI was material to that decision. The AI Act does not require you to disclose proprietary algorithms, only to explain the factors and logic that affected the individual customer decision.

Implementation Deadlines

The AI Act's high-risk transparency and oversight rules enter force on 2 February 2025. However, the European AI Office is still publishing delegated regulations that will clarify specific sectoral requirements for finance. Belgium's financial regulators (NBB and FSMA) are coordinating enforcement with the AI Office but have not yet published standalone guidance specific to fintech AI use cases. The safest approach is to assume that any AI system affecting credit, AML, or customer acceptance decisions will be treated as high-risk and begin compliance preparation now, rather than waiting for clarification.

Source: Regulation (EU) 2024/1689, available at eur-lex.europa.eu/eli/reg/2024/1689. See also EDPB guidance on AI and data protection at edpb.europa.eu.

Top 3 Compliance Pitfalls in Belgian Fintech

Pitfall 1: Treating Third-Party Risk as an IT Problem, Not a Compliance Problem

A common mistake among early-stage fintech founders is delegating DORA third-party risk management to their engineering or DevOps team. The engineer's job is to ensure the cloud provider is reliable; the compliance job is to document due diligence, negotiate contractual protections, and prove to regulators that you have not outsourced accountability.

A Belgium-based payment fintech discovered during an NBB review that it had signed a standard cloud computing contract with a major provider and had not conducted any DORA-mandated due diligence. The contract included no explicit commitment to data security standards, incident notification timelines, or audit rights. The NBB issued a formal remediation order requiring the fintech to renegotiate the contract within 90 days or face license restrictions. The lesson: every third-party contract in the fintech stack—cloud, APIs, payment networks, data enrichment services—must explicitly reference DORA obligations and include audit and termination rights.

Pitfall 2: Mixing Lawful Basis in KYC and Anti-Fraud Processing

Fintech lenders and payment platforms often blur the line between GDPR lawful basis for KYC (which can rest on legal obligation or contract) and fraud-detection processing (which may rest on claimed "legitimate interest"). Under GDPR, legitimate interest is valid only if you have balanced your interest against the customer's privacy rights and documented that balance in your Data Protection Impact Assessment.

A Belgium-based lending fintech automatically flagged any loan applicant whose employment could not be instantly verified via a third-party API as "high fraud risk" and rejected the application without human review. The firm argued this was justified as a legitimate interest (preventing fraud). A customer complaint to the APD revealed that the fintech had never conducted a DPIA for this automated decision, had not documented the fraud rate it was actually preventing, and had no mechanism for customers to challenge the decision. The APD issued a compliance order requiring the fintech to add a human review step and conduct a DPIA within 60 days. The cost of remediation (adding staff, purchasing DPIA software, retraining teams) exceeded €200,000.

Pitfall 3: Deploying Machine Learning for Lending Without AI Act Compliance

Many fintech lenders have invested in machine learning models that correlate loan repayment likelihood with behavioral, transactional, or employment data. Under the AI Act (effective February 2025), these systems are high-risk and require Impact Assessments, human oversight, and transparency mechanisms. Founders who have not yet planned for AI Act compliance risk finding that their core product requires redesign after February 2025.

A Belgium-based fintech deployed an ML model trained on historical loan data from a eurozone competitor. The model achieved 95% predictive accuracy but, after an independent audit, was found to have a bias: applicants with non-EU names were 18% more likely to be denied despite identical credit profiles. Under the AI Act, this bias makes the system non-compliant unless the fintech can demonstrate that it has mitigated the bias, disclosed it in customer-facing transparency notices, and implemented human review for edge cases. The fintech had to retrain the model on debiased data—a 6-month delay and significant cost.

Getting Started with Compliance

Compliance for Belgian fintech is not a check-box exercise. GDPR, DORA, and the AI Act form an interlocking system: GDPR governs data use, DORA ensures that the systems processing that data are resilient, and the AI Act ensures that automated decisions derived from that data are transparent and fair. The regulators—NBB, FSMA, and APD—will not accept a compliance narrative that treats these as separate domains.

The first step is to map your data flows, third-party dependencies, and any algorithmic decision-making. Then benchmark your current practices against the three regulations. This usually reveals gaps in documentation, governance, and testing. The second step is to prioritize: DORA's 2025 deadlines are imminent, so third-party due diligence and ICT risk assessments should be completed first. GDPR and AI Act compliance can be integrated into the same project if you approach them as interconnected.
