to the point: financial regulation

The European Banking Authority (EBA) has published a Follow-up Report to its 2022 Peer Review Report on ICT risk assessment under the Supervisory Review and Evaluation Process (SREP), concluding that national competent authorities have significantly strengthened their supervisory practices, largely due to the application of the Digital Operational Resilience Act (DORA) since January 2025 and the forthcoming integration of the dedicated ICT SREP Guidelines into the revised general SREP framework. For obliged entities, particularly credit institutions and other supervised financial institutions subject to the SREP, this development signals a more structured, consistent and technically robust assessment of ICT risk by supervisors across the EU, with greater use of harmonised ICT risk sub-categories, horizontal analyses and supervisory tools. In practical terms, institutions should expect ICT risk, including operational resilience, cyber risk management, governance and incident handling, to be scrutinised more systematically and comparatively, with less room for divergent national supervisory approaches. The report encourages competent authorities to fully embed ICT risk methodologies into supervisory processes, which implies that supervised entities must ensure their internal ICT risk frameworks, documentation, controls and reporting are aligned with DORA requirements and capable of withstanding deeper and more convergent supervisory review.

The European Securities and Markets Authority (ESMA) has withdrawn its previous Guidelines on the MiFID II/ MiFIR obligations on market data with immediate effect in order to streamline and simplify the regulatory framework. Supervisory expectations are now aligned exclusively with the directly applicable regulatory technical standards on making market data available on a reasonable commercial basis, which have been in force since 23 November 2025. For obliged entities, particularly trading venues, approved publication arrangements, consolidated tape providers and other authorised market data providers, this means that compliance is now assessed solely against the binding requirements set out in the Regulatory Technical Standards (RTS) on reasonable commercial basis, rather than against both the RTS and the earlier ESMA guidelines, thereby reducing interpretative overlap and potential duplication. Market data providers authorised before 23 November 2025 benefit from a transition period until 22 August 2026, but this period is strictly limited to adjusting and renegotiating existing contractual arrangements to ensure alignment with the new RTS requirements; it does not postpone substantive compliance. In practical terms, obliged entities must review their pricing structures, data policies and contractual documentation to ensure that market data is offered on terms that meet the reasonable commercial basis standard as defined in the RTS, while recognising that supervisory authorities will now rely on this harmonised technical standard as the sole benchmark for enforcement and oversight.

ESMA has issued a statement to support the smooth implementation of the Listing Act by clarifying how the revised prospectus framework should be applied in practice, with direct implications for issuers, their advisors and national competent authorities. In particular, ESMA confirms that any registration documents and universal registration documents approved or filed until 4 June 2026 fall under the transitional regime in Article 48a of the Regulation (EU) 2024/2809 and may continue to be used in prospectuses for the remainder of their validity period, which provides legal certainty and avoids the need for immediate re-approval or redrafting under the new regime. Obliged entities, such as issuers preparing prospectuses, can therefore rely on existing approved documentation during the transition, reducing administrative burden and costs while still complying with EU disclosure standards. ESMA also clarifies what information should be included in EU Follow-on prospectuses and EU Growth issuance prospectuses until the amendments to Commission Delegated Regulation (EU) 2019/980 introduced by the forthcoming Delegated Act begin to apply, giving issuers and advisors clear expectations on disclosure content during the interim period. National competent authorities are expected to follow ESMA's approach, which means market participants can reasonably rely on this guidance when structuring prospectus documentation, thereby enhancing consistency across Member States while maintaining investor protection and regulatory compliance.

The EBA has published its Final Report on Guidelines on Retail Diversification, establishing a harmonised and proportionate framework for assessing retail portfolio diversification under the Standardised Approach for credit risk in the CRR. The Guidelines directly affect credit institutions seeking to apply the preferential 75 % risk weight to retail exposures. For obliged institutions, the key implication is that they must now demonstrate that their eligible retail portfolios are sufficiently granular as a condition for applying the 75 % risk weight, with a baseline expectation that no single exposure to a counterparty or group of connected clients exceeds 0.2 % of the total eligible retail portfolio. However, recognising proportionality concerns, particularly for smaller institutions, the Guidelines introduce a more flexible rule allowing institutions to continue applying the preferential risk weight even if individual exposures exceed the 0.2 % threshold, provided that no more than 10 % of the total eligible retail portfolio breaches that limit, thereby easing the quantitative constraint compared to earlier proposals. By choosing a one-step diversification assessment instead of the more complex iterative method initially consulted on, the EBA reduces the operational burden and simplifies implementation, meaning institutions can apply a clearer and less resource-intensive calculation when evidencing compliance. The Guidelines also clarify how securitised retail exposures must be treated, distinguishing between institutions acting as originators and those acting as investors, and introduce a limited and temporary derogation for investor institutions where obligor-level data is unavailable under transparency templates, allowing the diversification requirement to be deemed satisfied in such cases. In practical terms, obliged institutions must review their retail portfolio composition, concentration metrics, internal monitoring systems and regulatory reporting to ensure they meet the updated diversification tests if they wish to benefit from the 75 % risk weight, while smaller and medium-sized institutions gain additional flexibility that mitigates capital impact without removing the prudential expectation of adequate risk dispersion.

The EBA has issued an Opinion to national competent authorities under PSD2 setting out how they should act once the nine-month transition period established by its No-Action Letter of 2 June 2025 expires on 2 March 2026, directly affecting crypto-asset service providers (CASPs) that transact electronic money tokens qualifying as payment services. During the transition, CASPs were allowed to continue providing such EMT-related payment services while applying for authorisation under PSD2, with national authorities encouraged to treat only a subset of EMT activities as payment services and to use a streamlined authorisation process leveraging information already submitted under MiCA, thereby reducing duplication and administrative burden. With the transition period ending, the EBA now advises that, after 2 March 2026, CASPs may continue providing EMT services qualifying as payment services without yet holding a PSD2 licence only if they meet the specific conditions set out in the Opinion; otherwise, national authorities are advised to require them to discontinue those services. For obliged entities, this means that CASPs engaging in EMT payment activities must either have secured PSD2 authorisation or be demonstrably compliant with the conditions permitting continued activity pending approval, or they risk being required to cease those services. National competent authorities are also instructed to prioritise authorisation efforts and, where necessary, coordinate with authorities responsible under MiCA and other enforcement bodies to ensure compliance. In practical terms, the new guidance signals the end of regulatory forbearance and requires CASPs to ensure full alignment with PSD2 licensing requirements in addition to MiCA authorisation, reinforcing the expectation of dual compliance where EMTs function as payment services and increasing the regulatory consequences for operating without the appropriate authorisation after the transition period.

The European Insurance and Occupational Pensions Authority (EIOPA) has published the first batch of guidelines and draft regulatory technical standards to implement the Insurance Recovery and Resolution Directive (IRRD), which will become operational in 2027 and establishes a recovery and resolution framework for insurers and reinsurers. Namely: (i) RTS on the content of pre-emptive recovery plans; (ii) RTS on criteria for pre-emptive recovery planning requirements and methods to be used when determining the market shares; (iii) RTS on the content of resolution plans and group resolution plans; (iv) Guidelines on the criteria for the identification of critical functions; (v) Guidelines on the assessment of resolvability; and (vi) Guidelines on measures to remove impediments to resolvability and the circumstances in which each measure may be applied. Obliged entities must therefore prepare robust pre-emptive recovery and resolution plans, ensure critical functions are identified, and be able to demonstrate resolvability, with a focus on maintaining continuity for policyholders and financial stability. The draft RTS on recovery plans defines minimum content, including indicators, remedial actions and communication strategies, while easing the burden through simplified assessments and cross-referencing existing documents. Guidelines on critical functions, resolvability and removal of impediments provide a framework for supervisors to assess and, if necessary, act on resolution strategies, allowing some flexibility to reflect national or business-specific features. Overall, insurers and reinsurers must strengthen governance, risk management and documentation to meet supervisory expectations, while EIOPA has limited the additional burden by aligning the requirements with existing reporting and streamlining them.

EIOPA has updated its Guidelines on the supervisory review process and Guidelines on the treatment of market and counterparty risk exposures under the standard formula to reflect the Solvency II review, with the aim of clarifying, streamlining and modernising the framework while limiting changes to what is strictly necessary. For insurance and reinsurance companies subject to Solvency II, the revisions to the supervisory review process primarily mean that national supervisory authorities will apply a more up-to-date, structured and risk-sensitive approach, incorporating new elements such as business model analysis, joint on-site inspections, early intervention measures, pre-emptive recovery planning and enhanced supervision of conduct of business. Supervisors are now also explicitly expected to integrate sustainability risks, IT and cyber risks, and the use of supervisory technology into their review processes. In practice, this raises expectations for insurers to demonstrate that these emerging risks are properly embedded in governance, risk management, internal controls and strategic planning. Although the Guidelines are formally addressed to supervisory authorities, they indirectly increase the standards insurers must meet, as supervisory engagement is likely to become more consistent, forward-looking and intrusive across Member States. Regarding the treatment of market and counterparty risk exposures in the standard formula, the changes clarify legal references, streamline provisions, delete four existing guidelines, broaden the scope of certain others and introduce a new guideline on the treatment of leveraged funds, meaning that insurers must reassess how such exposures are calculated and reflected in their solvency capital requirement where relevant.

The Czech National Bank (CNB) has announced the publication of ESMA's Q&A (here), which clarifies how EU remuneration rules apply to tied agents and confirms that the balance requirement in Article 27(4) of Commission Delegated Regulation (EU) 2017/565 also covers them. In practical terms, this means that obliged entities such as investment firms and intermediaries, as well as the natural persons acting as their tied agents, must structure remuneration so that there is an appropriate balance between fixed and variable components and so that the overall pay structure does not incentivise behaviour that favours the firm or its relevant persons over clients' interests. Although recital 41 allows a degree of flexibility reflecting the specific position of tied agents and national particularities, and therefore permits a relatively higher share of variable remuneration compared to other staff, this flexibility is conditional on the fixed component remaining sufficiently robust, in line with national law, to prevent conflicts of interest. Importantly, ESMA makes clear that these requirements apply not only under the full MiFID II regime but also in the exemption regime under Article 3 of MiFID II, which in the Czech context extends the same standards to investment intermediaries and their tied agents.

On 1 February 2026, the obligation to issue structured invoices in the National e-Invoice System (KSeF) came into force. This represents one of the most significant changes in the area of VAT transaction documentation, introducing centralised invoice registration, where sales documents are sent to a central database at the Ministry of Finance. Electronic invoicing is currently mandatory for businesses with a sales value (including tax) exceeding PLN 200m in 2024 and will become mandatory for other businesses from 1 April 2026.

The President has signed an amendment to the Act on the National Cybersecurity System (KSC), which implements the EU's NIS2 Directive. The Act significantly tightens cybersecurity requirements, imposes stricter liability on management and introduces rigorous incident reporting obligations. The authorities responsible for cybersecurity in specific sectors (e.g. the Polish Financial Supervision Authority (KNF) for the banking sector) will be able to issue warnings, appoint an official to monitor the performance of duties by a given key entity, or order an information system security assessment or security audit. Banks are considered key entities for the functioning of the state, subjecting them to the highest level of supervision. The new provisions will enter into force one month after their publication in the Journal of Laws.

provider	schoenherr
name	sch-ckmdl, sch-nwsltr
runtime	1 year

provider	Matomo
name	_pk_id,_pk_ses

to the point: financial regulation | 2/2026