The New EU AML Regulation: From National Transposition to a Single Rulebook
The new EU Anti-Money Laundering Regulation moves core private-sector AML/CFT obligations into a directly applicable regulation. It should reduce fragmentation across Member States, but national supervision, institutional rules and local implementation will still matter.
Published: 26 April 2026
The new EU Anti-Money Laundering Regulation changes the architecture of EU AML/CFT compliance. Its importance lies not only in new or updated substantive rules, but also in the method of regulation. A significant part of the framework that previously depended on national transposition will move into a directly applicable EU regulation.
Regulation (EU) 2024/1624, commonly referred to as the AMLR, was published in the Official Journal on 19 June 2024. It lays down rules on measures to be applied by obliged entities to prevent money laundering and terrorist financing, beneficial ownership transparency and limits on certain anonymous instruments and cash payments.
The practical result is a move toward a more uniform EU AML/CFT rulebook. However, this should not be understood as the end of national AML law or local supervisory relevance. The AMLR is part of a broader package that also includes Directive (EU) 2024/1640 and the new EU Anti-Money Laundering Authority. The regulation harmonises the core rulebook for obliged entities, while the directive continues to address national AML/CFT institutional architecture.
Why the shift to a regulation matters
Under the previous framework, many AML/CFT obligations were set out in directives and then transposed into national law. That model allowed Member States to implement common EU requirements, but it also created divergences in wording, interpretation, timing and supervisory practice.
The AMLR itself identifies this as a central problem. Its recitals explain that the lack of direct applicability of rules imposed on obliged entities contributed to fragmentation along national lines, and that rules capable of being applied directly by obliged entities should be addressed in a regulation to achieve greater uniformity of application.
For cross-border businesses, this matters. A directly applicable regulation makes it easier to design group-wide AML/CFT policies, customer due diligence procedures, onboarding logic, internal controls and training materials around a common EU legal core. It should reduce the need to rebuild the substance of an AML programme country by country.
That does not mean compliance becomes simple. It means the starting point becomes more harmonised.
What the AMLR harmonises
The AMLR addresses the core private-sector obligations of obliged entities. These include, in broad terms:
- identifying which entities fall within the AML/CFT regime;
- internal policies, procedures and controls;
- business-wide risk assessments;
- customer due diligence;
- group-wide controls;
- beneficial ownership transparency;
- reporting of suspicions;
- record retention;
- limits on large cash payments.
The Council of the EU described the package as transferring all rules applying to the private sector into a new directly applicable regulation, while a directive deals with the organisation of national competent authorities. It also noted that the regulation harmonises AML rules for the first time throughout the EU and extends the regime to new obliged entities such as most of the crypto sector, traders of luxury goods and football clubs and agents.
For businesses operating in several Member States, this is a significant structural change. Instead of treating each national AML law as the primary expression of EU requirements, compliance teams will increasingly start from the AMLR as the directly applicable baseline.
Obliged entities and the expanded perimeter
The AMLR applies to a broad range of obliged entities. These include traditional financial-sector actors, but also a wider set of non-financial and newer market participants. The regulation expressly includes crypto-asset service providers within the financial institution perimeter, using concepts linked to the Markets in Crypto-Assets Regulation.
This expanded perimeter is important because AML/CFT risk is not confined to banks or traditional financial institutions. The legislative package reflects the EU's view that gatekeepers across the financial system and adjacent markets should be subject to more consistent preventive obligations.
For crypto-asset service providers, the AMLR will interact with other EU frameworks, including MiCA and the Transfer of Funds Regulation. For non-financial obliged entities, such as certain luxury goods traders or football-sector actors, the practical challenge may be more basic: building AML/CFT processes in sectors that may not historically have had the same compliance infrastructure as financial institutions.
The single rulebook is not a single procedure
The expression "single rulebook" should be used carefully. It does not mean that every operational detail of AML/CFT compliance will be identical in every Member State.
The AMLR harmonises the substantive obligations that can be applied directly to obliged entities. But Directive (EU) 2024/1640 remains relevant for the institutional and procedural framework. It deals with matters such as national risk assessments, financial intelligence units, supervision, cooperation between authorities and sanctioning structures. The Council's summary captures this division: the regulation governs the private-sector rulebook, while the directive addresses the organisation of national competent authorities and how FIUs and supervisors work together.
This distinction has practical consequences. An obliged entity may rely on the AMLR for the core content of its CDD and internal control obligations, but it will still need to understand:
- which national authority supervises it;
- how suspicious activity reports are submitted;
- whether local procedural rules apply;
- what national sanctioning practice looks like;
- whether national options or stricter measures apply;
- how supervision works in home-host scenarios.
The AMLR therefore reduces fragmentation, but it does not remove the need for local legal and supervisory analysis.
Application timeline
The AMLR entered into force after publication in the Official Journal, but it does not apply in full immediately. Article 90 provides that the regulation applies from 10 July 2027. For certain football-sector obliged entities referred to in Article 3(3)(n) and (o), it applies from 10 July 2029. The regulation is binding in its entirety and directly applicable in all Member States.
This timing matters. Businesses should not describe the AMLR as already fully applicable to all obliged entities. At the same time, waiting until the application date may be impractical for entities that need to revise policies, update customer onboarding, change system logic, train staff or coordinate group-wide compliance.
The transitional period should therefore be used for gap analysis, not only for monitoring.
AMLA and supervisory convergence
The new AML framework is not only about the AMLR and Directive (EU) 2024/1640 (AMLD6). It also introduces the EU Anti-Money Laundering Authority (AMLA).
AMLA is intended to strengthen supervisory convergence and support a more integrated AML/CFT framework across the Union. According to the Council, AMLA will have direct and indirect supervisory powers over high-risk obliged entities in the financial sector and will coordinate and support financial intelligence units. It may also impose pecuniary sanctions on selected obliged entities in cases of serious, systematic or repeated breaches of directly applicable requirements.
This institutional layer is important because a single rulebook is only effective if supervision converges in practice. The AMLR provides the directly applicable legal core; AMLA, technical standards, guidelines and national supervisors will shape how that core is applied operationally.
For businesses, this means that AMLR implementation should be monitored together with AMLA outputs, regulatory technical standards, implementing technical standards and future guidance.
What businesses should do now
The AMLR is not merely a legal citation update. It requires businesses to understand how their AML/CFT framework maps to a new EU-level architecture.
A practical first review should include at least:
- whether the business is an obliged entity under the AMLR;
- whether any new group entities or business lines fall within scope;
- how existing customer due diligence processes map to AMLR requirements;
- whether beneficial ownership, reporting and recordkeeping processes need updates;
- whether group-wide policies can be redesigned around the new EU baseline;
- which local supervisory and reporting requirements will remain relevant;
- how AMLR implementation interacts with sector-specific regulation, such as MiCA for crypto-asset service providers.
For cross-border groups, the main benefit should be a more coherent compliance framework. But the correct approach is not to replace all local analysis with one EU document. It is to build a common EU core and then layer local supervision, procedure and national options on top.
Practical takeaway
The AMLR moves the EU AML/CFT framework closer to a single rulebook. It should make substantive obligations for obliged entities more uniform and reduce fragmentation caused by divergent national transposition.
But harmonisation is not the same as complete uniformity. AMLD6, AMLA, national supervisory practice, reporting channels, sanctions and Member State choices will continue to matter.
For obliged entities, the right question is therefore not whether AML compliance becomes "European" or "national". It becomes both: a directly applicable EU rulebook, applied through a still-relevant national and supervisory architecture.
Legal references
- Regulation (EU) 2024/1624, in particular recitals 1-3 and Articles 1, 3, 10-18, 19-39, 69-73, 80, 89 and 90.
- Directive (EU) 2024/1640, in particular provisions on national AML/CFT mechanisms, FIUs, supervision and sanctions.
- Regulation (EU) 2024/1620 establishing AMLA, where relevant to the institutional framework.
- Council of the EU, "Anti-money laundering: Council adopts package of rules", 30 May 2024.