Horizon Scanning · EBA · ESMA · EIOPA
Horizon scanning the EU regulatory agenda Q2–Q4 2026: consultations, RTS, and level-2 measures
A curated list of the consultations, regulatory technical standards, and level-2 measures to pre-commit reviewers for, by topic: DORA, PSD3 / PSR, MiCA, AMLR, CSRD, and CRR3.
Horizon scanning is the boring twin of regulatory change operations. It is also the thing that decides whether your team spends Q4 2026 calmly reviewing pre-briefed text or in a panic after a consultation closes. This article lists — by topic — the consultations, regulatory technical standards (RTS), and level-2 measures we think EU banks, payment institutions, asset managers, and insurers should pre-commit reviewer capacity for between April and December 2026. It is not exhaustive; it is curated for relevance to the lean compliance teams RegRadar typically serves.
Dates in this article reflect publicly available plans as of 2026-04-22. Consultation windows shift, and final dates slip; always cross-check against the European Commission's regulatory agenda, the EBA / ESMA / EIOPA work programmes, and the official journals of the supervisors most relevant to your perimeter.
How to use this list
- Each item carries our best estimate of the decision window (when comments are open) and the target date (expected final publication).
- “Reviewer commitment” is our suggestion for which RegRadar LOB queue (or equivalent in your tool) should own the review, and an order-of-magnitude capacity.
- Items marked hot are the ones we think move the needle for lean compliance teams in 2026.
DORA (Digital Operational Resilience Act)
The level-1 text applied 17 January 2025. The remaining work is the level-2 and level-3 package around third-party oversight, classification, reporting, and testing.
| Item | Decision window | Target | Reviewer commitment |
|---|---|---|---|
| Joint ESAs Guidelines on major-incident reporting (GL under Art. 20) — final — hot | Consultation Q1 2026 | Final Q3 2026 | Op Risk — 2 reviewers × 3 days |
| RTS on subcontracting of ICT services (Art. 30) — final | Closed 2025-Q4 | Final Q2 2026 | Op Risk — 1 reviewer × 2 days |
| TLPT framework updates (Art. 26) | Rolling | Q3 2026 | Op Risk + CISO — 1 reviewer × 2 days |
| Register of information on contractual arrangements — ITS template v2 | Consultation Q2 2026 | Final Q4 2026 | Op Risk + Procurement — 1 reviewer × 3 days |
| Critical ICT TPP designation decisions | Ongoing publications | Continuous | Op Risk — 0.5 day per publication |
PSD3 / PSR — payments and safeguarding
See also our separate article on PSD3 safeguarding deltas.
| Item | Decision window | Target | Reviewer commitment |
|---|---|---|---|
| PSD3 / PSR final text publication in OJ — hot | Political agreement mid-2025 | H2 2026 | Reg Affairs — 1 reviewer × 5 days on publication |
| RTS on safeguarding methods and low-risk asset basket | Consultation Q4 2026 | Final mid-2027 | Reg Affairs + Finance — 2 × 3 days |
| ITS on quarterly safeguarding reporting templates | Consultation Q4 2026 | Final mid-2027 | Finance — 1 × 2 days |
| RTS on fraud data sharing under PSR | Consultation H2 2026 | Final 2027 | Fin Crime — 1 × 3 days |
| Guidelines on conduct of business for card-based payment instruments | Rolling | Continuous | Compliance — ad hoc |
MiCA (Markets in Crypto-Assets)
| Item | Decision window | Target | Reviewer commitment |
|---|---|---|---|
| ESMA Guidelines on market abuse in MiCA scope — final | Closed Q1 2026 | Q3 2026 | Compliance — 1 × 2 days |
| RTS on white papers for asset-referenced tokens | Consultation Q2 2026 | Final Q4 2026 | Reg Affairs + Legal — 1 × 3 days |
| EBA Guidelines on prudential requirements for issuers of EMTs | Consultation H2 2026 | Final 2027 | Reg Affairs — 1 × 2 days |
MiCA is primarily a concern for crypto-native entities, but traditional banks holding EMT-related exposures or offering custody must track the EBA Guidelines.
AMLR / AMLA (Anti-Money-Laundering Regulation and Authority)
| Item | Decision window | Target | Reviewer commitment |
|---|---|---|---|
| AMLR level-2 package: RTS on CDD, beneficial ownership, and group-wide programmes — hot | Consultation Q2–Q4 2026 | Final 2027 | Fin Crime — 2 × 4 days each |
| AMLA operational readiness milestones (selection of supervised entities) | Ongoing | 2026–2027 | Fin Crime + Governance — ad hoc |
| Transition guidance on AMLD5 → AMLR for Member States | Rolling | Continuous | Fin Crime — ad hoc |
CSRD / SFDR / Taxonomy — sustainability reporting
| Item | Decision window | Target | Reviewer commitment |
|---|---|---|---|
| ESRS simplification — phase 2 exposure drafts | Consultation Q2 2026 | Final Q4 2026 | ESG / Sustainability — 2 × 3 days |
| SFDR RTS amendments post-review | Consultation H2 2026 | Final 2027 | Reg Affairs / ESG — 1 × 3 days |
| Taxonomy delegated acts — DNSH technical screening updates | Rolling | Continuous | ESG — ad hoc |
| CSRD assurance standards — final | Q3 2026 | Q4 2026 | ESG + Audit — 1 × 2 days |
CRR3 / CRD6 — prudential framework
| Item | Decision window | Target | Reviewer commitment |
|---|---|---|---|
| EBA Guidelines on IRRBB under CRD6 — final | Q2 2026 | Q3 2026 | Reg Affairs + Risk — 1 × 3 days |
| RTS on output floor under CRR3 — technical specifications | Consultation Q3 2026 | Final Q1 2027 | Reg Affairs — 1 × 2 days |
| Basel IV-linked market risk framework updates | Rolling | Continuous | Risk — ad hoc |
National-authority priorities to watch
Beyond EU-level items, each national supervisor publishes its own 2026 priorities. The ones that carry the heaviest operational weight for the 2026 pilots we run:
- ACPR (France) — 2026 priorities. Digital-asset service providers, AML governance for neobanks, wind-down readiness for EMIs, CSRD assurance maturity.
- BaFin (Germany) — MaRisk and BAIT updates. Cloud outsourcing deep-dives, DORA third-party register quality reviews, crypto-custody permissions, ESG risk in credit-risk models.
- Banca d'Italia and CONSOB (Italy). IVASS coordination on insurance-bancassurance ICT resilience, MiFID II product-governance conduct audits.
- DNB and AFM (Netherlands). DORA ICT third-party register audits, PSD2 strong-customer-authentication maturity reviews ahead of PSR.
- CSSF (Luxembourg). UCITS ICT risk reviews, AIFMD ESG disclosure verification.
- FINMA (Switzerland, non-EU but material for EU-facing groups). Operational-risk Circular 23/1 and cross-border financial-services expectations.
What to put on your team's radar this month
- If you are a bank with DORA in scope, block 3 days for the EBA major-incident Guidelines final text between August and October 2026.
- If you are a PI or EMI, block a week in H2 2026 for the PSR final text plus first level-2 consultations.
- If you are a Fin Crime team, add one reviewer to AMLR RTS consultations quarterly through end-2027 — plan for four major reading loads.
- If you have CSRD in scope, plan two reviewer-days in Q4 2026 for the ESRS simplification phase-2 final.
- If you are a crypto-touching entity, the MiCA white-paper RTS will land late Q4 2026 and will affect issuer processes.
How RegRadar handles this
The items above are what we pre-seed into the Horizon module for every RegRadar pilot: each appears as a forthcoming obligation with a regime tag, an expected deadline, and a reviewer assignment. When the final text publishes, the Horizon item collapses into an impact with a pre-assigned owner; the team does not need to re-remember what they were meant to be watching. See the iCal subscription on the Horizon calendar for a direct feed into your team calendar.
Next step
Scope an 8-week paid pilot for your perimeter.
One topic, one team, one jurisdiction pack. €15k, 50% credited on annual conversion.