Commission Delegated Regulation (EU) 2025/2180 of 12 September 2025 supplementing Regulation (EU) 2023/2631 of the European Parliament and of the Council with regard to regulatory technical standards specifying the conditions for the registration of external reviewers, the criteria for assessing the sound and prudent management of external reviewers, the appropriateness of the knowledge, experience and training of the external reviewers’ employees, and the conditions under which external reviewers can outsource their assessment activities

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2023/2631 of the European Parliament and of the Council of 22 November 2023 on European Green Bonds and optional disclosures for bonds marketed as environmentally sustainable and for sustainability-linked bonds (1), and in particular Article 23(6), third subparagraph, Article 27(2), third subparagraph, Article 28(3), third subparagraph and Article 33(7), third subparagraph thereof,

Whereas:

(1) The good repute of the senior management and the members of the board of an external reviewer is of paramount importance to ensure that the external reviewer meets its regulatory obligations. An assessment of good repute should be based on information on the prior activities of those persons, including information on potential relevant criminal convictions, past misconduct, gross negligence, mismanagement of conflicts of interest or impairments to independence and objectivity, and information on their honesty, integrity and reputation.

(2) Given that the senior management and the members of the board are accountable for the external reviewer’s activities, they should have sufficient skills, professional qualifications and experience. An assessment of whether those skills, professional qualifications and experience are sufficient should take into account the curriculum vitae of all members of the senior management and of the board, including up-to-date information on education, training, and employment history. The assessment should also take into account the overall composition and diversity of the senior management and of the board and the collective skills, professional qualifications and experience of their members, as relevant to the activities of the external reviewer and the risks to which that external reviewer is exposed.

(3) To safeguard the continuity and regularity of external reviews, an external reviewer should employ an appropriate number of analysts, employees and persons who are directly involved in assessment activities. In that regard, information on the staffing arrangements of an external reviewer for analysts, employees and persons directly involved in assessment activities should be taken into account. That information should include the number of permanent and temporary contracts, likely future assessment activities, and the reasons why the external reviewer considers the analytical resources to be sufficient.

(4) To ensure the quality of external reviews, analysts, employees and other persons directly involved in assessment activities should have adequate levels of knowledge, experience, and training. The assessment should take into account the education, training, and employment history of those persons. Furthermore, external reviewers should put in place training and development plans for all employees directly involved in assessment activities.

(5) To ensure that decision-making structures provide for the sound and prudent management of the external reviewer, external reviewers should have corporate governance arrangements that specify the organisation, scope, purpose and functioning of their governance bodies, such as the board, supervisory body and relevant committees.

(6) Maintaining a transparent and effective organisational structure is also a key component of sound and prudent management. To ensure transparency and effectiveness of their organisational structure, external reviewers should have clear reporting lines, responsibilities, and communication channels that encourage accountability and decision-making. For the same reason, external reviewers should implement and properly document appropriate policies and procedures as regards their governance structures, internal controls, business continuity, information processing systems, recordkeeping, administration, and accounting.

(7) Given the importance of the internal control functions to the sound and prudent management of an external reviewer, external reviewers should put in place an internal control framework that ensures that the persons responsible for performing that function are appropriately empowered and that there is a clear segregation from the business lines they are overseeing.

(8) To ensure sound and prudent management of compliance with their obligations under Regulation (EU) 2023/2361, external reviewers should ensure that the policies and procedures needed to comply with that Regulation are approved by their board.

(9) The conflicts of interest management framework of an external reviewer should contain a comprehensive conflicts of interest policy approved by the board, and an inventory of conflicts of interests. The conflicts of interest policy should contain risk management procedures and controls to identify, eliminate, or manage and disclose in a transparent manner actual or potential conflicts of interest. That policy should also identify which conflicts of interest the external reviewer considers are to be managed or disclosed in a transparent manner and which conflicts of interest are to be eliminated. In addition, that policy should provide for appropriate an oversight and management of situations where professional judgement or decision-making may be compromised.

(10) External reviewers should assess whether third-party service providers have the capacity to perform assessment activities reliably and professionally. In that regard, external reviewers should consider whether the expertise and availability of the third-party service provider are appropriate to the outsourced activities. For that purpose, external reviewers should take into account key elements relating to the third-party service provider and the outsourcing arrangement, such as its business model, the qualifications of its staff, the control framework, the use of automation and technology in the outsourced assessment activities, and its regulatory compliance.

(11) External reviewers should ensure that the outsourcing of assessment activities does not materially impair the quality of their internal control. In that regard, external reviewers should evaluate the extent of their reliance on the third-party service provider and should monitor and control activities that address the risks arising from the outsourcing, in particular with regard to third countries. External reviewers should apply internal controls to ensure that adequate arrangements are in place in relation to the quality of service provided by the third-party service provider. External reviewers should put in place adequate practices in relation to documentation and recordkeeping by third-party service providers. That should ensure that an external reviewer and the European Securities and Markets Authority (ESMA) have access to all necessary information and that the outsourcing of assessment activities does not impair ESMA’s ability to supervise the external reviewer’s compliance with Regulation (EU) 2023/2631.

(12) To ensure a sufficient degree of oversight over outsourced activities, external reviewers should carry out regular assessments.

(13) The regulatory technical standards to be adopted on the basis of the empowerments laid down in Article 23(6), third subparagraph, Article 27(2), third subparagraph, Article 28(3), third subparagraph and Article 33(7), third subparagraph of Regulation (EU) 2023/2631 should be bundled into a single Commission Delegated Regulation to ensure that all provisions specifying registration of external reviewers are consolidated into one Regulation.

(14) Information submitted to ESMA may contain information on the identity of the senior management and members of the board of an applicant external reviewer, as well as analysts, employees and other persons directly involved in assessment activities on their suitability. Such information includes personal data. In compliance with the principle of data minimisation enshrined in Article 4(1), point (c), of Regulation (EU) 2018/1725 of the European Parliament and of the Council (2), only personal data that is necessary to enable ESMA to assess the ability of the senior management, members of the board of an applicant external reviewer, as well as analysts, employees and other persons directly involved in assessment activities, to comply with the requirements laid down in Regulation (EU) 2023/2631 should be requested.

(15) This Regulation respects the fundamental rights and observes the principles recognised by the Charter of Fundamental Rights of the European Union, and notably the right to protection of personal data. The processing of personal data for the purposes of this Regulation should be carried out in accordance with Union law on the protection of personal data. In that regard, any processing of personal data performed by ESMA in application of this Regulation should be carried out in accordance with Regulation (EU) 2018/1725. Any processing of personal data performed by entities applying for external reviewer within application of this Regulation should be carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (3) and national requirements on the protection of natural persons with regard to the processing of personal data.

(16) To enable ESMA to conduct the assessment for the purposes of the registration and the ongoing supervision, while ensuring appropriate safeguards, personal data relating to the good repute of senior management and members of the board of an external reviewer should be kept by external reviewers and ESMA for no longer than five years after that member has ceased to perform its function or, in the event of the withdrawal of the registration of the external reviewer concerned.

(17) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on 7 July 2025.

(18) This Regulation is based on the draft regulatory technical standards submitted to the Commission by ESMA.

(19) ESMA has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council (4),

HAS ADOPTED THIS REGULATION:

Article 1

Criteria to determine sufficiently good repute of senior management and the members of the board of an applicant external reviewer

(a) proof of the absence of criminal records relating to money laundering, terrorist financing, provision of financial services or data services, acts of fraud or embezzlement, notably through an official certificate, or, where such a certificate is not available in the relevant Member State, a self-declaration of good repute and the authorisation to ESMA to request such information from the relevant authorities on whether that member has been convicted of a criminal offence in connection with money laundering, terrorist financing, the provision of financial services or data services or in relation to acts of fraud or embezzlement;

(c) the applicant external reviewer shall ensure that only persons responsible for the application have access to the information referred to in paragraph 2, point (a).. That information shall be stored separately from other information regarding the senior management and the members of the board of an external reviewer. Access to that information shall be recorded. That information shall not be stored where it concerns candidate members of the senior management and the members of the board of an applicant external reviewer that have not been appointed;

(d) ESMA shall ensure that only persons responsible for the assessment of the suitability of the senior management and the members of the board of an applicant external reviewer have access to the information referred to in paragraph 2, point (a). That information shall be stored separately from other information regarding the senior management and the members of the board of an external reviewer. Access to that information shall be recorded. That information shall not be stored where it concerns candidate members of the senior management and the members of the board of an applicant external reviewer that have not been appointed;

(e) personal data relating to the good repute of senior management and members of the board of an external reviewer shall be kept by external reviewers and ESMA for as long as it is necessary for the assessment of the initial registration and the ongoing supervision, as applicable and no longer than five years after that member has ceased to perform its function or in the event of the withdrawal of the registration of the external reviewer concerned.

Article 2

Criteria to determine sufficient skill, professional qualifications and relevant experience of senior management and the members of the board of the applicant external reviewer

(b) the relevance of the knowledge attained through education and training to financial or sustainability-related services for the business of external reviewers;

(c) the relevance of professional experience gained in activities related to the tasks to be performed by the external reviewer, such as quality assurance, quality control, the performance of pre-issuance, post-issuance and impact report reviews, and the provision of second-party alignment opinions or of financial services;

(d) the collective and up-to-date skills, professional qualifications, and experience of the senior management and the members of the board relevant to the tasks required of external reviewers pursuant to Regulation (EU) 2023/2631 and related risks.

Article 3

Criteria to determine the sufficient number of analysts, employees and other persons directly involved in assessment activities

(a) the total number of analysts, employees and other persons directly involved in assessment activities, their seniority, their job descriptions, the permanent or temporary nature of their employment contracts, and the reasons why the external reviewer considers the numbers and roles to be appropriate;

(b) the expected number and duration of external reviews to be provided in the next 24 months, and the reasons why the external reviewer considers that the number of employees and other persons directly involved in assessment activities is commensurate to the number and duration of future external reviews.

Article 4

Criteria to determine the sufficient level of knowledge, experience and training of analysts, employees and other persons directly involved in assessment activities

(a) the type of assessment activities that the persons directly involved in assessment activities are expected to provide in the next 24 months;

(b) the employment history of the persons referred to in point (a), including the nature and length of services provided in previous posts and responsibilities held;

(c) the experience of the persons referred to in point (a) that is related to quality assurance, quality control, the performance of pre-issuance, post-issuance and impact report reviews, and the provision of second-party alignment opinions or financial services;

(d) the educational background of the persons referred to in point (a) and any relevant professional certifications or qualifications obtained;

(e) other professional and academic achievements of the persons referred to in point (a) that are relevant for the nature of their functions;

(f) the training and development plan for the persons referred to in point (a);

(g) where applicable, the use of automation technology in the assessment activities.

Article 5

Criteria for assessing sound and prudent management by external reviewers