Financial professionals are subject to specific regulatory obligations toward their users and clients.
As a result, the websites of financial advisors, venture capital firms, investment funds, banks, and other financial services providers must implement additional measures to comply with French and European regulations. Financial regulations are constantly evolving, which is why it is strongly recommended to work with a web agency specialized in the financial sector to ensure that your website remains fully compliant.
In this article, we outline the key compliance rules that financial institutions must follow.
1. MiFID II Directive (European Union)

What is it about?
The MiFID II Directive (Markets in Financial Instruments Directive) is a set of rules governing how financial market participants present, market, and distribute financial products. Its objective is straightforward: to protect investors by ensuring greater transparency and clearer, more balanced information, particularly regarding the risk–return trade-off.
Who is concerned?
This regulation directly applies to financial investment advisors (CGPs / CIFs), banks, asset management companies, investment funds, and all entities that offer investment services or communicate about financial products. Even if these products are presented for informational purposes only, you may still fall within its scope.
How to be MiFID II compliant on your website?
Compliance mainly depends on how information is presented and made accessible on your website:
- Inform without misleading: your content must be factual, clear, and must not imply any guarantee of performance.
- Present risks with the same level of visibility as benefits: include clear and prominent risk warnings.
- Make regulatory documents easily accessible: such as the KID (Key Information Document), your pricing and fees policy, your investment strategies, and related disclosures.
- Keep content up to date, particularly information related to financial products.
2. Directive 2014/65/EU (Legal Basis of MiFID II)

What is it about?
Directive 2014/65/EU is the legal text that constitutes MiFID II. It establishes the European rules for investor protection and defines in particular how clients must be categorized (retail, professional, or eligible counterparty) and what type of information may be presented to them, depending on that categorization.
Who is concerned?
For certain market participants, investment funds, asset management companies, private banks, and investment platforms in particular, this directive imposes an additional level of regulatory compliance.
How to comply with Directive 2014/65/EU?
A specific disclaimer must be displayed so that users declare their investor status (professional or non-professional) before accessing restricted content. The objective is to prevent non-professional investors from accessing financial products that are not intended for them. This disclaimer is often implemented as a pop-up, displayed either upon entering the website or when accessing specific pages, such as investment strategy pages or fund pages. Keep in mind that such a pop-up records a self-declaration; it documents the user's acknowledgement but cannot verify it, so any content that must genuinely be withheld from non-professional investors has to be protected by server-side access control, not only by a client-side overlay.
The disclaimer allows users to confirm that:
- their investor profile is accurate,
- they understand the access conditions,
- they are browsing the website or page in compliance with the laws applicable in their jurisdiction.
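As an added example (not code from the original article), the decision logic behind such a gate in JavaScript: the restricted path prefixes, the 30-day validity, the disclaimer version and the redirect target are assumptions made for this example, and the storage adapter stands in for sessionStorage or a cookie in the browser. The gate only records a self-declaration; it cannot verify investor status, so it is a disclosure control, not an access control.

```javascript
// Added example: decision logic for an investor-status gate on restricted pages.
// Pure functions, so it runs in Node; in the browser, wire evaluateGate() to a modal.
// Assumptions for this example: the path prefixes, the 30-day validity, the redirect target.

const RESTRICTED_PREFIXES = ["/funds/", "/strategies/"]; // assumed site layout
const ACK_TTL_MS = 30 * 24 * 60 * 60 * 1000;             // re-prompt after 30 days (assumed policy)
const DISCLAIMER_VERSION = 2;                            // bump when the wording changes
const RETAIL_PAGE = "/retail-information";               // assumed public landing page

function isRestricted(path) {
  return RESTRICTED_PREFIXES.some((prefix) => path.startsWith(prefix));
}

// The record saved when the user submits the pop-up.
function buildAck(status, jurisdictionConfirmed, now = Date.now()) {
  return { version: DISCLAIMER_VERSION, status, jurisdictionConfirmed, acceptedAt: now };
}

// Never trust a stored record blindly: check shape, version, jurisdiction flag and age.
function isValidAck(ack, now) {
  if (!ack || typeof ack !== "object") return false;
  if (ack.version !== DISCLAIMER_VERSION) return false;
  if (ack.status !== "professional" && ack.status !== "non-professional") return false;
  if (ack.jurisdictionConfirmed !== true) return false;
  if (!Number.isFinite(ack.acceptedAt)) return false;
  const age = now - ack.acceptedAt;
  return age >= 0 && age < ACK_TTL_MS;
}

// Decide what to do for a page request.
// Returns { action: "allow" } | { action: "prompt" } | { action: "deny", redirectTo }.
function evaluateGate(path, ack, now = Date.now()) {
  if (!isRestricted(path)) return { action: "allow" };
  if (!isValidAck(ack, now)) return { action: "prompt" };
  if (ack.status === "professional") return { action: "allow" };
  return { action: "deny", redirectTo: RETAIL_PAGE };
}

// Minimal Storage-like backend so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Persistence adapter; pass window.sessionStorage in the browser.
function createStore(storage = memoryStorage()) {
  const KEY = "investor-ack";
  return {
    load() { try { return JSON.parse(storage.getItem(KEY) ?? "null"); } catch { return null; } },
    save(ack) { storage.setItem(KEY, JSON.stringify(ack)); },
    clear() { storage.removeItem(KEY); },
  };
}

// Walk through the three outcomes with a constructed request sequence.
const store = createStore();
console.log(evaluateGate("/funds/alpha", store.load()));   // prompt: nothing stored yet
store.save(buildAck("non-professional", true));
console.log(evaluateGate("/funds/alpha", store.load()));   // deny + redirect
store.save(buildAck("professional", true));
console.log(evaluateGate("/funds/alpha", store.load()));   // allow
console.log(evaluateGate("/about", null));                 // allow: not restricted
```

Bumping DISCLAIMER_VERSION invalidates every stored acknowledgement, which is what you want when the wording or the list of restricted pages changes; a record dated in the future or older than the validity period is treated as absent rather than trusted.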
3. PRIIPs Regulation: Key Information Document (KID)

What is it about?
The PRIIPs Regulation (Packaged Retail and Insurance-based Investment Products) requires the provision of a Key Information Document (KID) for any packaged investment product intended for retail investors. This is a standardized document designed to provide clear and comparable information across financial products, including:
- risks,
- performance scenarios,
- fees and costs,
- recommended holding periods,
- liquidity,
- and other key characteristics.
Who is concerned?
All entities that design, distribute, or present packaged investment products are concerned. This includes: investment funds, asset management companies, banks, insurers (notably for unit-linked products), investment platforms, financial advisors (CGP / CIF), and others.
Put simply, as soon as a packaged product is made available to retail investors, providing a KID becomes mandatory.
How to comply with the PRIIPs Regulation on your website?
Your website must provide access to the KID for each product, and these documents must be:
- clearly visible, easily accessible, and downloadable,
- presented in their most up-to-date version,
- clearly associated with each product (fund pages, strategy pages, unit-linked products, etc.).
The information published on the website (performance, objectives, risks, fees) must be consistent with the content of the KID and must not create any contradictions. Finally, performance scenarios must never be presented as guarantees or promises of results.
4. AMF Regulations and Communication Requirements

What is it about?
Beyond European directives, financial market participants targeting a French audience must comply with the AMF’s regulatory doctrine on promotional communications. The Autorité des marchés financiers (AMF) governs how organizations may present their products and services, whether on their website, marketing materials, or social media channels.
Key regulatory texts include in particular:
- The AMF General Regulation, which requires that information be presented in a clear, accurate, and non-misleading manner.
- Specific guidelines and doctrines, such as:
- DOC-2011-24, which provides guidance on advertising communications and the marketing of collective investment schemes, and
- DOC-2023-05, which sets out the AMF’s expectations regarding promotional communications by crowdfunding service providers (CSPs).
In addition to AMF guidelines, certain product categories are subject to specific restrictions, such as highly speculative financial instruments covered by the Sapin II law, which the AMF is responsible for enforcing.
Who is concerned?
AMF regulations apply to most financial institutions offering products or services to the French public, including private banks, asset management companies, investment funds, investment services providers (ISPs), financial advisors (CGPs), crowdfunding service providers (CSPs), and others.
How to be compliant?
AMF website compliance is primarily driven by how information is written and presented. From an operational perspective, areas that require particular attention on websites include:
- product pages (funds, discretionary mandates, structured products, etc.),
- downloadable brochures and documentation,
- investment or performance simulators,
- acquisition and marketing campaigns (landing pages, promotional banners, etc.).
Content must comply with the following core principles:
- Clearly identify promotional content, ensuring it is presented without ambiguity.
- Present information in a clear and non-misleading manner: avoid ambiguous or prohibited wording such as “risk-free,” “guaranteed,” or “assured performance,” and always include essential elements such as risks, fees, and conditions.
- Give risks the same level of prominence as benefits, using clearly visible sections rather than relegating them to the bottom of the page.
- Ensure consistency between website content and regulatory documents (KID / DIC).
- Frame performance information appropriately, clearly stating that past performance is not indicative of future results.
5. Fintech, Payments & Security: PSD2

What is it about?
PSD2 (Revised Payment Services Directive) has governed online payment services and access to bank account data across the European Union since 2018. Its objective is to strengthen transaction security while encouraging fintech innovation, notably by allowing authorized third parties to access bank accounts. As a result, PSD2 has introduced high security standards for payment services.
Who is concerned?
PSD2 applies to all entities involved in processing payments or accessing financial data, including payment institutions, fintech companies, e-commerce platforms, and similar players.
How to be compliant?
PSD2 compliance largely depends on the role you play within the payment chain. In practice, two main scenarios are commonly observed:
- Using a PSD2-compliant payment service provider (PSP): Solutions such as Stripe, PayPal, Worldline, or any other SCA-compliant PSP handle strong customer authentication (SCA, i.e. two independent factors among knowledge, possession, and inherence), secure transactions, and maintain APIs compliant with the regulatory technical standards (RTS).
- Becoming a PSD2-regulated entity yourself: In this case, you must meet all PSD2 regulatory requirements, including licensing, security, authentication, and technical standards.
6. IT Resilience and Cybersecurity in Finance: DORA

What is it about?
DORA (Digital Operational Resilience Act) is a European regulation, applicable since 17 January 2025, aiming to ensure that financial entities are able to withstand and recover from a wide range of ICT-related incidents, such as cyberattacks, system failures, or operational disruptions.
Who is concerned?
DORA applies to all financial market participants, as well as to their critical third-party service providers delivering essential services, such as cloud hosting providers, API providers, and other ICT service vendors.
How to be compliant?
DORA compliance relies both on the security of the IT infrastructure and on robust risk management processes, including:
- A clear ICT risk management framework: risk mapping, prevention measures, business continuity and disaster recovery plans.
- Implementation of incident detection and response measures, including monitoring and alerting mechanisms, together with a process for reporting major ICT-related incidents to the competent authority.
- Regular cybersecurity testing, such as vulnerability assessments and penetration testing (pentests); entities designated by their authority must additionally run threat-led penetration testing (TLPT).
- Management of ICT third-party risk: contractual and monitoring requirements for the providers (hosting, cloud, APIs) on which the website and its services depend.
7. Insurance Product Distribution: IDD (Insurance Distribution Directive)

What is it about?
The IDD (Insurance Distribution Directive) regulates how insurance products are presented and distributed across Europe.
As with financial products, the objective is to ensure transparency and reliability of information, in order to protect consumers.
Who is concerned?
All entities involved in the distribution of insurance products are concerned, including insurers, brokers, banks, and financial advisors (CGPs) distributing products such as life insurance.
How to be compliant?
Once again, compliance primarily depends on how information is presented:
- Provide clear pre-contractual information, including coverage, exclusions, fees, and contract duration, generally available in the website’s terms and conditions.
- Make insurance-specific documents easily accessible, such as the IPID (Insurance Product Information Document).
- Ensure consistency between website content and contractual documentation.
8. Data Protection: GDPR & Cookies

What is it about?
Companies operating in the financial sector are not exempt from general data protection rules, and are therefore fully subject to the GDPR (General Data Protection Regulation), which governs how personal data is collected, processed, and used in Europe.
Who is concerned?
Any website that processes personal data of people located in the EU must comply. In the financial sector, the stakes are even higher, as sensitive personal and financial data is often collected.
How to be compliant?
To comply with the GDPR, your website must:
- Inform users through a clear privacy policy explaining how their data is processed.
- Collect only data that is strictly necessary for the stated purpose.
- Manage user consent, particularly for non-essential cookies: no tracker may be loaded before an explicit opt-in, refusing must be as easy as accepting, and consent must be withdrawable (in France these cookie rules are enforced by the CNIL).
- Ensure data security, including appropriate technical and organizational measures.
- Enable users to exercise their rights, including access, rectification, erasure, and data portability.
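As an added example (not code from the original article), consent-gated loading of non-essential scripts in JavaScript, together with the consent cookie itself. The categories, the script catalogue, the policy version, the six-month validity and the cookie name are assumptions made for this example; the catalogue entries and the cookie header used at the end are constructed sample data.

```javascript
// Added example: consent-gated loading of non-essential scripts, plus the consent
// cookie itself. Decision logic only, so it runs in Node; injectAllowed() is the browser hook.
// Assumptions for this example: the categories, the script catalogue, the 6-month validity
// and the cookie name.

const POLICY_VERSION = 3;                  // bump when the cookie policy changes
const CONSENT_MAX_AGE_S = 180 * 24 * 3600; // re-ask after ~6 months (assumed policy)
const OPTIONAL_CATEGORIES = ["analytics", "marketing"]; // "essential" never needs consent

const SCRIPT_CATALOGUE = [ // constructed sample catalogue
  { id: "session",   category: "essential", src: "/js/session.js" },
  { id: "analytics", category: "analytics", src: "https://analytics.example/tag.js" },
  { id: "ads",       category: "marketing", src: "https://ads.example/pixel.js" },
];

// Build a record from the banner's choices. Anything not explicitly true is off:
// no pre-ticked boxes, and "accept all" must be an explicit action by the user.
function buildConsent(choices, now = Date.now()) {
  const normalised = Object.fromEntries(
    OPTIONAL_CATEGORIES.map((cat) => [cat, choices[cat] === true])
  );
  return { version: POLICY_VERSION, givenAt: now, choices: normalised };
}

// Withdrawal is itself a recorded choice (everything optional off), not an absence of consent.
function withdrawConsent(now = Date.now()) {
  return buildConsent({}, now);
}

// A stored record is only honoured if it matches the current policy version,
// is well-formed and is not older than the validity period.
function isValidConsent(c, now) {
  if (!c || typeof c !== "object" || c.version !== POLICY_VERSION) return false;
  if (!Number.isFinite(c.givenAt)) return false;
  const age = now - c.givenAt;
  if (age < 0 || age >= CONSENT_MAX_AGE_S * 1000) return false;
  if (!c.choices || typeof c.choices !== "object") return false;
  return OPTIONAL_CATEGORIES.every((cat) => typeof c.choices[cat] === "boolean");
}

function needsPrompt(consent, now = Date.now()) {
  return !isValidConsent(consent, now);
}

// Which catalogue entries may be loaded right now: essential always, optional only with consent.
function allowedScripts(consent, catalogue = SCRIPT_CATALOGUE, now = Date.now()) {
  const valid = isValidConsent(consent, now);
  return catalogue
    .filter((s) => s.category === "essential" || (valid && consent.choices[s.category] === true))
    .map((s) => s.id);
}

// Serialise the record as a first-party cookie with hardened attributes. It is read by the
// banner script, so it cannot be HttpOnly; Secure and SameSite=Lax still apply.
function consentCookie(consent) {
  const value = encodeURIComponent(JSON.stringify(consent));
  return `cookie_consent=${value}; Max-Age=${CONSENT_MAX_AGE_S}; Path=/; Secure; SameSite=Lax`;
}

function parseConsentCookie(cookieHeader) {
  const m = /(?:^|;\s*)cookie_consent=([^;]*)/.exec(cookieHeader || "");
  if (!m) return null;
  try { return JSON.parse(decodeURIComponent(m[1])); } catch { return null; }
}

// Browser hook: inject only what allowedScripts() permits (not exercised in Node).
function injectAllowed(doc, consent) {
  for (const id of allowedScripts(consent)) {
    const entry = SCRIPT_CATALOGUE.find((s) => s.id === id);
    const el = doc.createElement("script");
    el.src = entry.src;
    el.async = true;
    doc.head.appendChild(el);
  }
}

// Constructed walk-through.
console.log(allowedScripts(null));                               // [ 'session' ]
const given = buildConsent({ analytics: true });
console.log(allowedScripts(given));                              // [ 'session', 'analytics' ]
console.log(parseConsentCookie("theme=dark; " + consentCookie(given).split(";")[0]).choices);
console.log(allowedScripts(withdrawConsent()));                  // [ 'session' ]
```

Max-Age aligns the cookie's lifetime with the record's validity, so the banner returns when the record expires; Secure is only honoured over HTTPS, and the absence of a valid record always resolves to "essential only", never to a default opt-in.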