The Joint Committee of the European Supervisory Authorities publishes its Annual Work Programme 2026
Written by
RegCORE Client Alert | Capital Markets Union + Savings and Investment Union
QuickTake
On 16 October 2025, the Joint Committee (JC) of the European Supervisory Authorities (ESAs)—comprising the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA)—published its 2026 Annual Work Programme (AWP). The AWP sets out the JC’s cross-sectoral priorities for the coming year, with a continued focus on digital operational resilience, consumer protection, financial innovation, sustainable finance, risk assessment, securitisation, financial conglomerates, innovation facilitation and external credit assessment institutions. The 2026 agenda is shaped by ongoing geopolitical tensions, the EU’s simplification agenda, and the need for supervisory convergence and regulatory consistency across the financial sector.
This Client Alert examines the relevant issues and key legal and regulatory considerations for market participants. It should be read alongside other thematic deep dives on reforms and developments, as well as our standalone analysis of all relevant 2026 AWPs from the European Commission, the ESAs and Banking Union authorities (ECB-SSM and SRB), AMLA,Available here.Show Footnote and as well as the EBA’s and ESMA’s efficiency, simplification and burden reduction reports published in October 2025. Readers may also find value in consulting publications from PwC’s Risk Network and PwC Legal’s “Navigating 2026," a comprehensive playbook offering a detailed annual outlook from PwC Legal’s EU RegCORE on the upcoming regulatory policymaking agenda, supervisory cycle and an assessment of commonalities and trends for 2026 and beyond.
Key takeaways from JC of the ESAs’ 2026 AWP
As in previous years the JC of the ESAs’ have outlined an ambitious and comprehensive work programme for 2026, aimed at enhancing regulatory consistency, supervisory convergence and consumer protection across the European financial sector. The ESAs are committed to fostering cross-sectoral regulatory consistency and supervisory convergence. This involves regular coordination of activities within their respective responsibilities to ensure uniformity in practices.
The JC’s 2026 agenda consolidates cross sector supervisory convergence while operationalising new structures created by recent legislation. Four themes dominate: (i) the first full oversight cycle under the Digital Operational Resilience Act (DORA) for Critical ICT Third-Party Providers (CTPPs) and a more mature Pan-European Systemic Cyber Incident Coordination Framework (EU-SCICF); (ii) consumer protection under the EU’s Savings and Investments Union (SIU), including potential Packaged Retail and Insurance-based Investment Products Key Information Document (PRIIPs KID) Regulatory Technical Standards (RTS), sanctions reporting and financial education; (iii) sustainable finance, with Sustainable Finance Disclosure Regulation (SFDR) Level 1 review preparations, possible Environmental, Social, and Governance (ESG) ratings disclosure RTS and cross sector ESG stress testing guidelines; and (iv) supervisory coherence on securitisation, financial conglomerates, innovation facilitators and model dependencies (External Credit Assessment Institutions (ECAIs), European Market Infrastructure Regulation (EMIR) 3 margining). Firms should expect more structured EU level coordination, clearer expectations on third party, cyber and model risk, and tighter, more consistent enforcement across Member States. In particular the ESAs will focus on the following priorities:
Digital operational resilience (DORA): full CTPP oversight and crisis playbooks
The JC will run the first complete CTPP oversight cycle in 2026. Through the Oversight Forum, each designated CTPP will have a lead overseer and Joint Examination Teams undertaking risk assessments, setting annual and multi annual oversight plans, conducting initial examinations and issuing recommendations with follow ups. Alongside this, the JC will advance supervisory convergence on DORA implementation with competent and resolution authorities, the ECB and ESRB, and ramp up incident reporting analytics culminating in an annual report on major ICT incidents.
A major operational priority is the EU-SCICF. 2026 will focus on operationalising and testing procedures, protocols and taxonomies, and on establishing practical cooperation with other EU and international frameworks (including EU Cyclone, the G7 Cyber Experts Group and CERTEU). Expected outputs include the annual Union level CTPP list, oversight plans, an Oversight Forum activity report, a report on major ICT incidents, and updated EU-SCICF documents and playbooks.
Implications for firms include more robust demands on ICT concentration risk management, exit/substitutability planning, and incident classification and root cause analysis aligned with supervisory taxonomies. Contractual repapering pressures may arise as CTPP recommendations cascade down to access, audit, data portability, sub outsourcing and termination/exit provisions. Firms should also expect heightened expectations around participation in cross border cyber exercises and timely situation reporting.
Consumer protection and financial innovation: PRIIPs KID, sanctions reporting and financial education
Consumer protection remains central in the Commission’s SIU. Subject to co legislators’ outcomes on the Retail Investment Strategy, the ESAs expect to draft RTS to streamline the PRIIPs KID—particularly performance and cost disclosures—while continuing supervisory convergence work and providing guidance on practical application. The ESAs will also publish annual reporting on administrative sanctions and measures imposed under PRIIPs. In parallel, they will run a workshop to exchange good practices in financial education and continue sectoral education projects with national competent authorities (NCAs).
Manufacturers and distributors should plan for a possible KID update cycle (methodology recalibrations, templates, governance approvals and distributor communications) and anticipate tighter, more consistent supervisory expectations on fair, comprehensible presentation of performance and costs. Enforcement data will be used to inform risk based supervisory targeting.
Sustainable finance: SFDR review readiness, ESG ratings disclosures and cross sector stress testing
The JC will continue to monitor the SFDR Level 1 review and prepare for potential empowerments (including consumer testing if required). In line with the simplification agenda, the ESAs will not issue the Article 18 SFDR report on principal adverse impact (PAI) disclosure quality in 2026, but they will continue supervisory convergence and practical guidance on existing obligations. Depending on legislative progress, work may commence on RTS for website disclosures where firms use ESG ratings in marketing, pursuant to the ESG Ratings Regulation. Crucially, by January 2026 the ESAs will deliver joint guidelines setting high level principles for ESG risk stress testing under Capital Requirements Directive (CRD VI) and Solvency II, to foster consistent approaches across sectors.
Firms should sustain current SFDR controls while preparing for definitional or template changes following the Level 1 review. Where ESG ratings are referenced in marketing, firms should design durable, standardised disclosures and strengthen governance around rating use. Banks and insurers will need to align scenarios, model governance and board oversight to the new cross sector ESG stress testing principles, with conglomerates expected to demonstrate coherence across banking and insurance entities.
Cross sector risk assessment: supervisory “signal function”
The JC will continue to provide joint analyses of risks and vulnerabilities to financial stability, with regular presentations to the Council’s Economic and Financial Committee and Financial Stability Table, alongside publication of the annual joint Risks and Vulnerabilities report. These outputs act as early indicators of coordinated supervisory priorities, including liquidity, interest rate and credit migration risks, market structure stresses, operational resilience and sustainability transition risks.
Securitisation: follow up to the Article 44 review, convergence and third country monitoring
Following the second JCSC report (31 March 2025), the JCSC will undertake follow up tasks including technical advice/opinions and support implementation of SIU actions to revitalise securitisation on a sound basis. The committee will intensify supervisory convergence on SECR implementation and enforcement via concrete case discussions, common understandings, best practices and supervisory tools. It will also conduct market monitoring—particularly third party risk financing for collateralised loan obligations (CLOs)—and track regulatory developments in the US and UK to identify divergence risks. Addressing data limitations for risk monitoring may form part of the 2026 workplan.
Originators, sponsors and institutional investors should expect tighter consistency in supervisory expectations on due diligence, risk retention, STS criteria and reporting completeness/accuracy. Market participants in CLOs should prepare for deeper scrutiny of funding dependencies and risk transfer mechanics, with potential data remediation.
Financial conglomerates: reporting architecture and stress testing coherence
The ESAs will maintain cross sectoral consistency under the Financial Conglomerates Directive (FICOD), updating the annual list of identified conglomerates and operationalising reporting templates for intragroup transactions and risk concentrations. They will progress development of capital adequacy reporting templates and map current stress testing practices to identify gaps—particularly interconnectivity risks not captured by sectoral tests—culminating in an analytical note with potential recommendations.
Conglomerates should advance group data models and reconciliations across banking and insurance ledgers, prepare for capital adequacy templates, and develop coherent, group wide stress testing scenarios that articulate contagion channels and credible, board approved management actions.
Innovation facilitation: BigTech/MAG mapping and sandbox coordination with AI Act
Under the European Forum for Innovation Facilitators (EFIF), the JC will continue the 2025 initiatives mapping and collecting data on BigTechs and Mixed Activity Groups (MAGs) providing financial services in the EU. It will also support coordination between financial sector regulatory sandboxes and the new Artificial Intelligence (AI) regulatory sandboxes that Member States must establish under the AI Act, to strengthen communication and consistency among national innovation facilitators.
Traditional firms can expect supervisory benchmarking against BigTech/MAG operating models in data governance, explainability and AI model risk. Participants in sandboxes should prepare for clearer, multi authority testing objectives, consumer safeguards and exit/scale up conditions.
ECAIs and model dependencies: ongoing mappings and potential Implementing Technical Standards (ITS)
Pursuant to Capital Requirements Regulation (CRR) Article 136 and Solvency II Article 109a(1), the ESAs will continue producing mappings for newly registered ECAIs and monitoring existing mappings, preparing draft implementing technical standards as needed. Banks and insurers should monitor capital impacts from mapping changes, ensure timely policy/system updates, and maintain robust change management and validation routines.
Other joint work with near term operational effects
The ESAs will organise the 13th Joint Consumer Protection Day in 2026. They will support ESMA on European Single Access Point implementation, looking beyond phase 1 to subsequent phases. Further guidance on EMIR bilateral margining may follow the EMIR 3 amendments on initial margin model authorisation/validation, with EBA mandates to develop technical standards and guidelines in cooperation with EIOPA and ESMA. The fit and proper assessments database will be finalised with the addition of legal persons and then enter regular change management. A joint assessment of competent authority independence will proceed based on 2023 criteria, potentially influencing NCA supervisory approaches and resourcing.
Further implications for firms
In addition to the implications stemming from the above, the JC of the ESA’s AWP has a number of key implications that regulated firms will need to prepare for.
Boards and senior management should reinforce governance over operational resilience, sustainability risk and cross sector risk themes, ensuring that DORA implementation, forthcoming ESG stress testing principles and emerging macro financial risks are embedded in board agendas, risk appetite statements and clearly owned management action plans. Firms should be prepared for more coordinated supervisory interactions across the EU and for participation in exercises under the EU SCICF. Decision useful management information must track progress on remediation, incident trends and third party dependencies to evidence effective oversight.
Third party risk management and contractual frameworks will require proactive attention ahead of the first full CTPP oversight cycle. Firms should review and, where necessary, re paper audit and access rights, data portability provisions, sub outsourcing controls and termination/exit clauses to align with DORA expectations and potential recommendations issued to CTPPs. Demonstrable management of ICT concentration risk, credible substitutability assessments and executable exit runbooks tied to defined impact tolerances will be scrutinised. Incident management disciplines should also be harmonised with DORA taxonomies, thresholds and timelines, strengthening root cause analysis, lessons learned processes and linkage to risk appetite, while maintaining readiness for EU SCICF notifications and coordinated crisis exercises.
Product manufacturers and distributors need to maintain disclosure readiness across retail and sustainability regimes. In anticipation of potential RTS to streamline the PRIIPs KID, firms should plan for methodology recalibrations, template updates and end to end governance approvals, alongside clear distributor communications. Under SFDR, firms must sustain disclosure quality and controls during the Level 1 review and should establish standardised, well governed website disclosures wherever ESG ratings are referenced in marketing, with robust oversight of rating use and update processes. Conduct focused supervisory convergence and sanctions reporting will increasingly inform risk based targeting, making consistency and clarity in consumer facing materials more critical.
Risk models and capital methodologies will be a focal point of supervisory expectations. Banks and insurers should align climate and broader ESG stress testing frameworks to the ESAs’ joint guidelines, including scenario design, model risk governance and board oversight, while conglomerates ensure coherence across banking and insurance entities and capture interconnectivity risks. Derivatives participants must enhance initial margin model governance and validation pipelines in light of EMIR 3, ensuring comprehensive documentation, back testing and change controls. In parallel, firms should monitor ECAI mapping changes and promptly operationalise any capital impacts through policy and system updates.
Group wide data architecture and reporting will need to mature to meet new templates and convergence work under FICOD. Conglomerates should advance data models capable of producing high quality intra group transactions and risk concentration reports and prepare for capital adequacy reporting templates, supported by rigorous cross entity reconciliations. Stress testing methodologies should be coherent at group level, articulating contagion channels and credible management actions, and ensuring assumptions are consistent across banking and insurance businesses.
In respect of the ongoing securitisation reforms, originators, sponsors and institutional investors should conduct gap analyses against converging supervisory expectations under the Securitisation Regulation, with particular focus on due diligence documentation, risk retention evidence and reporting completeness and accuracy. Firms active in CLOs should anticipate deeper supervisory interest in funding dependencies and risk transfer mechanics and be prepared to address data limitations identified in market monitoring. Ongoing tracking of the Securitisation Regulation review outcomes and potential divergence with third country regimes, notably the US and UK, remains essential for cross border issuance and investment strategies.
Finally, regulatory monitoring and engagement will be increasingly data driven and coordinated. Firms should track the JC’s annual Risks and Vulnerabilities report and regular Economic and Financial Committee (EFC)/Financial Stability Table (FST) presentations as early indicators of thematic supervisory priorities and align internal narratives accordingly. Internal Capital Adequacy Assessment Process (ICAAP), Internal Liquidity Adequacy Assessment Process (ILAAP) and Own Risk and Solvency Assessment (ORSA) disclosures should reflect those risk themes and demonstrate credible, board approved management actions and resilience posture, ensuring consistency across group entities and regulatory regimes.
Outlook and next steps
The 2026 AWP underscores the JC of the ESAs’ commitment to deepening supervisory convergence, strengthening risk monitoring and advancing targeted regulatory development across the EU financial sector. Set against ongoing legislative reviews and the EU’s simplification agenda, the year ahead will prioritise digital operational resilience, sustainable finance and innovation facilitation, with consumer protection and group wide coherence increasingly supported by sharper supervisory tools. Market participants should expect greater consistency in supervisory approaches, more structured cross border coordination and a clearer “signal function” from joint risk assessments, and should calibrate their programmes accordingly throughout 2026.
Operationally, supervision is moving decisively from framework build out to active, data driven scrutiny. DORA enters a maturity phase with tangible oversight of systemic ICT dependencies via CTPP examinations, formal oversight plans and EU level incident and crisis coordination under the EU SCICF. In parallel, the supervisory perimeter around retail disclosures, sustainability and model risk will tighten, with potential new PRIIPs KID technical standards, continued SFDR monitoring, emerging ESG ratings disclosures and cross sector ESG stress testing guidelines mandated by CRD6 and Solvency II. For conglomerates, securitisation and innovation facilitators, the JC of the ESAs’ work will crystallise in more coherent reporting architectures, convergence in enforcement and clearer expectations on data, methodology and governance.
Firms should approach 2026 as a year of execution. Those investing early in third party resilience, model governance, data integrity and clear, consumer facing disclosures will be best placed to navigate coordinated, outcome focused EU supervision. In practical terms, boards should maintain close oversight of DORA readiness and ESG stress testing, ensure alignment of disclosure controls across PRIIPs and SFDR, and embed robust governance over any use of ESG ratings in marketing. At the same time, groups should mature their data architectures for conglomerate reporting, reinforce securitisation controls and prepare for more formalised model validation and margin requirements under EMIR 3, while monitoring ECAI mappings for capital impacts.
About us
PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from relevant related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients navigate challenges and seize opportunities as well as to proactively engage with their market stakeholders and regulators.
Moreover, we have developed a number of RegTech and SupTech tools for supervised firms, including PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 2,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.
Equally, in leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures, create a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary that has version control over a defined backward plus forward looking timeline to be able to ensure changes in one policy are carried through over to other policy and procedure documents, critical path dependencies are mapped and legislative and regulatory developments are flagged where these may require actions to be taken in such policies and procedures.
The PwC Legal Team behind Rule Scanner are proud recipients of ALM Law.com’s coveted “2024 Disruptive Technology of the Year Award” as well as the “2025 Regulatory, Governance and Compliance Technology Award”.
If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.
