How EU Regulations Are Reshaping Compliance Strategies in 2025

1. Output Floor

A new cap ensures internal models cannot reduce capital requirements below 72.5% of what standardized approaches would dictate. This boosts consistency and limits regulatory arbitrage.

2. Credit Risk Reporting

• Enhanced granularity across exposure types (e.g., retail, commercial real estate, defaulted exposures).

• New exposure classes like "Subordinated Debt" and refinements in mortgage-related reporting.

• Revised treatment of unconditionally cancellable commitments (UCCs) and off-balance-sheet items.

3. Operational Risk

• Replacement of all legacy methods (BIA, TSA, AMA) with the Business Indicator Component (BIC) approach.

• Introduction of new templates (C16.01) to reflect the revised capital calculation methodology.

• Existing operational loss templates (C17.01 & C17.02) will remain temporarily, ensuring continuity until full implementation.

4. Market Risk and CVA

• Delayed implementation of FRTB (Fundamental Review of the Trading Book) until 2026.

• Updated templates to capture new CVA calculation methods and risk components.

• Additional data now required on reclassifications between the trading and banking book.

5. Crypto Assets

• Transitional reporting introduced ahead of full Basel-aligned crypto prudential rules in 2026.

• Institutions must disclose exposure details as per Article 501d of CRR3.

6. Leverage Ratio

• Minor updates including treatment of institutional protection schemes (IPS) and exposures to shareholders.

• Adjustments reflect new credit risk frameworks and exclude certain exposures from the leverage denominator.

1. Unified ICT Risk Management Standards

All financial entities must implement robust ICT risk frameworks that cover:

• Identification and prevention of ICT risks.

• Detection, response, and recovery procedures.

• Backup, continuity, and contingency plans.

Proportionality applies: obligations scale based on the size, nature, and complexity of the institution.

2. Mandatory Incident Reporting

DORA introduces a streamlined, pan-European incident reporting system:

• All major ICT-related incidents must be reported to the relevant competent authority.

• Standardised templates, taxonomies, and timeframes will be defined by the European Supervisory Authorities (ESAs).

• A central EU incident hub may be established to coordinate reports and responses.

3. Digital Operational Resilience Testing

Institutions must regularly test their digital defense:

• Requirements include everything from vulnerability assessments to Threat-Led Penetration Testing (TLPT).

• Advanced TLPT is mandatory only for large/systemic entities.

• Smaller firms may apply lighter testing based on their profile.

4. ICT Third-Party Risk Oversight

DORA imposes strict governance on third-party ICT providers, including:

• Mandatory contractual clauses for audit rights, service levels, data protection, and exit strategies.

• Institutions must maintain a detailed register of all ICT service contracts.

• Critical ICT providers (e.g., major cloud vendors) will fall under a new EU Oversight Framework supervised by ESAs.

5. Oversight of Critical ICT Providers

• DORA allows ESAs to designate and supervise “critical ICT third-party service providers”.

• These providers must maintain an EU legal presence and cooperate with Lead Overseers appointed by the ESAs.

• Non-compliance may lead to penalties and operational restrictions.

1. Mandatory Instant Payments Offering

• PSPs offering traditional euro credit transfers are now expected to also offer instant credit transfers to all customers.

• Applies to all payment accounts reachable for regular credit transfers.

• Instant payments must be available 24/7, every day of the year.

• This includes all channels: online banking, mobile apps, ATMs, physical branches.

  
  

2. Execution Speed and Reliability

• Funds must be credited to the recipient’s account within 10 seconds.

• If a transaction fails or times out, the payer’s account must be restored immediately.

• Batch (package) submissions of instant transfers are allowed and must be unpacked and processed individually in real time.

  
  

3. Pricing Rules

• Charges for instant credit transfers must not exceed those for regular credit transfers.

• Applies to per-transaction fees and bundled services, regardless of the payment channel or customer type.

  
  

4. Payee Verification Service

• PSPs must provide a free service to confirm that the payee’s name matches the IBAN before the transaction is authorized.

• This aims to reduce fraud and misdirected payments, with no added cost to the user.

• Applies across all channels and also to bulk transactions, unless a non-consumer PSU opts out.

  
  

5. Sanctions Compliance: Streamlined Screening

• Real-time sanctions screening during transaction execution is replaced by daily verification of customer records.

• This reduces false positives and transaction rejections while preserving regulatory compliance.

  
  

6. Wider Access for Non-Bank PSPs

• Payment institutions and electronic money institutions are now included in the scope of participation in designated payment systems.

• Requirements introduced around fund safeguarding, governance, and continuity planning for these entities to ensure stability and fair competition.

  
  

7. Data Transparency and Reporting

• PSPs must submit annual reports to competent authorities on:

  • Fees for credit and instant transfers

  • Rejection rates due to sanctions screening

  • Volume and value of instant payments

• Reporting is expected to support ongoing evaluation and standardisation at EU level.