EBA Gives Banks Breathing Room on New Operational Risk Reporting Rules

Key Takeaways

• Deadline Pushed Back: New operational risk reporting requirements will apply from the end of June 2026, not March 2026, following Regulation (EU) 2025/2475.
• COREP Framework Maintained: Banks should continue using the COREP Operational Risk module under release 4.2.
• Templates Phased In: Templates C 16.02, C 16.03, and C 16.04 become mandatory in June 2026, with voluntary early reporting permitted from March.
• March 2026 Still Matters: Template C 16.01 must still be reported in March 2026, but without data on other operating expenses.
• Guidance Updated: Revised instructions, IT solution overviews, and mapping tools are now available to support implementation.

Deep Dive

The European Banking Authority said that it has published new guidance to help institutions manage enhanced operational risk reporting, following a formal delay to the first reference date under the amended Implementing Technical Standards. The move follows the European Commission’s adoption of Regulation (EU) 2025/2475, which pushes the application of the new reporting obligations back to the end of June 2026.

Originally scheduled to take effect in March 2026, the revised timeline gives banks at least six additional months to adapt their systems and processes once the regulation enters into force. The EBA said the postponement is intended to support a smoother transition while preserving consistency across the EU’s supervisory framework.

Alongside confirming the delay, the EBA used the guidance to spell out how institutions should handle operational risk reporting during the transition period. Other reporting obligations remain in place. Institutions must still submit template C 16.01 for March 2026 using the updated technical tables in release 4.2. That said, the EBA confirmed that information relating to “other operating expenses” will not be required at that stage, easing the immediate reporting burden.

Updated Instructions and Technical Tools

To reduce ambiguity, the EBA has also published amended instructions covering both operational risk reporting and disclosure. These updates correct cross-references and ensure alignment across the revised framework and will apply from the end-June 2026 reference date.

The updated instructions are available on the EBA’s website in all official EU languages. In parallel, the authority has revised its “Overview of the IT solutions” document, which links the relevant articles of the ITS to the reporting templates banks are required to submit. The update is intended to help institutions better navigate what has changed and what has not.

Additional implementation tools are also being refreshed. The EBA said it will shortly update its signposting tool to reflect the amended obligations, while the existing mapping tool that links reporting and disclosure templates has already been updated.

While the revised timeline offers welcome breathing room, the EBA has been clear that the delay does not signal a softening of supervisory expectations. Banks are being encouraged to review the updated instructions and tools now to ensure they are ready well ahead of the June 2026 reference date.

As operational risk continues to sit high on supervisory agendas, particularly amid digitalization, outsourcing, and growing cyber threats, the EBA said it remains committed to providing clear and timely guidance as institutions transition to the enhanced reporting regime.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.