A financial-technology company operating across cities like Lisbon, Warsaw, and Berlin can currently be licensed and supervised entirely from Vilnius. This arrangement has placed one central bank in a nation of fewer than three million people at the heart of a significant portion of the European Union’s fintech payments industry.
However, that central bank is now quietly stepping back from its extensive supervisory duties.
Following the United Kingdom's departure from the EU, Lithuania moved to fill the void, establishing one of the bloc's largest concentrations of electronic money and payment institutions. By the end of 2024, the country had licensed 119 such firms, which facilitated the movement of €152 billion that year.
The sector remains heavily concentrated, with just 10 firms managing approximately two-thirds of that volume, while a single regulator oversees the entire landscape.
While this development has been framed as a success, it also highlights what is known as regulatory arbitrage, where a single national authority provides market access for the entire bloc. Under the EU’s "home-state control" rule, a firm authorized in one member state can provide services across all others without further approval.
Consequently, while the supervisory responsibility remains in Vilnius, the political and consumer fallout from any potential issues is distributed across host states throughout Europe.
A critical structural difference exists between these firms and traditional banks. While banks answer to the European Central Bank’s Single Supervisory Mechanism, electronic money and payment institutions lack such an overarching layer of EU oversight. Furthermore, their customers do not receive deposit guarantees, relying instead on safeguarding mechanisms in accounts monitored solely by the home regulator.
Larger firms, such as Revolut, have transitioned into the supervised tier by becoming licensed banks, but hundreds of smaller entities remain under the lighter, home-state regime.
Lithuania’s approach—characterized by an English-language fast-track licensing process, a regulatory sandbox, and direct access to euro payment rails—was designed to attract firms seeking an efficient entry into the single market. Critics argue that a regulator approving firms with a pan-European reach inevitably becomes accountable for risks it cannot fully monitor on the ground.
The collapse of Germany’s Wirecard in 2020 served as a stark warning of the dangers inherent in such systems, particularly when the fallout affects countries that neither issued the license nor had the power to withdraw it.
The current trend in Vilnius, where the regulator cancels more licenses than it grants, suggests an acknowledgement that the scale of the sector has outgrown its oversight capacity. Brussels has begun to respond, with lawmakers provisionally agreeing to the PSD3 and a new Payment Services Regulation in November 2025 to create a more harmonized regime.
Additionally, the European Commission proposed in December that the European Securities and Markets Authority (ESMA) should oversee all crypto firms.
Despite these efforts, the structural problem persists. Both aim at exactly this, yet neither fixes it soon. The payments package is not yet law and, when it lands, still leaves authorisation and prudential supervision national, the very thing in question.
The crypto plan is still only a proposal. And nothing on the table unwinds the firms already passported across the bloc on a decade of light-touch licences.
Ultimately, the EU’s reliance on ambitious small states to manage risks that affect the entire bloc is being re-evaluated, but new rules arriving in 2028 will not retroactively manage the risks already embedded within the system.
So the customers, complaints and political fallout land in host states from Portugal to Poland. The supervisory burden stays in Vilnius.
True, and beside the point. A regulator that approves a firm whose business is everywhere becomes answerable for risks it cannot see up close.




