On 25 February 2026, ESMA and the EBA published a joint consultation paper proposing targeted updates to their Guidelines on assessing the suitability of management body members and key function holders (KFHs) across banks, investment firms and third‑country branches. The revisions align the Guidelines with Capital Requirements Directive 6 (CRD 6) changes, reinforce expectations on anti-money laundering (AML) and counter terrorist financing (CFT), ESG and digital risks (including AI), and clarify how supervisors and firms should handle ex‑ante applications and "enhanced dialogue" where concerns arise. The consultation closes on 25 May 2026, with the finalised Guidelines expected to apply six months after publication of translations.
We cover this update in our CRD6 Manager product. See more details of that here: CRD6 Manager | Simmons & Simmons
The essentials at a glance
Scope. The draft Guidelines apply to institutions under CRD, Markets in Financial Instruments Directive (MiFID) investment firms (with proportional carve‑outs for small and non‑interconnected firms), and third‑country branches (TCBs). They also set out supervisory procedures for competent authorities, with fuller obligations for "large entities".
Continuity with targeted change. The framework retains its core structure (individual and collective suitability; time commitment; independence of mind; diversity; induction/training; ongoing monitoring) but is updated to reflect CRD 6 (including Articles 91, 91a and the new TCB regime) and recent EU files such as the Digital Operational Resilience Act (DORA) and the Artificial Intelligence Act (AI Act).
Process clarity. The paper formalises ex‑ante applications in Member States operating ex post regimes, introduces an "enhanced dialogue" process where concerns exist, and encourages consistent, risk‑based re‑assessments when material events occur (including ML/TF indicators).
What has changed - the key proposals
1) Alignment with CRD VI and MiFID II linkages
The Guidelines are re‑cast to reflect CRD 6's split between Article 91 (management body) and Article 91a (KFHs). To preserve continuity where MiFID II has not yet been updated to reference Article 91a, ESMA/EBA propose to maintain coverage of KFH assessments for non‑CRD investment firms as an element of robust governance, with proportionality for small/non‑interconnected firms.
2) Third‑country branches brought firmly within scope
The paper confirms that TCBs must assess the suitability of persons effectively directing the branch and their heads of internal control functions. Where Member States do not apply full CRD‑equivalent requirements to TCBs, the draft still expects robust governance consistent with Article 74 CRD, using the same core criteria (good repute; honesty and integrity; sufficient knowledge/skills/experience; time commitment).
3) Ex‑ante applications and "enhanced dialogue"
In Member States where supervisor assessments are conducted ex post, "large entities" must submit an ex‑ante application for:
Members of the management body in its management function; and
The chair of the management body in its supervisory function.
If the authority has concerns, it will engage in an enhanced dialogue with the firm to ensure the candidate is or becomes suitable when taking up the role. The paper suggests a four‑month period for assessment, extendable by two months in justified cases, remaining within the CRD VI six‑month maximum under authorisation scenarios.
4) Stronger expectations on AML/CFT risk indicators
Competent authorities must consider whether there are reasonable grounds to suspect ML/TF is being or has been committed, or there is increased risk, "in connection with the entity", and integrate that into suitability outcomes. Authorities may consult the AML/CFT supervisor and share relevant findings. Entities are expected to trigger re‑assessments where ML/TF‑relevant events arise.
5) ICT, DORA and AI competence embedded
Collective competence now explicitly spans ICT, cyber and operational resilience (DORA) and governance/oversight of AI systems (AI Act). Induction and ongoing training should ensure boards understand the technology landscape and associated prudential and conduct risks, with adequate human and financial resources dedicated to training.
6) ESG knowledge and diversity reinforced
The Guidelines weave ESG risk knowledge into both collective competence and training. Diversity expectations are reiterated to mitigate groupthink; firms should maintain policies and targets that promote gender balance and wider diversity dimensions, supported by succession planning that sustains continuity and breadth of skills.
7) Proportionality preserved, with clearer minima
The principle of proportionality is maintained and operationalised throughout. For independence, the baseline of at least one independent non‑executive for institutions other than significant ones is restated, with consultation questions inviting stakeholder input on how the independence criteria work in practice across different business models.
8) Group‑wide application and documentation
EU parent undertakings must ensure consistent, well‑integrated suitability frameworks across groups, including subsidiaries outside the CRD perimeter and in third countries, to the extent permitted by local law. Firms should document both individual and collective assessments, identify gaps, and set corrective actions; outcomes for new appointments should be shared with supervisors using harmonised RTS information sets.
9) Interfaces with resolution
The paper clarifies expectations for suitability in resolution and early intervention. Where appointments occur under the BRRD, authorities should assess suitability post‑appointment without undue delay (targeting about one month), while "special managers" appointed by resolution authorities solely to implement resolution actions are outside prudential suitability scope.
Practical implications for firms
Board composition and skills matrices. Expect closer supervisory scrutiny of collective competence in ICT/AI, DORA and ESG. Update matrices and Annex I "collective competence" templates accordingly; link gaps to targeted training plans and succession planning.
Induction and training budgets. Ensure training programmes and budgets explicitly cover DORA, AI governance and ESG transmission channels, with completion timelines for new appointees (key information within one month; induction within six months).
Enhanced dialogue readiness. In jurisdictions with ex post regimes, implement internal playbooks, document repositories and timelines for ex‑ante applications and potential enhanced dialogue, including remediation options (mentoring, redistribution of responsibilities, conditions).
Standardise documentation and governance group‑wide. Apply consistent assessment, record‑keeping and reporting across groups (including third‑country branches), aligned to RTS information sets and recognising local‑law constraints.
AML/CFT triggers. Embed ML/TF "event triggers" into ongoing monitoring and re‑assessment procedures; pre‑agree evidence packages demonstrating honesty, integrity and remediation where concerns arise.
Next steps
Stakeholders should consider responding by 25 May 2026 with evidence‑based views on operational feasibility, proportional calibration, and any unintended overlaps with other EU files (e.g. DORA implementation and AI governance frameworks). In the meantime, firms should run a high‑level gap analysis, refresh competence matrices and training, ready materials for ex‑ante applications/enhanced dialogue, strengthen AML/CFT triggers, and align group/TCB documentation.
If adopted largely as proposed, the revised Guidelines will not overhaul firms' governance frameworks, but they will raise the bar on process discipline and demonstrable competence in technology, operational resilience and ESG.
EBA Consultation on Draft Regulatory Technical Standards (RTS) for Suitability Assessments
In addition to the joint ESMA/EBA guidelines on suitability, the EBA has also published a consultation paper on draft regulatory technical standards (RTS) that specify the minimum content of documentation to be submitted to competent authorities when conducting suitability assessments. This consultation, issued pursuant to Article 91(10) of the CRD, sets out detailed requirements for the suitability questionnaire, curriculum vitae, and internal suitability assessment for large entities as defined under Article 91(1d) of the CRD.
The draft RTS establish a harmonised framework for the information that large entities must submit to competent authorities, covering assessments of members of the management body, heads of internal control functions, and the chief financial officer. The principal requirements include:
Internal Suitability Assessments:
For management body members, assessments must cover knowledge, skills and experience; reputation, honesty and integrity; independence of mind; time commitment; collective suitability; and the entity's conclusion.
For heads of internal controls and the CFO, requirements are narrower. Where non-material weaknesses are identified, any mitigating measures must be documented, including training plans with a maximum six-month timeline.
Suitability Questionnaire and CV:
The questionnaire must include the individual's identity, previous suitability assessments, role details, professional experience in banking and finance over the last ten years, relationships with other management body members or key function holders, and financial obligations towards the entity.
Both the individual and entity must provide signed statements confirming accuracy and committing to notify the competent authority of any material change.
If all required information is included in the questionnaire, a separate CV is not required.
Implications for Firms
The draft RTS are designed to foster supervisory convergence and ensure a level playing field across Member States by harmonising the information that large entities must submit for suitability assessments. The EBA has adopted a "flexible maximum harmonisation" approach, drawing substantially from existing ECB-SSM practices. As a result, significant institutions already subject to supervision by the ECB under the Single Supervisory Mechanism (SSM-ECB supervision) may find that the new requirements do not represent a material departure from current expectations, and the EBA anticipates implementation costs will be negligible. However, other firms may need to update their existing templates and processes to meet the minimum content requirements. All entities should note the ongoing obligation to ensure information remains accurate and to notify competent authorities of any material changes.
Next Steps
The EBA is inviting comments on the draft RTS by 26 May 2026. Firms within scope should consider responding, particularly if they identify any ambiguities or practical challenges. We will continue to monitor developments and provide further updates as the regulatory position evolves.
Linkages with local Spanish law
The ESMA/EBA consultation on suitability largely confirms the existing Spanish framework for credit institutions, where the separation between management and supervisory functions within the board and ex‑ante fit and proper assessments for key roles are already embedded in banking law and supervisory practice. For investment firms, however, the consultation is more consequential: while Spanish securities regulation already requires suitability assessments, it has traditionally treated the board as a more unitary body. The consultation therefore pushes towards a more "bank‑like" approach, with clearer differentiation between management and supervisory functions and a greater focus on ex‑ante applications and enhanced supervisory dialogue for executive board members and the chair, particularly for larger firms.
More broadly, the consultation updates the suitability framework to reflect new supervisory priorities that were not previously addressed in the same depth, including the assessment of board members' collective knowledge and oversight of digital transformation, ICT and cyber risks under DORA, and the use of AI systems, as well as reinforced expectations around diversity (including gender diversity), independence of mind and time commitment. While many of these elements are already indirectly covered in Spanish law, the consultation signals a more explicit and structured supervisory focus on these areas going forward.
In parallel, the new EBA draft RTS on suitability documentation goes beyond the current Spanish practice, where the format and content of documentation still follow national templates without EU‑level standardisation.

