EBA ESG Risk Management: What Banks Need to Know, and Must Do, Now

The European Banking Authority (EBA) has drawn a line in the sand. With the publication of its final Guidelines on the Management of ESG Risks in June 2024, EBA ESG risk management became one of the most consequential regulatory mandates European banks have ever received: embed environmental, social and governance risks into the very core of how you identify, measure, and manage risk, or face the consequences.

For many institutions, this is no longer a question of ambition or ESG strategy. It is a question of compliance.


The Regulatory Paradox: Less Reporting for Companies, More Scrutiny for Banks

The CSRD was designed to require approximately 50,000 companies across the EU to publish sustainability reports. Then came the Omnibus package in early 2025, which slashed that number to roughly 5,000–8,000 — a reduction of 80–90%. Many SMEs and mid-market firms were effectively let off the hook.

But for banks and institutional investors, the direction of travel is the exact opposite. While corporate reporting obligations shrank, EBA ESG risk demands tightened. Banks must still assess the ESG risks embedded in their portfolios; they simply now have far less counterparty data to work with. The message from regulators is clear: even if companies are not required to report, financial institutions are required to know.


What Are the EBA ESG Risk Guidelines?

The EBA ESG risk guidelines establish a common framework for how banks and financial institutions across the EU must integrate ESG-related risks into their internal risk management processes, governance structures, and business strategies.

The new guidelines set binding expectations covering everything from board-level oversight to loan-book transition planning. At their core, they reflect a straightforward regulatory logic: climate change, biodiversity loss, social disruption, and governance failures are not abstract sustainability concerns. They are financial risks. Banks that fail to manage them are carrying unpriced exposures on their balance sheets.

“ESG risks, and in particular environmental risks, may have a material impact on the safety and soundness of institutions… These guidelines aim to ensure that institutions develop robust and comprehensive approaches to the management of ESG risks.”

Source: EBA Final Guidelines on ESG Risk Management, June 2024


Who Do the EBA ESG Risk Requirements Apply To?

The guidelines apply to all credit institutions and investment firms subject to EU prudential regulation under the Capital Requirements Directive (CRD). This broadly covers:

  • Large universal banks and systemically important institutions (SIIs)
  • Mid-size and regional banks operating across EU member states
  • Investment firms subject to CRD V/CRR2
  • EU subsidiaries of international banking groups

A proportionality principle applies, meaning smaller, non-complex institutions (SNIs) face a lighter burden, but no institution is exempt. Across the EU there are approximately 6,000 credit institutions in scope. Of these, roughly 2,000–2,500 large and medium-sized institutions face the most demanding requirements from January 2026, with a further 3,500 smaller institutions following by January 2027. Including investment firms, well over 5,000 institutions across the EU must build EBA ESG risk management capabilities.


Key Timelines

The guidelines entered into force in January 2025, with a phased implementation approach:

Milestone | Date
Guidelines published (final) | June 2024
Entry into force | January 2025
Large institutions: full compliance | January 2026
Small and non-complex institutions (SNIs): compliance | January 2027
Full transition plan integration (all institutions) | 2025–2030

By 2025–2026, large institutions must have documented transition plans aligned with Paris Agreement goals — not aspirational documents, but strategies integrated into credit policy and risk appetite.


What Do the EBA ESG Risk Guidelines Demand?

The guidelines are structured around five core pillars:

1. Governance and Strategy

Institutions must embed ESG risk considerations at the highest levels. This means:

  • Board and senior management must have defined ESG risk responsibilities
  • Risk appetite frameworks must explicitly address ESG risk dimensions
  • Business strategies must be assessed for alignment with EU sustainability goals (including the Paris Agreement and the EU Taxonomy)

2. Internal Risk Management Integration

ESG risks must be integrated into existing risk categories, not treated as a standalone silo. Credit risk, market risk, operational risk, and liquidity risk frameworks must all be updated to capture ESG risk drivers.

For example: a loan to a carbon-intensive industrial company must be assessed not just on traditional creditworthiness, but also on how physical climate risks (flooding, drought) and transition risks (carbon pricing, stranded assets) affect repayment probability.

3. Transition Plans

Institutions must develop credible, time-bound transition plans showing how their balance sheets align with a 1.5°C pathway. These must cover:

  • Scope 1, 2 and 3 financed emissions
  • Sector-by-sector decarbonisation trajectories
  • Milestones at 1-year, 3-year and 10-year horizons
  • Client engagement strategies for high-emission counterparties

4. Materiality Assessment

Institutions must conduct structured double materiality assessments, identifying where ESG risks are material to their own financial health, and where their activities have a material impact on the environment and society.

5. Disclosure and Reporting

ESG risk findings must feed into both internal reporting (boards and risk committees) and external disclosures, aligned with CSRD and the Pillar 3 ESG disclosure framework.


What Data Does EBA ESG Risk Management Require?

Meeting the EBA ESG risk guidelines is fundamentally a data problem. Banks need granular, reliable ESG data on their counterparties, borrowers, and investee companies. The key categories include:

Environmental Data

  • GHG emissions: Scope 1, 2 and 3 (including financed emissions via PCAF methodology)
  • Carbon intensity: revenue-weighted and asset-weighted
  • Energy consumption and efficiency: across counterparty operations
  • Physical risk exposure: flood zones, heat stress, sea level rise, wildfire risk at asset and facility level
  • Transition risk indicators: carbon price sensitivity, fossil fuel dependency, regulatory exposure
  • Taxonomy alignment: EU Taxonomy eligibility and alignment ratios
  • Biodiversity footprint: land use, water stress, deforestation linkage

Social Data

  • Workforce metrics: employee turnover, gender pay gap, diversity ratios
  • Health and safety: accident rates and fatalities
  • Supply chain labour standards: particularly for high-risk sectors

Governance Data

  • Board composition and independence
  • Executive remuneration linked to ESG targets
  • Anti-corruption and anti-bribery policies
  • Controversy and sanctions screening

Loan-Book Specific Data

  • Counterparty ESG scores and ratings
  • Sector classification and NACE codes linked to ESG risk profiles
  • Real estate energy performance certificates (EPCs) for mortgage portfolios
  • SME ESG proxies: a major challenge, given that most SMEs do not report ESG data

Why the EBA ESG Risk Data Gap Is So Hard to Close

Many banks are discovering that the data they need simply does not exist in structured, accessible form, particularly for smaller and mid-market borrowers.

Large listed corporates increasingly publish ESG data in line with CSRD, TCFD, and GRI standards. But the loan books of most European banks are dominated by SMEs, private companies, and international counterparties that either do not report ESG data voluntarily or report it inconsistently.

“The quality and availability of ESG data remains one of the most significant obstacles to implementing robust ESG risk management… Institutions should use best-effort approaches and proxies where data is unavailable, while continuing to improve data collection over time.”

Source: EBA Final Guidelines on ESG Risk Management, June 2024

The EBA acknowledges this challenge but does not remove the obligation. Institutions must develop credible methodologies for estimating ESG risk exposure even where primary data is absent.


Why Traditional (Legacy) ESG Data Collection Cannot Solve This

Manual collection — questionnaires, relationship manager outreach, analyst research — works for a portfolio of 50 companies. It breaks down completely at 5,000 or 50,000. Response rates from SMEs are low, quality is inconsistent, and the data is outdated by the time it is gathered. The operational cost is simply not viable at scale.

The major global providers (Bloomberg, MSCI, Refinitiv, Sustainalytics) cover large listed companies well, but their models were built for equity investors, not bank lending desks. Their universe of 10,000–15,000 companies leaves the bulk of a typical bank’s loan book — private, unlisted, regional, international — completely uncovered. And their reliance on company-reported disclosures means that gap will not close on its own.

That gap is exactly what Cleartraced is built around.

Our AI pipeline actively finds, extracts, and structures ESG-relevant data from across the open web: regulatory filings, company websites, news sources, public procurement records, environmental permits, and more. Any company, anywhere, at scale.


Three Additional Areas to Watch

The Omnibus rollback worsens the data problem. Fewer counterparties will now publish structured sustainability data, hitting the mid-market and international borrowers that banks depend on most. The regulatory obligation on banks did not shrink with CSRD. The data supply did.

Climate stress testing is becoming mandatory. Banks must model how orderly transition, disorderly transition, and physical risk scenarios affect their capital adequacy. The data inputs are extensive and the methodologies are still maturing, meaning institutions that start building data infrastructure now will have a significant head start.

Supervisory pressure is rising. NCAs across the EU are already factoring EBA ESG risk management into SREP assessments. Weak data capabilities, missing transition plans, or underdeveloped governance can result in Pillar 2 capital add-ons. The EBA has signalled ESG risk will be a standing SREP component from 2026 onwards.


The Bottom Line: Act Now

The window for treating EBA ESG risk compliance as a future problem is gone. Large institutions face full compliance from January 2026. Supervisors are already asking questions. And building reliable ESG data coverage across tens of thousands of counterparties takes time.

Banks that begin now will have better risk models, cleaner loan books, lower regulatory capital pressure, and stronger client relationships. Those that delay risk regulatory sanction and being caught flat-footed when the next climate-related credit event hits their portfolio.


How Cleartraced Can Help

This is precisely the challenge Cleartraced was built to solve.

We have developed an AI-powered ESG data pipeline capable of finding and extracting ESG data on any company globally, including the SMEs, private companies, and international counterparties that traditional data providers cannot reach. Our platform delivers:

  • Custom data collection built around your specific portfolio. We collect ESG data on the exact companies that matter to your institution, not a generic universe that may or may not overlap with your loan book or investment portfolio.
  • Structured ESG data aligned with EBA ESG risk requirements, EU Taxonomy, CSRD, and PCAF
  • Continuous updating so your data stays current as regulatory requirements evolve
  • Full source traceability on every data point. Every piece of data Cleartraced delivers is linked back to its exact origin: the URL it was found on, the specific page within a document, and the precise position within a PDF. Sources are archived so links do not die over time. This means your compliance and audit teams can verify any data point at any time, with a clear, documented evidence trail that satisfies regulatory scrutiny.
  • Full API integration for seamless delivery. Receive ESG data directly into your systems via API, and submit new company requests via API as well, so when a new counterparty enters your portfolio, you can trigger data collection instantly without any manual process.

Whether you are building your first ESG risk framework or upgrading an existing capability for EBA compliance, Cleartraced can give you the data foundation you need.

Get in touch today to see how Cleartraced can help your institution meet its EBA ESG risk obligations and turn ESG data into a competitive advantage.





Cleartraced is an AI-powered ESG data company providing structured sustainability data for financial institutions, lenders, and corporates globally.
