Fintech 2025

LITHUANIA Law and Practice Contributed by: Donatas Šliora and Marius Matiukas, ADON legal

2.11 Implications of Additional, Non-Financial Services Regulations

Fintech companies in Lithuania must carefully consider the impact of several key non-financial regulations, particularly those focused on data protection and cybersecurity.

Personal Data

The GDPR is central to Lithuania’s data protection framework. Fintechs handling significant amounts of personal and financial data must adhere to its strict obligations regarding data collection, processing, storage and breach notification. These obligations mirror those of legacy financial institutions, with an emphasis on user consent and transparency.

Operational Resilience

DORA is an EU-level regulation with a significant impact. It introduces formalised requirements around ICT risk management, incident reporting and testing. The guidance from the Bank of Lithuania mainly aligns with DORA’s principles, but fintechs should anticipate a need to further enhance their processes.

Network and Information Security

Lithuania has implemented NIS2, establishing cybersecurity standards for critical sectors, including finance. Fintechs should carefully assess whether they fall under the scope of NIS2, necessitating compliance with its incident response, security and reporting requirements.

2.12 Review of Industry Participants by Parties Other than Regulators

External auditors play a crucial role, as mandated by law for most financial institutions. Auditors assess financial statements, internal controls and regulatory compliance.

Accounting firms offer a broader range of services, including tax compliance, bookkeeping and financial advisory, helping fintechs navigate the regulatory landscape. Technology vendors providing critical software solutions may impose their own due diligence and security requirements that fintechs must satisfy. Additionally, potential investors and business partners often closely scrutinise fintech operations, focusing on financial controls, risk management and regulatory compliance.

While specific audits, tax compliance and certain vendor contract terms may be legally mandated, industry standards are equally important for fintechs. Certifications, while not strictly required in the majority of cases, demonstrate best practices and can benefit a fintech’s reputation.

2.13 Conjunction of Unregulated and Regulated Products and Services

Lithuanian fintechs may offer a mix of regulated and unregulated products or services. Generally, offerings deemed directly connected to the core regulated activities can be included within the same legal entity, simplifying operations for ancillary features or closely related innovations. For offerings with potential for increased financial or operational risk that could adversely affect the regulated business, the Bank of Lithuania may require the regulated fintech to establish a separate legal entity. This aims to protect the core regulated activities and ensure effective regulatory oversight.

Additional requirements may apply depending on the specific type of financial institution. For example, banks, beyond providing financial services, can only engage in activities essential for enabling financial services or those directly related to their core function. This ensures that banks maintain their focus and limit activities
