As 2026 approaches, this article launches a practical, forward-looking horizon-scan of what truly matters in the coming year for ESG, GRC and financial regulation across the European Union. It focuses on rules newly applying or reaching decisive milestones, cutting through noise to highlight what boards, compliance teams and risk leaders must prepare for now, from sustainability reporting to digital resilience and supervisory enforcement in the context of intensifying geopolitical and regulatory pressure.
- EU Taxonomy: Expansion of Alignment Reporting
Jurisdiction: European Union
Type: Regulation and delegated acts on sustainable finance and ESG reporting.
Changes in 2026: From the 2026 reporting year, companies in scope of the Corporate Sustainability Reporting Directive (CSRD) must disclose taxonomy alignment not only for climate mitigation and adaptation, but also for water and marine resources, circular economy, pollution prevention and control, and biodiversity and ecosystems, completing coverage of all six environmental objectives.
What action should be taken: 2026 is the year taxonomy shifts from “climate-first” to fully environmental. Finance, risk and sustainability teams should expand data capture across water, waste, emissions and nature, stress-test financing portfolios, and embed new KPIs into controls and assurance plans now. Early supplier and data-partner engagement will be critical to avoid last-minute compliance risk.
- CSRD / ESRS: Sector and Third-Country Standards
Jurisdiction: European Union
Type: Delegated acts and reporting standards
Changes in 2026: The European Commission must adopt sector-specific European Sustainability Reporting Standards and standards for third-country companies by 30 June 2026, following a formal delay to allow more proportionate rule-making. This will shape how banks, insurers, energy, transport, textiles and other sectors report under the CSRD.
What action should be taken: Expect intensive consultations through 2025–26. Begin mapping which sector standards are likely to apply, assess data gaps now, and plan systems upgrades and assurance models early to avoid compressed implementation timetables and late-stage compliance risk.
- EPR and Circular Economy Rules: First Big Textile Dates
Jurisdiction: European Union Member States
Type: National laws under EU waste and circular-economy directives
Changes in 2026: 2026 marks the first major real-world deadlines for textile Extended Producer Responsibility (EPR). Italy plans to launch mandatory textile EPR in early 2026, ahead of the EU-wide requirement for all Member States to have schemes in place by 2028 under the revised Waste Framework regime. Producers will face new obligations on collection, recycling, reporting and eco-modulated fees linked to product sustainability.
What action should be taken: Fashion, retail and manufacturing groups should map national roll-out timetables now, model future EPR costs, upgrade product data on materials and durability, and tighten supplier contracts to support take-back, reporting and recycling compliance.
- CRD6: ESG Embedded in Bank Governance
Jurisdiction: European Union
Type: Capital Requirements Directive (CRD6 – Basel III finalisation)
Changes in 2026: From 11 January 2026, Member States must apply CRD6, hard-wiring ESG risk into banks’ governance, strategy and risk-management frameworks. Boards will be explicitly accountable for identifying, managing and overseeing environmental, social and governance risks within business models, risk appetite and internal controls. CRD6 also tightens rules on third-country branches, fit and proper assessments, capital planning and supervisory intervention powers.
What action should be taken: Banks should update board mandates, risk appetite statements and ICAAP frameworks to reflect ESG risk formally, train senior management, and test controls against supervisory expectations well ahead of 2026.
- EBA Guidelines on ESG Risk Management – Live from January 2026
Jurisdiction: EU (supervisory guidelines for banks and investment firms)
Type: EBA Guidelines (“comply or explain” soft law)
Changes in 2026: The final European Banking Authority (EBA) Guidelines on the management of ESG risks, published in January 2025, will apply from 11 January 2026. They require firms to integrate ESG risks across strategy, governance, risk appetite, ICAAP, ILAAP and day-to-day risk management. Small and non-complex institutions benefit from a one-year deferral to January 2027. Supervisors are expected to assess compliance through SREP from 2026 onwards.
What action should be taken: Banks should test ESG risk frameworks against the Guidelines now, align capital and liquidity planning, refresh board reporting, and prepare for supervisory challenge.
- Market Risk (FRTB) & CRR3 – Go-Live Reset to 1 January 2026
Jurisdiction: EU
Type: Capital Requirements Regulation (CRR3) and delegated acts
Changes in 2026: The European Commission has confirmed it will delay application of the new market-risk framework (FRTB) to 1 January 2026, aligning it with the wider Basel III “finalisation” package under CRR3. This gives banks temporary relief on capital volatility and modelling demands, but also compresses final implementation timelines for internal models, standardised approaches and reporting. National authorities are already signalling close supervisory scrutiny during the final run-up.
What action should be taken: Use the deferral to complete model approvals, strengthen data and valuation controls, embed FRTB governance in trading risk frameworks, and dry-run capital impacts through 2025 to avoid a cliff-edge in 2026.
- EU AI Act – Major Obligations from August 2026
Jurisdiction: EU (with extraterritorial reach)
Type: Horizontal technology regulation
Changes in 2026: The EU AI Act applies in stages, with full effect by August 2027. Crucially, from August 2026, strict obligations bite for general-purpose and systemic-risk AI models, including model evaluation, risk mitigation, incident reporting, cybersecurity controls, transparency and training-data summaries. At the same time, key high-risk AI system and transparency rules also start to apply, with some phased extensions into 2027.
What action should be taken: Organisations should build an enterprise-wide AI governance framework now: map AI use cases, classify risk, embed controls, testing and documentation, and integrate AI compliance into enterprise risk management (ERM), third-party risk and data governance.
- EBA ESG Risk Management Guidelines – A 2026 GRC Cornerstone
Jurisdiction: EU
Type: Supervisory guidelines (“comply or explain” soft law)
Changes in 2026: The EBA Guidelines on the management of ESG risks, finalised in January 2025, apply from 11 January 2026 (with a deferral to January 2027 for small and non-complex institutions). They set detailed expectations for governance, strategy, risk appetite, policies, data, methodologies and climate/ESG scenario analysis. From 2026, supervisors are expected to embed these directly into SREP, ICAAP and ILAAP reviews.
What action should be taken: Firms should now align ESG risk policies with the Guidelines, upgrade data and scenario analysis, refresh board reporting and ensure ESG is fully embedded in capital, liquidity and risk appetite frameworks.
Turning insight into action
Treat the regimes above as a practical programme, not a reading list. Build a simple 2026 readiness grid for each: confirm scope (direct or indirect), identify the first affected financial year, name an owner, run a green/amber/red gap assessment across policy, data, controls and governance, then lock in the 2025–26 actions needed before FY2026 opens and before reporting begins.
Anchor interpretations in primary sources such as the EU CSRD on EUR-Lex, the ESRS guidance from EFRAG, and supervisory expectations from ESMA. Review quarterly in ExCo and budget early for data and systems. If you share your sector, size and UK/EU footprint, I will translate this into a one-page, board-ready roadmap.
