top of page

Upcoming Changes to the EBA Guidelines on Internal Governance

  • Antonis Hadjicostas
  • Aug 30
  • 3 min read
ree

Introduction


The European Banking Authority (“EBA”) has published revised draft guidelines on internal governance under Directive 2013/36/EU (“CRD”) (“Draft Guidelines”), reflecting regulatory and supervisory developments since the previous version of July 2021 (EBA/GL/2021/05).

The revisions are designed to further harmonize internal governance arrangements, processes, and mechanisms across EU financial institutions and third-country branches (“TCBs”), in line with amendments introduced by Directive (EU) 2024/1619 (“CRD VI”) and other recent legislative acts, including the Digital Operational Resilience Act (DORA).


Draft Guidelines will also reflect lessons learned from supervisory practices, the growing importance of ESG risks, the impact of digitalization, and the need for robust internal controls.


Finally, the Draft Guidelines will incorporate findings from the EBA’s benchmarking of diversity practices and gender-neutral remuneration policies.


Scope of Application / Addressees


The Draft Guidelines clarify and expand their scope:

  • Addressed to competent authorities, financial institutions (credit institutions & investment firms subject to CRD), and now also financial holding and mixed financial holding companies approved under Article 21a(1) CRD.

  • Explicit extension to third-country branches (TCBs), with governance provisions tailored to their risks and specificities.

  • Particularly relevant for significant CRR institutions under direct ECB supervision, aligning with the ECB’s Draft Guide on governance and risk culture (July 2024).


Strengthened Role and Composition of the Management Body


Role and Responsibilities


The management body retains ultimate responsibility (Article 88(1) CRD). The Draft Guidelines reinforce:

  • A clear distinction between executive (management) and non-executive (supervisory) functions.

  • Written documentation of responsibilities and duties, plus an updated mapping of duties available to supervisors.

  • Expanded scope of oversight to include:

    • ESG risks (short, medium, long term) and concentration risks.

    • ICT systems under DORA.

    • A corporate culture promoting diversity and inclusion.

    • Quantifiable targets for exposures to systemic central counterparties.


Board Committees


  • Risk, nomination, remuneration, and audit committees remain required for significant institutions.

  • Members of remuneration committees must have skills to assess ESG impacts and align remuneration with ESG risk appetite.

  • Risk committees must now also oversee fundamental rights, discrimination, and ICT risks.


Internal Governance of Third-Country Branches (TCBs)


New section introduced under Article 48g CRD:

  • At least two persons located in the EU must direct the branch, with sufficient presence, independence, and expertise.

  • Heads of risk, compliance, and audit in class 1 TCBs cannot be removed without supervisory function approval.

  • TCBs must not operate as “empty shells”; EU substance is required.

  • ICT and third-party risks must be managed in line with DORA.

  • Back-to-back booking cannot systematically shift risk outside the EU.

  • Remuneration policies must be gender neutral and ESG-consistent.


Third-Party Risk Management Policy


A renamed and expanded policy (formerly “outsourcing policy”):

  • Must be approved, reviewed, and updated by the management body.

  • Covers all ICT third-party arrangements under DORA (not only outsourcing).

  • Confirms that third-party contracts do not relieve institutions of legal/regulatory obligations.


Risk Culture and Corporate Values


  • Development of an institution-wide risk-aware culture.

  • Stronger emphasis on diversity, equality, and anti-discrimination.

  • New indicators: gender representation across levels, age distribution, ratio of full-time vs part-time roles by gender.

  • Clearer rules on conflicts of interest:

    • Ban on simultaneously being chair of supervisory body and CEO.

    • Restrictions on cross-group directorships.

    • Cooling-off safeguards when a CEO transitions into a non-executive role.


Internal Control Functions


Key reinforcements:

  • Independence of risk, compliance, and audit functions.

  • Heads of control functions must be senior, independent, and report directly to the supervisory body.

  • Combination of risk and compliance roles will no longer be permitted under one head.

  • Risk management function (RMF) must be led by an independent senior manager.

  • Compliance function now explicitly tasked with ensuring that all material management decisions account for legal risk.

  • Internal audit remains independent but may be combined with other functions if safeguards exist.


Business Continuity Management

  • Institutions must establish a continuity policy, as well as response and recovery plans.

  • Plans must be documented, tested, and updated; results reported to the management body.

  • Business continuity requirements must align with DORA for ICT risk.

  • Training and awareness programmes required to ensure resilience.


Conclusion & Next Steps

The Draft Guidelines represent a comprehensive upgrade of the EU governance framework, aligning institutions with evolving supervisory expectations.


📅 The consultation runs until 7 November 2025.

 
 

The material reflected in our website, including Blog material, is for informational purposes only and does not constitute legal advice, consulting, or any other professional advice. Please seek independent professional guidance for your specific needs.

All rights reserved. No part of this work may be reproduced, stored in a retrieval system of any nature, or transmitted, in any form or by any means including photocopying and recording, without the prior written permission of the ENAH Services Ltd. The reproduction or transmission of all or part of the work, whether by photocopying or storing in any medium by electronic means or otherwise without the written permission of the owner is strictly prohibited and the commission of any unauthorised act in relation to the work will result in civil and/or criminal actions. 

bottom of page