
By Dr. Sabine Dittrich, Head of EU Financial Regulation, Senior Counsel, and Arnaud Caillat, Visiting Lawyer, Slaughter & May
The year 2025 has brought an even more rapid pace of change and heightened uncertainty than the preceding two to three years. Banks operating in the European Union (EU) weathered these headwinds well in the past, particularly showing remarkable prudential resilience compared to banking sectors in other regions. These same banks continue to face risks stemming from fast‑evolving technologies, such as information communications technology (ICT) and artificial intelligence (AI), as well as from environmental, social and governance (ESG) risks. What is new is the context of geopolitical tension in which these risks must be managed.
From a policymaking perspective, approaches to these risks are diverging globally. Over the past five years, the EU has defined its stance on both technological and ESG risks in the banking sector. The European Commission (EC) is, however, reopening discussions, partly in response to pressure from EU Member States, to assess whether existing solutions warrant reconsideration. The European Commission is driven by its goal to reduce the regulatory burden, making the EU and banks operating in the EU stronger, more competitive and more resilient against political headwinds from outside the EU.
Boards of directors and senior executives of international banks are held accountable for finding the right responses to these risks. This means navigating change, finding innovative approaches and maintaining an operationally stable core that meets the expectations of supervisors and fosters stakeholder confidence.
ICT and AI are now strategic board risks
Over the past decade, international banks have invested significant resources in the deployment of their digital capabilities, recognising that ICT systems are more than back-office enablers. The accelerating possibilities of AI and increasingly flexible ICT architectures mean that they cannot stop now but need to keep up with the pace of technological development to remain competitive. The European Banking Authority (EBA) recently noted that 92 percent of EU banks are now using AI, with 55 percent of surveyed banks already using AI in consumer-facing processes. Some of this technology is developed internally, particularly in large banks. However, most technological infrastructure is sourced from a few tech companies dominating the market. This concentration brings efficiency but also risk.
The EU’s framework for addressing ICT and AI risks is laid down in the Digital Operational Resilience Act (DORA) and the EU’s Artificial Intelligence Act (AI Act).
Under DORA, boards of banks operating in the EU are ultimately accountable for managing ICT risk. They must define an ICT strategy and risk tolerance, receive meaningful resilience reporting and evidence how they challenged proposals from the control function to which the day-to-day management of ICT risk is assigned. Banks must also map dependencies from ICT service providers, report incidents, test resilience and manage third-party ICT risks through structured oversight and credible exit plans.
For significant eurozone banks, the European Central Bank (ECB) directly supervises ICT-risk management and resilience frameworks under DORA. In its supervisory priorities for 2025-27, the ECB has emphasised that it considers the strengthening of banks’ digitalisation strategies and the mitigation of underlying risks as strategic objectives. The ECB and the EBA have recently published detailed expectations on this topic, including the EBA’s guidelines on ICT and security-risk management and the ECB’s guide on outsourcing cloud services. In practice, the ECB assesses ICT risk as part of its Supervisory Review and Evaluation Process (SREP). This assessment may result in the imposition of a bank-specific Pillar 2 capital add-on.
DORA also addresses the concentration risk arising from banks’ reliance on a limited number of external ICT service providers. It establishes an EU-wide oversight regime for third‑party ICT service providers, with one of the European Supervisory Authorities (ESAs) responsible for acting as lead overseer. This regime may apply to service providers both within and outside the EU if they are considered “critical” for the EU financial sector. The designation of about 20 to 25 of these service providers as critical is expected by the end of 2025.
The AI Act takes a different approach from DORA by categorising AI applications and addressing human accountability for AI. It imposes risk‑based duties on both providers and users of AI, irrespective of the industry sector to which these providers and users belong. Many use cases for banks (for example, in the context of credit decisions) are classified as high‑risk. These high-risk AI use cases require strong governance, data integrity, oversight and resilience. For international banks, the implications are clear: They must adapt their governance around AI to accommodate the requirements under the AI Act for high‑risk use cases, while remaining interoperable with other technologies and regimes addressing general technological risk.
Banks should treat strong ICT and AI governance as a strategic priority, not as another compliance exercise. Good governance improves reliability, reduces downtime, strengthens cyber resilience and builds customer trust. It also fosters a culture of safe innovation: Clearer guardrails enable firms to deploy new technology faster, with less rework and reputational risk. It has the potential to provide significant rewards to institutions, customers and regulators alike, for instance, in the area of AML/CFT (anti-money laundering/combatting the financing of terrorism) and fraud prevention.
EU banking supervision now embeds ESG at its core
The ECB and the EBA continue to push ESG risk into the core of EU banks’ prudential supervision. The ECB has specified in its supervisory priorities for 2025-27 that banks’ management of climate-related and environmental risks will remain a priority. And for good reason: Recent EBA data shows a substantial exposure (above 70 percent in most countries) of European banks to corporates from sectors that contribute heavily to climate change.
This supervisory focus may seem at odds with the trend in the EU to reduce the burden and complexity of ESG reporting for corporates under the Corporate Sustainability Reporting Directive (CSRD) and the Corporate Sustainability Due Diligence Directive (CSDDD). However, the newly introduced rules on the management, reporting and disclosure of ESG risks under the Third Capital Requirements Regulation (CRR3) and the Sixth Capital Requirements Directive (CRD6) package remain unaffected by this challenge to the ESG rules, except perhaps for the introduction of more proportionality for small banks (currently in consultation).
On January 11, 2026, the CRD6 and the EBA’s guidelines on the management of ESG risks will introduce important changes to the rules on governance and supervisory reviews of ESG risks in EU banks. Every two years, boards must approve and review strategies and policies considering ESG factors and will have to possess adequate collective knowledge, skills and experience to address ESG issues. Banks must also take ESG risks into account in their remuneration policies, internal capital-adequacy assessment processes and prudential transition planning. These plans go beyond marketing pledges. They are risk‑based, forward‑looking plans that set timelines, targets and milestones to monitor and address financial risks arising from ESG factors, aligned to EU objectives and proportionate to materiality. For international banks, the message is clear: Treat climate and environmental risks as core risks that drive credit, market, operational and liquidity outcomes. The ECB started conducting informal dialogues with banks on transition planning in 2025 and will continue in 2026, then begin carrying out more formal assessments in 2027.
What is changing amid the global headwinds against ESG is that banks are applying a more cautious communication approach to their ESG pledges. Where once market leadership in ESG strategy was seen as a competitive advantage, the same goals are now pursued in a more muted way, often re-embedded under banks’ general approach to governance.
The bottom line for executives and board members
Europe is making ESG, ICT and AI risks part of its core prudential supervision. For international banks, a winning approach is to build upon EU-specific requirements to create strong and resilient ICT and ESG strategies for their entire organisations, using global building blocks to avoid fragmentation, and anchoring strategies in robust governance. Boards and executives that do this will not only meet risk-management expectations, they will also build durable resilience, accelerate safe innovation and strengthen the trust that is the currency of modern banking.
ABOUT THE AUTHORS
Dr. Sabine Dittrich is Head of EU Financial Regulation and Senior Counsel at Slaughter and May. She advises international banks, market infrastructure operators, and asset managers on EU prudential and conduct-related regulatory matters. Before joining the firm, Sabine held senior roles at UBS, including Global Head of Regulatory Intelligence, and previously worked in the Financial Institutions Group of a leading international law firm in Germany. She is a member of one of the Consultative Working Groups for ESMA. Sabine is admitted at the German bar and holds a PhD in Law and an MBA from HEC Paris.
Arnaud Caillat is an Associate at Bredin Prat, where he is part of the Corporate and Financial Services & Insurance Regulation teams. He advises clients on mergers and acquisitions, private equity transactions, securities law, and banking and financial regulation. Arnaud is currently seconded to the Financial Regulation group at Slaughter and May. Admitted to the Paris Bar, he holds master’s degrees in law from the University of Paris 1 Panthéon-Sorbonne and Sciences Po Law School.
