EU Counter-Terrorism Protocol 2026: What Financial and Technology Companies Must Do

Key data

Companies in the financial and technology sectors must begin monitoring this process: Council Decision (EU) 2026/1132 of 18 May 2026 approves the signature of the Protocol amending the Council of Europe Convention on the Prevention of Terrorism, which opens the door to new compliance obligations in counter-terrorism matters.

Although full implementation requires subsequent ratification and transposition into national legislation, the framework being built will directly affect how banks, financial entities and technology companies manage their prevention obligations. Anticipating transposition is the difference between adapting with time or doing so under pressure.

What does this regulation establish?

The Council Decision enables the European Union to formally accede to the Protocol amending the Council of Europe Convention on the Prevention of Terrorism. This is not a rule directly applicable to companies today, but rather the legal step that initiates the process of formal EU accession to the amended convention.

The amendments incorporated by the protocol include the following elements:

• New criminal typologies related to terrorism, which expand the scope of what is considered activity to be prevented and reported.
• Information exchange obligations between Member States and with third countries, which may involve new data flows and reporting requirements for private entities.
• Strengthened judicial cooperation mechanisms, which affect how cross-border investigations and proceedings are handled.

The stated objective is to strengthen Europe's commitment to international counter-terrorism standards and improve cooperation between Member States and third countries in the fight against terrorism.

The complete process has three distinct phases:

Economic and operational impact

The direct and immediate economic impact for companies is limited at this stage: the signature does not generate enforceable obligations today. However, the operational impact in the medium term may be significant for two specific sectors.

For the financial sector, national transposition will likely expand existing obligations regarding the prevention of money laundering and terrorist financing. This may translate into:

• Update of internal compliance and due diligence procedures.
• New reporting requirements to competent authorities.
• Expansion of the catalog of operations or profiles subject to monitoring.
• Possible investments in transaction detection and analysis systems.

For the technology sector, especially digital platforms, communication service providers and cybersecurity companies, new criminal typologies and information exchange obligations may generate additional requirements for collaboration with authorities and data management.

The concrete cost of adaptation cannot be quantified at this stage, as it will depend on the exact content of national transposition. However, companies that already have robust counter-terrorism compliance programs will have a clear advantage over those that must build it from scratch.

Who does it affect?

• Financial and banking entities: banks, savings banks, credit cooperatives, payment entities and any company subject to money laundering and terrorist financing prevention regulations.
• Technology companies: digital platforms, communication service providers, cybersecurity companies and any operator that may be involved in information exchange obligations.
• Judicial and police authorities of EU Member States, which must adapt their cooperation mechanisms.
• Legal and compliance advisors providing services to the above sectors, as they must update their advisory frameworks.
• CFOs and risk directors of companies in regulated sectors, who must anticipate the budgetary impact of future obligations.

Practical example

A digital payment entity operating in several EU countries already has a transaction monitoring system in place to comply with current money laundering prevention regulations.

With the entry into force of the Protocol amendment, once national ratification and transposition are completed, this entity will need to review whether the new criminal typologies incorporated into the convention expand the scope of operations or profiles it must monitor. If the protocol introduces, for example, new categories of suspicious activity linked to terrorist financing, the company will need to update its detection rules, its reporting procedures and possibly its contracts with compliance technology providers.

The time to conduct that internal review is not when transposition is already enforceable, but now, while the ratification process is underway and there is time to plan without urgency.

What should companies do now?

1. Identify your level of exposure: determine if your company operates in the financial or technology sector and to what extent you are already subject to terrorism prevention and money laundering obligations. This defines your starting point.
2. Review your current compliance program: audit your internal prevention procedures against the scope that the protocol anticipates expanding: new criminal typologies, information exchange and judicial cooperation.
3. Monitor the ratification process: the signature is already approved, but ratification and national transposition are the steps that will generate concrete obligations. Establish an alert system for when transposition texts are published in Spain.
4. Consult with your legal advisor specialized in counter-terrorism compliance: the exact content of new obligations will depend on transposition. A specialized advisor can anticipate the impact on your specific sector.
5. Budget for adaptation: although concrete figures are not available at this stage, include in your financial planning a budget for possible system updates, training and review of compliance procedures.