
Freshfields Risk & Compliance


Road to CRD 6 – the harmonisation of red tape: EBA’s Draft RTS on Qualifying Holding Procedures

Directive (EU) 2024/1619 (commonly referred to as CRD 6) is part of the so-called EU Banking Package. It introduces, among other things, requirements in relation to the establishment of third-country branches (see separate blog), ESG-related requirements (see separate blog) and new approval and notification requirements in the context of M&A in the financial services sector (see separate blog).

An often overlooked aspect of CRD 6 is the instruction to the European Banking Authority (EBA) to develop draft regulatory technical standards specifying the list of minimum information to be provided in the context of qualifying holding procedures. Against this background, on 20 June 2025, the EBA published a consultation on draft Regulatory Technical Standards (RTS), the aim of which is to ensure a harmonised European approach to the prudential assessment of acquirers of qualifying holdings in credit institutions.

This blogpost provides an overview of the key aspects of the draft RTS and compares it to the existing Joint Guidelines on the prudential assessment of acquisitions and increases in qualifying holdings in the financial sector (Joint Guidelines).

1. Increased relevance of Anti-Money Laundering (AML)

The prevention of money laundering in the context of an acquisition of a qualifying holding has always been a key assessment criterion in qualifying holding procedures. In line with current regulatory initiatives, AML now seems to take a more prominent role in qualifying holding assessments for credit institutions – even though the ECB is not an AML supervisor. Examples of this increased focus on AML include:

  • A trust must disclose the identity of all trustees and beneficiaries, as well as the settlor’s identity and the trustee’s AML controls;
  • Acquirers that are obliged entities must provide their AML policies and procedures;
  • Acquirers that are natural persons must provide the competent authority with information on any position of responsibility held within an entity at the time of, among others, ongoing investigations in respect of money laundering, terrorist financing and failure to put in place adequate policies and procedures to prevent such events;
  • Acquirers must provide a description of the activity that generated the funds or assets for the acquisition, supported by relevant documents; and
  • The business plan must include any action envisaged to be implemented in the target institution to ensure compliance with AML requirements, including to monitor and mitigate ML/TF risks or to remedy any material deficiency or breach of the AML/CFT framework.

2. Focus on cybersecurity and IT infrastructure

In addition, a new focus of the assessment is on whether the acquisition impacts cybersecurity and the IT infrastructure at the target institution. Examples of this trend include:

  • Acquirers must describe planned changes to cybersecurity architecture, backup systems, and digital resilience (including compliance with Regulation (EU) 2022/2554, DORA);
  • Information on ICT third-party outsourcing (e.g., cloud providers) must also be disclosed, reflecting growing concerns around digital operational risk; and
  • CVs of acquirers that are natural persons, as well as of management body members of acquirers that are legal persons, have to include information on professional experience in the area of cybersecurity, digital innovation and, where relevant, distributed ledger technology. What may appear to be a simple formalistic requirement may in practice be understood as a notable increase in knowledge requirements for acquirers of qualifying holdings.

The new focus on cybersecurity and IT infrastructure underscores a regulatory expectation that acquirers should play a proactive role in reinforcing digital resilience post-acquisition. A high degree of transparency, risk awareness, and control is required, whereby compliance with DORA requirements is considered essential.

3. Trusts face expanded information requirements

The Joint Guidelines already require the submission of information on the identity of (i) all trustees who will manage assets under the terms of the trust document and (ii) all persons who are beneficial owners or settlors of the trust property. The draft RTS now extend these requirements and require a significant amount of additional information, including:

  • The identity of each person that is a settlor or a protector of the trust property;
  • A copy of any document establishing and governing the trust – often a document containing highly sensitive information;
  • A description of the main features of the trust and its functioning;
  • An overview of its business activities; and
  • A description of its investment policy.

4. UCITS and AIFs are generally treated like hedge funds and private equity firms

Hedge funds and private equity firms already face detailed disclosure rules requiring, among other things, the submission of details of the investment policy and a description of the performance of other qualifying holdings of the acquirer. The EBA now proposes extending these requirements to AIFs, UCITS, and their management companies.

While the stricter requirements for hedge funds and private equity firms appear to be due to a greater distrust of these types of acquirers by the regulators, this certainly cannot be said for all types of AIFs and UCITS (such as ETFs), where a negligible influence on the target can often be expected. This overregulation of AIFs and UCITS is only offset to a limited extent by a reduced set of information for AIFs and UCITS that belong to the group of the proposed acquirer and are subject to the control of the same ultimate beneficial owner as the proposed acquirer. Especially in the case of ETFs, it seems questionable whether the requirements of this exemption will ever be met.

5. More transparency of acquisition financing

The RTS contain more detailed information requirements on how acquisitions are financed, including the disclosure of financing structures, agreements, terms and conditions, and impact on financial strength. In line with current supervisory trends, the EBA seems to pay particular attention to shadow banks as providers of acquisition financing. Where the lender is not a credit institution or financial institution authorised to grant credit, acquirers shall provide, among others, comprehensive information and supporting evidence on the origin of the funds borrowed and the lender’s activities. 

6. Expanded business plan requirements

The regulatory business plan is a key part of every qualifying holding procedure. In particular where credit institutions are the target of an acquisition, these documents can easily run into three-digit page counts – and the draft RTS will further add to their length, at least in those cases where the acquirer will hold more than 50 % in the target. The additional requirements include:

  • All business plan information has to consider a baseline and a stress scenario;
  • A description of (i) the policies governing third-party service providers of critical or important functions, (ii) the data aggregation capabilities, and (iii) any actions envisaged to be implemented to ensure compliance with AML requirements has to be provided;
  • The business plan must outline any updates of the recovery plan that may be necessary following the proposed acquisition. That the recovery plan – often considered to be one of the most sensitive documents of an institution – will typically not be disclosed pre-acquisition is not reflected in the draft RTS;
  • Moreover, the business plan must provide for a detailed integration plan in case the target becomes part of a group following the acquisition; and
  • The acquirer must also submit the due diligence report on the target, where available. 

Conclusion

The EBA presents the draft RTS as a step towards greater harmonisation of qualifying holdings procedures in the EU. Since the draft RTS will apply directly across all Member States, this aim will surely be fulfilled. However, harmonisation will only occur with respect to credit institutions and not other types of regulated targets such as investment firms or payment institutions. In addition, only the content-related information requirements will be harmonised but not the form requirements, which in practice have a considerable impact on the duration and complexity of filings.

It also seems worth noting that the draft RTS will set aside any exemptions and facilitations under national law that are not provided for in the draft RTS. For example, the German BaFin only recently proposed simplifications and facilitations of the German qualifying holding rules (see separate blog), at least some of which would not be available if the draft RTS were enacted as currently proposed. Considering that the draft RTS does not provide for any (particularly relevant) new exemptions and facilitations, the draft RTS will in practice therefore reduce the extent to which acquirers can rely on such exemptions.

Overall, the EBA therefore seems to have chosen a path of even more red tape for FIG M&A in the EU, all under the pretext of greater harmonisation. The EBA has, at least so far, missed the chance to simplify qualifying holding procedures in the EU and thereby promote the European FIG M&A sector.

The consultation phase is open until 18 September 2025. For specific queries please feel free to reach out.