Final Report on Technical Standards under European Green Bonds Regulation

15 October 2025 ESMA84-858037815-684 ESMA - 201-203 rue de Bercy - CS 80910 - 75589 Paris Cedex 12 - France - Tel. +33 (0) 1 58 36 43 21 - www.esma.europa.eu 2 Final Report Technical Standards on the European Green Bonds Regulation

15 October 2025 ESMA84-858037815-684 2 Table of Contents 1 Executive Summary ....................................................................................................3 2 Overview of the Final Report .......................................................................................4 2.1 Background..........................................................................................................4 2.2 Public consultation process ..................................................................................4 2.3 Feedback statement.............................................................................................5 3 Annexes ....................................................................................................................22 3.1 Annex I – Summary of questions........................................................................22 3.2 Annex II – Legislative mandate to develop technical standards..........................23 3.3 Annex III – Cost-benefit analysis ........................................................................26 3.5 Annex V – Final draft technical standards ..........................................................30

15 October 2025 ESMA84-858037815-684 3 1 Executive Summary Reasons for publication Regulation (EU) 2023/2631 of the European Parliament and of the Council of 22 November 2023 on European Green Bonds and optional disclosures for bonds marketed as environmentally sustainable and for sustainability-linked bonds (EuGB Regulation) was published in the Official Journal of the European Union on 30 November 2023 and entered into application on 21 December 2024. The Regulation empowers the European Securities and Markets Authority (ESMA) to develop regulatory technical standards (RTS) and implementing technical standards (ITS) specifying certain of its provisions for external reviewers. On 7 April 2025, ESMA published a Consultation Paper (CP) on the proposed draft technical standards on systems, resources and procedures; the compliance function; internal policies and procedures; information used for assessment activities; the form and content of applications for recognition; and the forms, templates and processes for providing material changes to registration. This Final Report includes the revised draft RTS and ITS developed taking into account the feedback received. Further information on the rationale for the draft technical standards can be found in the CP. Contents The main body of this Final Report (section 2) summarises the contributions received to the consultation conducted by ESMA and explains how this feedback has been considered in developing the revised technical standards. Annex I sets out the list of questions contained in the CP. Annex II displays the legislative mandates to develop the draft technical standards. Annex III presents the cost-benefit analysis related to the draft technical standards. Annex IV lays out the full text of the final draft RTS and ITS. Next Steps ESMA has submitted the draft regulatory and implementing standards to the European Commission for adoption by means of a Commission Delegated Regulation (for RTS) and a Commission Implementing Regulation (for ITS).

15 October 2025 ESMA84-858037815-684 4 2 Overview of the Final Report 2.1 Background

1. This Final Report contains the technical standards for delivery to the European Commission by 21 December 2025. These technical standards cover the empowerments for ESMA to develop regulatory technical standards under Articles 26(3), 29(4), 30(3), 31(4), 42(9) and the implementing technical standards under Article 24(2) of the EuGB Regulation.
2. These technical standards relate to various aspects of the external reviewer regime, notably to the: (i) criteria for assessing the appropriateness, adequacy and effectiveness of the systems, resources and procedures; (ii) criteria for assessing whether the compliance function has the authority to discharge its responsibilities properly and independently and for assessing the necessary resources, expertise and access to relevant information; (iii) criteria for assessing the soundness of administrative and accounting procedures and internal control mechanisms and the effectiveness of control and safeguard arrangements for information processing systems; (iv) criteria for assessing whether the information used when providing reviews is of sufficient quality and from reliable sources; (v) information, form and content of applications for recognition; and (vi) standard forms, templates and procedures to notify ESMA of material changes in the information provided at registration. 2.2 Public consultation process
3. On 7 April 2025, ESMA published a CP on 5 draft RTS and one draft ITS in order to explain the rationale underlying its proposals and gather input from stakeholders. The 8-week public consultation closed on 30 May 2025.
4. ESMA received a total of 15 responses (7 of which confidential) from audit, accounting and assurance service providers, sustainability consultancies and second-party opinion providers, credit rating agencies, testing, inspection and certification assessment bodies and respective associations, as well as from one banking institution. The 8 non-confidential contributions are available on ESMA’s website.
5. In line with Article 10 of the ESMA Founding Regulation1 , ESMA consulted the SMSG on the proposed draft technical standards. The SMSG deliberated not to provide technical advice to ESMA on the draft RTS/ITS. 1 Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority).

15 October 2025 ESMA84-858037815-684 5 6. The feedback statement summarises the main aspects raised in responses to the CP and demonstrates how these contributions have been taken into account in developing the final draft technical standards. 2.3 Feedback statement 7. Respondents to the CP were broadly in support of ESMA’s proposals to specify the criteria set out in the provisions of the EuGB Regulation on the external reviewer regime. 8. Proposals for amendments to the draft technical standards were mainly focused on reducing perceived high costs of compliance, with respondents asking for a more proportionate, flexible and outcome-oriented approach in line with the nascent state of the market and the size and risk profile of external reviewers. Several participants in the consultation also sought further guidance from ESMA on how to implement or comply with certain provisions of the RTS/ITS. 9. Based on this feedback, ESMA has made a number of refinements to the content of the draft RTS/ITS, while keeping to the extent possible the substance and concepts contained in the CP and fulfilling the legal empowerments in Level 1. 2.3.1 RTS on systems, resources and procedures [Article 26(3)] Q1: Do you agree with ESMA’s proposals for the assessment of the appropriateness, adequacy and effectiveness of systems, resources and procedures? 10. ESMA received several comments on its proposals for the assessment of the appropriateness, adequacy and effectiveness of the systems, resources and procedures employed by external reviewers. 11. One respondent, in the context of Article 1(c)(iii), raised a question regarding how ESMA expects to approach the potential variations in minimum quality definitions (“minimum requirements to determine the quality of the information and the reliability of sources”) between external reviewers. 12. On the sources of information for the performance of assessment activities, one contribution highlighted that it is excessively costly for external reviewers to be required to obtain direct access to third-party information sources. 13. One respondent submitted a recommendation for a drafting amendment to the RTS incorporating certain elements of Article 1(c)(i), (iii), (v) and (vii) into a single, simpler provision ("all quantitative and qualitative information inputs are collated according to a rigorous and a standardised process and subject to appropriate controls, oversight and review").

15 October 2025 ESMA84-858037815-684 6 14. Regarding Article 2, several respondents pointed out that the requirement for ongoing and real-time checks in point (a) goes significantly beyond the requirements of Article 26(2) of the EuGB Regulation. 15. One contribution pointed out that Article 2(b) introduces a substantially new requirement vis-à-vis Level 1 (“the monitoring and evaluation is carried out by a function that is independent of the business lines”), with a significant impact on resources. 16. One respondent suggested amending Article 2(c) to require only the recording, remediating and reporting of “material” breaches and deficiencies. The same response suggested an amendment to point (iii) of the same provision to make reporting to the supervisory function and to the management body alternative and not cumulative (“or” instead of “and”). 17. In Article 2(c)(iv), one respondent recommended replacing the obligation of the management body “to monitor” with “to oversee the timely implementation of corrective actions”, as this is more reflective of the board’s role with regard to deficiencies. 18. Finally, ESMA received several questions on the potential adequacy of specific tools or actions to demonstrate compliance with certain provisions of the RTS. 19. ESMA Response: ESMA would like to clarify that external reviewers have the discretion to define their methodologies for performing assessment activities but should take all necessary steps to provide independent and substantiated reviews, in line with the requirements of the EuGB Regulation, including obtaining the necessary information to perform the external review (if warranted, with recourse to a third-party). ESMA has further set out its expectations on methodological-related aspects in its response to contributions received to the draft RTS under Article 31 of the EuGB Regulation (Section 2.3.4). 20. ESMA has decided to simplify Article 1(c) by eliminating four subpoints. ESMA is of the view that the revised formulation preserves the intended regulatory outcome of ensuring objective and consistent assessment methodologies, while streamlining the text, thereby reducing its length and complexity. 21. By way of example, the provisions imposing “minimum requirements to determine the quality of information and reliability of sources” and “controls to ensure the consistent application of the criteria for the quality of information and the reliability of sources (...)” were removed due to their redundancy and the resulting compliance costs relative to the criteria on information and sources used for assessment activities already specified by ESMA under its mandate for an RTS under Article 31(4) of the EuGB Regulation. In this regard, ESMA would like to point to Recitals 1 and 4 of the RTS on information used for reviews (Section 3.4.4) which acknowledge the interplay with Article 1(c) of the present RTS. 22. ESMA considers that a clear and effective separation between front office personnel and the function responsible for overseeing quality assurance is a fundamental principle of

15 October 2025 ESMA84-858037815-684 7 sound governance and internal control and a necessary prerequisite for carrying out the monitoring exercise set out in Article 26(2) of the EuGB Regulation. Without such separation, it is difficult to conceive how front office staff could reasonably be expected to carry out an objective and independent assessment of the adequacy and effectiveness of the very systems, resources and procedures for which they are directly responsible. This lack of functional independence could give rise to an inherent conflict of interest and may ultimately undermine the credibility and reliability of any such assessments. 23. ESMA disagrees with the proposed narrowing down of relevant deficiencies for the purposes of Article 2 by introducing a materiality threshold (“material deficiencies”, “material breaches”), as this would mean deviating from Article 26(2) of the EuGB Regulation, which refers to the obligation to address “any deficiencies”. 24. ESMA accepts that ongoing and real-time checks may not be fully relevant to the activity of external reviewers (who do not, for example, engage in financial transactions), consisting of issuing opinions only when contracted by issuers to do so. As such, it has deleted point (a) of Article 2 entirely, as “periodic (at least annual) monitoring” would already be covered by Article 26(2) of the EuGB Regulation. 25. In the spirit of embedding further flexibility into Article 2, ESMA has replaced "and" by "or" in point (c)(iii) to allow for reporting of deficiencies either to the supervisory function or to the management body, but not mandatorily to both. Additionally, ESMA agrees to replace "to monitor implementation" with "oversee” in point (c)(iv), while removing the reference to senior management to more accurately reflect the board’s oversight role. 26. Finally, on the basis that questions received on the appropriateness of specific tools or actions to demonstrate compliance with the RTS are not policy-relevant contributions on the suitability of the technical standards or the questions raised in the CP, ESMA remains at the disposal of entities to discuss these in the course of its supervisory activities. 27. As a result of the above, the following changes have been made to the text: • Article 1(c): o “…including for the assessment of the sufficient quality of information and reliability of sources…” has been removed from point (c). o “effective (application)” has been replaced with “objective and consistent” in point (c). o The term “steps” has been replaced by “processes” in subpoint (i). o Subpoints (ii) (“quantitative and qualitative methods to perform assessment activities in an objective and consistent manner”), (iii) (“minimum requirements to determine the quality of information and the reliability of sources”) and (iv) (“controls

15 October 2025 ESMA84-858037815-684 8 to ensure the consistent application of the criteria for the quality of information and the reliability of sources, including their measurability per criterion and per sources and their periodic review”) have been removed. o Subpoints (v) and (vii) have been merged. The new formulation is as follows: “measures to address potential shortcomings in the collection and assessment of information and processes governing the review and reporting of errors in assessment methodologies or in their application”. • Article 2: o Point (a) (“periodic monitoring is complemented with ongoing and real-time checks”) has been removed in its entirety. o Subpoint (iii) of point (b) has been revised to read: “reporting the progress in addressing identified deficiencies to senior management, the supervisory body or the management body”. o Subpoint (iv) of point (b) has been revised to read: “ensuring that the management body oversees the timely implementation of corrective actions”. 2.3.2 RTS on the compliance function [Article 29(4)] Q2: Do you agree with ESMA’s proposals for the assessment of whether the compliance function has the authority to discharge its responsibilities properly and independently, the necessary resources and expertise and access to all relevant information? 28. Respondents largely agreed with ESMA’s proposals on the specification of criteria related to the compliance function of external reviewers. Very few proposals for amendments to the RTS were received. 29. One respondent questioned the need for the Article 1(a) requirement for a specific compliance policy, seeing as aspects of the compliance function can be covered by different policies. 30. One contribution raised the concern of the requirement of Article 1(b) of formal inclusion of an employee of the compliance function in the senior management body of the external reviewer being too rigid and possibly conflicting with certain organisational models. 31. One respondent described the list of information set out in Article 3 as giving the inappropriate impression that compliance should monitor the full range of activities conducted by the external reviewer on an ongoing basis. 32. ESMA Response: ESMA understands that the reference to “senior management” can be misleading without a corresponding Level 1 definition. In this regard, it has amended the

15 October 2025 ESMA84-858037815-684 9 RTS to refer simply to the appropriate level of seniority of the Chief Compliance Officer/Head of Compliance role, as a prerequisite for having direct and unfiltered access to decision-makers and the authority to challenge business decisions. 33. ESMA accepts that elements of the compliance function can be reflected in one or more policies or internal governance documents (e.g. code of conduct, internal control framework, risk management policy) and has amended the language of Article 1(b) accordingly to provide more flexibility to external reviewers. 34. ESMA would like to emphasize that the mandate to specify the criteria for assessing whether the compliance function has access to all relevant information stems from Article 29 of the EuGB Regulation, which ESMA must deliver on. Moreover, the RTS should not be seen as prescribing the contents of the compliance monitoring plan – which can be risk￾based – but rather as indicating the relevant information sources compliance should always have access to in order to perform its tasks, when needed. 35. As a result of the above, the following changes have been made to the text: • Article 1: o The wording “(compliance function) policy” in point (a) has been amended to “policies that enable the compliance function…”. o “At least one member of the compliance function is integrated as a member of senior management and the structures of an external reviewer tasked with overseeing risk management and regulatory compliance” in point (b) was replaced by “...is of an appropriate level of seniority and participates in the structures...”. • The language in Article 2(b) has been revised to read: “the persons carrying out the compliance function collectively possess the necessary skills and experience in risk management, audit, legal or compliance”. 2.3.3 RTS on internal policies and procedures [Article 30(3)] Q3: Do you agree with ESMA’s proposals for the assessment of the soundness of administrative and accounting procedures and of internal control mechanisms and the effectiveness of control and safeguard arrangements for information processing systems? 36. Overall, respondents welcomed the approach of the RTS on the criteria for assessing internal policies and procedures. 37. In relation to Article 1(a), one respondent pointed out that the management of the risk of conflicts of interest, fraud and error does not necessarily require the segregation of duties.

15 October 2025 ESMA84-858037815-684 10 38. One respondent expressed confusion as to whether the accounting procedures mentioned in Article 1 refer to the external reviewer’s own accounting systems or solely to those supporting external review engagements. Similarly, another response sought ESMA’s clarification as to whether the scope of the transactions referred to in Article 1(b) included only those related to external reviews of European Green Bonds or also other operations conducted by the external reviewer. 39. One respondent saw the segregation of duties and audit trail requirements of Article 1 as excessively prescriptive, in particular for smaller entities. Another response claimed that the rationale to require external reviewers to comply with “accounting standards and rules” was unclear. 40. One participant recommended that Article 2 focus more on internal controls relevant to the execution of external reviews, as opposed to general corporate-wide arrangements. 41. One contribution pointed out that the term “internal control functions” is unclear and undefined and that the term “business lines” would appear to be more relevant for traditional financial services than the external review sector. 42. A few contributions questioned the need for the RTS to contain specific rules on ICT risk management, given the low systemic risk of the external reviewer industry in this field. In particular, one participant stated that Article 3 should allow for more flexible and scalable approaches based on the size and risk of each external reviewer. 43. A few respondents opposed the reference in the Consultation Paper to the potential inclusion of external reviewers within the scope of DORA in the future. 44. One respondent sought clarity as to whether the requirements of Article 3 relate only to the ICT systems directly used for external reviews or to all systems used by the legal entity. 45. ESMA Response: ESMA has removed point (a) of Article 1 on the basis that the segregation of duties serves a broader purpose than ensuring the “soundness of administrative and accounting procedures”. Furthermore, it has revised the wording of the new point (b) to better reflect the importance of the accounting system in accurately depicting the entity’s financial position. 46. ESMA notes that journal entries, reconciliations and adjustments related to ancillary services instrumental to external reviews or preparatory work should also be captured and recorded. To enhance clarity and market-relevance, ESMA has replaced the term "transactions" with "relevant (accounting) events". 47. ESMA notes that, although respondents may view the record-keeping obligation as prescriptive, its related audit trail requirements primarily originate in Article 34 of the EuGB Regulation. Additionally, ESMA disagrees that the reference to accounting rules should not apply to external reviewers, as they may be subject to national accounting frameworks

15 October 2025 ESMA84-858037815-684 11 (local GAAP, transposed Accounting Directive rules, IFRS), depending on legal form and jurisdiction. 48. ESMA would like to point out that entity-wide systems and ledgers should be in scope of Article 1, insofar as they record and process information related to the activity of external reviews. 49. ESMA takes a holistic view to risk management, according to which the internal control system of an external reviewer should be firm-wide, rather than limited to a single service, because risks, compliance obligations and operational dependencies span across all functions and processes within the organization. A siloed or service-specific approach can lead to blind spots, inconsistent controls and increased vulnerability to operational, financial and reputational risks. Additionally, ESMA considers that the typical core independent functions of internal control, according to a three lines of defence model, are risk management, compliance and internal audit2 . 50. ESMA sees “business lines” in this context as referring to the client-facing and revenue￾generating part of the external reviewer — i.e. the front office teams that originate, negotiate or manage the delivery of external reviews. This may include employees who engage with issuers or who are involved in marketing and selling external review services. 51. With regard to Article 3 and the reason for enacting specific rules on ICT risk management, ESMA would like to point out that it is bound by the legal mandate of Article 30(3) of the EuGB Regulation to specify the criteria for assessing the “effectiveness of control and safeguard arrangements for information processing systems”. 52. In response to calls for more a more measured approach, ESMA has introduced wording to incorporate the principle of proportionality into the obligation to implement a control and safeguard structure for ICT risk management in Article 3(a). Equally, ESMA has revised the language of Article 3(b)(i) to move from a mandatory annual assessment of ICT and information security to a minimum frequency of once every 2 years. 53. ESMA would like to take this opportunity to clarify that the requirements of Article 3 relate to IT systems, both service-specific and shared (e.g. corporate email infrastructure), as long as related to the authorised and supervised activity of external reviews of European Green Bonds. 54. Finally, ESMA accepts that the qualification of external reviewers as ICT third-party service providers within the scope of DORA is a policy and legislative consideration for the future, 2 Putting in place an internal audit function is not a specific requirement of the EuGB Regulation.

15 October 2025 ESMA84-858037815-684 12 once and if that Regulation undergoes a revision. As such, the consulted-on version of Article 3 has been adjusted to allow for more flexibility. 55. As a result of the above, the following changes have been made to the text: • Article 1: o Point (a) (“duties are appropriately segregated to manage risks of conflicts of interest, fraud and human error”) has been removed from the RTS. o The term “transactions” in point (b) has been replaced by “relevant events”. o “(The account system) allows for a fair and precise reflection of the financial position of the external reviewer” has been added to point (c). • The term “continued evaluation” in Article 2(e) was replaced by “continuous evaluation”. • Article 3: o “(A control and safeguard structure) appropriate to the nature, scale and complexity of the external reviewer” has been added to point (a). o The required frequency of the assessment in subpoint (i) of point (b) has changed from “annual” to “at least once every 24 months”. 2.3.4 RTS on information used for reviews [Article 31(4)] Q4: Do you agree with ESMA’s proposals to specify the criteria to assess whether the information used when providing reviews is of sufficient quality and from reliable sources? 56. ESMA received several comments on its proposals specifying the criteria that external reviewers should use for assessing the sufficient quality of information and reliability of sources when providing external reviews. 57. Commenting on Recital 1, one respondent claimed that, as drafted, the concepts of “sufficient quality” and reliability of information could be mistakenly confused with simply having large quantities of data. 58. Noting the link between ESMA’s proposals on methodologies of external reviewers set out in Article 1(c) of the RTS under Article 26 and the present RTS, one respondent sought confirmation that Article 1 and 2 of the current RTS are sufficiently broad to comply with the minimum methodological requirements of Article 1(c) of the RTS on systems, resources and procedures.

15 October 2025 ESMA84-858037815-684 13 59. A number of respondents called for guidance on how firms can demonstrate compliance with Article 1 and 2, including examples on the potential appropriateness of specific measures or controls. 60. Several responses focused on specific issues related to Article 1, such as the possible lack of historical data or unaudited information. One respondent proposed the addition of “where available” to Article 1(c), for cases where historical data is unavailable. Similarly, another participant highlighted that references to “historical data” and “computations, ratios and estimates” might not be reflective of the methodological approach of all external reviewers. 61. In relation to Article 1(d), one contribution asked ESMA to provide examples of what would constitute “reasonable assertions” or acceptable forecasting methodologies, especially for sectors where forward-looking data are inherently uncertain. 62. One contribution raised the question of whether the criteria set out in the RTS apply equally to issuer-published information and to information collected by the external reviewer through the course of its assessment activities. 63. In relation to Article 2(a), one response noted that not all external reviewers perform audits, due diligence or independent verification, instead relying on the accuracy, timeliness and completeness of the information provided by issuers. A similar contribution mentioned that many external reviewers approach the issuer only when additional information is needed and investigate further if material risks of non-compliance are identified. Another response proposed that the RTS further acknowledges the use of context-appropriate sources and assessment approaches such as expert judgment or proxy indicators, particularly in markets where audited datasets may not be readily available. 64. Respondents also asked for clarification concerning the expected requirements for “information that is unbiased and objectively supported by evidence”, as stated in Article 2(a). 65. A few participants proposed that when evaluating the credibility of sources of information, the RTS recognises internal management reports or policy documents shared on a confidential basis by the issuer and unaudited data as acceptable, if accompanied by detailed supporting documentation and, where possible, external validation or cross￾checks. 66. In relation to Article 2(d), one respondent claimed that external reviewers should not have to conduct checks on whether the issuer abides by confidentiality requirements. 67. One response asked for clarity on the meaning of “relevant internationally recognised standards” in the context of information that is not subject to audit or legal disclosure. 68. ESMA Response: ESMA notes that both the quality and quantity of data are key components of the information used for external reviews of European Green Bonds.

15 October 2025 ESMA84-858037815-684 14 However, ESMA agrees that more information does not necessarily equate to higher￾quality information. For this reason, it has revised the wording in Recital 1 to avoid the unintended interpretation that the volume of information is the sole reliable indicator of its quality. 69. ESMA acknowledges the interplay between Article 1(c) of the RTS under Article 26 of the EuGB Regulation and the present RTS. However, the former adopts a wider focus on the appropriateness, adequacy and effectiveness of methodologies – that should specify how and based on what assumptions assessments activities are carried out –, while preserving an element of the assessment of the information underlying the external review in subpoint (i). Therefore, adherence to the requirements of the present RTS should only be regarded as one aspect of broader compliance with Article 1(c) of the RTS on systems, resources and procedures. 70. In response to requests for clarification on the application of the criteria set out in the RTS, ESMA has specified in Article 1 that the proposed criteria pertain to the information used only as relevant in external reviews (“used in their analysis”), in line with Article 31(1) of the EuGB Regulation. In other words, external reviewers are only expected to apply their data quality and reliability checks to the parts of the available information that are deemed relevant under their methodology. 71. ESMA would like to stress that neither the RTS nor the Final Report are intended to prescribe the precise measures or tools to be implemented for demonstrating compliance with the Level 1 and Level 2 requirements. As methodologies are expected to evolve alongside European Green Bond market developments and emerging risks, external reviewers should ensure the soundness of their approach on a continuous basis and remain engaged in ongoing supervisory dialogue. 72. ESMA expects external reviewers to establish sound procedures to conduct their assessment activities and to address limitations potentially affecting the quality of external reviews, such as unaudited information or the unavailability of historical data. ESMA would like to highlight that, under Article 1(c), historical data should be used in a manner that supports and enhances the information needed to carry out the external review, when and if necessary. For instance, it may be that external reviewers only need to resort to a one￾year lookback period when justified by the specific project. In this regard, ESMA has introduced the term “where required by their methodologies” to the relevant provision of the RTS. 73. ESMA reiterates that it is not its intention to prescribe the specific content of methodologies or forecasting tools to be applied by external reviewers through the RTS – pursuant to Article 31(1) of the EuGB Regulation, this is left to the discretion of external reviewers. Similarly, the Article 1(d) reference to “computations and estimates”, given the use of “such as”, should be understood as merely indicative. Based on this rationale, ESMA has

15 October 2025 ESMA84-858037815-684 15 removed the reference to “possible forecasting limitations” in order to avoid confusion and over-prescriptiveness. 74. ESMA would like to clarify that the RTS covers both information disclosed by the issuer and that obtained independently by the external reviewer in the course of conducting its assessment activities in accordance with the criteria defined in its methodologies. 75. ESMA stresses that it is external reviewers who are best placed to define, according to their individual methodologies, which information and sources are fit-for-purpose in order to provide reliable external reviews. These are indeed expected to be context-appropriate – taking into account, for instance, the specific context around a particular bond issuance (e.g. smaller issuers or projects with inherent data limitations, geographical considerations, etc). 76. While external reviewers are encouraged to use information stemming primarily from regulated, audited or other verifiable sources, they should ensure that all information used in assessment activities is objective, reliable and drawn from credible sources. Additionally, the information should be supported by compelling evidence, such as observable, measurable and documented datasets, models, reports or third-party checks. In this regard, ESMA has reformulated point (b) of Article 2 by removing the reference to “level of information” and the term “substantiated”, in order to avoid redundancy vis-à-vis point (a). ESMA has also revised the drafting of point (b) to clarify that the source of information should be able to concretely prove that it can deliver credible information when required in the assessment process (e.g. upon request by the external reviewer), rather than simply demonstrate the capacity or potential to produce such information. 77. ESMA would like to refer to Article 31(1) of the EuGB Regulation, according to which external reviewers should consider all available information relevant to their assessment. As such, ESMA acknowledges that external reviewers may have recourse to a wide range of sources of information to formulate an informed opinion, including but not limited to confidential issuer documentation or written clarifications, external sources and independent verification. Additionally, ESMA wishes to clarify that the RTS neither references nor mandates the assessment of the issuer’s adherence to confidentiality obligations. 78. In the context of Article 2(d), internationally recognised standards refer to principles and best practices developed by credible international bodies that guide how sustainability￾related information should be prepared, presented or evaluated, even if not legally required or subject to statutory audit. However, ESMA would like to clarify that this criterion only requires the prioritisation of particular sources relevant to the external review, when these are available to external reviewers or the general public. 79. As a result of the above, the following changes have been made to the text of the RTS: • Article 1:

15 October 2025 ESMA84-858037815-684 16 o “the (information) used in their analysis” has been added to the end of the main provision. o “where required by their methodologies” been added to point (c) prior to “sufficient historical data”. o “…considering possible forecasting limitations” was removed from point (d). • Article 2: o The terms “a level of information” and “substantiated” were removed from point (b) and “shall demonstrate the capability (to provide)” has been replaced by “shall be able to prove its ability...”. o The word “issues” was added to the end of point (c) to clarify that the provision refers to traceability issues. o In point (d), “audit” has been changed to plural (“audits”), “and” and “relevant” replaced by “or” and “applicable" and “information” inserted in between “where not available” and “subject to...” 2.3.5 RTS on application for recognition [Article 42(9)] Q5: Do you agree with ESMA’s proposals to specify the information, form and content of applications for recognition? 80. Respondents widely supported ESMA’s proposals on the information, form and content for third-country external reviewer’s applications for recognition. Limited proposals for amendments to the RTS were received. 81. One respondent asked for the deletion of several information points in Annex V-VI of the draft RTS that were seen as going beyond the requirements of Level 1. 82. One participant called for the RTS to include a requirement for applicants to submit a declaration of methodological consistency with the framework of the EU Taxonomy and EuGB Regulation, as well as full disclosure of their financial, technical and political relationships with other market actors. 83. One respondent stated that greater clarity was needed on ESMA's assessment criteria for reviewing applications. Similarly, another response called for ESMA to provide implementation guidance to reduce procedural complexity for applicants. 84. ESMA Response: ESMA notes that the content of Annexes V and VI of the draft RTS simply mirrors information contained in the ITS on registration, which has already been

15 October 2025 ESMA84-858037815-684 17 consulted on and finalised. This streamlined approach has been retained due to the absence of negative feedback. 85. In relation to the proposals for additional requirements, ESMA is not keen on significantly increasing entry costs for third-country applicants, given the need for issuers to have access to the widest possible pool of external reviewers, ensuring efficient market functioning and supporting investor activity. Furthermore, ESMA is already able to assess the necessary compliance with the Regulation from the required submission of documentation on its methodological arrangements and independence and conflicts of interest. 86. ESMA notes that while the assessment set out in Article 42(5) of the EuGB Regulation is conducted at its own discretion, it will roll out a dedicated webpage in due time with an application template and guidance for third-country applicants. 87. As a result of the above, no changes have been made to the text of the RTS, other than targeted amendments to bring the provisions and Annexes in line with the final version of the ITS on registration adopted by the European Commission3 . 2.3.6 ITS on material changes to registration [Article 24(2)] Q6: Do you agree with ESMA’s proposals to specify the standard forms, templates and procedures to notify ESMA of material changes in the information provided at registration? 88. Respondents supported ESMA’s proposals on the standard forms, templates and procedures for external reviewers to notify ESMA of material changes to registration information. 89. However, a majority of contributions pointed out that more clarity around the definition of a material change, including materiality thresholds and concrete examples, would be helpful to understand which specific events should trigger a notification to ESMA. 90. A few respondents suggested that ESMA implements an automated system or digital platform to facilitate submissions. In this regard, one respondent claimed that the use of a machine-readable format for the notification required under Article 1(2) could involve a significant technical effort for external reviewers. 3 Commission Implementing Regulation C(2025)2300 12/09/2025 - Directorate-General for Financial Stability, Financial Services and Capital Markets Union).

15 October 2025 ESMA84-858037815-684 18 91. Another respondent questioned the added value of the senior management attestation under Article 1(5) when the accuracy and completeness of regulatory reporting to ESMA does not depend on such attestation. 92. One participant expressed confusion as to how to fill out Annex I together with Annex II, suggesting the combination of both into a single form. 93. ESMA Response: ESMA notes that, under the empowerment of Article 24(2) of the EuGB Regulation, it was not granted a legal mandate to define “material changes”. However, it expects to issue further guidance in this regard in the future. 94. Pursuant to the second subparagraph of Article 24(2) of the Regulation, ESMA’s empowerment for the ITS includes the need to consider digital means of registration. Moreover, ESMA is of the view that it would not be burdensome for entities to notify material changes to registration in a machine-readable way. In this instance, “machine-readable” simply means that the notification should be structured in a way that computers can easily process, without human intervention. This can include a number of formats, from Excel or CSV to XML. An example of a format not complying with this requirement would be a scanned set of documents or images of documents. 95. While ESMA does not expect the launch of a dedicated IT platform, it will consider how to optimise the process for the submission of material changes in a user-friendly manner. 96. For the purposes of Article 1(5), ESMA notes that “a member of senior management” simply refers to the person in charge of the respective area the material changes relate to (e.g. Head of Human Resources for staffing matters). As such, while this written confirmation is important for accountability and transparency purposes, it does not require a high level of formality. 97. As a result of the above, no changes have been made to the text of the ITS, other than targeted amendments to bring the provisions and Annexes in line with the final version of the ITS on registration adopted by the European Commission4 . ESMA is of the view, in relation to the table in Annex I, that these changes will contribute to enhanced clarity for applicants. Finally, in order to reduce complexity, ESMA has merged the two tables in Annex II into a single table for both EU-based and recognised external reviewers. 4 Commission Implementing Regulation C(2025)2300 12/09/2025 - Directorate-General for Financial Stability, Financial Services and Capital Markets Union).

15 October 2025 ESMA84-858037815-684 19 2.3.7 Cost-benefit analysis Q7: Do you have comments or quantitative information to provide on the CBA and options considered by ESMA? 98. Respondents endorsed ESMA’s cost-benefit analysis and the choice to follow Option 2, as per para. 7 of Annex II of the CP. Few proposals for amendments to the preliminary CBA were received. 99. One response urged ESMA to recognise the nascency and small size of the external reviewer market and how excessively burdensome implementing rules could risk limiting the number of applicants. A similar contribution suggested an explicit assessment of the potential impact of ESMA’s proposals on smaller or specialised external reviewers. 100. One participant recommended that the CBA explicitly quantifies the expected avoided losses (e.g. related to climate damage) due to the increased market trust and stronger ESG outcomes that the technical standards seek to achieve. 101. One respondent remarked that some of the baseline costs may already be absorbed by entities complying with international market standards for external reviewers, such as ICMA or CBI. 102. ESMA Response: ESMA acknowledges that the market for external reviews of European Green Bonds is in a nascent stage and it does not seek to discourage potential new entrants by imposing unnecessarily burdensome requirements. ESMA notes that while it is bound by the legal empowerments for very specific technical standards under Articles 24, 26, 29, 30, 31 and 42 of the EuGB Regulation, these will only be applicable from 21 June 2026 and it intends its supervision to be proportionate and risk-based. 103. No quantitative information on estimated costs or benefits was shared by respondents during the consultation. Thus, ESMA is unable to quantify avoided losses as a result of its proposals given the uncertainty involved in conducting a complex technical modelling exercise without substantiated input from market players. 104. ESMA agrees to add to the CBA a reference to the fact that providers adhering to internationally recognised and widely used market standards may benefit from potential cost savings, given their ability to leverage on an existing compliance apparatus. 105. As a result of the above, the following changes have been made to the text of the CBA: • A reference has been added to the “Costs” column of 4 RTS to the mitigating factor for external reviewers already adopting best practices contained in market or professional standards for external reviewers or analogous legislation.

15 October 2025 ESMA84-858037815-684 20 • The reference to the costs associated with the machine-readable format has been removed to address the points raised in para. 94 (Section 2.3.6). 2.3.8 Additional comments 106. Many respondents from the audit, assurance and accounting sector called for ESMA to recognise compliance with internationally recognised standards and with legislation supervised by NCAs to gain exemptions from requirements of the draft technical standards. 107. In the case of external reviewers integrating a wider corporate structure, various respondents called for the possibility of a group-level function to be able to carry out compliance, accounting or IT functions on behalf of the external reviewer. 108. One contribution proposed a phased-in implementation plan to allow external reviewers adequate time to adapt to the Level 2 requirements without compromising their operational stability. 109. ESMA Response: ESMA would like to refer to para. 118 of its previous Final Report5 on the first batch of technical standards under the EuGB Regulation to reinforce that it is not appropriate to address the proposed interoperability between domestic legislation, voluntary standards and the EuGB regulatory framework through its present legal empowerments for RTS/ITS. ESMA expects entities who intend to align their practices to existing standards or legislation, to carry out an assessment to verify if this adherence is sufficient to meet the requirements of the EuGB Regulation and of the proposed technical standards. However, ESMA notes that it intends to factor in sector and entity-specific attributes of external reviewers, such as the existence of an established compliance apparatus for complying with similar requirements, into its risk-based supervisory approach, which can indeed result in lighter-touch supervision. 110. While ESMA cannot tackle the subject of intragroup outsourcing arrangements through its legal empowerments for technical standards, it recommends careful consideration of the requirements set out in Article 33 of the EuGB Regulation, which does not allow for the full externalisation of the analytical or compliance functions. 111. ESMA considers that no further implementation or adjustment time is required in addition to the 18-month period set out in Articles 69 and 70 of the EuGB Regulation, where compliance on a “best efforts basis” with the provisions of the Regulation is expected for external reviewers providing their services during the transitional regime. ESMA notes that 5 ESMA84-858037815-195 Final Report - Technical Standards on the European Green Bonds Regulation (14 February 2025).

15 October 2025 ESMA84-858037815-684 21 the technical standards consulted on will only apply to ESMA-registered external reviewers from 21 June 2026.

15 October 2025 ESMA84-858037815-684 22 3 Annexes 3.1 Annex I – Summary of questions Q1: Do you agree with ESMA’s proposals for the assessment of the appropriateness, adequacy and effectiveness of systems, resources and procedures? Q2: Do you agree with ESMA’s proposals for the assessment of whether the compliance function has the authority to discharge its responsibilities properly and independently, the necessary resources and expertise and access to all relevant information? Q3: Do you agree with ESMA’s proposals for the assessment of the soundness of administrative and accounting procedures and of internal control mechanisms and the effectiveness of control and safeguard arrangements for information processing systems? Q4: Do you agree with ESMA’s proposals to specify the criteria to assess whether the information used when providing reviews is of sufficient quality and from reliable sources? Q5: Do you agree with ESMA’s proposals to specify the information, form and content of applications for recognition? Q6: Do you agree with ESMA’s proposals to specify the standard forms, templates and procedures to notify ESMA of material changes in the information provided at registration? Q7: Do you have comments or quantitative information to provide on the CBA and options considered by ESMA?

15 October 2025 ESMA84-858037815-684 23 3.2 Annex II – Legislative mandate to develop technical standards 3.2.1 RTS on systems, resources and procedures Article 26(3) of the EuGB Regulation Article 26 – General principles

1. External reviewers shall employ appropriate systems, resources and procedures to comply with their obligations under this Regulation.
2. External reviewers shall monitor and evaluate the adequacy and effectiveness of their systems, resources and procedures established in accordance with this Regulation at least annually and take appropriate measures to address any deficiencies in that regard.
3. ESMA shall develop draft regulatory technical standards specifying the criteria for assessing the appropriateness, adequacy and effectiveness of the systems, resources and procedures of external reviewers referred to in paragraphs 1 and 2. 3.2.2 RTS on the compliance function Article 29(4) of the EuGB Regulation Article 29 – Compliance function
4. External reviewers shall ensure that the compliance function complies with the following: (a) it has the authority to discharge its responsibilities properly and independently; (b) it has the necessary resources and expertise and access to all relevant information;
5. ESMA shall develop draft regulatory technical standards specifying the criteria for assessing whether the compliance function has the authority to discharge its responsibilities properly and independently as referred to in paragraph 2, point (a), and the criteria for assessing whether the compliance function has the necessary resources and expertise and has access to all relevant information as referred to in paragraph 2, point (b). 3.2.3 RTS on internal policies and procedures Article 30(3) of the EuGB Regulation Article 30 - Internal policies and procedures

15 October 2025 ESMA84-858037815-684 24 2. External reviewers shall adopt and implement sound administrative and accounting procedures, internal control mechanisms and effective control and safeguard arrangements for information processing systems. 3. ESMA shall develop draft regulatory technical standards specifying the criteria for assessing the soundness of the administrative and accounting procedures and of the internal control mechanisms as well as the effectiveness of the control and safeguard arrangements for information processing systems referred to in paragraph 2. 3.2.4 RTS on information used for reviews Article 31(4) of the EuGB Regulation Article 33 – Assessment methodologies and information used for reviews 3. External reviewers shall use information of sufficient quality and from reliable sources when providing reviews. 4. ESMA shall develop draft regulatory technical standards specifying the criteria for assessing whether the information referred to in paragraph 3 is of sufficient quality and whether the sources referred to in that paragraph are reliable. 3.2.5 RTS on application for recognition Article 42(9) of the EuGB Regulation Article 42 – Recognition of a third-country external reviewer

1. Until the adoption of a decision pursuant to Article 40(1), a third-country external reviewer may provide its services in accordance with this Regulation provided that the third-country external reviewer acquires recognition from ESMA in accordance with this Article.
2. A third-country external reviewer who intends to obtain recognition as referred to in paragraph 1 of this Article (the ‘third-country external reviewer seeking recognition’) shall comply with the requirements laid down in Articles 23 to 38 and Articles 54 to 56.
3. A third-country external reviewer seeking recognition shall have a legal representative established in the Union. That legal representative shall: (a) be responsible, together with the third-country external reviewer seeking recognition, for ensuring that the provision of services under this Regulation by the third-country external reviewer seeking recognition fulfils the requirements referred to in paragraph 2 and shall in that respect be accountable to ESMA for the conduct of the third-country external reviewer seeking recognition in the Union;

15 October 2025 ESMA84-858037815-684 25 (b) act on behalf of the third-country external reviewer seeking recognition as the main point of contact with ESMA and any other person in the Union with regard to the external reviewer’s obligations under this Regulation; and (c) have sufficient knowledge, expertise and resources to fulfil its obligations under this paragraph. 4. An application for recognition from ESMA as referred to in paragraph 1 shall contain all information necessary to satisfy ESMA that the third-country external reviewer seeking recognition has implemented all necessary arrangements to fulfil the requirements referred to in paragraphs 2 and 3 and shall, where applicable, indicate the competent authority responsible for supervision of the third￾country external reviewer seeking recognition in the third country. 9. ESMA shall develop draft regulatory technical standards specifying the information and the form and content of the application referred to in paragraph 4. 3.2.6 ITS on material changes to registration Article 24(2) of the EuGB Regulation Article 24 – Material changes relevant for the registration

1. An external reviewer shall notify ESMA of any material changes in the information provided in accordance with Article 23(1) before such changes are implemented. Where ESMA objects to such material changes, it shall inform the external reviewer within 45 working days of the notification of those changes and shall state the reasons for its objection. The changes referred to in the first subparagraph of this paragraph shall not be implemented if ESMA objects within that period.
2. ESMA shall develop draft implementing technical standards to specify the standard forms, templates and procedures for the provision of the information referred to in paragraph 1. When developing the draft implementing technical standards ESMA shall take into account digital means of registration.

15 October 2025 ESMA84-858037815-684 26 3.3 Annex III – Cost-benefit analysis 112. ESMA has consulted market participants on its preliminary CBA and individual impact assessments in relation to the draft technical standards. 113. Due to the large support for the preliminary CBA, as well as the lack of substantial evidence presented in the CP for the incorporation of additional costs or benefits, it has been retained in its original drafting. 114. In the absence of meaningful input on the quantitative impact of the proposals, the CBA remains qualitative in nature, as ESMA was not able to quantify a monetary value for benefits or costs of the envisaged technical options from the input received during the consultation. Option 1 115. The baseline scenario for this CBA would be the application of the requirements in the Level 1 Regulation without any further specification. This would leave discretion to ESMA and external reviewers to determine the necessary specificities, leading to a lack of harmonisation in the application of key provisions of the EuGB Regulation. Moreover, for ESMA, this baseline scenario would mean that a high level of resources could be required for supervisory activities. This is due to the level of bilateral engagement expected to communicate or clarify ESMA’s expectations and to address market queries or remedy concerns on registration and supervision matters, in the absence of Level 2 acts. Option 2 116. The option to develop RTS and ITS gives ESMA, in its role as gatekeeper of financial markets, an opportunity to further specify the formulation of the Level 1 provisions, enhancing clarity for market participants and avoiding regulatory arbitrage and undue burden on its registration and supervision tasks. Furthermore, ESMA was able to receive feedback from relevant stakeholders through the public consultation, ensuring the technical standards are sufficiently tailored to market reality. 117. This option has been retained. Final CBA Costs Costs to regulator Benefits RTS on systems, resources and procedures The proposed draft RTS will result in external reviewers incurring initial costs ESMA is expected to incur costs from the need to actively allocate supervisory ESMA considers that the proposed draft RTS ensure that external reviewers put

15 October 2025 ESMA84-858037815-684 27 RTS on the compliance function RTS on internal policies and procedures when implementing the elements therein, including the potential need for external consultants or legal advice to interpret and implement the criteria set out in the RTS. There will then be an ongoing and recurring cost (time, resources) of undertaking compliance assessments against the prescribed criteria. Some of the baseline costs may already be partially or fully absorbed by providers aligned with standards and legislation with similar requirements to those of the RTS. resources to monitor compliance of ESMA￾registered external reviewers with the provisions set out in the draft RTS. in place a robust process for determining and demonstrating compliance with the requirements of Articles 26, 29 and 30 of the EuGB Regulation. It is also ESMA’s view that requiring external reviewers to perform an assessment against the criteria set out by ESMA (e.g. as laid down in Article 26(2) of the EuGB Regulation) encourages a culture of proactive compliance and accountability, while allowing ESMA’s supervision to focus on higher-risk areas, optimising resource allocation in line with its risk-based and outcome-focused approach to supervision. RTS on information used for reviews External reviewers may need to develop or upgrade systems, resources and procedures to ensure they meet the criteria set out in the draft RTS. This could involve IT investments, access to certain data sources and staff training costs. In this ESMA is expected to incur costs from the need to actively allocate supervisory resources to monitor compliance of ESMA￾registered external reviewers with the provisions set out in the draft RTS. The main benefits of the approach taken in the draft RTS is providing legal certainty for external reviewers to comply with the provisions of Article 31(3) of the EuGB Regulation. This is also expected to enhance their data quality and reliability

15 October 2025 ESMA84-858037815-684 28 regard, SMEs may face higher compliance costs compared to larger, more established players with more resources. Some of the baseline costs may already be partially or fully absorbed by providers aligned with standards and legislation with similar requirements to those of the RTS. processes, thus contributing to higher￾quality external reviews and, through increased market comparability, a better functioning European green bonds market. RTS on application for recognition The main cost that is expected to be incurred by third￾country external reviewers as a result of the draft RTS is the one-off allocation of resources (notably, time and personnel) to meet the information requirements of the application for recognition. This can be especially onerous vis-à-vis the legal representative, for whom applicants are expected to assess the sufficiency of knowledge, expertise and resources. The proposed approach will lead to additional costs for ESMA in the form of deploying supervisory efforts for the assessment of the conditions for registration of third￾country external reviewers under the RTS, such as evaluating the information set out in Annex VIII to establish whether the legal representative meets the requirements of Article 42(3). The draft RTS is expected to contribute to a standardised application framework for third-country applicants, reducing ambiguity and contributing to a level playing field. At the same time, by harmonising and streamlining the application process, ESMA expects to process submissions faster. By meaningfully screening third-country entities authorised to provide external reviews, ESMA also expects to provide a safer space for issuers and investors in the EU.

15 October 2025 ESMA84-858037815-684 29 ITS on material changes to registration ESMA took the view that the proposed approach in the draft ITS was unlikely to lead to additional costs to the extent that it provides clarifications on the Level 1 provisions and does not impose additional obligations, other than form, beyond those already set by Article 24 of the EuGB Regulation. The proposed draft RTS will lead to the need to allocate supervisory resources to process additional flows of information and assess whether or not to object to a material change in the information provided by external reviewers at registration. The main benefit of the option proposed is the standardisation and user-friendliness of the information and procedural requirements for external reviewers by providing a harmonised set of forms, templates and procedures for the submission of notifications of material changes to the information provided at registration. This way, it is easier for ESMA to assess and compare material changes across different registrants. In turn, external reviewers are provided with more clarity on their notification obligations, strengthening ESMA’s ability to adequately perform a gatekeeping role.

15 October 2025 ESMA84-858037815-684 30 3.4 Annex IV – Final draft technical standards 3.4.1 RTS on systems, resources and procedures COMMISSION DELEGATED REGULATION (EU) 2025/… of XXX supplementing Regulation (EU) 2023/2631 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for assessing the appropriateness, adequacy and effectiveness of the systems, resources and procedures of external reviewers (Text with EEA relevance) THE EUROPEAN COMMISSION, Having regard to the Treaty on the Functioning of the European Union, Having regard to Regulation (EU) 2023/2631 of the European Parliament and of the Council of 22 November 2023 on European Green Bonds and optional disclosures for bonds marketed as environmentally sustainable and for sustainability-linked bonds 6 , and in particular Article 26(3), third subparagraph, thereof, Whereas: (1) To ensure the appropriateness, adequacy and effectiveness of their systems, resources and procedures, external reviewers should comprehensively consider their internal arrangements, from the robustness of information systems to the sufficiency of human, technical and material resources. External reviewers should develop a robust assessment framework as part of their procedures, which should encompass the minimum criteria to be applied for assessing the quality of information and the reliability of sources used in assessment activities. (2) Any deficiencies identified when monitoring and evaluating the adequacy and effectiveness of systems, resources and procedures should be adequately recorded, remediated, reported and have their corrective actions overseen by members of the management body of the external reviewer. (3) The assessment should be independent and comprise periodic checks in line with the requirements of Regulation (EU) 2023/2631. 6 OJ L, 2023/2631, 30.11.2023.

15 October 2025 ESMA84-858037815-684 31 (4) This Regulation is based on the draft regulatory technical standards submitted by ESMA to the European Commission in accordance with Article 10 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council7 . (5) ESMA has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) 1095/2010 of the European Parliament and of the Council, HAS ADOPTED THIS REGULATION: Article 1 Criteria for assessing the appropriateness, adequacy and effectiveness of systems, resources and procedures External reviewers shall ensure that the following criteria are fulfilled for the appropriateness, adequacy and effectiveness of the systems, resources and procedures put in place by an external reviewer: (a) the systems that are in place safeguard the security, integrity and confidentiality of information and ensure the continuity and regularity in the performance of external reviews; (b) the human, technical and material resources deployed are sufficient to identify, manage, monitor and report the risks that an external reviewer is or might be exposed to, or the risks that it poses or might pose to others; (c) the procedures that are in place for the objective and consistent application of assessment methodologies comprise at least the following elements: (i) processes to collect quantitative and qualitative information for the performance of assessment activities, including from the issuer or originator, public sources and information provided by third parties; (ii) measures to address potential shortcomings in the collection and assessment of information and processes governing the review and reporting of errors in assessment methodologies or in their application; (iii) techniques, methods and protocols for designing, periodically testing and reviewing assessment activities, key assumptions and measurement data. 7 Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84).

15 October 2025 ESMA84-858037815-684 32 Article 2 Criteria for assessing the appropriateness, adequacy and effectiveness of the monitoring and evaluation of systems, resources and procedures External reviewers shall ensure that the following criteria are fulfilled for the monitoring and evaluation of the adequacy and effectiveness of the systems, resources and procedures put in place by an external reviewer referred to in Article 26(2) of Regulation (EU) 2023/2631: (a) the monitoring and evaluation is carried out by a function that is independent of the business lines; (b) appropriate measures to address deficiencies identified in the monitoring assessments include: (i) recording breaches, errors, complaints, incidents and near misses in an electronically stored medium; (ii) determining remediation actions and attributing an owner to each deficiency; (iii) reporting the progress in addressing identified deficiencies to senior management, the supervisory body or the management body; (iv) ensuring that the management body oversees the timely implementation of corrective actions. Article 3 Entry into force This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. This Regulation shall be binding in its entirety and directly applicable in all Member States. Done at Brussels, For the Commission The President

15 October 2025 ESMA84-858037815-684 33 3.4.2 RTS on the compliance function COMMISSION DELEGATED REGULATION (EU) 2025/…  of XXX supplementing Regulation (EU) 2023/2631 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for assessing whether the compliance function of external reviewers has the authority to discharge its responsibilities properly and independently and the criteria for assessing whether the compliance function has the necessary resources and expertise and has access to all relevant information (Text with EEA relevance) THE EUROPEAN COMMISSION, Having regard to the Treaty on the Functioning of the European Union, Having regard to Regulation (EU) 2023/2631 of the European Parliament and of the Council of 22 November 2023 on European Green Bonds and optional disclosures for bonds marketed as environmentally sustainable and for sustainability-linked bonds 8 , and in particular Article 29(4), third subparagraph, thereof, Whereas:  (1) To allow the compliance function to have the authority to discharge its responsibilities properly and independently, external reviewers should ensure the existence of a board-approved compliance function policy or policies and the presence of the compliance function in relevant organisational structures of the external reviewer, such as committees. (2) To guarantee the necessary resources of the compliance function, external reviewers should arrange sufficient human and technical resources, from a proportionate number of employees to sufficiently robust IT tools allowing the compliance function to effectively perform its monitoring tasks. (3) To establish the necessary expertise of the compliance function, external reviewers should ensure the collective and up-to-date skill and experience of persons carrying out the compliance function, including through appropriate employment history, professional qualifications or levels of in-house training. 8 OJ L, 2023/2631, 30.11.2023.

15 October 2025 ESMA84-858037815-684 34 (4) To allow the compliance function to have access to all relevant information, external reviewers should ensure the compliance function is able to obtain information from all sources it requires to adequately perform its tasks, including at least corporate and control function records, audit reports, whistleblowing reports and customer complaints. Given the need to ensure third-party service providers and other business units adhere to the same standards as the external reviewer itself, access to information on any outsourced functions or other business lines of the external reviewer should also be granted. (5) This Regulation is based on the draft regulatory technical standards submitted by ESMA to the European Commission in accordance with Article 10 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council9 . (6) ESMA conducted open public consultations on the draft regulatory technical standards on which this Regulation is based and analysed the potential related costs and benefits and requested the advice of the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) 1095/2010 of the European Parliament and of the Council, HAS ADOPTED THIS REGULATION: Article 1 Criteria for assessing the authority of the compliance function External reviewers shall ensure that the following criteria are fulfilled for the compliance function to have the authority to discharge its responsibilities properly and independently: (a) the adoption by the management body of policies that enable the compliance function to assess adherence to laws, regulations and internal policies and procedures and to carry out compliance activities objectively and effectively without undue influence from other departments or employees of an external reviewer or any other persons; (b) at least one member of the compliance function is of an appropriate level of seniority and participates in the structures of an external reviewer tasked with overseeing risk management and regulatory compliance, to ensure compliance considerations are incorporated into the strategy and decision-making procedures of the external reviewer. Article 2 Criteria for assessing the resources and expertise of the compliance function 9 Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84).

15 October 2025 ESMA84-858037815-684 35 External reviewers shall ensure that the following criteria are fulfilled for the compliance function to have the necessary resources and expertise: (a) the number of persons carrying out the compliance function is suitable for the nature, scale and complexity of the business of the external reviewer; (b) the persons carrying out the compliance function collectively possess the necessary skills and experience in risk management, audit, legal or compliance; (c) the compliance function has systems enabling it to analyse data for the purposes of monitoring and investigating the compliance of the external reviewer and recording, reporting and remediating compliance findings. Article 3 Criteria for assessing the ability of the compliance function to access relevant information External reviewers shall ensure that the following criteria are fulfilled for the compliance function to have access to all relevant information: (a) the compliance function has physical and digital access rights to the necessary information to perform its tasks effectively at all times, including but not limited to: (i) information systems, databases, books and records from corporate and control functions, such as legal, finance, human resources and IT; (ii) meeting minutes of governance bodies; (iii) internal and external audit reports and other reports to senior management, the management body or the supervisory body; (iv) whistleblower reports; (v) customer complaints; (vi) information on functions outsourced to a third-party service provider; (vii) information on all business units of an external reviewer providing services other than assessment activities; (b) the compliance function has physical access to the business premises and facilities of the external reviewer. Article 4 Entry into force

15 October 2025 ESMA84-858037815-684 36 This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. This Regulation shall be binding in its entirety and directly applicable in all Member States. Done at Brussels, For the Commission The President

15 October 2025 ESMA84-858037815-684 37 3.4.3 RTS on internal policies and procedures COMMISSION DELEGATED REGULATION (EU) 2025/…  of XXX supplementing Regulation (EU) 2023/2631 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for assessing the soundness of the administrative and accounting procedures and of the internal control mechanisms as well as the effectiveness of the control and safeguard arrangements for information processing systems of external reviewers (Text with EEA relevance) THE EUROPEAN COMMISSION, Having regard to the Treaty on the Functioning of the European Union, Having regard to Regulation (EU) 2023/2631 of the European Parliament and of the Council of 22 November 2023 on European Green Bonds and optional disclosures for bonds marketed as environmentally sustainable and for sustainability-linked bonds 10 , and in particular Article 30(3), third subparagraph, thereof, Whereas:  (1) In order to ensure the soundness of their administrative and accounting procedures, external reviewers should maintain adequate records of relevant accounting events and comply with applicable accounting standards and rules. (2) In order to maintain sound internal control mechanisms, external reviewers should implement a comprehensive system of internal control focused on creating a strong and proportionate control environment, effectively managing risks, implementing necessary control activities, ensuring clear information flow and communication and continuously monitoring activities. (3) In order to guarantee the effectiveness of the control and safeguard arrangements for information processing systems, external reviewers should implement a proportionate control framework for ICT risk management that includes IT and information security assessments and the testing of backup ICT systems to ensure business continuity. 10 OJ L, 2023/2631, 30.11.2023.

15 October 2025 ESMA84-858037815-684 38 (4) This Regulation is based on the draft regulatory technical standards submitted by ESMA to the European Commission in accordance with Article 10 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council11 . (5) ESMA has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) 1095/2010 of the European Parliament and of the Council, HAS ADOPTED THIS REGULATION: Article 1 Criteria for assessing the soundness of administrative and accounting procedures External reviewers shall ensure the following criteria are fulfilled for the soundness of their administrative and accounting procedures: (a) the records kept by the external reviewer in accordance with Article 34 of Regulation (EU) 2023/2631 ensure a clear audit trail is maintained of all relevant events; (b) the accounting system allows for a fair and precise reflection of the financial position of the external reviewer and is compliant with the applicable accounting standards and rules. Article 2 Criteria for assessing the soundness of internal control mechanisms External reviewers shall ensure the following criteria are fulfilled for the soundness of their internal control mechanisms: (a) the control environment put in place is effective and adequate for the nature, scale and complexity of the business to safeguard the independence of internal control functions from the business lines; (b) the risk management framework put in place establishes the external reviewers’ mechanisms for the effective identification, assessment, monitoring, mitigation and reporting of all risks that could materially impact an external reviewer’s ability to meet its obligations under Regulation (EU) 2023/2631; 11 Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84).

15 October 2025 ESMA84-858037815-684 39 (c) preventive and detective control measures are established; (d) appropriate internal and external information and communication procedures are in place; (e) appropriate monitoring procedures for the continuous evaluation of the adequacy and effectiveness of the internal control mechanisms are in place. Article 3 Criteria for assessing the effectiveness of control and safeguard arrangements for information processing systems External reviewers shall ensure the following criteria are fulfilled for the effectiveness of control and safeguard arrangements for information processing systems: (a) the implementation of a control and safeguard structure appropriate to the nature, scale and complexity of the external reviewer that ensures an effective and prudent management of ICT risks; (b) the effective and prudent management of ICT risks includes: (i) conducting ICT and information security assessments at least once every 24 months; (ii) maintenance and testing of redundant ICT capacities to ensure continuity of the business; (iii) risk assessments of third-party ICT integration, where applicable. Article 4 Entry into force This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. This Regulation shall be binding in its entirety and directly applicable in all Member States. Done at Brussels, For the Commission The President

15 October 2025 ESMA84-858037815-684 40 3.4.4 RTS on information used for reviews COMMISSION DELEGATED REGULATION (EU) 2025/…  of XXX supplementing Regulation (EU) 2023/2631 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the assessment of sufficient quality of information and reliability of sources used for external reviews (Text with EEA relevance) THE EUROPEAN COMMISSION, Having regard to the Treaty on the Functioning of the European Union, Having regard to Regulation (EU) 2023/2631 of the European Parliament and of the Council of 22 November 2023 on European Green Bonds and optional disclosures for bonds marketed as environmentally sustainable and for sustainability-linked bonds 12 , and in particular Article 31(4), third subparagraph, thereof, Whereas:  (1) External reviewers should apply specific criteria for assessing whether the information they use when providing reviews is of sufficient quality and from reliable sources. These criteria should, as a minimum, be taken into account in their assessment methodologies. (2) To evaluate the quality of the information used, external reviewers should ensure that it is complete, relevant, timely and based on reasonable assumptions. For instance, the information should provide a comprehensive representation of the bond-funded project considering the type and sector of economic activities. It should have a direct connection with the bond's characteristics, offer an accurate reflection of the funded project, be up-to-date and consider forecasting limitations and inherent uncertainties. (3) To evaluate the reliability of sources, external reviewers should ensure that those sources provide objective and substantiated information. Sources should be credible and accompanied by documentation outlining the steps for information collection and processing, a policy for revising historical data and any limitations affecting the source. External reviewers should give due prominence to information stemming from regulatory requirements or information subject 12 OJ L, 2023/2631, 30.11.2023.

15 October 2025 ESMA84-858037815-684 41 to independent assurance or certification, as well as to relevant internationally recognised standards, where available. (4) External reviewers are expected to apply the criteria for assessing the sufficient quality of information and the reliability of sources of information in a measurable way, for example at review and source level, in order to promote comparability in their approach. Establishing a documented and periodically monitored framework for each criterion supports the consistent application of these criteria. (5) This Regulation is based on the draft regulatory technical standards submitted by ESMA to the European Commission in accordance with Article 10 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council13 . (6) ESMA conducted open public consultations on the draft regulatory technical standards on which this Regulation is based and analysed the potential related costs and benefits and requested the advice of the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) 1095/2010 of the European Parliament and of the Council, HAS ADOPTED THIS REGULATION: Article 1 Criteria for assessing the sufficient quality of information External reviewers shall ensure that the following criteria are fulfilled for the sufficient quality of the information used in their analysis: (a) the information shall be complete and provide a comprehensive representation of the project funded by the bond, including sufficient details in relation to the type and sector of the relevant economic activities; (b) the information shall have a direct and clear relation with the characteristics of the bond and shall provide an accurate representation of the project funded; (c) the information shall be in line with the latest available data and, where required by their methodologies, include sufficient historical data; (d) any related information, such as computations, ratios and estimates, shall be based on reasonable assertions. 13 Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84).

15 October 2025 ESMA84-858037815-684 42 Article 2 Criteria for assessing the reliability of sources of information External reviewers shall ensure that the following criteria are fulfilled for the reliability of sources of information: (a) the source of information shall provide information that is unbiased and objectively supported by evidence; (b) the source of information shall be able to prove its ability to provide credible information; (c) the source of information shall be accompanied by supporting documents covering at least the steps taken for the collection and processing of the information, a comprehensive set of documentation for the revision of historical data, a description of any limitations that may affect the use of the source of information, including potential data gaps and traceability issues; (d) the source of information shall privilege information that is subject to a disclosure requirement by law, audits, conformity assessments, independent assurance or recognised certifications or, where not available, information subject to applicable internationally recognised standards. Article 3 Entry into force This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. This Regulation shall be binding in its entirety and directly applicable in all Member States. Done at Brussels, For the Commission The President

15 October 2025 ESMA84-858037815-684 43 3.4.5 RTS on application for recognition COMMISSION DELEGATED REGULATION (EU) 2025/… of XXX supplementing Regulation (EU) 2023/2631 of the European Parliament and of the Council with regard to regulatory technical standards specifying the information and the form and content of the application for recognition to ESMA of third-country external reviewers (Text with EEA relevance) THE EUROPEAN COMMISSION, Having regard to the Treaty on the Functioning of the European Union, Having regard to Regulation (EU) 2023/2631 of the European Parliament and of the Council of 22 November 2023 on European Green Bonds and optional disclosures for bonds marketed as environmentally sustainable and for sustainability-linked bonds14, and in particular Article 42(9), third subparagraph, thereof, Whereas: (1) The way that information in an application for registration as an external reviewer is provided should enable the European Securities and Markets Authority (ESMA) to assess whether the conditions referred to in Article 23(2) and 42(3) of Regulation (EU) 2023/2631 are fulfilled, including the conditions laid down in Commission Delegated Regulation (EU) 2025/… supplementing Regulation (EU) 2023/2631 of the European Parliament and of the Council with regard to regulatory technical standards specifying the conditions for the registration of external reviewers, the criteria for assessing the sound and prudent management of external reviewers, the appropriateness of the knowledge, experience and training of the external reviewers’ employees, and the conditions under which external reviewers can outsource their assessment activities. (2) To safeguard security and enhance data management and usability, digital means of registration have been taken into account specifying the information and the form and content of the application for recognition as a third-country external reviewer of European Green Bonds. Any information submitted to ESMA in an application should be machine-readable and in a durable medium. (3) To assist ESMA in identifying the documents that an applicant has submitted as part of the application for recognition, a unique reference number should be provided to correspond to each document. (4) For assurance and accountability purposes, applicants that submit an application for recognition to ESMA should complement that application with a letter signed by a member of 14 OJ L, 2023/2631, 30.11.2023.

15 October 2025 ESMA84-858037815-684 44 its senior management, attesting that the submitted information is accurate and complete to the best of that member’s knowledge. (5) This Regulation is based on the draft regulatory technical standards submitted by ESMA to the European Commission in accordance with Article 10 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council15 . (6) This Regulation respects the fundamental rights and observes the principles recognised by the Charter of Fundamental Rights of the European Union, and notably the right to protection of personal data. The processing of personal data for the purposes of this Regulation should be carried out in accordance with Union law on the protection of personal data. In that regard, any processing of personal data performed by ESMA in application of this Regulation should be carried out in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council. Any processing of personal data performed by entities applying for external reviewer within application of this Regulation should be carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council and national requirements on the protection of natural persons with regard to the processing of personal data. (7) To enable ESMA to conduct the assessment for the purposes of recognition, while ensuring appropriate safeguards, personal data relating to applicants for recognition as an external reviewer should be kept by external reviewers and ESMA for no longer than five years after that applicant has ceased to perform its function where the applicant has been registered as a recognised external reviewer. Where ESMA has refused to register an applicant external reviewer or where the applicant withdraws its application for recognition, personal data relating to that applicant should be kept by ESMA no longer than five years after the refusal of the recognition of the applicant or after the withdrawal of the application. (8) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council16 and delivered formal comments on [XX-XX-2025]. (9) ESMA has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) 1095/2010 of the European Parliament and of the Council, HAS ADOPTED THIS REGULATION: Article 1 15 Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84). 16 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj).

15 October 2025 ESMA84-858037815-684 45 Format to follow for the application for recognition as a third-country external reviewer of European Green Bonds

1. Applicants seeking recognition as external reviewers of European Green Bonds shall submit the information referred to in the Annexes to this Regulation in the format set out in those Annexes.
2. Applicants shall provide its application to ESMA in a machine-readable format which: (a) allows the information to remain accessible for a period of time adequate for the purposes of the application; (b) allows for the unchanged reproduction of the information stored.
3. Applicants shall provide a unique reference number to each document that they submit to ESMA. Applicants shall ensure that the information they submit clearly identifies which specific requirement of this Regulation it refers and in which document that information is provided. Applicants shall submit the table set out in Annex I to this Regulation as part of their application and shall clearly identify the document in which they have provided the information required.
4. Where a requirement of Regulation (EU) 2023/2631 does not apply to the application for registration, applicants shall state that in the relevant table set out in Annex I to this Regulation and shall provide an explanation.
5. Applicants shall accompany their application for registration with a letter signed by a member of the applicants’ senior management, attesting that the submitted information is accurate and complete to the best of that member’s knowledge, as of the date of that submission.
6. Personal data relating to applicants for registration as an external reviewer shall be kept by external reviewers and ESMA for as long as it is necessary for the assessment of the initial registration and no longer than five years after that applicant has ceased to perform its function. Where ESMA has refused the registration of the applicant external reviewer or where the applicant withdraws its application, personal data relating to that applicant should be kept by ESMA no longer than five years after the refusal of the registration of the applicant or after the withdrawal of the application. Article 2 Entry into force This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. This Regulation shall be binding in its entirety and directly applicable in all Member States. Done at Brussels, For the Commission The President

15 October 2025 ESMA84-858037815-684 46 ANNEX I DOCUMENT REFERENCES Annex to this Regulation to which the information relates (II-VIII) Unique reference number of the document Title of the document Specific requirement of Regulation (EU) 2023/2631 to which the information relates Chapter or section or page of the document where the information is provided or reason why the information is not provided

15 October 2025 ESMA84-858037815-684 47 ANNEX II GENERAL INFORMATION OF THE APPLICANT Full name of the third-country applicant Address of registered office [Country, city, street address, postal code] Website Legal Entity Identifier (LEI) [Where available] Contact person(s) Name Title Address [Country, city, street address, postal code] Email address Telephone number Legal form of the third-country applicant Competent authority responsible for supervision of the third-country external reviewer seeking recognition in the third country

15 October 2025 ESMA84-858037815-684 48 [Where applicable]

15 October 2025 ESMA84-858037815-684 49 ANNEX III OWNERSHIP STRUCTURE OF THE APPLICANT Owner Percentage of capital Nature of the holding Percentage of the voting rights [Please specify whether legal or natural person] [Direct or indirect]

15 October 2025 ESMA84-858037815-684 50 ANNEX IV MEMBERS OF SENIOR MANAGEMENT AND THE BOARD OF THE APPLICANT Name Board member Member of senior managem ent Date of birth Place of birth Role Submitted documents CV Proof of the absence of criminal records relating to money laundering, terrorist financing, provision of financial services or data services, acts of fraud or embezzlement, notably through an official certificate, or, where such a certificate is not available in the relevant third-country authority, a self-declaration of good repute and the authorisation to ESMA to request such information from the relevant authorities on whether that member has been convicted of a criminal offence in connection with money laundering, terrorist financing, the provision of financial services or data services or in relation to acts of fraud or embezzlement Declaration of fitness and propriety and conflicts of interest referred to in Article 1(2), point (b), of Commission Delegated Regulation (EU) 2025/…

15 October 2025 ESMA84-858037815-684 51 [First name] [Last name] [Yes/No] [Yes/No] [DD/MM/ YYYY] [City, Country] [Unique reference number] [Unique reference number] [Unique reference number]

15 October 2025 ESMA84-858037815-684 52 ANNEX V ANALYTICAL RESOURCES OF THE APPLICANT

1. Information regarding analysts, employees and other persons directly involved in assessment activities Name Role Please select the appropriate column Years in role Years in the industry CV Temporar y Permanen t [Number of years working in assessment activities similar to those tasks required of an external reviewer pursuant to Regulation (EU) 2023/2631] [Unique reference number of the document] Any information regarding the number of employees shall be provided on a full-time equivalent (FTE) basis calculated as the total hours worked divided by the maximum number of hours subject to compensation within a working year as defined by the relevant national law.

15 October 2025 ESMA84-858037815-684 53 2. Information regarding the assessment activities Estimated duration of an external review [Number of days] Expected number of assessments in the next 24 months [Number] 3. Information on the evaluation of the applicant Reasons that the applicant considers the number of analysts, employees and other persons directly involved in assessment activities and their roles to be appropriate Reasons that the applicant considers the number and duration of external reviews to be appropriate

15 October 2025 ESMA84-858037815-684 54 ANNEX VI POLICIES AND PROCEDURES OF THE APPLICANT Point Topic Reference number 1 Training and development plan for analysts, employees and other persons directly involved in assessment activities 2 Policies and procedures put in place to ensure the continuity and regularity in the performance of assessment activities; the safeguarding of the confidentiality and security of records and documents on the services provided; sound administrative and accounting procedures; and the adequacy of information processing systems implemented to meet the obligations of an external reviewer 3 Policies and procedures outlining the internal control framework [In case of a large number of documents, these should be grouped according to the relevant areas of the internal control framework] 4 Policies and procedures to ensure the internal control framework complies with the criteria referred to in Article 5(2) of Commission Delegated Regulation (EU) 2025/… 5 Whistleblower policy ensuring that the anonymity of whistleblowers is safeguarded and reprisals are prohibited 6 Remuneration policy ensuring the independence of the employees subject to variable compensation arrangements

15 October 2025 ESMA84-858037815-684 55 7 Procedures and methodologies implemented to issue reviews 8 Terms of reference of the governance bodies, including the board and, where established, its committees 9 Last meeting minutes of the board 10 Organisational chart, including the identification of reporting lines and job functions 11 Conflict of interest policy 12 Inventory of actual or potential conflicts of interest and proposed mitigation measures 13 Information on how potential conflicts of interest situations, including transactions with related parties, employee personal account dealing, outside business activities and the acceptance of gifts and hospitality are reviewed and approved consistently 14 Documents and information related to any existing or planned outsourcing arrangements for activities of the external reviewer covered by Regulation (EU) 2023/2631, including information on entities assuming outsourcing functions, and the evaluation of how the external reviewer ensures compliance with Article 33(1) of that Regulation

15 October 2025 ESMA84-858037815-684 56 ANNEX VII OTHER ACTIVITIES OF THE APPLICANT Activity Description Offered through subsidiaries [NACE code of the activity, where available] [Yes/No: if Yes, please provide the name of the entity]

15 October 2025 ESMA84-858037815-684 57 ANNEX VIII LEGAL REPRESENTATIVE ESTABLISHED IN THE UNION Full name Address of the registered office within the Union [EU Member State, city, street address, postal code] Email address Legal status Deed of incorporation, articles of association or other constitutional documents Website Legal Entity Identifier (LEI) [Where available]

15 October 2025 ESMA84-858037815-684 58 3.4.6 ITS on material changes to registration COMMISSION IMPLEMENTING REGULATION (EU) 2025/… of XXX laying down implementing technical standards for the application of Regulation (EU) 2023/2631 of the European Parliament and of the Council with regard to the standard forms, templates and procedures for the notification of material changes in the information provided for registration as an external reviewer (Text with EEA relevance) THE EUROPEAN COMMISSION, Having regard to the Treaty on the Functioning of the European Union, Having regard to Regulation (EU) 2023/2631 of the European Parliament and of the Council of 22 November 2023 on European Green Bonds and optional disclosures for bonds marketed as environmentally sustainable and for sustainability-linked bonds 17 , and in particular Article 24(2), fourth subparagraph, thereof, Whereas: (1) To ensure uniform information is provided, this Regulation sets out the standard forms, templates and procedures an external reviewer should use for a notification to ESMA of material changes in the information provided in accordance with Article 23(1) of Regulation (EU) 2023/2631. (2) To safeguard security and enhance data management and usability, the standard forms, templates, and procedures that an external reviewer should use when it notifies ESMA of material changes in the information provided for registration should allow for digital means of registration. Any information that an external reviewer submits to ESMA in a notification should therefore be machine-readable and be provided in a durable medium. (3) To assist ESMA in identifying the documents that an external reviewer has submitted as part of the notification of material changes in the information provided for registration, a unique reference number should be provided to correspond to each document. (4) For assurance and accountability purposes, an external reviewer that notifies ESMA of material changes in the information provided for registration should complement the notification with a letter signed by a member of its senior management, attesting that the submitted information is accurate and complete to the best of its knowledge. 17 OJ L, 2023/2631, 30.11.2023.

15 October 2025 ESMA84-858037815-684 59 (5) This Regulation is based on the draft implementing technical standards submitted to the Commission by ESMA. (6) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council18 and delivered formal comments on [XX-XX-2025]. (7) ESMA conducted open public consultations on the draft implementing technical standards on which this Regulation is based. It has analysed the potential related costs and benefits and requested the advice of the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) 1095/2010 of the European Parliament and of the Council19 , HAS ADOPTED THIS REGULATION: Article 1 Format to follow for the provision of the information referred to in Article 24(1) of Regulation (EU) 2023/2631

1. External reviewers that intend to notify ESMA of a material change in the information provided in accordance with Article 23(1) of Regulation (EU) 2023/2631 shall submit the information referred to in the Annexes to this Regulation in the format set out in those Annexes.
2. External reviewers shall provide their notification to ESMA in a machine-readable format which: (a) allows the information to remain accessible for a period of time adequate for the purposes of the notification; (b) allows for the unchanged reproduction of the information stored.
3. External reviewers shall provide a unique reference number to each document that they submit to ESMA. External reviewers shall ensure that the information they submit clearly identifies to which specific requirement of [Commission Implementing Regulation (EU) 2025/… laying down implementing technical standards for the application of Regulation 2023/2631 of the European Parliament and of the Council with regard to the standard forms, templates and procedures for the provision of the information for an application for registration as an external reviewer for European Green Bonds] or [Commission Delegated Regulation (EU) 2025/... laying down regulatory technical standards for the application of Regulation 18 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj). 19 Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84).

15 October 2025 ESMA84-858037815-684 60 2023/2631 of the European Parliament and of the Council with regard to the information, form and content of applications for recognition] it refers and in which document that information is provided. External reviewers shall submit the table set out in Annex I to this Regulation as part of their notification and shall clearly identify the document in which they have provided the information required. 4. Where a requirement of Regulation (EU) 2023/2631 does not apply to the notification, external reviewers shall state that in the relevant table set out in the Annex to this Regulation and shall provide an explanation. 5. External reviewers shall accompany their notification with a letter signed by a member of the external reviewer’s senior management, attesting that the submitted information is accurate and complete to the best of that member’s knowledge, as of the date of that submission. Article 2 Entry into force This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. This Regulation shall be binding in its entirety and directly applicable in all Member States. Done at Brussels, For the Commission The President

15 October 2025 ESMA84-858037815-684 61 ANNEX I DOCUMENT REFERENCES Annex to Commission Implementing Regulation (EU) 2025/… or Commission Delegated Regulation (EU) 2025/… Regulation to which the information relates Unique reference number of the document Title of the document Specific requirement of Regulation (EU) 2023/2631 to which the information relates Chapter or section or page of the document where the information is provided or reason why the information is not provided

15 October 2025 ESMA84-858037815-684 62 ANNEX II NOTIFICATION OF MATERIAL CHANGES Full name of the external reviewer Date of registration or recognition with ESMA [Please specify the relevant legal reference indicating the Article of, or Annex(es) to, [Commission Implementing Regulation (EU) 2025/… laying down implementing technical standards for the application of Regulation 2023/2631 of the European Parliament and of the Council with regard to the standard forms, templates and procedures for the provision of the information for an application for registration as an external reviewer for European Green Bonds or Commission Delegated Regulation (EU) 2025/... laying down regulatory technical standards for the application of Regulation 2023/2631 of the European Parliament and of the Council with regard to the information, form and content of applications for recognition] [Please use this column to provide an explanation of the change(s)]

15 October 2025 ESMA84-858037815-684 63 [Please add more rows if needed] [Please indicate which Annex of Commission Implementing Regulation (EU) 2025/… laying down implementing technical standards for the application of Regulation 2023/2631 of the European Parliament and of the Council with regard to the standard forms, templates and procedures for the provision of the information for an application for registration as an external reviewer for European Green Bonds or Commission Delegated Regulation (EU) 2025/... laying down regulatory technical standards for the application of Regulation 2023/2631 of the European Parliament and of the Council with regard to the information, form and content of applications for recognition is to be resubmitted] Annex I (Yes/No) Annex V (Yes/No) Annex II (Yes/No) Annex VI (Yes/No) Annex III (Yes/No) Annex VII (Yes/No) Annex IV (Yes/No) Annex VIII [recognised external reviewers only] (Yes/No)