EBA and ESMA consultation on revised joint Guidelines on the suitability assessment of members of management bodies and key function holders
EU RegCORE Client Alert | Capital Markets Union + Savings and Investment Union
Quick Take
On 25 February 2026, the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA) launched a joint consultation on revised joint Guidelines for the suitability assessment of members of the management body and key function holders (KFH) of banks and investment firms (collectively the Guidelines). The consultation implements the amendments introduced by CRD VI (Directive (EU) 2024/1619), substantially strengthening the EU's harmonised fit-and-proper framework for the governance of credit institutions and investment firms.
In parallel, the EBA published draft Regulatory Technical Standards (RTS) specifying the minimum content requirements for suitability questionnaires, curricula vitae and internal assessments that in-scope entities must submit to competent authorities. Mandated by Article 91(10) CRD as amended, the RTS aim to harmonise submission standards and address divergent national practices.
As explored in this Client Alert, the two consultation papers serve distinct but complementary purposes: (i) the RTS establish a harmonised information baseline for large entities, whilst (ii) the Guidelines set out substantive assessment criteria applying proportionately to a broader range of entities.
Importantly, the revised joint Guidelines replace the existing EBA/ESMA Guidelines (EBA/GL/2021/06) and apply to a broad range of entities, including large institutions, other credit institutions, Class 1(-), Class 2 and Class 3 investment firms, third country branches and financial holding companies. Under Article 121 CRD, members of financial holding company management bodies must be of sufficiently good repute and possess adequate knowledge, skills and experience. The Guidelines apply irrespective of board structure (unitary, dual or otherwise) and do not advocate any particular governance model. They do, however, apply proportionately: Class 2 investment firms are exempt from the directorship counting, independent member and nomination committee requirements, and Class 3 firms benefit from additional exemptions, including from the KFH assessment requirements. The requirements of good repute, honesty, integrity and independence of mind, by contrast, apply in full regardless of entity size.
The consultation runs until 25 May 2026, with a public hearing scheduled for 15 April 2026. The joint Guidelines are expected to enter into force six months after publication of all translations, but not later than 31 December 2026.
As explored below, the regulatory requirements and supervisory objectives contained in the RTS and Guidelines apply not only to the EU entities, staff and operations of existing financial services firms but also to new applicants and in change of control scenarios. While much of the below may be familiar to incumbent firms, it may be less so for new applicants, acquirers or regulated firms that have only recently become subject to the relevant EU regulatory perimeter. These EU-wide requirements may be supplemented by jurisdictional specifics and further expectations communicated by the respective national competent authorities (NCAs) and/or, in the context of the Banking Union, joint supervisory teams.
Key action points
While the proposed RTS and the Guidelines, as with previous versions, aim to drive harmonisation at an EU-wide level, certain procedural divergences across NCAs (regrettably) continue to apply.
A fundamental distinction across Member States concerns the timing of regulatory suitability assessments. In "ex ante" (before-the-fact) jurisdictions, regulators assess suitability before the individual takes up their position, with notifications made after the entity decides to propose the member or at latest after appointment but before they assume the role. In "ex post" (after-the-fact) jurisdictions, by contrast, the assessment occurs after the individual has already taken up their position, with notifications required within two weeks of appointment. The Guidelines acknowledge that a higher level of harmonisation in the timing of suitability assessments "would be desirable within the Banking Union but could not be achieved in the current circumstances due, among other things, to the existing fragmented national frameworks." Critically, however, CRD VI introduces specific convergence measures for large entities in ex post jurisdictions: these entities must now submit an ex ante suitability application for members of the management body in its management function or the chair of the management body in its supervisory function at least 30 working days before the prospective member takes up their position. Where regulators have concerns regarding suitability, they must engage in an enhanced dialogue with the entity to address identified concerns before the member assumes the role. The supervisory powers also differ by timing: in ex ante assessments, regulators can prevent individuals from taking up their position, whereas in ex post assessments, regulators can remove such persons or require the entity to remove them. Regulators should complete their assessment within four months, with a possible two-month extension where concerns exist.
Firms subject to the RTS and/or the revised Guidelines should consider the following action points in anticipation of these requirements:
- Conduct a gap analysis of existing suitability policies, questionnaires and assessment processes against the minimum content requirements of the RTS and the enhanced criteria in the Guidelines. This should encompass the assessment criteria for all in-scope individuals, including KFHs such as heads of internal control functions and the CFO, who may not have been subject to equivalent scrutiny under the existing regime.
- Review and update training and induction programmes to ensure they cover ESG risks and impacts, ICT-related risks, AI technologies applied within the entity, and AML/CFT matters. Entities must allocate sufficient human and financial resources for this purpose, with newly appointed members receiving induction within one month and completing it within six months.
- Review succession planning and appointment processes to accommodate the enhanced dialogue timeline for large entities (four months, with possible two-month extension), the three-year cooling-off period for former CEOs transitioning to supervisory roles, and the requirement for pre-appointment assessments. Succession planning should set out plans, policies and processes for dealing with sudden or unexpected absences or departures of management body members, including interim arrangements. When establishing succession plans, the management body should ensure continuity of decision-making and prevent, where possible, too many members having to be replaced simultaneously. Nominations for re-appointment should only take place after considering the assessment result regarding performance during the last term.
- Establish or refine diversity policies with quantitative gender targets where required. When selecting management body members, aspects such as professional and educational background, age, gender and geographical provenance should be included in the selection process. Entities should have policies ensuring no discrimination based on gender, race, colour, ethnic or social origin, genetic features, religion or belief, membership of a national minority, property, birth, disability, age, or sexual orientation. Significant entities must include specific timeframes for achieving gender targets and document non-compliance with reasons and remedial steps. Listed entities will also be subject to requirements under Directive (EU) 2022/2381 on improving gender balance among directors of listed companies. The diversity policy should promote a broad set of qualities and competences to move away from the risk of 'groupthink' towards a diverse approach.
- Ensure group-wide consistency of suitability policies across all subsidiaries within the consolidated group (i.e., all entities included in the group's consolidated prudential supervision), including third-country subsidiaries. The parent institution must ensure that internal governance arrangements, processes and mechanisms are consistent and well-integrated.
- For large entities in Member States with ex post assessment regimes, prepare for the new ex ante suitability application process and enhanced dialogue mechanism. Applications should be submitted at least 30 working days before prospective members take up their position.
- Consider submitting consultation responses by 25 May 2026 to contribute to the final form of these instruments, particularly for industry associations and larger institutions with significant supervisory engagement.
The action points above address immediate compliance priorities. The following section examines the substantive requirements of the revised framework in greater detail, providing the analytical foundation for these recommendations.
Key changes proposed
The Guidelines introduce significant changes across several domains. The following analysis addresses each in turn, distinguishing between RTS documentation requirements and Guidelines assessment criteria where relevant.
- Expanded scope to key function holders (Title II, Section 3): CRD VI explicitly extends suitability requirements to heads of internal control functions and the CFO under Article 91a CRD, with competent authority oversight for large entities. This materially expands the governance perimeter. All entities must ensure KFH suitability at all times, applying the same reputation, honesty and integrity criteria as for management body members. Large entities must inform competent authorities of assessment results. The responsible function should assess KFHs before appointment and periodically, reporting results to the appointing function and the management body. Where a competent authority assessment is also required, entities should implement appropriate safeguards (such as probationary periods, suspensive contract conditions or acting appointments) to enable removal if a KFH is assessed as unsuitable.
- Proportionality principle: Entities should take into account their size, internal organisation and the nature, scale and complexity of their activities when developing and implementing suitability policies and processes. Significant entities should have more sophisticated policies and processes, while small and less complex entities may implement simpler policies. Criteria for proportionality include: (a) balance sheet total, client assets and transaction volume; (b) legal form and group membership; (c) listing status; (d) type of authorised activities; (e) geographical presence; (f) business model and organisational structure; (g) risk strategy and profile; (h) use of internal models; (i) type of clients; and (j) complexity of products and instruments.
- Assessment criteria for management body members: The Guidelines specify comprehensive criteria for individual and collective suitability assessments:
- Knowledge, skills and experience: The assessment must establish whether the individual's education and professional experience are relevant and sufficient for the position. The assessment considers: (a) the role, responsibilities and duties; (b) the individual's education and professional experience; and (c) the nature and duration of functions performed. Where non-material weaknesses are identified, the entity must specify mitigating measures, including training to be completed within six months of appointment. Subject areas include: banking and financial markets; legal and regulatory requirements; strategic planning; risk management (including environmental, social and governance (ESG) risks and information and communications technology (ICT) risks); anti-money laundering and counter-terrorist financing (AML/CFT) obligations; accounting; auditing; and data protection. Entities issuing asset-referenced tokens or providing crypto-asset services must additionally comply with the suitability guidelines under the Markets in Crypto-Assets Regulation (MiCAR).
- Reputation, honesty and integrity: The assessment operates on a rebuttable presumption: the person is assumed to be of good repute unless there is objective evidence to the contrary. The assessment must consider: criminal records from the last 10 years across all relevant jurisdictions; civil, administrative and disciplinary decisions; insolvency proceedings; regulatory investigations and sanctions; licence refusals or revocations; dismissals from employment or positions of trust; and financial soundness. The cumulative effect of minor incidents must also be assessed.
- Independence of mind and independent members: All management body members must demonstrate independence of mind, a behavioural standard distinct from the formal "independence" applicable to certain non-executive directors. Under Article 6 RTS, the assessment must evaluate: (a) the ability to present views and critically discuss strategies; (b) the ability to independently assess and challenge proposed decisions; and (c) the capacity to ask probing questions. Conflicts of interest that could impede independent judgement must be assessed, and material conflicts must be documented together with mitigation measures. Regarding formal independence, significant and listed entities should have sufficient independent members in the supervisory function; non-significant, non-listed entities should have at least one (with exemptions for wholly-owned subsidiaries and certain small investment firms). A three-year cooling-off period applies where a former CEO transitions to a supervisory role.
- 'Being independent' criteria: A member should not be considered independent if any of the following situations apply: (a) current or former employee of the entity within the past 5 years; (b) material business relationship with the entity in the past 3 years; (c) receipt of additional significant remuneration beyond director fees; (d) qualifying shareholder of the entity; (e) close family member of a management body member or qualifying shareholder; (f) former CEO or executive director with less than 3 years' cooling-off; (g) former auditor, professional adviser or material consultant in the past 3 years; (h) material supplier, customer or business relationship in the past year; (i) member of the management body for 12 consecutive years or longer; (j) receiving significant fees or other benefits beyond remuneration for the role. Meeting one or more situations does not automatically disqualify independence if the entity can demonstrate the member's ability to exercise objective and balanced judgement is not affected.
- Time commitment and directorship counting: The assessment must detail: (a) minimum annual time for the role; (b) all directorships held, including any that qualify for 'privileged counting' (explained below); (c) size of companies where mandates are held; (d) additional responsibilities such as committee chairmanships; (e) meetings per mandate; and (f) time commitment for other relevant activities. A directorship involving both executive and non-executive responsibilities counts as executive. Directorship counting rules allow certain multiple roles to count as a single directorship: all directorships within the same corporate group count as one; directorships within an institutional protection scheme (a mutual support arrangement between banks) count as one; and qualifying shareholding positions (excluding subsidiaries) count as a separate single directorship. Travel time must also be considered.
- Collective suitability requirements: Under Article 8 RTS, the collective assessment must establish how each individual fits within the overall management body composition. The assessment must describe how the composition reflects an adequately broad range of skills and experience, identify any gaps, and specify remedial measures with timelines. Entities must use either the suitability matrix template in Annex I of the Guidelines or their own methodology consistent with the Guidelines. Under Article 9 RTS, the conclusion must clearly confirm individual suitability. Re-assessment is required: (a) upon material changes to management body composition; (b) upon material change to business model, risk appetite, strategy or structure; (c) as part of internal governance review; (d) where ML/TF suspicion arises; and (e) upon any event materially affecting.
- Areas of collective knowledge, skills and experience: The management body must collectively have appropriate understanding of and skills in: (a) the business of the entity and its main risks; (b) each material activity; (c) financial and capital markets, solvency and risk factors; (d) financial accounting and reporting; (e) risk management, compliance and internal audit; (f) information and communication technology and security, including AI requirements under the EU AI Act; (g) local, regional and global markets; (h) the legal and regulatory environment; (i) managerial skills and experience; (j) experience in implementing a culture of probing and challenging decisions; (k) strategic planning ability; (l) management of international groups and group structure risks; (m) ESG factors and risks and their impacts; and (n) digital operational resilience requirements under the Digital Operational Resilience Act (DORA), which sets IT security and resilience standards for financial firms.
- Authorisation implications: Under Article 13 of CRD, competent authorities shall refuse to grant authorisation as a credit institution if members of the management body do not meet suitability requirements. Similarly, under Article 9(4) of MiFID II, competent authorities shall refuse authorisation as an investment firm if not satisfied that management body members are of good repute, possess sufficient knowledge, skills and experience, and commit sufficient time, or if there are objective grounds to believe the management body may pose a threat to effective management or market integrity.
- Exceptional circumstances for post-appointment assessment: In exceptional cases where the requirement for at least two persons effectively directing the business cannot otherwise be met, the assessment of newly appointed members may be completed after they take up position, subject to consultation with the competent authority. Such exceptions should be limited to sudden or unexpected needs to replace members (e.g., death or removal for unsuitability). In these cases, entities should assess suitability as soon as practicable and at latest within one month of appointment.
- Shareholder information requirements: Where members are appointed by the general shareholders' meeting, entities should provide appropriate information on assessment results to shareholders before the meeting. Entities should ensure that shareholders have full access to relevant information about the obligation that management body members must at all times be suitable. The information provided should enable shareholders to take informed decisions and address any shortcomings in composition.
- Suitability policy requirements: Entities must adopt and maintain a comprehensive suitability policy, approved by the management body, that should include or refer to the diversity policy. The policy must be clear, well documented and transparent to all staff and should set out: (a) the process for selection, appointment, re-appointment and succession planning of management body members; (b) the criteria to be used in the assessment; (c) how diversity and gender balance targets are to be taken into account; (d) the communication channel with competent authorities; and (e) how the assessment should be documented. Internal control functions should provide effective input to the development of the suitability policy. The compliance function should analyse how the policy affects compliance with legislation and report identified risks to the management body.
- Skills assessment (Annex II to the Guidelines): When assessing management body members, entities should consider a non-exhaustive list of relevant skills including: (a) authenticity and openness; (b) language and communication abilities; (c) decisiveness in taking timely and well-informed decisions; (d) judgement and breadth of vision; (e) customer and quality orientation; (f) leadership and ability to provide direction; (g) loyalty and sense of involvement; (h) external awareness of developments affecting the undertaking; (i) negotiating and consensus-building; (j) persuasiveness and ability to influence views; (k) teamwork and contribution to common results; (l) strategic acumen and scenario analysis; (m) stress resistance and consistent performance under pressure; (n) sense of responsibility for stakeholder interests; and (o) chairing meetings efficiently and effectively.
Further areas of particular focus in the revised framework include:
- Training and induction requirements: Entities must provide for induction of newly appointed management body members, with key information to be provided within one month of taking up position and induction to be completed within six months. Training must cover ICT-related risks, ESG factors and risks (including their transmission channels and prudential and strategic impacts), AI technologies applied within the entity, and the benefits of diversity. Entities must allocate sufficient human and financial resources for this purpose. Management body members must collectively demonstrate understanding of ESG risks in the short, medium and long term.
- ICT and AI competence: In light of DORA and the EU AI Act, members must have an appropriate understanding of IT systems, digital operational resilience, and AI applications used within the entity. Training should cover IT-related risks and how AI technologies are applied within the institution.
- Anti-money laundering dimension: The Guidelines strengthen the AML/CFT lens in suitability assessments, requiring consideration of money laundering and terrorist financing (ML/TF) risks at appointment and on an ongoing basis. Where ML/TF suspicion arises, regulators must assess the extent to which management body members or KFHs contributed and whether they remain suitable. Regulators may consult AML/CFT supervisors and access the Central AML/CFT database under the EU's Anti-Money Laundering Authority Regulation (AMLAR). The management body member responsible for AML/CFT implementation must have adequate knowledge of ML/TF risk identification. ML/TF risk factors include: (a) vulnerable sectors (mining, energy, international trade, precious metals, defence, gaming); (b) high-risk ownership structures (trusts, non-transparent corporate structures); (c) associations with designated persons; (d) links to high-risk jurisdictions (FATF-listed, EU high-risk third countries, sanctioned jurisdictions, offshore centres); and (e) politically exposed person (PEP) status.
- Enhanced dialogue mechanism: For large entities in ex post (after-the-fact assessment) Member States, the new ex ante (before-the-fact) suitability application and enhanced dialogue mechanism will require earlier engagement with supervisors and more robust internal pre-screening before appointments are proposed. Competent authorities should set a four-month assessment period, with a possible two-month extension where concerns exist regarding the prospective member's suitability.
Draft RTS on minimum content of suitability documentation
Companies falling within the scope of Article 91(1d) CRD (large entities) are required to provide certain information to competent authorities as part of the suitability assessment. The draft RTS specify the content of the documents that must be submitted:
- Internal suitability assessment (Articles 2-3 RTS): For management body members, the entity must submit an assessment covering individual knowledge, skills and experience, reputation, honesty and integrity, independence of mind, time commitment, collective suitability, and the entity's conclusion. For heads of internal controls and the CFO, a parallel but more limited assessment is required, covering individual knowledge, skills and experience and the entity's conclusion regarding individual suitability.
- Suitability questionnaire (Article 10 RTS): The questionnaire must provide comprehensive information including the entity's contact person, the individual's identity and residence history (including countries where the individual has lived over the past 10 years), previous supervisory suitability assessments, the role description and reporting lines, planned start date and term of office, professional experience in banking/financial sector over the last 10 years, assessment of banking experience including any induction or training to be undertaken within six months, reputation information, personal/business/professional relations with other management body members, qualifying shareholders and suppliers/competitors, financial obligations towards the entity, time commitment details, and the individual's contribution to collective suitability.
- Curriculum vitae (Article 11 RTS): The CV must cover personal details (surname, first names, date and place of birth, residence and nationality), details of education including academic qualifications and relevant training, and professional experience highlighting banking and management experience. However, the entity is not required to submit a separate CV if the information is already provided in the suitability questionnaire.
The draft RTS are largely based on existing practices of competent authorities and the ECB's Single Supervisory Mechanism (SSM). No significant changes are therefore expected as a result of the RTS, and the EBA has adopted a "flexible maximum harmonisation" approach allowing competent authorities some flexibility to request additional information or to dispense with certain requirements where information is already available.
Beyond individual and collective suitability criteria, the consultation papers address broader governance and procedural requirements that will shape how firms implement the framework.
Additional governance considerations
The consultation papers raise the following additional considerations:
- Primary responsibility and ongoing monitoring: The instruments reinforce that entities – not competent authorities – bear primary responsibility for ensuring suitability at all times. This means ongoing monitoring, documentation and re-assessment obligations fall squarely on the firm. Entities must assess suitability before appointment (unless exceptional circumstances apply) and periodically update the information on suitability. Entities should keep that information up to date and review it at least annually, informing competent authorities of material changes. Assessment (or re-assessment) is required at authorisation, upon new appointments, upon re-appointments where the position requirements have changed, and on an ongoing basis.
- Documentation requirements for large entities: Large entities must prepare and submit standardised suitability questionnaires, CVs, and internal suitability assessments in the RTS-prescribed format. For detailed content requirements, see the Draft RTS section above (Articles 2-11 RTS).
- Third country branches (TCBs): Branches of non-EU banks operating in the EU are explicitly within scope and must assess both persons directing the business and KFHs, applying criteria no less stringent than for comparable EU entities. TCBs must have at least two persons effectively directing business in the relevant Member State. Larger TCBs (Class 1) may be required to establish a local management committee. TCBs should assess suitability before appointment and submit documentation in line with the RTS. The specific regulatory requirements depend on the TCB's classification and the applicable CRD provisions.
- Cooling-off periods: Where a cooling-off period cannot be implemented, entities should take other steps to manage potential conflicts effectively. (For the three-year cooling-off requirement, see Independence of mind and independent members in Key changes proposed above.)
- Nomination committee requirements: Significant entities must establish a nomination committee responsible for identifying and recommending suitable candidates for the management body, assessing the structure, size, composition and performance of the management body, and setting targets for the representation of the under-represented gender. Where a nomination committee is not established, the management body in its supervisory function should have these responsibilities. Members of the nomination committee should have adequate collective knowledge, expertise and experience relating to the business of the institution. The nomination committee should have access to all necessary information and be able to involve relevant internal control functions.
- Safeguards for appointments by elected bodies: Where regional or local bodies appoint management members (Article 91(14) CRD), the entity must establish safeguards to verify suitability. The entity should assess suitability as soon as the member is appointed, identify any concerns, and propose remedial measures.
- Notification requirements: Entities must notify competent authorities of newly appointed members and any vacant positions without undue delay. For ex ante jurisdictions, notifications should be made after the entity decides to propose the member or at latest after appointment but before taking up position. For ex post jurisdictions, notifications must be made within two weeks after appointment.
- Competent authority powers: Corrective measures available to competent authorities range from requiring training or changes to the division of tasks, through to removing members from the management body or, ultimately, withdrawing the entity's authorisation. Where suitability requirements are not met, competent authorities have the power to prevent members from taking up positions (ex ante) or remove them (ex post). Competent authorities should take into account the information provided in the EBA and ESMA databases on administrative penalties under Article 69 CRD and Article 71 MiFID II, identifying any penalties in the last ten years against entities where the assessed person was a management body member or KFH.
- Resolution context: The suitability of newly appointed management body members and the management body collectively is also relevant during bank resolution and early intervention measures under the Bank Recovery and Resolution Directive (BRRD). Regulators assess whether temporary administrators have the qualifications, ability and knowledge required. However, assessment of special managers falls exclusively within the competence of resolution authorities (i.e., the authorities responsible for managing failing banks). Regulators should aim to complete assessments in urgent situations within one month of receiving the notification of appointment.
- Entities' corrective measures: If an entity's assessment concludes that a person is not suitable, that person should not be appointed or, if already appointed, the entity should replace that member, unless easily remediable shortcomings are identified and corrective measures are taken. Appropriate corrective measures may include: (a) adjusting responsibilities between members; (b) replacing certain members; (c) recruiting additional members; (d) measures to mitigate conflicts of interest; and/or (e) training single members or the management body collectively. Entities must inform competent authorities without delay of any material shortcomings identified, including the measures taken or envisaged and the timeline for implementation.
- Re-assessment frequency: Significant entities should perform a periodic suitability re-assessment at least annually or as soon as any new facts affecting suitability become known. Non-significant entities should perform a suitability re-assessment at least every two years or as soon as any new facts affecting suitability become known.
- Assessment tools: For large entities, competent authorities should use interviews where appropriate for suitability assessments. Interviews may also be performed for other entities on a risk-based approach. Competent authorities may attend or conduct meetings with the entity, including with management body members or KFHs, or participate as observers in management body meetings to assess effective functioning.
- Cooperation between competent authorities: The revisions emphasise that competent authorities “should” (read as “must”, although whether that is absolute will depend largely on NCAs) provide each other with any information they hold about a management body member or KFH for suitability assessments, including the justification for decisions taken. Information regarding withdrawn applications or negative assessments should also be shared. Where a competent authority reaches a decision that differs from any previous assessment by another authority, it should inform the other competent authorities. Where a negative decision is based on ML/TF risks, the findings should be shared with the competent AML/CFT supervisor.
The following tables summarise the key governance and substantive assessment implications of the revised framework.
Governance and Operational Implications
| Area | Implication |
| --- | --- |
| Documentation burden | Large entities will need to prepare and submit standardised suitability questionnaires, CVs, and internal suitability assessments in the prescribed format. Existing internal processes and templates will require updating to ensure alignment with the minimum content requirements of the RTS. |
| Primary responsibility | The instruments reinforce that entities, not competent authorities, bear primary responsibility for ensuring suitability at all times. This means ongoing monitoring, documentation, and re-assessment obligations fall squarely on the firm. |
| Expanded scope to KFHs | The explicit extension of suitability requirements to heads of internal control functions and the CFO under Article 91a CRD, with competent authority oversight for large entities, represents a material expansion of the governance perimeter. Firms must integrate KFH suitability into their governance frameworks. |
| Group-wide application | Consolidating institutions must ensure that suitability policies are implemented consistently across all subsidiaries within the consolidated group (i.e., entities subject to consolidated prudential supervision), including third-country subsidiaries. |
| Third country branches | TCBs are now explicitly within scope and must assess both persons directing the business and KFHs, applying criteria no less stringent than those for comparable EU entities. |
Substantive Assessment Implications
| Area | Implication |
| --- | --- |
| ESG knowledge requirements | Management body members must collectively demonstrate understanding of ESG risks, their transmission channels, and their prudential and strategic impacts. This must also be reflected in induction and training programmes. |
| ICT and AI competence | In light of DORA and the AI Act, members must have an appropriate understanding of ICT systems, digital operational resilience, and AI applications used within the entity. |
| AML/CFT dimension | The Guidelines significantly strengthen the AML/CFT lens in suitability assessments, requiring entities and competent authorities to consider ML/TF risks both at initial appointment and on an ongoing basis. |
| Enhanced dialogue | For large entities in “ex post” (after-the-fact assessment) Member States, the new “ex ante” (before-the-fact) suitability application and enhanced dialogue mechanism will require earlier engagement with supervisors and more robust internal pre-screening before appointments are proposed. |
| Cooling-off periods | The three-year cooling-off period for former CEOs or executive directors transitioning to supervisory roles introduces a new structural constraint on board succession planning. |
Taking stock of these requirements, firms should now consider the practical implications of the revised framework.
Practical steps for firms – immediate legal and documentation priorities
The action points set out in the sections above provide a high-level roadmap for compliance. This section addresses implementation from a legal and documentation perspective, identifying the specific workstreams that will likely require attention.
From a legal and documentation perspective, regulated firms should, with their professional advisers, prioritise the following workstreams:
- Employment and appointment documentation: Firms should review and update letters of appointment, employment contracts and job descriptions for management body members and KFHs to ensure they: (a) include clear statements of roles, responsibilities and reporting lines; (b) incorporate suitability undertakings requiring the individual to notify the entity of any changes affecting their suitability; (c) include probationary periods or suspensive conditions enabling the entity to remove KFHs if assessed as unsuitable by the competent authority; (d) specify time commitment expectations with annual estimates; (e) incorporate directorship counting obligations under Article 91(3) CRD; and (f) include provisions for induction within one month and training completion within six months.
- Suitability policy framework: The suitability policy should be reviewed to ensure it sets out: (a) documentation standards and record retention requirements; and (b) processes for KFH selection and appointment. Documentation evidencing management body approval and any amendments must be maintained (e.g., board minutes). (For core policy content requirements, see Suitability policy requirements in Key changes proposed above.)
- Governance charters and internal organigrams: Firms should update governance charters, internal organigrams and role mapping documents to clearly allocate duties and responsibilities in accordance with Article 88(3) CRD individual statements. These documents are critical for re-assessment purposes, as they establish whether any material fact or finding should be allocated to one or more responsible members of the management body.
- Conflict of interest policies: The entity's conflict of interest policy must be reviewed to ensure it captures the conflicts assessment required under Article 6 RTS. Where material conflicts are identified, the policy should prescribe bespoke conflict management or mitigation arrangements and require documentation of how conflicts have been satisfactorily mitigated or remedied.
- Standardised assessment templates: Large entities must adopt standardised templates aligned with the RTS minimum content requirements, including collective suitability matrices in accordance with Annex I or an equivalent methodology. (For detailed template content requirements, see Draft RTS on minimum content of suitability documentation in Key changes proposed above.)
- Training and induction policies: Firms should ensure training policies specify the content, timeline and duration of training plans to address identified knowledge gaps and document the allocation of sufficient human and financial resources. (For mandatory topics and timing requirements, see Key action points item 2 above.)
- Group-wide policy coordination: The suitability policy should be adjusted to the specific situation of group entities and subsidiaries not themselves subject to Article 91 and 91a CRD, whilst accounting for differences in national company law and other regulatory requirements across relevant jurisdictions. (For core group-wide consistency requirements, see Key action points item 5 above.)
- Notification and record-keeping procedures: Firms should establish or update internal procedures for: (a) notifying vacant positions without undue delay; (b) maintaining annual suitability information reviews; (c) documenting assessment results, including any weaknesses identified and measures to address them; and (d) informing competent authorities of material changes and shortcomings. (For notification timeframes, see notification requirements in Additional governance considerations above.)
- Diversity policy with quantitative targets: The diversity policy should take into account professional and educational background, age, gender and geographical provenance when selecting management body members. (For gender target and non-discrimination requirements, see Key action points item 4 above.)
- Succession planning documentation: Re-appointment nominations should be documented with reference to performance assessments from the preceding term. (For succession planning process requirements, see Key action points item 3 above.)
Outlook
The consultation on the revised Guidelines and draft RTS marks a significant step in harmonising the EU's fit-and-proper framework under CRD VI. These instruments address divergent national practices, establish a level playing field across Member States, and strengthen governance standards for credit institutions and investment firms.
The EBA has adopted a "flexible maximum harmonisation" approach to the RTS, drawing on existing ECB-SSM practices whilst allowing competent authorities limited flexibility to request additional information or dispense with certain requirements where information is already available.
Notwithstanding these harmonisation efforts, certain procedural divergences across NCAs will (frustratingly) continue to apply. In particular, the fundamental distinction between ex ante and ex post assessment jurisdictions remains unharmonised, with differing notification timelines, supervisory powers (prevention versus removal), and procedural requirements applying across Member States. The Guidelines also defer to national company law regarding board structures (unitary, dual, or otherwise) and do not interfere with social, company or labour law, which Member States may have implemented divergently. Competent authorities retain discretion in several key areas: whether to require suitability assessments for entities other than large entities; whether to apply credit institution requirements to TCBs under Article 48a(4) CRD; whether to require independent directors for wholly-owned subsidiaries; and the form of positive decisions (including tacit approval by silence where permitted by national law). Group-wide policies must therefore account for differences between national company laws and other regulatory requirements across relevant jurisdictions. Firms operating across multiple Member States should anticipate continued variation in NCA expectations and procedural requirements, notwithstanding the common substantive assessment criteria that the proposed RTS and Guidelines seek to harmonise.
Following the consultation, the EBA and ESMA will finalise the Guidelines and submit the draft RTS to the European Commission. Given the targeted go-live of 31 December 2026 and the short consultation period, firms should take three immediate steps: (i) submit consultation responses by 25 May 2026 to influence the final requirements; (ii) conduct a gap analysis against the draft instruments as set out in the key action points above; and (iii) commence workstreams on the legal and documentation priorities identified in this Client Alert. Early engagement will be critical to ensuring operational readiness by year-end.
About us
PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from relevant related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients in navigating challenges and seizing opportunities, as well as in proactively engaging with their market stakeholders and regulators.
Moreover, we have developed a number of RegTech and SupTech tools for supervised firms, including PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 2,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.
Equally, in leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures. It creates a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary, with version control over a defined backward- and forward-looking timeline, so that changes in one policy are carried through to other policy and procedure documents, critical path dependencies are mapped, and legislative and regulatory developments are flagged where these may require actions to be taken in such policies and procedures.
The PwC Legal Team behind Rule Scanner are proud recipients of ALM Law.com’s coveted “2024 Disruptive Technology of the Year Award” and the “2025 Regulatory, Governance and Compliance Technology Award in 2025”.
If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.