Guidelines on internal governance
European Banking Authority (EBA)
The revised European Banking Authority (EBA) Internal Governance Guidelines align with recent legislative changes under the Capital Requirements Directive (CRD VI), strengthening supervisory expectations and further harmonizing governance mechanisms across the European Union (EU).
Executive summary
The revision of the Guidelines on internal governance under CRD VI will update the 2021 framework, consolidating a more demanding and consistent governance framework at the European level, aligned with regulatory priorities on sustainability, digital resilience and internal control.
The new text reinforces the role of management bodies by introducing individual statements of functions and a responsibilities map, while strengthening independence and diversity requirements. In addition, it integrates environmental, social and governance (ESG) risks and ICT-related risks, aligning business continuity planning with the Digital Operational Resilience Regulation (DORA). It also tightens the rules on conflicts of interest and whistleblowing and introduces explicit references to the governance of complex structures and branches in third countries.
Main content
This Technical Note outlines the highlights from the revision of the Internal Governance Guidelines:
- Proportionality. The principle of proportionality is reinforced, so that obligations are applied more flexibly depending on the nature, complexity and size of the institution. In addition, the revised Guidelines extend the proportionality assessment to arrangements with external service providers, ICT systems and branches in third countries.
- Role and composition of the management body and committees. The obligations of the management body are extended, requiring it to establish, approve and monitor the implementation of the following elements: (i) governance and control frameworks, including ESG risk management processes and information systems and networks managed in accordance with DORA; (ii) risk monitoring and assessment plans; (iii) plans and quantifiable objectives for managing concentration risk arising from systemic central counterparties.
- Governance framework. The governance framework should include a comprehensive and up-to-date map of roles, reporting lines and responsibilities at all levels of the entity, ensuring clarity of governance structures. The new guidelines clarify that organizational structures must be transparent to prevent the use of shell companies or entities and to ensure consistent governance across all third-country groups and branches.
- Risk culture and business conduct. The Guidelines broaden the scope of conduct rules by extending provisions on conflicts of interest and strengthening reporting channels to ensure accountability and whistleblower protection, with reporting mechanisms aligned with the General Data Protection Regulation (GDPR). They also reinforce equality, diversity and inclusion requirements, including the monitoring of gender and pay indicators.
- Internal control framework and mechanisms. The independence and coordination of key functions are reinforced, with greater emphasis on controls for new financial products and strengthened anti-money laundering and counter-terrorist financing (AML/CFT) obligations. The risk management framework is extended to cover ESG and ICT risks, significantly broadening the scope compared to the previous version.
- Business continuity. More detailed continuity requirements are introduced in line with DORA, particularly for ICT risk management. Greater depth is required in impact analysis, the design of recovery tests and the development of specific plans, including the possible designation of a function responsible for business continuity within the institution.
- Transparency. The revised Guidelines improve transparency by requiring institutions to clearly document governance arrangements and responsibilities and to communicate policies and significant changes in a timely manner to the competent authorities and relevant internal parties.