ESAs Set Out 2026 Agenda with Focus on DORA Oversight, Consumer Protection, & Sustainability Simplification
Key Takeaways
- DORA Oversight Begins: 2026 marks the first full cycle of oversight under the Digital Operational Resilience Act (DORA), including the designation and supervision of critical third-party ICT providers.
- Cyber and Crisis Coordination: The ESAs will operationalize the EU Systemic Cyber Incident Coordination Framework (EU-SCICF) to enhance coordination during systemic cyber events.
- Sustainability Simplification: The ESAs will pause publication of their annual SFDR principal adverse impact (PAI) report as part of a simplification agenda aimed at reducing reporting burdens.
- Consumer Protection and Literacy: Joint work will advance retail investor disclosures under the PRIIPs framework and support the EU’s Savings and Investment Union through new financial education initiatives.
- Cross-Sector Risk and Convergence: The ESAs will deliver a joint risk and vulnerability report while promoting convergence in supervision across financial conglomerates, securitization, and ESG stress testing.
Deep Dive
The European Supervisory Authorities are preparing to enter 2026 with one of their most consequential joint programs to date, a year that will test the strength of the EU’s new digital resilience architecture while reshaping how consumer protection, sustainability, and supervision converge across sectors.
Unveiled on 16 October 2025, the Joint Committee of the European Supervisory Authorities (EBA, EIOPA, and ESMA) outlined its 2026 Work Program, defining how the three bodies will coordinate to safeguard the financial system amid geopolitical uncertainty, regulatory reform, and accelerating digital transformation.
At the heart of the plan is a simple but ambitious goal: to ensure Europe’s financial ecosystem remains secure, transparent, and stable as it transitions into the DORA era.
Digital Resilience Takes Center Stage
Next year marks the first full cycle of oversight under the Digital Operational Resilience Act (DORA), a framework that gives the ESAs sweeping authority to supervise critical third-party ICT providers serving financial institutions across the EU.
By the end of 2025, the Oversight Forum is expected to complete its designation of these critical providers, setting the stage for comprehensive risk assessments, annual oversight plans, and the first series of examination activities in 2026. The process will test how effectively Europe can coordinate the supervision of major technology suppliers, from cloud giants to cybersecurity firms, that underpin the continent’s financial stability.
The ESAs also plan to advance their work on incident reporting and crisis coordination, strengthening the EU Systemic Cyber Incident Coordination Framework (EU-SCICF). This cross-sector mechanism, designed to manage large-scale cyber incidents, will be further developed and tested next year in cooperation with entities such as CERT-EU, G7 CEG, and EU Cyclone.
In many ways, 2026 will be DORA’s proving ground, a year where resilience moves from regulatory text to operational reality.
Simplification and Supervision: A Balancing Act
While digital resilience dominates the agenda, the ESAs are also tackling what they call a “simplification agenda”, a response to mounting concerns that the EU’s regulatory machinery has grown too complex for smaller firms and national authorities to implement efficiently.
This theme cuts across the Sustainable Finance Disclosure Regulation (SFDR) review, where the ESAs will support the European Commission’s efforts to streamline disclosure obligations and reduce administrative burdens. In line with that shift, the ESAs will suspend publication of their annual report on principal adverse impact (PAI) disclosures in 2026, marking a temporary pause in the data-heavy reporting cycle.
At the same time, work will continue on new guidelines for ESG stress testing, mandated under CRD6 and Solvency II, to ensure climate and environmental risks are consistently embedded in financial stress test methodologies.
The balancing act is delicate: promoting simplification without diluting the integrity of Europe’s sustainable finance framework.
Protecting Consumers and Building Trust
Consumer protection and education also remain a pillar of the ESAs’ joint strategy. The authorities plan to advance their role in the European Commission’s Savings and Investment Union (SIU) initiative, developing measures that improve financial literacy and consumer confidence across banking, insurance, and investment products.
This will include a workshop series on financial education, as well as renewed work on the PRIIPs Key Information Document (KID), a critical but often-criticized disclosure tool for retail investors. If legislative negotiations conclude as expected, the ESAs will draft new technical standards to simplify how performance and costs are presented in the KID, a long-standing friction point between regulators and the industry.
These moves reflect the ESAs’ broader push to rebuild consumer trust in financial services at a time when digitalization, product complexity, and misinformation continue to widen the gap between regulators and retail investors.
Monitoring Systemic Risk and Market Integrity
The Joint Committee will continue to serve as a central forum for identifying cross-sectoral risks to financial stability, a mission made more urgent by persistent geopolitical tensions, inflationary pressure, and cyber threats.
Throughout 2026, the ESAs will deliver joint risk analyses to the EU’s Economic and Financial Committee and Financial Stability Table, complemented by an annual report on risks and vulnerabilities spanning the banking, insurance, and securities sectors.
Meanwhile, work on the securitization framework will intensify following the Joint Committee’s 2025 report on the regulation’s functioning. The Securitization Committee will conduct follow-up analysis, monitor market trends such as third-party risk financing for collateralized loan obligations (CLOs), and address potential regulatory divergence with the US and UK, which could impact cross-border investment flows.
In parallel, the ESAs will continue their efforts to strengthen supervision of financial conglomerates, updating the EU-wide list of identified groups and refining reporting templates for intra-group transactions, risk concentrations, and capital adequacy.
Innovation, AI, and the Road Ahead
The European Forum for Innovation Facilitators (EFIF) will continue its mapping work on BigTech and mixed activity groups offering financial services, while promoting greater coordination between national regulatory sandboxes and the AI regulatory sandboxes that Member States must launch under the EU AI Act.
This cross-pollination between financial and AI governance marks a growing recognition that innovation and risk supervision can no longer be treated in isolation. The ESAs’ role is shifting from merely regulating to orchestrating, ensuring that supervision keeps pace with technology, and that resilience is woven into innovation from the start.
A Cohesive, Cross-Sector Effort
With a mandate spanning DORA, SFDR, securitization, and retail investor protection, the 2026 Work Program is less about launching new rules and more about making Europe’s regulatory framework work together. The emphasis on convergence, cooperation, and simplification reflects a system entering a new phase, one focused on implementation quality and operational coordination rather than legislative expansion.
2026 will be a year defined by execution. The ESAs’ success in aligning supervisory practices, managing systemic cyber risks, and simplifying sustainability disclosures will help determine how resilient, and how unified, the EU’s financial oversight architecture truly is.