On 24 October 2025, the European Banking Authority ("EBA") launched a consultation ("Consultation") on draft guidelines ("Guidelines") on common procedures and methodologies for the supervisory review and evaluation process ("SREP") and supervisory stress testing under directive 2013/36/EU ("CRD").

The Guidelines are addressed to competent authorities and aim to strengthen supervisory convergence across the EU, improve clarity, and ensure that the SREP remains fit for purpose taking account of regulatory developments and supervisory experience.

The Consultation explains that the Guidelines are being revised due to a number of factors such as:

Contents

The Guidelines combine all relevant SREP provisions into one comprehensive framework and retain the core elements but also integrate new aspects such as:

The Guidelines fulfil the EBA's mandate to issue guidelines on the SREP for third-country branches and to issue guidelines to operationalise the requirements where an institution becomes bound by the output floor.

Repeal

The Guidelines repeal the separate ICT SREP guidelines because the ICT risk assessment has been integrated into the Guidelines in the interests of simplification and consistency.

Next Steps

The Consultation is open for feedback until 26 January 2026. The EBA will hold a virtual public hearing on 4 December 2025, which interested parties can register for here. Once the final Guidelines are published, the existing SREP guidelines and the guidelines on ICT risk assessment under the SREP will be repealed and replaced. The Guidelines are expected to apply from 1 January 2027.

On 22 October 2025, the European Banking Authority ("EBA") published its fifth report ("Report") on the functioning of anti-money laundering and countering the financing of terrorism ("AML / CFT") colleges under the fourth money laundering directive ("MLD4").

The Report, which covers the period 1 January 2025 to 31 May 2025, details that the EBA actively monitored nine AML / CFT colleges and gathered data on the functioning of 258 colleges.

Overall, the Report shows that the colleges framework has remained stable since December 2023, specifically that:

the number of colleges has remained broadly the same; and

competent authorities are still using the colleges as a way to effectively exchange information.

The Report does highlight that there has been limited progress as regards addressing two priorities identified by the EBA in its fourth report on the functioning of AML / CFT colleges, as follows:

implementing the risk based approach to the organisation of colleges – here the EBA found that most supervisors had not adapted the functioning of colleges (the way information is exchanged and the frequency of such exchange) according to the level of money laundering or terrorism financing ("ML / TF") risk presented. This had the effect that lead supervisors were not always in a position to allocate enough human resources to the most strategic colleges; and

ensuring that discussions on the need for a common approach are meaningful and systematic – here the Report shows that most colleges that were actively monitored by the EBA did not make sufficient efforts to identify common ML / TF risks and AML / CFT issues and consequently, participating competent authorities were rarely able to identify whether there were risks and / or issues that should be addressed in a coordinated manner.

Next Steps

This is the final such report that the EBA will publish as, from 1 January 2026, monitoring of AML / CFT colleges will be the responsibility of the anti-money laundering authority ("AMLA"). The Report highlights that the AMLA may wish to take account of the findings of the Report as it develops its supervisory framework.

Finally, the Report highlights that under the new AMLD6, AML / CFT colleges will remain a key tool in respect of cooperation and accordingly, lead supervisors and members should continue to focus on enhancing the functioning of existing colleges to ensure that, by the time the new legislation is implemented in July 2027, these colleges are fully functional and effective.

3. ESMA announces cyber risk and digital resilience as main Union strategic supervisory priorities for 2026

On 24 October 2025, the European Securities and Markets Authority ("ESMA") published a press release ("Press Release") stating that cyber risk and digital resilience will drive the agenda of its Union strategic supervisory priorities ("USSP") for 2026.

Cyber and digital resilience

ESMA commenced its promotion of cyber and digital resilience, as a key strategic supervisory priority, in January 2025 to coincide with the entry into force of DORA – allowing for enhanced supervisory coordination as regards strengthening firms' ICT risk management and improving the digital resilience of the EU securities market.

ESMA has noted strong initial engagement from national competent authorities ("NCAs") on cyber risk and digital resilience and calls for continued efforts on the USSPs.

The Press Release highlights that NCAs and ESMA direct supervision has shown commitment regarding the monitoring of financial entities' compliance with DORA through proactive checks and supervisory capacity building.

Emphasising the importance of a resilient financial sector, the Press Release goes on to call on NCAs to maintain efforts in 2026 regarding effective supervisory implementation across the EU, highlighting that coordination between authorities' supervisory work and the DORA oversight framework will be essential.

ESG

The Press Release also sets out that NCAs and ESMA have carried out intense supervisory work on ESG disclosures over 2025 which has played an integral role in promoting the application of ESG requirements throughout the sustainable investment ecosystem. ESMA has stated that it will focus on consolidating these achievements under the ESG disclosures USSP, particularly focusing on high risk areas.

Next Steps

ESMA has also highlighted that it will consider new topics in other areas that may require increased supervisory work at Union-wide level in the following years.

4. ESMA publishes final report on RTS on EU code of conduct for issuer sponsored research under MiFID II

On 22 October 2025, the European Securities and Markets Authority ("ESMA") published its final report ("Report") on draft regulatory technical standards ("RTS") for the establishment of an EU code of conduct for issuer sponsored research under the Directive on Markets in Financial Instruments ("MiFID II").

Background

The Listing Act Directive ("Listing Act"), which entered into force on 4 December 2024, made several amendments to MiFID II, one of which relates to issuer sponsored research, requiring the development of an EU code of conduct for such research aimed at enhancing trust in, and use of, issuer sponsored research.

Consultation

ESMA consulted on the draft RTS in December 2024. The Report summarises and analyses the responses to the consultation and sets out how the responses, together with advice sought and received from the Securities and Markets Stakeholder Group ("SMSG"), have been taken into account.

The main issue identified in response to the consultation concerned the information that research providers should make available to investment firms about their agreement with the relevant issuer. On foot of this, ESMA amended the draft RTS to clarify that a summary of the key elements of the agreement and how the research provider is remunerated would be sufficient. Further, providers would not be required to share the complete agreement with issuers.

ESMA recommends reading the Report in conjunction with the consultation in order to have a complete picture regarding the rationale behind the draft RTS.

Contents

The Listing Act adds new paragraphs to article 24 of MiFID II which deals with "General principles and information to clients." Some of the requirements / areas addressed in the draft RTS are as follows:

issuer sponsored research must be fair, clear and not misleading and should be clearly identified as such or with similar wording;

all relevant conditions set out in the MiFID II delegated regulation (EU) 2017/565, and applicable to the research, are required to be met;

investment firms that produce or distribute research partly or fully paid by the issuer are required to use the label "issuer-sponsored research" only if the research complies with the EU code of conduct for issuer-sponsored research, to be developed by ESMA as RTS;

the objectivity and independence of the issuer sponsored research;

contract duration and payments for the issuer sponsored research;

dissemination of issuer sponsored research; and

information sharing with investment firms.

Next Steps

ESMA will submit the draft RTS, by 5 December 2025, to the European Commission for adoption. The Commission has three months to decide whether to adopt the draft RTS or not.

The draft RTS state the date of their application as 6 June 2026.

5. EIOPA Chair delivers speech focused on simplification and burden reduction in insurance