Understanding EU Banking Regulations

Who Regulates the Banking Industry in the European Union?
The banking industry in the European Union (EU) is regulated by a comprehensive framework designed to ensure the stability and safety of the financial sector across its member states. The European Central Bank (ECB) plays a crucial role in this framework, especially through the Single Supervisory Mechanism (SSM). The SSM allows the ECB to directly oversee the largest and most significant banks within the Eurozone (and in member states that have joined the SSM through close cooperation), ensuring they comply with critical prudential requirements, including the EU's implementation of Basel III through the Capital Requirements framework (CRR/CRD).
Supporting the ECB, the European Banking Authority (EBA) is responsible for developing a single rulebook for EU banks, setting regulatory standards, and conducting stress tests to evaluate how well banks can withstand economic stress. The EBA’s work is central to maintaining financial stability across the EU, ensuring that banks adhere to consistent regulatory practices.
Each EU member state also has its own National Competent Authority (NCA), such as BaFin in Germany or the ACPR (attached to the Banque de France) in France. These NCAs directly supervise the less significant institutions that do not fall under the ECB's direct supervision, and they participate in the ECB-led Joint Supervisory Teams for the significant ones. They collaborate closely with the ECB and EBA to ensure that banking regulations are consistently applied and effectively monitored throughout the region.
At an international level, standard-setting and coordination also matter for EU banks. The Basel Committee on Banking Supervision (BCBS) defines the global prudential standards (Basel III), while the Financial Stability Board (FSB) coordinates cross-border financial stability work and monitors implementation. These standards are not binding on their own: EU authorities translate them into EU law (regulations and directives) and supervisory expectations, sometimes with EU-specific deviations and transitional arrangements.

Short Summaries of Key EU Banking Regulations & Guidelines
Capital Requirements Regulation (CRR) and Capital Requirements Directive (CRD IV/V)
The Capital Requirements Regulation (CRR) and Capital Requirements Directive (CRD IV/V) form the foundation of EU banking regulation, establishing comprehensive prudential requirements for credit institutions and, historically, investment firms (most investment firms have since moved to the separate IFR/IFD regime). The framework does not mandate internal models; the standardised approaches are the default, and institutions may use internal models to calculate risk-weighted assets (RWAs) only with supervisory approval and subject to ongoing requirements. To obtain and keep that approval, banks must implement robust governance structures and controls for model development, validation, and monitoring. By enforcing these standards, CRR/CRD aims to enhance the stability of the financial system and reduce the risk of financial crises.
The EU has since moved from CRR/CRD IV/V toward the "Banking Package" implementing the final Basel III reforms: CRR III entered into force on 9 July 2024 and generally applies from 1 January 2025, while most of CRD VI applies from 11 January 2026 (with some elements phasing in later). The package includes the Basel III "final/endgame" components (for example, the output floor) and is being phased in over time; the European Commission has also deferred the application of the new market risk (FRTB) own funds requirements by delegated act, reflecting a broader global pattern of staggered implementation and jurisdictional fragmentation.
European Banking Authority (EBA) Guidelines
The European Banking Authority (EBA) is instrumental in shaping the regulatory landscape for EU banks, issuing guidelines that set expectations for sound governance and risk management practices. The EBA Guidelines on Internal Governance require institutions to establish comprehensive governance frameworks with robust risk management systems, which in practice extend to model risk management (MRM). In addition, the EBA's technical standards and guidelines on internal models (covering, among other things, the assessment methodology for internal approaches and parameter estimation) set detailed requirements for the governance, validation, and oversight of models used to calculate regulatory capital. The EBA also addresses outsourcing risks through its Guidelines on Outsourcing Arrangements, which require institutions to keep oversight of third-party models and services rather than transfer responsibility to the provider.
In recent supervisory practice, EU expectations have broadened beyond purely "regulatory models" toward stronger institution-wide governance and risk management standards. For example, in January 2025 the EBA published final Guidelines on the management of ESG risks (https://www.eba.europa.eu/publications-and-media/press-releases/eba-publishes-its-final-guidelines-management-esg-risks), requiring institutions to integrate ESG risk identification and governance into their internal frameworks, and in late 2025 it launched a consultation on revised internal governance guidelines to reinforce organisational risk management arrangements across functions (https://www.eba.europa.eu/publications-and-media/press-releases/eba-consults-revised-guidelines-internal-governance). Supervisory handbooks and validation guidance likewise stress that robust, independent validation and control functions are part of internal governance, not an add-on to it.
Single Supervisory Mechanism (SSM) and ECB Guidelines
The Single Supervisory Mechanism (SSM), under the oversight of the European Central Bank (ECB), plays a critical role in supervising significant banks within the Eurozone. The ECB's guidance, in particular the ECB guide to internal models, which grew out of the Targeted Review of Internal Models (TRIM) exercise, is designed to ensure consistency, accuracy, and adequacy in the use of internal models by banks.
Since its original publication, the guide has been updated, most notably in February 2024 and again in July 2025, to reflect changes in the regulatory framework (including CRR III) and accumulated supervisory experience. These revisions clarify expectations for credit risk, counterparty credit risk, market risk, and model governance, and explicitly address the use of more advanced modelling techniques, including machine learning-based approaches. Here the ECB emphasises proportionality, explainability, transparency, and effective governance: a bank must be able to show that a model's complexity is justified, that the model is understood by those who own and use it, and that it is subject to robust validation and oversight. Through the SSM, the ECB ensures that internal models, whether based on traditional statistical methods or more complex techniques, are used appropriately and governed in line with regulatory expectations, thereby supporting the stability of the European banking system.
Supervisory Review and Evaluation Process (SREP)
The Supervisory Review and Evaluation Process (SREP) is a critical component of EU banking supervision, conducted by the ECB and national competent authorities to assess the risk profile and capital adequacy of financial institutions. During the SREP, banks must demonstrate robust model risk management practices, including proper governance, validation, and oversight of their internal models. This process not only evaluates the institution's current risk exposure but also determines whether additional capital requirements are necessary to cover any identified risks. The SREP ensures that banks operate with sufficient capital buffers, thereby safeguarding the financial system from potential instability.
International Financial Reporting Standard 9 (IFRS 9, Financial Instruments)
IFRS 9 significantly affects model risk management, particularly in credit risk modelling for expected credit losses (ECL). Although it is primarily an accounting standard, its forward-looking ECL approach relies heavily on models, and supervisory guidance on accounting for ECL expects institutions to keep those models robust, validated, and subject to stringent governance. Accurate modelling under IFRS 9 is essential for reflecting the true financial position of an institution and for consistent financial reporting. Institutions must integrate these models into their overall risk management frameworks, ensuring consistency between the accounting and prudential views of credit risk.
In May 2024, the IASB issued targeted amendments to IFRS 9 and IFRS 7 (classification and measurement / disclosures), effective for annual reporting periods beginning on 1 January 2026 (early application permitted). EU firms applying IFRS should factor these changes into accounting policy, data and model governance planning.
BCBS Principles and Global Standards (Basel III)
The Basel Committee on Banking Supervision (BCBS) provides foundational principles that guide global banking regulation, many of which are adopted by EU regulators to underpin sound risk management practices. The "Principles for the Sound Management of Operational Risk" and the "Principles for effective risk data aggregation and risk reporting" (BCBS 239) are key examples that influence EU rules and supervisory expectations. These principles help banks implement effective risk management and governance practices that align with international standards, promoting stability and resilience in the global financial system. EU regulators integrate them into their supervisory frameworks, ensuring that banks manage risks comprehensively.
Basel III in the EU is primarily implemented through CRR/CRD. The “Basel III final/endgame” elements (notably the output floor and market/operational risk reforms) are being introduced with transitional measures, and their precise timing has been influenced by staggered adoption across jurisdictions.
European Securities and Markets Authority (ESMA) Guidelines
The European Securities and Markets Authority (ESMA) issues guidelines for entities operating in the securities markets, addressing various aspects of risk management and internal controls. These guidelines matter for investment firms and asset managers, which must manage model risk and other operational risks within the governance and control expectations ESMA sets. ESMA's guidelines help maintain the integrity of financial markets by requiring rigorous standards in risk management, promoting transparency, and protecting investors. By adhering to them, firms contribute to the overall stability of, and trust in, the European securities markets.
The MiFID II / MiFIR "review" package entered into force in March 2024, with additional Level 2 measures and phased implementation timelines still developing through 2025 and beyond; it is relevant for investment firms and for banks' trading activities.
Pillar 2 Requirements
Under the Basel framework's Pillar 2 requirements, EU banks must thoroughly assess their model risk as part of the Internal Capital Adequacy Assessment Process (ICAAP). This self-assessment process is vital for understanding the potential risks associated with internal models and determining the necessary capital buffers to mitigate those risks. Supervisors also evaluate model risk during the SREP, and if the risks are deemed significant, banks may be required to hold additional capital. Pillar 2 ensures that banks have a comprehensive approach to risk management, with a focus on maintaining sufficient capital to support their overall risk profile.
Governance and Risk Management Frameworks
EU financial institutions are required to establish robust governance and risk management frameworks that cover all aspects of model risk management (MRM). These frameworks must include specific policies and procedures for model development, implementation, validation, and ongoing monitoring, ensuring that models are managed effectively throughout their lifecycle. By adhering to these requirements, banks can better manage the risks associated with their models, align with international standards, and ensure the stability of the financial system. Comprehensive governance frameworks help institutions address potential risks proactively, supporting long-term financial resilience.
Operational resilience and technology risk expectations
Cross-sector operational and digital risk rules have become increasingly central to Europe's banking compliance landscape. In particular, the EU's Digital Operational Resilience Act (DORA) has applied since 17 January 2025, strengthening requirements for ICT risk management, ICT-related incident reporting, digital operational resilience testing (including threat-led penetration testing for certain entities), and the oversight of critical ICT third-party providers to financial entities. DORA reinforces expectations around governance, controls, and operational preparedness for technology-driven risks, including those arising from complex and outsourced IT environments.
Alongside DORA, the EU Artificial Intelligence Act (EU AI Act) introduces a risk-based regulatory framework for the development and use of AI systems, with specific obligations for high-risk AI applications. Although the AI Act applies across sectors, banks fall within its high-risk provisions where AI systems are used to evaluate the creditworthiness of natural persons or establish their credit score (Annex III explicitly excludes AI systems used for detecting financial fraud from this category), and more generally where AI-driven decisions can affect individuals' rights or financial outcomes. Other financial institutions, such as insurers, may also be subject to high-risk AI obligations where AI systems are intended to be used for risk assessment or pricing in relation to natural persons, notably in life and health insurance, as set out in Annex III. The regulation introduces requirements around risk management, data governance, documentation, transparency, human oversight, and post-market monitoring, which complement existing prudential and operational resilience expectations.
Financial crime rules have also evolved. In 2024, the EU adopted a new AML/CFT "single rulebook" package, including the creation of AMLA, a new EU Anti-Money Laundering Authority, and a directly applicable AML Regulation whose obligations largely apply from 10 July 2027. In parallel, the recast Transfer of Funds Regulation, applicable since 30 December 2024, extends "travel rule" information requirements to transfers of crypto-assets, expanding expectations around traceability, controls, and governance across traditional and digital financial activities.
About the Author(s)

Sébastien Viguié is the co-founder of Yields, the first FinTech platform leveraging AI for enterprise-scale model testing and validation. A strong advocate of model risk governance and strategy, he focuses on helping financial institutions embed trust, transparency, and compliance into their AI and model lifecycle. Previously CISO at Yields, Sébastien gained hands-on experience reconciling cybersecurity principles with model risk management and AI governance, a perspective he now extends to emerging regulatory frameworks such as ISO, NIST, and the EU AI Act. Before founding Yields, he worked as a front-office quantitative analyst at BNP Paribas, where he developed a deep understanding of model development and validation in fast-paced trading environments, expertise that continues to inform his pragmatic approach to responsible AI and risk management today.

