Banking Regulation 2026

Last Updated December 09, 2025

EU

Law and Practice

Author



PwC Legal and its network firms operate in more than 100 territories with over 4,000 lawyers, delivering comprehensive advisory and transactional services to financial institutions, multinational corporates and public bodies. The firm’s Global Financial Services Sector Group brings together more than 450 lawyers who provide strategic, commercially driven advice across the full spectrum of transactional, regulatory and advisory matters – spanning all major asset classes and the rapidly evolving crypto-assets and digital infrastructure landscape. PwC Legal supports clients through the entire regulatory life cycle and across phases of growth, financing and corporate transformation. The firm’s expertise includes licensing and perimeter analysis; prudential and conduct regulation; payments and fintech; crypto-assets and tokenisation; market infrastructure and trading; governance, risk and remediation; outsourcing and cloud; operational resilience; and ESG. The firm also assists clients in structuring, documenting and executing complex transactions – including M&A, reorganisations, structured finance, derivatives and banking and finance – and acts in investigations, disputes and enforcement matters.

In European Union (EU) law and supervision, the term “bank” is largely a colloquial and non-technical shorthand, while the legally operative term is “credit institution”. For regulatory, supervisory and resolution purposes, as well as for deposit and consumer protection, it is the credit institution definition that determines the applicable regime and competent authorities.

Under EU prudential law, a credit institution is the legally defined category of firm that the banking regime applies to. In simple terms, it is an undertaking that both (i) accepts deposits or other repayable funds from the public, and (ii) grants credits for its own account. This two-pronged test is the cornerstone of the EU perimeter. If an entity does not take deposits/other repayable funds from the public or does not grant credit on its own balance sheet, it is generally outside the credit institution regime.

More fundamentally, the authorisation is for the credit institution; the law does not issue a separate “bank” licence. Firms commonly referred to as banks are legally authorised as credit institutions. Accordingly, commercial banks, savings banks, co-operative banks and building societies (depending on national law) generally meet the two-pronged test and are credit institutions. Moreover, banking groups may include financial holding companies and mixed activity holding companies subject to consolidated supervision around credit institutions.

The following firms, while regulated, are generally outside the perimeter of a credit institution:

  • Investment firms under the dedicated Investment Firms Regulation (IFR)/Investment Firms Directive (IFD) regime (Markets in Financial Instruments Directive (MiFID) investment services) are not credit institutions unless they also conduct deposit taking; the prudential regime differs materially.
  • Payment institutions and electronic money institutions (Payment Services Directive 2 (PSD2) and E-Money regime) do not accept deposits/repayable funds in the banking sense and therefore are not credit institutions. Client funds are safeguarded but not treated as deposits subject to the EU’s Deposit Guarantee Schemes Directive.
  • Credit providers that do not take deposits, such as certain consumer lenders or mortgage lenders funded via capital markets, are not credit institutions under EU banking law (though they may be licensed under national consumer credit or mortgage credit regimes).

The EU banking framework rests on a layered structure combining EU primary law, harmonised secondary legislation (regulations and directives) and extensive Level 2 rules and Level 3 standards generated by EU institutions and agencies.

In parallel, the Banking Union overlays this architecture in participating member states with two existing pillars: (i) centralised supervision in the form of the Banking Union’s Single Supervisory Mechanism (SSM) with the European Central Bank (ECB) at its helm; and (ii) centralised resolution planning and execution by the Single Resolution Board (SRB) at the helm of the Banking Union’s Single Resolution Mechanism (SRM). A proposed third pillar to complete the Banking Union is the European Deposit Insurance Scheme (EDIS), which would act as a common EU-level system to protect bank deposits of eligible depositors.

The principle of maximum harmonisation governs many EU banking rules, but the architecture still permits narrow national discretions, gold-plating in particular areas and differing supervisory intensity. Examples include the calibration of macroprudential buffers, national fit-and-proper criteria details, enforcement practices and conduct supervision priorities. Banks operating in multiple jurisdictions must navigate these nuances while adhering to central EU standards.

Within the Banking Union, supervisory intensity is typically higher for significant institutions (SIs) due to centralised, risk-based approaches and enhanced data requirements. Resolution planning is more integrated and expectations regarding resolvability, the Minimum Requirement for Own Funds and Eligible Liabilities (MREL) stacking and loss-absorbing capacity are scrutinised centrally. Nonetheless, legal obligations on prudential ratios, liquidity, governance and reporting are the same across the EU; the divergence lies in execution modalities and supervisory oversight structures.

Principal Laws and Regulations

The EU’s prudential and supervisory architecture for banks and systemically important investment firms rests on two core instruments – both applicable EU‑wide – and an integrated crisis‑management regime. This is built on the following principal laws (each as amended and supplemented):

  • Capital Requirements Regulation (CRR) and Capital Requirements Directive (CRD) (specifically CRD IV, as amended by CRD V and CRD VI): The CRR, directly applicable, sets detailed Pillar 1 requirements for own funds, risk‑weighted capital, leverage, liquidity (Liquidity Coverage Ratio (LCR), Net Stable Funding Ratio (NSFR)), large exposures, reporting and Pillar 3 disclosures. The CRD complements the CRR by establishing authorisation standards, governance and remuneration, Pillar 2 supervisory powers and processes (Supervisory Review and Evaluation Procedure (SREP), Internal Capital Adequacy Assessment Process (ICAAP), Internal Liquidity Adequacy Assessment Process (ILAAP)), macroprudential buffers (Capital Conservation Buffer (CCoB), Countercyclical Capital Buffer (CCyB), buffers for global systemically important institutions (G-SIIs) and other systemically important institutions (O‑SIIs) and Systemic Risk Buffer (SyRB)) and passporting for Annex I activities. Recent CRD VI amendments also introduce a harmonised framework for third-country branches (TCBs) and reinforce environmental, social and governance (ESG) integration.
  • Bank Recovery and Resolution Directive (BRRD) (EU‑wide): This underpins recovery planning, early intervention, resolution tools (sale of business, bridge bank, asset separation, bail‑in) and MREL, with national resolution funds and cross‑border arrangements aligning to Financial Stability Board (FSB) Key Attributes.
  • Recent Reforms: CRR II/CRD V introduced leverage ratio and NSFR, refined large exposures and market/CCR, plus governance and Intermediate EU Parent Undertaking (IPU) measures. CRR III/CRD VI implement the final Basel standards (Basel 3.1), notably by introducing the output floor, and add EU-specific reforms on enhanced ESG integration, expanded supervisory powers, updated fit‑and‑proper requirements and a harmonised regime for TCBs with core obligations applying from January 2027.
  • Banking Union-Specific Instruments for Participating States: The SSM Regulation centralises supervision for those credit institutions that are categorised for Banking Union purposes as (i) significant institutions (SIs) or (ii) less significant institutions (LSIs) – both categories defined by size, cross-border activity and risk. The term “institution” in this context means credit institution per the prudential definition. The SSM Regulation is complemented by several rule-making instruments and communications issued by the European Central Bank – Single Supervisory Mechanism (ECB-SSM). Concurrently, the SRM Regulation centralises resolution decision‑making at the Single Resolution Board (SRB) with the Single Resolution Fund (SRF).

The use of EU Regulations – directly applicable and uniform across the EU – ensures a high degree of harmonisation in critical prudential and market integrity areas, while EU Directives require transposition, allowing calibrated national discretion in limited respects. Technical standards, guidelines and supervisory handbooks developed by the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the ECB (in its SSM capacity) operationalise uniform application and promote consistent supervision. Taken together, these rule-making instruments constitute a Single Rulebook as applied across the EU (subject to modifications for use in the Banking Union), heavily operationalised via EBA regulatory and implementing technical standards and guidelines and ECB-SSM as well as SRB supervisory guidelines and other communications.

Banking Regulators

From an institutional standpoint, EU-level actors include the European Commission, the Council and the European Parliament (as co-legislators), as well as (i) the European Systemic Risk Board (ESRB) (macroprudential co-ordination) and (ii) the European supervisory authorities (ESAs) comprised of the EBA, ESMA and the European Insurance and Occupational Pensions Authority (EIOPA). Each of the ESAs, including when acting in their role as the Joint Committee, is responsible for regulatory technical standards and supervisory convergence.

In the Banking Union:

  • the ECB-SSM exercises prudential supervisory tasks (i) directly for those credit institutions categorised as SIs – these are supervised directly by joint supervisory teams (JSTs) composed of staff from the ECB and the national competent authorities (NCAs); and (ii) indirectly for those credit institutions categorised as LSIs which remain under day-to-day NCA oversight subject to ECB-SSM co-ordination and methodology; and
  • the SRB acts as the central resolution authority for Banking Union “institutions” falling within its remit – ie, credit institutions and certain systemically important investment firms.

The NCAs and national resolution authorities (NRAs) execute EU-derived powers domestically, including for member states outside the Banking Union. 

It is essential to distinguish EU-wide prudential pillars, which bind all member states, from mechanisms that operate only within the Banking Union. The EU-wide rulebook comprises the core prudential requirements for credit institutions and investment firms under:

  • the CRR/CRD framework;
  • recovery and resolution standards under the BRRD;
  • harmonised deposit guarantee requirements under the Deposit Guarantee Schemes Directive (DGSD);
  • the AML/CFT legislative suite;
  • consumer credit and mortgage frameworks;
  • payments and market infrastructure rules;
  • digital operational resilience requirements under the Digital Operational Resilience Act (DORA);
  • sustainability disclosure and taxonomy rules; and
  • data protection legislation.

These instruments apply across the entire EU.

The CRR/CRD and BRRD apply EU-wide. By contrast, the SSM and the SRM operate only in the Banking Union, which comprises the euro area and any non-euro member states that have entered into close co-operation as participating states.

For institutions within the Banking Union, compliance integrates ECB-SSM supervisory methodologies and SRB resolution planning. Within the SSM, the ECB-SSM is responsible for licensing and the direct, ongoing supervision of significant institutions, conducting the SREP, thematic reviews and direct supervisory measures, performing fit and proper assessments and issuing supervisory and enforcement decisions. LSIs are overseen on a day-to-day basis by national authorities under ECB-SSM oversight.

On the resolution side, the SRM centralises resolution planning and execution at the SRB for SSM SIs and Banking Union cross-border groups, with resolution strategies determined by the SRB, including co-ordination of national execution and access to the SRF under strict conditions.

For institutions in non-Banking Union member states, EU-wide regimes are implemented through national supervisory structures, aligned by EBA standards and peer mechanisms. Outside the SSM, these authorisation, supervisory and enforcement functions are performed by NCAs, guided by EBA convergence tools.

Cross-border groups must co-ordinate compliance and reporting across multiple NCAs and resolution authorities, relying on colleges of supervisors and resolution colleges to manage group-level oversight.

For institutions outside the Banking Union, the BRRD framework governs resolution at national level, co-ordinated through EU directives and EBA-led convergence rather than SRB direction.

In addition, EU rules on state aid and competition shape the financial sector’s operating environment, restricting anti-competitive practices, conditioning public support to banks under resolution or restructuring and requiring market discipline. Banks must adhere to market abuse and insider trading rules for traded instruments, comply with short-selling restrictions where applicable and maintain robust compliance frameworks for market integrity. These requirements apply uniformly across the EU and are enforced by the European Commission, ESMA and national authorities. Banking Union participation does not alter substantive competition or state aid law, though resolution decisions co-ordinated by the SRB intersect with state aid assessments.

Macroprudential overlay

Macroprudential oversight is co-ordinated at EU level through the ESRB, supported by harmonised processes for the activation, reciprocation and communication of measures across member states. Macroprudential authorities may calibrate capital buffers, risk weights and sectoral requirements to mitigate systemic risks and address credit cycles. In particular, the systemic risk buffer, the countercyclical capital buffer and, where applicable, buffers for other systemically important institutions operate as supplements to the core prudential regime.

Within the Banking Union, macroprudential policymaking remains primarily national. However, the ECB has a designated “top-up” role and, within limits of EU law, may apply higher capital buffer rates or adopt more stringent macroprudential measures than those set domestically. This provides an overlay that promotes financial stability and deeper harmonisation within the Banking Union. This overlay coexists with member states’ own macroprudential toolkits, ensuring a consistent EU-wide baseline. Outside the Banking Union, national authorities exercise macroprudential powers within the framework of EU law. The EBA promotes information-sharing and consistent implementation, co-ordinated by the ESRB.

Deposit protection

A fully mutualised EDIS, if adopted, would establish a common liquidity support mechanism for Banking Union DGSs. The legislative progress for EDIS remains uncertain; until then, the DGSD remains the operative framework across the EU, with national DGSs harmonised on coverage and payout. Deposit insurance has not been centralised and funding arrangements for deposit insurance are set at national level, including within the Banking Union.

Authorisation Requirements

The authorisation of credit institutions is governed by an EU-wide harmonised framework. Applicants must satisfy the governance, capital, organisational and suitability standards set out in the CRD, as complemented by national implementing measures.

  • Credit Institution Authorisation (EU‑Wide): Applicants must meet CRD requirements on initial capital (typically at least EUR5 million), programme of operations, governance (sound management body, effective risk control and compliance functions, fit and proper management), risk management frameworks (including ICAAP and ILAAP), remuneration policies aligned to prudent risk‑taking and adequate organisation and systems (data aggregation, reporting, ICT and security).
  • Authorisation Perimeter: “Credit institution” captures those undertakings whose business is to take deposits or other repayable funds from the public and to grant credits for their own account, as defined in the CRR. Since 2021, certain systemically important investment firms that meet quantitative thresholds for dealing on own account and underwriting/placing on a firm commitment basis (CRR Article 4(1)(1)(b)), reflecting a bank‑like risk profile, are subject to the same authorisation standards as credit institutions.

Licensing Process

EU-wide mechanics relevant to the licensing process are anchored in the CRD and EBA regulatory technical and implementing technical standards, which specify information templates, procedural steps and indicative timelines. Whether in SSM or non-SSM states, the assessment focuses on governance arrangements, ownership structure and qualifying holdings, the programme of operations, risk management and internal control frameworks and the adequacy of capital and liquidity resources.

For SSM licence applications, the ECB’s licensing guides set additional expectations, including for fintech business models and the design and effectiveness of internal control functions.

EU-wide baseline

Under the CRD/CRR single market framework, authorisation requirements and passporting mechanics are harmonised across all member states. In non-participating (non-SSM) states, banking licences are granted by the NCA and, once authorised, institutions may exercise passporting rights for branches and services throughout the EU.

Approval is required for financial holding companies (FHCs) and mixed financial holding companies (MFHCs) to ensure effective consolidated supervision. Third-country groups (TCGs) that meet specified thresholds must establish an EU-domiciled IPU to facilitate supervision and resolution planning. That IPU may be constituted as an EU credit institution or as an FHC or MFHC, enabling coherent oversight of the EU group and its risks.

Separate to the considerations on IPUs, third-country entities (TCEs), including those that are equally TCGs, encounter a fragmented EU landscape. Equivalence frameworks exist for certain market segments but do not confer bank licensing rights. Prior to the harmonised framework under CRD VI, TCBs were authorised under host member state law and supervised by the local NCA, with cross-border services by non-EU firms constrained by national regimes in the absence of an EU-wide passport. While under the new regime TCBs will remain under NCA supervision for so-called Class 1 branches co-ordinated through colleges, for Banking Union TCBs of material systemic relevance, the SSM will provide risk-based supervisory co-ordination.

Banking Union specifics

In Banking Union participating states, the authorisation process is conducted within the SSM. Applications are submitted to the relevant NCA, which manages the file and prepares a draft decision; the ECB-SSM is the competent authority that adopts the final licensing decision. The ECB’s authorisation remit does not extend outside the Banking Union.

Activities and Services

Authorised activities for credit institutions are those listed in CRD Annex I, including taking deposits, lending, payment services, guarantees and commitments, trading for own account, underwriting/placing and custody services.

Ancillary services are permitted in line with CRD and national transposition.

Territorial scope and the definition of cross‑border services follow EU interpretations and Commission communications on “where services are provided”.

EU Passport

Once authorised in a member state, a credit institution benefits from an EU-wide passport, permitting the exercise of Annex I activities across the single market either through freedom of establishment (by way of branches) or under the freedom to provide services, in each case following the CRD notification and co-ordination procedures between home and host competent authorities, including the applicable Regulatory Technical Standards (RTS)/Implementing Technical Standards (ITS) on forms and information. The passport rests on mutual recognition of authorisations and prudential supervision and applies throughout the Union irrespective of participation in the Banking Union. While the host state may impose conduct-of-business and general good requirements consistent with EU law, the prudential regime remains the responsibility of the home state authority.

Qualifying Holding

A “qualifying holding” is a direct or indirect holding in an institution representing 10% or more of capital or voting rights or otherwise enabling significant influence over management. The CRD requires prior notification and no‑objection by the competent authority before acquiring or increasing a qualifying holding, including through concerted action or control structures.

Notification Thresholds

Acquisitions (and disposals) at or above 10%, 20%, 30% and 50% of capital or voting rights and the crossing of control thresholds (becoming or ceasing to be a subsidiary) trigger notification and assessment. Intra‑group restructurings may still fall in scope depending on the structure and prudential impact.

Authorisation Process

Competent authorities assess the proposed acquirer and transaction against harmonised criteria: reputation and financial soundness of the acquirer; reputation, experience and governance of proposed appointees; financial soundness of the target post‑transaction; compliance with prudential requirements (including resolution and AML/CFT considerations); and risks of money laundering/terrorist financing. Joint ESA guidelines provide a common assessment methodology. Authorities may oppose, attach conditions, or clear the transaction.

Decreasing Control Over a Credit Institution

Disposals crossing the same percentage thresholds must be notified. Authorities monitor whether the disposal compromises the institution’s sound and prudent management or group supervision arrangements. In certain cases, approval may be required for de‑mergers, material asset transfers, mergers or divisions (expanded under CRD VI).

EU governance standards for credit institutions emphasise robust management bodies; clear segregation of management and supervisory functions; comprehensive risk management and internal control frameworks; and clear lines of responsibility. Fit and proper requirements apply to members of the management body and key function holders, with suitability assessed on integrity, competence, experience and time commitment. Supervisory authorities maintain notification and assessment processes for appointments and EBA guidelines guide uniform application across the EU.

Regulatory Requirements

A credit institution’s governance framework should:

  • establish a clear and coherent organisational structure with well-defined, transparent and consistent lines of responsibility;
  • ensure effective and independent risk management, compliance and internal audit functions;
  • support robust risk data aggregation and reporting; and
  • embed comprehensive policies on conflicts of interest, outsourcing and ICT/security, together with remuneration arrangements aligned to prudent risk-taking.

These policies and frameworks should be formally documented, approved by the management body and subject to periodic review and challenge.

Management Functions

The management body must collectively possess adequate knowledge, skills and experience to understand the institution’s activities, risks and impacts over relevant horizons, including ESG risk dimensions. Individual members must be of good repute, act with integrity, commit sufficient time and avoid conflicts. Key function holders (heads of control functions, CFO) are within scope for suitability assessment, a requirement reinforced by CRD VI.

Governance Arrangements

Institutions must ensure effective segregation of duties, independent risk and compliance, robust outsourcing oversight (including third‑party and intra‑group), sound product governance and strong internal control over financial and regulatory reporting. Risk culture and conduct expectations should be embedded throughout the organisation.

EU supervisory expectations further require that control functions are independent, adequately resourced and vested with sufficient authority and stature, operating under formal charters with direct and unfettered reporting lines to the board or its relevant committees and able to challenge management and escalate issues. Internal audit should maintain a risk-based, entity-wide audit plan covering prudential, conduct, AML/CFT, ICT and third-party risk domains and must track and verify timely remediation of findings. The compliance function should monitor regulatory change, oversee the risk of regulatory breach and maintain appropriate training and awareness programmes across the firm. These expectations apply EU-wide; within the SSM, banks may be assessed against supervisory benchmarks for the effectiveness and independence of control functions, including comparative reviews across peer institutions.

Pillar 3 disclosures, sustainability reporting and public communications must be consistent, reliable and not misleading. Banks should maintain controlled disclosure processes, ensure that prudential and sustainability metrics are subject to internal verification and, where applicable, external assurance, and avoid greenwashing and mis-selling risks. These obligations apply across the EU, with enforcement based on national regimes and supervisory monitoring. Banking Union institutions may face heightened scrutiny of models and disclosures through ECB reviews, but the legal framework remains common to the EU.

Diversity

EU supervisory expectations emphasise that boards of regulated institutions demonstrate genuine independence, a balanced diversity of skills and perspectives and a culture of robust challenge. Institutions should maintain clear segregation of roles, undertake periodic evaluations of board effectiveness and implement comprehensive policies on conflicts of interest and ethical conduct. Diversity is not merely an aspiration but a governance tool that enhances decision-making and risk oversight; it should be embedded in recruitment, succession planning and ongoing training frameworks to ensure the management body remains fit for purpose over time.

Supervisors across the EU actively assess board composition, independence and effectiveness and will intervene where deficiencies persist. Within the Banking Union, the ECB-SSM’s fit and proper assessments for SIs add a layer of centralised scrutiny aligned with EU-wide criteria. In parallel, the CRD requires institutions to adopt and disclose diversity policies for the management body, addressing dimensions such as age, gender, geographical provenance and educational and professional background. EBA guidelines and benchmarking exercises provide reference points for sound diversity practices and gender pay gap disclosures and supervisory authorities monitor progress against these benchmarks, setting clear expectations for remediation and improvement where warranted.

Voluntary Codes and Industry Initiatives on Corporate Governance and Conduct of Business Standards

Many institutions adhere to national corporate governance codes and international best practices (eg, FSB governance principles, Basel Committee on Banking Supervision (BCBS) corporate governance standards). Within the SSM, ECB expectations on governance and risk culture complement CRD/EBA guidance and are reflected in the SREP.

Bankers’ Oath

Where a national “bankers’ oath” exists (even where such concept is not EU‑harmonised), it remains a domestic overlay. It does not displace CRD governance requirements and applies in parallel as a matter of national law and conduct supervision.

Fitness and Propriety Requirements

Fit and proper assessments cover reputation, honesty and integrity; knowledge, skills and experience; independence of mind; time commitment; and potential conflicts. CRD VI extends coverage to key function holders (such as heads of control functions and chief financial officers (CFOs)) and introduces governance body independence rules, including staff trading prohibitions and cooling-off periods.

Suitability Assessment Requirements

Institutions must have policies and procedures for selection, appointment, succession planning and ongoing suitability assessment. Joint EBA/ESMA guidelines provide a common methodology. Supervisors may object to appointments, require remedial actions, or remove members in defined cases, including where money laundering/terrorism financing (ML/TF) concerns arise.

Remuneration rules require institutions to adopt policies that align incentives with risk appetite and prudential objectives. Identified staff and material risk-takers are subject to proportionality-based constraints, including caps on variable remuneration relative to fixed pay, deferral and payout in instruments and malus/claw-back mechanisms. Shareholders’ oversight of remuneration frameworks, policy documentation and disclosure obligations underpin governance accountability. While the legal baseline applies EU-wide via CRD/CRR implementation, SSM banks may be subject to more intensive supervisory scrutiny, including thematic reviews and benchmarking exercises co-ordinated by the ECB, without altering the underlying legal standards that apply across the EU.

Staff Subject to the Remuneration Requirements

CRD remuneration rules apply to staff whose professional activities have a material impact on the institution’s risk profile, as identified under EBA RTS (material risk-takers), and to certain categories specified by regulation.

Remuneration Principles

Policies must promote sound and effective risk management and not encourage risk‑taking beyond the institution’s risk appetite. Variable remuneration is subject to malus/clawback, deferral and payout in instruments; proportionality may relax certain requirements for small and non‑complex institutions and staff with low variable pay. Institutions must disclose remuneration practices under Pillar 3 and participate in EBA benchmarking.

The EU’s AML/CFT regime, while primarily set out in sectoral AML/CFT legislation rather than in CRR/CRD, operates in close concert with prudential regulation and supervision. Institutions must comply with the new EU AML/CFT measures, comprising Directive No 2024/1640 (AMLD VI), Regulation No 2024/1624 (AMLR) and Regulation No 2024/1620 establishing the AMLA. This new architecture replaces key elements of the existing directives and establishes a dedicated EU AML Authority. In practice, money laundering and terrorist financing risks must be embedded within governance, the internal control framework and enterprise-wide risk management and are assessed as part of the SREP; material AML/CFT deficiencies may be treated as governance failings with prudential consequences.

Customer Due Diligence and Ongoing Monitoring

Institutions are required to operate risk-sensitive customer due diligence (CDD)/KYC processes at onboarding and throughout the relationship life cycle. This includes identifying and verifying customers and, where applicable, ultimate beneficial owners; assessing and documenting ownership and control structures; screening against relevant sanctions and watchlists; and conducting ongoing transaction monitoring calibrated to the customer’s risk profile. Enhanced due diligence must be applied in higher-risk situations, including for politically exposed persons (PEPs), complex or unusual transactions and higher-risk jurisdictions, with measures proportionate to the identified risks.

Group-wide AML/CFT policies and controls must ensure consistent standards across EU and non-EU branches and subsidiaries, including TCBs, with appropriate information-sharing and oversight arrangements.

Reporting, Record-keeping and Supervisory Co-Operation

Suspicious transaction and activity reports must be filed promptly with the relevant national Financial Intelligence Unit (FIU) in accordance with local rules implementing EU AML/CFT legislation. Credit institutions must maintain comprehensive records, ensure data quality and retrievability and provide timely, accurate information to competent authorities upon request. Effective co-operation with FIUs, prudential supervisors and, where relevant, law enforcement is integral to the EU’s co-ordinated AML/CFT architecture.

Internal Control, Resourcing and Accountability

Credit institutions must appoint a designated AML/CFT compliance officer with adequate authority and independence, ensure proportionate staffing, training and technological resources and adopt risk-based policies and procedures that are regularly reviewed and validated. AML/CFT considerations should be integrated into the three lines of defence, with clear management body accountability, periodic independent testing and escalation protocols. Supervisors assess the adequacy of these arrangements as part of broader governance evaluations; persistent weaknesses may trigger supervisory measures and enforcement.

Sanctions and Restrictive Measures

EU-level sanctions and restrictive measures are directly binding and must be fully reflected in screening, onboarding, payment filtering and asset control processes. Institutions must implement asset freezes and transaction prohibitions for designated persons and entities, maintain audit trails and ensure rapid updates to lists and controls to reflect evolving measures, including those adopted on an urgent basis.

Supervisory Architecture and Convergence

The AML/CFT framework applies EU-wide, with national FIUs, competent authorities and law enforcement implementing and enforcing requirements in coordination. The EU’s newly established Anti-Money Laundering Authority (AMLA) is intended to enhance convergence, strengthen direct and indirect supervision and promote uniform application across Banking Union and non-Banking Union jurisdictions, including through supervisory oversight, regulatory powers and enforcement. EU-level standards, supported by EBA guidelines and supervisory handbooks, guide expectations. Ultimate compliance outcomes, including enforcement and governance accountability, remain the responsibility of national authorities and sectoral supervisors, subject to the emerging EU-level oversight model.

The Deposit Guarantee Schemes Directive (DGSD) establishes uniform coverage levels for eligible deposits per depositor per institution across the EU, harmonises payout timeframes and information obligations and mandates DGS membership and funding arrangements. It preserves national administration of schemes, including contributions, target funding levels and governance structures. EU credit institutions must participate in national DGSs in their home member state, and branches in host states are covered by the home scheme under home/host co-operation.

Within the Banking Union, depositor protection follows the same harmonised yet national scheme model. While the SRM delivers centralised resolution decision-making and common resolution funding, deposit insurance has not been centralised and proposed mutualisation options remain politically unsettled. Consequently, depositor protection is an EU-wide framework administered domestically, and Banking Union participation does not alter scheme administration, even though supervisory and resolution aspects may be centralised.

EDIS

A proposal for an EDIS would, if adopted, provide a common liquidity support mechanism for Banking Union DGSs. Legislative progress remains uncertain; until then, DGSD remains the operative framework across the EU.

DGS Organisation

National DGSs are designated and supervised under member state law implementing DGSD. Eligible deposits held by branches of EU credit institutions are covered by the home state DGS; third‑country branches must disclose applicable protection.

DGS Funding

National DGSs are funded ex ante through risk‑based contributions by member institutions, with back‑up financing arrangements ex post as needed. Target levels and financing instruments are set by the DGSD and national law.

Covered Depositors and Deposits

Coverage generally extends to natural persons and SMEs, with exclusions for certain financial institutions and public sector entities. Temporary high balances may enjoy special protection subject to national transposition.

Limits of Coverage

Standard coverage is up to EUR100,000 per depositor per bank across the EU, harmonised under the DGSD.

Other Guarantee Schemes

Sector‑specific or national schemes may exist (eg, investor compensation schemes) in parallel; they do not affect DGSD coverage but can interact in specific cases.

Basel III Standards Implementation

Although Basel III standards do not have direct legal effect in the EU, their substance has been progressively incorporated into EU law through the CRR and the CRD. As a result, the prudential regime applicable to EU credit institutions broadly reflects the Basel Framework, adapted to EU-specific objectives and applied across the entire EU banking sector. Within the Banking Union, certain additional specific supervisory expectations apply. 

Legislative Waves of Implementation

The EU has implemented Basel III through three principal legislative waves, each extending and refining the prudential framework:

  • June 2013: CRR and CRD IV introduced the core Basel III capital, leverage and liquidity standards into EU law and established the single rulebook format, with the CRR directly applicable and the CRD transposed at member state level.
  • May 2019: CRR II and CRD V largely completed implementation of the initial Basel III package, enhancing the leverage and liquidity regimes, revising counterparty credit risk and market risk elements and advancing supervisory harmonisation.
  • May 2024: CRR III and CRD VI finalised the reforms in the “Basel 3.1 package” in EU law, introducing the output floor and revising Pillar 1 methodologies for credit risk, operational risk, market risk (including the Fundamental Review of the Trading Book (FRTB)) and Credit Valuation Adjustment (CVA).

Scope and Core Content of the CRR/CRD Framework

The CRR/CRD framework implements Basel standards across Pillar 1, the leverage ratio and liquidity requirements, culminating in CRR III’s completion of the Basel 3.1 package. CRR III and CRD VI, in particular, are designed to finalise the EU’s implementation of Basel III and introduce EU-specific reforms by:

  • introducing an output floor on risk-weighted assets to constrain model variability and improve comparability across institutions using internal models;
  • overhauling market risk requirements through the FRTB framework, coupled with related adjustments to internal model permissions and standardised approaches;
  • revising standardised and internal ratings-based approaches to credit risk, including recalibrations and new treatments for specific asset classes;
  • replacing legacy operational risk approaches with the new standardised approach;
  • strengthening the prudential treatment of CVA risk, while maintaining defined exemptions and enhancing supervisory monitoring of exempted positions; and
  • establishing a harmonised regulatory and supervisory framework for TCBs under CRD VI, covering authorisation, classification, minimum capital endowment, liquidity requirements, governance, booking standards, periodic reporting, systemic importance assessments and subsidiarisation powers.

These measures sit alongside the existing leverage ratio and liquidity standards and collectively align the EU’s prudential architecture with the final elements of the Basel III framework.

EU-Specific Calibrations and Policy Choices

While implementing Basel standards, the EU has exercised targeted discretions and calibrated certain measures (importantly, within the Banking Union any national options and discretions exercised by NCAs in respective EU member states have been streamlined) to reflect its broader scope of application and policy priorities. Notable EU-specific elements include:

  • application to all EU credit institutions, not solely to internationally active banks, thereby reinforcing a consistent single rulebook and level playing field across the Single Market;
  • enhanced ESG-related governance and disclosure expectations and supervisory tools, reflecting the integration of environmental and broader sustainability risks within prudential supervision; and
  • transitional and targeted treatments in areas with particular EU relevance, such as unrated corporates and strategic equity investments, as well as interim prudential treatments for certain crypto-asset exposures pending the full implementation of the Basel standard.

These adjustments operate within the boundaries of the international framework while addressing European market specificities and financial stability considerations.

Consolidation of the EU Prudential Regime and TCBs under CRD VI

With CRR II and CRD V, the EU effectively completed the implementation of the original Basel III reforms. The subsequent adoption of CRR III and CRD VI finalises the Basel 3.1 package in EU law, consolidating the prudential regime in line with international standards and complementing it with EU-specific policy choices, including market access for TCGs, TCEs and, more importantly, TCBs. The result is a comprehensive, risk-sensitive and more harmonised prudential framework, implemented directly via the CRR and through national transposition of the CRD, and designed to support resilience, comparability and supervisory convergence across the EU banking sector.

CRD VI introduces an EU-wide, harmonised regime for TCBs in the EU:

  • Authorisation and classification require branch authorisation in the host member state and introduce classification of TCBs by size/risk profile, with proportionate prudential expectations.
  • Minimum prudential standards establish EU standards for local endowment, governance, risk management, reporting and booking controls (including local management of material risks and limits on back-to-back or remote booking), aiming to ensure that risks generated in the EU are appropriately managed and overseen locally.
  • Supervisory powers and subsidiarisation enhance host authorities’ powers to restrict activities or require subsidiarisation where the TCB’s scale or risk profile warrants EU incorporation, or where supervisory co-operation with the third-country home authority is inadequate.
  • Macroprudential co-ordination provides mechanisms for co-ordination across member states and, within the Banking Union, with the ECB/SSM on systemic risk issues affecting TCBs, while preserving the principle that supervision remains with national competent authorities.
  • Transitional arrangements include transitional provisions for existing branches to migrate into the harmonised regime following national transposition and EU application timelines.

This new framework does not convert TCBs into EU credit institutions, nor does it subject them to CRR Pillar 1 capital or leverage ratios. Instead, it creates branch-specific prudential, governance and reporting obligations at EU level, while preserving the application of CRR/CRD requirements to EU-authorised institutions and their subsidiaries.

Risk Management Rules

Risk management is anchored in the ICAAP and the ILAAP, with supervisory authorities conducting Pillar 2 reviews to set institution-specific capital and liquidity add-ons that reflect the firm’s business model risks and the quality of its governance, risk management and control framework. Consistent with the principle of proportionality, Pillar 2 requires that ICAAP and ILAAP be calibrated to the institution’s risk profile and rigorously address concentration risks, interest rate risk in the banking book (IRRBB), model risk, outsourcing and other third-party risks, and information and communication technology (ICT) and security risks, and that they incorporate robust stress testing, clear risk appetite metrics and recovery indicators. These expectations are articulated in detail in the EBA and ECB supervisory guides, which are applied with particular granularity within the SSM, while Pillar 3 disclosures reinforce market discipline and transparency by providing stakeholders with consistent, decision-useful information on risk and capital adequacy.

For Banking Union institutions using internal models, ECB approval and ongoing monitoring apply under the ECB Guide to Internal Models. Banks should maintain comprehensive model inventories, validation and governance standards that meet targeted review of internal models (TRIM)-style benchmarks, with clear evidence of representativeness, data quality, prudent parameterisation and back-testing. Remediation plans must be time-bound and resourced, recognising that SSM scrutiny of credit risk, market risk/FRTB and IRRBB models is intensive and may result in measures, add-ons or permissions withdrawal. Disclosure narratives should explain output floor bindingness and model changes through the lens of SSM supervisory dialogue.

Equally, data governance, both generally and for risk management specifically, has heightened importance in the Banking Union given ECB reliance on granular datasets. Institutions should strengthen data lineage, reconciliation and controls to meet analytical credit datasets (AnaCredit) and financial reporting quality benchmarks while preparing for the integration of the Integrated Reporting Framework (IReF). Programmes should prioritise supervisory data accuracy, timeliness and explainability, with independent assurance over key metrics and alignment to BCBS 239 principles as operationalised by the SSM.

Capital and Liquidity Requirements

EU capital and liquidity requirements distinguish between (i) EU credit institutions (including EU-authorised institutions and EU subsidiaries of TCGs) and (ii) non-EU credit institutions active in the EU via TCBs or other non-authorised establishments, and clarify the split between EU-wide rules (CRR/CRD and related Delegated Acts, including the new CRD VI regime for TCBs) and Banking Union overlays (SSM/SRM policies applicable in the euro area).

In summary:

  • Initial Capital (EU-Wide v TCBs in the EU): EU credit institutions must maintain a minimum amount of paid-up initial capital of EUR5 million to obtain EU authorisation. EU subsidiaries of third-country groups are treated as EU credit institutions for authorisation and prudential purposes. By contrast, TCBs are not authorised as EU credit institutions but, under CRD VI, will be subject to a harmonised EU authorisation and prudential framework. That framework introduces EU-level rules on branch authorisation, local endowment requirements, governance and reporting, replacing the prior patchwork of purely member state-specific regimes.
  • Risk-Based Capital Ratios (EU-Wide): For EU credit institutions (including EU subsidiaries of third-country groups), the EU-wide Pillar 1 minima apply: a total capital ratio of 8% of RWA, including at least 6% Tier 1, of which 4.5% must be Common Equity Tier 1 (CET1). On top of these minima, institutions must meet the combined buffer requirement: the CCoB of 2.5% CET1, any applicable CCyB, and institution-specific systemic buffers such as the G-SII buffer, O-SII buffer, and any SyRB set by national authorities under CRD. TCBs are not subject to the EU CRR Pillar 1 capital ratios as branches; instead, CRD VI establishes branch-level prudential standards (including endowment, governance and booking controls) and enhanced supervisory powers, with capital requirements continuing to apply at the head office/third-country group level under home country rules.
  • Leverage Requirements (EU-Wide): EU credit institutions are subject to the leverage ratio minimum, with an additional leverage buffer for G-SIIs. These non-risk-based standards operate alongside the risk-based framework and are calibrated under the CRR and Delegated Regulations. TCBs remain outside the scope of the EU leverage ratio regime; CRD VI does not extend CRR leverage requirements to branches, although member states may impose branch-specific constraints consistent with the EU framework.
  • Liquidity Standards (EU-Wide): EU credit institutions must comply with the LCR and the NSFR. The LCR requires sufficient high-quality liquid assets to withstand a severe 30-day stress; the NSFR promotes stable funding over a longer horizon relative to assets and off-balance sheet activities. Detailed calibrations, asset eligibility and treatments of collateral and securities financing transactions (SFTs) are set out in the CRR/CRR II/III and relevant Delegated Regulations. TCBs are not directly in scope of LCR/NSFR under CRR; under CRD VI, branches will face harmonised EU liquidity governance and booking requirements (eg, local liquidity risk management and reporting), while quantitative LCR/NSFR metrics continue to apply to EU credit institutions.
  • Systemic Institutions and Loss Absorbency (EU-Wide v Banking Union): EU-wide, G-SIIs are subject to heightened capital via a CET1 G-SII buffer and parallel non-risk-based leverage buffers and must meet loss absorbency and recapitalisation standards (eg, Total Loss Absorbing Capital (TLAC)/MREL requirements) in tandem with supervisory Pillar 2 requirements. Within the Banking Union, ECB-led SSM supervision applies to significant institutions, including setting Pillar 2 Requirements (P2R) and Pillar 2 Guidance (P2G) through the SREP process, and the SRB implements MREL policies under the SRM. The ECB may also apply top-up macroprudential measures (eg, buffers) over national decisions. TCBs are supervised by national competent authorities under CRD VI; they are not brought into SSM as EU credit institutions, though co-ordination mechanisms with the ECB may operate in the Banking Union for systemic risk considerations. Non-Banking Union EU members remain under NCAs/EBA frameworks for these overlays.
  • Large Exposures (EU-Wide v Branches): EU credit institutions are subject to the CRR large exposure regime, which caps exposures relative to Tier 1 capital and applies connected client aggregation principles, with special limits for certain counterparties and consolidation across groups where applicable. Under CRD VI, TCBs will be subject to harmonised EU constraints on concentration risk and exposures, aligned with CRD/CRR concepts, while full CRR large exposure rules continue to apply to EU credit institutions.

The EU’s crisis management architecture hinges on credible recovery planning, resolvability assessments and resolute execution of resolution tools. Recovery plans set out escalation triggers, recovery measures and critical business function protections; resolution plans determine preferred strategies and MREL to ensure loss-absorbing capacity and facilitate orderly resolution without taxpayer bailouts. The BRRD provides the toolkit – bail-in, sale of business, bridge institution and asset separation – and establishes procedural safeguards and creditor hierarchy.

Within the Banking Union, the SRM centralises resolution planning and decisions for SIs and cross-border groups falling within its competence, with the SRB in the lead and NRAs implementing measures domestically. The SRF supports resolution financing in Banking Union states under strict conditions.

In summary, resolvability is assessed centrally by the SRB. Banks are expected to evidence credible bail-in execution capability, including liabilities data, instrument terms alignment, communications playbooks and agent bank arrangements. Separability analysis and transferability of critical functions must be supported by operational blueprints. Continuity of access to financial market infrastructures (FMIs) and payment/settlement systems should be demonstrated through tested contingency arrangements, recognising SRB’s focus on operational continuity, governance and third-party dependencies.

A further SRB priority is operationalising liquidity in resolution. Institutions are expected to maintain SRB-aligned liquidity in resolution playbooks covering collateral mobilisation, central bank facilities access mechanics, FMI margin and settlement obligations, and intercompany flows. Pre-positioning strategies (resolution liquidity adequacy and positioning (RLAP)/resolution liquidity adequacy capacity (RLAC)) should be documented, with legal and operational arrangements enabling rapid liquidity execution under stress. Dry runs and simulation exercises with NRAs/SRB should be reflected in remediation plans and board oversight.

Outside the Banking Union, the BRRD and national resolution authorities operate the same toolkit, but without centralised SRB oversight or access to the SRF. Non-Banking Union institutions co-ordinate with national resolution authorities and cross-border colleges to ensure consistency, acknowledging that resolution execution will be national but aligned to EU standards. Co-operation amongst NRAs is maintained via cross-border resolution colleges and EBA mediation powers.

Insolvency

Outside regulator-led bank resolution intervention, national law-governed bank insolvency/liquidation regimes apply, subject to EU law constraints (state aid; BRRD hierarchy alignment). CRD VI clarifies supervisory withdrawal of authorisation where “failing or likely to fail” (FOLTF) and “no alternative” conditions exist but public interest for resolution is not met.

Recovery

Firms must prepare recovery plans with options to restore viability under stress and defined indicators for escalation. Authorities can apply early intervention measures where deterioration threatens viability, including business restrictions and governance changes. Resolvability assessments focus on separability, valuation preparedness, bail-in execution and operational continuity of critical functions.

Resolution

Resolution planning identifies critical functions, preferred resolution strategies (single point of entry (SPE)/multiple point of entry (MPE)), MREL calibration and internal TLAC and resolvability deliverables (bail‑in playbooks, valuation, separability, continuity of access). In the Banking Union, SRB policies and the SRF overlay apply; elsewhere, NRAs implement BRRD transposition, co-ordinated via EBA and cross‑border colleges. The Commission’s proposed Crisis Management and Deposit Insurance (CMDI) reforms are expected to refine resolution triggers, public purchase and assumption (P&A) financing for resolution and interactions with deposit guarantee schemes.

EU Requirements

EU sustainability frameworks for banks serve two principal purposes: transparency and alignment. Transparency is driven by cross-cutting disclosure regimes that enable market discipline and comparability. Alignment is achieved through harmonised definitions, prudential integration of ESG risks and supervisory expectations that embed climate and environmental considerations into banks’ strategies and risk frameworks.

CRR III introduces harmonised definitions of ESG risks, specifically in CRR Article 4(1)(52d-52i), and strengthens quantitative and qualitative disclosure, including enhanced Pillar 3 disclosures for large institutions. CRD VI embeds ESG into governance, risk management and supervision, including board composition and oversight (Article 91), risk management frameworks (Article 87a), the Supervisory Review and Evaluation Process (Article 98) and prudential transition planning (Article 76). The European supervisory authorities have a mandate to develop joint guidelines on ESG stress testing (Article 100) and the EBA has issued guidelines on ESG risk management, further operationalising expectations for identification, measurement, monitoring and control of climate-related and environmental risks.

The Sustainable Finance Disclosure Regulation (SFDR) requires entity- and product-level sustainability disclosures from financial market participants, including banks, when they provide investment services or offer in-scope products, thereby enhancing consistency and comparability of information for clients and investors. The Taxonomy Regulation supplies the common classification of environmentally sustainable economic activities, informing both disclosure and investment decision-making and anchoring target-setting and reporting against a harmonised benchmark. Corporate sustainability reporting standards apply to large companies and listed entities, requiring comprehensive reporting on sustainability matters, which in turn enriches banks’ counterparty data and supports portfolio-level assessments.

Banks must incorporate sustainability considerations across their internal frameworks. This includes board-level oversight and expertise, risk identification and appetite calibration, scenario analysis and stress testing, data governance and metrics and internal control functions. Product governance and client-facing processes must reflect sustainability factors, including assessment of client sustainability preferences where relevant, with corresponding disclosures that are clear, fair and not misleading. These requirements operate alongside public commitments – such as net zero trajectories, interim sectoral targets and engagement strategies – which, while often voluntary in origin, create supervisory and market expectations that reinforce prudential objectives.

The ECB and national supervisors have intensified scrutiny through thematic reviews, on-site inspections, climate risk assessments and stress tests, leading to more granular expectations on integration timelines, data remediation and risk quantification. Within the SSM, the ECB’s climate-related expectations function as a convergence baseline and a Banking Union-specific supervisory overlay for institutions in the Banking Union. Outside the Banking Union, supervisory execution is guided by the EBA and national prudential authorities, but the underlying legal obligations remain EU-wide, supporting a consistent level of resilience and disclosure.

International Banking Industry’s Initiatives

Industry bodies and coalitions – such as the United Nations Environment Programme Finance Initiative (UNEP FI) Principles for Responsible Banking and the Net Zero Banking Alliance – complement EU rules by informing strategy, target-setting methodologies, sectoral pathways and disclosure practices. While voluntary, these frameworks shape market norms, interact with prudential transition planning and can influence supervisory dialogue where banks’ public commitments imply measurable implementation trajectories.

National Requirements

Member states may introduce supervisory expectations or disclosure overlays, provided they remain consistent with EU law and do not fragment the single rulebook. In practice, national competent authorities have used guidance, “comply or explain” expectations and targeted reviews to accelerate implementation, while SSM-level co-ordination promotes convergence for cross-border groups.

EU-Wide Developments

The main upcoming regulatory developments expected to have an impact on banks operating in the EU are outlined below.

Retail conduct and market reforms (MiFID/Markets in Financial Instruments Regulation (MiFIR); Retail Investment Strategy (RIS))

The EU’s retail and markets conduct framework is undergoing significant recalibration that will materially affect banks’ distribution, product governance and inducement models. The MiFIR review and associated MiFID amendments advance consolidated tape, market structure and transparency changes; in parallel, the Commission’s RIS proposes tighter value-for-money expectations, enhanced disclosure simplification and targeted curbs on inducements in certain retail contexts. Banks providing investment services should anticipate revisions to product oversight, suitability/appropriateness processes, client communications and remuneration structures for sales staff, ensuring alignment across prudential governance, conduct controls and ESG preference assessments where relevant. Supervisory scrutiny of mis-selling risks is expected to intensify, with convergence tools deployed by ESMA and national authorities to promote consistent outcomes.

Payments overhaul (PSD3, Payment Services Regulation, instant payments)

EU payments law is being modernised through a two-pillar approach comprising a new Payment Services Directive 3 (PSD3) and a directly applicable Payment Services Regulation (PSR). Together with the instant payments regulation mandating 24/7 euro credit transfers, these measures strengthen fraud prevention (including International Bank Account Number (IBAN)/name check), refine strong customer authentication, reinforce access to account/RTS on strong customer authentication (SCA)/common and secure open standards of communication (CSC) and recalibrate authorisation and supervision of payment institutions. Banks must integrate real-time sanctions screening, AML/CFT monitoring and operational resilience for instant payments, update contractual arrangements with third-party providers (TPPs) and ensure coherent implementation of SCA across channels. Host state conduct overlays remain applicable, but prudential impacts – including operational risk and ICT resilience under DORA – should be embedded into the control framework.

Derivatives and market infrastructure (EMIR 3.0, CSDR refit)

The European Market Infrastructure Regulation (EMIR) reforms further develop central counterparty (CCP) supervision and EU clearing resilience, including the “active account” requirement for certain euro-denominated derivatives, strengthened margin and collateral transparency and enhancements to reporting and data quality. Banks with derivatives books should reassess clearing strategies, counterparty risk management, collateral transformation practices and operational readiness for reporting changes, recognising overlaps with DORA (ICT/data integrity) and CRR market risk/CVA adjustments. In post-trade, the Central Securities Depositories Regulation (CSDR) refit eases settlement discipline while reinforcing supervisory oversight and operational continuity at central securities depositories (CSDs) – relevant for custody, issuance and securities financing businesses.

Data, AI and cybersecurity overlays (General Data Protection Regulation (GDPR), Data Act, AI Act, Network and Information Security Systems 2 (NIS2))

Beyond DORA, EU horizontal regimes shape banks’ data governance and technology deployment. GDPR enforcement and cross-border data transfer constraints – now framed by the EU–US Data Privacy Framework (DPF) – necessitate sustained controls over lawful processing, minimisation, and vendor oversight. The Data Act introduces rights and obligations around access to and sharing of data generated by products and services, including in financial services ecosystems. The AI Act classifies certain AI use cases – such as credit scoring and risk assessment – as high risk, requiring risk management, data governance, transparency and human oversight; banks should inventory AI systems, document conformity and adjust model governance accordingly. NIS2 extends cybersecurity obligations for essential entities; banks must ensure consistency across DORA ICT controls, NIS2 cyber obligations and GDPR security of processing.

Sanctions and restrictive measures: operationalisation and circumvention risk

EU restrictive measures have expanded rapidly and are directly applicable; banks must maintain agile list management, comprehensive ownership/control look-through and robust circumvention detection (eg, trade flows, transshipment routes, complex corporate structures). Controls should cover onboarding, payment filtering, asset freeze administration and exit strategies for sanctioned exposures. Governance should document escalation and decision-making, with periodic independent testing of sanctions screening effectiveness and remediation tracking, recognising that sanctions failings frequently trigger both conduct and prudential consequences.

Sectoral asset class regimes: securitisation and covered bonds

The EU securitisation framework embeds due diligence, risk retention and transparency requirements, with short-term business statistics (STS) providing preferential regulatory treatment subject to strict criteria. Banks acting as originators, sponsors or investors must maintain documented verification of compliance and integrate securitisation risks into ICAAP and model risk oversight. The covered bonds directive harmonises structural features and supervision; issuance programmes should evidence asset quality, cover pool management, liquidity buffers and investor disclosure, aligning prudential and resolution separability expectations.

Resolution liquidity and CMDI refinements

The CMDI package is expected to enhance early intervention measures, improve interaction with the CGSs and refine the public financing of transfer tools. Additionally, it aims to clarify the withdrawal of authorisation when FOLTF conditions are met but there is no public interest in resolution. A critical operational dimension – liquidity in resolution – requires banks to develop playbooks, collateral mobilisation strategies and FMI access continuity plans that demonstrate credible liquidity execution under stress. Institutions should align recovery and resolution plans with SRB expectations on separability, bail-in execution, valuation readiness and continuity of access to payment/settlement systems.

MREL/TLAC and capital stack interactions (MDA constraints and buffers)

Loss-absorbing capacity expectations continue to tighten. Banks should articulate internal TLAC/MREL frameworks, subordination strategies and issuance plans and model interactions between combined buffer requirements, P2R/P2G and MREL breaches, including management of maximum distributable amount (MDA) constraints for distributions, Additional Tier 1 (AT1)/Additional Tier 2 (AT2) coupons and variable remuneration. Disclosure of stack resilience and contingency measures enhances market discipline and supervisory dialogue.

Third-country market access: services, branches and booking

While CRD VI harmonises TCB authorisation, classification and prudential expectations, market access for non-EU banks remains constrained in the absence of an EU-wide services passport. Banks should assume a strict reading of the perimeter: cross-border services into the EU are generally limited, with reverse solicitation narrowly construed. Booking models must ensure that risks generated in the EU are managed locally, with clear governance over back-to-back transactions and remote booking to prevent supervisory arbitrage. Colleges and co-operation arrangements will be pivotal, but host authorities retain enhanced powers to require subsidiarisation where warranted.

Consumer credit and mortgage frameworks: CCD recast and mortgage conduct

The consumer credit directive recast expands scope and strengthens advertising, pre-contractual disclosure and affordability assessments, with digital channels explicitly addressed. Mortgage credit rules continue to emphasise responsible lending and appraisal standards; banks should align product governance, affordability metrics and vulnerable customer frameworks, integrating ESG and energy efficiency considerations where they intersect with collateral values and lending policies.

Competition/technology interface (DMA, card payments, wallets)

Digital platform regulation – particularly the Digital Markets Act (DMA) – affects payments initiation, wallet interoperability and default settings that shape consumer journeys. Banks should monitor gatekeeper obligations, ensure fair access and preserve competitive neutrality in digital payments ecosystems. Interchange fee constraints and evolving card network rules require pricing and conduct alignment; consumer protection authorities increasingly co-ordinate with competition enforcement in retail payments.

RTS/ITS roll-out under CRR III/CRD VI

CRR III/CRD VI mandates extensive secondary legislation. Institutions should track and implement EBA/ESMA/ECB technical standards on credit risk (including real estate exposures), FRTB market risk permissions and reporting, operational risk, CVA, ESG Pillar 3 templates and TCB governance/reporting. Transitional arrangements and phase-ins will affect model approvals, output floor bindingness across portfolios and disclosure sequencing; the supervisory calendar should be integrated into programme plans with board oversight.

Banking Union-Specific Developments

Regarding the Banking Union’s framework, many regulations and directives are expected to affect credit institutions in the coming year.

CMDI alignment within the SRM and interactions with national DGSs

CMDI reforms will refine the use of transfer tools and public financing in bank crises and clarify supervisory withdrawal of authorisation where FOLTF is met but public interest for resolution is absent. Banking Union institutions should update recovery and resolution plans to reflect SRB guidance on purchase and assumption financing, DGS contribution mechanics and early intervention triggers, with explicit documentation of governance escalation, valuation readiness and creditor hierarchy application under the SRM Regulation.

Third-country branches in the Banking Union: SSM co-ordination and booking controls

While third-country branches remain supervised by host NCAs under CRD VI, the Banking Union introduces SSM co-ordination for systemic risk considerations. TCEs and TCGs operating TCBs in Banking Union states should implement robust local governance, liquidity risk management and booking controls, ensuring that risks generated in the euro area are managed locally, and document co-operation arrangements with the SSM, SRB and NRAs for colleges and crisis management. Group booking models must preclude supervisory arbitrage and preserve resolvability.

Cross-border waivers and intragroup flows within the Banking Union

Capital and liquidity waivers and intragroup financial support arrangements may be facilitated within the SSM/SRM framework subject to supervisory approvals and safeguards. Institutions should assess the feasibility and benefits of waivers for Banking Union entities, design support agreements consistent with resolution strategies and ensure that intragroup exposures, guarantees and operational services are structured to enhance resilience and resolvability rather than create impediments.

ECB climate supervisory expectations and Banking Union stress testing

Banking Union institutions should explicitly integrate ECB climate expectations and SSM stress testing methodologies into risk management. This includes board oversight, scenario analysis, transition and physical risk quantification, and remediation plans for data gaps. Pillar 2 engagement should demonstrate credible timelines and resource allocations, with internal audit validating integration and controls consistent with SSM guidance.

PwC Legal

Friedrich-Ebert-Anlage 35-37
60327 Frankfurt am Main
Germany

+49 160 97375760

legal.pwc.de/en
michael.huertas@pwc.com

Trends and Developments



EU Banking Regulation: Key Trends and Developments for 2026

The EU financial regulatory landscape has entered a period of intense consolidation and recalibration, with 2026 marking a critical juncture for several key initiatives. The European Commission’s legislative pipeline from the last mandate is crystallising into Level 1 measures accompanied by an ambitious programme of technical standards and supervisory convergence, notably driven by the European Supervisory Authorities’ (ESAs) Annual Work Programmes. Firms are simultaneously responding to new prudential requirements, market structure reforms, digital finance initiatives, an evolving sustainability disclosure framework and the operationalisation of new authorities such as the Anti-Money Laundering Authority (AMLA). This article sets out the most consequential developments for 2026 and their practical impact across markets, distribution, prudential policy, market infrastructure, digital assets, payments and sustainable finance, while also considering the simplification and burden reduction agendas.

Markets and Distribution: From MiFID II Review to Retail Strategy

EU policymakers are pursuing a twin track: improving investor outcomes while tightening product governance and distribution discipline. The MiFID II/MiFIR review, the Retail Investment Strategy and refinements to the Packaged Retail and Insurance-based Investment Products (PRIIPs) and European Long-Term Investment Fund (ELTIF) regimes are together reshaping retail access, inducements, disclosures and suitability.

The MiFIR review advances market structure changes that are primarily wholesale in character, yet they indirectly influence retail distribution through impacts on liquidity, transparency and best execution. The review’s recalibration of consolidated tape architecture and the authorisation and supervision of the first Consolidated Tape Providers for bonds and equities will be major developments designed to enhance price formation and routing quality across instruments. For distributors, enhanced transparency tools will increase the evidentiary burden around best execution monitoring and the calibration of distribution strategies for packaged products. The European Securities and Markets Authority (ESMA) will continue to supervise market transparency infrastructures, with a focus on data quality and operational resilience.

In parallel, the Retail Investment Strategy reflects a policy intention to improve net returns for retail investors, curtail poor-value products, and strengthen the suitability and appropriateness regimes. The debate on inducements – whether to prohibit, restrict or further condition them – signals a steady move towards greater scrutiny of conflicts of interest and the economics of distribution chains. Even without an outright ban, firms should anticipate more granular product governance obligations, stricter value-for-money assessments, and enhanced disclosures around costs and charges, with supervisors increasingly using thematic reviews to test outcomes rather than conformity alone. Conduct-focused supervisory convergence and sanctions reporting will increasingly inform risk-based targeting, making consistency and clarity in consumer-facing materials more critical.

The PRIIPs regime continues to evolve with a view to simplifying Key Information Document (KID) disclosures and aligning performance narratives with real-world outcomes. The ESAs expect to draft Regulatory Technical Standards (RTS) to streamline the PRIIPs KID – particularly performance and cost disclosures – while continuing supervisory convergence work and providing guidance on practical application. In anticipation of potential RTS, firms should plan for methodology recalibrations, template updates and end-to-end governance approvals, alongside clear distributor communications. The direction of travel is towards fewer inconsistencies between UCITS and PRIIPs, less reliance on modelled performance for complex products, and a stronger link to product target market and distribution constraints. Distributors should expect more prescriptive expectations around how the KID is used in the advice and sales process, not merely delivered.

ELTIF 2.0 has materially broadened the regime’s usability for both institutional and retail channels by easing eligible asset criteria, improving liquidity options and simplifying portfolio composition rules. It is now a viable wrapper for long-term strategies, with the potential to channel retail capital into private markets under controlled conditions. Nonetheless, national supervisors retain a cautious stance: firms must demonstrate that liquidity management tools, valuation governance and retail suitability are robust in practice, not merely compliant on paper.

Funds and Asset Management: AIFMD II and the Changing Perimeter

AIFMD II tightens the governance and oversight of delegation, liquidity risk management and loan-originating funds, while broadening the toolkit for cross-border activities. The regime does not prohibit delegation to third countries, but it does raise the supervisory bar for substance, oversight and reporting. Managers should anticipate more searching questions from supervisors around headcount, decision-making locus and the quality of oversight mechanisms, with a focus on the demonstrable capacity to manage risk and liquidity in stressed markets.

Loan-originating AIFs face more prescriptive risk retention, concentration and leverage requirements. The intent is to ensure that non-bank credit intermediation can expand safely, particularly as banks adjust to higher capital requirements under CRR3/CRD6. Managers operating club-deal structures or bespoke co-investment vehicles must remain vigilant on the “other AIF” perimeter: even sophisticated structures can fall within the AIF definition where investors lack direct operational control and act passively. National competent authorities have shown willingness to look beyond form to substance, challenging structures that appear engineered to avoid fund regulation while offering fund-like exposure and governance.

Prudential Policy: CRR3/CRD6 and the Non-Bank Interface

The finalisation of the Basel III implementation via CRR3/CRD6 introduces revised credit, market and operational risk frameworks together with output floors. Banks and insurers will need to align climate and broader ESG stress-testing frameworks to the ESAs’ joint guidelines, including scenario design, model risk governance and board oversight. Banks and insurers should also monitor capital impacts from External Credit Assessment Institution mapping changes, ensuring timely policy/system updates and maintaining robust change-management and validation routines. Firms will need to recalibrate risk-weighted assets, with potential consequences for financing costs across the real economy, including structured products, project finance and private credit intermediation. Supervisors will expect credible capital planning, model change management and a coherent approach to risk transfer. For non-banks, the shift may open opportunities as banks rebalance asset mixes; however, the spotlight on systemic non-bank leverage and liquidity risk will intensify, prompting closer monitoring of margining, collateral and liquidity tools.

The ongoing work on the Crisis Management and Deposit Insurance (CMDI) framework aims to strengthen resolution planning for medium-sized institutions and reduce the reliance on ad hoc solutions. The European Banking Authority (EBA) will prioritise mandates under the CMDI package, including new requirements for deposit guarantee schemes and early intervention measures. Although politically sensitive, the direction is towards greater predictability of resolution outcomes, more disciplined use of national tools and clearer depositor communications. From a client perspective, this should support confidence; from a market perspective, it underscores the value of resolvability as a competitive differentiator.

Market Infrastructure: EMIR 3.0, CSDR Refit and Settlement Discipline

EMIR 3.0’s most consequential feature is the “active account” requirement at EU Central Counterparty Clearing Houses (CCPs) for systemically important asset classes. Derivatives participants must enhance initial margin model governance and validation pipelines in light of EMIR 3, ensuring comprehensive documentation, back-testing and change controls. While the calibration of thresholds and metrics remains under supervisory scrutiny, firms should not treat the requirement as a box-ticking exercise: the expectation is for meaningful, risk-relevant activity to be maintained at EU CCPs, supported by risk management, collateralisation and operational readiness equal to that at third-country CCPs. This will require careful client communications to manage clearing splits, execution strategies that accommodate multiple netting sets, and thoughtful capital and margin impact analysis. ESMA’s supervision of CCPs will be shaped by the implementation of EMIR 3, focusing on resilience, governance and risk management.

The Central Securities Depositories Regulation (CSDR) Refit continues to evolve settlement discipline through a more proportionate framework. The mandatory buy-in regime has been reshaped to avoid procyclicality and unintended consequences, with a renewed emphasis on penalties, fails reporting and operational enhancements. ESMA’s supervision of Central Securities Depositories (CSDs) will be shaped by the CSDR Refit, focusing on their resilience, governance and risk management. CSDs should expect new or revised technical standards, guidelines and reporting requirements. Firms should anticipate deeper supervisory use of settlement metrics as indicators of control effectiveness, particularly for hard-to-borrow securities, securities financing transactions and corporate actions. The overarching supervisory narrative is outcomes-based: fewer fails, better inventory management and robust fails remediation are the ultimate yardsticks.

Digital Assets and Digital Finance: MiCA, DLT and DORA

MiCA’s operationalisation is one of the defining milestones of the current cycle. Crypto-asset service providers (CASPs) face an authorisation and conduct regime emphasising prudential soundness, safeguarding of client assets, organisational resilience and market integrity. ESMA will provide guidance on the authorisation and supervision of CASPs. Asset-referenced tokens and e-money tokens carry heightened obligations, including reserve asset governance, redemption mechanics and stringent disclosure obligations, with the EBA directly supervising significant asset-referenced and e-money token issuers. The broad policy thrust is to normalise high-quality crypto intermediation while squeezing out lightly governed business models. Firms operating cross-border should carefully map passporting routes, interactions with anti-money laundering (AML) obligations, and the interplay between MiCA and payment/e-money regimes. The EBA will also expand its peer reviews to include MiCAR white papers, supporting convergence in MiCAR implementation.

The DLT Pilot Regime offers a controlled sandbox for trading and settlement systems based on distributed ledger technology. Early participants are learning that the regulatory reliefs are meaningful but not limitless: interaction with CSDR, MiFID II and EMIR remains complex, and supervisors expect genuine risk mitigation rather than novelty. Governance, cyber resilience and end-to-end control frameworks are the differentiators; proof of concept is no longer sufficient.

The Digital Operational Resilience Act (DORA) establishes a horizontal framework for ICT risk management across financial entities. 2026 will see DORA enter a maturity phase with tangible oversight of systemic ICT dependencies via critical third-party provider (CTPP) examinations, formal oversight plans, and EU-level incident and crisis co-ordination under the Pan-European Systemic Cyber Incident Coordination Framework (EU-SCICF). The implementation challenge is not merely compliance with new policies and testing requirements but the harmonisation of third-party risk management, incident reporting and threat-led penetration testing across group structures and multiple national regimes. CTPPs face direct oversight, with a lead overseer and Joint Examination Teams undertaking risk assessments, setting oversight plans and issuing recommendations. Implications for firms include more robust demands on ICT concentration risk management, exit/substitutability planning, and incident classification and root-cause analysis aligned with supervisory taxonomies. Contractual repapering pressures may arise as CTPP recommendations cascade down to access, audit, data portability, sub-outsourcing and termination/exit provisions. Boards should be prepared for a new cadence of supervisory engagement focused on operational resilience rather than traditional prudential metrics.

Payments and Open Finance: PSD3/PSR, Instant Payments and the Emerging Data Perimeter

The EU’s payments package – the revised Payment Services Directive (PSD3) and the accompanying Payment Services Regulation (PSR) – seeks to modernise the framework for strong customer authentication, tackle fraud more assertively, and streamline authorisation and supervision. The EBA anticipates over 50 new mandates under PSD3, PSR and the Financial Data Access Regulation (FIDAR), and will develop a roadmap to manage these efficiently. The regulatory push is towards higher consistency, clearer liability allocation in fraud scenarios and better consumer redress. For incumbents, the package will drive investment in authentication journeys that are both secure and user-friendly, while for fintechs it codifies obligations that may raise barriers for low-margin models.

The Instant Payments Regulation mandates SEPA instant payment capabilities and limits pricing differentials relative to standard credit transfers, reshaping liquidity and treasury expectations across retail and wholesale segments. Institutions must manage intra-day liquidity, sanction screening at speed and fraud monitoring with minimal false positives. As instant payment becomes the default, the line between payments and credit risk management blurs, with implications for prudential liquidity buffers and contingent funding strategies.

A broader open finance framework is emerging through the combination of data access rights, consumer control and interoperability standards across financial products beyond payment accounts. Although the legislative contours are still forming, the direction is towards standardised interfaces, clear consent requirements and an ecosystem where data-driven advice and product switching are easier. Distributors should anticipate a future where client data portability increases competitive churn and where robust data governance is both a compliance requirement and a commercial imperative.

AML/CFT and Supervisory Architecture: The AML Package and AMLA

The AML package advances a single rulebook and centralised supervision for certain high-risk entities. The establishment of AMLA will change the supervisory dynamic, with direct oversight of selected institutions and a co-ordinating role over national competent authorities. The EBA will transfer its existing AML and countering the financing of terrorism functions to AMLA. Expect more intrusive supervisory practices, harmonised risk assessments and increased data requests. For cross-border groups, the immediate task is to rationalise divergent national interpretations into a single, consistently applied group-wide programme, with technology and data lineage at its core. The tolerance for fragmented approaches is diminishing rapidly.

Sustainable Finance: SFDR Recalibration, CSRD, ESG Ratings and Green Labels

The EU’s sustainable finance architecture is moving from high-level disclosure mandates to a more refined suite that emphasises clarity, comparability and credibility. The Sustainable Finance Disclosure Regulation (SFDR) remains central but is undergoing recalibration to address classification ambiguity, greenwashing risk and data quality challenges. Firms should sustain current SFDR controls while preparing for definitional or template changes following the Level 1 review. Rather than a wholesale retreat from Article 8/9 labelling, they should prepare for tighter criteria, more explicit use of the Taxonomy in product design, and clearer expectations around stewardship, engagement and transition finance. Where ESG ratings are referenced in marketing, firms should establish standardised, well-governed website disclosures with robust oversight of rating use and update processes.

The Corporate Sustainability Reporting Directive (CSRD) expands corporate sustainability reporting and will gradually improve the investment chain’s data supply. However, the near-term effect is a two-speed market: large issuers provide more granular data, while SMEs lag. Asset managers must maintain robust estimation methodologies, disclose limitations candidly and demonstrate progressive data quality improvement over time. Supervisors are increasingly focused on whether sustainability claims are matched by governance, data and portfolio construction discipline.

An EU regulation on ESG ratings is advancing with the aim of improving transparency of methodologies, managing conflicts of interest, and ensuring that users understand scope and limitations. From mid-2026, ESMA will begin the registration and direct supervision of ESG rating providers, which will be subject to new authorisation, reporting and compliance requirements. For product governance, the implication is straightforward: do not rely on ratings as a single source of truth; triangulate multiple inputs, document judgements, and link ESG integration to investment outcomes rather than labels alone. Firms in these categories should engage early with ESMA’s processes and ensure their methodologies, governance and disclosure practices are robust and transparent.

Finally, the EU Green Bond Standard provides a high-quality, voluntary label aligned with the Taxonomy. From mid-2026, ESMA will also begin the direct supervision of external reviewers of European Green Bonds. Issuers and underwriters should treat it as a premium market segment: compliance costs are higher but so are signalling benefits, particularly where investor mandates favour taxonomy-aligned expenditure. Expect supervisors to look at processes underpinning allocation, impact reporting and external verification with the same seriousness as financial reporting controls.

Crypto, Securities Financing and Benchmark Reforms: Secondary Effects and Interlocks

MiCAR’s implementation interacts with securities financing and collateral markets in subtle ways. As crypto-asset exposures flow into regulated firms, risk management models must adapt to asset class idiosyncrasies, including liquidity fragmentation across venues and idiosyncratic stress dynamics. Policies around rehypothecation, client asset segregation and collateral eligibility will face renewed scrutiny, particularly where crypto exposures intersect with traditional financing activities.

Benchmark Regulation reforms continue to support orderly transition away from vulnerable benchmarks and ensure robust governance for critical and significant benchmarks. ESMA’s direct supervision of benchmark administrators, particularly those providing critical or third-country benchmarks, will intensify, focusing on robustness and resilience of methodologies, transparency and governance. A stable end-state is near, but firms should not underestimate legacy exposures in structured notes, retail-linked products and internal models. Supervisory expectations emphasise proactive remediation and client communications that are timely and comprehensible.

Insurance and Market Conduct: Solvency II and Cross-Sectoral Alignment

The Solvency II review seeks to enable long-term investment by insurers while preserving prudential soundness. Calibrations to the risk margin and volatility adjustment are designed to free balance sheet capacity, particularly for infrastructure and green investments. By January 2026, the ESAs will deliver joint guidelines setting high-level principles for ESG risk stress testing under Solvency II, to foster consistent approaches across sectors. With ELTIF 2.0 and the Green Bond Standard, the policy rationale is to align insurance asset allocation with strategic EU financing needs. In parallel, market conduct rules – particularly for insurance-based investment products – are converging with MiFID-inspired disciplines on conflicts, value for money and product oversight. Insurers distributing unit-linked products should expect tighter expectations around transparency of costs, performance illustrations and suitability processes for retail customers.

Operational and Cyber Resilience: Beyond Compliance to End-to-End Assurance

DORA is the headline instrument, but the supervisory conversation has broadened. Firms should expect a holistic assessment of resilience, integrating ICT risk, third-party dependencies, incident response and data recovery with business continuity and crisis communications. The ESAs will focus on digital operational resilience, including full CTPP oversight and crisis playbooks, ramping up incident reporting analytics culminating in an annual report on major ICT incidents. A major operational priority is the EU-SCICF, with 2026 focusing on operationalising and testing procedures. Firms should also expect heightened expectations around participation in cross-border cyber exercises and timely situation reporting. Boards will be judged on how resilience is embedded in strategic decisions, including cloud concentration risk, vendor lock-in and cross-border data flows. In practice, this shifts audit and assurance functions towards continuous control validation, purple-teaming, and scenario testing that includes payment outages, market infrastructure disruptions and coercive cyber events.

Enforcement, Supervision and the Rise of Outcomes-Based Regulation

A notable trend across EU regulators is the shift from process compliance to outcome verification, increasingly supported by active, data-driven scrutiny. Three themes recur in enforcement and supervisory messaging:

  • Consumer protection and fair value: Products that are legally compliant but poor value or mis-targeted will draw challenge.
  • Governance and accountability: Senior management must evidence oversight with clear decision trails and metrics.
  • Data accuracy and controls: Whether in SFDR reporting, PRIIPs KIDs or transaction reporting, firms are expected to demonstrate completeness, accuracy and timely remediation.

ESMA’s supervisory approach is increasingly risk-based and data-driven, leveraging large volumes of regulatory data and AI-powered tools to identify emerging risks, detect anomalies and prevent market abuse.

Cross-border groups should plan for more frequent joint supervisory actions and information requests co-ordinated at the ESAs’ level. Market participants should expect greater consistency in supervisory approaches, more structured cross-border co-ordination and a clearer “signal function” from joint risk assessments. Divergences in national transposition are narrowing as Level 3 guidance becomes more prescriptive and “soft law” gains de facto binding force through supervisory practice. Firms operating multi-hub models must continually align policies to the highest common denominator across their footprint.

Outlook

Looking across the regulatory arc, several priorities stand out for management agendas. First, codify an integrated distribution and product governance framework that can satisfy evolving retail investor rules, inducement scrutiny and value-for-money expectations. Second, complete a DORA implementation that goes beyond policy updates to demonstrable resilience, including critical third-party oversight and threat-led testing, and preparedness for the EU-SCICF. Third, recalibrate capital and liquidity plans under CRR3/CRD6 and EMIR 3, and align ESG stress-testing frameworks with the ESAs’ joint guidelines, assessing second-order effects on customer pricing and product shelf design. Fourth, deliver MiCAR-ready operating models with robust safeguarding, conduct controls and clear passporting strategies. Fifth, strengthen sustainability governance: tie SFDR claims to investment process reality, prepare for CSRD-driven data improvements and manage greenwashing risk through conservative, well-evidenced disclosures, particularly concerning ESG ratings and the Green Bond Standard.

Regulatory monitoring and engagement will be increasingly data-driven and co-ordinated. Firms should track the ESA joint committee’s annual Risks and Vulnerabilities report and regular Economic and Financial Committee/Financial Stability Table presentations as early indicators of thematic supervisory priorities. The institutions that fare best in this period will be those that engage early, provide high-quality data and demonstrate through action – rather than assertion – that their controls produce the outcomes regulators seek: fair customer treatment, resilient operations, transparent markets and credible sustainability claims. Boards and senior management should reinforce governance over operational resilience, sustainability risk and cross-sector risk themes, ensuring DORA implementation, forthcoming ESG stress-testing principles and emerging macro-financial risks are embedded in board agendas, risk appetite statements and clearly owned management action plans. The next year will test not only technical compliance, but the coherence, agility and integrity of firms’ governance.

PwC Legal

Friedrich-Ebert-Anlage 35-37
60327 Frankfurt am Main
Germany

+49 160 97375760

michael.huertas@pwc.com legal.pwc.de/en