Joint Committee of the ESAs’ Annual Report 2025 – Key Implications for Regulated Firms

EU RegCORE Client Alert | Capital Markets Union + Savings and Investment Union

QuickTake

On 24 April 2026, the Joint Committee (JC) of the three European Supervisory Authorities (ESAs)—comprising the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA)—published its Annual Report for 2025. The JC, chaired in 2025 by EIOPA,Available here.Show Footnote continued to serve as the central coordinating forum facilitating dialogue and information exchange among the ESAs, the European Commission and the European Systemic Risk Board (ESRB). The headline points for regulated firms are summarised below.

• As explored in this Client Alert, the 2025 Annual Report from the JC of the ESAs highlights a number of key considerations for regulated firms and markets. This includes:
  
  
  • What. The JC’s 2025 work focused on (i) implementing the Digital Operational Resilience Act (DORA)—including the designation of nineteen critical third-party providers (CTPPs) and operationalisation of the EU-level cyber coordination framework; (ii) cross-sectoral risk assessment in an environment of heightened geopolitical and macro-financial uncertainty; (iii) sustainable finance, with further work on the Sustainable Finance Disclosure Regulation (SFDR) and environmental, social and governance (ESG) stress testing; (iv) retail investor and consumer protection, including crypto-asset warnings and education on digital fraud and AI-enabled scams; and (v) cross-cutting initiatives on securitisation, FinTech and BigTech, the European Single Access Point (ESAP) and financial conglomerates.
  • When. Core DORA application commenced on 17 January 2025. Key milestones during 2025 included the April-November designation of CTPPs and publication of the CTPP list on 18 November 2025, the operationalisation of the European Systemic Cyber Incident Coordination Framework (EU-SCICF), and the adoption (in January 2026) of Joint Guidelines on ESG stress testing finalised in 2025.
  • Who. The JC’s work is relevant to credit institutions, investment firms, insurers, reinsurers, asset managers and other financial market participants, as well as critical information and communication technology (ICT) third-party service providers, BigTech and mixed-activity groups providing financial services, entities in scope of SFDR, securitisation market participants, financial conglomerates, and national competent authorities (NCAs).
• Immediate action. Firms should: (i) assess their positioning under DORA, including dependencies on the designated CTPPs, and monitor the emerging CTPP oversight framework—CTPP concentration is now a board-level risk factor; (ii) review SFDR PAI disclosures and ESG stress testing approaches in light of the JC’s findings and forthcoming Guidelines—disclosure quality is becoming a competitive differentiator; (iii) reassess crypto-asset offerings, client communications and fraud-prevention measures against the ESAs’ consumer-facing outputs—enforcement risk in this space is rising; and (iv) for groups with cross-border or conglomerate structures, track the evolution of ESAs’ information exchange and cooperation with AMLA—supervisory silos are closing.

This Client Alert analyses the JC’s 2025 Annual Report and its practical implications for regulated firms. For a complete picture, this Client Alert should be read together with our standalone coverage on individual developments raised in the report, as well as similar annual reports published by the individual European Supervisory Authorities (EBA, ESMA and EIOPA) and the Banking Union supervisory authorities (ECB-SSM and SRB)—a full list of coverage is also available in “Navigating 2026”.