European banking compliance in 2026 is shaped by the convergence of three generational regulatory reforms: the completion of the Basel III/IV implementation cycle (CRR3/CRD6), the new operational resilience regime under DORA, and the harmonised AML framework under the EU AML Package. Each of these alone would represent a significant compliance project. Together, they require banking compliance teams to manage parallel implementation workstreams while maintaining BAU regulatory obligations — including the EBA's ongoing supervisory convergence agenda, stress testing, and Pillar 2 assessments.
This guide covers the specific regulatory developments that banking compliance officers must address in 2026, with implementation details rather than high-level summaries.
Basel IV / CRR3: The Core Capital Reform
The Capital Requirements Regulation III (CRR3, Regulation 2024/1623) and Capital Requirements Directive VI (CRD6, Directive 2024/1619) implement the final Basel III reforms in the EU. These are commonly referred to as "Basel IV" given the extent of changes from the original Basel III framework. The application date is 1 January 2025, with transitional provisions phasing in the full requirements through 2030 for some elements.
Standardised Approaches Overhaul
The most operationally significant CRR3 change for many banks is the overhaul of the standardised approaches for credit risk. The revised standardised approach (SA) provides more risk-sensitive treatment for several exposure classes:
- Retail exposures: The new SA introduces a more granular treatment of retail exposures, distinguishing between transactors (who pay off balances monthly), revolvers, and other retail. Transactor treatment is more favourable (45% risk weight), recognising lower default risk.
- Real estate exposures: Significant changes to residential and commercial real estate risk weights. The loan-to-value (LTV) ratio becomes the primary driver of risk weighting, replacing the blanket 35% residential mortgage risk weight. Banks must implement LTV-based bucketing for their mortgage portfolios.
- Unrated corporate exposures: The revised SA introduces investment-grade (IG) corporate treatment (65% risk weight) for unrated corporates meeting specific criteria, replacing the blanket 100% weight.
- Specialised lending: Object finance, project finance, and commodities finance receive specific risk weight treatment under the revised SA, replacing the generic corporate or slotting approaches for banks not using internal models.
Internal Model Reforms: The Output Floor
The most controversial element of Basel IV is the output floor: a requirement that risk-weighted assets (RWAs) calculated using internal models (IRB for credit risk, IMA for market risk) cannot fall below 72.5% of the RWAs calculated under the standardised approaches. This is being phased in over five years:
| Year | Output Floor Level |
|---|---|
| 2025 | 50% |
| 2026 | 55% |
| 2027 | 60% |
| 2028 | 65% |
| 2029 | 70% |
| 2030 | 72.5% (fully phased in) |
For banks with highly optimised IRB models — particularly those with low mortgage default rates driving favourable capital treatment — the output floor represents the most significant capital impact of CRR3. The EBA's quantitative impact study (QIS) estimated that EU banks would face an average RWA increase of approximately 9% upon full implementation, with significant variation by business model and jurisdiction. Banks with large residential mortgage portfolios in low-default jurisdictions face the highest impact.
Credit Valuation Adjustment (CVA) Reform
CRR3 implements the Basel Committee's revised CVA framework. The revised approaches (basic, standardised, and advanced) replace the current CRR's CVA charge. Key changes:
- The revised standardised approach (SA-CVA) is more risk-sensitive and requires more sophisticated data inputs than the current standardised method.
- The basic approach (BA-CVA) replaces the current simplified BCVA calculation and is available to banks that do not meet the criteria for SA-CVA.
- The full advanced approach (using internal models for both CVA risk and market risk) is preserved but narrowed in scope.
Operational Risk: New Standardised Approach
CRR3 replaces the three existing operational risk approaches (basic indicator, standardised, and advanced measurement approaches) with a single standardised approach based on the Business Indicator Component (BIC). The BIC is calculated from three P&L-derived indicators weighted by size bucket. Internal loss data is no longer used in the regulatory capital calculation, though banks should maintain loss data for internal risk management purposes. Operational risk capital requirements are expected to increase for many banks, particularly those with high fee income and strong trading revenues.
DORA: Operational Resilience for Banks
The Digital Operational Resilience Act (DORA, Regulation 2022/2554) has been fully applicable since 17 January 2025. For banks, DORA creates a comprehensive framework for managing ICT risk — replacing the patchwork of EBA ICT guidelines and national supervisory expectations with a harmonised, directly applicable EU regulation.
ICT Risk Management Framework
DORA Article 6 requires financial entities to maintain a comprehensive ICT risk management framework as an integral part of their overall risk management system. The framework must include:
- ICT risk identification: Maintain and regularly update an inventory of all ICT assets (hardware, software, data) and their interconnections. Map dependencies between ICT assets and business functions.
- Protection and prevention: Information security management covering access controls, encryption, authentication, and physical security for ICT assets. Patch management and vulnerability handling procedures.
- Detection: Mechanisms to detect anomalies in ICT systems and networks. Real-time or near-real-time monitoring of ICT infrastructure.
- Response and recovery: ICT business continuity policy and disaster recovery plans tested at least annually. Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) defined and tested.
- Learning and evolving: Post-incident reviews following significant ICT disruptions, incorporating lessons learned into the framework.
ICT-Related Incident Reporting
DORA Article 19 establishes a harmonised incident classification and reporting regime that replaces varying national reporting obligations. Banks must classify ICT-related incidents using the criteria in the EBA/ESMA/EIOPA Joint RTS on incident classification (published 2024). Major incidents must be reported:
- Initial notification: Within 4 hours of classifying an incident as major (or within 24 hours of becoming aware, whichever is earlier).
- Intermediate report: Within 72 hours of the initial notification.
- Final report: Within one month of incident resolution.
The classification criteria assess incidents against thresholds for: number of clients affected, geographic spread, duration, data losses, criticality of services affected, economic impact, and reputational impact. Banks must implement processes to evaluate every ICT disruption against these criteria and escalate those meeting the thresholds within the four-hour window.
Digital Operational Resilience Testing
DORA requires all in-scope entities to conduct digital operational resilience testing. The minimum requirement is threat-led penetration testing (TLPT) for significant entities — defined by size, systemic importance, and the nature of ICT-dependent services — at least every three years. The TIBER-EU framework (Threat Intelligence-Based Ethical Red-teaming) is the EU's implementation methodology for TLPT. Banks designated as significant by their supervisor must coordinate TLPT with the relevant competent authority.
Third-Party ICT Risk: Critical ICT Providers
DORA Articles 28-44 establish a framework for managing ICT third-party risk that goes substantially beyond the EBA's previous outsourcing guidelines. Key provisions:
- Contractual requirements: Contracts with ICT third-party service providers must include specific provisions on service levels, audit rights, data location, sub-outsourcing, incident notification, and exit strategies. The EBA has published standard contractual clauses to assist compliance.
- Designation of critical ICT providers: The ESAs jointly designate critical ICT third-party service providers (CTPPs) based on systemic importance. CTPPs are subject to direct oversight by a lead overseer (EBA, ESMA, or EIOPA). Banks using CTPPs must maintain information about their reliance on critical providers and consider the associated concentration risk.
- ICT concentration risk: Banks must identify and manage concentration risk arising from reliance on a small number of ICT providers — including major cloud providers (AWS, Azure, GCP). Supervisors are paying close attention to cloud concentration risk in banking.
EBA 2025 Stress Test and Pillar 2
The EBA's 2025 EU-wide stress test — covering approximately 50 banks across the EU and EEA — is running through Q2 2026, with results expected in August 2026. The 2025 exercise introduces several methodological changes from the 2023 exercise:
- CRR3 interaction: For the first time, the stress test incorporates the CRR3 standardised approaches for capital requirement calculations, reflecting the new regulatory framework. Banks must apply the revised SA risk weights and the output floor in their stress test projections.
- Climate risk integration: The 2025 exercise includes a climate risk sensitivity analysis component, building on the 2022 and 2023 ECB climate stress tests. Physical risk and transition risk scenarios are included.
- Net interest income (NII) methodology: Given the interest rate environment of 2022-2024, the EBA has refined its NII projection methodology to better capture interest rate risk in the banking book (IRRBB) impacts under the stress scenarios.
Stress test results directly inform supervisory decisions on Pillar 2 Requirements (P2R) and Pillar 2 Guidance (P2G). Banks with weaker stress test performance face higher P2R add-ons, reducing their distributable profits and constraining dividend and buyback capacity. Compliance teams should ensure their capital planning frameworks incorporate realistic stress test projections ahead of the August results.
IRRBB: Interest Rate Risk in the Banking Book
The EBA's revised guidelines on IRRBB and credit spread risk in the banking book (CSRBB) — EBA/GL/2022/14 — have been applicable since October 2023 and are now fully embedded in supervisory expectations. Key elements driving ongoing compliance work:
- Standardised outlier tests: Banks must apply the EBA's standardised interest rate shock scenarios (six scenarios including parallel up/down shifts and steepening/flattening yield curves) and report Economic Value of Equity (EVE) and Net Interest Income (NII) sensitivities quarterly. Banks where EVE declines by more than 15% of Tier 1 capital are classified as IRRBB outliers and face supervisory scrutiny.
- Internal model requirements: Banks using internal models for IRRBB measurement must meet governance and validation standards aligned with the EBA guidelines. Model validation frequency, back-testing, and sensitivity analysis requirements are more prescriptive than under previous guidance.
- Non-Maturing Deposits (NMDs): The treatment of NMDs — current accounts, savings accounts without fixed maturity — is a key IRRBB modelling challenge. The EBA guidelines set constraints on NMD modelling, including caps on assumed average repricing maturities. Banks with large retail deposit franchises must ensure their NMD models comply with the EBA constraints while accurately reflecting their actual customer behaviour.
EU AML Package: Impact on Banks
The EU AML Package — comprising the AML Regulation (AMLR), AMLD6, and the establishment of AMLA — creates significant changes for banks as obliged entities. The most material changes from the existing AMLD5 framework:
Harmonised Customer Due Diligence
The AMLR's directly applicable provisions replace the transposed national AML laws that currently govern CDD in each Member State. For banks operating cross-border, this eliminates the need to maintain jurisdiction-specific CDD procedures that reflect transposition variations. A single AMLR-compliant CDD framework can apply EU-wide.
However, the AMLR also tightens certain CDD requirements. Beneficial ownership verification must now include documentary evidence for all corporate customers above €10,000 in aggregate transactions, not just those classified as higher risk. Enhanced due diligence is mandatory for relationships with politically exposed persons (PEPs), with the definition of PEP extended and the list of senior officials who qualify as PEPs expanded.
AMLA Direct Supervision
When AMLA begins direct supervision in 2028, it will directly supervise the highest-risk financial institutions across the EU — including the largest and most internationally active banks. The selection criteria are being finalised, but AMLA is expected to take direct responsibility for approximately 40 institutions in its first supervisory cycle. For banks selected for direct AMLA supervision, compliance teams must prepare for a new supervisory relationship with a pan-EU authority that will apply consistent standards across all supervised entities.
"The combination of CRR3, DORA, and the AML Package means that 2026 is the year when every implementation project that was deferred, scoped down, or left at 'Phase 1' needs to be completed. Supervisors are no longer treating these as new frameworks — they are expected to be operational."
EBA Work Programme: What Else Is Coming
Beyond the major reforms, the EBA's 2025-2026 work programme includes several supervisory convergence initiatives relevant to banking compliance teams:
- ESG risk management guidelines: The EBA is finalising guidelines on the management and supervision of ESG risks in banks, building on the 2023 discussion paper. These will set expectations for integrating climate and environmental risk into credit risk management, ICAAP, and recovery and resolution planning.
- Fit and proper assessments (CRD6): CRD6 harmonises the criteria for assessing the fitness and propriety of management body members and key function holders. Banks must review and update their fit and proper assessment processes to reflect the new criteria, including more prescriptive requirements for collective suitability of management bodies.
- Remuneration: CRD6 introduces changes to variable remuneration rules, including the application of the bonus cap to a broader range of "material risk takers" and clarifications on the deferral and clawback requirements. HR, legal, and compliance teams need to assess whether their current remuneration structures comply with the revised rules.
- Recovery and resolution: The EBA continues its work on MREL (Minimum Requirement for own funds and Eligible Liabilities) calibration guidance and resolvability assessment frameworks. Banks' resolution planning teams should track EBA publications in this area closely.
Practical Priorities for Banking Compliance Teams in 2026
Given the weight of regulatory change, prioritisation is essential. Here is how banking compliance teams should sequence their 2026 workload:
- CRR3 capital impact quantification: If not already complete, quantify the capital impact of the revised SA, output floor, and CVA/operational risk reforms for your specific portfolio. This is the input to capital planning, dividend policy, and any balance sheet restructuring decisions.
- DORA gap closure: With DORA already applicable since January 2025, supervisors are now assessing compliance in earnest. Priority gaps to close: ICT asset inventory completeness, incident classification procedures, TLPT scheduling for significant entities, and third-party contract remediation against DORA Article 30 requirements.
- IRRBB model review: Ensure IRRBB models comply with EBA/GL/2022/14, particularly the NMD modelling constraints and the standardised outlier test thresholds. The 2025 stress test's NII component makes IRRBB model robustness a supervisory priority.
- AML programme update: Map your existing CDD procedures against AMLR requirements and identify gaps. Priority areas: beneficial ownership verification enhancements, PEP definition updates, and transaction monitoring coverage for the revised risk categories.
- Regulatory change monitoring: With the EBA publishing implementing technical standards, regulatory technical standards, Q&As, and guidelines across all of these frameworks simultaneously, structured regulatory change monitoring is essential. Manual tracking of the EBA's publication schedule is no longer viable for teams managing multiple frameworks.
For broader context on how the EU's regulatory agenda affects different sectors, see our guides on DORA compliance, GDPR for financial services, and sanctions compliance in 2026.