ESMA/EBA Suitability Assessment Guidelines: What the 2026 Consultation Means for Luxembourg Boards
Last updated: April 2026
Get a board appointment wrong in Luxembourg and the CSSF will tell you to fix it. That conversation is not one any institution wants to have, and under the proposed revised suitability guidelines, the range of what counts as “wrong” is about to widen. The joint ESMA-EBA consultation paper (ESMA35-243228190-8034 / EBA/CP/2026/03), published on 25 February 2026, revises the fit-and-proper framework for management bodies and key function holders. The consultation closes on 25 May 2026.
This is not a cosmetic update. The revised guidelines incorporate the changes introduced by CRD VI (Directive (EU) 2024/1619), which amended the suitability provisions of CRD (Directive 2013/36/EU). That means new obligations around key function holder assessments, enhanced dialogue procedures for large entities, explicit AML/TF risk checks during suitability reviews, and expanded knowledge requirements covering ICT and ESG risks. If your institution files fit-and-proper assessments with the CSSF, this consultation paper is required reading.
Related reading: DORA Register of Information – A Practical Guide for Financial Entities
What These Guidelines Cover
The guidelines set out how credit institutions, investment firms, and third-country branches should assess the suitability of members of their management body and key function holders. They also prescribe how competent authorities (in Luxembourg, the CSSF) should conduct their own supervisory assessments.
The legal basis sits in Article 91(11) and Article 91a(8) of CRD, as amended by CRD VI, and Article 9(1) of MiFID II (Directive 2014/65/EU). Once finalised, the updated guidelines will repeal the current version from July 2021 (EBA/GL/2021/06 and ESMA35-36-2319).
The guidelines apply across all governance structures. Luxembourg institutions may operate with either a one-tier board or a two-tier structure with a separate management board and supervisory board. The consultation paper is explicitly neutral on structure, referring instead to “management body in its management function” and “management body in its supervisory function.” That distinction matters for how you map the guidelines onto your own board: in a one-tier board, the executive members are the management function and the non-executive members the supervisory function; in a two-tier structure the two boards map directly onto the two functions.
Who Is in Scope
The scope is tiered. Large entities get the full set of requirements. Smaller institutions and investment firms get carve-outs on specific sections. Here is the breakdown:
Credit institutions that qualify as large entities under Articles 91(1d) and 91a(5) of CRD face the broadest obligations. That includes the enhanced dialogue provisions, full key function holder assessments, and nomination committee requirements.
Other credit institutions (not classified as large) still fall under the core guidelines but are exempt from certain sections, including the enhanced dialogue with competent authorities and the most prescriptive nomination committee rules.
Investment firms are divided into three classes. Class 1- firms (those subject to CRD via Article 2(2) of IFD) are treated like credit institutions. Class 2 firms are exempt from directorship-counting rules (where no significant entity directorship is held), independent member requirements for significant entities, group suitability policies, and nomination committees. Class 3 firms (small and non-interconnected under Article 12(1) of IFR) receive the lightest treatment: they are exempted from key function holder assessments, directorship calculations, independence provisions, and nomination committees entirely.
Third-country branches are also in scope. Where the competent authority applies the same requirements as for credit institutions (under Article 48a(4) CRD), the full guidelines apply. Otherwise, a reduced set applies.
What Changed from the 2021 Guidelines
The revision is driven primarily by CRD VI. I have worked through the consultation paper and the track-changes version. The key changes fall into six areas.
Key Function Holders Are Now Explicitly In Scope
The 2021 guidelines already covered management body members. The updated version adds Article 91a of CRD, which introduces formal suitability requirements for key function holders. That term covers the heads of internal control functions (compliance, risk, internal audit) and the CFO, where those individuals are not already members of the management body.
For institutions, this means you need a documented suitability assessment process for these roles, not just board members. I have seen firms in Luxembourg where the CFO assessment was treated as a standard HR hire. That approach will not hold under the revised framework. The guidelines specify that entities must assess knowledge, skills, experience, and reputation for key function holders, using criteria analogous to those for management body members.
Competent authorities, for large entities, should also assess the heads of internal control functions and the CFO. The CSSF may extend this to other key function holders on request.
Enhanced Dialogue for Large Entities
CRD VI introduced a new enhanced dialogue mechanism under Articles 91(1d) and 91a(5). This applies to large entities in Member States that use ex-post suitability assessments. Luxembourg is one of those jurisdictions. The CSSF assesses suitability after the appointee has taken up the position, not before.
Under the enhanced dialogue procedure, large entities must submit an ex-ante application before appointing a new member of the management body in its management function, or the chair of the management body in its supervisory function. The competent authority then has a window to raise concerns, and if it does, there is a structured dialogue process before the appointment proceeds.
This is a significant operational change for large Luxembourg credit institutions. It adds a pre-appointment step to what was previously a purely post-appointment notification. Boards need to build this lead time into their succession planning and appointment timelines.
AML/TF Risk Checks During Suitability Assessments
The guidelines now specify, under Section 26, how entities and competent authorities should handle reasonable grounds to suspect money laundering or terrorist financing risks in connection with management body members. This draws on Article 91(11)(f) and 91a(8)(c) of CRD.
In practice, the competent authority may consult the AML/CFT supervisory authority (in Luxembourg, that is also the CSSF for most entities) and request information about management body members during suitability verifications. This is a risk-based check, not a blanket requirement, but it formalises something that was previously handled more informally.
Entities themselves should factor AML/TF risks into their ongoing monitoring. If reasonable grounds emerge, a re-assessment of the affected member’s suitability should follow.
Expanded Knowledge Requirements: ICT, ESG, and AI
The consultation paper reflects the regulatory push toward digital and sustainability competence at board level. Management body members are now expected to collectively possess knowledge of ICT risks (aligned with DORA), environmental and sustainability risks (including biodiversity), and the implications of artificial intelligence in financial services.
This does not mean every board member needs to be a cybersecurity expert. The collective suitability assessment uses a competency matrix (Annex I of the guidelines provides a template) to ensure the board as a whole covers these areas. But it does mean that boards stacked entirely with finance and legal backgrounds may show gaps under the revised framework.
For Luxembourg entities already grappling with DORA compliance, this adds another reason to map board-level ICT knowledge formally. I have been through the collective suitability matrix exercise with reporting teams, and the most common gap is exactly here: ICT and digital risk are listed as “covered” because someone on the board once attended a cybersecurity conference. The guidelines expect something more structured than that.
Cooling-Off Periods for Board Transitions
The guidelines address the risk of a former CEO becoming chair of the supervisory function. Because that person would be overseeing decisions they previously made in an executive role, the guidelines recommend a cooling-off period before such transitions.
Where a cooling-off period is not possible (the consultation paper acknowledges practical constraints), entities should implement alternative safeguards as specified in the EBA internal governance guidelines (EBA/GL/2021/05). This is already common practice at larger Luxembourg banks, but the guidelines now make it an explicit expectation rather than a governance best practice.
Diversity and Gender Balance
The diversity provisions are strengthened. Entities are required to take measures to ensure diversity and gender balance when selecting management body members. This includes setting objectives in a diversity policy and tracking progress against them.
The guidelines do not set hard quotas. But they do require that the diversity policy addresses gender, age, educational and professional background, and geographical provenance. The nomination committee (where required) must actively use these criteria in candidate selection.
The Suitability Assessment Process: What Entities Must Do
The guidelines prescribe a structured assessment process covering individual suitability, collective suitability, and ongoing monitoring.
Individual Suitability
Each member of the management body must be assessed for:
Reputation, honesty, and integrity. This includes criminal record checks, regulatory sanction history, and any pending proceedings. The guidelines are specific: a conviction does not automatically disqualify someone, but the nature, severity, and relevance of the offence must be considered.
Knowledge, skills, and experience. Assessed against the specific role. A member of the management function needs different competencies than a non-executive supervisory member. The guidelines reference individual statements under Article 88(3) of CRD, which set out each member’s specific roles and duties.
Time commitment. Can this person actually dedicate enough time? For significant entities, there are hard limits on the number of directorships under Article 91(3) CRD: one executive plus two non-executive, or four non-executive directorships. The guidelines specify how to count directorships within a group and how to assess time commitment beyond the directorship count.
Independence of mind. All members must have this, regardless of whether they are formally “independent.” The guidelines distinguish independence of mind (the ability to challenge and assess decisions objectively) from the formal status of being an independent member of the supervisory function.
Collective Suitability
The board as a whole must collectively possess adequate knowledge across the entity’s activities and main risks. The guidelines provide a competency matrix template in Annex I. Entities should map each member’s knowledge against required areas and identify gaps.
Required knowledge areas include, at minimum: the entity’s markets and regulatory environment, strategic planning, risk management and internal controls, financial analysis and accounting, governance frameworks, and (now explicitly) ICT/digital risk, ESG/climate risk, and AML/CFT frameworks.
Where gaps exist, the entity must have a plan to fill them. That can mean targeted recruitment, training programmes, or the use of external advisors. But the gap must be documented and addressed, not simply noted and forgotten.
Ongoing Monitoring and Re-Assessment
Suitability is not a one-time check. The guidelines require continuous monitoring and re-assessment when certain triggers occur: material reputational events, changes in an entity’s risk profile, new information about a member’s conduct, or suspected AML/TF connections.
Entities must also re-assess time commitment when a member takes on additional external roles. I have seen this trigger missed repeatedly. A board member joins an advisory board elsewhere, nobody updates the directorship count, and the next supervisory review flags it as a suitability gap. The guidelines make the monitoring obligation explicit.
What This Means for Luxembourg Specifically
Luxembourg operates an ex-post suitability assessment regime. The CSSF assesses management body members after they have taken up their position, based on notifications submitted by the entity. The enhanced dialogue provisions in CRD VI add a new ex-ante layer for large entities, but only for specific appointments (management function members and the supervisory function chair).
The CSSF has historically been thorough in its fit-and-proper assessments. The questionnaire process is detailed, and rejections or requests for additional information are not uncommon. The revised guidelines will likely result in the CSSF updating its own circular and notification forms to reflect the expanded scope (key function holders, AML/TF checks, ICT/ESG knowledge criteria).
For Luxembourg entities, the practical impact falls into several categories:
Governance documentation. Suitability policies need updating to cover key function holders explicitly, incorporate AML/TF risk criteria, and reflect the expanded knowledge expectations. If your current suitability policy only addresses board members, it needs widening.
Board competency mapping. The collective suitability matrix needs to include ICT, ESG, and AI knowledge areas. This is not optional under the revised guidelines. Entities should run this mapping exercise now rather than waiting for the final guidelines.
Succession planning for large entities. The enhanced dialogue adds lead time to the appointment process. Boards of large credit institutions should factor in a pre-notification window when planning executive transitions. The exact timeline will depend on CSSF implementation, but the guidelines envisage a structured exchange before the appointment is confirmed.
Training budgets and policies. The guidelines require entities to devote adequate human and financial resources to board induction and training. They specify that entities should have a formal training policy, with objectives set by the management body. This goes beyond the informal “board members attend relevant conferences” approach that some smaller entities currently rely on.
Common Mistakes to Expect
Based on the current 2021 guidelines and what I see in practice, several areas will trip firms up under the revised framework.
Treating key function holder assessments as a formality. The CFO and heads of compliance, risk, and internal audit now need documented suitability assessments using criteria parallel to board members. Repurposing an HR job interview as a suitability assessment will not pass scrutiny. These assessments need to cover knowledge, experience, reputation, and honesty using the same structured approach.
Running a collective suitability check that exists only on paper. I have reviewed competency matrices where every cell was marked “adequate” with no supporting evidence. The guidelines expect a genuine gap analysis, not a compliance checkbox. If your board has no member with meaningful ICT risk expertise, the matrix should show that gap and your policy should document how you plan to address it.
Missing the ongoing monitoring requirement. Suitability is not a file you complete at appointment and archive. When a board member faces a legal proceeding, joins another board, or when the entity’s risk profile changes materially, a re-assessment is required. Entities that lack a process for capturing these trigger events will find themselves explaining the gap to the CSSF.
Timeline and Next Steps
The consultation is open until 25 May 2026. Responses must be submitted through the EBA consultation page. The current expectation is that the finalised guidelines will enter into force six months after publication of all EU language translations. The consultation paper leaves the exact date blank (“not later than XXX”), which means the precise effective date will be set in the final version.
Entities should not wait for finalisation to start preparing. The broad direction is clear: wider scope, more documentation, explicit coverage of key function holders, and higher expectations for board-level knowledge of ICT, ESG, and AML/TF risks. Reviewing your suitability policy, updating your competency matrix, and assessing your key function holder documentation now will save time when the final guidelines drop.
Industry associations in Luxembourg (ABBL, ALFI, and others) will likely submit responses to the consultation. If your institution has specific concerns about proportionality, implementation timelines, or the enhanced dialogue mechanism, the consultation window is the time to raise them.
Sources and References
ESMA/EBA Consultation Paper – Draft Joint Guidelines on the Assessment of the Suitability of Members of the Management Body and Key Function Holders (ESMA35-243228190-8034 / EBA/CP/2026/03), 25 February 2026: ESMA consultation page
Directive 2013/36/EU (CRD) – on access to the activity of credit institutions and the prudential supervision: EUR-Lex
Directive (EU) 2024/1619 (CRD VI) – amending Directive 2013/36/EU as regards supervisory powers, sanctions, third-country branches, and ESG risks: EUR-Lex
Directive 2014/65/EU (MiFID II) – on markets in financial instruments: EUR-Lex
Current Joint ESMA/EBA Guidelines on Suitability (EBA/GL/2021/06 / ESMA35-36-2319), 2 July 2021: EBA guidelines page
EBA Guidelines on Internal Governance (EBA/GL/2021/05): EBA internal governance guidelines
Related Articles
DORA Register of Information – A Practical Guide for Financial Entities – The ICT governance and third-party risk management framework that feeds into the board-level knowledge requirements referenced in the suitability guidelines.
DORA ICT Incident Reporting – How to Classify, Escalate, and Report Major Incidents – ICT risk management at the operational level, relevant to the expanded knowledge expectations for management bodies.
AMLR – What Changes for Luxembourg Firms Under the New EU AML Regulation – The AML/TF dimension now explicitly integrated into suitability assessments under the revised guidelines.
Pillar 3 Disclosure Requirements for Luxembourg Banks – Governance disclosures that intersect with the suitability framework, including board composition and diversity reporting.
CSSF AML/CFT Standardised Data Collection – The CSSF’s data collection requirements that reflect the broader AML/CFT governance expectations now linked to suitability assessments.
Disclaimer: The information on RegReportingDesk.com is for educational and informational purposes only. It does not constitute legal, regulatory, tax, or compliance advice. Always consult your compliance officer, legal counsel, or the relevant supervisory authority for guidance specific to your institution.