On 7 August 2025, the European Banking Authority ('EBA') published a consultation paper proposing amendments to its Guidelines on internal governance under Directive 2013/36/EU ('CRD') (the 'revised Guidelines'). The EBA's existing Guidelines on internal governance (EBA/GL/2021/05) provide a framework for sound governance practices. However, these revised Guidelines aim to address evolving regulatory requirements, including those introduced by Directive (EU) 2024/1619 ('CRD6'), and to reflect lessons learned from supervisory practices. The revisions focus on enhancing governance frameworks, risk management and compliance functions, while also incorporating considerations for environmental, social, and governance ('ESG') risks. The revised Guidelines also reflect internal governance requirements for third country branches ('TCBs').
The consultation is open for feedback until 7 November 2025, and the EBA encourages impacted credit institutions and investment firms (in this article, together, 'firms') to provide input on the proposed changes. Firms should assess the practical implications of the changes and consider submitting feedback to ensure the revised Guidelines are proportionate and workable.
It is not yet clear when the final Guidelines will apply.
Background
CRD6 imposes a new internal governance and suitability framework on management bodies, senior management and key function holders of credit institutions (including TCBs) that is more rigorous than currently exists under CRD. In some ways, it is akin to requirements under the UK Senior Managers and Certification Regime ('SM&CR') or the Irish Senior Executive Accountability Regime ('SEAR').
More Level 3 measures are still anticipated on other aspects of this regime such as the management body suitability applications that will need to be submitted to National Competent Authorities ('NCAs') for approval (see our CRD6 Manager tool for more details: CRD6 Manager | Simmons & Simmons). However, the amendments to these internal governance Guidelines address some of the new requirements, such as the individual statements of responsibility and management responsibilities map (see more detail below).
Impact on firms
The proposed amendments will require firms to review and update their internal governance frameworks to align with the revised Guidelines. Practical steps firms should take are:
- Enhanced governance frameworks: Firms will need to ensure robust organisational structures, clear lines of responsibility, and effective internal control mechanisms. Firms should conduct a gap analysis of their current governance arrangements against the proposed Guidelines. If the Chair and CEO of the management body are the same person, for example, firms will need to change this. For firms with a UK or Irish presence, there may be lessons learnt from SM&CR or SEAR implementation that can be applied here. Any domestic laws or rules on the roles that Board members can take on, for example, will need to be considered, together with their interaction with the new CRD6 requirements (see Conflicts of interest below).
- ESG risk integration: Firms must incorporate ESG risks into their risk management frameworks, with a long-term horizon of at least 10 years. This is a new requirement and will involve some subject matter expertise in order to integrate consideration of these risks into internal governance.
- Individual statements of roles and duties: Firms will need to document and maintain individual statements for members of the management body, senior management, and key function holders. This is a new requirement, so it may require significant administrative effort. For firms with a UK or Irish presence, there may be lessons learnt from SM&CR or SEAR implementation that can be applied here.
- Mapping of duties: Firms must create a comprehensive mapping of responsibilities, reporting lines, and governance arrangements. This is a new requirement, so it may require significant administrative effort. For firms with a UK or Irish presence, there may be lessons learnt from SM&CR or SEAR implementation that can be applied here.
- Third-country branches (TCBs): Specific governance requirements will apply to TCBs, including the need for robust local governance frameworks. TCBs should assess their compliance with the new governance requirements and consider establishing local management committees where necessary.
- Diversity and inclusion: The revised Guidelines reflect the results of the EBA benchmarking report on diversity practices and gender-neutral remuneration policies. Firms will need to review their practices in light of this, particularly within the management body.
- Proportionality: The guidelines emphasise proportionality, allowing smaller and less complex institutions and Class 2 TCBs to adopt simpler governance arrangements. Larger firms will face more stringent requirements, including the establishment of dedicated committees (e.g., risk, nomination, and remuneration committees).
While these changes aim to harmonise governance practices across the EU, they may impose additional compliance and administrative burdens on firms, particularly smaller institutions and TCBs.
Please reach out to us if you would like to discuss this in more detail.
Objective of the Guidelines
The internal governance Guidelines were put in place to ensure that internal control frameworks are organised and implemented appropriately, focussing on the management and oversight of risks, including third party risk, AML risk, ICT risks and ESG risks. These Guidelines apply to credit institution management bodies and senior management and impact all internal control functions.
Summary of proposed amendments in the revised Guidelines
- Third country branches (TCBs): The revised Guidelines have been expanded to cover not just credit institutions but also TCBs. The two or more persons who are located in the relevant Member State and effectively direct the business of a TCB should have the same duties and responsibilities as the members of the head office management body in its management function. Persons effectively directing the business of a TCB must be able to commit sufficient time to fulfil their role and consider any conflicts of interest arising from holding another role at head office level, where relevant. These persons will also need to meet the knowledge and skills requirements set out in the Joint EBA and ESMA Guidelines on the assessment of the suitability of members of the management body and key function holders, and be remunerated in accordance with the EBA Guidelines on sound remuneration policies. In the spirit of proportionality, Class 1 TCBs (but not Class 2 TCBs) may need to establish local management committees and ensure compliance with EU governance standards. Heads of the internal risk management, compliance and audit functions of TCBs should not be removed from their posts without prior approval of the head office management body. TCBs should ensure, at a minimum, that transactions with an EU nexus are neither systematically nor substantially back-to-backed, and are risk-managed from the EU.
- Risks: References to 'risks' in the Guidelines have been expanded to include, amongst others, risks of AI services, ESG risks (in the short term and over a long term horizon of at least 10 years), ICT systems risk (including business continuity planning in accordance with DORA) and concentration risk.
- Management body responsibilities: The revised Guidelines provide enhanced clarity on the roles and responsibilities of the management body, including supervisory and management functions. There is a new requirement for each member of the management body to have an individual statement setting out their roles and duties and a mapping of those duties (see below). A member of the management body may be responsible for an internal control function, as long as that function remains independent and conflicts of interest are avoided. The compliance function should be headed by an independent senior manager.
- Individual statements of roles and duties: Each member of the management body, senior management and key function holders ('KFH') should have a documented statement of roles and duties which clearly sets out their role in respect of that institution. These should be reviewed on a regular basis and remain consistent with the mapping of duties (see below). This does not exempt members of the management body from their general duty to have an appropriate understanding of, and contribution to, other areas of the business. These individual statements will have to be submitted to the relevant NCA in order for that NCA to conduct a suitability assessment of that individual. Firms should take appropriate measures to ensure that individuals fulfil their duties. An optional template for individual statements of roles and duties is included at Annex II of the revised Guidelines.
There are equivalent requirements for individual statements of responsibility under both the UK SM&CR regime (for all Senior Managers) and the Irish SEAR regime (for individuals holding Pre-Approved Control Functions).
- Mapping of duties: Firms will be required to draw up in a single set of documents a comprehensive mapping of duties including reporting lines, lines of responsibility and the people who are part of the governance arrangements and their duties. It should include and accord with the individual statements of roles and duties (see above). The mapping should include, inter alia, a description of the key aspects of the institution's activities, a rationale for any roles that are shared and details of who is responsible for any outsourced functions (if any). This should be done at both entity and group level. The idea is this will help firms identify gaps in the governance framework.
There are equivalent requirements for a responsibilities map under both the UK SM&CR regime and the Irish SEAR regime.
- Sufficient substance: The revised Guidelines include a new requirement for institutions, TCBs and subsidiaries of third-country undertakings to maintain "sufficient substance" to satisfy the conditions of their authorisation, to avoid becoming "empty shells" or "letterbox entities".
- Diversity and inclusion: The notion of 'corporate culture and values' has been expanded to cover diversity and inclusion. Institutions should aim to establish a culture of equality, diversity and inclusion and prevent discrimination and harassment. Institutions should monitor this by looking at, inter alia, the representation of genders at different management levels, the ratio of temporary and permanent contracts by gender and staff turnover by gender.
- Conflicts of interest: The revised Guidelines state that the Chair and the CEO of the management body cannot be the same person. There are equivalent requirements under both the UK SM&CR regime (although firms can request a waiver/modification) and the Irish SEAR regime. The Chair of the management body of a parent entity should not be the CEO of its subsidiary (the parent entity should be supervising the subsidiary, and this would be a conflict of interest). The ex-CEO of a subsidiary can become a member of the management body of the parent entity either after a cooling-off period of at least 3 years or where certain measures are in place to mitigate conflicts of interest, including the ex-CEO not chairing the management body where the item being discussed could lead to a significant professional conflict of interest, and potentially abstaining from voting on such items.