Article 7 Information sharing for supervisory purposes


This is a draft act

This text has been parsed from the AMLA consultation paper draft as published on 16 April 2026. While we run a suite of validations, the automated parsing can result in errors. Also, before it is finally adopted by the Commission, its wording, numbering and references may change, and entire articles might be removed or added.

Summary What does Article 7 of the RTS on group-wide minimum requirements and additional measures for third-country subsidiaries and branches say?

This article addresses the flow of information from group entities or branches located in third countries to Union supervisors.

It establishes a clear principle that obliged entities should not be blocked from sharing such information with their supervisors in the Union.

However, it also recognises that third country law may sometimes restrict or prohibit this, and sets out the minimum steps obliged entities must take in that scenario.

This article connects closely to the broader framework in Section 4 of the regulation, which it explicitly does not override.

Important points:

  • Do not treat third country legal restrictions as a barrier to sharing group information with Union supervisors — the default position is that such sharing is permitted.
  • Where a third country's law does restrict or prohibit data transfers to the Union supervisor, notify the supervisor of the home Member State within 28 calendar days of identifying the restriction or prohibition.
  • Following that notification, explore whether customer consent or any other means can be used to legally overcome the restriction or prohibition.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. Without prejudice to the measures set out in Section 4 of this Regulation, obliged entities shall not be prevented from sharing information from entities or branches of the group established in third countries to supervisors in the Union.

    1. Where the third country´s law restricts or prohibits the transfer of data to the supervisor of the obliged entity in the Union, the obliged entity shall at least:

      1. inform the supervisor of the home Member State of such restrictions or prohibitions without undue delay and in any case no later than 28 calendar days after identifying the third country and the restrictions or prohibitions;

      2. establish whether consent from the customer and, where applicable, their beneficial owner, or any other means can be used to legally overcome restrictions or prohibitions.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod