Nos derniers articles

Le rapport 2024 sur la convergence de la supervision de l’EBA fait de la mise en œuvre de DORA une priorité stratégique européenne pour 2024–2026. L’Autorité renforce les capacités des superviseurs via la Supervisory Digital Finance Academy, soutenue par la Commission européenne. La hausse des questions liées à DORA révèle les défis du secteur : gestion des prestataires TIC, incidents, prestataires critiques et registre d’informations. Les institutions financières doivent s’attendre à une supervision plus technique et rigoureuse, et renforcer leurs dispositifs de résilience opérationnelle numérique pour répondre à des autorités mieux formées et plus exigeantes.

EBA has designated the development of supervisory capacity for DORA as a top-tier Union-wide strategic supervisory priority for the 2024-2026 cycle. Underscoring this priority are pressing industry concerns, evidenced by the submission of 28 new Q&As focused on 𝗗𝗢𝗥𝗔’𝘀 𝗽𝗿𝗶𝗺𝗮𝗿𝘆 𝗶𝗺𝗽𝗹𝗲𝗺𝗲𝗻𝘁𝗮𝘁𝗶𝗼𝗻 𝗵𝘂𝗿𝗱𝗹𝗲𝘀: 𝗜𝗖𝗧 𝘁𝗵𝗶𝗿𝗱-𝗽𝗮𝗿𝘁𝘆 𝗿𝗶𝘀𝗸 𝗺𝗮𝗻𝗮𝗴𝗲𝗺𝗲𝗻𝘁, 𝘁𝗵𝗲 𝗺𝗮𝗻𝗮𝗴𝗲𝗺𝗲𝗻𝘁 𝗮𝗻𝗱 𝗿𝗲𝗽𝗼𝗿𝘁𝗶𝗻𝗴 𝗼𝗳 𝗜𝗖𝗧-𝗿𝗲𝗹𝗮𝘁𝗲𝗱 𝗶𝗻𝗰𝗶𝗱𝗲𝗻𝘁𝘀, 𝘁𝗵𝗲 𝗼𝘃𝗲𝗿𝘀𝗶𝗴𝗵𝘁 𝗼𝗳 𝗰𝗿𝗶𝘁𝗶𝗰𝗮𝗹 𝗽𝗿𝗼𝘃𝗶𝗱𝗲𝗿𝘀, 𝗮𝗻𝗱 𝘁𝗵𝗲 𝗺𝗮𝗶𝗻𝘁𝗲𝗻𝗮𝗻𝗰𝗲 𝗼𝗳 𝘁𝗵𝗲 𝗿𝗲𝗴𝗶𝘀𝘁𝗲𝗿 𝗼𝗳 𝗶𝗻𝗳𝗼𝗿𝗺𝗮𝘁𝗶𝗼𝗻. In response, the EBA is executing a significant capacity-building initiative, delivering intensive, advanced training to supervisors through the Supervisory Digital Finance Academy (SDFA)—a multi-year effort coordinated with and backed by the European Commission. This convergence of strategic prioritization, targeted industry queries, and comprehensive supervisory training signals a new era of heightened and more sophisticated regulatory scrutiny. In consequence the digital operational resilience frameworks must be prepared to withstand proactive, in-depth, and increasingly specialized reviews from better-equipped competent authorities.

Le cadre juridique global de l’UE en matière de LBC/FT, aligné sur les normes internationales du GAFI, est centré sur l’Approche basée sur les risques (ABR). Ce principe impose une double application, définissant les responsabilités tant des autorités de supervision que des institutions financières. Les Autorités nationales compétentes (ANC) sont tenues de mener une supervision adaptée aux risques, garantissant que leur contrôle soit proportionné aux menaces identifiées. Parallèlement, les banques doivent mettre en œuvre des systèmes internes, des contrôles et des mesures de vigilance à l’égard de la clientèle efficaces, fondés sur leurs propres évaluations des risques. L’objectif stratégique de l’ABR est de veiller à ce que les efforts de supervision et les ressources institutionnelles soient alloués de manière proportionnée et efficace aux risques de BC/FT les plus élevés.

The EU's comprehensive AML/CFT legal framework, aligned with international FATF standards, is centered on the Risk-Based Approach (RBA). This principle mandates a dual application, defining responsibilities for both supervisory bodies and financial institutions. National Competent Authorities (NCAs) are mandated to conduct risk-sensitive supervision, ensuring their oversight is proportionate to identified threats. Concurrently, banks must implement effective internal systems, controls, and customer due diligence based on their own risk assessments. The strategic purpose of the RBA is to ensure that both supervisory efforts and institutional resources are allocated proportionately and effectively against the greatest ML/TF risks.

En 2026, l’Autorité Bancaire Européenne (EBA) intensifie la mise en œuvre du règlement DORA face aux cybermenaces croissantes et à la dépendance aux fournisseurs tiers. Les priorités incluent la surveillance directe des fournisseurs tiers critiques (CTPPs) via un cadre conjoint avec l’ESMA et l’EIOPA, des inspections ciblées et des analyses thématiques. L’EBA renforcera l’analyse des incidents TIC et publiera un rapport annuel sur les cybermenaces. Les institutions financières devront améliorer leurs cadres de gestion des risques TIC et leur résilience interne, sous une supervision accrue, pour assurer conformité et robustesse dans un environnement numérique complexe.

The EBA, alongside ESMA and EIOPA, plans 𝗷𝗼𝗶𝗻𝘁 𝗼𝘃𝗲𝗿𝘀𝗶𝗴𝗵𝘁 𝗼𝗳 𝗖𝗿𝗶𝘁𝗶𝗰𝗮𝗹 𝗜𝗖𝗧 𝗧𝗵𝗶𝗿𝗱-𝗣𝗮𝗿𝘁𝘆 𝗣𝗿𝗼𝘃𝗶𝗱𝗲𝗿𝘀 (𝗖𝗧𝗣𝗣𝘀) from 2026, following their 2025 designation. Measures include direct engagement on governance, thematic contract reviews, and 𝗼𝗻𝘀𝗶𝘁𝗲 𝗶𝗻𝘀𝗽𝗲𝗰𝘁𝗶𝗼𝗻𝘀 𝗼𝗳 𝗵𝗶𝗴𝗵-𝗿𝗶𝘀𝗸 𝗮𝗿𝗲𝗮𝘀, with recommendations passed to financial entities. Supervisors will assess institutions’ 𝗜𝗖𝗧 𝘁𝗵𝗶𝗿𝗱-𝗽𝗮𝗿𝘁𝘆 𝗿𝗶𝘀𝗸 𝗺𝗮𝗻𝗮𝗴𝗲𝗺𝗲𝗻𝘁, 𝗶𝗻𝗰𝗶𝗱𝗲𝗻𝘁 𝗿𝗲𝘀𝗽𝗼𝗻𝘀𝗲, 𝗮𝗻𝗱 𝗰𝘆𝗯𝗲𝗿𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗽𝗿𝗲𝗽𝗮𝗿𝗲𝗱𝗻𝗲𝘀𝘀, 𝗶𝗻𝗰𝗹𝘂𝗱𝗶𝗻𝗴 𝗹𝗲𝗴𝗮𝗰𝘆 𝘀𝘆𝘀𝘁𝗲𝗺 𝗿𝗶𝘀𝗸𝘀. The EBA will analyze major ICT incidents, contribute to a pan-European coordination framework for systemic events, collect new datasets via EUCLID, and support supervisory convergence to ensure 𝗰𝗼𝗻𝘀𝗶𝘀𝘁𝗲𝗻𝘁 𝗗𝗢𝗥𝗔 𝗶𝗺𝗽𝗹𝗲𝗺𝗲𝗻𝘁𝗮𝘁𝗶𝗼𝗻 𝗮𝗰𝗿𝗼𝘀𝘀 𝘁𝗵𝗲 𝗘𝗨.

On 12 August 2025, the European Banking Authority (EBA) published a report on the use of supervisory technology (SupTech) in anti-money laundering and counter-terrorist financing (AML/CFT) oversight. It draws on a November 2024 survey of 31 competent authorities across 25 EU member states (plus three outside) and a January 2025 workshop with the European Commission’s AMLA Task Force.
Global Regulation Tomorrow
. The report notes that 47 % of SupTech tools are already in production, 38 % are under development, and 15 % are exploratory. Benefits include improved data quality, analytics, efficiency and collaboration, while challenges involve limited resources, governance issues, legal uncertainties and organizational readiness.
.

The draft strengthens governance arrangements, clarifies management body roles, and enhances oversight of internal control, risk management, and compliance functions. It incorporates ICT and security risk management in line with DORA, requiring institutions to integrate digital operational resilience into governance frameworks. The revisions also address anti-money laundering, conflicts of interest, and gender-neutral remuneration. Stakeholders can submit feedback until October 2025, with final guidelines to replace the 2017 version.

This Final Report (EBA/RTS/2025/03) presents draft Regulatory Technical Standards (RTS) under the Capital Requirements Regulation (CRR) III. It addresses three mandates:
• An operational risk taxonomy with Level 1 event types, Level 2 categories and supplementary attributes (including ESG and ICT risks), to standardise how institutions classify loss events.
• Criteria for deeming the annual‑operational‑risk loss calculation “unduly burdensome” for certain institutions, allowing temporary waivers.
• Rules for adjusting loss‑data sets when firms merge or acquire entities, including currency conversion, re‑classification and fallback proxies.

This opinion and accompanying report from the 𝗘𝗕𝗔 provides a comprehensive overview of 𝗺𝗼𝗻𝗲𝘆 𝗹𝗮𝘂𝗻𝗱𝗲𝗿𝗶𝗻𝗴 (𝗠𝗟) 𝗮𝗻𝗱 𝘁𝗲𝗿𝗿𝗼𝗿𝗶𝘀𝘁 𝗳𝗶𝗻𝗮𝗻𝗰𝗶𝗻𝗴 (𝗧𝗙) 𝗿𝗶𝘀𝗸𝘀 across the EU's financial sector from 2022 to 2024. The EBA, mandated to issue such an opinion biennially, identifies evolving threats driven by technological innovation, including vulnerabilities in FinTech, RegTech, and crypto assets, alongside the 𝗶𝗻𝗰𝗿𝗲𝗮𝘀𝗶𝗻𝗴 𝘀𝗼𝗽𝗵𝗶𝘀𝘁𝗶𝗰𝗮𝘁𝗶𝗼𝗻 𝗼𝗳 𝗳𝗿𝗮𝘂𝗱 𝗮𝗻𝗱 𝗰𝘆𝗯𝗲𝗿𝗰𝗿𝗶𝗺𝗲 𝘀𝗰𝗵𝗲𝗺𝗲𝘀. While acknowledging positive developments like reduced tax crime risks and improved supervisory engagement in certain areas, the EBA highlights persistent challenges such as 𝗶𝗻𝗰𝗼𝗻𝘀𝗶𝘀𝘁𝗲𝗻𝘁 𝗮𝗻𝘁𝗶-𝗺𝗼𝗻𝗲𝘆 𝗹𝗮𝘂𝗻𝗱𝗲𝗿𝗶𝗻𝗴 𝗮𝗻𝗱 𝗰𝗼𝘂𝗻𝘁𝗲𝗿-𝘁𝗲𝗿𝗿𝗼𝗿𝗶𝘀𝘁 𝗳𝗶𝗻𝗮𝗻𝗰𝗶𝗻𝗴 (𝗔𝗠𝗟/𝗖𝗙𝗧) 𝘀𝘆𝘀𝘁𝗲𝗺 𝗲𝗳𝗳𝗲𝗰𝘁𝗶𝘃𝗲𝗻𝗲𝘀𝘀 𝗮𝗻𝗱 𝘁𝗵𝗲 𝗰𝗼𝗻𝘁𝗶𝗻𝘂𝗲𝗱 𝗽𝗿𝗼𝗺𝗶𝗻𝗲𝗻𝗰𝗲 𝗼𝗳 𝗰𝘂𝘀𝘁𝗼𝗺𝗲𝗿 𝗱𝘂𝗲 𝗱𝗶𝗹𝗶𝗴𝗲𝗻𝗰𝗲 (𝗖𝗗𝗗) 𝘀𝗵𝗼𝗿𝘁𝗰𝗼𝗺𝗶𝗻𝗴𝘀. The report underscores the critical need for regulatory clarity and a more unified application of risk-based approaches throughout the EU's financial landscape.