EBA Expands Oversight Role as DORA & MiCA Reshape European Banking Supervision

Key Takeaways

• EBA's Role Is Expanding Beyond Traditional Banking Supervision: The authority's responsibilities under DORA and MiCA mark a significant shift from rulemaking toward direct oversight of critical technology providers and parts of the crypto-asset ecosystem.
• Regulatory Simplification Became a Core Priority: The EBA advanced Basel III implementation while proposing 21 recommendations aimed at reducing complexity and improving the efficiency of the EU's supervisory and regulatory framework.
• European Banks Remain Financially Resilient: The 2025 EU-wide stress test found banks could maintain capital levels above minimum regulatory requirements even under a severe adverse scenario, supported by strong capital, liquidity and profitability.
• Technology and Cyber Risks Are Moving to the Forefront: The designation of 19 critical ICT providers under DORA reflects growing concern over the systemic risks created by the financial sector's dependence on shared technology infrastructure and third-party providers.
• Data, ESG and Climate Risk Capabilities Continue to Mature: The launch of the Pillar 3 Data Hub, expansion of the European Data Access Portal, publication of the first ESG Risk Dashboard and work on climate stress testing underscore the EBA's increasing focus on data-driven supervision.

Deep Dive

The European Banking Authority spent much of last year preparing to oversee companies that are not banks. That may sound like an administrative detail, but it isn't. For most of its existence, the EBA's job was largely to write rules, refine standards and help build the regulatory architecture that emerged after the global financial crisis. The institution became one of the principal architects of Europe's banking framework, translating political agreements into thousands of pages of technical requirements.

Its 2025 Annual Report, published Tuesday, suggests that phase is beginning to give way to something else.

The authority is still writing rules. It is still implementing Basel III reforms and updating requirements covering credit, market and operational risk. But increasingly, it is also supervising technology providers, preparing for oversight of crypto-assets and building the infrastructure needed to monitor risks that sit outside traditional banking balance sheets.

The Simplification Agenda

Regulators rarely publish annual reports celebrating fewer requirements. The EBA came surprisingly close. Simplification was one of the authority's defining themes in 2025. The effort extended beyond technical adjustments and into a broader attempt to make the European regulatory framework less cumbersome for firms and supervisors alike.

The authority delivered key elements of the Basel III package while revisiting requirements across several major risk categories. It adjusted environmental, social and governance disclosure timelines, refined proportionality measures for smaller institutions and continued supporting legislative initiatives including PSD3, the Payment Services Regulation, reforms to the Central Securities Depositories Regulation and updates to the EU securitization framework.

In October, the EBA published 21 recommendations aimed at improving the efficiency of Europe's supervisory and regulatory system. Notably, some of those proposals do not require new legislation. They can simply be implemented.

That may prove more consequential than another round of rulemaking. Brussels has spent years discussing simplification. The harder task is finding changes that institutions can actually execute.

A Banking Sector That Remains Well Capitalized

The report arrives at a moment when European banks continue to benefit from strong capital positions and healthy profitability. The EBA's 2025 stress test, released last August, found that banks across the European Union and European Economic Area would remain above minimum capital requirements even under a severe adverse scenario. Asset quality also remained broadly stable as labor markets held up and financial conditions eased.

The findings offer another reminder of how different today's banking sector looks from the one regulators inherited after 2008. That does not mean the EBA sees the risk environment as benign. The authority pointed to continuing pressure in commercial real estate, geopolitical instability and a cyber threat landscape that is becoming more complex as financial institutions deepen their dependence on digital infrastructure and third-party technology providers.

Those concerns appear repeatedly throughout the report. They also help explain why the EBA's priorities are changing.

From Bank Supervision to Technology Oversight

The most significant development described in the report has little to do with traditional banking regulation. Under the Digital Operational Resilience Act, or DORA, nineteen critical information and communication technology providers were designated as systemically important to the European financial sector. The EBA became the lead overseer for those firms. That represents a notable expansion of the authority's reach.

Banks have always relied on outside vendors. What has changed is the concentration of critical services within a relatively small group of technology providers. A disruption affecting one of those firms can quickly become a problem for dozens or even hundreds of financial institutions.

The designation process triggered the start of ongoing oversight activities designed to identify and reduce those risks before they become systemic events. The authority also continued implementing the Markets in Crypto-Assets Regulation, better known as MiCA. During 2025, it finalized supervisory procedures for issuers of significant asset-referenced tokens and e-money tokens while preparing national regulators for a more consistent supervisory approach across the bloc.

DORA and MiCA are pushing the EBA into territory that barely existed when the organization was created. The institution was designed in the aftermath of a banking crisis. Increasingly, it is preparing for risks associated with cloud infrastructure, operational resilience and digital assets.

Building the Data Layer

Another theme running through the report is data. The EBA launched its Pillar 3 Data Hub during 2025, creating a centralized platform for prudential disclosures from hundreds of European banks. The project is intended to give supervisors, investors and market participants a single location for information that was previously fragmented across institutions.

The authority also expanded the European Data Access Portal and continued investing in analytical capabilities. One result was the publication of the EBA's first ESG Risk Dashboard. Another was further work toward a recurring climate stress-testing framework.

Neither initiative received the same attention as DORA or MiCA. Both point to the same objective: giving supervisors more usable information and faster ways to identify emerging vulnerabilities.

The Consumer Protection Question

The report also reflects a regulator paying closer attention to how financial innovation reaches consumers. The EBA supported implementation of the Instant Payments Regulation, published its latest Consumer Trends Report and launched awareness campaigns focused on crypto-assets and digital finance fraud.

That focus is not difficult to understand. The same technologies promising faster payments and new financial products are also creating new opportunities for scams, fraud and consumer harm.

For supervisors, the challenge increasingly extends beyond ensuring institutions remain safe and sound. It includes understanding how rapidly changing technology affects the people using financial services.

An Authority in Transition

Annual reports often read like inventories of completed projects. This one reads more like a progress report on an institutional transformation. The EBA remains responsible for maintaining and refining the Single Rulebook that underpins European banking regulation. That work is not going away.

But the report makes clear that the authority's future is being shaped by a different set of questions than the ones that dominated the decade after the financial crisis. The challenge is no longer simply whether banks have enough capital. It is whether regulators can effectively oversee a financial system increasingly dependent on cloud providers, digital infrastructure, shared technology platforms and crypto-asset markets that operate very differently from traditional banking.

That is a much broader brief than the EBA was originally created to handle. It is also becoming the job.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.