Laws and Regulations Applicable to Dutch Licensed Banks

Dutch-licensed banks are regulated by a broad set of laws which predominantly arise from European directives, regulations and guidelines issued by the European supervisory authorities.

The main European regulations (not exhaustive) are:

• the Capital Requirements Directive (2013/36/EU);
1. Directive ((EU) 2024/1619) amending Directive (2013/36/EU) (CRD6) entered into force on 9 July 2024, but as a directive the changes will need to be transposed into national law in each member state before they become applicable;
• the Capital Requirements Regulation ((EU) 575/2013);
1. Regulation ((EU) 2024/1623) amending Regulation ((EU) 575/2013) (CRR3) entered into force on 9 July 2024 and largely applies directly in all member states since 1 January 2025;
• the Deposit Guarantee Schemes Directive (2014/49/EU);
• the Bank Recovery and Resolution Directive (2014/59/EU);
• the Anti-Money Laundering Directive ((EU) 2015/849), as amended, AMLD);
• to the extent that a bank performs investment services: the second Markets in Financial Instruments Directive (2014/65/EU), the Markets in Financial Instruments Regulation ((EU) 600/2014) and delegated regulations and technical standards thereto; and
• for payment services provided by the bank: the revised Payment Services Directive ((EU) 2015/2366).

European regulations have direct effect in the Netherlands and are not separately copied in Dutch laws. The abovementioned European directives, except AMLD, are implemented in Dutch law in the Dutch Financial Supervision Act (Wet op het financieel toezicht, DFSA) and underlying regulations. AMLD is implemented in the Dutch Anti-Money Laundering and Anti-Terrorist Financing Act (Wet ter voorkoming van witwassen en financieren van terrorisme).

The DFSA is the main law governing financial institutions, including banks, and, for example, provides rules on authorisation, the code of conduct, capital, capital markets, and division of tasks/co-operation between the relevant regulatory authorities.

In addition to implementing European laws, the DFSA contains purely national laws, such as rules on the duty of care that applies to banks and remuneration rules, which are more stringent than European laws.

Another important source of regulation is formed by a set of guidelines issued by the European Banking Authority (EBA). Although these guidelines are not formal law, the Dutch Central Bank (De Nederlandsche Bank, DNB) must apply these guidelines unless it has informed the EBA that it will deviate from them, which only happens on rare occasions. For example, the EBA guidelines provide detailed rules on the governance of banks and outsourcing of operations by banks. Also notable is the ECB Guide on climate-related and environmental risks.

Supervisory Authorities

The main regulators for banks are:

• the European Central Bank (ECB);
• DNB; and
• theDutch Authority for the financial markets (Autoriteit Financiële Markten, AFM).

The division of tasks between the ECB and the national regulators is based on the Single Supervisory Mechanism (SSM) Regulation and the SSM Framework Regulation, and is summarised below.

• The ECB is responsible for (i) granting and revoking bank licences; (ii) granting Declarations of No Objection (verklaring van geen bezwaar, DNO) to qualified holders in a licensed bank, being those entities/persons that (in)directly hold 10% or more of the shares, voting rights or comparable control in a bank; and (iii) ongoing supervision of banks that qualify as significant institutions. Ongoing supervision is performed by Joint Supervisory Teams (JSTs), which are composed of ECB staff and staff of the national regulators.
• Under overall oversight by the ECB, DNB is responsible for prudential supervision of non-significant banks.
• The AFM is responsible for ongoing code of conduct supervision (gedragstoezicht) of non-significant banks.

The AFM and DNB closely co-operate. In practice, Dutch-licensed banks primarily interact with DNB as part of ongoing supervision, including code of conduct supervision.

Introduction to Banking Licences in the Netherlands

The requirement to obtain a banking licence in the Netherlands is laid down in the DFSA in conjunction with the Capital Requirements Regulation (CRR). Broadly, a licence is required when an institution both (i) takes deposits or other repayable funds from the public (such as attracting debt); and (ii) grants credit for its own account.

Limited exemptions to the licence requirement exist, such as the exemption for group financing companies, which covers institutions that raise funds through the issuance of securities and use these funds within their corporate group, subject to certain conditions.

The available services that a bank can apply for under a licence are set out in Annex I to the Capital Requirements Directive 5 (CRD5). At a minimum, such services must include taking deposits and other repayable funds, as well as granting credit for own account. Depending on the activities of the institution, other services set out in this Annex must be applied for as part of the licence application process or later added following a licence expansion or notification procedure. These include but are not limited to:

• investment activities or investment services originating from the Markets in Financial Instruments Directive 2 (MiFID2);
• crypto-asset services following from the Markets in Crypto-Assets Regulation (MiCAR);
• e-money and payment services originating from the Electronic Money Directive 2 (EMD2) and Payment Services Directive 2 (PSD2), including the issuance of e-money tokens (stablecoins) under MiCAR; and
• consumer credit provision and servicing.

In all cases, the respective bank must adhere to relevant additional conduct of business requirements set out in the DFSA or applicable regulations.

Licensing Process

In practice, two phases can be distinguished in the process of obtaining a banking licence: the preliminary phase and the formal phase. The preliminary phase is used by DNB and the ECB to provide feedback to the applicant prior to the formal licence being submitted. Formal submission must be done via the IMAS portal operated by the ECB. The application itself, along with all subsequent communication, is conducted primarily in English through DNB. This reflects the international standards and practices of the banking industry. DNB offers comprehensive resources on its website, providing applicants with essential information on relevant laws, terms, and regulations. This includes updates and guidance, ensuring applicants are well-informed throughout the process.

Once the formal licence application is received, the formal decision-making timeframe is 26 weeks. However, this period can be extended if further information is required or if additional questions arise from the application. The quality and completeness of the application are crucial as they significantly influence the duration of the process. Upon finalisation of the review by DNB, DNB provides a draft proposal to the ECB and the ECB will issue the final decision on the licence application. In practice, close to finalisation of the review by DNB, DNB will first share a written intention for a draft proposal with the ECB. The ECB will then review and provide feedback to DNB, allowing DNB and the applicant to address concerns that the ECB may have with the draft proposal.

The banking licence application process, overseen by DNB and the ECB, is designed to ensure that new banking entities meet the many standards necessary for operating in the financial sector. In addition to the licence application process, all direct and indirect qualifying shareholders of the prospective bank have to obtain a DNO from the ECB. The application process for DNOs runs parallel to the banking licence process and ultimately is part of the draft proposal prepared by DNB for the ECB to formally decide on.

The cost of processing a banking licence application applies regardless of the outcome of the application, whether it results in the granting, rejection, withdrawal, or a temporary hold of the licence.

European Passport

A Dutch-licensed bank that seeks to provide services in other European Economic Area (EEA) jurisdictions can do so on the basis of a so-called European passport, either by opening a branch or providing cross-border services in the respective EEA jurisdictions. The process of obtaining a passport involves several stages.

A Dutch-licensed bank can follow a passport notification procedure through the IMAS portal of the ECB which will then be forwarded to DNB. The services that a Dutch-licensed bank can provide in other EEA jurisdictions may be all or a selection of services for which the Dutch-licensed bank is authorised. When launching new activities or changing notification details, the Dutch-licensed bank must re-run the notification procedure. On receipt of a European passport notification, DNB, as regulator of the home member state, will assess the completeness and accuracy of the information provided. Where the information provided in the notification is assessed to be incomplete or incorrect, DNB must inform the bank without delay, indicating in which respect the information is assessed to be incomplete or incorrect. DNB must, within one month of receipt of a complete and accurate notification, send that notification to the competent regulator of the host state.

To establish a branch, DNB submits the branch notification to the host state regulator within thirteen weeks. The host state regulator then has two months to prepare its supervision for the new branch. Unlike the provision of cross-border services, a branch can start its activities two months after the host state regulator confirms the receipt of a complete notification.

For the acquisition, holding, or increase of a qualifying holding in a Dutch-licensed bank, prior approval from the ECB is required in the form of a DNO.

The requirements regarding DNOs are laid down in sections 1.6.1a and 3.3.11.1 DFSA. Furthermore, the following guidelines are relevant:

• EBA, EIOPA and ESMA Guidelines on qualifying holdings of December 2016 (the “Joint Guidelines”); and
• ECB Guide on qualifying holding procedures of March 2023.

Qualifying Holding

There are three situations in which a qualifying holding exists:

• a direct or indirect holding of 10% or more of the issued capital of a Dutch-licensed bank;
• the power to exercise, directly or indirectly, 10% or more of the voting rights in a Dutch-licensed bank; or
• the power to exercise a significant influence over the management of a Dutch-licensed bank.

To assess whether qualifying holdings exist, the ownership chain of the Dutch-licensed bank must be analysed using the calculation methods set out in the Joint Guidelines. The calculation methods include certain aggregation rules. One such rule is that for parties that “act in concert”, the holdings of the relevant parties are aggregated, and each party is considered to hold the resulting aggregated percentage. The Joint Guidelines list various indicative factors for acting in concert, including the existence of family relationships or a consistent voting pattern.

In complex acquisition structures, such as private equity firms, sovereign wealth funds and conglomerates, an extensive qualifying holding analysis may be required.

DNO Application

A DNO must be obtained from the ECB. DNB plays a key role in preparations and serves as the primary contact. The DNO application form is to be submitted through the ECB’s IMAS Portal. The current version of the form requests applicants to also submit one or more ancillary forms through DNB’s MyDNB Portal. The statutory consideration period is 62 business days, which can be extended once by 30 business days if supplementary information is needed.

The DNO assessment encompasses, at a high level, the following areas:

• (i) the integrity (betrouwbaarheid) and reputation (reputatie) of the qualifying holder;
• (ii) the financial soundness of the qualifying holder;
• (iii) whether the licensed bank will be able to continue meeting its prudential requirements as a result of the holding; and
• (iv) whether the holding may involve actual or attempted money laundering or terrorist financing or might increase the risk thereof.

For legal entity DNO applicants, the individuals who effectively direct the business of the legal entity are also screened. This screening primarily relates to areas (i) and (iv).

Ongoing Requirements

Once the DNO is obtained, ongoing requirements apply towards the ECB and/or DNB, such as the requirements to:

• notify material changes in previously provided information or circumstances;
• report any instances where the holding falls below 10%, 20%, 33%, 50% or 100%;
• obtain a new DNO before increasing the holding to or above 20%, 33%, 50% or 100%, unless the threshold falls within the specified bandwidth of the existing DNO; and

obtain prior approval for appointing new individuals who effectively direct the business of a legal entity holding a DNO.

CRD VI and Qualifying Holding RTS

CRD VI introduces legally binding EBA Regulatory Technical Standards (RTS), for which the consultation period has recently ended, that set an EU‑wide minimum information list for qualifying holding notifications, replacing the variable, guidance‑based approach under CRD V. CRD VI must be transposed by 11 January 2026, and the RTS will apply directly once adopted by the Commission.

The RTS add a clearer completeness test and more granular content on the topics above. Process harmonisation via standardised templates and data fields should reduce variation across jurisdictions and routine gold‑plating. Unchanged are the assessment criteria, the 60-working-day timeline for the DNO decision date, and the principle of proportionality.

The corporate governance requirements applicable to Dutch-licensed banks are primarily laid down in (i) the DFSA; (ii) Book 2 of the Dutch Civil Code (Burgerlijk Wetboek); (iii) the EBA Guidelines on internal governance; and (iv) the Dutch Corporate Governance Code (DCGC). 

Two-Tier Model

The DFSA prescribes that a Dutch-licensed bank must apply a two-tier model, whereby management is separate from management supervision. Management is performed by a management board consisting solely of executive directors, while management supervision is carried out by the supervisory board. As follows from the Dutch Civil Code and the EBA Guidelines on internal governance:

• the management board is responsible for the general day-to-day operations of the bank; and
• the supervisory board supervises the management board and provides the management board with solicited and unsolicited advice. 

The DFSA determines that the day-to-day operations of the bank must be determined by at least two individuals that operate from the Netherlands. The day-to-day management is considered to be performed by the management board.

The supervisory board must consist of at least three individuals. All members of the supervisory board must be independent in mind and appearance. In addition, at least 50% of the supervisory board members must meet formal independence criteria. If a bank is significant, the supervisory board must establish a risk committee, nomination committee, and a remuneration committee from among its members.

EBA Guidelines on Internal Governance

Apart from the statutory laws set out in the DFSA, the EBA Guidelines on internal governance are the main source as regards the organisation of the internal governance of banks. The EBA Guidelines contain detailed provisions regarding a broad set of topics which focus on ensuring sound internal governance. For example, the EBA Guidelines determine that banks must have a compliance function, a risk function and an independent internal audit function and provide detailed provisions as regards the composition and tasks of such functions.

DCGC

In addition to the EBA Guidelines on internal governance, the DCGC provides best practices regarding (i) sustainable long-term value creation; (ii) effective management and supervision; (iii) remuneration; and (iv) the relationship with and role of the shareholders. The DCGC is formally only applicable to listed companies. However, DNB generally expects Dutch-licensed banks to take the DCGC into account. The DCGC applies on a “comply or explain” basis.

Diversity

Diversity at the board level has become a prominent focus in recent years, driven by the principles of fairness and the acknowledgement of its positive impact on governance. Banks are expected to implement policies that promote diversity, aiming for balanced representation across gender, educational and professional backgrounds, and age.

Fit and Proper Screening

Individuals appointed as management board members (ie, day-to-day policymakers) or as supervisory board members are subject to screening by DNB or the ECB. The division of tasks between DNB and the ECB depends on whether it concerns screening in the context of a licence application and whether it concerns a significant or non-significant bank.

The regulator (ie, DNB or the ECB) assesses whether the integrity (betrouwbaarheid) of the individual subject to screening is beyond doubt and whether the individual is suitable (geschikt) for the function. This is sometimes also referred to as fit and proper screening.

Integrity screening relates to the individual and not to the function that the individual will hold. Integrity is assessed on the basis of antecedents disclosed in a standard questionnaire. Suitability screening involves an assessment of whether the individual has sufficient and relevant knowledge, work experience and other relevant competencies for the function to be held.

Screening Requirements for Second-Tier Functions

Screening also applies to second-tier functions. These are management functions directly below the executive board, responsible for individuals whose activities can significantly impact the risk profile of the bank. For these second-tier functions, DNB assesses the integrity, while the bank itself must establish whether the individual is suitable.

An individual cannot start their role until they receive a positive screening decision from DNB.

The remuneration requirements applicable to Dutch-licensed banks are laid down in the DFSA, the Regulation on Sound Remuneration Policy DFSA (Regeling beheerst beloningsbeleid Wft 2021, Rbb), the EBA Guidelines on Sound Remuneration policies, and the DCGC.

These regulations and guidelines differentiate between several types of staff, and each may have different requirements for fixed remuneration and variable remuneration.

DFSA

The remuneration rules in the DFSA apply to individuals working under the responsibility of the Dutch-licensed bank, and its subsidiaries. The most relevant remuneration requirements under the DFSA are as follows:

• Remuneration Policy Requirements: Banks must have a remuneration policy tailored to their size and activities, among others setting out specific principles for awarding fixed and variable remuneration.
• Disclosure Requirements: Banks must publish a description of their remuneration policy in their annual accounts and on their website, including information on the amount of variable remuneration awarded.
• Bonus Cap: The amount of variable remuneration awarded must be limited to 20% of the individual’s fixed remuneration. There are limited exemptions to this bonus cap, such as for individuals predominantly working outside of the Netherlands.
• Welcome Bonuses and Severance Payments: Banks can only award guaranteed variable remuneration (welcome bonuses) and severance payments under specific conditions. 
• Malus and Clawback: In certain circumstances, banks can reduce or reclaim variable remuneration (also known as malus and clawback measures).
• Retention of Shares: A retention requirement of five years applies to shares (or comparable instrument) awarded by the bank as fixed remuneration.

A breach of these remuneration rules, such as an employment contract in breach of the Dutch bonus cap rules, is considered null and void (nietig) under Dutch law.

Rbb

The Rbb contains remuneration requirements for individuals who can materially affect the risk profile of the bank (identified staff). The Rbb implements most of the remuneration requirements following CRD V. As follows from the Rbb: 

• The supervisory board must adopt the remuneration policy of the bank, and must be responsible for reviewing and implementing this policy.
• Significant banks must establish a remuneration committee responsible for, inter alia, preparing remuneration decisions to be made by the supervisory board. 
• A significant portion of variable remuneration (at least 50%) must consist of shares (or comparable instruments), which must also be subject to an appropriate retention period linked to the bank’s performance.
• When awarding variable remuneration, a considerable portion (at least 40%) must be deferred over a period of at least four to five years (depending on the individual’s role).

An exemption exists to the financial instruments and deferral requirements described above, available to small banks and individuals who are awarded a certain (limited) amount of variable remuneration.

EBA Guidelines on Sound Remuneration Policies

DNB applies the EBA Guidelines in its supervision of Dutch-licensed banks, which further detail the remuneration requirements as set out in the DFSA and Rbb. The EBA sets detailed remuneration requirements, such as on the identification process of identified staff, the tasks and responsibilities of the remuneration committee and the pay-out process for variable remuneration.

Dutch Corporate Governance Code

According to the DCGC, the supervisory board should determine the remuneration of the individual management board members, within the boundaries of the management board remuneration policy as adopted by the general meeting of the bank.

Banks are expected to have a comprehensive anti-money laundering and counter-terrorist financing (AML-CFT) framework in place. The requirements and expectations on AML-CTF primarily follow from:

• the Dutch anti-money laundering act (Wet ter voorkoming van witwassen en financieren van terrorisme, Dutch AML Act) and underlying regulations;
• EBA Guidelines, such as the EBA Guidelines on risk factors;
• DNB AML-CFT Q&As and Good Practices of May 2024; and
• AML-CFT Industry Baselines of 2023.

Dutch AML Act

The Dutch AML Act implements the European anti-money laundering directives, and is largely the same as in other EEA member states, with certain deviations. The Dutch AML Act has three main elements which are outlined below.

AML-CFT risk analysis

The Dutch AML Act follows a risk-based approach. The actual measures that banks implement in the context of these requirements depend on the associated risks. The cornerstone of the risk-based approach is the AML-CFT risk analysis, based on which the concrete AML-CTF measures must be determined. The AML-CFT risk analysis is often part of the Systematic Integrity Risk Analysis (SIRA).

Customer due diligence (CDD)

The purpose of conducting CDD is that the bank knows who it is doing business with. CDD, among others, requires the bank to identify and verify the identity of a customer, its Ultimate Beneficial Owner(s) (UBO), the individual(s) representing the customer and the purpose and nature of the business relationship.

CDD is required when the bank enters into a business relationship with a customer or when it conducts an incidental transaction(s) amounting to EUR15,000 or more on behalf of the customer. The bank applies (i) regular; (ii) simplified; or (iii) enhanced CDD, each with minimum requirements depending on the customer risks involved.

Throughout the business relationship, the bank is obligated to conduct CDD reviews, typically triggered periodically or based on specific events.

Transaction monitoring

Banks must monitor transactions within a business relationship to identify unusual activities by means of objective and subjective indicators as laid down in the Dutch AML Act. If a transaction meets certain criteria, it qualifies as unusual and must be promptly reported to the Financial Intelligence Unit Netherlands (FIU-NL).

EBA Guidelines

The EBA has published numerous guidelines on AML-CTF that are also relevant to Dutch-based banks. In these guidelines, the EBA addresses various topics, such as the onboarding of remote customers, the application of risk factors, and the roles and responsibilities of compliance officers.

DNB AML-CFT Q&As and Good Practices

DNB has published Q&As and Good Practices on AML-CTF. The Q&As provide interpretations of legal standards, while the Good Practices offer recommendations for compliance, though institutions may choose alternative methods as long as they continue to meet legal requirements.

AML-CFT Industry Baselines

In consultation with DNB, the Dutch Banking Association (De Nederlandse Vereniging van Banken, DBA) has developed various practical principles for the risk-based application of the Dutch AML Act. Nearly all Dutch banks are members of the DBA.

AMLR and AMLD6

The Anti-Money Laundering Regulation (AMLR) will apply directly in the Netherlands as of 10 July 2027. The Anti-Money Laundering Directive 6 (AMLD6) will need to be transposed into Dutch law before 10 July 2027. The AMLR and AMLD6 will replace the Dutch AML act.

Dutch Deposit Guarantee Scheme

The Dutch Deposit Guarantee Scheme (DGS) is laid down in Section 3.5.6 of the DFSA and the relevant regulations thereto. The DGS implements the EU Directive 2014/49/EU on deposit guarantee schemes. The DGS regime is administered by DNB. The DGS funds are kept in the Deposit Guarantee Fund (depositogarantiefonds, DGF), which is managed by DNB.

Since 2016, Dutch-licensed banks have been required to contribute to the DGF on a quarterly basis. These contributions are divided into collective and individualised components, with DNB determining each bank’s contribution based on their deposit base and that of all banks combined. Supplementary contributions may be set if covered deposits increase. When DNB has to repay depositors out of the DGF but the available funds in the DGF are not sufficient to finance the payments, extraordinary contributions are levied. DNB determines these contributions ex post and may ask banks for an advance payment if needed.

Accounts Eligible for Protection Under the Dutch DGS

Various types of accounts are eligible for protection under the DGS. These include:

• Payment Accounts: This category covers standard bank accounts used for daily financial transactions, such as current accounts.
• Savings Accounts: These accounts, specifically designated for saving money, which may offer interest on the saved amount, are protected.
• Fixed-Term Deposits: These are deposits made for a fixed period, often at a fixed interest rate, and cannot be accessed until the term ends without incurring penalties.
• Life-Cycle Saving Schemes: These accounts are designed for long-term saving, often linked to significant life events like retirement.
• Bank Savings Accounts: Similar to regular savings accounts, these accounts may have specific terms and conditions regarding deposits and withdrawals.
• Investment Accounts: These accounts hold investments rather than cash.

It is important to note that while the account itself may be covered, investment products (like shares or bonds) held within these accounts are not covered by the DGS. Furthermore, subordinated deposits are generally not covered by the DGS.

The types of account holders covered include:

• Natural Persons: Personal account holders, irrespective of their age, nationality, or residence status, are covered by the DGS.
• Businesses: Small, medium, and large businesses holding accounts in participating banks are eligible for protection.
• Associations and Foundations: Non-profit organisations, including associations and foundations, are also covered under the scheme.
• Joint Account Holders: Accounts held jointly by multiple individuals are protected. The coverage is typically divided equally among the account holders unless a different division is agreed upon.

Notably, the DGS excludes certain account holders from its protection, such as account holders involved in financial crimes and account holders who have failed to provide necessary identity verification documents.

Maximum Reimbursement

The maximum reimbursement under the DGS is in principle EUR100,000 per account holder per bank. This applies collectively to all the accounts a person holds with the same bank. Joint accounts and accounts held in the names of two or more legal persons have their cover calculated proportionately, unless a different division is agreed upon in advance. The limit of EUR100,000 still applies in these cases. In principle, account holders have five years to claim their deposits.

In certain cases, a temporary limit of EUR500,000 applies for account balances of natural persons, on top of the standard protection of EUR100,000. This limit covers temporarily high account balances in connection with:

• the sale or purchase of a principal residence;
• pension payments;
• severance payments; or
• insurance payouts.

The temporary limit applies up to six months following the respective deposit.

Prudential Regime for Banks

The legal basis for prudential supervision in the Netherlands follows from CRR and CRD V as implemented in the DFSA and the Decree on Prudential Rules for Financial Undertakings (Besluit Prudentiële regels Wft, Bpr).

Broadly, the prudential rules cover risk management, capital requirements and liquidity requirements for Dutch-licensed banks and branches of banks with a registered office in a non-member state conducting business in the Netherlands.

The prudential rules of CRR and CRD V are the European implementation of the international Basel III standards (Basel III), an international regulatory framework that aims to strengthen the regulation, supervision and risk management of the banking sector.

The final texts of CRR3 and CRD VI were adopted in June 2024. Since January 2025, most of the CRR3 provisions have started to apply in the Netherlands. CRD VI must be implemented into Dutch law and will be applicable from January 2026. Accordingly, this chapter takes into account the 2025 regime covering CRR3 changes and the rules that are (still) applying under CRD V.

Risk Management

Dutch-licensed banks are required to have sound risk management policies to control relevant risks. Relevant risks at least include concentration risks, credit risks, counterparty risks, liquidity risks, market risks, operational risks, ESG risks, interest rate risks from non-trading activities, rest risks, risks due to excessive leverage, securitisation risks, insurance risks, lapse risk and risks arising from the macroeconomic environment in which the bank operates and which are related to the state of the business cycle.

Risk management policies must be translated into specific procedures and measures to control the relevant risks and must be integrated into the business processes of the bank. The procedures and measures must consist of, inter alia, authorisation procedures, limit settings and limit monitoring tailored to the bank’s nature, size, risk profile and complexity.

Dutch-licensed banks must have an independent risk management function. This function is tasked with the systematic and independent conduct of risk management, aimed at identifying, measuring and evaluating the risks banks are exposed to. The management board and the supervisory board must be actively involved in a bank’s risk management.

The ESG risk framework of Dutch-licensed banks must be further enhanced when CRD VI is implemented into Dutch law.

Capital Requirements

To ensure financial stability and mitigate risks, banks are subject to two distinct regulatory measures: capital requirements and liquidity requirements. The first set of measures follows from the CRR, and aims to establish minimum capital requirements for credit, market, and operational risks, ESG risks and other relevant risks. This requires banks to maintain an adequate capital buffer to absorb unexpected financial setbacks. Capital requirements can be divided into (i) qualitative; and (ii) quantitative requirements.

Qualitative requirements

The CRR addresses the quality of capital by the extent to which the capital can absorb losses and classifies the capital into different tiers.

Tier 1 capital, comprised of Common Tier 1 (CET1) capital and Additional Tier 1 (AT1) capital:

• CET1 Capital: As the highest quality of capital, CET1 capital represents the core equity capital of a bank and enables it to absorb losses immediately without significantly impacting its operations or stability. It consists of capital instruments, share premium accounts related to these capital instruments, retained earnings, accumulated other comprehensive income, other reserves and funds for general banking risks.
• AT1 Capital: AT1 capital is Tier 1 capital that is not CET1 capital and consists of capital instruments and the share premium accounts related to these capital instruments. AT1 capital has certain characteristics; eg, the provisions governing the instruments must require that, when the CET1 capital ratio falls below 5.125%, the principal amount of the instruments will be written down on a permanent or temporary basis or the instruments will be converted into CET1 instruments.
• Tier 2 Capital: Tier 2 capital is considered to be of lower quality. This tier includes instruments such as subordinated debt instruments, which hold a subordinate position to other debts in the event of liquidation or bankruptcy. While Tier 1 capital forms the primary layer of a bank’s capital structure, Tier 2 capital provides an additional cushion.

Quantitative requirements

In order to ensure that banks maintain sufficient financial cushion to absorb potential losses, the CRR addresses the quantity of capital by stipulating that banks must maintain specific capital ratios, expressed as percentages of the total risk exposure amount. This exposure amount is calculated using risk-weighted assets (RWA). In principle, banks must maintain (i) a Common Equity Tier 1 capital ratio of 4.5%; (ii) a Tier 1 capital ratio of 6%; and (iii) a total capital ratio of 8%.

CRR3 changes the way banks calculate their RWA, requiring a more standardised calculation approach. Additionally, CRR3 introduces an output floor, setting a minimum limit on the own funds requirements of banks calculating their RWA by using internal models.

In addition to the above three capital ratios, banks are required to maintain a minimum of 3% leverage ratio. The leverage ratio is calculated by dividing a bank’s Tier 1 capital by its total exposure. Unlike the capital ratios above, the leverage ratio takes into account the unweighted total exposure rather than the total risk-weighted exposure.

Banks must also uphold a capital buffer, comprising the following elements: (i) the capital conservation buffer, set at 2.5%, which consists of CET1 capital, and (ii) the institution-specific countercyclical capital buffer, confirmed by DNB in September 2025 to remain at 2%.

Systemically important banks may be subject to additional buffer requirements, including a Global Systemically Important Institution buffer (G-SII) or an Other Systemically Important Institution (O-SII) buffer, as well as a systemic risk buffer.

Liquidity requirements

Besides the capital requirements, Dutch-licensed banks must adhere to liquidity requirements. These requirements are designed to guarantee that Dutch-licensed banks maintain an adequate amount of liquid assets to fulfil their short-term obligations, particularly in times of financial strain. The CRR outlines two primary liquidity requirements: the liquidity coverage ratio and the stable funding ratio.

The liquidity coverage ratio focuses on short-term liquidity risks and requires banks to hold sufficient liquid assets to be able to convert these assets into cash under stressed conditions over a thirty-day period. The stable funding ratio, on the other hand, focuses on the long-term liquidity risks and requires banks to ensure that their long-term obligations are met with diverse stable funding instruments.

The key piece of legislation around insolvency, recovery and resolution of banks is the Bank Recovery and Resolution Directive (BRRD). BRRD is implemented in Part 3A of the DFSA.

The BRRD serves the purpose of ensuring the continuity of a bank’s critical financial and economic function, while minimising the impact of a bank’s failure on the economy and financial system. To that effect, the BRRD provides the national resolution authorities (in the Netherlands, this is DNB) with a set of tools to intervene sufficiently early and quickly in an unsound or failing bank.

The BRRD distinguished three phases with regard to recovery and resolution:

• recovery and resolution planning (Title II BRRD);
• early intervention for recovery (Title III BRRD); and
• resolution (Title IV BRRD).

Phase 1: Recovery and Resolution Planning

Dutch-licensed banks must establish a recovery plan. The recovery plan must include a framework of qualitative and quantitative indicators identifying the points at which escalation processes/action plans must be activated. The EBA has issued guidelines on the minimum indicators that banks must include in their recovery plan (EBA Guidelines on recovery plan indicators). With a view to proportionality, DNB has the option to simplify these recovery plan requirements for certain less significant institutions (LSIs).

DNB, as the resolution authority in the Netherlands, must establish a recovery plan for each licensed bank. The recovery plan will be based on information to be provided by the respective bank.

Recovery and resolution plans must be updated at least annually.

Phase 2: Early Intervention for Recovery

If the financial condition of a bank is rapidly deteriorating (as further set out in the EBA Guidelines on early intervention triggers), the BRRD confers a number of powers on DNB to intervene. These powers include:

• convening (with or without management co-operation) a meeting of shareholders of the bank and requiring certain decisions to be considered for adoption by the shareholders;
• requiring one or more members of the management body or senior management to be removed or replaced; and
• requiring changes to the strategy, legal or operational structures.

If the powers reflected above do not suffice, DNB may impose the following (additional) measures:

• the removal of the senior management or management body of the institution, in its entirety or with regard to individuals; or
• the appointment of one or more temporary administrators to the bank.

Phase 3: Resolution

The BRRD provides for resolution tools. The aim of applying such tools is (i) to ensure the continuity of critical functions; (ii) to avoid a significant adverse effect on the financial system; (iii) to minimise reliance on public financial support (ie, prevent a bailout); and (iv) to protect depositors, client funds and client assets.

Resolution tools can only be applied if all the following conditions are met:

• (i) DNB determines that the bank is failing or is likely to fail;
• (ii) there is no reasonable prospect that any alternative private sector measures, including the write-down or conversion of relevant capital instruments and eligible liabilities, would prevent the failure of the bank within a reasonable timeframe; and
• (iii) resolution is necessary in the public interest.

As regards condition (i), a bank is failing or likely to fail if:

• the bank infringes or likely will, in the near future, infringe the requirements for continuing authorisation in a way that would justify the withdrawal of the authorisation;
• the assets of the bank are or will, in the near future, be less than its liabilities;
• the institution is or will, in the near future, be unable to pay its debts or other liabilities as they fall due; or
• extraordinary public financial support is required.

The BRRD distinguishes four resolution tools, which may be applied individually or in any combination, as outlined below.

The sale of business tool

• DNB can transfer the shares in the bank or (part of) the assets, rights or liabilities to a purchaser that is not a bridge institution. This transfer does not require shareholder consent.
• If only the sale of business tool is used and only part of the assets are transferred, the bank and its remaining assets/activities shall be wound up under normal insolvency proceedings.

The bridge institution tool

• DNB can transfer the shares in the bank or (part of) the assets, rights or liabilities to a bridge institution. This transfer does not require shareholders consent.
• A bridge institution must be wholly or partially owned by one or more public authorities and is controlled by DNB.
• The purpose of the bridge institution is maintaining access to critical functions of the bank and selling the bank.
• If only the bridge institution tool is used and only part of the assets are transferred, the bank and its remaining assets/activities shall be wound up under normal insolvency proceedings.

The asset separation tool

• DNB can transfer assets, rights or liabilities of a bank or a bridge institution to one or more asset management vehicles. This transfer does not require shareholder consent.
• An asset management vehicle must be wholly or partially owned by one or more public authorities and controlled by DNB.
• The asset management vehicle will manage the assets transferred to it with a view to maximising their value through eventual sale or orderly wind-down.

The bail-in tool

• The bail-in tool is applied to absorb losses and recapitalise the distressed bank so that it once again meets its licence requirements.
• The bail-in tool allows unsecured debt to be written down or converted to equity. That way, the creditors of a bank bear the losses and the need for a taxpayer bailout is avoided.
• The bail-in tool may be applied to all liabilities of a bank except for the liabilities excluded by the BRRD, which include covered deposits, secured claims, claims with an original maturity of fewer than seven days, claims of employees, claims of commercial or trade creditors and claims arising from the provision of goods or services to the bank that are critical to the daily functioning of its operations, including IT services, utilities and the rental, servicing and upkeep of premises.
• Once CET1 capital instruments have been wholly or partly written down, non-excluded liabilities are written down or converted into rights to newly issued shares or other instruments of ownership of the bank.
• For bail-in, the “no creditor worse off principle” applies, meaning that shareholders and creditors may not incur greater losses than they would have incurred if the bank had been wound up immediately beforehand under normal insolvency proceedings.

Minimum Requirements for Own Funds

Banks are subject to minimum requirements for own funds and eligible liabilities (MREL). The MREL serve to ensure that a bank maintains at all times sufficient eligible instruments to facilitate the implementation of the preferred resolution strategy. MREL is the European equivalent of worldwide Total Loss Absorbing Capacity standard (TLAC) developed by the Financial Stability Board (FSB).

DGS

If a bank is unable to meet its obligations towards eligible deposit holders, such deposit holders are protected under the Dutch DGS. Please see 6.1 Deposit Guarantee Scheme (DGS).

ESG requirements for Dutch-licensed banks primarily consist of (i) climate risk management requirements; and (ii) ESG disclosure requirements.

Climate Risk Management

Currently, climate risk management requirements for banks primarily follow from the ECB’s Guide on climate-related and environmental risks (2020) (the “ECB Guide”). The ECB Guide is strictly speaking not binding for banks. However, it reflects the ECB’s understanding of how banks are expected to adequately manage climate risks under the current prudential framework, as primarily follows from CRD V, pending the application of CRD VI in 2026.

The ECB, as direct supervisor of significant banks, applies the ECB Guide in its supervision. DNB also applies the ECB Guide in its supervision of less significant banks, but in a proportionate manner.

The supervisory expectations in the ECB Guide can be summarised as follows:

• Business Strategy: Banks should integrate short-, medium-, and long-term climate risks into their business strategies.
• Risk Appetite and Governance: Banks should incorporate climate risks into their risk appetite frameworks, allocate responsibilities, and report aggregated risk data.
• Risk Management: Banks should integrate climate risks into the risk management framework, conduct regular reviews and consider these risks across a range of risks, including credit, liquidity and operational risks.

In 2022, the ECB set a deadline for banks to achieve full alignment with supervisory expectations in the ECB Guide, ensuring the integration of climate and environmental risks into stress testing frameworks and the ICAAP.

The ECB has already communicated that it has started enforcement towards banks that have failed to adequately manage climate risks in line with the ECB’s expectations.

In 2026, CRD VI will integrate ESG risks directly into the existing prudential framework for risk management by banks. Compared to the ECB Guide, CRD VI will impose more detailed requirements on the identification, assessment, management and monitoring of ESG risks.

On 9 January 2025 the ECB published guidelines for the new CRD VI requirements on ESG risks. The guidelines will apply from 11 January 2026 except for small and non-complex institutions for which the guidelines will apply at the latest from 11 January 2027.

ESG Disclosure Requirements

As of 2025, CRR3 requires banks to enhance their disclosures for ESG risks. These disclosures should distinguish between environmental, social and governance risks, and differentiate between physical and transition ESG risks. Notably, CRR3 introduces regulatory reporting on ESG risk exposures as well as on the integration of ESG risks into the strategy, processes, policies, governance and risk management of banks. 

Following the Corporate Sustainability Reporting Directive (CSRD), Dutch banks meeting certain size criteria will have to publish a sustainability report together with their annual accounts. Following the Stop-the-Clock Directive, the application of the reporting requirements has been postponed from financial year 2025 to financial year 2027.

Other ESG Requirements

Other ESG requirements relevant for Dutch-licensed banks include, but are not limited to:

• The EBA Guidelines on Loan Origination and Monitoring: These guidelines detail how banks should incorporate ESG factors into their credit risk policies for corporate lending.
• DCGC: The DCGC includes best practices on sustainability, emphasising long-term value creation for companies and the role of management boards in developing strategies and procedures to achieve this goal.
• Sustainable Finance Disclosure Regulation (SFDR): Banks providing portfolio management or investment advice services are subject to disclosure requirements following from SFDR. These disclosures cover, besides ESG topics, the integration of sustainability risks into the bank’s investment processes, and how the bank considers adverse impacts that investments may have on sustainability.
• Taxonomy Regulation: This establishes criteria for identifying and classifying the sustainable economic activities of a bank, used for the purposes of other sustainability regulations (such as CSRD and SFDR).

The Digital Operational Resilience Act (DORA) is a European regulation that entered into force on 16 January 2023 and applies as of 17 January 2025 to Dutch-licensed banks. DORA is part of a larger European digital finance package that aims to ensure financial stability and consumer protection through technological development. This digital finance package also includes a European digital finance strategy, regulation on markets in crypto-assets (MiCAR), and regulation concerning market infrastructures based on distributed ledger technology.

DORA has direct effect in member states and aims to harmonise the rules relating to digital operational resilience for the financial sector. Besides Dutch-licensed banks, it applies to a total of 21 types of financial entities, including payment institutions, investment firms, crypto-asset service providers, and the information and communication technology (ICT) third-party providers that are critical to the financial infrastructure, bringing technology vendors under direct financial supervision. Each of these entities must align their operational and risk management processes with DORA’s stringent requirements to effectively manage and mitigate ICT risks.

Five Pillars of DORA

DORA is built on five key pillars, each addressing different aspects of digital operational resilience for financial institutions:

• ICT Risk Management: Chapter II of DORA requires financial entities to have in place an elaborate system of processes, controls, digital operational resilience strategies, policies, and procedures, ICT protocols, and tools to manage their ICT risks. These measures, which together form the DORA risk management framework, need to address aspects such as governance and organisation; ICT risk management framework; ICT systems, protocols, and tools; identification; protection and prevention; detection; response and recovery; back-up policies, restoration and recovery; learning and evolving; and crisis communication plans.
• Moreover, particular emphasis is placed on the role of management bodies in ensuring compliance, and ensuring that ICT risk management is embedded in their internal governance and control framework.
• ICT Incident Management: Chapter III of DORA requires financial entities to establish and implement a specific ICT-related incident management process to detect, manage, and notify ICT-related incidents, and to record them together with significant cyber threats. Financial entities will also have to classify ICT-related incidents and determine their impact in accordance with a set of prescribed criteria, details of which are to be set out in secondary legislation, and report major ICT-related incidents to the competent authority.
• Digital Operational Resilience Testing: Chapter IV of DORA requires financial entities to put in place a sound and comprehensive digital operational resilience testing programme, comprising a range of assessments, tests, methodologies, practices, and tools. Testing should be applied on a risk-based approach by an independent party – either internal or external. In addition, significant financial entities will be required to carry out threat-led penetration testing (TLPT) every three years.
• ICT Third-Party Risk Management: Chapter V of DORA covers the required policy documents, risk analysis, and contractual provisions with ICT third-party providers to ensure that financial entities maintain strong contracts with their ICT third-party providers. DORA also requires that all contractual arrangements for the provision of ICT services must be recorded in a register of information. Section II of Chapter V defines the oversight framework for critical third-party providers of ICT services.
• Information Sharing: Chapter VI of DORA provides a framework for the sharing of information about cyber threats and vulnerabilities with other financial entities.

In addition to the requirements described in the regulation, a number of topics are further elaborated in the Regulatory Technical Standards (RTS), Implementation Technical Standards (ITS), and Guidelines (GL) developed by the three European Supervisory Authorities (ESAs).

The DORA requirements will be applied in accordance with the principle of proportionality. This means that, when implementing DORA, financial entities should consider their size and overall risk profile, as well as the nature, scale, and complexity of their services, activities, and operations.

Supervision and Enforcement

DORA places the supervision of compliance with its requirements on the respective competent authorities responsible for overseeing the in-scope financial entities. For Dutch-licensed banks, this responsibility will be placed on DNB. To this end, DNB will have supervisory, investigatory, and sanctioning powers, including powers to request access to documents and data, carry out on-site inspections and investigations, and impose administrative penalties and remedial measures.

EU Banking Package

In July 2024, the new EU banking package came into effect. This package, consisting of the Capital Requirements Regulation 3 (CRR3) and the Capital Requirements Directive (CRD6), ensures the implementation of the final elements of the Basel III agreement. CRD 6 introduces various interesting changes.

CRD6 introduces a prohibition on the provision of cross-border banking services in the EU of a third-country (non-EU) institution. It requires institutions from third countries to establish a branch (third-country branch, TCB) in a member state and to apply for a licence for that TCB before they can provide “core banking services” in the respective member state. It should be emphasised that for the applicability of the TCB regime, the qualification of the services – not the service provider – is decisive. Core banking services in this context include deposit taking, lending, guarantees and commitments. Of course, there are some exceptions to this TCB regime. For instance, it does not apply in the case of reverse solicitation – in short, when a client approaches the enterprise in the third country on their own initiative. Additionally, the regime does not apply to enterprises in third countries that offer MiFID services and provide ancillary services, such as receiving deposits or granting loans for the purpose of providing those MiFID services.

Furthermore, CRD6 establishes a renewed, more detailed framework for assessing the suitability of members of the management body and key function holders. This framework is currently not well harmonised. CRD6 prescribes standard information requirements for a suitability application, including a suitability questionnaire and a curriculum vitae. The EBA will issue technical regulatory standards at a later stage specifying the information that must be provided to the competent authority. Regarding a related change, under CRD6, the chair of the supervisory board of an institution cannot also be the CEO of the same institution. The impact of this on Dutch banks is negligible given the existing two-tier model with a management board and a supervisory board.

CRD6 must be transposed into Dutch legislation by 10 January 2026, with the TCB regime not coming into effect until 11 January 2027.

New Payment Rules

In June 2023, the European Commission (EC) published its legislative proposals for payment services, financial data access and the establishment of the digital euro. The legislative proposals consist of, inter alia:

• a third Payment Services Directive (PSD3) and a Payment Services Regulation (PSR);
• a Financial Data Access Regulation (FIDA); and
• a regulation on the established of the digital euro (Digital Euro Regulation)

The PSD3, PSR and FIDA proposals are part of the EC “financial data access and payments package”, which was launched by the EC to modernise the regulatory landscape in relation to the provision of payment services and sharing financial services data.

The Digital Euro Regulation is part of the EC’s “single currency package” and sets out a framework for a possible new digital form of the euro that the ECB could choose to issue in the future, as a complement to cash.

The final text of PSD3 and PSR are not yet available. However, PSD3 is still expected to come into force in 2026. After PSD3 becomes final, member states will have 18 months to implement the directive into national law. PSR is also expected to come into force in 2026. A phased implementation of FIDA is expected to begin in 2027. The establishment of the digital euro is expected to take a few more years. The ECB will only issue the digital euro once the Digital Europe Regulation has been adopted. At the moment of writing this overview, the latest update is that the ECB has selected and signed agreements with providers for five digital euro components and related services.

SSM Supervisory Priorities for 2025-2027

The ECB has set its SSM supervisory priorities for 2025-2027. These priorities reflect ECB Banking Supervision’s medium-term strategy for the next three years, based on a comprehensive assessment of the main risks and vulnerabilities for supervised entities. They support efficient allocation of the available supervisory resources and can be adjusted if warranted by changes to the risk landscape. Banks will be requested to strengthen their ability to withstand immediate macro-financial threats and severe geopolitical shocks (Priority 1), remedy persistent material shortcomings in an effective and timely manner (Priority 2) and strengthen their digitalisation strategies and tackle emerging challenges stemming from the use of new technologies (Priority 3).

EBA Financial Regulatory Work Programme 2026

Every year, the key EU financial regulatory institutions publish their annual work programmes, setting out their priorities for the year ahead. These priorities align with each institution’s broader long-term strategy (published every three to five years). On 1 October 2025, the EBA published its Work Programme for 2026. In 2026, the EBA will start executing its priorities for the period 2026-2028. EBA’s priorities for 2026-2028 are defined in its Single Programming Document for 2028-2028:

• contributing to an efficient, resilient and sustainable single market (Rulebook);
• developing tools, data and methodologies for effective analysis, supervision and oversight (Risk Assessment); and
• enhancing technological capacity for all stakeholders (Innovation).

According to the EBA, 2026 will be a landmark year as it takes on new oversight and supervisory functions. These responsibilities arise from new legislation covering critical third-party providers (DORA), issuers of crypto-assets (MICA), and the use of internal margin models (EMIR). These new functions will be carried out alongside the EBA’s traditional policy development and supervisory convergence work. Taking the above priorities for 2026-2028 into account, the EBA has set priorities and areas of focus for 2026.

The rulebook priority relates to EBA’s core responsibilities of (i) developing a single rulebook and (ii) ensuring its consistent implementation for the activities and supervision of the financial entities in its remit, to contribute to an efficient, resilient and sustainable single market in financial services. Regarding developing a single rulebook, EBA will focus on simplification and efficiency, the banking package, payment services, Crisis Management and Deposit Insurance (CMDI) with Bank Recovery and Resolution (BRR) and the Deposit Guarantee Schemes Directive (DGSD), Enhanced Supervisory Interaction and Undertakings (ESIU) and securitisation. Regarding consistent implementation, the EBA will focus on rebalancing ex ante harmonisation towards ex post convergence, peer reviews, IRRBB and liquidity/funding.

The risk assessment priority relates to:

• (i) the EBA’s responsibility for assessing risks and vulnerabilities in the EU/EEA banking and financial sector through regular and ad hoc analyses;
• (ii) the EBA’s new roles as the lead overseer of critical ICT third-party service providers, supervisor of significant asset-referenced and e-money token issuers and validator of certain EMIR IMM models; and
• (iii) its need for reliable and adequate data supporting efficient methodologies and tools as an enabler of (i) and (ii).

Regarding risk assessment and stress testing, the EBA will focus on efficient EU stress testing capacity, timely risk analysis, outreach, and analysis of ICT incidents and cyber threats. Regarding supervision and oversight, EBA will focus on DORA oversight, MiCAR supervision and EMIR IMM validation. In the context of data, tools and methodologies, the EBA will focus on integrated reporting and reviewed data collections.

The EBA’s third priority is to enhance technological capacity within the financial sector with special attention paid to consumer protection. In the context of technological capacity, the EBA will focus on innovation monitoring and knowledge-sharing, AI/ML and crypto, DLT and value chain. Regarding consumer protection, the EBA will focus on over-indebtedness, de-risking and education, and implications of innovation. 

ESAs’ 2026 Joint Work Programme

The three ESAs, the EBA, the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA), have their Joint Work Programme for 2026. In 2026 the Joint Committee (JC) of these ESAs will, amongst other things, focus on the following points:

• Digital Operational Resilience: With the implementation of DORA, the JC will concentrate on the effective operation of the new Oversight Framework and work related to supervisory convergence of DORA.
• Consumer Protection and Financial Innovation: The JC will strengthen European consumer confidence and protection in the areas of banking, insurance and pensions as well as securities products and services.
• Sustainable Finance: The ESAs will continue to prioritise sustainable finance as a key topic and to deliver any tasks asked of the ESAs. Regarding SFDR, the ESAs will monitor the ongoing review of its text while providing clarifications where necessary on the existing framework.
• Risk Assessment: The JC will continue to remain an important forum for discussion of cross-sectoral risks. As a result, the ESAs will jointly assess key trends and vulnerabilities to financial stability and continue producing targeted cross-sectoral risk analysis in addition to their respective sectoral risk analysis.