Escolha as funcionalidades experimentais que pretende experimentar

Este documento é um excerto do sítio EUR-Lex

Documento 32025R2180

Commission Delegated Regulation (EU) 2025/2180 of 12 September 2025 supplementing Regulation (EU) 2023/2631 of the European Parliament and of the Council with regard to regulatory technical standards specifying the conditions for the registration of external reviewers, the criteria for assessing the sound and prudent management of external reviewers, the appropriateness of the knowledge, experience and training of the external reviewers’ employees, and the conditions under which external reviewers can outsource their assessment activities

C/2025/2301

OJ L, 2025/2180, 30.12.2025, ELI: http://data.europa.eu/eli/reg_del/2025/2180/oj (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

Estatuto jurídico do documento Em vigor

ELI: http://data.europa.eu/eli/reg_del/2025/2180/oj

European flag

Official Journal
of the European Union

EN

L series


2025/2180

30.12.2025

COMMISSION DELEGATED REGULATION (EU) 2025/2180

of 12 September 2025

supplementing Regulation (EU) 2023/2631 of the European Parliament and of the Council with regard to regulatory technical standards specifying the conditions for the registration of external reviewers, the criteria for assessing the sound and prudent management of external reviewers, the appropriateness of the knowledge, experience and training of the external reviewers’ employees, and the conditions under which external reviewers can outsource their assessment activities

(Text with EEA relevance)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2023/2631 of the European Parliament and of the Council of 22 November 2023 on European Green Bonds and optional disclosures for bonds marketed as environmentally sustainable and for sustainability-linked bonds (1), and in particular Article 23(6), third subparagraph, Article 27(2), third subparagraph, Article 28(3), third subparagraph and Article 33(7), third subparagraph thereof,

Whereas:

(1)

The good repute of the senior management and the members of the board of an external reviewer is of paramount importance to ensure that the external reviewer meets its regulatory obligations. An assessment of good repute should be based on information on the prior activities of those persons, including information on potential relevant criminal convictions, past misconduct, gross negligence, mismanagement of conflicts of interest or impairments to independence and objectivity, and information on their honesty, integrity and reputation.

(2)

Given that the senior management and the members of the board are accountable for the external reviewer’s activities, they should have sufficient skills, professional qualifications and experience. An assessment of whether those skills, professional qualifications and experience are sufficient should take into account the curriculum vitae of all members of the senior management and of the board, including up-to-date information on education, training, and employment history. The assessment should also take into account the overall composition and diversity of the senior management and of the board and the collective skills, professional qualifications and experience of their members, as relevant to the activities of the external reviewer and the risks to which that external reviewer is exposed.

(3)

To safeguard the continuity and regularity of external reviews, an external reviewer should employ an appropriate number of analysts, employees and persons who are directly involved in assessment activities. In that regard, information on the staffing arrangements of an external reviewer for analysts, employees and persons directly involved in assessment activities should be taken into account. That information should include the number of permanent and temporary contracts, likely future assessment activities, and the reasons why the external reviewer considers the analytical resources to be sufficient.

(4)

To ensure the quality of external reviews, analysts, employees and other persons directly involved in assessment activities should have adequate levels of knowledge, experience, and training. The assessment should take into account the education, training, and employment history of those persons. Furthermore, external reviewers should put in place training and development plans for all employees directly involved in assessment activities.

(5)

To ensure that decision-making structures provide for the sound and prudent management of the external reviewer, external reviewers should have corporate governance arrangements that specify the organisation, scope, purpose and functioning of their governance bodies, such as the board, supervisory body and relevant committees.

(6)

Maintaining a transparent and effective organisational structure is also a key component of sound and prudent management. To ensure transparency and effectiveness of their organisational structure, external reviewers should have clear reporting lines, responsibilities, and communication channels that encourage accountability and decision-making. For the same reason, external reviewers should implement and properly document appropriate policies and procedures as regards their governance structures, internal controls, business continuity, information processing systems, recordkeeping, administration, and accounting.

(7)

Given the importance of the internal control functions to the sound and prudent management of an external reviewer, external reviewers should put in place an internal control framework that ensures that the persons responsible for performing that function are appropriately empowered and that there is a clear segregation from the business lines they are overseeing.

(8)

To ensure sound and prudent management of compliance with their obligations under Regulation (EU) 2023/2361, external reviewers should ensure that the policies and procedures needed to comply with that Regulation are approved by their board.

(9)

The conflicts of interest management framework of an external reviewer should contain a comprehensive conflicts of interest policy approved by the board, and an inventory of conflicts of interests. The conflicts of interest policy should contain risk management procedures and controls to identify, eliminate, or manage and disclose in a transparent manner actual or potential conflicts of interest. That policy should also identify which conflicts of interest the external reviewer considers are to be managed or disclosed in a transparent manner and which conflicts of interest are to be eliminated. In addition, that policy should provide for appropriate an oversight and management of situations where professional judgement or decision-making may be compromised.

(10)

External reviewers should assess whether third-party service providers have the capacity to perform assessment activities reliably and professionally. In that regard, external reviewers should consider whether the expertise and availability of the third-party service provider are appropriate to the outsourced activities. For that purpose, external reviewers should take into account key elements relating to the third-party service provider and the outsourcing arrangement, such as its business model, the qualifications of its staff, the control framework, the use of automation and technology in the outsourced assessment activities, and its regulatory compliance.

(11)

External reviewers should ensure that the outsourcing of assessment activities does not materially impair the quality of their internal control. In that regard, external reviewers should evaluate the extent of their reliance on the third-party service provider and should monitor and control activities that address the risks arising from the outsourcing, in particular with regard to third countries. External reviewers should apply internal controls to ensure that adequate arrangements are in place in relation to the quality of service provided by the third-party service provider. External reviewers should put in place adequate practices in relation to documentation and recordkeeping by third-party service providers. That should ensure that an external reviewer and the European Securities and Markets Authority (ESMA) have access to all necessary information and that the outsourcing of assessment activities does not impair ESMA’s ability to supervise the external reviewer’s compliance with Regulation (EU) 2023/2631.

(12)

To ensure a sufficient degree of oversight over outsourced activities, external reviewers should carry out regular assessments.

(13)

The regulatory technical standards to be adopted on the basis of the empowerments laid down in Article 23(6), third subparagraph, Article 27(2), third subparagraph, Article 28(3), third subparagraph and Article 33(7), third subparagraph of Regulation (EU) 2023/2631 should be bundled into a single Commission Delegated Regulation to ensure that all provisions specifying registration of external reviewers are consolidated into one Regulation.

(14)

Information submitted to ESMA may contain information on the identity of the senior management and members of the board of an applicant external reviewer, as well as analysts, employees and other persons directly involved in assessment activities on their suitability. Such information includes personal data. In compliance with the principle of data minimisation enshrined in Article 4(1), point (c), of Regulation (EU) 2018/1725 of the European Parliament and of the Council (2), only personal data that is necessary to enable ESMA to assess the ability of the senior management, members of the board of an applicant external reviewer, as well as analysts, employees and other persons directly involved in assessment activities, to comply with the requirements laid down in Regulation (EU) 2023/2631 should be requested.

(15)

This Regulation respects the fundamental rights and observes the principles recognised by the Charter of Fundamental Rights of the European Union, and notably the right to protection of personal data. The processing of personal data for the purposes of this Regulation should be carried out in accordance with Union law on the protection of personal data. In that regard, any processing of personal data performed by ESMA in application of this Regulation should be carried out in accordance with Regulation (EU) 2018/1725. Any processing of personal data performed by entities applying for external reviewer within application of this Regulation should be carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (3) and national requirements on the protection of natural persons with regard to the processing of personal data.

(16)

To enable ESMA to conduct the assessment for the purposes of the registration and the ongoing supervision, while ensuring appropriate safeguards, personal data relating to the good repute of senior management and members of the board of an external reviewer should be kept by external reviewers and ESMA for no longer than five years after that member has ceased to perform its function or, in the event of the withdrawal of the registration of the external reviewer concerned.

(17)

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on 7 July 2025.

(18)

This Regulation is based on the draft regulatory technical standards submitted to the Commission by ESMA.

(19)

ESMA has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council (4),

HAS ADOPTED THIS REGULATION:

Article 1

Criteria to determine sufficiently good repute of senior management and the members of the board of an applicant external reviewer

1.   For the purposes of Article 23(2), point (a)(i), of Regulation (EU) 2023/2631, the good repute of the senior management and the members of the board of an applicant external reviewer shall be considered sufficient where the prior activities, relative to the field of sound and prudent management, of those persons demonstrate that they are able to carry out their functions with honesty and integrity.

2.   For the purposes of paragraph 1, ESMA shall take into account the following information:

(a)

proof of the absence of criminal records relating to money laundering, terrorist financing, provision of financial services or data services, acts of fraud or embezzlement, notably through an official certificate, or, where such a certificate is not available in the relevant Member State, a self-declaration of good repute and the authorisation to ESMA to request such information from the relevant authorities on whether that member has been convicted of a criminal offence in connection with money laundering, terrorist financing, the provision of financial services or data services or in relation to acts of fraud or embezzlement;

(b)

a self-declaration from each of the members of the senior management and of the board of whether that member:

(i)

where proof of the absence of criminal records is not available, has been convicted of any criminal offence;

(ii)

has been subject to an adverse decision in any proceedings of a disciplinary nature in connection with the provision of financial or sustainability-related services brought by a regulatory authority or government body;

(iii)

has been subject to an adverse judicial finding in civil proceedings before a court in connection with the provision of financial or sustainability-related services, or for impropriety or fraud in the management of a legal entity;

(iv)

has been part of the senior management or the board of an undertaking which was subject to an adverse decision or penalty by a regulatory authority or whose registration or authorisation was withdrawn by a regulatory authority;

(v)

has been refused the right to carry out activities which require registration or authorisation by a regulatory authority;

(vi)

has been subject to a fitness and propriety assessment by a regulatory body that has resulted in a negative decision, or a positive assessment subject to specific conditions;

(vii)

has been part of the senior management or board of an undertaking which has gone into insolvency, liquidation or administration while the person was employed by the undertaking or within a year of the person ceasing to be employed by the undertaking;

(viii)

has been fined, suspended, disqualified, or been subject to any other sanction by a professional body related to financial or commercial activities;

(ix)

has been disqualified from acting as a director, disqualified from acting in any managerial capacity, dismissed from employment or other appointment in an undertaking as a consequence of misconduct or malpractice;

(x)

has or has had any relationships, positions or involvement that could, directly or indirectly, affect the interests of an external reviewer and the integrity of its assessment activities;

(c)

the applicant external reviewer shall ensure that only persons responsible for the application have access to the information referred to in paragraph 2, point (a).. That information shall be stored separately from other information regarding the senior management and the members of the board of an external reviewer. Access to that information shall be recorded. That information shall not be stored where it concerns candidate members of the senior management and the members of the board of an applicant external reviewer that have not been appointed;

(d)

ESMA shall ensure that only persons responsible for the assessment of the suitability of the senior management and the members of the board of an applicant external reviewer have access to the information referred to in paragraph 2, point (a). That information shall be stored separately from other information regarding the senior management and the members of the board of an external reviewer. Access to that information shall be recorded. That information shall not be stored where it concerns candidate members of the senior management and the members of the board of an applicant external reviewer that have not been appointed;

(e)

personal data relating to the good repute of senior management and members of the board of an external reviewer shall be kept by external reviewers and ESMA for as long as it is necessary for the assessment of the initial registration and the ongoing supervision, as applicable and no longer than five years after that member has ceased to perform its function or in the event of the withdrawal of the registration of the external reviewer concerned.

Article 2

Criteria to determine sufficient skill, professional qualifications and relevant experience of senior management and the members of the board of the applicant external reviewer

1.   ESMA shall determine the skills, professional qualifications, and relevant experience of the senior management and members of the board of an applicant external reviewer to be sufficient as referred to in Article 23(2), points (a)(ii) to (a)(iv), of Regulation (EU) 2023/2631 where those skills, qualifications and that experience are appropriate to the nature and scale of the external reviews to be carried out by the applicant external reviewer and the tasks required of external reviewers pursuant to that Regulation.

2.   For the purposes of paragraph 1, ESMA shall take into account the following information:

(a)

an up-to-date curriculum vitae of each member of the senior management and the board of an external reviewer setting out detailed information relevant to the tasks required of external reviewers pursuant to Regulation (EU) 2023/2631, including:

(i)

details of education, including academic and professional certifications, and other relevant training;

(ii)

employment history, including the scope and duration of the functions performed, highlighting any activities relevant to the business of external reviewers;

(b)

the relevance of the knowledge attained through education and training to financial or sustainability-related services for the business of external reviewers;

(c)

the relevance of professional experience gained in activities related to the tasks to be performed by the external reviewer, such as quality assurance, quality control, the performance of pre-issuance, post-issuance and impact report reviews, and the provision of second-party alignment opinions or of financial services;

(d)

the collective and up-to-date skills, professional qualifications, and experience of the senior management and the members of the board relevant to the tasks required of external reviewers pursuant to Regulation (EU) 2023/2631 and related risks.

Article 3

Criteria to determine the sufficient number of analysts, employees and other persons directly involved in assessment activities

1.   ESMA shall determine the number of analysts, employees and other persons directly involved in assessment activities of an external reviewer to be sufficient as referred to in Article 23(2), point (b), of Regulation (EU) 2023/2631 where the number is appropriate to the nature and scale of the external reviews to be carried out by the external reviewer and the tasks required of external reviewers pursuant to that Regulation.

2.   For the purposes of paragraph 1, ESMA shall take into account the following information:

(a)

the total number of analysts, employees and other persons directly involved in assessment activities, their seniority, their job descriptions, the permanent or temporary nature of their employment contracts, and the reasons why the external reviewer considers the numbers and roles to be appropriate;

(b)

the expected number and duration of external reviews to be provided in the next 24 months, and the reasons why the external reviewer considers that the number of employees and other persons directly involved in assessment activities is commensurate to the number and duration of future external reviews.

Article 4

Criteria to determine the sufficient level of knowledge, experience and training of analysts, employees and other persons directly involved in assessment activities

1.   ESMA shall determine the knowledge, experience and training of the analysts, employees and other persons directly involved in assessment activities to be sufficient as referred to in Article 23(2), point (a), of Regulation (EU) 2023/2631, where the knowledge, experience and training are appropriate to the nature and scale of the external reviews to be carried out by the external reviewer and the tasks required of external reviewers pursuant to that Regulation.

2.   For the purposes of paragraph 1, ESMA shall take into account the following information:

(a)

the type of assessment activities that the persons directly involved in assessment activities are expected to provide in the next 24 months;

(b)

the employment history of the persons referred to in point (a), including the nature and length of services provided in previous posts and responsibilities held;

(c)

the experience of the persons referred to in point (a) that is related to quality assurance, quality control, the performance of pre-issuance, post-issuance and impact report reviews, and the provision of second-party alignment opinions or financial services;

(d)

the educational background of the persons referred to in point (a) and any relevant professional certifications or qualifications obtained;

(e)

other professional and academic achievements of the persons referred to in point (a) that are relevant for the nature of their functions;

(f)

the training and development plan for the persons referred to in point (a);

(g)

where applicable, the use of automation technology in the assessment activities.

3.   External reviewers shall ensure that they take into account the information referred to in paragraph 2 of this Article to determine the knowledge, experience and training of the analysts, employees and other persons whose services are placed at their disposal or under their control and who are directly involved in assessment activities to be sufficient as referred to in Article 28(1) of Regulation (EU) 2023/2631.

Article 5

Criteria for assessing sound and prudent management by external reviewers

1.   When assessing their sound and prudent management, external reviewers shall ensure that the following criteria are fulfilled:

(a)

the corporate governance arrangements specify at least the organisation, scope, purpose, and functioning of the governance bodies of the external reviewer, including clear reporting lines, responsibilities of roles and communication channels;

(b)

there is an internal control framework;

(c)

the organisational arrangements ensure continuity and regularity in the performance of assessment activities, safeguarding of the confidentiality and security of records of the services provided, sound administrative and accounting procedures, and adequate information processing systems;

(d)

the anonymity of whistleblowers is safeguarded and reprisals are prohibited;

(e)

transactions with related parties, employee personal account dealing, outside business activities and the acceptance of gifts and hospitality are reviewed consistently;

(f)

the independence of the employees subject to variable compensation arrangements is ensured;

(g)

the board of the external reviewer adopts the policies and procedures in compliance with this Regulation.

2.   For the purposes of paragraph 1, point (b), external reviewers shall ensure that the internal control framework fulfils the following criteria:

(a)

the internal control mechanisms are adapted to the nature, scale and complexity of the external reviewer;

(b)

the persons responsible for internal controls are able to obtain the information necessary to perform their function and report their findings to the board of the external reviewer;

(c)

the internal control functions are independent and clearly segregated from the business lines performing the assessment activities.

3.   The external reviewer shall evaluate the criteria referred to in paragraphs 1 and 2 prior to providing external review activities and thereafter at least once every 24 months, or as soon as the external reviewer becomes aware of significant deviations from the criteria.

Article 6

Criteria for assessing the management of conflicts of interest

1.   When assessing the management of conflicts of interest, external reviewers shall ensure that the following criteria are fulfilled:

(a)

there is a conflicts of interest policy;

(b)

there is an effective compliance process that is appropriate for monitoring the implementation of the conflicts of interest policy, including board oversight;

(c)

there are procedures for training and raising awareness of the content of the conflicts of interest policy to senior management, members of the board, analysts, employees, and any other natural person whose services are placed at the disposal or under the control of the external reviewer, including before those persons first take up their duties;

(d)

an inventory of actual or potential conflicts of interest relevant to the external reviewer is kept, including proposed mitigation measures;

(e)

risk management procedures and preventative and detective controls with respect to the identification, elimination, management, and disclosure of conflicts of interest are in place;

(f)

the conflicts of interest to be eliminated or managed and disclosed in a transparent manner are identified;

(g)

the independence of analysts, employees and other persons directly involved in assessment activities is ensured.

2.   The external reviewer shall evaluate the criteria referred to in paragraph 1 prior to providing external review activities and thereafter at least once every 24 months, or as soon as the external reviewer becomes aware of significant deviations concerning the management of conflicts of interests.

Article 7

Criteria for assessing the ability and capacity of third-party service providers to perform assessment activities

1.   When assessing whether third-party service providers are able and have the capacity to perform assessment activities reliably and professionally, external reviewers shall ensure that the following criteria are fulfilled:

(a)

the third-party service provider has expertise in the subject matters of the outsourced activities;

(b)

the third-party service provider is available to provide the outsourced activities for the duration of the planned outsourcing;

(c)

the third-party service provider has in place an internal control framework to ensure the adequate performance of the outsourced activities.

2.   The assessment referred to in paragraph 1 shall take into account the following information in relation to the third-party service provider:

(a)

the business model, services offered, ownership, group structure and status as a regulated or supervised entity;

(b)

the qualifications of the staff involved in the outsourced assessment activities;

(c)

the policies and procedures in place for the performance of the outsourced activities, including the use of accurate and reliable information and data;

(d)

the controls and monitoring activities in place to ensure the effective application of the policies and procedures for the performance of the outsourced activities;

(e)

where applicable, the use of automation technology in the assessment activities;

(f)

legal and regulatory requirements applicable to the activities of the third-party service provider.

Article 8

Criteria for ensuring that outsourcing assessment activities does not materially impair the quality of the internal control of the external reviewer

When ensuring that outsourcing of assessment activities does not materially impair the quality of their internal control, external reviewers shall ensure that the following criteria are fulfilled:

(a)

the expected number and type of assessment activities to be outsourced do not give rise to an over-reliance on the third-party service provider;

(b)

safeguards are in place to manage the risks involved in the outsourcing, including dependency risks for the provision of the outsourced assessment activities;

(c)

arrangements are in place for the continuity of service, including contingency plans and periodic testing of back-up facilities;

(d)

arrangements are in place for the security of data and systems, including any use of cloud technology;

(e)

safeguards are in place to ensure that the external reviewer is capable of monitoring and overseeing the outsourced assessment activities;

(f)

where the third-party service provider is contractually permitted to further outsource the performance of the assessment activities, those activities fulfil the criteria set out in points (a) to (e).

Article 9

Criteria for ensuring that outsourcing assessment activities does not materially impair ESMA’s ability to supervise compliance of external reviewers

When ensuring that outsourcing does not materially impair ESMA’s ability to supervise external reviewers’ compliance with Regulation (EU) 2023/2631, external reviewers shall ensure that the following criteria are fulfilled:

(a)

an appropriate level of documentation and recordkeeping of all the names and positions of the persons responsible for approving and monitoring the outsourcing is maintained;

(b)

the third-party service provider is capable of providing the external reviewer with all the necessary information concerning outsourced assessment activities required by the external reviewer to demonstrate the external reviewer’s compliance with Regulation (EU) 2023/2631;

(c)

where assessment activities are outsourced to a third-country third-party service provider, the external reviewer and the third-party service provider have in place procedures ensuring the management of risks arising from the following:

(i)

diverging regulatory requirements or legal systems;

(ii)

absence or untimely execution of exit strategies in the event of service interruptions or failures;

(iii)

information and data security incidents;

(iv)

breach of confidential information;

(v)

lack of prompt access for ESMA and the external reviewer to the third-party records, including where those records are maintained in third-country jurisdictions.

Article 10

Evaluation of criteria of outsourcing of assessment activities

External reviewers shall evaluate compliance with the criteria set out in this Regulation prior to the start of the outsourced assessment activity and thereafter, at least once every 24 months, or as soon as the external reviewer becomes aware of significant deviations in the ability of third-party service providers to perform the assessment activities reliably and professionally.

Article 11

Entry into force

This Regulation shall enter into force and apply on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 12 September 2025.

For the Commission

The President

Ursula VON DER LEYEN


(1)   OJ L, 2023/2631, 30.11.2023, ELI: http://data.europa.eu/eli/reg/2023/2631/oj.

(2)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj).

(3)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj).

(4)  Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84, ELI: http://data.europa.eu/eli/reg/2010/1095/oj).


ELI: http://data.europa.eu/eli/reg_del/2025/2180/oj

ISSN 1977-0677 (electronic edition)


Início