FinancialRegulations.eu
Cross-Regulation
Guide

AMLA Level 2 Package: 23 RTS, ITS and Guidelines Due July 10, 2026

·14 min read
FR

FinancialRegulations.EU Team

Regulatory Intelligence

AMLA
AMLR
RTS
ITS
CDD
AML
compliance

The EU's Anti-Money Laundering Authority (AMLA) has a statutory deadline of 10 July 2026 to submit 23 Level 2 and Level 3 measures to the European Commission. These regulatory technical standards (RTS), implementing technical standards (ITS), and guidelines will define the practical substance of the AML/CFT obligations that apply to every bank, payment firm, CASP, and financial institution in the EU from 10 July 2027.

July 10, 2026 is not when the rules apply — it is when AMLA's standard-setting work must be complete. For compliance teams, this creates an 18-month window between the standards being finalised and them becoming binding obligations. That window is for implementation planning, not for waiting.

For background on the full EU AML Package (AMLA, AMLR, AMLD6) and what it means for your institution, see the comprehensive overview. This article focuses specifically on the Level 2/3 standards package due July 10, 2026.

What "Level 2" Means in the AML Context

EU financial regulation uses a layered legislative architecture:

  • Level 1 (Primary legislation): The AMLR (Regulation (EU) 2024/1624) and AMLD6 (Directive (EU) 2024/1640) — enacted by the European Parliament and Council. Sets the framework obligations.
  • Level 2 (Delegated and implementing acts): Regulatory technical standards (RTS), implementing technical standards (ITS), and delegated regulations adopted by the European Commission, typically on the basis of AMLA's draft standards. These fill in the detail of Level 1 obligations.
  • Level 3 (Guidelines and Q&As): Guidance issued by AMLA on application and interpretation. Not legally binding, but non-compliance must be explained to NCAs.

The AMLR mandates AMLA to develop 23 separate Level 2 and Level 3 measures. Most carry a statutory deadline of 10 July 2026 — exactly one year before the AMLR's full application date. The one-year gap is designed to give obliged entities time to build systems and update processes before the rules bite.

The 23 Standards: What AMLA Must Deliver by July 10, 2026

The 23 measures span five thematic clusters:

Cluster 1: Customer Due Diligence (CDD) — Article 28 AMLR

The most consequential standards for day-to-day compliance work. Under Article 28(1) AMLR, AMLA must submit draft RTS to the Commission covering:

  1. Standard, simplified and enhanced due diligence requirements — the minimum information to be collected when performing CDD across all categories of obliged entities (Article 28(1)(a))
  2. Simplified due diligence measures by sector and product — the specific SDD measures that apply in lower-risk situations, tailored by entity type and product category (Article 28(1)(b))
  3. E-money instrument risk factors — criteria for supervisors assessing the extent of exemptions for low-value electronic money instruments (Article 28(1)(c))
  4. Reliable verification sources — the independent sources of information that can be used to verify natural persons' and legal entities' identification data (Article 28(1)(d))
  5. Electronic identification attributes — the attributes that electronic ID means and qualified trust services must have to satisfy standard, simplified and enhanced CDD requirements (Article 28(1)(e))

Why this matters for your institution: The CDD RTS will establish the minimum information requirements across the EU. Institutions that today apply national CDD frameworks — which vary significantly across member states — will need to align with the harmonised AMLA standard. The "minimum information" approach means AMLA sets the floor; national competent authorities or AMLA may add requirements for specific risk categories.

The criteria that must underpin the CDD RTS are set out in Article 28(2) AMLR: inherent risk of the service, risks associated with customer categories, nature and amount of transactions, and business channels. The RTS must be reviewed regularly as technology evolves (Article 28(3)).

AMLA consultation: AMLA published a consultation paper on the CDD RTS. The consultation deadline for CDD and transaction-related standards is 8 May 2026. Compliance teams should submit responses to influence the calibration of enhanced due diligence thresholds, acceptable verification sources, and sector-specific SDD categories.

Cluster 2: Suspicious Transaction Reporting (STR) Standards

AMLA must develop RTS and ITS on the format, reporting channels, and minimum content of suspicious transaction reports. The EU has historically had significant divergence in STR practices across member states — some NCAs require paper forms, others use digital portals; the information fields differ; the timelines differ. The AMLA standards will introduce:

  • A harmonised EU STR template with mandatory data fields
  • Secure reporting channels connecting obliged entities to national FIUs
  • The interface between national FIUs and AMLA's joint analysis mechanism
  • Minimum timelines for reporting of suspicious transactions and suspicious activity

Why this matters: Institutions operating cross-border must currently maintain 27 different STR processes. The harmonised format will enable a single reporting infrastructure — but will require significant systems investment for any institution relying on manual or NCA-specific reporting processes.

Cluster 3: Risk Factors and Sectoral Guidelines

AMLA must publish guidelines on AML/CFT risk factors for specific obliged entity sectors. These replace and supersede the existing joint guidelines published by the European Supervisory Authorities (EBA, EIOPA, ESMA) under the Fourth and Fifth AML Directives. Sector-specific guidelines are expected for:

  • Credit institutions and banking
  • Payment institutions and electronic money institutions
  • Crypto-asset service providers (CASPs) under the Transfer of Funds Regulation
  • Life insurance and pension providers
  • Investment managers and fund administrators
  • Real estate professionals (newly in scope under AMLR)
  • Auditors, accountants, and tax advisers

For each sector, the guidelines will specify risk indicators, high-risk factors requiring enhanced due diligence, and permitted simplified measures for lower-risk categories.

CASPs specifically: The AMLR extends full CDD and STR obligations to all CASPs across all crypto services. AMLA's sector guidelines for CASPs will interact with MiCAR supervisory expectations. CASPs that hold MiCAR authorisation must ensure their CDD framework satisfies both the MiCAR conduct requirements and the AMLR/AMLA AML standards.

Cluster 4: AMLA Direct Supervision Standards

AMLA's power to directly supervise up to 40 obliged entities requires Level 2 measures on:

  • Selection criteria for which entities fall under AMLA direct supervision (risk-based, cross-border, volume thresholds)
  • Supervisory fees to be charged to directly supervised entities
  • Supervisory methodology for AMLA inspections
  • Supervisory cooperation between AMLA and national competent authorities for non-directly-supervised entities

Institutions with significant cross-border operations and high ML/TF risk profiles should model whether they may fall within AMLA's direct supervision perimeter once the selection criteria RTS is finalised.

Cluster 5: Sanctions and Enforcement

AMLA published a consultation on sanctions RTS (consultation deadline: 9 March 2026). The standards cover:

  • The methodology for applying pecuniary sanctions for AMLR violations
  • Criteria for assessing severity, aggravating and mitigating factors
  • Publication requirements for sanctions decisions
  • Administrative measures (business restrictions, management bans)

Maximum sanctions under AMLR: For the most serious violations, the AMLR allows sanctions of up to €10 million or 10% of total annual group turnover, whichever is higher. The AMLA RTS will define the framework for applying these sanctions consistently across the EU.

Timeline: From July 2026 Standards to July 2027 Application

DateEvent
10 July 2026AMLA statutory deadline to submit draft RTS/ITS to Commission
Jul–Sep 2026Commission review period; possible consultation with AMLA on adjustments
Oct–Dec 2026Commission adoption of delegated regulations based on AMLA drafts
Dec 2026 – Mar 2027European Parliament and Council scrutiny period (3 months per Level 2 act)
Jan–Jun 2027Publication in the Official Journal; 20-day entry into force
10 July 2027AMLR and AMLD6 fully applicable — all obligations binding on obliged entities

This timeline is compressed. Institutions that wait for final published standards before beginning implementation planning will face a 6–9 month sprint to July 2027. The playbook is to start with the AMLA consultation drafts — which represent the most accurate preview of the final standards — and build compliance frameworks on those, accepting that final calibration adjustments may require updates.

What Compliance Teams Must Do Before July 10, 2026

1. Respond to Open AMLA Consultations

AMLA's consultations close before July 10, 2026. Two key deadlines remain:

  • 8 May 2026: CDD measures and transaction criteria (Article 28 RTS consultation)
  • Sanctions standards (March 9, 2026 — deadline likely passed)

Submit responses to consultations relevant to your business. Calibration of enhanced due diligence thresholds, permitted simplified measures, and CDD verification sources will directly affect your systems and processes. Industry associations (Banking Federation, ISDA, Crypto Council) are coordinating responses — join if you haven't.

2. Map Current CDD Practices Against AMLR Article 28 Requirements

The AMLR CDD framework (Articles 19–34) represents the new minimum standard. Map your current practices:

AMLR RequirementYour Current StandardGap
Standard CDD minimum information
Enhanced CDD trigger criteria
Simplified CDD categories
Beneficial ownership threshold (25%)
UBO verification method
Ongoing monitoring frequency
PEP identification process

Gaps identified now give 12+ months to address before July 2027.

3. Assess Cross-Border Reporting Fragmentation

For institutions operating in multiple member states: catalogue your current STR reporting processes per jurisdiction. When AMLA's STR format RTS is finalised, you will need a single or harmonised process across all jurisdictions. Assess whether your current systems can generate AMLA-format reports or whether vendor/platform changes are required.

4. Flag the AMLA Direct Supervision Question

If your institution has significant cross-border AML/CFT risk exposure, assess whether the AMLA selection criteria (when finalised) could bring you within direct AMLA supervision. Direct supervision means:

  • AMLA (not national NCA) as your lead AML supervisor
  • Supervisory fees payable to AMLA
  • AMLA inspection rights alongside or instead of NCA inspections
  • Escalation of enforcement to AMLA for serious violations

5. Update Your AML Risk Assessment Framework

Your institutional ML/TF risk assessment will need to be re-anchored to the AMLR framework by July 2027. The AMLR's risk-factor approach (Articles 20–25), the EU Supranational Risk Assessment, and AMLA's sector guidelines will all inform how your risk assessment must be structured. Starting the redesign in 2026 — when consultation drafts are available — is materially easier than a Q2 2027 sprint.

Assess your AMLR readiness

Try free analysis

Key Differences From the Current AML Framework

Compliance teams accustomed to the Fourth AML Directive (AMLD4) and Fifth AML Directive (AMLD5) framework should note the most significant structural changes in the AMLR/AMLA package:

IssueCurrent Framework (AMLD4/5)AMLR + AMLA Package
Legal formDirective (requires national transposition)Regulation (directly applicable)
Beneficial ownership threshold25% (with exceptions)25% harmonised across EU
CDD requirementsMinimum harmonisation; national variationMaximum harmonisation via AMLA RTS
STR format27 national formatsSingle EU AMLA format
SupervisorNational NCAAMLA (for top-40) or national NCA under AMLA coordination
AML supervisory guidelinesEBA/EIOPA/ESMA joint guidelines (non-binding)AMLA guidelines (comply-or-explain)
SanctionsNational calibrationAMLA RTS framework; up to €10M or 10% turnover

Related Content

Need to check your AMLA compliance?

Try free analysis →
FR

FinancialRegulations.EU Team

Regulatory Intelligence

Expert analysis of EU financial regulation — covering MiCAR, DORA, AIFMD, SFDR, and 15+ regulatory frameworks across 7 jurisdictions.

Query AMLA obligations instantly

AI-powered analysis of EU financial regulations. No credit card required.

Start Free →

Get EU regulatory insights in your inbox

Weekly updates on MiCAR, DORA, SFDR and more. Unsubscribe anytime.

Related Resources

Key Terms

AMLAAI ActAI Act Risk Classification

Jurisdictions

EUEuropean UnionNLNetherlandsDEGermanyLULuxembourgFRFranceBEBelgiumGBUnited Kingdom

Related Articles

EU AML Package Explained: AMLA, AMLR, and AMLD6 — What Financial Institutions Must Do in 2026 and 2027

The EU AML package (AMLR + AMLD6 + AMLA) replaces five previous directives with a single directly-applicable rulebook. AMLA is operational since July 2025 with 23 technical standards due by July 2026. AMLR applies from July 2027. This guide covers expanded scope (CASPs, crowdfunding), the 25%-or-more UBO threshold change, enhanced CDD requirements, and a compliance checklist for 2026–2027.

EU Financial Regulation Compliance Calendar 2026: Every Deadline Your Team Must Know

Complete EU financial regulation compliance calendar for 2026. AIFMD II (16 April), MiCAR CASP authorisation (1 July), AML Package (10 July), AI Act high-risk (2 August), ESG Ratings Regulation (2 July), and more.

AIFMD II Deadline Passed: What Fund Managers in France, Belgium, Italy and Spain Must Do Now

The April 16, 2026 AIFMD II transposition deadline has passed. France, Belgium, Italy and Spain have not fully transposed. This guide explains the legal consequences for fund managers in non-transposing states — and the practical steps to take immediately.