ESMA, EBA, EIOPA: who does what in EU financial supervision

ESMA, EBA, EIOPA: who does what in EU financial supervision

A foundational explainer on the EU's supervisory architecture for financial services. Who writes the technical standards, who enforces them, how national competent authorities fit in, and where the new Anti-Money Laundering Authority changes the picture.

10 min read

This article is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for advice specific to your situation.

Three acronyms, one supervisory system

Compliance professionals refer to “the regulator” as though EU financial supervision had one address. It does not. ESMA, EBA, and EIOPA are three separate legal entities with distinct mandates, distinct sectors, and in a handful of cases, the power to directly supervise specific firms rather than merely write the rules that national supervisors enforce. A fourth body, the new Anti-Money Laundering Authority (AMLA), has just taken on a slice of this landscape that used to belong to EBA.

Knowing which authority does what is not a trivia exercise. It determines where a Q&A request goes, whose guidelines a national supervisor is expected to follow, which body’s publications a compliance team needs to monitor for a given regulation, and, for a small number of firms, who is actually going to show up for an on-site inspection.

This article maps the structure. For how the regulations and technical standards these bodies produce fit together, see how EU financial regulation actually works. For why the regulatory technical standards they write often matter more than the headline regulation, see what are regulatory technical standards.

Where the system came from

The European System of Financial Supervision (ESFS) was established in 2010 and became operational on 1 January 2011, following the recommendations of the de Larosière expert group on strengthening Europe’s supervisory arrangements after the 2007 to 2008 financial crisis. The crisis exposed two specific weaknesses: national supervisors had no shared culture or coordination mechanism, and the pre-crisis system focused almost entirely on individual institutions while paying too little attention to risks building up across the financial system as a whole.

The ESFS addressed both problems by splitting supervision into two layers. Macro-prudential oversight, monitoring system-wide risk, sits with the European Systemic Risk Board (ESRB), established under Regulation (EU) No 1092/2010 and chaired by the President of the European Central Bank. Micro-prudential oversight, the day-to-day regulation of individual firms and sectors, sits with the three sectoral authorities: the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA), each established by its own founding regulation in November 2010 (Regulations (EU) No 1093/2010, 1094/2010, and 1095/2010 respectively).

Each authority is an independent EU agency with its own legal personality, represented by its own chairperson, and accountable to the European Parliament and the Council rather than to any single member state.

ESMA: capital markets and investment services

ESMA covers securities markets, investment services, and increasingly, crypto-assets. It develops technical standards under MiFID II, the Prospectus Regulation, the Market Abuse Regulation, EMIR, SFDR, AIFMD, and MiCA, and it issues the supervisory convergence guidance, opinions, and Q&As that, while not formally binding in the way a technical standard is, carry real weight: national competent authorities are expected to follow ESMA guidelines or explain to ESMA why they have not.

ESMA is also one of the few EU financial authorities with genuine direct supervisory powers over named entities rather than purely standard-setting and convergence functions. ESMA directly supervises credit rating agencies, trade repositories, securitisation repositories, certain data reporting service providers (approved publication arrangements and approved reporting mechanisms), certain benchmark administrators, and systemically important third-country central counterparties recognised under EMIR’s Tier 2 regime. As of early 2026, this direct supervisory population spans more than fifty entities across more than twenty countries. For all other market participants, supervision sits with national competent authorities, and ESMA’s role shifts to promoting consistent practice across them.

ESMA is headquartered in Paris.

EBA: banking, payments, and prudential standards

EBA covers credit institutions, payment institutions, and electronic money institutions. It develops technical standards under the Capital Requirements Regulation and Directive, PSD2 and PSD3, and DORA, jointly with ESMA and EIOPA through the Joint Committee. EBA is the primary source of prudential standards for banks and the principal supervisory convergence body for payment institution oversight.

Unlike ESMA, EBA’s day-to-day role has historically been almost entirely standard-setting and convergence rather than direct supervision of individual firms. The significant exception sits under MiCA: where an asset-referenced token (ART) or e-money token (EMT) is classified as significant, based on quantitative thresholds and qualitative criteria set out in the regulation and its delegated acts, EBA takes over direct supervision of the issuer at EU level for significant ARTs, and shares supervision with the relevant national competent authority for significant EMTs. EBA’s Crypto Asset Standing Committee supports this mandate, and EBA runs supervisory colleges for each significant issuer it oversees.

For systemically important banks, direct prudential supervision sits not with EBA but with the European Central Bank, through the Single Supervisory Mechanism (SSM). EBA’s relationship to the largest banks is therefore standard-setting, not supervisory: it writes the rules and contributes to the SREP methodology, while the ECB applies that methodology directly to the roughly 110 banking groups it classifies as significant.

EBA is headquartered in Paris, having relocated from London in 2019 as a consequence of the UK’s withdrawal from the EU.

EIOPA: insurance and occupational pensions

EIOPA covers insurance and reinsurance undertakings, insurance intermediaries, financial conglomerates, and institutions for occupational retirement provision (IORPs). Its core rulebook contribution runs through Solvency II for insurers and the IORP Directive for pension institutions.

Of the three sectoral authorities, EIOPA has the narrowest direct supervisory footprint. It does not directly supervise individual insurers or pension funds; that remains a national competent authority function. EIOPA’s influence operates through technical standards, guidelines, EU-wide stress testing of insurers and pension funds, and its role within DORA’s joint oversight framework for critical ICT third-party providers, where EIOPA can be assigned as lead overseer for providers whose primary client base sits in insurance and pensions.

EIOPA is headquartered in Frankfurt am Main.

The Joint Committee: where the three authorities meet

EBA, EIOPA, and ESMA do not operate in isolation from one another. Cross-sectoral issues, financial conglomerates, securitisation, and major frameworks that span all three sectors such as DORA, are coordinated through the Joint Committee of the ESAs. DORA’s regulatory and implementing technical standards were developed by the Joint Committee precisely because ICT risk does not respect the boundary between banking, insurance, and securities markets. The Joint Committee also issues joint Q&As and joint guidelines where a question genuinely cuts across all three authorities’ remits, rather than leaving firms to reconcile three separate, potentially inconsistent answers.

National competent authorities: where supervision actually happens for most firms

For the substantial majority of regulated financial entities, the body that authorises, supervises, and enforces is not an EU-level authority at all. It is the national competent authority (NCA) in the member state where the firm is established: BaFin in Germany, the Autorité de Contrôle Prudentiel et de Résolution (ACPR) and Autorité des Marchés Financiers (AMF) in France, the Central Bank of Ireland, the Commissione Nazionale per le Società e la Borsa (CONSOB) and Banca d’Italia in Italy, and equivalent bodies in every other member state.

NCAs conduct the authorisation process for crypto-asset service providers under MiCA, run the supervisory reviews and on-site inspections that determine whether a firm’s DORA framework is operationally embedded rather than merely documented, and issue their own jurisdiction-specific guidance that supplements EU-level technical standards. A firm operating in multiple member states should expect not only to track ESA-level output, but the specific interpretive guidance of each NCA where it holds an authorisation.

The ESAs hold certain powers over the NCAs themselves, including the ability to investigate alleged breaches of EU law by a national supervisor, to mediate disagreements between NCAs on cross-border cases, and to act in emergency situations where coordinated EU-level action is required. These powers are used sparingly, but they exist precisely because the system relies on national-level enforcement of EU-level rules, and that arrangement only works if there is a mechanism to address inconsistent application.

AMLA: the newest addition, and what it took from EBA

For most of the past decade, EBA carried a standalone mandate, added in the 2019 review of the ESAs, for coordinating anti-money laundering and counter-terrorist financing (AML/CFT) supervision across the EU. That arrangement ended on 1 January 2026, when EBA and the newly established Anti-Money Laundering Authority (AMLA) completed the formal transfer of all AML/CFT mandates and functions from EBA to AMLA.

AMLA is now the central authority for harmonising AML/CFT rules and supervisory practice across both the financial and non-financial sectors, and it has taken over EBA’s tools in this area, including the EuReCa database used to track material weaknesses identified by national supervisors. EBA continues to address money laundering risk from a prudential perspective and cooperates with AMLA under a formal memorandum of understanding, but it is no longer the EU-level AML/CFT coordination body.

The more significant change is still ahead. From 2028, AMLA will directly supervise around forty of the EU’s most complex and highest-risk financial institutions and groups, selected by a risk-based methodology AMLA is currently finalising. This will be the first instance of genuine EU-level direct supervision for AML/CFT compliance, replacing what has until now been an entirely national-level function for even the largest cross-border banking groups. AMLA is headquartered in Frankfurt.

For compliance teams at firms that may fall within AMLA’s eventual direct supervision population, the practical implication is to begin tracking AMLA’s published work programme now rather than waiting for the 2028 transition, since the supervisory methodology AMLA adopts is being developed through 2026 and 2027.

A quick reference

BodyPrimary sectorDirect supervision of firmsSeat
ESMACapital markets, investment services, MiCAYes: CRAs, trade and securitisation repositories, certain DRSPs and benchmark administrators, Tier 2 third-country CCPsParis
EBABanking, payments, e-moneyLimited: significant ARTs and EMTs under MiCAParis
EIOPAInsurance, occupational pensionsNo (national supervisors retain direct supervision)Frankfurt
AMLAAML/CFT across financial and non-financial sectorsFrom 2028: around 40 highest-risk institutionsFrankfurt
ECB (SSM)Significant credit institutionsYes: roughly 110 significant banking groupsFrankfurt
ESRBSystem-wide macro-prudential riskNo (monitoring and recommendation only)Frankfurt

National competent authorities supervise everything not listed above as a direct ESA, AMLA, or ECB mandate, which remains the large majority of regulated financial entities in the EU.

Why this structure matters for monitoring

A firm trying to track everything relevant to its activity needs to monitor several distinct publication streams: the technical standards and guidelines of whichever sectoral authority covers its activity, the Joint Committee output for any framework that spans sectors, its own NCA’s jurisdiction-specific guidance, and, for AML/CFT purposes, AMLA’s emerging rulebook. None of these bodies publishes on a shared calendar, and a development relevant to a firm’s specific situation can originate from any one of them with little advance warning.

This is the same structural monitoring problem that recurs throughout EU financial regulation: the rules are produced by multiple bodies, on independent timelines, and the firm bears the burden of assembling a coherent picture from scattered sources. Understanding who produces what is the first step. Building a system that tracks all of it continuously is the next one.

For the broader picture of how regulations, directives, and technical standards interact across this supervisory structure, see how EU financial regulation actually works. For an overview of the current EU financial regulatory landscape these authorities are implementing, see EU financial regulation in 2026.

Frequently asked questions

What is the difference between EBA, ESMA, and EIOPA?

EBA, ESMA, and EIOPA are the EU’s three sectoral financial supervisory authorities, each covering a different part of the financial system. EBA covers banking, payments, and electronic money. ESMA covers capital markets, investment services, and crypto-assets under MiCA. EIOPA covers insurance, reinsurance, and occupational pensions. Each develops technical standards and guidelines for its sector and works with national competent authorities to promote consistent supervision.

Do ESMA, EBA, and EIOPA directly supervise financial firms?

In most cases, no. The large majority of regulated financial entities are supervised directly by their national competent authority, with the EU-level authorities setting standards and promoting convergence rather than supervising firms themselves. The exceptions are narrow: ESMA directly supervises credit rating agencies, trade and securitisation repositories, certain data reporting service providers and benchmark administrators, and systemically important third-country CCPs. EBA directly supervises issuers of significant asset-referenced and e-money tokens under MiCA. Significant credit institutions are supervised directly by the European Central Bank rather than EBA.

What does the Joint Committee of the ESAs do?

The Joint Committee coordinates EBA, EIOPA, and ESMA on issues that cut across all three sectors, including financial conglomerates, securitisation, and cross-sectoral frameworks such as DORA. It issues joint technical standards, guidelines, and Q&As so that firms operating across sectors are not left reconciling inconsistent answers from three separate authorities.

What happened to EBA’s anti-money laundering mandate?

EBA held a standalone EU-level coordination mandate for anti-money laundering and counter-terrorist financing supervision from 2019. On 1 January 2026, that mandate was formally transferred to the newly established Anti-Money Laundering Authority (AMLA), headquartered in Frankfurt. AMLA will also directly supervise around forty of the EU’s highest-risk financial institutions from 2028, a function neither EBA nor any EU-level body previously held.

Where are EBA, ESMA, and EIOPA based?

ESMA and EBA are both headquartered in Paris. EBA relocated there from London in 2019 following the UK’s withdrawal from the EU. EIOPA is headquartered in Frankfurt am Main, as is the newly established AMLA.

Who actually enforces EU financial regulation against my firm?

For almost all firms, enforcement sits with the national competent authority in the member state where the firm is authorised: for example BaFin in Germany, the ACPR or AMF in France, or the Central Bank of Ireland. The EU-level authorities set the standards those NCAs apply and can intervene in specific circumstances, such as breaches of EU law by an NCA or disagreements between NCAs on a cross-border case, but day-to-day enforcement against an individual firm is a national function.

Forseti monitors EU financial regulation continuously, delivering personalised alerts and source-anchored answers matched to your firm’s regulatory profile. Start for free.

Stay in the know!

Subscribe for news updates.

CSRD and CSDDD have changed what EU procurement teams ask for, what they put in supplier contracts, and what happens when suppliers cannot provide it. This article explains what EU buyers are now requiring, why, and what it means for non-EU suppliers who want to stay in those supply chains.