On 26 January 2026, the AMLA announces launching data collection exercise to test risk assessment models for the financial sector.

AMLA will launch a data collection exercise to test and calibrate its risk assessment models. These models serve two purposes: to inform the selection, taking place in 2027, of up to 40 entities for AMLA’s direct supervision starting in 2028, and to ensure that money laundering risks of financial institutions are assessed consistently by supervisors across the EU.
The exercise, set to start in March, is being conducted in close cooperation with national supervisors and the private sector. It represents a preparatory step towards AMLA’s direct supervision. The data collection will involve two groups of financial institutions: those that may be eligible for AMLA’s direct supervision, and a representative sample of entities likely to remain under national supervision. National supervisors have provided AMLA with lists of both groups, and AMLA has notified them of those selected to participate in this exercise.

High-quality data from the private sector is essential to building a reliable selection model and developing a common EU-wide risk assessment methodology. The exercise will allow participating financial institutions to test and prepare their systems for future data collections, while AMLA will use the insights gained to optimise the data collection planned in view of the selection process for direct supervision.

Once the models have been fully tested and calibrated, AMLA will establish the final list of entities eligible for direct supervision. National supervisors will then collect data points from the identified eligible entities in early 2027, which will inform AMLA’s subsequent selection of the 40 directly supervised entities.

On 19 January 2026, the EBA published press release on EBA and AMLA complete handover of AML/CFT mandates.

On 1 January 2026, the European Banking Authority (EBA) and the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA) completed the transfer of all AML/CFT mandates and functions from the EBA to AMLA, marking a milestone in the EU's fight against financial crime. The handover concludes the EBA's stand-alone AML/CFT mandate that began in 2020 and is part of the new EU AML/CFT package which established AMLA at the centre of an integrated, European system of AML/CFT supervision.

AMLA's responsibilities include harmonising AML/CFT rules across the EU by completing the EU Single Rulebook, directly supervising 40 of the most complex high-risk financial institutions from 2028, indirectly supervising the financial sector by setting common supervisory practices while national authorities maintain direct supervision, overseeing the non-financial sector to ensure consistent application of AML/CFT rules, and supporting national Financial Intelligence Units through coordination and technical resources.

Meanwhile, the EBA retains a vital role in safeguarding the integrity of the financial system from a prudential perspective by embedding money laundering and terrorist financing risks into authorisations, licensing, fit and proper assessments, governance frameworks, and ongoing prudential supervision, promoting consistent supervision through harmonised policies and convergent supervisory practices, collaborating with AMLA to develop joint regulatory instruments such as guidelines on de-risking and supervisory cooperation, and monitoring emerging risks by continuously tracking regulatory and market developments. All existing EBA AML/CFT guidelines remain in force until AMLA replaces them, with AMLA providing suitable transition periods for stakeholders when introducing new guidelines.

On 27 January 2026, the EP publishes press release on MEPs approved the trilogue deal on the EU’s anti-corruption directive.

The publication explains that the trilogue deal establishes EU wide minimum rules defining corruption-related offences, including bribery, misappropriation, obstruction of justice, trading in influence, unlawful exercise of functions, illicit enrichment linked to corruption, concealment, and private sector bribery. It confirms the creation of a structured sanctions system setting EU wide statutory maximum penalties while allowing member states discretion to adopt stricter rules.

The directive also updates and modernises the EU’s anti corruption architecture by aligning terminology, reducing enforcement gaps in cross border cases, and harmonising the scope of criminal conduct in both private and public sectors.

In parallel, the text introduces prevention focused obligations, requiring member states to:

• adopt and publicly release national anti corruption strategies developed with civil society input;
• conduct sector-specific corruption risk assessments;
• strengthen rules on conflicts of interest, political financing transparency, and integrity standards in public administration;
• ensure independent and sufficiently equipped national bodies for the prevention and repression of corruption.

The directive reinforces cooperation mechanisms with EU bodies such as OLAF, EPPO, Europol, and Eurojust, and requires annual publication of machine readable, comparable data to enhance transparency. A plenary vote confirming the new rules is expected in March. The publication also notes the broader context of the Commission’s anti-corruption package and survey data showing high public concern about corruption across the EU.

On 20 January 2026, EC published a new cybersecurity package.

The package includes a proposal for a revised Cybersecurity Act, which enhances the security of the EU's Information and Communication Technologies (ICT) supply chains. It ensures that products reaching EU citizens are cyber-secure by design through a simpler certification process. It also facilitates compliance with existing EU cybersecurity rules and reinforces the EU Agency for Cybersecurity (ENISA) in supporting Member States and the EU in managing cybersecurity threats.

The new Cybersecurity Act aims to reduce risks in the EU's ICT supply chain from third-country suppliers with cybersecurity concerns. It sets out a trusted ICT supply chain security framework based on a harmonised, proportionate and risk-based approach. This will enable the EU and Member States to jointly identify and mitigate risks across the EU's 18 critical sectors, considering also economic impacts and market supply.

The Cybersecurity Act will enable the mandatory derisking of European mobile telecommunications networks from high-risk third-country suppliers, building on the work already carried out under the 5G security toolbox.

The revised Cybersecurity Act will ensure that products and services reaching EU consumers are tested for security in a more efficient way. This will be done through a renewed European Cybersecurity Certification Framework (ECCF). The ECCF will bring more clarity and simpler procedures, allowing certification schemes to be developed within 12 months by default. It will also introduce more agile and transparent governance to better involve stakeholders through public information and consultation.

Certification schemes, managed by ENISA, will become a practical, voluntary tool for businesses. They will allow businesses to demonstrate compliance with EU legislation, reducing the burden and costs. Beyond ICT products, services, processes and managed security services, companies and organisations will be able to certify their cyber posture to meet market needs. Ultimately, the renewed ECCF will be a competitive asset for EU businesses. For EU citizens, businesses and public authorities, it will ensure a high level of security and trust in complex ICT supply chains.

In addition, the package introduces measures to simplify compliance with EU cybersecurity rules and risk-management requirements for companies operating in the EU, complementing the single-entry point for incident reporting proposed in the Digital Omnibus. Targeted amendments to the NIS2 Directive aim to increase legal clarity. They will ease compliance for 28,700 companies, including 6,200 micro and small-sized enterprises. They will also introduce a new category of small mid-cap enterprises to lower compliance costs for 22,500 companies. The amendments will simplify jurisdictional rules, streamline the collection of data on ransomware attacks and facilitate the supervision of cross-border entities with ENISA's reenforced coordinating role.

Finally, the revised Cybersecurity Act presented today enables ENISA to help the EU and its Member States understand the common threats. It also enables them to prepare and respond to cyber incidents. The agency will further support companies and stakeholders operating in the EU by issuing early alerts of cyber threats and incidents. In cooperation with Europol and Computer Security Incident Response Teams, it will support companies in responding to and recovering from ransomware attacks. ENISA will also develop a Union approach to provide better vulnerabilities management services to stakeholders. It will operate the single-entry point for incident reporting proposed in the Digital Omnibus.

The Cybersecurity Act will be applicable immediately after approval by the European Parliament and the Council of the EU. The accompanying NIS2 Directive amendments will also be presented for approval. Once adopted, Member States will have one year to implement the Directive into national law and communicate the relevant texts to the Commission.

On 27 January 2026, the ENISA published its Single Programming Document 2026-2028.

The document defines ENISA’s role in supporting EU cybersecurity policies, including the Cybersecurity Act, NIS2 Directive, Cyber Resilience Act (CRA), Cyber Solidarity Act (CSoA) and the upcoming Digital Omnibus. It outlines seven strategic objectives—three horizontal (empowered communities, foresight, consolidated knowledge) and four vertical (policy implementation, crisis preparedness, cybersecurity capacity, trust in digital solutions).

For 2026, ENISA prioritises: the operationalisation of the EU Cybersecurity Reserve; the development and launch of the CRA Single Reporting Platform; publication of the second State of Cybersecurity in the Union Report; coordinated resilience stress tests; and strengthened support for Member States on NIS2 implementation. ENISA will expand its certification portfolio, including schemes for EU Digital Identity Wallets, Managed Security Services and 5G, maintain the EUCC scheme and complete EUCS. The Agency will also enhance the EU Vulnerability Database and threat analysis capabilities, including contributions to joint threat assessments and cyber situational awareness.

Operational activities cover policy monitoring, critical sector resilience, capacity building, operational cooperation, situational awareness, support services, certification, and market/technology security. ENISA also plans substantial internal upgrades, including data centre migration from Heraklion in 2026 and a multiannual cybersecurity maturity plan.

The SPD includes detailed resource projections: a 2026 core budget of €27.19 million and 130 FTEs, with significant additional funding through contribution agreements for the Cyber Reserve, CRA reporting platform and situational analysis centre. Impacts include improved harmonisation of cyber incident reporting, strengthened sectoral maturity, enhanced cross border response capability, and more coordinated EU wide threat intelligence.

On 28 January 2026, the EU publishes Commission Implementing Decision (EU) 2026/179 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data by Brazil.

The Decision is adopted pursuant to Article 45(3) GDPR following a comprehensive assessment of Brazil’s legal order, including constitutional safeguards, the Lei Geral de Proteção de Dados (LGPD), and the supervisory powers of the Brazilian Data Protection Authority (ANPD). The Commission concludes—based on detailed analysis contained in recitals 7–223—that Brazil guarantees a level of protection “essentially equivalent” to that provided within the EU.

The Decision outlines Brazil’s data protection framework: lawful bases for processing (Articles 6–7 LGPD), strict conditions on consent, rules for legitimate interest, safeguards for processing sensitive data, data subject rights (access, rectification, erasure, portability, objection), cybersecurity requirements, breach notification obligations, transparency duties, accountability measures including DPIAs and DPO requirements, and restrictions on onward transfers via contractual clauses, binding corporate rules, adequacy decisions, and strict conditions on consent based transfers. The LGPD’s material and territorial scope and definitions closely mirror those in the GDPR.

The Decision also assesses government access to data transferred from the EU. Access for law enforcement and national security purposes is tightly regulated, requiring judicial authorisation with strict necessity and proportionality safeguards. Oversight is ensured by courts, the Public Prosecutor’s Office, the ANPD, and specific intelligence oversight mechanisms. Individuals—regardless of nationality or residence—have access to redress via the ANPD, civil courts, and the constitutional instrument of Habeas Data.

The Decision takes effect upon publication and enables transfers from EU controllers and processors to Brazilian recipients without further authorisation. It does not alter the direct applicability of the GDPR where Article 3 GDPR applies.

BACKGROUND

On 28 January 2026, ESMA published Guidelines on the criteria for the assessment of knowledge and competence under MiCA.

These Guidelines establish a common supervisory framework for assessing the knowledge and competence of staff involved in the provision of crypto-asset services. They are intended to support the uniform application of MiCA conduct of business requirements and to promote supervisory convergence across the EU.

They clarify supervisory expectations for crypto-asset service providers (CASPs) at both individual staff level and organisational level, covering competence assessment, supervision, training and internal governance.

WHAT'S NEW?

The Guidelines introduce a structured and differentiated framework under MiCA for staff providing crypto-asset services.

First, they define the scope of staff in scope. The framework applies to staff providing information or advice on crypto-assets or crypto-asset services, including where such services are delivered in an automated or semi-automated manner. Back-office staff without client relevance are excluded.

Second, they establish a clear distinction between information and advice activities. Staff giving advice are subject to higher knowledge and competence standards than staff giving information only, reflecting the greater complexity and client impact of advisory services.

For information activities, staff must understand, inter alia:

• key characteristics, risks and volatility of crypto-assets and crypto-asset services;
• DLT functioning, protocols, governance and validation mechanisms;
• costs and charges, including platform fees and network-related fees (e.g. gas fees);
• market functioning, liquidity, price formation and investor sentiment effects;
• differences in investor protection between MiCA and MiFID II;
• market abuse, AML/CFT risks, valuation basics and available data sources.

For advisory activities, additional requirements apply. Staff must understand:

• MiCA suitability requirements;
• portfolio construction and diversification principles;
• total costs and charges incurred by the client;
• situations where crypto-assets or crypto-asset services may be unsuitable for a client;
• valuation mechanisms relevant to advised crypto-assets.

The Guidelines also set minimum thresholds for qualifications, experience and training. For information activities, this includes, for example, a professional qualification (minimum 80 hours) combined with supervised experience, or one year of supervised experience, and ongoing CPD (e.g. 10 hours per year). For advisory activities, higher thresholds apply, including longer professional training or education paths, extended supervised experience, and increased CPD expectations (e.g. 20 hours per year).

At organisational level, CASPs must establish policies for assessment, supervision, CPD and annual review of staff competence, and maintain appropriate documentation.

WHAT'S NEXT?

The Guidelines apply six months after publication in all EU official languages.

Competent authorities must notify ESMA within two months whether they comply or intend to comply, under the comply-or-explain mechanism.

From an operational perspective, CASPs will need to:

• review role definitions and distinguish clearly between information and advisory functions;
• assess current staff against the minimum qualification and experience thresholds;
• implement or update CPD frameworks in line with the annual hour expectations;
• formalise supervision arrangements where required; and
• ensure that records concerning staff knowledge and competence can be submitted to competent authorities upon request, containing sufficient information to allow verification of compliance with the Guidelines.

On 6 January 2026, the ESMA published report on cross-border marketing of funds .

The report covers the period between 1 February 2023 and 31 January 2025 and provides an overview of national laws, regulations, and administrative provisions governing marketing requirements in all Member States, along with an analysis of their effects based on information received from national competent authorities (NCAs). The main finding indicates that national rules regarding fund marketing have not been subject to significant changes since 2023, as most modifications highlighted in the 2023 report were driven by the transposition of Directive (EU) 2019/1160 (CBDF Directive) and the entry into force of the Regulation and ESMA Guidelines on marketing communications.

The report documents that high levels of harmonization have been achieved in areas such as de-notification procedures for cross-border marketing, the obligation to appoint local contact points in host Member States, and prior authorization rules for AIF marketing. New statistical data from the ESMA central database reveals that 149,363 cross-border marketing notifications have been recorded, with UCITS representing 56% (83,773 notifications) and AIFs 44% (65,590 notifications). Luxembourg accounts for 59% of outbound notifications, followed by Ireland with 30%, while Germany, Italy, France, and Spain constitute the main host Member States.

The analysis of ex-ante and ex-post verification activities shows that only a limited number of Member States conduct mandatory verification of marketing communications, with most frequent breaches relating to failure to identify communications as marketing, unbalanced risk-reward presentation, and non-compliance with ESG provisions. The next iteration of this report will be submitted in two years.

On 15 January 2026, the FinDatEx publishes European MiFID Template (EMT) V4.3.

Compared to earlier versions, EMT V4.3 adds three optional fields related to "Value Cost Advantage" (VCA), which are relevant only for structured products distributed in France. These fields are:

• 11000_EMT_Data_Reporting_VCA_FR
• 11010_Used_VCA_Methodology_FR
• 11020_Hyperlink_To_VCA_Methodology_FR

These new fields have become necessary due to evolving regulatory expectations for distributors of structured products in France, who will need to exchange information on the successful outcome of a test (and the methodology employed) to evaluate a product’s value. The fields related to the ‘Value Cost Advantage’ are separate from, and without prejudice to, the ongoing discussions on Value for Money in the context of the Retail Investment Strategy and should not be regarded as prejudging their outcome

EMT V4.3 is available from 15 January 2026. This version will be completely optional and will coexist with EMT 4.2.

On 13 January 2026, the ESMA publishes its Digital Strategy 2026-2028 and updates its Data Strategy 2023-2028.

The digital strategy aims to continue ESMA’s digital transformation, while the Data Strategy update is oriented to capitalise on opportunities to simplify, better integrate and streamline data management and technology.

The new Digital Strategy 2026–2028 sets out a roadmap for innovation, efficiency, and resilience. The key objectives include:

• Building EU digital synergies
• Enhancing digital capabilities of ESMA and the European System of Financial Supervision (ESFS)
• Bolstering operational efficiency
• Establishing a secure and future-ready ecosystem.

The Data Strategy 2023–2028 has been updated to reflect the focus on burden reduction, the evolving technological landscape, and ESMA’s desire for unlocking efficiency opportunities. While its key objectives remain the same, the key new actions include:

• Flagship initiatives related to streamlining supervisory reporting, relating to transaction data and in the funds domain
• Expanding the capacity of the ESMA Data Platform to benefit national and European authorities
• Implementing next phases of the MiCA joint supervisory tool for crypto-market monitoring
• Finalising the development of the European Single Access Point (ESAP).

With the alignment of both the digital and data strategies, ESMA ensures that innovation and technology translate into tangible benefits for stakeholders, with more possibilities for synergies and digital transformation across ESMA and the ESFS at large.

On 21 January 2025, the ESMA published compliance table on the Joint ESAs Guidelines on the system for the exchange of information relevant to fit and proper assessments.

Joint Guidelines on the system established by the European Supervisory Authorities for the exchange of information relevant to the assessment of the fitness and propriety of holders of qualifying holdings, directors and key function holders of financial institutions and financial market participants by competent authorities (JC/GL/2024/88).

The document lists the competent authorities intention to comply or intend to comply with ESAs’ Joint Guidelines

BACKGROUND

On 9 January 2026, the European Banking Authority published its Final Report EBA/GL/2026/01 containing Guidelines specifying the criteria for the identification of activities referred to in Article 4(1)(18) of Regulation (EU) No 575/2013 (CRR).

These Guidelines follow the amendments introduced by Regulation (EU) 2024/1623, which revised the definitions of “ancillary services undertaking” (ASU) and “financial institution” under Article 4 CRR, with the objective of strengthening clarity and ensuring consistent application of prudential consolidation rules across Member States.

A draft version of the Guidelines was published for consultation in July 2025, with feedback open until October 2025. Following the public consultation process, during which industry stakeholders raised concerns notably regarding the scope of “direct extension of banking”, the reliance criterion, and the consolidation perimeter, the EBA introduced targeted amendments and clarifications.

The text published on 9 January 2026 therefore constitutes the final version of the Guidelines, incorporating adjustments made in response to consultation feedback while maintaining the overall structure and prudential objectives of the draft.

Under the amended framework, an ASU is an undertaking whose principal activity consists of:

• (a) a direct extension of banking;
• (b) certain activities (e.g. operational leasing, property management, data processing) insofar as they are ancillary to banking; or
• (c) any other activity considered similar by the EBA.

Given the prudential consequences of qualifying as an ASU — including inclusion within the prudential perimeter of consolidation and treatment as a financial sector entity — further operational clarification was required, which these final Guidelines now provide.

WHAT'S NEW?

1. Clear criteria for “direct extension of banking”

The Guidelines define activities considered fundamental to the value chain of core banking services (Annex I CRD), including:

• Brokerage of loans or deposits
• Loan servicing
• Creditworthiness assessment of individual clients
• Debt recovery
• Loan intermediation via innovative channels (e.g. crowdfunding or marketplace lending platforms)

These activities may qualify as a direct extension of banking even if performed outside the group, given their intrinsic financial nature.

2. Structured test for “ancillary to banking”

An activity is considered ancillary to banking when it:

• Supports banking (e.g. operational support, compliance, data processing);
• Complements banking (e.g. cross-selling via shared distribution channels); or
• Relies on banking (e.g. significant dependence on intragroup funding or banking services).

Importantly, this assessment applies only to undertakings that have to or may be included in prudential consolidation under Articles 11 and 18 CRR.

Specific clarifications are provided for:

• Operational leasing
• Ownership or management of property
• Data processing services

The assessment must consider the relevance and materiality of the link to banking.

3. Case-by-case mechanism for “similar activities”

Where an activity is not explicitly covered under points (a) or (b), competent authorities may notify the EBA. The EBA retains the final decision on whether the activity should be treated as similar under Article 4(1)(18)(c) CRR.

This ensures flexibility and responsiveness to evolving business models (e.g. digital finance structures).

4. Clarification of “principal activity”

An undertaking qualifies as an ASU where the relevant activities represent at least 50% of assets, revenues, or personnel, assessed on an individual basis.

A cumulative approach applies where multiple relevant activities are performed.

Competent authorities may also determine principal activity on a case-by-case basis where thresholds are not met but prudential relevance is established.

WHAT'S NEXT?

The Guidelines will be translated into all official EU languages. They will apply two months after publication of the translations. Competent authorities must notify the EBA within two months of translation publication whether they comply or intend to comply.

On 13 January 2026, the ESMA published Guidelines on stress test scenarios under the MMF Regulation.

The guidelines establish common reference parameters for stress test scenarios that MMFs or their managers must conduct, covering six risk categories: hypothetical changes in liquidity levels, credit risk (including credit events and rating events), interest rates and exchange rates, redemption levels, widening or narrowing of spreads among benchmark indices, and macro-systemic shocks.

The 2025 update reflects a severe adverse scenario calibrated to tail risks amid elevated geopolitical uncertainty stemming from global trade tensions and multiple conflicts worldwide, which amplify trade disruptions and lead to sharp rises in commodity prices, supply chain disruptions, and inflationary pressures that trigger spikes in risk-free rates. ESMA developed this calibration in collaboration with the ESRB and ECB as of November 2025. The main calibration changes include: EUR swap rate shocks slightly lower (83-106 basis points) while USD shocks are higher (118-164 bps); government bond spreads slightly higher (EA weighted average 38-67 bps); bid-ask spreads smaller than 2024 (sovereign bonds 0.08%-0.38%, corporate bonds 0.39%-0.73%); and redemption parameters unchanged from the COVID-19 crisis calibration.

The guidelines require managers to conduct mandatory common reference stress tests whose results must be reported quarterly to national competent authorities using the template in Commission Implementing Regulation (EU) 2018/708. The seven specific scenarios include: (1) liquidity stress test applying discount factors and price impact parameters (1E-13 to 8E-13) for asset sales during redemptions; (2) credit risk stress test with spread increases (corporate bonds 116-385 bps) and concentration risk simulating default of two main exposures (45% loss for senior, 75% for subordinated); (3) interest rate shocks across yield curves; (4) FX shocks (EUR appreciation up to 18% vs HUF, depreciation 12% vs USD); (5) spread widening for floating rate instruments; (6) redemption scenarios (reverse liquidity test, weekly liquidity test assuming 40% professional/30% retail investor outflows, concentration test); and (7) macro-systemic shock combining all risk factors. Stress tests must assess impacts on both portfolio NAV and liquidity buckets/ability to meet redemptions, using historical and hypothetical scenarios including reverse stress testing.

The updated guidelines apply two months after publication of translations in all EU official languages, triggering a two-month period for national competent authorities to notify ESMA of compliance intentions. After application starts, managers must report quarterly stress test results calculating impacts as percentage of NAV. Until then, managers should continue using the 2024 guidelines published on 7 January 2025.

On 9 January 2026, the EU publishes Decision (EU) 2026/77 of the European Central Bank of 19 December 2025 amending Decision (EU) 2019/166 on the Market Infrastructure Board (ECB/2019/3) (ECB/2025/43).

The Decision, adopted on 19 December 2025 by the ECB Governing Council, updates the governance framework of the Market Infrastructure Board (MIB) to reflect operational developments and the go-live of the Eurosystem Collateral Management System (ECMS).

The scope encompasses amendments to four annexes of the original Decision (EU) 2019/166 (ECB/2019/3), covering the MIB's operational framework, rules of procedure, code of conduct, and procedures for selecting non-central bank members. The main objective is to update the MIB's governance structures in light of experience gained since the last amendment and to integrate ECMS-related responsibilities into the MIB's mandate. The MIB's competencies now encompass all ECMS-related topics but explicitly exclude the collateral framework and related legal acts such as Guideline (EU) 2024/3129 (ECB/2024/22).

Key requirements include updating definitions of Eurosystem infrastructure services to explicitly include TARGET services (T2, T2S, TIPS) and ECMS alongside cash settlement, securities settlement, and collateral management services. The amended MIB composition maintains nine members from Eurosystem NCBs representing at least 85% of the Eurosystem capital key, with voting rights for two non-euro area NCB members and two non-voting non-central bank members. Enhanced provisions address the Eurosystem Informal Group for Market Infrastructure (EIG), granting automatic access to all MIB documentation and enabling written comments during procedures. Updates to the Code of Conduct align with recent developments and clarify obligations for non-central bank members.

The Decision entered into force on 29 January 2026, twenty days following its publication.

BACKGROUND

On 8 January 2026, the European Commission published in the Official Journal of the European Union Commission Delegated Regulation (EU) 2026/73 of 4 July 2025, amending the EU Taxonomy disclosure and technical screening framework.

The Delegated Act was adopted by the Commission on 4 July 2025 with the objective of simplifying EU Taxonomy reporting requirements for companies. Its publication in the Official Journal on 8 January 2026 marks the formal entry into force process of those simplification measures.

The Regulation amends the framework established under Regulation (EU) 2020/852 on the establishment of a framework to facilitate sustainable investment (the Taxonomy Regulation). It specifically revises:

• Commission Delegated Regulation (EU) 2021/2178, which sets out the content, presentation and methodology of Article 8 Taxonomy disclosures (turnover, CapEx, OpEx and financial KPIs);
• Commission Delegated Regulation (EU) 2021/2139, which establishes technical screening criteria for climate change mitigation and climate change adaptation;
• Commission Delegated Regulation (EU) 2023/2486, which establishes technical screening criteria for the remaining four environmental objectives (water, circular economy, pollution prevention and control, biodiversity and ecosystems).

The amendments respond to implementation experience from the first reporting cycles, during which both non-financial and financial undertakings reported significant operational complexity and administrative burden in applying KPI calculations and Do No Significant Harm (DNSH) criteria.

WHAT'S NEW?

1. Introduction of a 10% materiality threshold

A cross-cutting 10% financial materiality threshold is introduced across key performance indicators (KPIs):

• Non-financial undertakings may omit assessing taxonomy-eligibility and taxonomy-alignment where turnover, CapEx or OpEx linked to certain activities is below 10% of the respective KPI denominator.
• OpEx may be omitted entirely where it is not material to the business model (subject to disclosure of the denominator and justification).
• Omitted items must be disclosed separately as non-material.
• Financial undertakings (credit institutions, asset managers, investment firms, insurers) may similarly omit assessment where exposures, guarantees, assets under management, revenues or premiums fall below 10% of the relevant KPI denominator (e.g. GAR, AuM KPI, FinGuar KPI, revenue KPI).

This introduces proportionality while preserving transparency through separate reporting of non-material items.

2. Recalibration of financial KPIs

The Regulation clarifies the scope of financial KPIs:

• Exposures to undertakings not subject to Articles 19a or 29a of Directive 2013/34/EU are excluded from KPI denominators.
• Certain asset classes (e.g. derivatives, cash and cash equivalents, on-demand interbank loans, goodwill, commodities) are excluded from denominators.
• Specific treatment is clarified for SPVs and voluntary Taxonomy reporting by counterparties.
• Financial undertakings that do not claim Taxonomy alignment may, until 31 December 2027, publish a standard statement instead of using the full reporting templates.

In addition, the application of the Trading Book KPI and the Fees and Commissions KPI is deferred until 1 January 2028.

3. Streamlining of reporting templates

Annexes to Delegated Regulation (EU) 2021/2178 are substantially revised:

• Templates are shortened and simplified;
• The standalone fossil gas and nuclear template (former Annex XII) is deleted;
• Fossil gas and nuclear disclosures are integrated into the general templates;
• Additional transparency is required on sectors considered non-material.

4. Simplification of DNSH chemical criteria

The generic DNSH criteria on pollution prevention and control are amended to:

• Clarify exemptions under EU legislation on ozone-depleting substances;
• Allow legally permitted exemptions under RoHS and REACH;
• Remove certain horizontal screening requirements for substances in articles where no supply-chain reporting obligation exists;
• Maintain the 0.1% threshold for substances of very high concern (SVHC), subject to documented absence of alternatives.

This reduces supply-chain data collection burdens while maintaining core environmental safeguards.

WHAT'S NEXT?

The Regulation applies from 1 January 2026, following its publication in the Official Journal on 8 January 2026.

Undertakings may, however, apply the previous versions of Delegated Regulations (EU) 2021/2178, 2021/2139 and 2023/2486 for financial years starting between 1 January and 31 December 2025, in order to avoid undue transition costs.

On 19 January 2026, the EBA publishes Joint Bank Reporting Committee (JBRC) 2026 Work Programme and Recommendations on ESG disclosures.

The JBRC’s Work Programme for 2026 sets out the Committee’s main priorities as it continues supporting progress towards an integrated European reporting system for banks.

The work programme identifies five main activities with varying priority levels. The highest priority activity involves semantic integration, carried out continuously by the Expert Group on Semantic Integration (EG SINT), including work on EBA ESG Reporting and the SRB Valuation Data Set. Medium priority activities include initial investigation and preparatory work on establishing a common data dictionary (Q4 2025-Q4 2026), assessing progress and future directions for building blocks of an integrated reporting system (Q4 2025-Q2 2026), and further harmonisation of regulatory reporting on topics prioritised by the Reporting Contact Group, including harmonisation of party identifiers. Lower priority activities cover investigating proportionality options to reduce burden on small and less complex institutions without creating significant data gaps, and maintaining a set of terms and definitions related to integrated reporting.

The recommendations address specific templates within the ESG disclosure framework, covering areas such as residual maturity breakdowns, energy performance metrics for collateral, economic activity classifications (NACE sectors), carbon-intensive firm exposures, physical risk exposures, Green Asset Ratio (GAR) metrics, and taxonomy-aligned assets. Key recommendations include aligning collateral allocation for real estate protection with FinRep requirements, harmonizing residual maturity calculations across COREP, Asset Encumbrance, IReF, and ESG disclosures, and clarifying definitions for concepts such as motor vehicle loans, assets under management, and cash-related assets.

The document emphasizes the importance of semantic consistency across regulatory frameworks, recommending the adoption of uniform definitions where possible, particularly from established sources like CRR, ESA 2010, and Commission Delegated Regulations. The recommendations also address data quality controls, estimation methodologies for energy performance scores when actual data is unavailable, and the treatment of exposures with multiple types of collateral or physical risk sensitivities. This publication demonstrates the collaborative framework between industry and authorities through the Reporting Contact Group (RCG), with further enhancements underway for the ESCB's Integrated Reporting Framework (IReF), FinRep, and other key areas.

On 22 January 2026, ECB publishes supervision blog on its Supervisory priorities 2026-28.

The document establishes two key priorities: improving banks' resilience to geopolitical risks and macro-financial uncertainties, and ensuring banks strengthen their operational resilience and ICT capabilities to avoid disruptions to critical operations and services.

The ECB acknowledges that the European banking sector faces a challenging external environment shaped by heightened geopolitical risks, protectionism, geoeconomic fragmentation, and structural shifts driven by technological innovation, climate crises, and demographic changes. While the sector has proven broadly resilient, full consequences of these structural shifts remain uncertain, requiring continued vigilance.

Key supervisory initiatives include a 2026 thematic reverse stress test where each bank will define its own geopolitical scenario tailored to bank-specific vulnerabilities. The ECB will assess how geopolitical risks are incorporated into capital planning, stress testing, risk management frameworks, and governance structures through regular supervisory dialogue. A thematic review of credit underwriting standards will examine new lending practices to assess how banks plan to mitigate potential credit losses.

Regarding operational resilience, supervisors will assess ICT risk management practices with particular attention to cybersecurity and third-party risk management, ensuring swift implementation of Digital Operational Resilience Act requirements introduced in early 2025. The ECB will also monitor banks' progress on risk data aggregation and risk reporting deficiencies, given slow progress to date.

For climate risks, as the multi-year program launched in 2020 concludes with banks reaching mature risk management levels, supervision will shift from remediation towards business-as-usual approaches, supporting banks in planning their transitions. On artificial intelligence, the ECB will expand focus from prudentially relevant applications to generative AI, assessing impacts on risk profiles and governance frameworks.

On 9 January 2026, the ESMA published its principles on risk-based supervision.

The document sets out non-binding principles aimed at developing a common EU supervisory culture, applicable to all mandates covering markets, entities, and products under supervisory authorities' remit.

The scope encompasses key concepts, foundational elements, and operational phases of risk-based supervision. The principles cover the definition and understanding of RBS, risk identification methodologies (both industry-wide and entity-based), risk assessment frameworks including probability and impact scoring, and risk prioritisation and treatment processes. The document introduces an entity-based approach that can be adapted to transaction-based or product-based models depending on supervisory processes.

Regarding supervisory implementation, supervised entities will experience supervision through several mechanisms. NCAs will conduct entity-based risk identification to understand individual risk profiles, assessing organizational structures, business operations, governance frameworks, financial resources, internal controls, IT systems, staffing levels, and operational resilience. Authorities will evaluate entities using both regulatory and third-party datasets, employing cluster-based approaches for entities with similar features or detailed individual analysis for firms of greater size, complexity, geographical reach, or systemic importance.

Supervision intensity will be proportionate to identified risk levels, considering the nature, scale, and complexity of each entity and their potential effects on investor protection, financial stability, and orderly markets. Entities will be assigned risk scores based on probability of risk occurrence (informed by governance quality, internal controls, past incidents, complaints, and behavioral indicators) and potential impact assessments. Higher risk scores will result in prioritised supervisory attention through targeted work plans, combining desk-based supervision with on-site inspections tailored to entity-specific conditions and risk profiles. The framework operates as a continuous and recurrent process with regular monitoring, reprioritisation of risks as circumstances evolve, and feedback loops to test the adequacy of risk assessments.

On 8 January 2026, the ESAs published joint Guidelines on ESG stress testing.

The Joint Guidelines aim to ensure that competent authorities consistently integrate ESG risks into their national supervisory stress testing activities. These guidelines are addressed to competent authorities and should be applied when performing supervisory stress tests, either by integrating ESG related risks into their existing framework or by measuring the impact of ESG risks under adverse scenarios in a complementary assessment, where applicable according to the sectoral legislation.

Competent authorities should ensure that sufficient human and material resources are allocated to the ESG stress testing process. This includes the involvement of staff with expertise in ESG risk assessment, stress testing methodologies, and financial supervision. They should also have data management and collection capabilities that support access to high-quality ESG data and develop and maintain IT infrastructure for efficient data collection, scenario determination, and result analysis.

Appropriate timelines should be set for conducting ESG stress tests and scenario analyses, balancing the need for completeness and accuracy with the requirements of the decision-making process. Financial entities should be given sufficient preparation time to compile relevant information and conduct their assessments, enabling competent authorities to perform a comprehensive review and ensure accurate reporting. The process should facilitate efficient analysis, consistent communication of findings, and integration into the broader supervisory framework.

The Joint Guidelines apply from 1 January 2027.

On 13 January 2026, the ESMA publishes Regulatory timeline for SFDR, TR , CSRD, BMR, EuGBR, ESGRR.

It maps the progressive entry into application of the Sustainable Finance Disclosure Regulation (SFDR), the Taxonomy Regulation (TR) and its Disclosures Delegated Acts, the Corporate Sustainability Reporting Directive (CSRD) and ESRS, the Benchmark Regulation (BMR), the European Green Bonds Regulation (EuGBR), and the ESG Ratings Regulation (ESGRR).
The timeline outlines the expansion of taxonomy alignment reporting. Financial undertakings began disclosing climate objective KPIs earlier, and from 1 January 2026 must disclose KPIs for additional environmental objectives under the TR Disclosures Delegated Act. Non financial undertakings will also disclose additional taxonomy alignment KPIs by 2029. The “Quick Fix” Delegated Act reduces reporting requirements from FY 2025.

For sustainability reporting under CSRD, the document differentiates three waves of ESRS application: Wave 1 applies from FY 2024 (reporting in 2025) to undertakings previously subject to NFRD; Wave 2, postponed by the “Stop the Clock” Directive, applies from FY 2027 (reporting in 2028) to large undertakings not previously covered; Wave 3, also postponed, applies optionally from FY 2028 and mandatorily from FY 2029 to listed SMEs and small and non complex financial institutions. Certain third country undertakings will also begin reporting from FY 2028.

The document also details key transition deadlines such as the EuGBR becoming applicable on 21 December 2024, the end of transitional periods for pre existing funds under SFDR in May 2025, for third country benchmarks under BMR at end 2025, and for EuGBR external reviewers in June 2026. The ESG Ratings Regulation becomes applicable on 2 July 2026. Overall, the timeline is a consolidated planning tool for understanding the sequencing of sustainable finance regulatory obligations.

On 14 January 2026, the ESMA published thematic notes on sustainability-related claims - ESG strategies.

The publication builds on observed market practices and focuses specifically on ESG integration and ESG exclusions strategies, with additional thematic notes to follow as necessary. The scope encompasses all market participants across the Sustainable Investment Value Chain (SIVC), including issuers, fund managers, benchmark administrators, and investment service providers who make sustainability claims in non-regulatory communications such as marketing materials and voluntary reporting.

The document establishes four core principles that sustainability claims must follow: Accurate (fairly representing sustainability profiles without exaggeration or cherry-picking), Accessible (easy to access and understand with appropriate layering), Substantiated (based on clear reasoning, credible facts, and transparent methodologies), and Up to date (reflecting current information with timely disclosure of material changes). These principles do not create new disclosure requirements but remind market participants of existing obligations under the "clear, fair, and not misleading" standard.

For ESG integration strategies, the guidance clarifies that market participants must transparently explain whether integration is binding or non-binding, whether ESG factors trigger portfolio decisions, the extent of their use in financial analysis, and their actual impact on portfolio composition.

For ESG exclusions strategies, firms must describe in plain language the process, ESG criteria, and thresholds used, clarify whether exclusions are absolute or relative, explain materiality assessments, and be transparent about the actual impact on the investable universe. The guidance includes practical do's and don'ts with concrete examples of good and poor practices to help market participants avoid misleading investors through vague or inconsistent sustainability claims.