ESMA’s record fine on governance and control failings signals new era of supervision
RegCORE Client Alert | Capital Markets Union + Savings and Investment Union
Quick Take
On 17 February 2026, the European Securities and Markets Authority (ESMA) imposed a total fine of EUR 1,374,000 on REGIS-TR S.A. for seven infringements under Regulation (EU) No 648/2012 on OTC derivatives, central counterparties and trade repositories (EMIR) and Regulation (EU) 2015/2365 on transparency of securities financing transactions and of reuse (SFTR) – the highest fine ESMA has levied on a trade repository (TR) and the first enforcement case involving SFTR breaches. (Details and full access to the underlying documents are available here.) The infringements concerned inadequate policies and procedures, deficient organisational structures, failures to identify and minimise operational risk, and breaches of confidentiality and data misuse prevention obligations. All were found to have resulted from negligence, not intent.
These fines were imposed for failures of organisational control. As AI increasingly enters production environments within legally enforceable information and communication technology (ICT) frameworks – and as governance frameworks for AI continue to develop across the UK, EU, US, Singapore and elsewhere – the REGIS-TR case offers an early and instructive signal of the standard to which firms may be held.
This Client Alert first sets out what the ESMA enforcement documents establish, then considers the broader implications for regulated firms as supervisory expectations continue to evolve.
From policy review to operational scrutiny
Whilst the concept of "real-time" supervisory monitoring of production systems is not what occurred in this case – ESMA conducted a traditional investigation through an Independent Investigating Officer (IIO), followed by Board adjudication – the enforcement methodology nonetheless reflects a significant shift. ESMA examined actual operational outcomes rather than stated policy intentions: incident patterns, access control practices, resourcing decisions, testing adequacy and system development lifecycle (SDLC) governance were all scrutinised against the standard of what a professional firm in the financial services sector should have done.
The seven breaches specifically related to: deficiencies in policies and procedures under both EMIR and SFTR; shortcomings in organisational structure affecting continuity and orderly functioning; failure to identify and minimise operational risk; failure to ensure confidentiality, integrity and protection of EMIR-reported information; and failure to prevent misuse of information. All breaches were found to have resulted from negligence.
As ESMA's Chair, Verena Ross, stated: "REGIS-TR failed to comply with its obligations under EMIR and SFTR. Data on trades made available to public authorities is essential for market surveillance, enabling early detection of exposure concentrations, cross-border risks, and changes in liquidity and leverage. Today's decision highlights ESMA's commitment to enforcing essential requirements that ensure transparency and contribute to well-functioning markets."
Critically, ESMA characterised these failures as stemming from "long-lasting serious overarching issues". Aggravating factors applied in nearly every instance included that the infringements had been committed for more than six months and that they had revealed systemic weaknesses in the organisation of the trade repository, particularly in its procedures, management systems and internal controls.
The ESMA Decision in detail
What is striking is that the penalties in the ESMA Decision were not imposed for deliberate wrongdoing or market abuse, but for an inability to evidence adequate organisational control – a finding of negligence.
Procedural history
The case stems from long-standing, serious and overarching issues at REGIS-TR identified over a significant period and through numerous incident notifications and supervisory engagements. The procedural timeline reveals the depth and duration of ESMA's engagement:
Between 2018 and 2022, ESMA engaged extensively with REGIS-TR on governance, information security and incident trends, including letters to senior management and review of remediation plans. On 14 June 2024, ESMA Supervisors identified serious indications of possible infringements, and on 17 June 2024 an IIO was appointed. The IIO issued an initial Statement of Findings on 8 April 2025; REGIS-TR made written submissions on 6 June 2025; the Statement was amended on 10 July 2025 and sent to ESMA's Board of Supervisors. The Board discussed the case on 7–8 October 2025, adopted and notified its initial findings, and REGIS-TR responded on 6 November 2025. The Board adopted its final Decision on 17 February 2026, finding seven infringements and imposing fines and supervisory measures.
Appeal rights and next steps
REGIS-TR may appeal the Decision to the ESMA Board of Appeal within two months of notification, and thereafter to the Court of Justice of the European Union. As at the date of this Client Alert, REGIS-TR has not publicly indicated whether it intends to appeal. Readers should note that, pending any appeal, the Decision remains in force and the fine is payable. An appeal does not automatically suspend the operation of the Decision, though REGIS-TR could apply for interim measures. The outcome of any appeal – and the reasoning of the Board of Appeal or the Court – may further clarify the standard of control expected of TRs and, by extension, other regulated financial market infrastructure.
Comparative enforcement context
The EUR 1,374,000 fine imposed on REGIS-TR is the largest penalty ESMA has levied on a TR to date. For context, prior ESMA enforcement actions against TRs have typically resulted in fines in the range of EUR 56,000 to EUR 640,000. The scale of the REGIS-TR fine reflects both the number and duration of the infringements and the application of multiple aggravating factors. The Decision also marks ESMA's first enforcement action under SFTR, signalling that the Authority's supervisory focus now extends fully across both reporting regimes. Firms should anticipate that ESMA will continue to pursue enforcement action where systemic governance failings are identified, and that the fine levels established in REGIS-TR may serve as a reference point for future cases.
REGIS-TR's market footprint
The scale of REGIS-TR's operations is relevant context for the Decision. REGIS-TR has been registered as a trade repository under EMIR since 14 November 2013 and extended to SFTR on 29 April 2020, effective 7 May 2020. In 2024, it was the leading EU-based TR by EMIR trade volumes with approximately 42% market share, and second under SFTR with approximately 13% market share; it was also second by reporting counterparties under both regimes. Its 2024 annual turnover was in the range of EUR 25–30 million.
The seven infringements
ESMA established the following seven infringements:
- EMIR Article 78(3): failure to establish adequate policies and procedures.
- EMIR Article 78(3) in conjunction with SFTR Article 9(1): the same failure extended to SFTR activities.
- EMIR Article 78(4) in conjunction with SFTR Article 9(1): inadequate organisational structure to ensure continuity and orderly functioning under SFTR.
- EMIR Article 79(1): failure to identify and minimise operational risks under EMIR.
- EMIR Article 79(1) in conjunction with SFTR Article 9(1): the same operational risk failures extended to SFTR activities.
- EMIR Article 80(1): failure to ensure confidentiality, integrity and protection of reported information under EMIR.
- EMIR Article 80(6): failure to take all reasonable steps to prevent misuse of information under EMIR.
Factual foundations of the infringements
- Policies and procedures (EMIR and SFTR)
Multiple SDLC, product and project documents overlapped without clarifying scope or inter-relationships; inconsistencies and contradictions existed on roles and responsibilities of key bodies including the Board of Directors, Group Executive Management (GEM) and CEO; gaps and ambiguities were found in key procedural steps such as project planning, testing and crisis management; and effective dates were ambiguous. ESMA found these deficiencies existed from at least November 2015 and extended into SFTR activities from 7 May 2020.
- Organisational structure and business continuity (SFTR)
From 13 July 2020 to 20 September 2022, REGIS-TR notified 158 SFTR incidents, representing 49% of all reported SFTR incidents in that period against an approximate 15% market share. Internal reports and Board minutes reflected resourcing and expertise constraints and late or incomplete testing. ESMA linked incident root causes predominantly (78%) to SDLC failures and found insufficient systems, procedures and resources to ensure orderly functioning.
- Operational risk (EMIR and SFTR)
Post-Brexit, access to the EU inter-TR Secure File Transfer Protocol (SFTP) folder for certain UK TRs was not promptly disabled; checklists focused on UK Financial Conduct Authority (FCA) and Bank of England oversight but omitted disabling procedures for TRs no longer registered in the EU, which ESMA found failed to minimise confidentiality risk. Significant delays and risk management gaps also arose in processes to handle Legal Entity Identifier (LEI) changes following corporate actions and in the development of port-out functionality (i.e., the ability for reporting counterparties to transfer their trade data from one TR to another), where ESMA emphasised that portability risk was foreseeable and must be mitigated.
- Confidentiality and misuse (EMIR)
The failure to revoke access for UK TRs post-Brexit constituted breaches of EMIR Articles 80(1) and 80(6). ESMA underlined that "reasonable steps" implies a high diligence standard for TRs safeguarding sensitive data.
Sanctions and Supervisory Measures
The total fine of EUR 1,374,000 was allocated across the seven infringements as follows:
- Policies and procedures (EMIR and SFTR): EUR 594,000.
- Organisational structure and business continuity (SFTR): EUR 320,000.
- Operational risk (EMIR and SFTR): EUR 350,000 (with the EMIR-side operational risk fine not imposed due to factual overlap under Article 65(4) EMIR).
ESMA also imposed supervisory measures under Article 73 EMIR, comprising public notices and requirements to bring ongoing infringements to an end where continuing deficiencies were found.
Legal analysis highlights
The Decision contains several points of broader legal significance for trade repositories and regulated financial market infrastructure:
- EMIR/SFTR interplay
ESMA treats EMIR and SFTR as distinct legal frameworks. Cross-references in SFTR are for efficiency, not merger of regimes. Overlapping facts can support separate infringements under both.
- Anti-duplication (EMIR Article 65(4))
This provision applies to multiple infringements based on the same act or omission within a single regime; it does not eliminate parallel fines across EMIR and SFTR.
- Standard of care
"Adequate" and "appropriate" systems, resources and procedures are assessed on design and clarity. ESMA does not require crystallised harm to establish policy and procedure infringements.
- No legitimate expectation from registration or supervision
Successful registration and ongoing supervisory dialogue do not preclude later enforcement on the same structural topics.
- Turnover basis for fines
EMIR requires use of a TR's total annual turnover – not regime-specific turnover – for basic amounts and the 20% cap.
- Non-retroactivity and DORA
The repeal of EMIR Article 80(1) by Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA), effective 17 January 2025, had no effect on facts predating that amendment.
- Interaction with other regulatory frameworks
The Decision was brought under EMIR and SFTR, but the governance standard it applies has implications under other EU regulatory frameworks. DORA, which entered into force on 17 January 2025, imposes comprehensive ICT risk management and incident reporting obligations across the financial sector. The NIS2 Directive (Directive (EU) 2022/2555) establishes cybersecurity obligations for essential and important entities, with potential overlap for financial market infrastructure. For firms deploying AI in regulated processes, the EU AI Act (Regulation (EU) 2024/1689) will impose risk management and governance obligations that align with the standard of demonstrable control adequacy applied here. The GDPR (Regulation (EU) 2016/679) remains relevant where, as in REGIS-TR, confidentiality and data protection failings are identified. Firms should assess their governance arrangements holistically across these frameworks.
- Individual accountability
The REGIS-TR Decision was directed at the entity rather than individuals. However, readers should note that ESMA has powers under Article 73(1)(c) of EMIR to require the temporary prohibition of members of a TR's management body from exercising management functions. Whilst these powers were not exercised in this case, the findings of systemic governance failings – attributed to negligence – may inform supervisory expectations regarding senior management accountability. In jurisdictions with individual accountability regimes, similar failings could expose individuals to personal liability. Boards and senior managers should ensure that their oversight of governance and control matters is documented and capable of evidencing the exercise of reasonable care.
The above sends a number of signals to regulated firms.
What the ESMA Decision signals for regulated firms
The REGIS-TR enforcement establishes that supervisory authorities will penalise firms for inadequate governance and control design, assessed on the basis of actual operational outcomes rather than stated intentions, and that negligence – not intent – is a sufficient basis for material fines. The Board of Supervisors found that REGIS-TR failed to take the "special care expected of a TR as a professional firm in the financial services sector", underscoring that regulated firms operating critical infrastructure must take special care in assessing the risks their acts or omissions entail.
This standard has implications extending well beyond trade repositories to the governance expectations now emerging across AI and ICT frameworks in the EU, UK, US, APAC and elsewhere. As AI and ICT are deployed more widely within regulated processes, accountability for AI-driven systems will be tested against similar standards.
Implications for other categories of regulated entity
Whilst the REGIS-TR enforcement concerned a TR directly supervised by ESMA (see also our Client Alert on ESMA's direct supervision mandate as it currently stands (here) and on how it may evolve pursuant to the EU Savings and Investment Union's Market Integration and Supervision Package (here)), the governance standard articulated in the Decision is framed in terms applicable across the regulated financial services sector. Investment firms, credit institutions, asset managers, central counterparties (CCPs), central securities depositories (CSDs) and payment service providers all operate under frameworks that impose comparable obligations regarding policies and procedures, organisational structure, operational risk management and data protection. The finding that "adequate" and "appropriate" systems are assessed on design, clarity and operational coherence – not merely existence – is of general application. Firms in these sectors should review their governance arrangements against the standard applied in REGIS-TR, particularly where they rely on complex or layered policy documentation.
National competent authority enforcement
ESMA exercises direct supervisory authority over TRs, but (currently) national competent authorities (NCAs) supervise the majority of regulated financial services firms. The REGIS-TR Decision may influence NCA enforcement posture in two respects. First, NCAs participating in ESMA's Board of Supervisors have endorsed the governance standard articulated in the Decision; they may apply similar expectations in their own supervisory and enforcement activities. Second, DORA – which applies across the financial sector and is supervised by NCAs (with ESMA, EBA and EIOPA coordinating through the Joint Committee) – imposes ICT risk management obligations that align with the control adequacy standard applied here. Firms should anticipate that NCAs will increasingly assess governance and operational resilience by reference to actual outcomes rather than stated policy.
The evolving legislative landscape reinforces this trajectory. The REGIS-TR enforcement was brought exclusively under EMIR and SFTR, but DORA – which entered into force on 17 January 2025 – has since amended Article 79(1) of EMIR to require that trade repositories minimise operational risk "through the development of appropriate systems, controls and procedures, including ICT systems managed in accordance with [DORA]". That amendment post-dates the facts at issue in the REGIS-TR enforcement, but it draws ICT governance and operational risk management into a single, integrated supervisory framework – a direction of travel that gives the enforcement's findings added resonance.
For boards and senior management, the implication is that control literacy – particularly with respect to ICT systems and, increasingly, AI – is becoming a core competence rather than a delegable function.
The adequacy of control documentation
The REGIS-TR enforcement underscores that the mere existence of policies and procedures is insufficient. What matters is whether those documents are coherent, consistent, operationally usable and capable of demonstrating a clear chain of control. The findings illustrate a practical reality: where a firm's own records cannot evidence a coherent governance framework, the firm is unable to reconstruct – and therefore to defend – the basis on which decisions were taken.
The Board found that REGIS-TR's policies and procedures "covered the same topics, complemented, or supplemented each other, but without clarifying their respective scopes and relationships to one another" and that "some procedures were inconsistent with others covering the same topics, including regarding the roles and responsibilities of important bodies such as the Board of Directors and CEO". In other words, the firm could not demonstrate, through its own documentation, a coherent chain of control.
ESMA went further, noting that "a new staff member would struggle to comply with the policies and procedures (and the regulations) further to reading and analysing the documents". REGIS-TR's own internal audit identified a "lack of sound system development framework", and the 2020 Annual Compliance Report stated that "the lack of effective control framework and the errors in the definition, development and testing of SFTR solution are the reason for the high number of incidents and bugs" reported.
The lesson is clear: the existence of documentation, in and of itself, does not constitute governance. What matters is whether policies and procedures are internally consistent, operationally coherent and capable of guiding actual behaviour. ESMA assessed the adequacy of REGIS-TR's controls by reference to their design and clarity, without requiring evidence of crystallised harm.
Implications for RegTech architecture
The REGIS-TR enforcement was not directed at RegTech as such, but the standard of control it applies raises a practical question for the industry: can compliance technology credibly remain separate from core production infrastructure when supervisory authorities assess control adequacy by reference to actual operational outcomes?
The Board found that REGIS-TR did not employ "appropriate and proportionate systems, resources and procedures" and that 78% of incidents following SFTR deployment related to system development lifecycle failures. Where SDLC governance is itself the source of operational failures, a compliance layer that sits apart from core infrastructure may be unable to detect or prevent the deficiencies that supervisors will examine.
This suggests that, over time, control logic may need to be more deeply integrated into production technology stacks rather than maintained as a parallel reporting function – particularly as supervisory expectations of demonstrable, end-to-end control adequacy continue to sharpen.
The cost of inadequate control
The REGIS-TR decision illustrates the material financial consequences that flow from governance and control failings, even in the absence of deliberate misconduct or crystallised harm.
The Decision applied multiple aggravating coefficients – 1.5 for infringements lasting more than six months, 2.2 for systemic weaknesses in procedures, management systems or internal controls, and 1.1 for repeated infringements. Where senior management could not demonstrate they had taken all necessary measures to prevent infringements, mitigating factors were deemed inapplicable.
The sanctions in this case comprised fines and supervisory measures – public notices and requirements to remediate – rather than direct capital consequences. But for firms that cannot justify the adequacy of their current operating model, the risk profile extends beyond the immediate fine: reputational consequences, heightened supervisory attention and potential implications for operational resilience assessments all follow from the type of systemic governance failings identified here.
As expectations around AI and ICT governance continue to sharpen, this standard of demonstrable control adequacy is likely to become the baseline against which firms are assessed. Some of the lessons from this ESMA Decision can translate into wider reaching considerations for all types of regulated firms that are subject to direct or indirect ESMA supervision.
What firms should consider doing now
Key considerations for trade repositories and regulated infrastructure
- Policies and SDLC governance
Consolidate and align policies and procedures; remove contradictions, clarify scope and inter-relationships, and ensure unambiguous effective dates. Define roles and responsibilities consistently across governance and procedural documentation; reflect Board of Directors and GEM decision rights accurately.
- Operational risk controls
Validate access de-provisioning and reconciliation controls for all external entities – including inter-TR SFTP connections – following regulatory boundary changes. Evidence end-to-end governance for LEI update processes and portability (port-out) arrangements. Ensure incident root-cause analysis feeds SDLC improvements where integrity, availability or confidentiality are affected.
- Organisational structure and resourcing
Demonstrate adequate, skilled resources and testing coverage ahead of go-lives; document quality gates and remediation timelines. Maintain Board-level visibility on project risk, incident trends and remediation progress.
- Sanctions methodology awareness
Recognise ESMA's use of whole-entity turnover for fine calibration and the confined scope of Article 65(4) anti-duplication within a single regime.
Immediate action checklist for boards and senior management
- Policy and procedure gap assessment
Commission a gap assessment of policies and procedures focusing on SDLC, product and project management, crisis management and business continuity, ensuring internal consistency and clear accountability maps.
- Access rights and de-provisioning
Re-perform access rights reviews and de-provisioning playbooks for all third-party interfaces, including inter-TR data exchanges, with evidence of timely revocation protocols following authorisation changes.
- Portability and LEI governance
Validate SFTR portability and LEI update capabilities and governance; document scenario testing and fallback procedures.
- Incident management and board reporting
Strengthen incident management with root-cause trend analysis tied to policy and process redesign and resourcing plans; ensure regular reporting to the Board of Directors and subcommittees.
- Management oversight trails
Document senior management oversight and decision-making trails for remediation activities to evidence diligence against negligence standards.
Broader strategic actions
- Policy coherence and operational adequacy
Assess the coherence and operational adequacy of existing policies, procedures and controls – not only for completeness, but for internal consistency, clarity of accountability and usability. The REGIS-TR case demonstrates that supervisors will assess controls by reference to their design and practical operability, not merely their existence.
- Third-party compliance technology
Evaluate third-party and overlay compliance technology arrangements. Consider whether compliance controls that sit apart from core production infrastructure would withstand scrutiny focused on actual operational outcomes.
- DORA and ICT supervisory convergence
The amendment to Article 79(1) of EMIR now requires ICT systems to be managed in accordance with DORA; firms should ensure that their operational risk frameworks are integrated rather than siloed. Note that DORA did not form the legal basis for the REGIS-TR enforcement, which concerned pre-amendment facts, but the legislative direction of travel is clear.
- AI and ICT governance
As AI and ICT governance frameworks continue to develop, firms deploying AI and other ICT within regulated processes should consider whether their governance arrangements meet the standard of demonstrable control adequacy applied in this case.
Lastly, there are two further overarching considerations that are relevant now and will remain so over the longer-term outlook:
Remediation costs
Beyond the fine itself, firms facing enforcement for systemic governance failings should anticipate significant remediation costs. These include the direct costs of engaging external advisers (legal, compliance, technology and audit) to assess and rectify deficiencies; the cost of implementing new or enhanced systems, controls and procedures; and the opportunity cost of diverting management attention and internal resources to remediation activities. Indirect costs may also be material: heightened supervisory engagement (including potential on-site inspections and increased reporting requirements), reputational damage affecting client relationships and business development, and potential implications for regulatory capital or liquidity assessments where operational resilience is called into question. Firms should factor these broader costs into their assessment of the return on investment in robust governance and control frameworks.
Insurance and indemnification considerations
Boards and senior management may wish to consider the extent to which directors' and officers' (D&O) liability insurance or professional indemnity policies would respond to fines and associated costs arising from enforcement action of this nature. Coverage varies by policy, but regulatory fines are often excluded or subject to sub-limits. The finding of negligence (as opposed to wilful misconduct) may be relevant to coverage analysis, as some policies exclude liability arising from intentional acts but cover negligent conduct. Defence costs and costs of internal investigations may be covered separately. Firms should review their insurance arrangements with their brokers and insurers to understand the scope of coverage and any gaps that may exist. Indemnification arrangements for directors and officers under the firm's constitutional documents should also be reviewed.
Outlook
ESMA's Decision underscores the centrality of coherent, operable governance frameworks for trade repositories under both EMIR and SFTR, the high diligence standard expected for safeguarding and controlling access to reported data, and the separate, cumulative nature of compliance obligations – and sanctions – across the two regimes. TRs should evidence that policy design, organisational structure and operational risk controls are not only documented but functionally coherent and capable of withstanding supervisory examination that assesses actual operational adequacy.
Whilst the REGIS-TR enforcement did not involve AI directly, the governance standard it establishes – demonstrable adequacy of systems, controls and procedures, assessed by reference to outcomes rather than intentions – is likely to define the supervisory approach to AI-driven processes as dedicated frameworks mature.
About us
PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from relevant related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients in navigating challenges and seizing opportunities, as well as in proactively engaging with their market stakeholders and regulators.
Moreover, we have developed a number of RegTech and SupTech tools for supervised firms, including PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 2,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.
Equally, in leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures, create a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary that has version control over a defined backward plus forward looking timeline to be able to ensure changes in one policy are carried through over to other policy and procedure documents, critical path dependencies are mapped and legislative and regulatory developments are flagged where these may require actions to be taken in such policies and procedures.
The PwC Legal Team behind Rule Scanner are proud recipients of ALM Law.com’s coveted “2024 Disruptive Technology of the Year Award” and the “2025 Regulatory, Governance and Compliance Technology Award in 2025”.
If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.