FINGREED | EU Financial Regulation Analysis
Source document: WK 12764/2023 REV 1 LIMITE | Circulated: 8 November 2023 | Declassified: 26 August 2025
The EU Document Kept Secret for Nearly Two Years
That Defines the Rights of Cross-Border
Financial Operators Across the European Union
WHAT THIS ARTICLE COVERS
For nearly two years, a key Council of the European Union document remained classified and inaccessible to the public. It contained answers to questions that directly affect tens of thousands of financial institutions across the EU: when a cross-border operator is subject to host country law and when it is not, who has the right to supervise it, and to which authority suspicious transactions must be reported. The document was declassified only in August 2025. In the meantime, some national authorities acted as if the answers were already settled — to the detriment of European operators.
1. A Key Document, Kept Classified for Nearly Two Years
On 8 November 2023, the General Secretariat of the Council of the European Union circulated an internal working document to all national delegations: WK 12764/2023 REV 1. The recipients were the Financial Services Attachés and members of the Working Party on Financial Services and the Banking Union (AML) — the officials who negotiate, behind closed doors, the rules that will govern the European financial market for decades.
Five days later, on 13 November 2023, these delegations met in Brussels to debate the document. The discussions focused on one of the most contested issues in the AML/CFT legislative package then under negotiation: the rules applicable to financial institutions operating across multiple EU Member States — and, more precisely, where a state’s right to intervene ends and where an operator’s freedom to provide services without local restrictions begins.
The document carried the LIMITE marking — the Council’s internal classification that restricts a document’s circulation to a specific community of recipients and prohibits public dissemination. For nearly two years, its contents remained inaccessible to financial operators, lawyers, academics, and the general public.
DECLASSIFIED ON 26 AUGUST 2025
WK 12764/2023 REV 1 became public only on 26 August 2025, following a request for access to documents submitted under Regulation (EC) No 1049/2001 on public access to European institutional documents. Between November 2023 and August 2025, its contents were known to national authorities — which had participated in the 13 November 2023 meeting or received the document through the Council’s IT system — but not to the economic operators whose rights and obligations it defined.
This information asymmetry has real and measurable consequences. In the spring and summer of 2025, several national authorities across the EU issued documents restricting the right of European non-bank financial institutions to provide services on their national territory. The arguments invoked were based on an interpretation of the EU legal framework that was in direct contradiction with the position expressed by the Commission services in the document under analysis — a document that the affected operators had no means of knowing at that time, as it was classified.
2. What WK 12764/2023 REV 1 Is and Why It Matters to Every Financial Operator in the EU
The document is a non-paper — an informal document of the Commission services, drawn up not to impose a position but to structure the technical discussion between national delegations. It carries an explicit disclaimer: it has not been adopted or endorsed by the European Commission and does not represent an official position of the institution.
Nevertheless, non-papers of this kind play an essential role in the European legislative process: they define the terms of debate, propose concrete solutions and, through their influence on negotiations, directly shape the final legislative texts. WK 12764/2023 REV 1 contributed to the drafting of articles that appear in the Anti-Money Laundering Regulation (AMLR) and the Sixth Anti-Money Laundering Directive (AMLD6) — instruments with direct applicability or transposition in all 27 Member States.
Its central subject is universally relevant to any financial operator active in more than one EU Member State: the distinction between the freedom of establishment and the freedom to provide services in the context of AML/CFT regulation, and the practical consequences of this distinction for cross-border supervision.
3. Freedom of Establishment vs. Freedom to Provide Services: The Distinction Worth Millions
The Treaty on the Functioning of the European Union guarantees economic operators from Member States two distinct freedoms to operate in other Member States: the freedom of establishment (Article 49 TFEU) and the freedom to provide services (Article 56 TFEU). The difference between them is not merely technical — it directly determines how extensively a host state may intervene in the activities of a foreign operator.
Freedom of establishment: permanent presence, local rules
When a financial operator opens a subsidiary, a branch or a permanent office in a host Member State — with locally employed staff and activities conducted on a stable and continuous basis — it exercises the freedom of establishment. In this case, the host state has both the right and the obligation to supervise it and to require compliance with local AML/CFT rules.
The case law of the Court of Justice of the EU, starting with the judgment in Case C-55/94 Gebhard (1995), established the defining criteria of establishment: stable and continuous participation in the economic life of the host Member State, through a fixed infrastructure, for an indefinite period. The legal form is not decisive. A single permanent representative constitutes a stable presence where that representative acts with a sufficient degree of stability and has the necessary equipment for the provision of the specific services concerned — in accordance with the Court’s judgment in Case C-230/14 Weltimmo.
PRACTICAL EXAMPLE
A financial institution headquartered in Estonia that opens a permanent office in Warsaw, employs local staff and continuously carries out lending activities through that office operates under the freedom of ESTABLISHMENT in Poland. Polish AML/CFT supervisory authorities have full competence over the activities of that office. Suspicious transactions are reported to the Polish FIU.
Freedom to provide services: at a distance, without host-state intervention
When the same Estonian operator provides financial services to clients in another Member State exclusively through electronic means — without locally employed staff and without a physical office there — it exercises the freedom to provide services. Its activities are subject primarily to the law of Estonia, its home state, and not to the law of the host Member State.
WK 12764/2023 REV 1 emphasises an aspect that is essential in practice: the mere existence of a minimal physical presence — equipment, a contact point, a local address — does not automatically convert an activity into establishment, provided that the infrastructure in question is necessary for the provision of the service and does not represent a stable and continuous presence in the legal sense of the term.
The legal consequence is direct: the host Member State cannot impose on a cross-border service provider obligations equivalent to those imposed on entities with a fixed establishment on its territory. The Court of Justice held explicitly in Case C-76/90 Saeger that the host state cannot make the cross-border provision of services conditional on compliance with all domestic requirements — this would amount to a duplication of control, prohibited under the TFEU.
PRACTICAL EXAMPLE
The same Estonian financial institution that issues guarantee letters to clients in another Member State exclusively through electronic means, with no staff employed in that state, operates under the freedom to PROVIDE SERVICES. Under the current legal framework, the authorities of the host Member State do not have direct AML/CFT supervisory competence over this activity. Requiring prior registration with a national authority as a condition for market access constitutes a restriction incompatible with Article 56 TFEU.
Why the boundary between the two freedoms is so important — and so contested
WK 12764/2023 REV 1 acknowledges explicitly that the dividing line between the two freedoms cannot be drawn through a universal formula. The Court of Justice held that the Treaty does not permit determining, in the abstract, the duration or frequency beyond which the provision of a service in another Member State can no longer be regarded as a cross-border provision of services. Each case must be assessed on the basis of its specific circumstances.
This case-by-case nature creates room for national authorities to manoeuvre. Some use it constructively, through cooperation with the authorities of the operator’s home state. Others exploit it as an instrument of administrative protectionism, imposing formal requirements without legal basis to block European operators’ access to their national market. The difference between these two approaches is precisely what the November 2023 document sought to eliminate through legislative clarity.
4. CJEU Case Law: What the Court of Justice Says About National Restrictions
The Court of Justice of the European Union has issued judgments that establish with binding force the limits within which a Member State is entitled to intervene in the activity of a financial operator providing cross-border services. These judgments are binding on all courts and authorities in the Member States and cannot be overridden by national administrative acts.
C-76/90 Saeger: Prohibition of duplicating control
In Manfred Saeger v. Dennemeyer & Co. Ltd. (C-76/90, 1991), the Court held that the host state cannot make the cross-border provision of services conditional on compliance with all requirements imposed on providers established on its territory. Such a requirement would amount to a duplication of control — the operator is already authorised and supervised in its home state for the activity in question. Imposing additional control in the host state negates the substance of the European single passport and is incompatible with Article 56 TFEU.
A financial operator authorised and supervised by the competent authority of its home state cannot be required to obtain an equivalent authorisation or to register in a national register of the host state as a condition for providing cross-border services.
C-384/93 Alpine Investments: The service is provided where the supplier is established
In Alpine Investments BV v. Minister van Financien (C-384/93, 1995), the Court clarified a principle essential for digital and cross-border financial operators: the provision of a service takes place in the Member State in which the supplier is established, even if the benefit of the service is realised in another Member State.
This judgment has direct consequences for any financial institution providing services at a distance: its activity is legally located in its home state, not in the state of the beneficiary. Accordingly, the state in which the beneficiary is located cannot make the benefit of that service conditional on a local authorisation of the provider. To do so means restricting an activity that, legally, does not take place on its territory.
C-452/04 Fidium Finanz AG: Additional national authorisation is contrary to the TFEU
In Fidium Finanz AG v. Bundesanstalt fur Finanzdienstleistungsaufsicht (C-452/04, 2006), the Court held explicitly that imposing an additional national authorisation on a provider lawfully established in another Member State is contrary to Article 56 TFEU.
An operator that holds the necessary authorisation in its home state cannot be required to obtain a separate authorisation in each Member State in which it wishes to provide services. Such a requirement would transform the internal market into an aggregate of isolated national markets, contrary to the fundamental objective of the Treaty.
C-186/87 Cowan: Protection of beneficiaries and the freedom to receive services
In Ian William Cowan v. Tresor public (C-186/87, 1989), the Court extended the protection conferred by the freedom to provide services to beneficiaries as well as to providers. The freedom guaranteed by the TFEU includes both the right to provide services cross-border and the right to benefit from services lawfully provided in another Member State, without being subject to discriminatory treatment or unjustified administrative barriers.
A national authority that blocks a European provider’s access to its market simultaneously restricts the freedom of its own citizens and companies to contract financial services at the best price and on the best terms available on the European internal market.
Directive 2006/123/EC (Services Directive): Prohibition of requirements imposed on beneficiaries
Articles 16 and 19 of Directive 2006/123/EC on services in the internal market prohibit Member States from imposing on beneficiaries requirements that restrict the use of a service provided from another Member State.
A Member State cannot adopt administrative measures — whether normative in character or in the form of notifications, circulars or recommendations — that discourage or prevent local beneficiaries from using services lawfully provided by operators established in other Member States. Any such measure, regardless of its legal form, constitutes a restriction prohibited both by the Services Directive and by the TFEU.
120/78 Cassis de Dijon and the Principle of Mutual Recognition: A Service Lawful in One Member State Is Lawful Throughout the EU
Case 120/78 Rewe-Zentral AG v. Bundesmonopolverwaltung fur Branntwein — known as Cassis de Dijon (1979) — established one of the founding principles of the internal market: a product or service lawful in one Member State must be accepted in other Member States without additional authorisation. In financial matters, the home state control principle — derived from Cassis de Dijon and explicitly enshrined in EU sectoral legislation — establishes that supervision of a financial operator belongs exclusively to the authority that granted its authorisation. The state in which the beneficiary of the service is located has no competence to re-evaluate, duplicate or disregard the licence issued by the home authority.
C-55/94 Gebhard: The Burden of Proof Lies With the Restricting State
In Gebhard (C-55/94, 1995), the Court clarified the conditions under which a national restrictive measure may nonetheless be compatible with EU law: it must be justified by an overriding reason of public interest, be non-discriminatory, necessary to achieve the objective pursued, and proportionate — meaning it must not go beyond what is necessary to achieve that objective.
A Member State that seeks to make the market access of a European operator conditional on local registration or authorisation must demonstrate that this requirement is justified, necessary and proportionate. This burden of proof belongs exclusively to the restricting state. In the absence of such demonstration, the measure is incompatible with Article 56 TFEU.
JURISPRUDENTIAL SYNTHESIS
CJEU case law builds a coherent framework protecting the freedom to provide cross-border services: (1) the operator is authorised once, in its home state — Saeger; (2) the service is provided where the supplier is established, not where the beneficiary is — Alpine Investments; (3) no additional national authorisation may be imposed — Fidium Finanz; (4) beneficiaries also have the right to freely access services from other Member States — Cowan; (5) no national requirement may restrict the use of cross-border services — Directive 2006/123/EC. Any national measure that conditions a European operator’s market access on local registration or authorisation is incompatible with EU law, unless the restricting state demonstrates justification by an overriding public interest, necessity and proportionality — a burden that belongs exclusively to that state, pursuant to C-55/94 Gebhard.
The requirement to establish a local branch applies exclusively to undertakings from third countries — confirmed by the CRD VI legislative package. Financial institutions authorised in EU Member States operate under an entirely different regime, governed by Article 56 TFEU and the single passport principle.
When National Authorities Exceed Their Powers: Administrative Practice versus EU Law
The case law described above has direct applicability in concrete situations documented in multiple Member States: a national authority issues a notification, circular or letter stating that financial operators from other Member States cannot provide services on its territory without local registration or national authorisation. The document may lack formal normative value — it may not have been published in the official journal and may not take the form of a normative act. A document not published in the official journal and lacking the form of a normative act does not produce binding legal effects under the principle of legality. Nevertheless, its practical effect is immediate: contracting authorities, banks or other market participants begin rejecting financial instruments issued by those operators.
This practice raises two distinct and equally serious legal problems:
- With respect to EU law: the measure constitutes a restriction on the freedom to provide services, prohibited by Article 56 TFEU and the case law of Saeger, Alpine Investments and Fidium Finanz, regardless of its administrative form. The Court of Justice has consistently held that the legal form of a national act is irrelevant to its classification as a restriction — what matters is its effect on the freedom guaranteed by the Treaty.
- With respect to national law: in states where the law requires publication in the official journal as a condition of enforceability of normative acts, an unpublished notification or circular cannot produce binding legal effects. Treating such a document as a source of rights or obligations constitutes a violation of the principle of legality and the hierarchy of legal norms.
Operators affected by such practices have concrete legal remedies: administrative challenge, action before national administrative courts, complaint to the European Commission under the SOLVIT procedure or the infringement procedure, and — as a last resort — action for state liability for breach of EU law, under the Francovich doctrine (C-6/90).
5. European Consensus: What Supervisory Authorities in Five Member States Confirm
Beyond CJEU case law and the European normative framework, the most compelling argument against national restrictions on cross-border financial services comes from the documented practice of European supervisory authorities. A financial operator authorised in an EU Member State requested official written opinions from the competent authorities of five different Member States, asking a simple and direct question: is it necessary to obtain a local licence or authorisation to provide financial services cross-border on your territory?
The answers received are unanimous and remove all ambiguity:
OFFICIAL CONFIRMATIONS FROM EU SUPERVISORY AUTHORITIES
Denmark — Finanstilsynet (14 May 2025): “No licence is required for the provision of services on a cross-border basis.”
Latvia — Latvijas Banka: “Not considered licensed activities when provided to legal persons.”
Luxembourg — CSSF: “No licence required — limited to individually selected legal entities.”
Lithuania — Lietuvos bankas: “No operating licence is required.”
Bulgaria — Bulgarian National Bank (16 April 2025): “Does not contravene the provisions of Article 56 TFEU.”
The five confirmations come from financial supervisory authorities in Member States with different legal systems, administrative traditions and levels of financial development — Denmark, Latvia, Luxembourg, Lithuania and Bulgaria. Their unanimity reflects the coherent application of the same European legal framework, the same CJEU principles and the same home state control principle that governs the internal market for financial services.
This unanimity documents the isolated and contrary-to-European-practice nature of those national authorities that impose additional registration or authorisation requirements on European financial operators providing cross-border services. This is not a debatable interpretation of an ambiguous legal framework — it is a documented deviation from the consensus of European supervisory authorities.
LEGAL SIGNIFICANCE OF THESE CONFIRMATIONS
The written confirmation by a national supervisory authority that an activity does not require a local licence has full legal value in administrative and judicial proceedings. It is enforceable before national courts, in administrative litigation proceedings, and in complaints addressed to the European Commission. The unanimity of responses from five different Member States documents the consistent administrative practice at EU level and constitutes a reference element in the Commission’s assessment in infringement proceedings against any state that adopts a position contrary to this consensus.
6. The Gap No One Wanted to Acknowledge: AMLD Is Silent on the Freedom to Provide Services
One of the most significant acknowledgements in WK 12764/2023 REV 1 is formulated with institutional discretion but carries extraordinary consequences: the current Anti-Money Laundering Directive (AMLD, 2015/849) is silent on the rules applicable to entities operating in another Member State under the freedom to provide services.
In practice, this gap means that a financial operator providing cross-border services without local infrastructure is subject primarily to the law of its home state — not to the law of the host Member State. The host Member State has no clear legal instrument under the current Directive to impose its AML/CFT rules on this operator.
The response of some national authorities to this gap was, rather than awaiting the EU legislative clarification under way, to fill it unilaterally with national restrictions — invoking legal norms that did not cover the situation in question, or issuing administrative documents without normative value and treating them as law.
WHAT THIS MEANS FOR EU OPERATORS
If you operate cross-border under the freedom to provide services — without local offices, without staff employed in the host Member State — Article 56 TFEU prohibits additional national requirements. Where a national authority nonetheless imposes them, the operator has the legal remedies described in Section 4 to challenge them.
7. What the Commission Proposed in November 2023: Legislative Clarity for Cross-Border Operators
WK 12764/2023 REV 1 did not merely describe problems — it proposed concrete legislative solutions in the form of amendments to the AML/CFT package. These proposals are relevant to any financial operator active in more than one Member State, regardless of country of origin or destination.
Proposal 1: A clear legal definition of “establishment”
For the first time, the new AML Regulation (AMLR) would contain an explicit legal definition of “establishment” — calibrated on CJEU case law and adapted to the realities of the digital economy. The proposed definition clarifies two essential aspects:
- What does NOT constitute establishment: a mere letterbox does not constitute establishment; offices or equipment used exclusively for support activities (back-office, IT, data centres) do not constitute establishment.
- What CAN constitute establishment even without classic form: a single permanent authorised representative constitutes establishment where acting with sufficient stability; the provision of crypto-asset services through ATMs constitutes establishment.
Proposal 2: Notification to the home state, not authorisation by the host state
The document proposes introducing a notification obligation for operators wishing to carry out activities in another Member State for the first time. The recipient of the notification is the supervisor of the HOME state, not the HOST state. The mechanism is: the operator notifies its home authority, which in turn informs the host authority. The host state receives the information — it does not grant or refuse an authorisation. This distinction is fundamental and shows that the new legislative proposal does not intend to convert the freedom to provide services into a system of multiple national authorisations.
Proposal 3: Supervision of local infrastructure — but only for specific categories
Proposed Article 29a of AMLD6 extends the competence of host-state authorities to supervise the activities of certain operators who, while lacking a fixed establishment, operate through local agents, distributors or other forms of infrastructure. The categories covered are limited: electronic money issuers, payment service providers and crypto-asset service providers.
This proposal confirms, by inversion, the general rule: for non-bank financial institutions not falling within these categories and operating without local infrastructure, the host Member State does not acquire additional AML/CFT supervisory competence. The gap in the current AMLD is filled selectively, not through a general rule of expanded national supervision.
8. Two Years of Asymmetry: Authorities Knew, Operators Did Not
Perhaps the most important editorial angle of this document is not its legal content, but its chronology.
Between 8 November 2023 — the date of the document’s circulation — and 26 August 2025 — the date of its declassification — there existed a structural information asymmetry in the European financial market: national authorities knew the position of the Commission services on the freedom to provide services in the AML/CFT context, while financial operators, their legal advisers and the general public had no access to this position.
This asymmetry was exploited by some national authorities across different Member States. In several documented cases, national authorities issued administrative documents restricting European financial operators’ access to their local markets, invoking interpretations of the EU legal framework that were in direct contradiction with what the Commission services had stated before national delegations in November 2023 — but the affected operators had no means of knowing this, as the document was classified.
THE QUESTION THAT DEMANDS AN ANSWER
Can national authorities act in contradiction with a position of the Commission services — a position known to them from participation in Council meetings — invoking an interpretation of EU law that affected operators cannot challenge because the relevant document was classified? The answer, from the standpoint of the rule of law and equality of arms, is no. The declassification of WK 12764/2023 REV 1 in August 2025 gives operators a legal instrument they can invoke directly in administrative and judicial proceedings.
9. What This Document Means for Financial Operators in the EU: A Practical Guide
Now that the document is public, every cross-border financial operator in the European Union can and should know it. The main practical conclusions are:
If you operate exclusively cross-border, without local infrastructure
- Article 56 TFEU prohibits national requirements for prior registration or authorisation as a condition for providing services.
- No European legal norm in force requires you to register with the national authority of the host Member State before providing services.
- Any national requirement of prior registration imposed on operators providing services at a distance is incompatible with Article 56 TFEU unless the imposing state demonstrates justification by an overriding public interest, necessity and proportionality.
If you operate through local agents or distributors
- The presence of agents or distributors constitutes establishment where the CJEU criteria are met: stable and continuous activity, through fixed infrastructure, for an indefinite period. In the absence of these criteria, the activity remains under the freedom to provide services regime.
- Proposed Article 29a of AMLD6 will extend the competence of host-state authorities for electronic money issuers, payment service providers and crypto-asset service providers operating through local infrastructure.
If your guarantees have been refused or you have been excluded from procurement procedures
- WK 12764/2023 REV 1, now public, confirms that the Commission services’ position supports the freedom to provide cross-border financial services without prior national registration requirements.
- Judicial decisions in multiple Member States have confirmed this position in practice, sanctioning national authorities that imposed registration requirements without basis in European law.
- You have legal remedies available: administrative challenge, action before national courts, complaint to the European Commission, and — as a last resort — action for state liability under the Francovich doctrine.
10. Conclusion: Delayed Transparency Is Not Transparency
WK 12764/2023 REV 1 establishes with clarity the legal framework applicable to cross-border financial operators in the EU. For nearly two years, this document remained inaccessible to the public while national authorities knew its contents. During this period, some national authorities adopted measures in direct contradiction with the position of the Commission services documented in it.
The European internal market functions on the principle that rules are the same for all and that all can know them. A document that defines the rights of cross-border financial operators should not be classified LIMITE for two years. This lesson, more than any other, deserves to be retained from this story.
Fingreed is an international financial information platform. This article is strictly informative and analytical in nature. Primary references: Council of the EU — WK 12764/2023 REV 1 (declassified 26.08.2025); CJEU — C-55/94 Gebhard, C-76/90 Saeger, C-384/93 Alpine Investments, C-452/04 Fidium Finanz, C-186/87 Cowan, C-230/14 Weltimmo, C-502/20 TP v Institut des Experts en Automobiles, C-212/11 Jyske Bank, C-6/90 Francovich, 120/78 Cassis de Dijon; TFEU — Articles 49, 56, 63; Directive 2006/123/EC — Articles 16, 19; Regulation (EC) No 1049/2001.
https://data.consilium.europa.eu/doc/document/WK-12764-2023-REV-1/en/pdf
