Part II – Management
Management Board and Board of Supervisors
Board of Supervisors
The Board of Supervisors is the EBA’s main decision-making body and guides the work of the Authority. In addition to the EBA’s Chairperson, the Board of Supervisors is composed of the heads of banking supervision or their representatives in 30 national EU and EEA-EFTA supervisory authorities, who are sometimes accompanied by a representative of the national central bank. It also includes representatives from the European Commission, the European Systemic Risk Board, the European Central Bank, the Single Supervisory Mechanism, the Single Resolution Board, the European Securities and Markets Authority, the European Insurance and Occupational Pensions Authority and the EFTA Surveillance Authority.
As of 10 July 2023, the Board of Supervisors appointed Mr Helmut Ettl, Executive Director of the Austrian Financial Market Authority, as Vice-Chairperson for a 2.5-year term, succeeding Mr Jo Swyngedouw, Head of Financial Stability, AML Supervision and Banking Prudential Policy of the National Bank of Belgium.
In 2023, the Board of Supervisors met 10 times and twice with the EBA’s Banking Stakeholder Group. All the minutes of the Board of Supervisors, Management Board and Banking Stakeholder Group are available on the EBA website under the section Governance structure and decision making.
Board of Supervisors composition at the end of 2023
Voting members
Country | Institution | Type of membership | Name |
---|---|---|---|
Austria | Österreichische Finanzmarktaufsicht | Member | Helmut Ettl |
Austria | Österreichische Finanzmarktaufsicht | Alternate | Michael Hysek |
Belgium | Nationale Bank van België/Banque Nationale de Belgique | Member | Jo Swyngedouw |
Belgium | Nationale Bank van België/Banque Nationale de Belgique | Alternate | Kurt Van Raemdonck |
Bulgaria | Bulgarian National Bank | Member | Radoslav Milenkov |
Bulgaria | Bulgarian National Bank | Alternate | Stoyan Manolov |
Croatia | Hrvatska Narodna Banka | Member | Tomislav Ćorić |
Croatia | Hrvatska Narodna Banka | Alternate | Sanja Petrinić Turković |
Cyprus | Central Bank of Cyprus | Member | Constantinos Trikoupis |
Cyprus | Central Bank of Cyprus | Alternate | Kleanthis Ioannides |
Czech Republic | Česká Národní Banka | Member | Zuzana Silberová |
Czech Republic | Česká Národní Banka | Alternate | Marcela Gronychová |
Denmark | Finanstilsynet | Member | Louise Caroline Mogensen |
Denmark | Finanstilsynet | Alternate | Thomas Worm Andersen |
Estonia | Finantsinspektsioon | Member | Andres Kurgpõld |
Estonia | Finantsinspektsioon | Alternate | Kilvar Kessler |
Finland | Finanssivalvonta | Member | Marko Myller |
Finland | Finanssivalvonta | Alternate | Jyri Helenius |
France | Autorité de Contrôle Prudentiel et de Résolution | Member | Nathalie Aufauvre |
France | Autorité de Contrôle Prudentiel et de Résolution | Alternate | François Haas |
Germany | Bundesanstalt für Finanzdienstleistungsaufsicht | Member | Raimund Röseler |
Germany | Bundesanstalt für Finanzdienstleistungsaufsicht | Alternate | Adam Ketessidis |
Greece | Bank of Greece | Member | Heather Gibson |
Greece | Bank of Greece | Alternate | Kyriaki Flesiopoulou |
Hungary | Magyar Nemzeti Bank | Member | Csaba Kandrács |
Hungary | Magyar Nemzeti Bank | Alternate | László Vastag |
Ireland | Central Bank of Ireland | Member | Gerry Cross |
Ireland | Central Bank of Ireland | Alternate | Mary-Elizabeth McMunn |
Italy | Banca d’Italia | Member | Andrea Pilati |
Italy | Banca d’Italia | Alternate | Francesco Cannata |
Latvia | Latvijas Banka | Member | Kristine Černaja-Mežmale |
Latvia | Latvijas Banka | Alternate | Ludmila Vojevoda |
Lithuania | Lietuvos Bankas | Member | Simonas Krėpšta |
Lithuania | Lietuvos Bankas | Alternate | Renata Bagdonienė |
Luxembourg | Commission de Surveillance du Secteur Financier | Member | Claude Wampach |
Luxembourg | Commission de Surveillance du Secteur Financier | Alternate | Nele Mayer |
Malta | Malta Financial Services Authority | Member | Christopher P. Buttigieg |
Malta | Malta Financial Services Authority | Alternate | Anabel Armeni Cauchi |
Netherlands | De Nederlandsche Bank | Member | Steven Maijoor |
Netherlands | De Nederlandsche Bank | Alternate | Willemieke van Gorkum |
Poland | Komisja Nadzoru Finansowego | Member | Kamil Liberadzki |
Poland | Komisja Nadzoru Finansowego | Alternate | Artur Ratasiewicz |
Portugal | Banco de Portugal | Member | Rui Pinto |
Portugal | Banco de Portugal | Alternate | Jose Rosas |
Romania | Banca Naţională a României | Member | Adrian Cosmescu |
Romania | Banca Naţională a României | Alternate | Cătălin Davidescu |
Slovakia | Národná Banka Slovenska | Member | Tatiana Dubinová |
Slovakia | Národná Banka Slovenska | Alternate | Linda Šimkovičová |
Slovenia | Banka Slovenije | Member | Primoz Dolenc |
Slovenia | Banka Slovenije | Alternate | Damjana Iglič |
Spain | Banco de España | Member | Ángel Estrada |
Spain | Banco de España | Alternate | Agustín Pérez Gasco |
Sweden | Finansinspektionen | Member | Henrik Braconier |
Sweden | Finansinspektionen | Alternate | Magnus Eriksson |
EEA and EFTA members
Country | Institution | Type of membership | Name |
---|---|---|---|
Iceland | Fjármálaeftirlitið | Member | Björk Sigurgísladóttir |
Iceland | Fjármálaeftirlitið | Alternate | Gísli Óttarsson |
Liechtenstein | Finanzmarktaufsicht Liechtenstein (FMA) | Member | Markus Meier |
Liechtenstein | Finanzmarktaufsicht Liechtenstein (FMA) | Alternate | Elena Seiser |
Norway | Finanstilsynet | Member | Per Mathis Kongsrud |
Norway | Finanstilsynet | Alternate | Anders Sanderlien Hole |
– | EFTA Surveillance Authority | Member | Stefan Barriga |
– | EFTA Surveillance Authority | Alternate | Jonina Sigrun Larusdottir |
Observers
Institution | Name |
---|---|
SRB | Sebastiano Laviola |
Other non-voting members
Institution | Name |
---|---|
ECB | Katrin Assenmacher |
ECB Supervisory Board | Stefan Walter, Sofia Toscano Rico |
EIOPA | Fausto Parente |
ESMA | Natasha Cazenave |
ESRB | Francesco Mazzaferro |
European Commission | Martin Merlin, Almorò Rubin de Cervin |
Management Board
In accordance with the EBA Founding Regulation, the Management Board ensures that the EBA carries out its mission and performs the tasks assigned to it. It is composed of the EBA Chairperson and six other members of the Board of Supervisors elected by and from its voting members. The Executive Director, the EBA Vice-Chairperson and a representative of the Commission also participate in its meetings.
Four new members joined the Management Board in 2023. Two members were elected by the Board of Supervisors in January 2023 from Spain and Greece, and two other members representing Hungary and Latvia were elected in July 2023.
The Management Board met five times in 2023, out of which two meetings were held at the EBA premises, and the remaining meetings were held as videoconferences. The Management Board steers the preparation and revisions of the EBA’s Annual Work Programme and the development of the Draft Single Programming Document which were approved in 2023 before their submission to the final approval of the Board of Supervisors.
It monitors the execution of the EBA’s tasks and activities, the budget planning process and the allocation of human and financial resources. To guarantee the transparency of its decision making, minutes of the Management Board’s meetings are published on the EBA website.
As a follow-up to the adoption of the EBA Enterprise Risk Management (ERM) policy in 2022, the Management Board reviewed and supported the EBA strategic risk register and risk appetite statement in 2023. While a number of risks were monitored closely, no significant risk or control issues were highlighted to the Management Board in 2023.
Management Board composition at the end of 2023
Country | Institution | Type of membership | Name |
---|---|---|---|
Germany | Bundesanstalt für Finanzdienstleistungsaufsicht | Member | Raimund Röseler |
Germany | Bundesanstalt für Finanzdienstleistungsaufsicht | Alternate | Adam Ketessidis |
Greece | Bank of Greece | Member | Heather Gibson |
Greece | Bank of Greece | Alternate | Ekatrini Korbi |
Hungary | Magyar Nemzeti Bank | Member | Csaba Kandrács |
Hungary | Magyar Nemzeti Bank | Alternate | László Vastag |
Latvia | Latvijas Banka | Member | Kristīne Černaja-Mežmale |
Latvia | Latvijas Banka | Alternate | |
Poland | Komisja Nadzoru Finansowego | Member | Kamil Liberadzki |
Poland | Komisja Nadzoru Finansowego | Alternate | Artur Ratasiewicz |
Spain | Banco de España | Member | Ángel Estrada |
Spain | Banco de España | Alternate | Agustín Pérez Gasco |
European Banking Authority | José Manuel Campa |
Major developments
In 2023, the EBA was confronted with some important external challenges, namely the geopolitical tensions and ongoing conflicts as well as the macroeconomic developments, such as inflationary pressures and rising interest rates. The organisation was also positively impacted by some major internal developments described in the sub-sections below.
Mission statement and values
After a decade of activity and with the perspective of taking on new staff, in 2023 a task force made up of senior management and staff worked on developing the EBA mission statement and values.
Our mission is to contribute to the stability and effectiveness of the European financial system through simple, consistent, transparent and fair regulation and supervision that benefit all EU citizens.
The mission statement communicates the purpose of the organisation and is based on the EBA Founding Regulation.
Our values define us, guide our organisation and shape our actions at all levels of our work.
Public service at our core
We act independently, in the sole interest of the European Union. We are committed to strengthening the financial sector and protecting consumers through sound regulation.
Excellence in everything we do
We pride ourselves on the work that we do. We promote simplicity, objectivity, transparency and proportionality. We learn from successes and failures and continue improving what we do.
Trust in our relationships
We build relationships based on trust, respect and transparency. We are open and responsible for our actions, promises and commitments. We care about people. We should resemble the society in which we live. And we will abide by high ethical and environmental principles.
Creativity to deal with challenges
We strive to innovate and make a difference, with the belief that change is possible. We pioneer new ways of working to make a difference, and that makes us unique. We have the energy, imagination and courage to lead.
Collaboration is our approach
We value team spirit and cultural diversity. We encourage, seek and value input and feedback. By having a collaborative mindset, we can work and grow together with each other and our stakeholders.
Gender, diversity and inclusion (D&I)
The EBA continued to be very active in embedding gender, D&I as a core pillar of its corporate culture.
D&I and gender equality are among the EU institutions’ priorities as illustrated by the EU 2020–2025 Gender Equality Strategy.
The EBA strives for gender equality in professional and cultural development, ensuring women and men have equal opportunities to thrive both within the Authority and across the financial services sector.
Since the end of 2020, the EBA has been advancing on the issue of gender balance for its own organisation, in different phases: first, through embedding gender equality in our culture and values, leading to the milestone of achieving gender-equal leadership. The numbers say it all: the share of women in senior leadership (Director level) has risen from 25% to 60% and stands at 43% across all Management levels (Chair, Executive Director, Directors, Heads of Unit).
Figure 13: Proportion of women in EBA Management and Team Leader roles

But this is just the beginning. Fostering gender equality makes EBA teams stronger in working towards common values and goals, and inclusion is actively pursued to harvest the advantages of a diverse work force.
The EBA’s staff survey has shown that it has strengthened a sense of belonging, with an overall satisfaction rate of 72%, up from 65% in the previous survey. In that regard, the EBA has mainstreamed gender issues through its organisation with concrete initiatives such as training on unconscious bias. It has started working towards mechanisms and policies to promote gender equality in its own governance bodies. It has also launched a mentoring project to foster talent of staff of all genders, but with a majority of female attendees.
The EBA continued to invest in awareness campaigns for gender balance, both in-house and beyond. It held two conferences for EU agency staff featuring speakers from the European Parliament, other agencies and authorities, and the private sector. The EBA also spoke at conferences organised by other groups about its diversity efforts, thus broadening its coalition with EU agencies and stakeholders.
Additionally, the EBA is working towards creating an accessible and inclusive workplace, in particular by removing potential obstacles and shaping a collaborative barrier-free environment.
The EBA commissioned an assessment audit of the EBA offices’ compliance with French law, which proved that the premises are compliant with applicable national legislation.
Additionally, a Commission expert from the Diversity and Inclusion Office of DG HR and Security was invited to check the accessibility of the EBA premises. Following this visit, numerous recommendations were identified concerning the following processes and areas: accessibility of premises and digital accessibility, recruitment and onboarding, inclusive missions and events, training and awareness raising, and tendering and procurement. The EBA is liaising with relevant stakeholders to address the recommendations.
Cloudification programme
The EBA completed a strategic initiative to migrate our IT landscape into the public cloud. The primary goals were to enhance agility, reduce operational costs, and improve scalability to build a secure and futureproof IT infrastructure. Over the past year, our dedicated team has successfully executed this migration, and is now operating our cloud-native environment.
As key achievements the project team has successfully delivered the following.
- In close cooperation with the three European Supervisory Agencies, two major tender procedures were executed, with the signature of multi-million-euro contracts.
- The migration process was executed with minimal disruption to the EBA’s business operations. Critical applications and services were seamlessly moved to the cloud, ensuring continuity.
- With the robust security features offered by the cloud, the EBA’s security posture has greatly improved. Its data are better protected against cyber threats through EBA-controlled encryption keys (EC’s standard for SNC information) and advanced features such as 24/7 security monitoring and defences based on Azure Sentinel SOC.
- Thanks to the dynamic scalability of the cloud, the EBA IT unit has gained in flexibility, enhancing the ability to respond to changing business needs.
- All the EBA services are now operated in the cloud and, thanks to close cooperation between the EBA, EIOPA, ESMA and the ECHA (the European Chemical Agency), our data protection compliance is ensured through the delivery of a baseline Data Protection Impact Assessment.
The execution of the project has been an exciting but challenging journey. In June, the EBA turned a corner when a revised plan was put in place, impacting its initial timeline and budget.
The EBA Office Managed Network Services and the EBA Azure Cloud Managed Services have been taken over by the new FWC Operators since June 2023 and November 2023 respectively, with some non-critical scope elements remaining to be delivered during the post-migration stabilisation period.
External communication strategy
The EBA external communication strategy is revised every few years to ensure that the Authority is communicating to the right audience in the most effective way and using the most appropriate channels. An important part of the process, finalised in the second half of 2023, was the refresh of the visual identity and EBA logo, which is now more minimalistic, modern and fit for the digital age.
The revision of the communication strategy culminated in the introduction of a new website, which has been redesigned with different stakeholders in mind – from representatives of competent authorities to members of the press – for a more engaging experience. In line with its new strategy, the EBA made use of a number of interactive data visualisation tools, such as Flourish and Power BI, thus enabling the creation of captivating data stories and making its data sources more accessible and appealing for all its stakeholders.
Budgetary and financial management
Budget execution
The initial voted budget for a total amount of EUR 52 677 553 was adopted by the BoS on 21 December 2022. This budget was amended three times during 2023. It was amended twice to increase the budget for the employer’s pension contribution by a total amount of EUR 150 000, stemming from the increase in the pension contributions and salaries indexation rates. The third budget amendment was to align the budget with the actual contribution received in 2023 from the Directorate General for Structural Reform Support (DG REFORM) in respect of a service level agreement (SLA) for training services rendered to the EU Supervisory Digital Finance Academy (EU SDFA), and to take account of the final actual pension contribution cost, leading to a total reduction of EUR 155 552. Taken together, these amendments resulted in a final voted budget of EUR 52 672 001[1].
2023 budget amendments and transfers
In 2023, 27 budget transfers were authorised in accordance with Article 26 (paragraph 1) of the EBA Financial Regulations. The Management Board was not required to authorise any transfers.
Title | Voted budget (A) | Amendments (B) | Transfers (C) | Final budget (D = A + B + C) |
---|---|---|---|---|
I: Staff expenditure | 33 515 237 | 23 080 | 704 613 | 34 242 930 |
II: Administrative expenditure | 12 319 866 | -18 318 | -224 827 | 12 076 721 |
III: Operational expenditure | 6 842 450 | -10 314 | -479 786 | 6 352 350 |
Total | 52 677 553 | -5 552 | - | 52 672 001 |
Execution of 2023 voted budget[2]
The EBA achieved a budget execution rate of 98.1% (or EUR 51 666 912) on the 2023 commitment appropriations and 91.4% (or EUR 48 118 318) on payment appropriations.
Title | Voted budget A | Committed B | % C=B/A | Paid D | % E=D/A | Carry Forward F | % G=F/B |
---|---|---|---|---|---|---|---|
I: Staff expenditure | 34 242 930 | 34 082 857 | 99.5% | 33 800 719 | 98.7% | 282 138 | 0.8% |
II: Administrative expenditure | 12 076 721 | 11 775 877 | 97.5% | 10 494 133 | 86.9% | 1 281 744 | 10.9% |
III: Operational expenditure | 6 352 350 | 5 808 178 | 91.4% | 3 823 466 | 60.2% | 1 984 712 | 34.2% |
TOTAL | 52 672 001 | 51 666 912 | 98.1% | 48 118 318 | 91.4% | 3 548 594 | 6.9% |
The total amount of 2023 commitment appropriations carried over to the next year was EUR 3 548 594 (or 6.9% of the appropriations committed at the end of 2023), which is EUR 2 783 765 less than the 2022 carry-overs. This decrease of almost 44% in commitment appropriations carried over in 2023 as compared to 2022 was a result of significant efforts made by the EBA to bring the carry forward amounts within the thresholds recommended by the European Court of Auditors.
Consumption of 2023 internally assigned revenue (C4)
In addition to its voted budget, the EBA had EUR 401 041 in appropriations arising from internally assigned revenue received during the year. These are the funds paid to the EBA by other EU agencies for the rendered services or by the staff and suppliers as reimbursement of undue costs.
Title | Budget A | Committed B | % C=B/A | Paid D | % E=D/A | Carry Forward F=A-D | % G=F/A |
---|---|---|---|---|---|---|---|
I: Staff expenditure | 172 602 | 1 939 | 1.1 | 1 939 | 1.1 | 170 663 | 98.9 |
II: Administrative expenditure | 50 264 | 15 100 | 30 | - | - | 50 264 | 100 |
III: Operational expenditure | 178 175 | - | - | - | - | 178 175 | 100 |
TOTAL | 401 041 | 17 039 | 4.2 | 1 939 | 91.4 | 399 101 | 99.5 |
Budgetary execution on 2022 carry-overs
By the end of 2023, the EBA had executed 99.0 % of commitment appropriations carried over from 2022.
AR2023 | Voted budget (C8): Carry over A | Voted budget (C8): Paid B | Voted budget (C8): % C=B/A | Assigned revenue (C5): Carry over D | Assigned revenue (C5): Paid E | Assigned revenue (C5): % F=E/D | Total: Carry over G=A+D | Total: Paid H=B+E | Total: % I=H/G |
---|---|---|---|---|---|---|---|---|---|
I: Staff expenditure | 140 783 | 122 180 | 86.8 | 140 082 | 140 082 | 100 | 280 865 | 262 262 | 93.4 |
II: Administrative expenditure | 2 779 074 | 2 728 399 | 98.2 | 1 721 | 1 721 | 100 | 2 780 795 | 2 730 120 | 98.2 |
III: Operational expenditure | 3 402 502 | 3 399 791 | 99.9 | 595 307 | 595 307 | 100 | 3 997 809 | 3 995 097 | 99.9 |
TOTAL | 6 322 359 | 6 250 370 | 98.9 | 737 110 | 737 110 | 100 | 7 059 468 | 6 987 479 | 99.0 |
Procurement
2023 was a busy year in terms of EBA-led procurement procedures. As framework contracts usually expire after four years, many framework contracts had to be awarded again.
Other aspects worth highlighting:
- organisation of six training courses for EBA colleagues;
- implementation of the Public Procurement Management Tool (PPMT);
- phasing out of eNotices and eTendering, and transition to the EU Funding and Tenders Portal;
- improvements to the EBA’s procurement procedures and documentation;
- reduction in the direct award of direct contracts, and related increase in the use of framework contracts;
- no complaints and no legal challenges related to procurement activities.
This table contains the number of procurement procedures completed in 2023, classified by kind of procedure.
Kind of procedure | Threshold | Number of procedures |
---|---|---|
Negotiated | Very low value (≤ €15 000) | 18 |
Negotiated | Mid value (€60 000 – €140 000) | 2 |
Negotiated under a FWC | Irrelevant | 1 |
Open | Publication (≥ €140 000) | 7 |
Restricted | Publication (≥ €140 000) | 1 |
Total number of procedures | | 29 |
This table contains the number of procurement procedures launched in 2023 and ongoing at the end of the year, also classified by kind of procedure.
Information on late payments and late interest
The EBA paid 869 supplier invoices in 2023, of which two were paid late. On one of these invoices (from the European Commission) the EBA was required to pay late-payment interest of EUR 607. This is the first late-payment interest paid by the EBA since 2013.
Grant, contribution, and service level agreements
In 2022, the three ESAs (the EBA, EIOPA and ESMA) each signed a service level agreement (SLA) with DG REFORM, whereby the ESAs provide training services to the EU Supervisory Digital Finance Academy (EU SDFA) and DG REFORM provides funding to the ESAs for staff, missions and sundry other costs. In 2023, the EBA received EUR 214 772 from DG REFORM under this SLA. The SLA will run for four years from September 2022. However, given the success of the SDFA, the possibility of an extension is being discussed.
Control results
Overall budget implementation tables are shown in Annex II, including tables of financial statistics, which also include KPIs related to legality and regularity. KPIs applicable to budget implementation are listed in the table below. Further indicators are shown in Annex II.
KPI | Measure | Target | 2023 | 2022 |
---|---|---|---|---|
Commitment implementation rate (voted budget) | % | > 95 | 98.1 | 99.6 |
Payment implementation rate (C8 carry forward) | % | > 95 | 98.9 | 98.3 |
Late payments (supplier invoices) | Count | 0 | 2 | 5 |
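Carry forward to next year, by title (C1): Title 1 | % | 10 | 0.8 | 0.4 |
Carry forward to next year, by title (C1): Title 2 | % | 20 | 11.5 | 26.5 |
Carry forward to next year, by title (C1): Title 3 | % | 30 | 34.2 | 44.2 |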
These performance indicators are important measurements of the EBA’s budget management. Failure to meet the targets for the implementation of appropriations (KPIs 1 and 2) can have consequences for the EU contribution to the EBA’s budget in the subsequent year, with DG BUDG reducing the EU subsidy by 2% in budget year N+2. The ceilings for KPI 4 are those applied by the European Court of Auditors for its audit work and are for guidance only.
The legality and regularity of transactions is ensured by ex ante and ex post controls carried out by the EBA on all financial transactions: recovery orders, commitments, payments and budget transfers. The financial aspects of each operation are verified by members of the Finance & Procurement unit, who have the necessary competence and training to effectively prevent and detect errors or irregularities. This centralisation of control of financial aspects strengthens the capacity of the EBA to ensure a systematic application of the rules.
Ex ante verification is carried out on all financial transactions. It is supplemented by periodic ex post control exercises. In 2023, EBA staff members conducted one ex post control exercise on financial transactions, taking a risk-based sample that amounted to 7% of payment transactions by volume and 3% by value for the period July to December 2022. All transactions controlled were found to be legal and regular. No monetary errors were found. Some areas of improvement were identified and improvements implemented.
Through the year the agency carries out different control activities and assessments, and the results support the assurance on the achievement of the internal control objectives stipulated under Article 30(2) of the EBA’s Financial Regulation. The Executive Director and the Management Board are informed of the results of the control activities and assessments, which comprise the following:
- annual internal control self-assessment of the EBA’s Internal Control Framework, checking if all the components and principles are present and functioning;
- status of the implementation of open actions resulting from the control activities and assessments;
- analysis of exceptions reporting;
- results and analysis of ex post and ex ante controls on financial transactions;
- status of implementation of audit recommendations and observations issued by the internal and external auditors of the EBA;
- status of implementation of actions resulting from the comments and requests issued by the Discharge Authority;
- verification of access rights for the financial system;
- sensitive functions assessment and monitoring of the inventory.
Cost and benefits of controls
Control activities ensure that risks related to the achievement of the organisation’s objectives are mitigated at all levels. Consequently, they include a variety of checks and approaches to mitigate risks, through manual and automated controls, both preventive and detective. To be cost-effective, the EBA’s controls are designed to achieve the right balance between effectiveness, efficiency and economy.
The calculation method follows the approach used by the European Commission and the guidelines provided by the Performance Network of EU agencies.
In 2023, the EBA allocated 8.8 FTEs for control activities (A) in the areas of audit, anti-fraud, data protection, ethics, risk management, financial verification and self-assessment, which together with the direct costs (B) amounts to 3.51% of the 2023 executed budget. This cost estimation includes Chapter 11 costs, meaning pensions and salary weighting, excluding costs arising when staff join/leave (daily subsistence allowance, installation allowance, travel and relocation allowance).
Control activities costs (A)
Area | FTEs |
---|---|
Financial management including procurement, budget and accounting | 4.7 |
Governance, risk and compliance | 4.0 |
Adequate, safe and secure work environment | 0.1 |
TOTAL | 8.8 (3.04% of executed budget) |
The direct costs (B) refer to the costs which are incurred in support of the control activities and include the external audit.
Direct control costs (B)
Item | Amount in EUR |
---|---|
Data protection, Business Continuity Management Programme (consultancy) | 171,343 |
ABAC, Treasury Services | 45,100 |
External audit | 27,876 |
TOTAL | 244,319 (0.47% of the executed budget) |
In terms of the effectiveness of the controls, the European Court of Auditors has given the EBA an unqualified opinion on the 2023 accounts. In addition, given the overall conclusion on the maturity of the internal control system, the EBA has assessed the effectiveness, efficiency and economy of its control system and reached a positive conclusion on the cost-effectiveness of the controls.
With a special focus on compliance while ensuring performance, the EBA has implemented a set of controls aiming to bring benefits to the Agency. These can be demonstrated by the following elements:
- compliance with regulatory requirements;
- reliable reporting that supports the decision-making process on items related to resources allocation and budget implementation;
- clean accounts, reliable recordkeeping and integrity of data;
- increased efficiency among the functions and processes;
- prevention of conflicts of interest;
- the European Parliament granting annual discharge on the implementation of the budget to the Executive Director;
- continuous unqualified ECA opinion on the accounts;
- reduced number of audit observations and recommendations, as well as the implementation of the agreed actions within short timelines.
The controls in place are considered adequate and proportionate to the risks they serve to mitigate. They provide reasonable assurance that the budget has been effectively executed in compliance with the regulations. The Agency reviews its internal control procedures and policies on a continuous basis, to implement improvements, manage risk and ensure a proportionate balance between the costs and benefits of controls.
Delegation and sub-delegation
As per Article 64(1) of the EBA Founding Regulation (Regulation (EU) No 1093/2010), the Executive Director of the EBA ‘shall act as Authorising Officer and shall implement the Authority’s annual budget’. The Executive Director delegated Authorising Officer powers to six staff members, via permanent delegations:
- Director of Operations: all budget lines, all transactions, with no monetary limit;
- Head of Finance & Procurement: all budget lines, all transactions, without monetary limit on Chapter 11 budget lines and with an EUR 60 000 limit per transaction on all other budget lines;
- two members of the Finance & Procurement team, all budget lines, payment transactions up to EUR 15 000 only;
- two corporate support staff members: missions purchase orders only, with no monetary limit.
The delegations are valid for the remaining duration of the employment contracts of the staff members in question, when they are revoked.
On two occasions, due to planned absences, the Executive Director also delegated Authorising Officer powers without monetary limit for short periods to the Head of Finance & Procurement.
All sub-delegated authorising officers provided declarations of assurance regarding the transactions for which they exercised their budgetary powers.
The Authorising Officer also delegates budgetary powers to staff to act as operational initiators, operational verifiers, financial initiators, financial verifiers and neutral verifiers.
In 2023, the EBA identified an issue with the set-up of some rights in ABAC, as a result of which the EBA is running a project to review the ABAC rights to ensure alignment with the current financial circuit and to facilitate future changes. Further training will also be provided in a workshop format to the local access managers. This initiative should also assist with the transition to SUMMA.
Human resources management
People being the main asset of the organisation, the focus is on the development of a fully fledged HR strategy as part of its three-year HR Transformation and rolling Matrix Strategy including 10 modules:
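The HR infrastructure (the foundations) | Module 1 | Complying with all rules |
The HR infrastructure (the foundations) | Module 2 | Having the right sensors |
The HR infrastructure (the foundations) | Module 3 | Optimising the HR function |
The ‘R’ of HR (the organisation’s perspective) | Module 4 | Attracting staff |
The ‘R’ of HR (the organisation’s perspective) | Module 5 | Managing staff |
The ‘R’ of HR (the organisation’s perspective) | Module 6 | Deploying staff |
The ‘R’ of HR (the organisation’s perspective) | Module 7 | Assessing staff |
The ‘H’ of HR (the staff’s perspective) | Module 8 | Talent development |
The ‘H’ of HR (the staff’s perspective) | Module 9 | Talent engagement |
The ‘H’ of HR (the staff’s perspective) | Module 10 | Talent care |
As a result, the main outcomes in 2023 were: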
Module 1 – following the adoption by analogy of Commission Decision C(2022)1788 on working time and hybrid working, a second staff survey piloted by the EBA Staff Committee took place in October 2023, the result of which was that 95% of staff considered that they were familiar with the rules. Also, the outcome showed that the EBA is applying the working time and hybrid working regime in line with the evaluation report of September 2023 from the European Commission on the implementation of the decision.
Module 2 – new HR metrics relating to staff presence (e.g. annual leave, sick leave, flexi leave, etc.) were developed.
Module 3 – as part of HR Digitalisation, a new tool (‘Allegro’ system) was put in place allowing standardised and automated Job Descriptions, and the new eRecruitment tool entered the testing phase for a targeted go-live in Q1 2024.
Module 4 – talent attraction and selection were further strengthened with the adoption of new recruitment guidelines, a revised scoring methodology and new processes for publishing and disseminating calls. A new SNE rolling call was launched, optimising selection and hiring. New initiatives as part of talent leveraging were launched, such as the conclusion of more than 60 partnerships with universities and the launch of an EUAN ICT Academy task force identifying the skills of the future in the IT area. The focus was also on offering new measures for accommodating candidates with disabilities in selections.
Module 5 – a new Internship policy and a new Interim services management policy were adopted, and pilot cases were launched with a view to developing a Guest expert programme policy.
Module 6 – focal points were to provide staff with mobility opportunities with the development of a new ESAs staff exchange programme, and the implementation of the internal mobility policy with the successful conclusion of two Career Development Opportunities calls for acting managerial positions.
Module 7 – talent performance was redesigned as a management cycle. The 2023 Performance Management Cycle was completed on 26 June 2023. It started with the appraisal exercise (January to March) aiming at assessing staff’s efficiency, ability and conduct; this was followed by Talent Review meetings (April and May) identifying the ‘talent production line’ moving forward and evaluating staff expressions of interest for internal and external mobility; the reclassification exercise was the last step (May to June).
Module 8 – as part of Talent development, the Team leaders (TL) programme was adjusted based on lessons learnt, providing an opportunity for staff skills development. The mentoring programme pilot was confirmed as a permanent feature of staff career development. A wide range of blended Learning and Development (L&D) was offered, including e-learning, tailored programmes, language courses, coaching sessions, inspirational talks, hybrid courses, workshops, etc. Mandatory sessions were organised on harassment prevention, cybersecurity awareness, ethics and integrity, etc.
Module 9 – several initiatives supporting talent engagement took place with the successful completion of the three dimensions of the 2022 SES action plan (EBA values, career development and wellbeing at work), the adoption of the EUAN D&I Charter and the ESAs’ high-level conference on 7 March 2023 entitled ‘Are we on the right track with gender equality’, etc.
Module 10 – staff wellbeing remained a key priority, with the adoption of a new Social and sports clubs policy, the adoption of a Team building events policy and toolkit, the conclusion of a new SLA with the Commission for psychosocial services, the adoption of new Staff Committee rules of procedure, the organisation of a Flu campaign, new wellbeing courses, etc.
2023 key indicators:
- Temporary Agents (TAs) execution rate of the Establishment Plan: 99% (without MiCAR/DORA);
- Contract Agents (CAs) occupancy rate: 98% (without SDFA);
- Seconded National Expert (SNE) positions filled: 74% – 14 paid SNEs and 13 cost-free SNEs (DE, ES, FR, IT, MT, NL, RO);
- Trainees: 25;
- Interns (ages 14–19 years): 15;
- Time to hire (= average length of the recruitment procedure between the publication of the vacancy notice and the establishment of the reserve list): 3.4 months;
- Statutory staff (TAs and CAs) turnover rate: 6%;
- Staff with children up to 18 years old: 93;
- Staff with recognised disability: 1.
Brief description of the results of the screening / benchmarking exercise:
In 2023, the EBA continued to apply the benchmarking exercise following the methodology of the European Commission. The table in Annex IV depicts the results of the exercise based on the type of post: Administrative support and Coordination, Operational and Neutral. The increase in the share of jobs allocated to the ‘operational’ role (from 82.5% in 2022 to 84.6% in 2023) and the corresponding decrease in the ‘administrative support and Coordination’ role (from 12.3% in 2022 to 11.6% in 2023) confirm the shift towards greater efficiency, enabling more resources to deliver on the EBA’s strategic operational priorities.
Strategy for efficiency gains
Internal structural adjustments
The 2021 reorganisation has increased EBA efficiency and effectiveness through a better alignment of the Agency’s internal structure to the achievement of its key priorities, and the EBA will continue to foster internal synergies in its wake. It was completed in 2022.
The activities portfolio has been streamlined to 19 (compared to 37 in 2021 and 25 in 2022) with a systematic analysis of all the tasks contributing to those activities. A separate activity was introduced to capture the oversight and supervision at this juncture, although this may be further considered going forward, including with the changes in relation to AML-related activities.
A reorganisation of EBA Standing Committees helped to improve efficiency and to support the focus on EBA strategic objectives. Further rationalisation is ongoing to reinforce the EBA work programme monitoring and workforce planning with the development of a new tool, which resulted in the migration of data from an Excel-based solution to an Access Database, providing for an improved and more user-friendly environment for task and resource planning functionalities. The Team Leaders role introduced in 2021 is entering into its second wave as a strong staff career development tool. The action plan developed following the Staff Engagement Survey of 2021-2022 is almost completed. Active synergies have been actioned with the ESAs and beyond with other EU Agencies through the EUAN (such as the staff swap programme between the EBA / ESMA / EIOPA, the Task Force on Shared Services on the attractiveness of EU employers, the ICT Academy aiming at identifying ways to attract young talent, and, in particular, more women in ICT, etc.). Besides the effective implementation of the EBA internal mobility, external mobility is to be adopted soon, completing the basis for staff deployment and career development.
The EBA’s strategy for efficiency gains benefits from the implementation of new technology in line with its IT strategy and the objective therein of becoming a digital agency. While these changes represent a substantial effort for the EBA ex ante, it is expected that these initial investment costs will be fully recouped and will allow the EBA to reap positive efficiency gains over a multi-year horizon. For instance, the implementation of a collaboration platform has reduced email exchanges by 30-50% and has created more efficient processes. Development of an eRecruitment tool, discussions around automation of the Interactive Single Rulebook and the use of electronic workflow tools in Finance and HR are other examples.
Compared to the 2019 situation, in this ‘new normal’ the EBA organises 50% fewer meetings with externals at its premises (thus also benefiting its members’ own environmental footprints) and 50% fewer staff missions to external meetings.
Joint procurements and external synergies
In the area of procurement, the EBA systematically seeks to include other agencies in its procurement procedures. In 2023, the EBA was lead agency on four interinstitutional procurement procedures, with a total value estimated at EUR 6 260 232, in which a total of two other agencies participated. The EBA also participates in many interinstitutional procedures led by other EU entities, predominantly those run by the Commission. Interinstitutional procurement is particularly strong with ESMA and the other Paris-based EU entities. In 2023, 73% of the EBA’s 177 framework contracts in force (resulting from 74 procurement procedures) were procured by other EU entities – see table below.
 | EBA | COM | Other agencies | Other | Total |
---|---|---|---|---|---|
Competitive procurement procedures completed in 2023 that resulted in the award of an FWC | 8 | 21 | 9 | 1 | 39 |
Framework contracts | 49 | 80 | 37 | 11 | 177 |
The EBA also continued its close cooperation with the other ESAs. Cross-cutting work and issues of common interest are discussed in regular ESA meetings at senior management and technical levels, with a view to reaping all possible synergies. The EBA attends ESMA and EIOPA BoS meetings and cooperates in different workstreams and task forces at working level. The EBA’s Directors and Heads of Units, especially in the area of Admin/Resources/Legal, have regular discussions with their peers at the other two ESAs and the SRB.
The Joint Committee of the EBA, EIOPA and ESMA with the Commission and the ESRB is a key forum to discuss common regulatory issues and agree joint initiatives. Since its inception, the Joint Committee has successfully worked on numerous mandates. This will be taken to the next level with DORA.
A shared accounting services arrangement that was established with ESMA in 2021 to enhance the synergies between the two Paris-based authorities has been further complemented by extending it to EIOPA, whereby EIOPA’s accounting officer can act as a backup for the EBA/ESMA accounting officer and vice versa.
The EBA successfully onboarded a new Security Officer (SO) and was supported by the EIOPA SO who was ad interim covering for both agencies. The collaboration continued very closely as both Agencies jointly embarked on their Cloud Transformation programmes to migrate to the public cloud. This has further brought together the three ESA SOs to align and work together to collectively raise the level of security assurance and protection in very similar circumstances and with very similar tooling in the Azure Public Cloud. The three SOs continue to work together to best prepare their organisations for the cloud and for the upcoming security framework changes (i.e. the Cybersecurity Regulation, SNC in the Cloud policies, etc.). The three ESAs continue to evaluate a shared security services approach to optimise resource usage and synergise investments.
Finally, in the context of DORA, the ESAs explored the possibility of joint procedures and pooling of resources – possibly in the form of a joint oversight venture (JOV).
Other cross-efficiencies
The EBA and EIOPA are currently working on a ‘Data Point Model (DPM) Refit’ and ‘Digital Regulatory Reporting’ tooling. The authorities have found that they face similar problems and challenges with the expanding reporting framework and both are already using very similar Data Point Models. These projects share resources and work together with the aim of improving technical tools to support supervisory reporting and address issues.
On the technology front, the FinTech Knowledge Hub, established by the EBA in 2018, enhances the monitoring of financial innovation and knowledge sharing, and fosters technological neutrality in regulatory and supervisory approaches. The Hub has hosted a series of events on a wide spectrum of topics, including AI, RegTech and SupTech, and complements similar EU and national initiatives (e.g. the European Commission's FinTech Lab).
In the same vein, the ESAs established the European Forum for Innovation Facilitators (EFIF) in 2019 as a platform for supervisors to share experiences from engagement with firms through innovation facilitators (regulatory sandboxes and innovation hubs), to share technological expertise, and to reach common views on the regulatory treatment of innovative products, services and business models, overall boosting bilateral and multilateral coordination. The EBA chaired the EFIF in 2023 and continues to contribute to the EFIF as a joint-ESA initiative.
The Supervisory Digital Finance Academy is another cross-institutional initiative and a perfect example of how to maximise resources and avoid duplication. This initiative strengthens supervisory capacity in the area of innovative digital finance by providing a systematic training programme for the ESAs and for National Competent Authorities (NCAs).
Created in 2020, the Advisory Committee on Proportionality (ACP) provides recommendations to the EBA on how to foster proportionality in its activities and missions.
While forming an integral part of the EBA, the ACP is an independent committee. Specifically, it advises the EBA on its annual work programme and puts forward proposals on how its work may take into account specificities of financial institutions.
In 2023, proportionality remained a key driving principle of the EBA in its regulatory work. The ACP recommended that the EBA pay particular attention to proportionality in its activities in 2023 in the areas of the Supervisory Review and Evaluation Process (SREP), recovery and resolution, ESG, and reporting and transparency. The EBA took the recommendations into account in the preparation of these activities, recognising the value of enhancing proportionality where possible.
Assessment of audit and ex post evaluation results during the reporting year
Internal Audit Service (IAS)
In line with international professional auditing standards, the IAS established a multi-annual audit plan (Strategic Audit Plan 2022-2024), which is being reviewed annually taking into account important organisational and/or external developments that may have impacted the risk profile of the EBA.
Audit topics (2022-2024) | |
---|---|
Audit |
|
Follow-up |
|
Following this audit plan, the IAS added an additional horizontal topic to its Strategic Audit Plan for the years 2023-2024: ‘Multi-entity audit on coordination between DG FISMA and the decentralised agencies the EBA, EIOPA and ESMA’. As a result, the planned IT governance and portfolio management audit will be postponed until Q4 2024.
All observations and recommendations are taken into account and appropriate action plans are developed. The implementation of these actions is regularly followed up.
In January 2023, the IAS issued the audit report on Internal Control Framework (ICF). The objective of the audit was to assess the effectiveness and efficiency of the design and implementation of the ICF in achieving the Authority’s objectives. The IAS acknowledged that over the last two years the EBA has made considerable efforts to design its internal control framework and to effectively implement the internal control principles. The IAS concluded that overall, the design and implementation of the internal control framework is effective and efficient in order to allow achievement of the Agency’s objectives, but there was one very important weakness related to the way the EBA conducted the annual self-assessment. The IAS also issued three other Important recommendations.
The EBA replied to the audit report confirming the acceptance of the recommendations and the action plan prepared by the EBA was considered adequate by the auditors.
Internal Audit Capability (IAC)
The EBA’s internal audit function is ensured by the Commission’s Internal Audit Service (IAS), which remains the official internal auditor of the Authority.
European Court of Auditors (ECA)
The European Court of Auditors (ECA) transmitted its draft report on the EBA’s 2023 financial accounts on 24 May 2024.
As the reporting year is 2023, the official ECA report published during the year 2023 is the Audit Report on the annual accounts of the European Banking Authority (EBA) for the financial year 2023.
In this report, the ECA gave the opinion that ‘the EBA’s accounts for the year ended 31 December 2023 present fairly, in all material respects, the EBA’s financial position at 31 December 2023, the results of its operations, its cash flows, and the changes in net assets for the year then ended, in accordance with its Financial Regulation and with accounting rules adopted by the Commission’s Accounting Officer. These are based on internationally accepted accounting standards for the public sector.’ The Court also gave its opinion that the revenue and payments underlying the accounts for the year ended 31 December 2023 are ‘legal and regular in all material respects.’
The ECA made one observation on legality and regularity of transactions (in italics below). This observation does not call into question the ECA’s previously stated opinions. The EBA’s draft reply to the observation is shown immediately after the observation.
- 3.5.10. We audited a procurement procedure for “blockchain analytics services and crypto-assets markets data”, with an estimated value of €360 thousand, which resulted in multiple framework contracts. We found that three tenderers that did not meet the financial capacity requirements – because they could only provide two years of financial statements instead of three as required – were nevertheless allowed to participate in the procedure. One of the three was awarded a contract as the second-ranked tenderer in the cascade. This breached Article 167(1) of the Financial Regulation, as well as the principle of transparency and equal treatment. In 2023 the EBA did not make any payments to this contractor, because so far it has only used the services of the first-ranked contractor.
- EBA draft reply: The procurement procedure concerned a nascent industry, in which the majority of the companies operating are newly established. In taking the decision to allow the three tenderers in question to participate in the procedure, the EBA relied on Article 19.3 Annex I to the Financial Regulation, and paragraph 4.3.1.19 of the procurement vade mecum, which allow for the EBA to take the approach that it did. The vade mecum, in particular, states: “For instance, a company created less than two years before the procedure may only provide financial statements for the past year instead of past two years and a business plan for the current year.”. The EBA understands that the position of the Court is that the EBA, to ensure transparency, should have stated this possibility in the call for tender documentation. The EBA received 23 tenders for this procedure, including from industry leaders identified in the EBA’s market analysis. In 2024, the EBA will not make any payments to the contractor in question.
Actions taken by the EBA on the Court’s 2022 observations are shown in section 2.8.a).
Follow-up of recommendations and action plans for audits and evaluations
Internal Audit Service (IAS)
The EBA continued implementation of the audit recommendations stemming from the audit on Supervisory Reporting and Data Quality carried out in 2019. Of the 5 recommendations issued, only two important recommendations remained open: Validation rules and Reporting Framework development. The action plan was implemented in 2023 and both recommendations were subsequently closed in January 2024.
In January 2023 the IAS also issued the audit report on Internal Control Framework and Risk Management. Overall, there were four recommendations stemming from this audit: one very important on the process of the annual self-assessment and three important. All the recommendations have been accepted by the EBA and the action plan has been considered adequate by the IAS.
The IAS concluded that overall, the design and implementation of internal control framework set up by EBA is effective and efficient, in order to allow achievement of the Agency’s objectives, giving the EBA certainty for the assurance-building process.
During the year there was no follow-up of outstanding recommendations performed by the IAS and there were no significant delays in implementation of the action plans, all of which are set to be completed in 2024.
The status of all open recommendations is as follows:
Source | No. of recommendations issued | Deadline |
---|---|---|
IAS Audit Data Quality | | Closed 30.01.2024 |
 | (Severity: Important) | Closed 30.01.2024 |
Audit on Internal Control Framework and Risk Management | | Under IAS review since 09.2023 (Deadline: 30 September 2023) |
 | (Severity: Important) | Under IAS review since 12.2023 (Deadline: 31 December 2023) |
 | | (Deadline: 30 April 2024) |
 | | Deadline: 30 April 2024 |
Internal Audit Capability (IAC)
Not applicable
European Court of Auditors (ECA)
In the Annex to its 2023 draft report, the Court listed one observation that it followed up from previous years. This is shown below, along with the status of corrective action taken by the EBA.
Year | Observation | Corrective action | Status |
---|---|---|---|
2022 | The EBA sought to procure services in two open tenders, one for market research for financial services and another for consultation on data protection. In one tender there was an overlap between award and selection criteria. In both cases, the EBA overestimated the maximum value of the contracts because of shortcomings in its research on market prices prior to launching the tenders. | One section in the EBA’s newly developed guidance for selection committees relates specifically to the distinction between award and selection criteria. The EBA conducts market research by publishing “prior information notices” in the Official Journal in which it invites companies to respond to a questionnaire (public consultation) and asks for indicative prices to help it estimate contract value. | Closed |
Follow-up of recommendations issued following investigations by OLAF
The EBA received a recommendation from OLAF following an investigation which did not concern the EBA but related to a framework agreement to which the EBA is also a party. The recommendation concerned the contractual obligation of outsourced IT service providers to justify their price offers for fixed-price contracts by using the daily rates agreed in the framework contracts in order to achieve a sufficient degree of price transparency that allows later for meaningful audits as foreseen in the framework agreements. The EBA reviewed its approach and confirmed that conformity of financial offers with the daily rates specified in the framework contract is verified very early at the service request step and any deviation from the framework contract is rejected, requiring the contractor to ensure their price offer is in full compliance.
Follow-up of observations from the discharge authority
On 10 May 2023, the European Parliament (EP) granted discharge to the Executive Director of the European Banking Authority (EBA) for the 2021 financial year and approved the closure of the accounts for the said financial year. In that context, the EP also set out its observations in a resolution.
As in previous years, the EBA welcomed the feedback received from the EP as part of the discharge process, which provides essential input on the Authority’s organisation and performance. It provides an external point of view on the actions undertaken by the Authority during the year as well as on current practices.
The 30 observations issued by the discharge authority in the 2021 report, while the same in terms of number as in 2020 (which had been significantly lower than the 40 observations in the 2019 discharge), represented a further marked improvement in terms of substance.
The EBA published an Opinion on the European Parliament 2021 discharge report[3] in September 2023 with responses to the observations received in the Parliament’s resolution, in particular on those with a call for follow-up action.
Overall, the EBA considered that for 26 of the 30 observations follow-up actions were not applicable or needed, or have already been implemented. For four observations the follow-up was deemed to be an ongoing consideration.
This is further specified hereafter for the areas of procurement; prevention and management of conflicts of interest, and transparency; internal control; and digitalisation.
Procurement
With regard to the discharge authority’s concern about an observation from the Court in relation to procurement of services to access market data, and the related call on the Authority to ensure that all procurement procedures follow the procedural steps set out in the Financial Regulation, the EBA acknowledged an error and noted that it had taken necessary remedial follow-up actions.
Since receiving the ECA observation, the EBA has complemented its internal processes and followed all necessary procedural steps for these kinds of procedures.
The EBA further noted that in its 2022 Audit the ECA reviewed two procurement procedures run according to the adjusted processes and had no remarks. In addition, the ECA marked the status of this observation as closed as part of its follow-up on observations from previous years.
Prevention and management of conflicts of interest, and transparency
The discharge authority’s observation called on the EBA to take the necessary steps to avoid any suspicion of conflict of interest with regard to its Board members, all the while welcoming the steps taken by the Authority to strengthen the independence of members of the Board of Supervisors, Management Board and certain Board committees by ensuring that members with a conflict of interest do not attend discussions or voting on agenda items on which they are conflicted.
In response, the EBA noted that the Board of Supervisors adopted in its meeting of 21 June 2022 an amendment of its Rules of Procedure, also applying to the Management Board and to the mandates of the Standing Committee on Resolution (ResCo) and the Standing Committee on Anti-Money Laundering and Countering Terrorist Financing (AMLSC), whereby a member that has declared a conflict of interest is required in all cases to be absent from discussion and votes.
The EBA also noted that it will continue to be vigilant about this matter.
In relation to the discharge authority’s call on the EBA to reinforce the rules to guarantee the independence of panel members during their deliberations and report to the discharge authority on the actions taken on this matter, the EBA set out a number of follow-up actions.
- On 1 January 2020, the ESAs review introduced additional conflict of interest requirements. The EBA extended those requirements to breach of Union law (BUL) panel members. At the time of the deliberative process in question, the EBA’s policies and procedures on conflicts of interest and BUL investigations did not make provision in relation to contact with BUL panel members. Nevertheless, when necessary, panel members had been advised against accepting attempts to influence them in their role as a panel member.
- Furthermore, in December 2021 the Board of Supervisors adopted revised rules of procedure for breach of Union law investigations which set out timeframes for investigating cases and put in place specific rules to ensure the independence of panels and of members of other decision-making bodies.
The EBA was of the view that these actions address the concerns and the call for action of the discharge authority and noted that in its draft 2022 audit report the ECA marked the status of this observation as closed. This notwithstanding, the EBA will continue to be vigilant in keeping its measures under review.
With respect to the discharge authority’s call to strengthen internal control mechanisms, including the setting up of an internal anti-corruption mechanism, the EBA noted that it had taken all necessary follow-up actions. In particular, in 2021 it:
- accepted and implemented the European Ombudsman’s findings on revolving doors and conflicts of interest;
- extended conflicts of interest policies to certain Board committees and panels which prepare decisions for the BoS;
- reorganised the Legal and Compliance unit to consolidate and further strengthen steps already taken;
- published meetings of staff with lobby organisations (fortnightly for executive level, and quarterly for other staff).
Subsequently, in 2022, the EBA also took steps to strengthen the independence of BoS and MB members so those with conflicts cannot be present for discussions or voting.
Internal control
As regards the concerns the discharge authority expressed about a weakness identified by the Court in two recruitment procedures, the EBA stressed its commitment to ensuring the principles of transparency and equal treatment in all selection procedures and noted that it had since addressed the aspects in question in its procedures. The EBA can furthermore note that the ECA marked the status of these points as closed as part of the follow-up of previous years’ observations.
In relation to a call to keep the discharge authority informed on the follow-up on the implementation of actions to further mitigate fraud risks, the EBA noted that its 2022 anti-fraud risk assessment showed further reductions in risk levels through continuous enhancement of measures taken to tackle risks identified in previous risk assessments, with over two-thirds of scenarios carrying a low level of fraud risk, no scenarios having a risk level above ‘medium’ (the third of five levels) and scenarios carrying a ‘medium’ level of risk reduced from one-third of scenarios to just over one-fifth.
Moreover, the EBA was called on to keep the discharge authority informed about the result of external assessments on risk management and related progress, as well as on the implementation of the Internal Control Framework.
In response the EBA noted the following.
- Regarding the COSO Enterprise Risk Management (ERM) Framework, work started in 2021 with Deloitte to enhance the compatibility of the EBA’s current risk management programme with the COSO ERM Framework, and continued until November 2022. The following elements of the risk management framework were finalised:
- the risk register, including 15 strategic risks identified;
- an ERM policy, defining the overall ERM practices, as well as a risk appetite / risk tolerance statement, summarising the EBA’s appetite for risk in each of a whole range of activities;
- an ERM lifecycle document explaining in detail the different steps/phases to be considered during the course of one year, including detailed indications of the different stakeholders and lines of defences involved in each step. The ERM lifecycle exists to generate and maintain a stream of data and information, recorded in the EBA’s risk register, on the basis of which the EBA’s personnel can make risk-informed decisions;
- awareness sessions for Directors and Heads of Units, as well as other staff;
- finally, a Risk Toolkit as well as an ERM Power BI tool to centralise and manage the risks / progress made.
Five out of the 15 risks were identified as needing extra mitigation measures, which are being developed from the beginning of 2023. In addition, the EBA:
- has developed an updated iteration of the risk register via application of the ERM lifecycle;
- has piloted integrating existing local risk registers into the ERM framework;
- plans to develop local risk assessments further as resources permit.
- Regarding the internal control systems, it was noted that the framework, adopted in 2019 and in line with the model of the Commission and the Committee of Sponsoring Organisations (COSO), consists of 5 internal control components and 17 principles, further developed in 49 characteristics.
The EBA assessed the presence and proper functioning of each principle (17 principles) and aggregated all the results at the component level (5 components) and ultimately at the level of the Internal Control Framework as a whole. The assessment of each principle was also considered in the light of the strengths and deficiencies identified in other principles within or outside the same component.
Following the assessment of internal controls, it was noted that several principles would benefit from some adjustments and improvements that would enhance the efficiency and effectiveness of the principle and its elements. While compliance remains an important requirement, the EBA will focus on assessment, monitoring of the activities and optimisation of controls.
With a view to upholding and enhancing the internal controls as a whole, an enhancement in the integration of the EBA’s current risk management programme with the COSO ERM Framework, intensification of the activities in the ethics area and provision of tailored internal controls training have been taken forward in 2023.
Digitalisation
The discharge authority raised a concern that in 2021 the EBA was one of thousands of organisations that were subject to a state actor’s cyberattack exploiting a zero-day vulnerability in Microsoft Exchange, and in that context the discharge authority encouraged working in close cooperation with ENISA (European Union Agency for Cybersecurity) and CERT-EU (Computer Emergency Response Team for the EU institutions, bodies and agencies) as well as offering regularly updated cybersecurity-related training programmes for all staff within the Authority.
In response the EBA highlighted the fact that it took significant measures (aligned and in close cooperation with CERT-EU, ENISA, DIGIT and the ESAs) to improve its security posture in the long term, including its cybersecurity monitoring, risk assessment and management, cyber awareness and training, security-minded investments and upgrades in its next-generation IT infrastructure hosting:
- in 2021: Security Operation Centre (SOC) implementation with subsequent (2022) testing and optimisation;
- continuous risk assessment (yearly penetration testing and a CERT-EU Red Team exercise in 2022) and management, for which the EBA implemented an IT Security Risk Register process (2022);
- yearly cybersecurity training and testing with all staff at the EBA;
- a strategic choice to transition to a top-tier infrastructure service provider (Microsoft Azure) providing next-generation security capabilities integrated in its hosting services (2022-2023).
In the same context, the discharge authority recalled the importance of increasing the digitalisation of the EBA in terms of internal operation and management but also in order to speed up the digitalisation of procedures; it stressed the need for the Authority to continue to be proactive in this regard in order to avoid a digital gap between the agencies at all costs; however, it drew attention to the need to take all the necessary security measures to avoid any risk to the online security of the information processed.
In response, the EBA noted that it is fully engaged in increasing digitalisation in terms of internal operation, management and procedures, and recognises the need to remain proactive while taking the necessary security measures.
It was furthermore highlighted that with its 2020-2025 ‘Digital Agency’ IT strategy the EBA has made a strong commitment to digitalising its infrastructure, its business products and services, its workplace environments and its services, with a core commitment to security and privacy. Via business-steered investments, the EBA has now already executed large transformation programmes for digitalisation, including deploying a new Collaboration Platform (2022), new workplace solutions (that also support hybrid and virtual ways of working) (2020-2022) and new digital workflows and transformed business products, while in 2023 it just completed a full migration and transformation of its infrastructure to the public cloud (‘Cloudification Programme’).
Furthermore, it was noted that the EBA has forward plans to further the digitalisation of its estate of applications and services, including new Enterprise Identity and Access Management, new business digital products and services, and new corporate solutions (SYSPER2, MIPS, ServiceNow, SUMMA), for which it also counts on the support of the Commission when they are providing/enabling these services.
In its Cloudification Programme, the EBA has diligently evaluated and managed risks associated with the transition to the public cloud, starting with its Cloud Risk Assessment (part of the EBA Cloud Strategy) and security-by-design requirements incorporated into its procurement for cloud services, and has implemented a wide range of security solutions, such as SOC, Azure native cyber defences, EBA-controlled HSM appliances to encrypt and protect EBA data according to its security needs, hardened and immutable infrastructure, a dedicated DPIA for Azure services, dedicated BCP/DRP capabilities, etc. The EBA used a risk assessment and mitigation stream in its Cloudification Programme that ensures security by design throughout the entire programme and at the end it concluded that it has achieved satisfactory security in online operations at this moment.
Environmental management
In 2023, the EBA maintained its EMAS registration. The 2023 environmental statement (with data from 2021 and 2022) was positively verified and validated by independent external auditors and is now available on the EBA website.
The EBA response to the climate and energy crises and its reporting on its climate and energy performance were positively evaluated in the European Court of Auditors’ annual report on EU agencies for the financial year 2022.
Within the framework of the inter-agency EMAS Twinning Programme, the EBA supported eight European agencies in their process of establishing and implementing EMAS: Cedefop, Cepol, the European Union Agency for Asylum, the European University Institute, Frontex, Fusion for Energy, Translation Centre and Berec.
The EBA, together with ESMA and EIOPA, participated for the first time in the Interinstitutional EMAS Days in November 2023, the annual event of EMAS-registered organisations. The ESAs’ experts presented Introduction to sustainable finance: greenwashing, financing the transition to a sustainable economy, and financial education.
The EMAS e-learning programme was developed in-house. Throughout 2023, more than 175 people completed this obligatory EMAS training.
The EBA adopted a circular economy policy, in which it commits to: a) minimising purchases of physical items so as to limit our material impact, b) buying to keep, c) maximising the life cycle of products, d) minimising the generation of waste, e) disposing of items in an environmentally friendly manner and f) introducing and promoting environmental best practices.
The EBA actively promoted EMAS sustainability and environmental management through, among other things, an EMAS social media campaign, an inter-agency spin-off session on communicating EMAS, and Interinstitutional EMAS Days. To learn more about the EBA’s EMAS journey, please refer to this video: EMAS at the EBA.
Assessment by management
Overall budget implementation rate
The EBA reached a high level of budget execution in 2023: 98.1% execution on a total voted 2023 budget (after amendments) of EUR 52 672 002. Execution was impacted by having a slightly lower-than-planned number of temporary and contract agents impacting the budget over the entire year (despite a very high level of execution of the Establishment Plan by year-end – 99% for temporary agents), by a lower number of guidelines being sent for translation than had been planned for and by several IT projects that were either cancelled or postponed to 2024.
Execution of the appropriations carried forward from 2022 was 98.9%.
Legality and regularity
The control activities carried out on 2023 financial transactions and on the 2023 accounts included ex ante and ex post controls conducted by EBA staff, and the annual audit carried out by the ECA and Baker Tilly. Overall, these showed that verified transactions were in all material aspects legal and regular. In its 2023 annual report, the ECA made one observation on the legality and regularity of transactions, which is covered in more detail in section 2.7.3.
Validation of the accounting system
Since June 2011, the EBA has been using the accounting systems provided by the European Commission, which include ABAC Workflow for budgetary accounting, ABAC Accounting for financial reporting and ABAC Assets for the management of fixed assets. The ABAC system is the property of and is regularly validated by the Accounting Officer of the European Commission.
In December 2023, the financial systems of the EBA were validated by the Accounting Officer in compliance with Article 49(e) of the EBA Financial Regulation on the basis of work carried out by an independent accounting firm.