EBA/GL/2025/01 08/01/2025 Final Report Guidelines on the management of environmental, social and governance (ESG) risks

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 2 Contents

1. Executive Summary 3
2. Background and rationale 4
3. Guidelines 13
4. Reference methodology for the identification and measurement of ESG risks 18
5. Minimum standards and reference methodology for the management and monitoring of ESG risks 27
6. Plans in accordance with Article 76(2) of Directive 2013/36/EU 38
7. Accompanying documents 46

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 3

1. Executive Summary The EBA is mandated in accordance with Article 87a(5) of Directive 2013/36/EU to issue guidelines on minimum standards and reference methodologies for the identification, measurement, management and monitoring of environmental, social and governance (ESG) risks by institutions. ESG risks, in particular environmental risks through transition and physical risk drivers, pose challenges to the safety and soundness of institutions and may affect all traditional categories of financial risks to which they are exposed. To ensure the resilience of the business model and risk profile of institutions in the short, medium and long term, the guidelines set requirements for the internal processes and ESG risk management arrangements that institutions should have in place. Institutions, based on regular and comprehensive materiality assessments of ESG risks, should ensure that they are able to properly identify and measure ESG risks through sound data processes and a combination of methodologies, including exposure-, portfolio- and sector-based, portfolio alignment and scenario-based methodologies. Institutions should integrate ESG risks into theirregularrisk management framework by considering their role as potential drivers of all traditional categories of financial risks, including credit, market, operational, reputational, liquidity, business model, and concentration risks. Institutions should have a robust and sound approach to managing and mitigating ESG risks over the short, medium and long term, including a time horizon of at least 10 years, and should apply a range of risk management tools including engagement with counterparties. Institutions should embed ESG risks in their regular processes including in the risk appetite, internal controls and ICAAP. Besides, institutions should monitor ESG risks through effective internal reporting frameworks and a range of backward- and forward-looking ESG risk metrics and indicators. Institutions should develop specific plansto address the risks arising from the transition and process of adjustment of the economy towards the regulatory objectives related to ESG factors of the jurisdictions they operate in. To this end, institutions should assess and embed forward-looking ESG risk considerations in their strategies, policies and risk management processes through transition planning considering short-, medium- and long-term time horizons. CRD-based plans take a risk￾based view and contribute to the overall resilience of institutions towards ESG risks and should be consistent with transition plans prepared or disclosed by institutions under other pieces of EU legislation. Next steps The guidelines will apply from 11 January 2026 except for small and non-complex institutions for which the guidelines will apply at the latest from 11 January 2027.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 4 2. Background and rationale 2.1 Impact of ESG risks

1. Climate change, environmental degradation, biodiversity loss, social issues and other environmental, social and governance (ESG) factors pose considerable challenges for the economy. The impact of acute and chronic physical risk events, the need to transition to a low-carbon, resource-efficient and sustainable economy, as well as other ESG challenges, are causing and will continue to cause profound economic transformations that impact the financial sector.
2. The Commission’s Renewed Sustainable Finance Strategy and the banking package (Directive 2013/36/EU (Capital Requirements Directive, CRD) and Regulation (EU) No 575/2013 (Capital Requirements Regulation, CRR)) recognise that the financial sector has an important role to play both in terms of supporting the transition towards a climate-neutral and sustainable economy, as enshrined in the Paris Agreement, the United Nations 2030 Agenda for Sustainable Development and the European Green Deal, and for managing the financial risks that this transition may entail and/or those stemming from other ESG factors.
3. Environmental risks, including climate-related risks, are expected inter alia to become even more prominent going forward through different possible combinations of transition and physical risks. These may affect all traditional categories of financial risks to which institutions are exposed. In addition, institutions’ counterparties or invested assets may be subject to the negative impact of social factors, such as breaches of human rights, demographic change, digitalisation, health or working conditions, and governance factors, such as shortcomings in executive leadership or bribery and corruption, which may in turn lead to financial risks that institutions should assess and manage.
4. To maintain adequate resilience to the negative impacts of ESG factors, institutions established in the EU need to be able to systematically identify, measure and manage ESG risks. However, the specificities of ESG risks such as their forward-looking nature and distinct impacts over various time horizons, as well as the lack of relevant historical experience, means that understanding, measurement and management practices can differ significantly across institutions. The EBA’s observations stemming from the monitoring of supervisory colleges, as well as supervisory experience from competent authorities, also show that the management of ESG risks is still at an early stage and ‘work in progress’, with only nascent practices on ESG risks other than climate-related risks in most EU institutions. Despite action taken in recent years, several shortcomings have been observed in the inclusion of ESG risks in business strategies and risk management frameworks that may pose challenges to the safety and soundness of institutions as the EU transitions towards a more sustainable economy and the materialisation of ESG risks intensifies.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 5 2.2 Legal mandate and objective of these guidelines 5. To enhance the prudential framework’s focus on ESG risks faced by institutions, new provisions have been introduced and adjustments have been made to several Articles in the CRD and in the CRR. In particular and to ensure a uniform understanding of ESG risks, definitions of ESG risks, environmental risk, physical risk, transition risk, social risk and governance risk have been laid down in Article 4 of the CRR. Articles 73 and 74 of the CRD have been amended to require that short-, medium- and long-term horizons of ESG risks be included in credit institutions’ strategies and processes for evaluating internal capital needs as well as adequate internal governance. A reference to the current and forward-looking impacts of ESG risks and a request for the management body to develop concrete plans to address these risks have also been introduced in Article 76 of the CRD. 6. In addition, a new Article 87a has been included in the CRD, according to which:

1. Competent authorities shall ensure that institutions have, as part of their robust governance arrangements including risk management framework required under Article 74(1), robust strategies, policies, processes and systems for the identification, measurement, management and monitoring of ESG risks over the short, medium and long term.
2. The strategies, policies, processes and systems referred to in paragraph 1 shall be proportionate to the scale, nature and complexity of the ESG risks of the business model and scope of the institution’s activities, and consider the short and medium term, and a long-term time horizon of at least 10 years.
3. Competent authorities shall ensure that institutions test their resilience to long￾term negative impacts of ESG factors, both under baseline and adverse scenarios within a given timeframe, starting with climate-related factors. For such resilience testing, competent authorities shall ensure that institutions include a number of ESG scenarios reflecting potential impacts of environmental and social changes and associated public policies on the long-term business environment. Competent authorities shall ensure that in the resilience testing process, institutions use credible scenarios, based on the scenarios elaborated by international organisations.
4. Competent authorities shall assess and monitor developments of institutions’ practices concerning their ESG strategy and risk management, including the plans, quantifiable targets and processes to monitor and address the ESG risks arising in the short, medium and long-term, to be prepared in accordance with Article 76(2). This assessment shall take into account the institutions’ sustainability-related product offering, their transition finance policies, related loan origination policies, and ESG-related targets and limits. Competent authorities shall assess the robustness of those plans as part of the supervisory review and evaluation process.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 6 Where relevant, for the assessment referred to in the first subparagraph, competent authorities may cooperate with authorities or public bodies in charge of climate change and environmental supervision. 7. To foster robust risk management practices and ensure convergence across the Union, the EBA has been empowered in Article 87a(5) of the CRD to issue guidelines to specify: a) minimum standards and reference methodologies for the identification, measurement, management and monitoring of ESG risks; b) the content of plans to be prepared in accordance with Article 76(2) of the CRD, which shall include specific timelines and intermediate quantifiable targets and milestones, in order to monitor and address the financial risks stemming from ESG factors, including those arising from the process of adjustment and transition trends towards the relevant Member States and Union regulatory objectives in relation to ESG factors, in particular the objective to achieve climate neutrality by 2050 as set out in Regulation (EU) 2021/1119, as well as, where relevant for internationally active institutions, third￾country legal and regulatory objectives; c) qualitative and quantitative criteria for the assessment of the impact of ESG risks on the risk profile and solvency of institutions in the short, medium and long term; d) criteria for setting the scenarios referred to in paragraph 3 of Article 87a of the CRD, including the parameters and assumptions to be used in each of the scenarios, specific risks and time horizons. 8. These guidelines address the aspects included in points a), b) and c) of the mandate entrusted to the EBA. Point d) of the mandate will be addressed through the development of complementary guidelines on scenario analysis related to ESG factors. Therefore, these guidelines on the management of ESG risks only include a broad requirement for institutions to perform scenario-based analyses, which will be further specified by the future guidelines on scenario analysis. 9. These guidelines aim at enhancing the identification, measurement, management and monitoring of ESG risks by institutions, as referred to under Article 4(1) point 3 of Regulation (EU) No 575/2013, and at supporting their safety and soundness as they are confronted with the short-, medium- and long-term impact of ESG factors. The guidelines contain requirements as to the internal processes and ESG risk management arrangements that institutions should have in place, including specific plans to address the risks arising from the transition and process of adjustment to relevant sustainability legal and regulatory objectives. 10. The guidelines include minimum reference methodologies to be developed and used by institutions to assess ESG risks. Acknowledging the continuous progress in the availability and development of ESG risk data and methodologies, the focus is on the main features of key

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 7 types of methodologies, whilst flexibility is left to institutions regarding specific details, also to facilitate the development of institutions’ own methodologies over time. 2.3 Plans to monitor and address ESG risks 11. The long-term nature and the profoundness of the transition process towards a climate￾neutral and sustainable economy may entail significant changes in the business models of institutions and in the types and levels of risks they are confronted with. As a result, according to Article 76(2) of the CRD, institutions shall set out specific plans to monitor and address the financial risks arising from ESG factors, including those arising from the transition and process of adjustment to the relevant Member States and Union regulatory objectives in relation to ESG factors, as well as, where relevant for internationally active institutions, third-country objectives. 12. These guidelines specify requirements for CRD-based plans and are focused on risk-based transition planning from a micro prudential perspective. Their objective is to ensure that institutions comprehensively assess and embed forward-looking ESG risk considerations in their strategies, policies and risk management processes, including by taking a long-term perspective and with a view to ensuring their soundness and resilience to the risks faced. 13. Whilst based on the prudential framework for banks, these guidelines and especially Section 6 and the Annex have been prepared by taking into consideration other initiatives and legislative frameworks related to plans, commonly called transition plans, that should be disclosed and/or developed by sets of non-financial and financial corporates to ensure that their business model and strategy are compatible with the transition. These include the Corporate Sustainability Reporting Directive (CSRD) 1 , the Corporate Sustainability Due Diligence Directive (CSDDD)2 , and the European Commission’s (EC) Recommendation of June 2023 on facilitating finance for the transition to a sustainable economy3 as well as, where relevant, other international public or private initiatives. 14. The requirements related to plans that are included under various pieces of EU legislation have specific but complementary purposes and should be addressed by institutions that are in the scope of these requirements in a coherent and consistent manner. Notably, CSRD and CSDDD include requirements for the disclosure and adoption, respectively, of plans to ensure the compatibility of business models of undertakings with the transition to a sustainable economy and with the limiting of global warming to 1.5°C in line with the Paris Agreement and the objective of the EU to achieve climate neutrality by 2050. CSRD aims at providing transparency to investors and other stakeholders. CRD and these guidelines include 1 Directive (EU) 2022/2464 of the European Parliament and of the Council of 14 December 2022 amending Regulation (EU) No 537/2014, Directive 2004/109/EC, Directive 2006/43/EC and Directive 2013/34/EU, as regards corporate sustainability reporting. 2 Directive (EU) 2024/1760 of the European Parliament and of the Council of 13 June 2024 on corporate sustainability due diligence and amending Directive (EU) 2019/1937 and Regulation (EU) 2023/2859. 3 Commission Recommendation (EU) 2023/1425 of 27 June 2023 on facilitating finance for the transition to a sustainable economy - https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32023H1425

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 8 requirements for the monitoring and management of financial risks stemming from ESG factors, including those arising from the transition towards a climate-neutral and more sustainable economy, and therefore have a deeper focus on risk assessment and management. Plans required under CRD as specified by these guidelines are not subject to disclosure, although some parts may be covered by transparency requirements of CSRD and/or Pillar 3, but will be assessed by prudential supervisors of institutions as part of the supervisory review and evaluation process. 15. Whilst these guidelines are focused on the prudential aspects of transition planning, the EBA emphasises that institutions will need to develop a single, comprehensive strategic planning process that covers all regulatory requirements stemming from applicable legislation (also beyond the strictly prudential, i.e. including CSRD, CSDDD, sectoral legislation, etc.) and all relevant aspects, including inter alia business strategy, risk management, due diligence, and sustainability reporting. Such an integrated, holistic internal approach should ensure consistent outcomes when addressing all applicable requirements, the coordination of all efforts related to transition planning within institutions, the operationalisation of strategic climate targets and commitments, a reduced administrative burden, and the development of risk management arrangements commensurate with the strategies followed by institutions. In particular, an institution that carries out its sustainability reporting in accordance with Articles 19a and 29a of the Accounting Directive4 should ensure consistency of information used to comply with these guidelines and information disclosed in accordance with the European Sustainability Reporting Standards (ESRS) and rely on the already available materially identical or significantly comparable relevant information to the extent possible. 16. These guidelines do not require CRD-based plans to set out an objective of fully aligning with Member States or Union sustainability objectives or one specific transition trajectory. At the same time, it must be noted that plans developed by institutions to monitor and address ESG risks in accordance with the CRD also need to consider and ensure consistency with institutions’ voluntary commitments and other requirements stemming from non-prudential regulations. Such consistency is explicitly required under Article 87a(5) subparagraph 2 of the CRD which states that, where relevant, the methodologies and assumptions sustaining the targets, the commitments and the strategic decisions disclosed publicly by institutions under the Accounting Directive, or other relevant disclosure and due diligence frameworks, shall be consistent with the criteria, methodologies, assumptions, and targets used in the plans to be prepared in accordance with the CRD. 17. In addition, while these guidelines do not prescribe any particular business strategy, institutions need to assess financial risks stemming from misalignments of their portfolios with relevant EU regulatory objectives towards a sustainable economy, including the climate 4 Directive 2013/34/EU of the European Parliament and of the Council of 26 June 2013 on the annual financial statements, consolidated financial statements and related reports of certain types of undertakings

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 9 targets for 2030 and 2050 included in the European Climate Law5 , namely the reduction by 2030 of greenhouse gas emissions levels by 55% compared to 1990, and achieving net-zero emissions by 2050. From a risk management perspective, institutions therefore need to understand the potential implications for their business models of the transition process and of the broader EU legislative framework and develop a strategic response to manage the risks associated with these developments as part of a unified internal transition planning exercise. 18. It should also be pointed out that the goal of CRD-based plans is not to force institutions to exit or divest from greenhouse gas-intensive sectors but rather to stimulate institutions to proactively reflect on technological, business and behavioural changes driven by the transition, to thoroughly assess the risks and opportunities they entail, and to prepare or adapt accordingly through structured transition planning, including by engaging with their clients and supporting them where appropriate, notwithstanding other mitigation actions consistent with sound risk management. 19. Moreover, CRD-based plans are closely related to the policy proposals included in the EBA report on the management and supervision of ESG risks6 , which recommended institutions to integrate ESG risks into their processes, including by extending the time horizon for strategic planning to at least 10 years, at least qualitatively, and by testing their resilience to different scenarios. 20. Against this background, CRD-based plans can be understood as the overview and articulation of the strategic actions and risk management tools deployed by institutions, based on a forward-looking business environment analysis and a single, comprehensive transition planning process, to demonstrate how an institution ensures its robustness and preparedness for the transition towards a climate and environmentally resilient and more sustainable economy. These plans aim at ensuring that institutions identify, measure, manage and monitor ESG risks, in particular environmental transition and physical risks, over several time horizons including long-time horizons while also setting targets and milestones at regular time intervals. Such plans should be embedded in the institutions’ strategy and risk management and address the risks arising from the structural changes that may occur within the industries and counterparties to which institutions are exposed, taking into account the transition pathways and adaptation frameworks compatible with the legal and regulatory objectives of the Member States, EU, and where relevant, other jurisdictions in which they operate. 21. These guidelines refer to transition planning as the internal strategic and risk management process undertaken by institutions to prepare for risks and potential changes in their business model associated with a transition to an environmentally resilient and more sustainable economy, including the implementation of their objectives and targets for monitoring and addressing ESG risks. The plans are in turn the outputs of the transition planning process. 5 Regulation (EU) 2021/1119 of the European Parliament and of the Council of 30 June 2021 establishing the framework for achieving climate neutrality and amending Regulations (EC) No 401/2009 and (EU) 2018/1999 (‘European Climate Law’) 6 EBA Report on management and supervision of ESG risks for credit institutions and investment firms (EBA/REP/2021/18)

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 10 22. Acknowledging the fast-evolving developments related to transition plans and the need to preserve the responsibility of the management bodies to set the overall business strategies and policies, these guidelines focus on processes, principles, core expectations and main features, including metrics, of sound plans for the management of ESG risks, while leaving flexibility and responsibility to institutions as to the specific details and levels of targets. The Annex provides guidance on how institutions could structure the presentation of their plans in line with the requirements established in the guidelines, while not introducing additional requirements nor intending to be exhaustive. 2.4 Proportionality 23. The guidelines have been drafted taking into account the proportionality principle set out in Article 87a(2) of the CRD (see paragraph 6 above). This means that proportionality should firstly be understood as driven by the materiality of ESG risks associated with the institution’s activities and business model. As such, these guidelines establish in Section 4.1 that institutions should rely on the results of their materiality assessments of ESG risks to design and implement proportionate strategies, policies, processes and plans. 24. In addition, since these guidelines cover internal governance and risk management arrangements of institutions, they apply in accordance with the general principle of proportionality applicable to internal governance and risk management arrangements of all institutions, as laid out in Title I of the EBA Guidelines on internal governance7 . 25. The size of institutions is not a sufficient criterion to apply proportionality with regard to the management of ESG risks. Smaller institutions are not immune to ESG risks, for example in case of concentrations of exposures in ESG-sensitive economic sectors or in geographical areas prone to physical risks. All institutions should therefore implement approaches that are commensurate with the results of their materiality assessment and that ensure their ability to manage ESG risks in a safe and prudent manner. 26. However, the size and complexity of institutions do play a role in the level of available resources and capacities to manage ESG risks. These guidelines therefore provide some differentiated provisions for small and non-complex institutions (SNCIs) as well as for other non-large institutions, where appropriate, allowing them to implement less complex or sophisticated arrangements. On the other hand, these guidelines include some more extensive requirements for large institutions8 . 27. Concretely, the specific provisions included in these guidelines for SNCIs and other non-large institutions relate to the frequency of updates of the materiality assessment (see paragraph 11 of the guidelines), the extent to which qualitative considerations and/or estimates and proxies can be used (see e.g., paragraph 15 of the guidelines), the number and granularity of risk assessment methodologies (see section 4.2.3) and monitoring metrics (see paragraph 81) 7 EBA Guidelines on internal governance under Directive 2013/36/EU (EBA/GL/2021/05) 8 Definitions of SNCI and large institution provided in Article 4(1)(145) and Article 4(1)(146) of the CRR, respectively, apply.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 11 as well as certain aspects of CRD-based planssuch as their granularity (paragraph 110), update frequency (paragraph 114), scenarios (paragraph 97) and metrics (paragraph 106). 28. With regard to CRD-based plans, Article 76(2) of the CRD allows Member States to indicate in what areas a waiver or a simplified procedure may be applied by SNCIs. Section 6 of these guidelines already provides proportionality measures for SNCIs and other non-large institutions which apply even in cases where Member States do not make use of the mentioned CRD provision. If a Member State decidesto apply the provision, Section 6 of these guidelines will apply to SNCIs dependent on the transposition of CRD into national law. 2.5 Environmental risks and ESG risks 29. As reflected in the CRD provisions, and in line with the sequenced approach adopted under other EBA regulatory products on ESG risks such as the Implementing Technical Standards on Pillar 3 disclosures, these guidelines put emphasis on environmental risks while still containing some minimum requirements on the remaining categories of ESG risks. 30. Although currently institutions are typically more advanced as regards the measurement and assessment of climate-related risks, it is important that institutions progressively develop tools and practices that aim at assessing and managing the impacts of a sufficiently comprehensive range of environmental risks, as defined in Article 4(1)(52e) of the CRR, extending beyond merely climate-related risks to also include broader environmental risks such as risks stemming from the degradation of ecosystems and biodiversity loss, as well as from other ESG factors9 . Given the widespread dependence of economic activities on nature, it is particularly relevant that institutions properly understand the potential physical and transition risks that could result from nature degradation and from actions aimed at protecting and restoring it. 31. In addition, it should be kept in mind that institutions can be both impacted by (so-called ‘financial materiality’) and have an impact on (so-called ‘environmental and social materiality’) environmental and social factors through their core business activities, i.e. their lending to counterparties and their investments in assets. On the financial materiality side, the economic and financial activities of counterparties or invested assets can be negatively impacted by environmental or social factors, which might affect the value and risk profile of such activities and in turn translate into a financial impact on the institution. On the environmental and social materiality side, the economic and financial activities of counterparties or invested assets can have a negative impact on environmental and social factors, which could in turn translate into a direct financial impact on the institution or affect it through reputational, litigation or business model risks. The assessment and management of environmental and social risks should take both of these dimensions into account to the extent that they affect the financial risks to which institutions are exposed. 9 Annex 1 of EBA Report on management and supervision of ESG risks provides a non-exhaustive list of ESG factors (EBA/REP/2021/18)

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 12 2.6 Articulation with international developments and other EBA products 32. These guidelines build on existing EU and international requirements and/or principles on the management of ESG risks, such as the BCBS principles for the effective management and supervision of climate-related financial risks 10 . They also take into account the analysis performed and recommendations included in the EBA Report on the management and supervision of ESG risks, guidance published by supervisors or networks of central banks such as the Network for Greening the Financial System (NGFS), various initiatives related to transition planning and plans 11 as well as supervisory experience regarding institutions’ practices on the management of climate and environmental risks. 33. These guidelines are consistent with and include cross-references to other EBA guidelines or standards which refer to ESG risks, such as the EBA Guidelines on loan origination and monitoring (with respect to integration of ESG risks in credit risk policies), the EBA Guidelines on internal governance (with respect to integration of ESG risks in governance arrangements), and the EBA Implementing Technical Standards on Pillar 3 disclosure of ESG risks(with respect to ESG risk metrics). In addition, based on the recent amendments to the CRD, the EBA will introduce or incorporate further ESG risk considerations when developing future guidelines on scenario analysis and when updating its guidelines on internal governance, guidelines on fit-and-proper assessments and guidelines on remuneration policies. These future developments and updates will be done in a way that ensures consistency with these guidelines on the management of ESG risks, complementing them in specific areas such as scenario analysis, the responsibilities of the management body or the integration of ESG risks into institutions’ remuneration frameworks. 34. These guidelines are part of the EBA’s mandates and tasks in the area of sustainable finance and ESG risks which cover the three pillars of the prudential framework for banks as well as other areas related to sustainable finance and the assessment and monitoring of ESG risks, as laid out in the EBA’s roadmap on sustainable finance12 . 10 BCBS Principles for the effective management and supervision of climate-related financial risks https://www.bis.org/bcbs/publ/d532.htm 11 Non-exhaustive examples include publications by the NGFS, EU Platform on Sustainable Finance, UK Transition Plan Taskforce, Taskforce on Nature-related Financial Disclosures. 12 EBA roadmap on sustainable finance

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 13 3. Guidelines

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 14 EBA/GL/2025/01 08/01/2025 Guidelines on the management of environmental, social and governance (ESG) risks

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 15

1. Compliance and reporting obligations Status of these guidelines
2. This document contains guidelines issued pursuant to Article 16 of Regulation (EU) No 1093/20101 . In accordance with Article 16(3) of Regulation (EU) No 1093/2010, competent authorities and financial institutions must make every effort to comply with the guidelines.
3. Guidelines set the EBA view of appropriate supervisory practices within the European System of Financial Supervision or of how Union law should be applied in a particular area. Competent authorities as defined in Article 4(2) of Regulation (EU) No 1093/2010 to whom guidelines apply should comply by incorporating them into their practices as appropriate (e.g. by amending their legal framework or their supervisory processes), including where guidelines are directed primarily at institutions. Reporting requirements
4. According to Article 16(3) of Regulation (EU) No 1093/2010, competent authorities must notify the EBA as to whether they comply or intend to comply with these guidelines, or otherwise with reasons for non-compliance, by 03.06.2025. In the absence of any notification by this deadline, competent authorities will be considered by the EBA to be non￾compliant. Notifications should be sent by submitting the form available on the EBA website with the reference ‘EBA/GL/2025/01’. Notifications should be submitted by persons with appropriate authority to report compliance on behalf of their competent authorities. Any change in the status of compliance must also be reported to EBA.
5. Notifications will be published on the EBA website, in line with Article 16(3). 1 Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC, (OJ L 331, 15.12.2010, p.12).

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 16 2. Subject matter, scope and definitions Subject matter and scope of application 5. These guidelines specify robust governance arrangements institutions need to have in place in accordance with Articles 87a(1) and 74 of Directive 2013/36/EU1 2 , and cover: (a) minimum standards and reference methodologies for the identification, measurement, management and monitoring of environmental, social and governance (ESG) risks, in accordance with Article 87a(5)a) of that Directive; (b) qualitative and quantitative criteria for the assessment of the impact of ESG risks on the risk profile and solvency of institutions in the short, medium and long term, in accordance with Article 87a(5)c) of that Directive; (c) the content of plans to be prepared in accordance with Article 76(2) of that Directive by the management body, which shall include specific timelines and intermediate quantifiable targets and milestones, in order to monitor and address the financial risks stemming from ESG factors, including those arising from the process of adjustment and transition trends towards the relevant Member States and Union regulatory objectives in relation to ESG factors, in particular the objective to achieve climate neutrality by 2050 as set out in Regulation (EU) 2021/1119, as well as, where relevant for international active institutions, third country legal and regulatory objectives, in accordance with Article 87a(5)b) of that Directive. 6. These guidelines address the ESG risk management processes of institutions as part of their broader risk management framework. They apply in relation to the robust strategies, policies, processes and systems for the identification, measurement, management and monitoring of ESG risks over the short, medium and long term that institutions subject to Directive 2013/36/EU shall have as part of their robust governance arrangements including risk management framework required under Article 74(1) of Directive 2013/36/EU. These guidelines also complement and further specify EBA Guidelines on internal governance3 and EBA Guidelines on loan origination and monitoring4 in relation to the management of ESG risks. 7. Competent authorities and institutions should apply these guidelines in accordance with the level of application set out in Article 109 of Directive 2013/36/EU. 1 2 Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338). 3 EBA Guidelines on internal governance under Directive 2013/36/EU (EBA/GL/2021/05) 4 EBA Guidelines on loan origination and monitoring (EBA/GL/2020/06)

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 17 Addressees 8. These guidelines are addressed to competent authorities as defined in Article 4(2) point (i) of Regulation (EU) No 1093/2010 and to financial institutions as defined in Article 4(1) of Regulation (EU) No 1093/2010 which are also institutions in accordance with Article 4(1) point 3 of Regulation (EU) No 575/20135 . Definitions 9. Unless otherwise specified, terms used and defined in Directive 2013/36/EU and Regulation (EU) No 575/2013 have the same meaning in these guidelines. 3. Implementation Date of application 10. These guidelines apply to institutions other than small and non-complex institutions from 11 January 2026. These guidelines apply to small and non-complex institutions at the latest from 11 January 2027. 5 Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012 (OJ L 176, 27.06.2013, p. 1).

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 18 4. Reference methodology for the identification and measurement of ESG risks 4.1 Materiality assessment 11. As part of the reference methodology for institutions’ identification and measurement of ESG risks to be included in their strategies and internal procedures, institutions should provide for the regular performance of a materiality assessment of ESG risks. That assessment should be performed at least every year or, for small and non-complex institutions (SNCIs), every two years. Institutions including SNCIs should, however, update their assessment more frequently in case of a material change to their business environment related to ESG factors, such as significant new public policies or shifts in the institution’s business model, portfolios or oper￾ations. 12. The materiality assessment of ESG risks should be performed as an institution-specific assess￾ment which provides the institution with a view on the financial materiality of ESG risks for its business model and risk profile, supported by a mapping of ESG factors and transmission channels to traditional financial risk categories. The materiality assessment of ESG risksshould be consistent with other materiality assessments conducted by the institution, in particular those made for the purpose of disclosing material sustainability risks in accordance with Di￾rective 2013/34/EU6 and Commission Delegated Regulation (EU) 2023/27727 , where applica￾ble, and should be integrated into the internal capital adequacy assessment process (ICAAP) materiality assessment. 13. The materiality assessment of ESG risks should use a risk-based approach that takes into ac￾count the likelihood of occurrence and the potential magnitude of the financial effects of ESG risks in the short and medium term and over a long-term horizon of at least 10 years. 14. With a view to comprehensively assessing the materiality of ESG risks, institutions should ensure that the scope of their materiality assessment sufficiently reflects the nature, size and complexity of their activities, portfolios, services, and products. Institutions should consider the impact of ESG risks on all traditional financial risk categories to which they are exposed, including credit, market, liquidity, operational (including litigation), reputational, business model and concentration risks. The determination of material ESG risks should consider both 6 Directive 2013/34/EU of the European Parliament and of the Council of 26 June 2013 on the annual financial statements, consolidated financial statements and related reports of certain types of undertakings, amending Directive 2006/43/EC of the European Parliament and of the Council and repealing Council Directives 78/660/EEC and 83/349/EEC (OJ L 182, 29/06/2013, p. 19). 7 Commission Delegated Regulation (EU) 2023/2772 of 31 July 2023 supplementing Directive 2013/34/EU of the European Parliament and of the Council as regards sustainability reporting standards (OJ L, 2023/2772, 22.12.2023).

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 19 their impacts on financial risk categories and the amounts and/or shares of exposures, revenues and profits exposed to the risks. 15. With regard to the materiality assessment of environmental risks, institutions should use both qualitative and quantitative information. Institutions should consider a sufficiently large scope of environmental factors that includes at least climate-related factors, degradation of ecosystems and biodiversity loss. Institutions should assess both transition and physical risk drivers, taking into account at least the following: a) For transition risks: i. the main economic sectors that the financed assets support or in which the institution’s counterparty has its principal activities; ii. ongoing and potential future material changes in public policies, technologies and market preferences (e.g. new environmental regulations or tax incen￾tives, development of innovative low-carbon technologies, shifts in consumer or investor demand); iii. with respect to climate-related risks:

1. exposures towards sectors that contribute highly to climate change as specified in Recital 6 of Commission Delegated Regulation (EU) 2020/1818 i.e. the sectors listed in Sections A to H and Section L of Annex I to Regulation (EC) No 1893/2006 8 , with particular consideration given to exposures towards fossil fuel sector entities;
2. the degree of alignment or misalignment of portfolios with the relevant regulatory objectives of the jurisdictions where they operate – for SNCIs and other non-large institutions at least on the basis of a high-level qualitative assessment; b) For physical risks: i. the geographical areas in which key assets of counterparties (e.g. production sites) and, in particular for real estate exposures, physical collateral islocated; ii. the vulnerability level to environmental hazards (e.g. temperature-related, wind-related, water-related, solid mass-related hazards) associated with dif￾ferent climate scenarios and transition pathways or, for SNCIs and other non￾large institutions, associated with at least one adverse scenario. 8 Commission Delegated Regulation (EU) 2020/1818 of 17 July 2020 supplementing Regulation (EU) 2016/1011 of the European Parliament and of the Council as regards minimum standards for EU Climate Transition Benchmarks and EU Paris-aligned Benchmarks (OJ L 406, 03/12/2020, p. 17) - Climate Benchmark Standards Regulation - Recital 6: Sectors listed in Sections A to H and Section L of Annex I to Regulation (EC) No 1893/2006

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 20 16. Institutions should substantiate and document as part of their ICAAP their materiality assessments of ESG risks, including methodologies and thresholds used, inputs and factors considered and main results and conclusions reached, including non-materiality conclusions. 17. Institutions should develop and implement measurement methods, risk management arrangements and transition planning processes, respectively in accordance with Section 4.2, Section 5, and Section 6, that are commensurate with and informed by the outcomes of the materiality assessment. To this end, institutions should have more extensive and sophisticated arrangements for ESG risks identified as material. In turn, the ESG risk measurement methodologies and ESG risk monitoring metrics used by institutions should support and inform the regular updates of the materiality assessment. Smaller institutions with less complex activities may apply less extensive and sophisticated arrangements, which however should be commensurate with the results of their materiality assessment of ESG risks. 4.2 Identification and measurement of ESG risks 4.2.1 General principles 18. As part of the minimum standards to identify and measure ESG risks, institutions’ internal procedures should include tools and methodologies to assess ESG risk drivers and their trans￾mission channels into the different prudential risk categories and financial risk metrics affect￾ing the institution’s exposures, including with a forward-looking perspective. 19. To ensure a proper identification and management of ESG risks, institutions should consider the potential impact of these risks in the short, medium and long term. The level of granularity and accuracy of data points, quantification tools, methods and indicators used by institutions should take into account their materiality assessment and their size and complexity and gen￾erally be higher for the short and medium term. Long-term time horizons should at least be considered from a qualitative perspective and support strategic assessments and decision￾making. 20. With regard to environmental risks, internal procedures and methodologies should allow in￾stitutions to: a. quantify climate-related risks, such as by estimating the probabilities of materialisa￾tion and magnitude of financial impacts stemming from climate-related factors; b. properly understand the financial risks that may result from other types of environ￾mental risks, such as those stemming from the degradation of nature, including bio￾diversity loss and the loss of ecosystem services, or the misalignment of activities with actions aimed at protecting, restoring, and/or reducing negative impacts on nature;

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 21 c. establish key risk indicators (KRIs) covering at least short- and medium-term time ho￾rizons and a scope of exposures and portfolios determined in line with the results of the materiality assessment. 21. With regard to social and governance risks, where quantitative information is initially lacking, institutions’ internal procedures should provide for methods that start by evaluating qualita￾tively the potential impacts of these risks on the operations of, and financial risks faced by, the institution, and should progressively develop more advanced qualitative and quantitative measures. Institutions should gradually enhance their approaches in line with regulatory, sci￾entific, data availability and methodological progress. 22. With regard to the interactions between the different categories of, respectively, environ￾mental, social and governance risks, institutions’ internal procedures should ensure that each category of risk is first assessed taking into account its specific characteristics, before consid￾ering potential interconnections and interdependencies in the measurement of these risks. 4.2.2 Data processes 23. Institutions’ internal procedures should provide for the implementation of sound information management systems to identify, collect, structure and analyse the data that is necessary to support the assessment, management and monitoring of ESG risks. Such systems should be implemented across the institution as part of the overall data governance and IT infrastruc￾ture. Institutions should regularly review their practices to ensure they remain up to date with public (e.g. increased data availability due to regulatory initiatives) and market developments and should have in place arrangements to assess and improve data quality. 24. Institutions’ internal procedures should ensure that institutions gather and use the infor￾mation needed to assess, manage, and monitor the current and forward-looking ESG risks they may be exposed to via their counterparties, by aiming at collecting client- and asset-level data at an appropriately granular level. 25. Institutions’ internal procedures should build on both internally and externally available ESG data, including by regularly reviewing and making use of sustainability information disclosed by their counterparties, in particular in accordance with European Sustainability Reporting Standards developed under the Directive 2013/34/EU or voluntary reporting standard for non-listed Small and Medium-size Enterprises (SMEs) as per the Communication COM (2023) 535 on the SME relief package9 . 26. Institutions should assess which other sources of data would effectively support the assessment, management and monitoring of ESG risks, such as information obtained through engagement with clients and counterparties as part of new and existing business relationships, or third-party data. When institutions use services of third-party providers to 9 COM (2023) 535 - Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions - SME Relief Package

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 22 gain access to ESG data, institutions should ensure they have a sufficient understanding of the sources, data and methodologies used by data providers, including their potential limitations. 27. Where the quality or availability of data is initially not sufficient to meet risk management needs, institutions should assess these gaps and their potential impacts. Institutions should take and document remediating actions, including the use of estimates or proxies, e.g. based on sectoral- and/or regional-level characteristics and, when feasible, making adjustments to account for counterparty-specific aspects. Institutions should seek to reduce the use of estimates and proxies over time as ESG data availability and quality improve. 28. For large corporate counterparties as defined by Article 3(4) of Directive 2013/34/EU, institutions should consider collecting or obtaining the following data points, where applicable: a. For environmental risks: i. geographical location of key assets (e.g. production sites) and exposure to environmental hazards (e.g. temperature-related, wind-related, water-related, solid mass-related hazards) at the level of granularity needed for appropriate physical risk analysis, and availability of insurance; ii. current and, if available, targeted greenhouse gas (GHG) scope 1, 2 and 3 emissions in absolute value and, where relevant, in intensity value; iii. dependency on fossil fuels, either in terms of economic factor inputs or revenue base; iv. energy and water demand and/or consumption, either in terms of economic factor inputs or revenue base; v. level of energy efficiency for real estate exposures and the debt servicing capacity of the counterparty; vi. the current and anticipated financial effects of environmental risks and opportunities on the counterparty’s financial position, financial performance and cash flows; vii. transition-related strategic plans, including transition plan for climate change mitigation disclosed in accordance with Article 19a or Article 29a of Directive (EU) 2022/2464, when available; b. For social and governance risks: i. alignment with the OECD Guidelines for Multinational Enterprises, UN Guiding Principles on Business and Human Rights and International Labour Organisation Declaration on Fundamental Principles and Rights at Work;

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 23 ii. negative material impacts on own workers, workers in the value chain, affected communities and consumers/end-users including information on due diligence efforts or processes to avoid and remediate such impacts. 29. For exposures towards other types of counterparties than large corporates, institutions should: a. determine the data points needed for the identification, measurement and management of ESG risks, considering the list provided in paragraph 28 to support that assessment; b. where needed to address data gaps, use expert judgment, qualitative data, portfolio-level assessments and proxies in line with paragraph 27. 4.2.3 Main features of reference methodologies for the identification and measurement of ESG risks 30. Institutions’ internal procedures should provide for a combination of risk assessment methodologies, including exposure-based, sector-based, portfolio-based, and scenario-based methodologies, as set out in paragraphs 31 to 42. The combination of methodologies should be put together in a way that allows institutions to comprehensively assess ESG risks over all relevant time horizons. In particular, institutions should at least use exposure-based methods to obtain a short-term view of how ESG risks are impacting the risk profile and the profitability of their counterparties, use sector-based, portfolio-based and scenario-based methods to support the medium-term planning process and the definition of risk limits and risk appetite for steering the institution towards its strategic objectives, and assess through scenario-based methods their sensitivities to ESG risks across different time horizons including long-term ones. a. Exposure-based methods 31. At an exposure-based level, in line with the provisions in paragraphs 126 and 146 of the EBA Guidelines on loan origination and monitoring, institutions should have internal procedures in place to assess the exposure of their counterparties’ activities and key assets to ESG factors, in particular environmental factors and the impact of climate change, and the appropriateness of the mitigating actions. To this end, institutions should ensure that ESG factors, in particular environmental factors, are properly reflected in their internal risk classification procedures, are taken into account in the overall assessment of default risk of a borrower and, where justified by their materiality, are embedded into the risk indicators, internal credit scoring or rating models, as well as into the valuation of collateral. 32. With regard to the assessment of environmental risks at exposure level, institutions’ internal procedures should include a set of risk factors and criteria that capture both physical and transition risk drivers. For large institutions, this includes, where applicable, at least the following:

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 24 a) the degree of vulnerability to environmental hazards, taking into account the geographical location of the key assets of counterparties and guarantors, or of the physical collateral backing the exposures, considering both on-balance sheet and off￾balance sheet exposures; b) the degree of vulnerability to transition risks, taking into account relevant technological developments, the impact of applicable or forthcoming environmental regulations affecting the sector of activity of the counterparty, the current and if any targeted GHG emissions in absolute and, where relevant, intensity value of the counterparty, the impact of evolving market preferences, and the level of energy efficiency in the case of residential or commercial real estate exposurestogether with the debt service capacity of counterparties; c) the exposure of the counterparty’s business model and/or supply chain to critical disruptions due to environmental factors such as the impact of biodiversity loss, water stress or pollution; d) the exposure of the counterparty to reputational and litigation riskstaking into account completed, pending or imminent litigation cases related to environmental issues; e) the (planned) maturity or term structure of the exposure or asset; f) risk-mitigating factors, such as private or public insurance coverage, for example based on applicable national catastrophe schemes or similar frameworks, and the capacity of the counterparty to ensure resilience to transition and physical risks including through forward-looking transition planning. 33. Where data needed to assess certain criteria is not yet available, such as for smaller corporate counterparties, institutions should follow the steps outlined in paragraphs 26, 27 and 29. 34. With regard to the assessment of social and governance risks at exposure level, institutions should implement due diligence processes with a view to assessing the financial impacts stemming from, and the vulnerability of counterparties’ business model to, social and governance factors, taking into account the adherence of corporate counterparties to social and governance standards such as those mentioned in paragraph 28 b(i), the exposure of the counterparty to litigation risk driven by social or governance issues, as well as the applicable legislation in the jurisdiction where the counterparty operates. b. Sector-based, portfolio-based and portfolio alignment methods 35. Institutions’ internal procedures should provide for sector-based and portfolio-based methodologies, in particular heat maps that highlight ESG risks of individual economic (sub-) sectors in a chart or on a scaling system as referred to in paragraphs 127 and 149 of the EBA Guidelines on loan origination and monitoring. Institutions’ methodologies should allow to

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 25 map their portfolios according to ESG risk drivers and identify any concentration towards one or more type(s) of ESG risks. 36. With regard to non-climate related ESG factors, large institutions should develop: a) methods to identify sectors that are highly dependent on, or have significant impact on, ecosystem services, and tools to measure the financial impact of nature degradation and actions aimed at protecting, restoring and/or reducing negative impacts on nature; b) approaches to measuring the positive or adverse impacts of their portfolios on the achievement of the UN Sustainable Development Goals and evaluating potential related financial risks. 37. With regard to climate-related risks, institutions’ internal procedures should provide for the use of at least one portfolio alignment methodology to assess on a sectoral basis the degree of alignment of institution’s portfolios with climate-related pathways and/or benchmark scenarios. Institutions should also consider assessing the alignment at counterparty level e.g. by comparing the GHG emissions intensity of a given counterparty with an applicable sectoral benchmark. 38. For the purposes of paragraph 37, institutions should use scenarios that are science-based, relevant to sectors of economic activity and the geographical location of their exposures, up to date and originating from national, EU or international organisations such as national environmental agencies, Joint Research Center of the EU Commission, the International Energy Agency, Network for Greening the Financial System, International Panel on Climate Change. Sectoral decarbonisation pathways should be consistent with the applicable policy objective, such as the EU objective to reach net-zero GHG emissions by 2050 and to reduce emissions by 55% by 2030 compared to the 1990 level, or any national objective where applicable. 39. For the purposes of paragraph 37, institutions should determine the appropriate scope of the portfolio alignment assessments and the degree of sophistication of the methodologies used based on the characteristics of their portfolios, the results of their materiality assessment and their size and complexity. Large institutions with securities traded on a regulated market within the Union should take into account the list of sectors included in Template 3 of Annex I of the Commission Implementing Regulation (EU) 2022/245310 . SNCIs and other non-large institutions may use representative samples of exposures in their portfolios to undertake portfolio alignment assessments. 10 Commission Implementing Regulation (EU) 2022/2453 of 30 November 2022 amending the implementing technical standards laid down in Implementing Regulation (EU) 2021/637 as regards the disclosure of environmental, social and governance risks (OJ L 324, 19.12.2022, p. 1).

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 26 40. Institutions should justify and document their methodological choices including the choice of scenario(s) and the base year, the selection of sectors and, for SNCIs and other non-large institutions, the identification of a representative sample of exposures, as well as any significant methodological change over time. When data needed to measure alignment is missing, institutions should follow the steps set out in paragraphs 26, 27 and 29. 41. Institutions should consider insights gained from climate portfolio alignment methodologies to: a. assess and monitor climate-related transition risks stemming from misalignments of counterparties and/or portfolios with EU, Member State or third-country regulatory objectives and pathways consistent with applicable climate goals, and potential related financial risks; b. inform their decision-making process on the formulation and implementation of their risk appetite, business strategy and transition planning including regarding prioritisation of engagement with certain counterparties. c. Scenario-based methods 42. In addition to exposure-based, sector-based, portfolio-based and portfolio alignment methods, institutions’ internal procedures should provide for the use of scenario-based analyses to test their resilience to ESG risks, starting with climate-related risks, under various scenarios11 . 11 Point d) of the mandate included in Article 87a(5) of Directive 2013/36/EU will be addressed through the development of complementary EBA Guidelines on scenario analysis to test the resilience of institutions to environmental, social and governance factors.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 27 5. Minimum standards and reference methodology for the management and monitoring of ESG risks 5.1 ESG risk management principles 43. For the purposes of integrating ESG risks into the institution-wide risk management frame￾work in accordance with paragraph 152 of the EBA Guidelines on internal governance, insti￾tutions should consider the role of ESG risks as potential drivers of all traditional categories of financial risks, including credit, market, operational (including litigation), reputational, li￾quidity, business model, and concentration risks. 44. Institutions should embed ESG risks within their regular risk management systems and pro￾cesses ensuring consistency with their overall business and risk strategies, including plans in accordance with Article 76(2) of Directive 2013/36/EU as further specified in Section 6. Insti￾tutions should ensure that they have a fully integrated approach where ESG risks are properly captured and considered as part of risk management strategies, policies and limits. Where institutions have in place specific arrangements for ESG risks, they should ensure this is re￾flected in, and feeds into, the regular risk management framework. 45. Institutions should develop a robust and sound approach to managing and mitigating ESG risks over the short and medium term and over a long-term horizon of at least 10 years, taking into account the principles outlined in paragraph 19. 46. Institutions should determine which combination of risk management and mitigation tools would best contribute to this, by considering a range of tools, including the following: a) engagement with counterparties aiming at better understanding the risk profile of the counterparty and at ensuring consistency with the institution’s risk appetite and stra￾tegic objectives, in particular by: i. determining the scope of counterparties with whom to engage, taking into account the outcomes of the materiality assessment and of the risk measure￾ment process; ii. establishing a dialogue with those counterparties to review their resilience towards ESG risks, taking into account the sectoral legislation that affects those counterparties and any transition plan they have developed; iii. where relevant and possible, providing relevant information and advice to clients on the assessment or mitigation of ESG risks they are exposed to; and

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 28 iv. considering a range of counterparty-specific actions, such as adjustment to product offering, agreement on a plan and remedial actions to support tran￾sition efforts and an enhanced resilience of the counterparty, or as a last re￾sort cessation of the relationship when continuation is considered incompat￾ible with the institution’s planning and risk appetite. b) adjusting financial terms (e.g. including contractually-agreed safeguards and correc￾tive measures), conditions (e.g. tenor) and/or pricing based on ESG risk-relevant cri￾teria and the institution’s risk strategy and internal capital policy; c) considering ESG risks when developing sectoral policies and when setting global, re￾gional and sectoral risk limits, exposure limits and deleveraging strategies; d) diversification of lending and investment portfolios based on ESG risk-relevant crite￾ria, e.g. in terms of economic sectors or geographical areas; e) other risk management tools deemed appropriate in line with the institution’s risk appetite, such as a possible reallocation of financing between and within sectors to￾wards exposures more resilient to ESG risks. 5.2 Strategies and business models 47. Institutions should account for ESG risks when developing and implementing their overall business and risk strategies, which should include at least: a) understanding and assessing the business environment in which they operate, and how they are exposed to structural changes in the economy, financial system, and competitive landscape over the short, medium and long term as a result of ESG fac￾tors; b) understanding and assessing how ESG risks, in particular environmental risk drivers including transition and physical risks, can have an adverse impact on the viability of their business model and sustainability of their business strategy, including profitabil￾ity and revenue sources, over the short, medium and long term; c) considering how these ESG risks, in particular environmental risk drivers including transition and physical risks, may affect their ability to achieve their strategic objec￾tives and remain within their risk appetite; d) formulating, implementing and monitoring plans and targets as set out in Section 6. 48. For the purposes of paragraph 47 and with a view to ensuring sufficiently informed strategies, institutions should consider insights gained from a combination of forward-looking risk as￾sessment methods, including:

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 29 a) portfolio alignment methodologies, as described in Section 4.2; b) environmental risk scenario analyses, taking into account the (potential) business en￾vironment(s) in which they might be operating in the short, medium and long term, including a time horizon of at least 10 years; c) climate or environmental stress tests performed by the institution. 49. Institutions should have a comprehensive understanding of their business model, strategic objectives and risk strategy from an ESG risk perspective and should ensure that their govern￾ance, transition planning process and risk management framework, including risk appetite, are adequate to implement them. 5.3 Risk appetite 50. Institutions should ensure that their risk appetite clearly defines and addresses ESG risks which are part of their risk inventory following the materiality assessment. The risk appetite should specify the level and types of ESG risks institutions are willing to assume in their port￾folio, including as regards the portfolio’s concentration and diversification objectives. The in￾tegration of ESG risks in the risk appetite should be consistent with the institution’s strategic objectives and commitments and with the plans and targets specified under Section 6. 51. The risk appetite should be implemented with the support of ESG-related KRIs, including e.g. potential limits, thresholds or exclusions. For the determination of relevant and appropriate KRIs, institutions should consider the results of their materiality assessment and the specific features of their business model, taking into account relevant business lines, activities, prod￾ucts, and exposures towards economic sectors and geographies, including jurisdictions and more granular geographical areas. Institutions should consider the metrics listed in Section 5.7 when determining which selected KRIs to use in their risk appetite framework. 52. Institutions should ensure that all relevant group entities and business lines and units bearing risk properly understand and implement the institution’s risk appetite in terms of ESG risks. In particular in large institutions risk limits should be set at different levels within the institu￾tion, ensuring consistency with the overall risk appetite, and should anchor ESG risk consid￾erations in relation to the products or financial instruments issued, originated or held by the institution, client segments, type of collateral and risk mitigation instruments. 53. The institution’s risk appetite and associated KRIs should be subject to monitoring and esca￾lation processes as set out in paragraph 80. 5.4 Internal culture, capabilities and controls 54. Institutions should develop on an ongoing basis their capabilities to identify, assess, monitor, manage and mitigate ESG risks as appropriate. Institutions should ensure, as part of their

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 30 training policy, that their management body and staff are adequately trained to understand the implications of ESG factors and ESG risks with a view to fulfilling their responsibilities ef￾fectively. The policies and procedures on training activities should be kept up to date and take into account scientific and regulatory developments; the procedure for managers should take into account that knowledge of ESG factors and ESG risks is relevant for the assessment of the suitability of members of the management body and for key function holders in line with the Joint EBA and ESMA Guidelines on suitability assessments12 . 55. The sound and consistent risk culture that accounts for ESG risks implemented within the institution in accordance with Title IV of the EBA Guidelines on internal governance13 should include clear communication from the management body (‘tone from the top’) and appropri￾ate measures to promote knowledge of ESG factors and ESG risks across the institution, as well as awareness of the institution’s ESG strategic objectives and commitments. 56. For the purposes of Title V of the EBA Guidelines on internal governance14, institutions should incorporate ESG risks into their internal control frameworks across the three lines of defence. The internal control framework should include a clear definition and assignment of ESG risk responsibilities and reporting lines. 57. The first line of defence should be responsible for undertaking assessments of ESG risks, tak￾ing into account materiality and proportionality considerations, during the client onboarding, credit application, credit review and, where relevant, investing processes, and in ongoing monitoring and engagement with existing clients. Staff in the first line of defence should have an adequate understanding and knowledge to be able to identify potential ESG risks. 58. As part of the activities of the second line of defence: a) the risk management function should be responsible for undertaking ESG risk assess￾ment and monitoring independently from the first line of defence, including by en￾suring adherence to the risk limits, questioning and where necessary challenging the initial assessment conducted by the business relationship officers; b) the compliance function should oversee how the first line of defence ensures adher￾ence to applicable ESG risk legal requirements and internal policies, and should advise the management body and other relevant staff on measures to be taken to ensure such compliance. In addition, in relation to the sustainability claims and/or commit￾ments made by the institution, it should provide advice on the reputational and con￾duct risks associated with the implementation or failure to implement such claims and/or commitments; 12 Joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body and key function holders under Directive 2013/36/EU and Directive 2014/65/EU (EBA/GL/2021/06) 13 Title IV – Risk culture and business conduct 14 Title V – Internal control framework and mechanisms

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 31 c) the compliance function and the risk management function should be consulted for the approval of new products with ESG features or for significant changes to existing products to embed ESG aspects. 59. As third line of defence, the internal audit function (IAF) should provide an independent re￾view and objective assurance of the quality and effectiveness of the overall internal control framework and systems in relation to ESG risks, including the first and second lines of defence and the ESG risk governance framework. 5.5 Internal capital adequacy assessment process and internal liquidity adequacy assessment process 60. Institutions should incorporate material ESG risks and their impacts on financial risk catego￾ries into their ICAAP to assess, and maintain on an ongoing basis, the amounts, types and distribution of internal capital that they consider adequate to cover the nature and level of ESG risks, taking into account the short, medium and long term. 61. When institutions take into account longer time horizons for the coverage of ESG risks, these time horizons should be used as a source of information to ensure a sufficient understanding of the potential implications of ESG risks for capital planning within the regular ICAAP time horizons. The time horizons considered for the determination of adequate internal capital to cover ESG risks should be consistent with the time horizons used as part of the institutions’ overall ICAAP. The ICAAP should be sufficiently forward-looking and where an institution as￾sesses that risks should not be covered by capital but be mitigated through other tools or actions, it should be explained. 62. Institutions should use insights gained from their risk assessment methodologies, including those referred to in Section 4.2, to identify and measure internal capital needs for exposures or portfolios assessed as more vulnerable to ESG risks, taking into account the differing levels of availability and maturity of quantification methodologies for environmental risks compared to social and governance risks. 63. With regard to environmental risks, institutions should include in their ICAAP a forward-look￾ing view of their capital adequacy under an adverse scenario that includes specific environ￾mental risks elements. In addition, institutions should specify any changes to the institution’s business plan or other measures derived from climate or environmental risks stress testing and/or reverse stress testing, in line with paragraph 90 of EBA Stress Testing Guidelines15 . 64. Institutions should incorporate material environmental risks and their impacts on liquidity in their internal liquidity adequacy assessment process (ILAAP) over appropriate time horizons within the scope of the ILAAP coverage. 15 EBA Guidelines on institutions stress testing (EBA/GL/2018/04)

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 32 65. Institutions should include in their ICAAP and ILAAP frameworks a description of the risk ap￾petite, thresholds and limits set for, respectively, material ESG risks and material environmen￾tal risks and their impacts on their solvency or liquidity, as well as the process applied to keep￾ing these thresholds and limits up to date. Institutions should provide sufficient contextual information to understand their analysis of the capital and liquidity implications of, respec￾tively, ESG and environmental risks, including by providing clarity on the methodologies used and underlying assumptions. 66. When integrating ESG risks into their ICAAP and environmental risks in their ILAAP, the com￾plexity of the processes and the degree of sophistication of the methodologies used by insti￾tutions should take into account their size and complexity and the results of their materiality assessment. 5.6 Policies and procedures for financial risk categories 67. Institutions should understand and manage the current and potential future impact of ESG risks on their exposures to credit risk, on the valuation of their positions subject to market risk, in particular for prudent valuation purposes, on their liquidity risk profile and buffers, on their operational (including litigation) risks, and on reputational risks, including through the use of forward-looking analyses. 5.6.1 Credit risk 68. For the purposes of integrating ESG risks into credit risk policies and procedures as set out in paragraph 56 of the EBA Guidelines on loan origination and monitoring, institutions should ensure that their credit sectoral policies, reflecting ESG risks, are cascaded down and trans￾lated into clear origination criteria available to business lines staff and credit decision-makers, and should ensure that ESG risks are embedded into the credit risk monitoring framework. 69. With regard to environmental risks, institutions should include in their policies and proce￾dures a combination of qualitative and quantitative aspects. Based on their materiality as￾sessment and their risk appetite, institutions should set quantitative credit risk metrics cov￾ering the most significant client segments, types of collateral and risk mitigation instruments. 5.6.2 Market risk 70. With respect to market risk, institutions should consider how ESG risks could affect the value of the financial instruments in their portfolio, evaluate the potential risk of losses on their portfolio and increased volatility in their portfolio’s value, and establish effective processes to control or mitigate the associated impacts as part of their market risk management frame￾work including where needed reviewing the trading book risk appetite and setting internal limits for positions or client exposures.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 33 5.6.3 Liquidity and funding risk 71. With respect to liquidity and funding risk, institutions should at least consider how ESG risks could affect net cash outflows (e.g. increased drawdowns of credit lines) or the value of assets that constitute their liquidity buffers and, where appropriate, incorporate these impacts into the calibration of their liquidity buffers or their liquidity risk management framework. 72. In addition, with regard to environmental risks, institutions should consider how these risks could affect the availability and/or stability of their funding sources and take them into ac￾count in their management of funding risk. To this end, institutions should consider different time horizons and both normal and adverse conditions, which should reflect among others the potential impacts of environmental risks on reputational risks, a situation of hampered or more expensive access to market funding and/or accelerated deposit withdrawals. 5.6.4 Operational and reputational risks 73. With respect to operational risk, institutions should consider how ESG risks could affect the different regulatory operational risk event types referred to in Article 324 of Regulation (EU) No 575/2013 and their ability to continue providing critical operations and should incorporate material ESG risks in their operational risk management framework. 74. With regard to environmental risks, institutions should: a) identify and label losses related to environmental risksin their operational losses reg￾isters, in line with the risk taxonomy and methodology to classify the loss events set out by the regulatory technical standards adopted by the Commission pursuant to Article 317(9) of Regulation (EU) No 575/2013; b) develop processes to assess and manage the likelihood and impact of environment￾related litigation risks; c) use scenario analysisto determine how physical risk drivers can impact their business continuity; and d) take material environmental risks into account when developing business continuity plans. 75. With respect to reputational risks, institutions should consider and manage the impact of ESG risks on their reputation, including by considering potential risks associated with lending to and investing in businesses which may be prone to ESG-related controversies, such as viola￾tions of social or human rights. Institutions should also consider, where applicable, the repu￾tational risks associated with the failure to deliver on their sustainability commitments or transition plans, or with the (perceived) lack of credibility of such commitments and plans.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 34 76. As part of their management of conduct, litigation and reputational risks, institutions should have in place sound processes to identify, prevent and manage risks resulting from green￾washing or perceived greenwashing practices taking into account the ESAs high-level princi￾ples set out in Section 2.1 of the EBA Final Report on greenwashing monitoring and supervi￾sion16 . To this end, institutions should take all necessary steps to ensure that sustainability￾related communication is fair, clear, and not misleading, and that sustainability claims are accurate, substantiated, up to date, provide a fair representation of the institution’s overall profile or the profile of the product, and are presented in an understandable manner. That should be done at both the institution level (e.g. in relation to sustainability commitments including forward-looking targets) and the product or activity level (e.g. in relation to products and activities marketed as sustainable), including by monitoring legal developments, market practices, and controversies around alleged greenwashing practices. 5.6.5 Concentration risk 77. With respect to concentration risk, institutions should consider and manage the risks posed by concentrations of exposures or collateral in single counterparties, interdependent coun￾terparties or in certain industries, economic sectors, or geographic regions which may present a higher degree of vulnerability to ESG risks. To identify ESG-related concentration risks, insti￾tutions should consider the size and/or shares of their exposures that may be affected by ESG risks relative to total exposures and as a proportion of Tier 1 capital. Institutions should take into account several ESG factors amongst which GHG emissions, sectoral characteristics, vul￾nerability of geographical areas to physical risks, and social or governance deficiencies or con￾troversies identified in jurisdictions where exposures or collateral are located, as well as the availability of risk mitigating factors. Institutions should assess if and how ESG-related con￾centration risk aggravates the prior financial vulnerability of exposures. 5.7 Monitoring 78. Institutions should monitor ESG risks through effective internal reporting frameworks that convey appropriate information and aggregated data to senior management and the man￾agement body, such as by integrating ESG risks into regular risk reports or in the form of dash￾boards containing metrics that support an effective oversight. 79. Institutions should monitor ESG risks on a continuous basis and ensure that they maintain an institution-wide view, adequately covering the nature, size and complexity of their activities, as well as, for the most significant portfolios determined on the basis of the materiality as￾sessment, a portfolio view of their vulnerability to ESG risks. Furthermore, institutions should implement granular and frequent monitoring of counterparties, exposures, and portfolios as￾sessed as materially exposed to ESG risks, including through incorporating considerations of ESG risks into the credit risk monitoring process of retail counterparties and into regular credit 16 EBA Final report on greenwashing monitoring and supervision (EBA/REP/2024/09)

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 35 reviews for medium-sized and large counterparties and/or by increasing the frequency and granularity of these reviews due to ESG risks. 80. Institutions should set early warning indicators and thresholds and should have in place pro￾cedures to escalate alerts, deviations and breaches and to take corrective and/or mitigation actions in case limits are exceeded, including through adaptations to business strategy and risk management tools. 81. Institutions should monitor a range of backward- and forward-looking ESG risk metrics and indicators. Large institutions should monitor at least the following indicators: a) Amount and share of exposures to, and income (interest, fee and commission) stem￾ming from, business relationships with counterparties operating in sectors that highly contribute to climate change in accordance with Recital 6 of Commission Delegated Regulation (EU) 2020/1818, i.e. the sectors listed in Sections A to H and Section L of Annex I to Regulation (EC) No 1893/2006. Institutions should use a sectoral differentiation that is as granular as possible. In par￾ticular, the degree of granularity should allow institutions to monitor the amount and share of exposures to, and income stemming from, relationships with specific coun￾terparties, such as fossil fuel sector entities and/or companies excluded from EU Paris-aligned benchmarks17 . b) Portfolio alignment metrics showing at a sectoral level the extent to which exposures and production capacities operated by clients are, or are projected to be, (mis-)aligned with a pathway consistent with the applicable climate legal and regula￾tory objective, such as reaching net-zero GHG emissions by 2050, based on alignment metrics relevant to the selected sectors and using methods described in Section 4.2.3 b). Institutions should complement these indicators with information related to the as￾sessment of potential financial risk impacts resulting from misalignments. c) Financed GHG emissions with a breakdown by scope 1, 2 and 3 emissions in absolute value and, where relevant, intensity relative to units of production or revenues, split by sectors, using a sectoral differentiation that is as granular as possible and at least for selected sectors determined on the basis of the materiality assessment. Institutions should complement these metrics with qualitative or quantitative infor￾mation and criteria supporting the interpretation of their evolution over time, includ￾ing e.g. a temporary increase due to the provision of transition finance to GHG-in￾tense counterparties, and identifying the underlying drivers of the changes in emis￾sions. 17 In accordance with Article 12(1), points (d) to (g), and Article 12(2) of Climate Benchmark Standards Regulation.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 36 Examples of methodologies or databases that may support institutions when compu￾ting these metrics include the Global GHG Accounting and Reporting Standard for the Financial Industry, developed by the Partnership for Carbon Accounting Financials, and the Carbon Disclosure Project. d) The level of progress achieved in the implementation of key financing strategies de￾termined by the institution to ensure its resilience to ESG risks and preparedness for the transition towards a more sustainable economy, e.g. by monitoring financial flows towards financial assets or counterparties that share a common set of characteristics relevant to the institution’s targets or risk appetite in relation to ESG risks. e) Client engagement metrics providing information about: i. the percentage of counterparties for which an assessment of ESG risks has been performed, also as regards their transition strategies and, where avail￾able, transition plans and their consistency with the institution’s objectives, specifying the scope of selected sectors, products and business lines covered by these assessments; ii. the results and outcomes of such engagement such as the positive (or any sub-classification within that category) or negative (or any sub-classification within that category) assessments of these counterparties’ adaptability and resilience to the transition to a sustainable economy, the alignment progress against the institution’s targets and objectives, and follow-up actions taken by the institution. f) A breakdown of portfolios secured by real estate according to the level of energy ef￾ficiency of the collateral. g) The ratio of financing of low-carbon energy supply technologies in relation to the fi￾nancing of fossil-fuel energy supply technologies. h) The ratio of environmentally sustainable exposures financing activities that contrib￾ute or enable the environmental objective of climate change mitigation referred to in Article 9 point (a) of Regulation (EU) 2020/85218 in relation to the GHG-intense expo￾sures. i) Levels of physical risk the institution is exposed to, and their impact on financial risks, by considering several scenarios and all hazards relevant to the institution’s activity, supplemented with information on the progress achieved in the implementation of risk mitigation measures. 18 Regulation (EU) 2020/852 of the European Parliament and of the Council of 18 June 2020 on the establishment of a framework to facilitate sustainable investment, and amending Regulation (EU) 2019/2088 (OJ L 198, 22/06/2020, p. 13).

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 37 j) Measures of concentration risk related to physical risk drivers (e.g. measurement of exposures and/or collateral in high flood risk, water-stressed or wildfire risk areas) and transition risk drivers (e.g. exposures to sectors with elevated transition risks), by using a sufficiently granular geographical split of exposures. k) Amount of historical losses related to ESG risks and, based on scenario-types meth￾ods, forward-looking estimate(s) of exposures-at-risk and potential future financial losses related to ESG risks. l) A measure of ESG-related reputational risk tracking how regulation, communication, commitments or public controversies regarding current and future business-related activities impact directly or indirectly the institution, by considering interactions with operational risk and strategic and business model risks, such as loss of business opportunities or strategic partnerships. m) Any ESG-related litigation claims in which the institution has been, is or may become involved in, based on available information. n) The status of ESG risk-related capacity building, such as the percentage of staff who have received specific training. o) Metrics related to non-climate related factors such as portfolio-level dependencies and impacts on ecosystem services, or exposures to counterparties with material de￾pendencies or negative impacts on biodiversity, taking into account both sectoral and geographical location information. p) Progress against all of the institution’s targets set in relation to ESG risks and ESG objectives, including as part of the institution’s plan as referred to in Section 6 or as part of other sustainability commitments made by the institution. 82. SNCIs and other non-large institutions should monitor a range of indicators included under paragraph 81, selected on the basis of the results of their materiality assessment, and should take steps to expand the list of monitored indicators over time. 83. Institutions should have clear and well-documented methodologies pertaining to their moni￾toring metrics and indicators. When data needed to compute metrics is initially missing, insti￾tutions should follow the steps set out in paragraphs 26, 27 and 29.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 38 6. Plans in accordance with Article 76(2) of Directive 2013/36/EU 6.1 Overarching principles 84. Plans developed in accordance with Article 76(2) of Directive 2013/36/EU are a product of the transition planning process outlined in Section 6.3 and should be based on a forward-looking business environment analysis and a comprehensive strategic planning process within insti￾tutions. They should provide an overview of the strategic actions and risk management tools deployed by institutions to demonstrate how they ensure their robustness towards ESG risks and preparedness for the transition towards a climate and environmentally resilient and more sustainable economy. 85. Institutions should ensure that their plans address forward-looking ESG risk management aspects while being consistent with other applicable requirements including those relating to due diligence, sustainability reporting, and strategic actions to ensure the compatibility of business models with the transition to a sustainable economy. In particular, plans should include objectives, actions and targets with regard to the business model and strategy of the institution that are consistent with the plans disclosed pursuant to Article 19a or Article 29a of the Directive 2013/34/EU, where applicable, and with ESG-related objectives or commitments that institutions are required to meet by law or regulation, as well as those they have voluntarily set. Where institutions disclose plans in accordance with Article 19a paragraph 2 (a) (iii) or Article 29a paragraph 2 (a) (iii) of the Directive 2013/34/EU, they should consider reusing the already available relevant information as a first step. 86. Institutions should ensure that their plans and targets are well integrated into their business strategies and that they are aligned and consistent with their risk and funding strategies, risk appetite, ICAAP and risk management framework as set out in Section 5. The extensiveness of the governance arrangements, transition planning process, and the degree of sophistication of objectives, targets and metrics of the plans should reflect the nature, size and complexity of institutions’ activity and their materiality assessment of ESG risks. 87. In view of the institutions’ obligation to ensure that arrangements, processes and mecha￾nisms related to their plans are consistent and well-integrated, including in their subsidiaries established outside of the Union, and the obligation of those subsidiaries to be able to pro￾duce data and information relevant to the purpose of supervising consolidated plans in ac￾cordance with Article 109(2) of Directive 2013/36/EU, parent institutions should take into ac￾count ESG risks to which subsidiaries established outside of the Union are materially exposed when elaborating and implementing the consolidated plan, by having regard to applicable local legislation and ESG regulatory objectives, and should be able to demonstrate a well￾informed consolidated approach.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 39 6.2 Governance 6.2.1 Roles and responsibilities 88. Institutions should clearly identify and allocate responsibilities for the development, validation, implementation and monitoring of the plans. When assigning roles and responsibilities at the appropriate level of seniority, institutions should take into account the interrelation and influence that the transition planning process should have on other processes such as the broader business strategy and risk appetite. 89. The management body should be responsible for the approval of the plans and should oversee their implementation, including being regularly informed of relevant developments and progress achieved in relation to the institution’s targets and taking decisions on remedial actions in case of significant deviations. 90. For the purposes of integrating ESG risks across the three lines of defence in line with Section 5.4: a) the first line of defence should be responsible for establishing a dialogue with counterparties about their own transition strategies and assessing consistency with the institution’s objectives and risk appetite, based on clear engagement policies as set out in paragraph 109 e(i). To this end, institutions should ensure that relevant staff possess sufficient expertise and capabilities to assess the extent to which the transition strategies of counterparties, including their transition plans where available, will enhance their resilience to ESG risks and align with the institution’s targets; b) the risk management function should ensure that the risk limits set in the risk appetite statement as part of the risk management framework are consistent with all aspects of the institution’s plan, including sectoral policies; c) the IAF should review the institution’s plan as part of the risk management framework and assess whether it complies with legal and regulatory requirements and whether it is consistent with the risk strategy and risk appetite of the institution as regards ESG risks. To this end, the IAF should consider whether the plan allows the institution to detect and address changes in itsrisk profile, how the institution addresses deviations from its targets, and whether the underlying assumptions, methodologies and criteria have been selected and used with integrity. 6.2.2 Internal processes and capacity 91. Institutions should ensure meaningful and regular interaction and exchanges at all levels of the organisation to ensure that insights and feedback from internal stakeholders can be taken into account in the process of formulating, implementing and reviewing the plans. To this end,

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 40 institutions should at least involve units, departments and functions responsible for strategic planning, risk management, sustainability disclosures, legal services and compliance in the elaboration of the plans, and should assess which additional units, departments and functions should be involved. 92. In line with Section 5.4, institutions should ensure they possess sufficient capacity, expertise and resources to develop and implement their transition planning process as well as to regularly assess the robustness of their plans and monitor their implementation. Institutions should map existing gaps in skills and expertise and take remedial actions where necessary. 6.2.3 Data management 93. Institutions should have in place sound governance processes to collect, validate and aggregate the data that are needed to inform their transition planning efforts and monitor their implementation, including by using available public information and counterparties’ transition plans as set out in Section 4.2.2. 6.3 Transition planning 6.3.1 Scenarios and pathways 94. Institutions should understand their sensitivity to ESG risks, in particular environmental transition and physical risks, under different scenarios, including those implying higher levels of physical risk or a disorderly transition. Institutions should understand how different scenarios may affect their transition planning efforts. 95. For the purposes of monitoring and addressing the specific environmental risks that may stem from the process of adjustment towards the climate-related and environmental regulatory objectives of the jurisdictions in which they operate, institutions should carefully select scenarios by taking all the following steps: a) assess the potential implications of EU, Member States and, where relevant, third countries’ objectives for transition pathways, at least for selected sectors determined on the basis of the materiality assessment. In this process, institutions should take into account the likely pathways originated from the European Green Deal, the EU Climate Law, and the latest reports and measures prescribed by the European Scientific Advisory Board on Climate Change; b) consider science-based and up-to-date scenarios originating from national, EU or international organisations as referred to in paragraph 38; c) take into account voluntary or regulatory-mandated objectives or commitments of the institution with respect to climate change mitigation and adaptation.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 41 96. The geographical reference and granularity, such as in terms of regional breakdowns, of the scenarios and pathways used by institutions should be relevant to their business model and exposures. 97. The range and complexity of the scenarios used by institutions should be proportionate to their size and complexity. SNCIs and other non-large institutions may rely on a simplified set of main parameters and assumptions, included risks, time horizons considered, and regional breakdown of impacts. Large institutions should benchmark their plans (including final and intermediary targets) against a scenario compatible with the limiting of global warming to 1.5°C in line with the Paris Agreement and with the objective of achieving climate neutrality by 2050 as established by the EU Climate Law. 98. Institutions should ensure that scenarios and pathways used as part of their plans are consistent across the organisation and time horizons considered, such as when building business strategies and setting targets for the short, medium and long term. Institutions should document the process for scenario selection, and the reasons for any change or different usage. Decisions to use different scenarios for different purposes as well as decisions to modify scenarios should be clearly justified. 6.3.2 Time horizons and milestones 99. Institutions should establish a set of different time horizons as part of their plans which should include the short term, medium term and a long-term planning horizon of at least 10 years. The arrangements developed to monitor and address ESG risks across time horizons should take into account the principles outlined in paragraph 19. 100. Institutions should set milestones at regular time intervalsto monitor and address ESG risks that stem from the short-, medium- and long-term regulatory objectives of the jurisdictions in which they operate. This includes the objectives of the EU to reduce GHG emissions by 55% by 2030 compared to 1990 level and achieve net-zero emissions by 2050, other intermediate climate targets set by EU or, where applicable, national legislation, as well as objectives related to other environmental factors such as nature restoration19 or deforestation20 . 101. Institutions should ensure that short-, medium- and long-term objectives and targets interact and are well-articulated. This includes ensuring that long-term objectives, such as commitments to achieve net-zero GHG emissions, translate into medium-term strategies (e.g. medium-term sectoral policies or growth targets for business lines) and that short-term financial metrics or targets (e.g. profitability indicators, cost of risk, KPIs, KRIs, risk limits, pricing frameworks) are coherent and consistent with the medium-term and long-term objectives. 19 Regulation (EU) 2024/1991 of the European Parliament and of the Council of 24 June 2024 on nature restoration and amending Regulation (EU) 2022/869 (OJ L, 2024/1991, 29.7.2024). 20 Regulation (EU) 2023/1115 of the European Parliament and of the Council of 31 May 2023 on the making available on the Union market and the export from the Union of certain commodities and products associated with deforestation and forest degradation and repealing Regulation (EU) No 995/2010 (OJ L 150, 09/06/2023, p. 20).

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 42 6.3.3 Materiality assessment basis 102. The transition planning process of institutions should aim at managing material ESG risks, in particular environmental transition and physical risks identified on the basis of a robust, regularly updated materiality assessment of ESG risks conducted in accordance with Section 4.1. Institutions should set out dedicated actions to monitor and address material ESG risks stemming from exposures, portfolios, and the economic activities and production capacities being financed, which may be particularly vulnerable to the process of adjustment of the economy towards the applicable legal and regulatory objectives related to ESG factors. 6.3.4 Metrics 103. Institutions should use a range of metrics including forward-looking metrics to support target-setting and drive and monitor the implementation of their plans. 104. For the purposes of setting targets, institutions should use a set of metrics and indicators considering the ones included in paragraph 81. Institutions should determine, taking into account their business strategies and risk appetite, which other risk-based and forward￾looking metrics and targets they will include in their plans with a view to monitoring and addressing ESG risks. This includes assessing, computing, and using metrics to evaluate the financial implications of transition planning for institutions’ business and risk profile over the short, medium, and long term, including by measuring the impact of transition planning on financial performance, revenue sources, profitability, and risk level of portfolios. 105. When data needed to compute metrics and support the setting of targets is missing, institutions should follow the steps outlined in paragraphs 26, 27 and 29. 106. SNCIs and other non-large institutions may rely on a smaller range of indicators for the use of metrics and setting of targets and formulate to a higher extent qualitative objectives. 107. Whilst institutions should at least use a combination of metrics related to climate-related risks, they should take steps to progressively include metrics that support risk assessment and strategic steering related to institutions’ exposure to, and management of, environmental risks other than climate-related, e.g. risks stemming from the degradation of ecosystems and biodiversity loss and their potential reflective influence with climate-related risks, as well as social and governance risks. 6.4 Key contents of the plans 108. Institutions should document their plans including their methodologies, assumptions, cri￾teria, targets and actions planned to reach targets, along with performed and scheduled revi￾sions. Institutions should specify the scope of risks captured by each part of the plan, e.g. whether it applies to environmental, social or governance risks, and should ensure that all aspects of the plan address at least environmental risks.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 43 109. Large institutions should ensure that their plans include at least the following aspects: a. Strategic objectives and roadmap of the plans: i. high-level overarching strategic objective to address ESG risks in the short, medium and long term, in line with overall business strategy and risk appetite; ii. comprehensive set of long-term goals with intermediate milestones to ensure resilience of the business model towards ESG risks, including consistency of business structure and revenues with such milestones; iii. key assumptions, inputs and background information relevant to the understanding of institutions’ objectives and targets, including selection of central or reference scenario(s) and institutions’ conclusions stemming from the outcomes of materiality assessments of ESG risks, portfolio alignment assessments and other scenario analyses; b. Targets and metrics: i. quantitative targets set to address ESG risks, including those stemming from the process of adjustment towards the legal and regulatory sustainability objectives of the jurisdictions where the institution operates and broader transition trends towards a sustainable economy, and metrics used to monitor ESG risks and the progress in achieving the targets; ii. portfolios, sectors, asset classes, business lines and, where applicable, economic activities (i.e. individual technologies) covered by targets and monitoring metrics, ensuring that the scope of targets and metrics sufficiently reflects the nature, size and complexity of institution’s activity and its materiality assessment of ESG risks; iii. time horizons over which targets and metrics apply; c. Governance: i. governance structure for the plans including roles and responsibilities for the formulation, validation, implementation, monitoring and updating of the plan, including escalation steps in case of deviation from targets; ii. capacity and resource-related actions to ensure appropriate knowledge, skills and expertise for effective implementation of the plan, including ESG risk-related trainings and internal culture;

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 44 iii. remuneration policies and practices to promote sound management of ESG risks in line with the institution’s objectives and risk appetite; iv. data and systems used for the transition planning process; d. Implementation strategy: i. overview of short-, medium-, and long-term actions taken or planned in core banking activities and processes to achieve the plan’s targets, including how the institution embeds the plan’s objectives into its decision￾making process and its regular risk management framework, complemented by information on the observed effectiveness or estimated contribution of each action to the relevant target(s); ii. adaptations to policies and procedures on financial risk categories and to lending and investment policies and conditions on key economic activities, sectors and locations; iii. changes introduced to the mix and pricing of services and products to support the implementation of the plan; iv. investments and strategic portfolio allocation supporting the institution’s business strategy and risk appetite in relation to ESG risks, including information on sustainability-related and transition-related products and services, and how any changes in strategic financing choices are accompanied by commensurate risk management procedures; e. Engagement strategy: i. policies for engaging with counterparties, including information on the frequency, scope and objectives of engagement, types of potential actions and escalation processes or criteria; ii. processes, methodologies and metrics used for collecting and assessing information related to counterparties’ exposure to ESG risks and alignment towards the institution’s objectives and risk appetite; iii. outcomes of engagement practices, including an overview of counterparties’ adaptability and resilience to the transition towards a more sustainable economy. 110. SNCIs and other non-large institutions should include in their plans at least the aspects covered in points a(i)-(ii), b(i)-(ii), c(i), d(i)-(ii) and e(i)-(ii) of paragraph 109. 111. Institutions should consider using the Annex as a supporting tool to develop and formalise their plans.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 45 6.5 Monitoring, review, and update of the plans 112. Institutions should monitor the implementation of their plans using monitoring processes and metrics in line with Section 5.7 and Section 6.3.4. Institutions should perform regular projections to assess their ability to achieve their targets. 113. The monitoring framework should allow the management body to simultaneously track how ESG risk monitoring metrics evolve and the progress achieved towards the plan’s milestones, with a clear and detailed rationale behind missed targets or objectives, and evaluations of the potential impact on different types of financial risks for different time horizons. 114. Institutions should regularly, and at least every time they update their business strategy in accordance with Article 76(1) of Directive 2013/36/EU, review and, where needed, update their plans, taking into account updated information such as new materiality assessments of ESG risks, developments in their portfolios and counterparties’ activities, new available scenarios, benchmarks or sectoral pathways, and impacts of current or upcoming regulation.

Annex This Annex provides a supporting tool for institutions for the development of plans required under Article 76(2) of Directive 2013/36/EU as further specified by Section 6 of these guidelines. It does not introduce additional requirements but provides for each key content required by the guidelines some examples, references and potential metrics that institutions may consider as they structure and formalise their plans. Institutions may adapt the format of this common approach provided they ensure that all required key contents are included in their plans. In line with the need for consistency with other applicable requirements as per section 6.1 and in particular paragraph 85, institutions should ensure consistency of information used to comply with the guidelines with information disclosed in accordance with Directive 2013/34/EU and Commission Delegated Regulation (EU) 2023/2772. .6.4 Key contents of plans Key words or elements of the required key content Examples of qualitative and quantitative out￾puts and their potential supporting metrics References to other EU frameworks Clarifications and reference to the Guidelines Potential Output (Qualitative) Potential Output (Quantitative) Pillar 3 CSRD / ESRS How to read this tool? Direct extract from section 6.4, paragraph 109 of the Guidelines Key words or sub-ele￾ment Clarifying guidance with reference to the relevant section(s) or paragraph(s) of the Guidelines Qualitative description of potential output re￾lated to this Guide￾lines' requirement:

• With examples or ‘do not forgets’,
• For example, narra￾tives characteristics. All examples are for il￾lustration only. Quantitative description of potential output re￾lated to this Guidelines' requirement:
• With examples or ‘warnings’ in using met￾rics and targets,
• For example, recalling the different angles a KPI could cover. All examples of KPIs / KRIs are for illustration only. Links towards Pillar 3 and ESRS requirements that institutions, where applicable, should con￾sider to ensure consistency and interconnections and rely to the extent possible on materially identical or significantly compa￾rable relevant information. References to Pillar 3 and ESRS may need to be updated to re￾flect future regulatory develop￾ments. Key words or sub-ele￾ment Clarifying guidance with reference to the relevant section(s) or paragraph(s) of the Guidelines

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 47 6.4 Key contents of plans Key words or elements of the required key content Examples of qualitative and quantitative out￾puts and their potential supporting metrics References to other EU frameworks Clarifications and reference to the Guide￾lines Potential Output (Qual￾itative) Potential Output (Quantitative) Pillar 3 CSRD / ESRS a. Strategic objectives and roadmap of the plan i. High-level overarching stra￾tegic objective to address ESG risks in the short, medium and long term, in line with overall business strategy and risk appe￾tite. Overarching objective: This pertains to the overarch￾ing strategic objective institu￾tions seek to accomplish con￾cerning ESG risks, in line with the incorporation of ESG risks in business and risk strategies and risk appetite in accord￾ance with section 5.2 and sec￾tion 5.3.

Qualitative description

of strategies to ensure the compatibility of business models with the transition to a climate-neutral and sustainable economy, par￾ticularly when subject to CSDDD and/or CSRD re￾quirements, and how these strategies affect the direction and priorities for ESG risk management ini￾tiatives

High-level approaches

to manage ESG risks iden￾tified as most material given the institution's scope of activities and ma￾teriality assessment

Overarching objec￾tives could be linked to

selected KPI or KRI tar￾gets

Cross-reference to

other parts of the plan may be considered e.g. towards part a(ii) or part b Qualitative: Table 1 (a) (b) Table 2 (a) (b) Table 3 (c) (d) ESRS-E1-1 ESRS 2 - BP1 ESRS-E1-MDR-P ESRS-E1-2 Short, me￾dium and long term: This pertains to how the stra￾tegic objective applies across the different time horizons considered in accordance with section 6.3.2. ii. Comprehensive set of long￾term goals with intermediate milestones to ensure resilience of the business model towards ESG risks, including consistency of business structure and reve￾nues with such milestones. Long term goals: Long term goals that support the realisation of the over￾arching objective over a time horizon of at least 10 years in accordance with the CRD and paragraph 99 of the Guide￾lines.

Long-term goals to ad￾dress risks stemming from

the EU objective to achieve net-zero GHG emissions by 2050, with intermediate milestone in 2030 considering the EU

Financial exposure to

different economic sectors

Portfolio alignment

metrics

Profitability metrics:

Qualitative: Table 1 (b) (j) Table 2 (b) (k) (l) Table 3 (c) (d) ESRS-E1-1 GHG reduction targets: ESRS￾E1-4

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 48 Intermediate milestones: Intermediate milestones measuring progress towards long-term goals, in accordance with paragraph 100 of the Guidelines. objective to reduce emis￾sions by 55% compared to the 1990 level

Long-term goals and in￾termediate milestones to

address risks stemming from EU objectives re￾lated to deforestation or nature restoration

How the institution en￾sures that its business

structure and revenue streams are aligned with its long-term goals and in￾termediate milestones return and risk ad￾justed return indica￾tors across relevant breakdowns (e.g. sec￾tors, portfolios, prod￾ucts...)

Business strategy

metrics: forward look￾ing KPIs describing the institution's strategy in terms of pricing, capi￾tal, liquidity, balance sheet allocation

Percentage of ESG

milestones achieved on time Quantita￾tive: Template 1 Template 3 Consistency of business structure and revenues with milestones: How the institution will ensure its ability to generate ade￾quate profitability along the path. iii. Key assumptions, inputs and background information rel￾evant to the understanding of in￾stitutions’ objectives and tar￾gets, including selection of cen￾tral or reference scenario(s) and institutions’ conclusions stem￾ming from the outcomes of ma￾teriality assessments of ESG risks, portfolio alignment assess￾ments and other scenario anal￾yses. Key assump￾tions and se￾lection of ref￾erence sce￾nario(s): This pertains to the documen￾tation of key methodological criteria and assumptions in ac￾cordance with paragraph 108, including reference scenario(s) selected by the institution in line with section 6.3.1.

Identification of and jus￾tification for scenario(s)

selected e.g. from na￾tional environmental agencies, Joint Research Center of the EU Commis￾sion, IEA, NGFS, IPCC

Qualitative description

of material environmental transition and physical risks faced by the institu￾tion

Degree of alignment

or misalignment com￾pared to climate-re￾lated pathways and/or benchmark scenarios for selected sectors and/or counterparties

Quantitative

measures of environ￾mental risk impacts on financial risk categories

Quantitative out￾comes of the material￾ity assessment of ESG

risks Qualitative: Table 1 (j) (k) (l) Table 2 (h) (i) (j) Table 3 (d) Quantita￾tive: Template 3 ESRS-E1-SBM3 ESRS-E1-IRO ESRS-E1-9 Outcomes of materiality as￾sessment, portfolio alignment as￾sessments and scenario anal￾yses: Key findings and conclusions from materiality assessment, portfolio alignment methods and scenario analyses, con￾ducted in accordance with sec￾tion 4.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 49 b. Targets and metrics i. Quantitative targets set to address ESG risks, including those stemming from the pro￾cess of adjustment towards the legal and regulatory sustainabil￾ity objectives of the jurisdictions where the institution operates and broader transition trends to￾wards a sustainable economy, and metrics used to monitor ESG risks and the progress in achiev￾ing the targets. Targets to ad￾dress ESG risks and monitor￾ing metrics: This pertains to the metrics and targets used by institu￾tions in accordance with sec￾tion 5.7 and section 6.3.4. N/A

Exposures towards

high-risk sectors or counterparties

Portfolio alignment

metrics and targets

Financed emissions

across relevant break￾downs

Progress achieved in

key financing strate￾gies

Real estate portfolios

with certain level of en￾ergy efficiency

Energy supply bank￾ing ratio

Level of physical risk

the institution is ex￾posed to

Information on the

riskiness of the portfo￾lio across relevant breakdowns (e.g. non￾performing exposures) Qualitative: Table 1 (b) (c) Table 2 (b) Quantita￾tive: All tem￾plates ESRS-E1-1 GHG reduction targets: ESRS￾E1-4 Risks stem￾ming from the process of ad￾justment to￾wards regula￾tory sustaina￾bility objec￾tives: This pertains to the specific metrics and targets to monitor and address ESG risks arising from the transition and pro￾cess of adjustment to the rele￾vant regulatory objectives, such as those included in the EU climate law in accordance with Article 76(2) CRD

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 50 ii. Portfolios, sectors, asset classes, business lines and where applicable economic activities (i.e. individual technologies) cov￾ered by targets and monitoring metrics, ensuring that the scope of targets and metrics suffi￾ciently reflects the nature, size and complexity of institution’s activity and its ESG risks materi￾ality assessment. Scope of cov￾erage: This pertains to information related to the scope of targets and metrics and its signifi￾cance from both a risk and fi￾nancial perspective.

For each target, what

are the activities, asset classes, sectors and busi￾ness lines covered

Institution-level targets

broken down into more specific sectoral targets

Targets applied to spe￾cific portfolios, exposures,

groups of assets or invest￾ments that share similar characteristics or risks

Specific, actionable tar￾gets for particular pro￾jects, technologies, or

business activities

On- and off-balance

sheet activities captured

Exclusion in coverage

and planned coverage

Percentage of identi￾fied ESG risks that are

actively monitored and managed

Percentage of busi￾ness units with ESG

risk-related targets in￾tegrated into their op￾erational plans

Percentage of opera￾tions in different re￾gions that have ESG

risk-related targets and initiatives in place

Percentage of sectors

that have developed specific action plans aligned with group￾level ESG risks targets.

Achievement of sec￾toral targets

Qualitative: Table 1 (b) (c) (j) Table 2 (h) (i) Quantita￾tive: All tem￾plates ESRS-E1-1 ESRS 2 - MDR-T Current reve￾nues by sectors: ESRS 2 - SBM -1 GHG reduction targets: ESRS￾E1-4 iii. Time horizons over which targets and metrics apply. Time horizons: This pertains to the short, me￾dium or long-term time hori￾zons with which metrics and targets are associated in line with section 6.3.2.

Qualitative description

of the set of targets and metrics applied for the short, medium and long term

Justification of short￾term increases in metrics

and targets, if applicable

Evolution e.g. in￾crease/decrease in the

level of target(s) to be achieved across differ￾ent time horizons ESRS-E1.IRO￾1_10_ AR 12a ESRS-E4-1_04 13d

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 51 c. Governance i. Governance structure for the plans including roles and re￾sponsibilities for the formula￾tion, validation, implementation, monitoring and updating of the plan, including escalation steps in case of deviation from targets. Governance structure: The governance structure for the plan in accordance with section 6.2.1, section 6.2.2. and section 6.5.

Roles and responsibili￾ties of the management

body, any sub-committee and three lines of defence

Escalation protocol that

defines the process for ad￾dressing deviations, in￾cluding who should be no￾tified and the steps to be taken.

Frequency of board

meetings dedicated to the plan

Delays in approval of

the plan

Number of internal

audits conducted on the plan

Percentage of audit

recommendations im￾plemented

Number of escala￾tions processed and/or

unresolved escalations Qualitative: Table 1 (e) (g) (h) (q) Table 2 (d) (f) Table 3 (a) ESRS 2 GOV-1 _AR 4 Deviation and escalation procedure: Governance arrangements for decision-taking on remedial actions in case of significant deviations in line with para￾graphs 80 and 89. ii. Capacity and resources-re￾lated actions to ensure appropri￾ate knowledge, skills and exper￾tise for effective implementation of the plan, including ESG risk￾related trainings and internal culture. Capacity and resources: The capacity and resources re￾lated actions for the effective execution of the plan, based on an initial assessment by the institution of the potential gaps and needs as regards in￾ternal culture and capabilities for ESG risks in line with sec￾tion 5.4.

Training and develop￾ment programs for ESG

risks

Hiring and recruitment

plans

Knowledge sharing and

collaboration platforms

Leadership commitment

ESG risks-related

training completion rate

Identified gaps in ESG

risk-related skills and knowledge

Frequency and qual￾ity of internal commu￾nications regarding

ESG risk-related objec￾tives and progress Qualitative: Table 1 (f) (m) ESRS 2-GOV-1 - para 23 ESRS G1 GOV-1

• para 5b iii. Remuneration policies and practices to promote sound management of ESG risks in line with the institution’s objectives and risk appetite. Remuneration policies and practices: This pertains to how the insti￾tution takes into account its risk appetite in relation to ESG risks as part of its remunera￾tion policies and practices in line with Article 74(1)e of CRD.

Qualitative description

of how remuneration pol￾icies and practices have been, are or will be ad￾justed to align with the overarching strategic ob￾jective to address ESG

Metrics used to em￾bed the risk appetite

related to ESG risks in remuneration policies

Proportion of staff

with ESG risk-related metrics included in re￾muneration Qualitative: Table 1 (i) Table 2 (g) Table 3 (a) ESRS 2-GOV-2 - para 29 ESRS-E1-GOV-3

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 52 risks and with the risk ap￾petite

Weighting of ESG-risk

related metrics in the overall remuneration iii. Data and systems used for the transition planning process Data and sys￾tems: This pertains to the data and systems used for the formula￾tion, implementation and monitoring of plans in accord￾ance with section 4.2.2 and paragraph 93.

Data inventory with an

identification of all rele￾vant ESG risk data points and assessment of their availability and quality

Policies and procedures

to ensure data quality

Percentage of rele￾vant data points col￾lected and available

Percentage of sys￾tems and processes

that integrate ESG data Qualitative: Table 1 (p) ESRS 1 Appen￾dix B ESRS 2 AR 2 ESRS 2 SBM￾1_42a ESRS-E2-4_30c ESRS-S1-6_50d ESRS-S1-7_55b d. Implementation strategy i. Overview of short-, me￾dium-, and long-term actions taken or planned in core banking activities and processes to achieve the plan’s targets, in￾cluding how the institution em￾beds the plan’s objectives into its decision-making process and its regular risk management framework, complemented by information on the observed ef￾fectiveness or estimated contri￾bution of each action to the rele￾vant target(s). Actions taken or planned in core banking activities: This pertains to how the insti￾tution will implement its ob￾jectives and targets through its core activity.

Implementation of new

tools for assessing ESG risks in current portfolios

Integration of ESG risk￾related objectives into the

medium and long-term strategic planning and de￾cision-making processes

Incorporating ESG risks

into the risk management framework

Percentage of activi￾ties affected by imple￾mentation actions

Percentage of busi￾ness decisions that aim

at implementing the plan's targets

Adoption rate of ESG

risk management tools Qualitative: Table 1 (n) Table 2 (a) Table 3 (c) Key actions: ERSR-E1-1_16b ESRS-E1 MDR-A ESRS 2 MDR-A ESRS-E1-2 ESRS-E1-3

ESRS-E2-E5 ESRS-S1-S4 ESRS-G1 MDR-A ESRS-E3 MDR-A ESRS-E4 MDR-A ESRS-E5 MDR-A Changes to the regular risk manage￾ment frame￾work: This pertains to how the insti￾tution will embed its targets into the mix of existing risk management tools (e.g. ICAAP, ILAAP, RAS, risk limits, capital/portfolio allocation, budgeting process, strategic plan, funding plan, etc), in line with section 5.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 53 ii. Adaptations to policies and procedures on financial risk cate￾gories and to lending and invest￾ment policies and conditions on key economic activities, sectors and locations. Policies and conditions on activities, sec￾tors, loca￾tions: Policies and the conditions that govern them, including updates to existing policies and newly created policies, in line with paragraph 46(b-c).

A list of current policies

and original ESG risk sta￾tus

A roadmap detailing

which policies & condi￾tions, and their scope, will be updated or created, how, when and by whom

For each policy, the fol￾lowing aspects may be in￾cluded:

. Goal: how it reflects the strategic objective, risk strategy and supports the implementation of the plan . Scope: precise iteration of business, location, sec￾tor etc that are governed and impacted . Conditions: clear criteria ensuring ease of applica￾bility and tracking . Exclusions: any exclu￾sions in line with risk ap￾petite

Policy adoption rate,

e.g. percentage of branches or depart￾ments that have adopted new ESG risks policies

Number of times ESG

risk policies are re￾viewed and updated within a given period

Percentage of opera￾tions in compliance

with updated ESG risk policies

Outcomes of internal

and external audits fo￾cused on ESG risk man￾agement framework Qualitative: Table 1 (d) (o) Table 2 (c) (e) Table 3 (c) (d) ESRS-E1-1_16b ESRS-E1-2 ESRS-E1-3 Activities re￾lated to sites in/near biodi￾versity-sensitive areas: ESRS E4.IRO￾1_19a Policies and procedures on financial risk categories: This pertains to the adapta￾tions made to policies and pro￾cedures in accordance with section 5.6.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 54 iii. Changes introduced to the mix and pricing of services and products to support the imple￾mentation of the plan. Mix and pric￾ing of services and products: This pertains to how the insti￾tution will adapt its mix of ser￾vices and products and their pricing based on ESG risk-rele￾vant criteria and the institu￾tion’s risk strategy and inter￾nal capital policy, in line with paragraph 46b.

Risk-based pricing: ad￾justing pricing based on

the ESG risk profile of the borrower or project

Incentives for risk miti￾gation: offering incentives

for clients who implement effective ESG risk mitiga￾tion strategies

Frequency and extent

of pricing adjustments based on ESG risk pro￾files

Number of clients

taking advantage of in￾centive pricing Qualitative: Table 1 (r) Table 2 (j) Table 3 (d) Activities in￾compatible with transition: ESRS-E1.IRO-1 AR12 iv. Investments and strategic portfolio allocation supporting the institution’s business strat￾egy and risk appetite in relation to ESG risks, including infor￾mation on sustainability-related and transition-related products and services, and how any changes in strategic financing choices are accompanied by commensurate risk management procedures. Sustainability￾related and transition-re￾lated products and services: The types of financial instru￾ments (green and sustainabil￾ity-linked loans, bonds, mort￾gages, funds…) and advisory services offered or managed by the institution.

Strategy, policies and

criteria on green or transi￾tion or ESG-linked mort￾gages, loans and bonds

Growth in sustaina￾ble financing: year-to￾year growth in the vol￾ume and proportion of

sustainable financing

Default rate on green

or transition or ESG￾linked mortgages or loans Qualitative: Table 1 (m) (r) Table 2 (e) Quantita￾tive: Templates 06>10 ESRS-E1-3 ESRS-E4-1 AR 1 e Outcomes for affected com￾munities: ESRS-S3-4 AR 34 b Consistency of strategic fi￾nancing choices with risk manage￾ment proce￾dures: This pertains to how the insti￾tution will ensure, when it de￾cides to adapt its business mix and strategy, that those changes fit the risk manage￾ment arrangements to have in place in accordance with sec￾tion 5.

Diversification of lend￾ing and investments port￾folios based on ESG risk￾relevant criteria e.g. in

terms of economic sectors or geographical areas

Credit risk policies on

green loans and mort￾gages

How an institution that

finances renewable en￾ergy projects ensures that the projects comply with environmental regula￾tions to avoid legal and reputational risks

Proportion of new fi￾nanced projects that

undergo a comprehen￾sive ESG risk assess￾ment

Percentage of credit

decisions that explicitly consider ESG risks

Profit margins on

ESG-related products: comparison of profit margins between ESG￾related products and traditional products

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 55 e. Engagement strategy i. Policies for engaging with counterparties, including information on the frequency, scope and objectives of engage￾ment, types of potential actions and escalation processes or cri￾teria. Engagement policies: Clear policies that the institu￾tion will follow to engage identified counterparties to achieve its strategic and risk management objectives, tak￾ing into account outcomes of the materiality assessment and risk measurement meth￾ods, in line with paragraph 46a.

Purpose and overall ob￾jective e.g. understanding

of risk profile and/or checking consistency with risk appetite and targets

Available solutions to

counterparty

Escalation and valida￾tion process

The percentage of

counterparties with which dialogue has been pursued or is planned to be pursued

The percentage of

counterparties for which an assessment of ESG risks has been performed

Proportion of sectors,

products and business lines captured Qualitative: Table 1 (d) (o) Table 2 (c) Table 3 (b) (c) ESRS 2-SBM 2 ii. Processes, methodolo￾gies and metrics used for collect￾ing and assessing information re￾lated to counterparties’ expo￾sure to ESG risks and alignment towards the institution’s objec￾tives and risk appetite. Process, methods and metrics for as￾sessing ESG risks: This relates to the institution's application of exposure-based, sector-based, portfolio-based and portfolio alignment meth￾ods in line with section 4.2.3.

Due diligence screening

to identify high-risk coun￾terparties based on pre￾defined criteria

ESG risks reflected in in￾ternal or external scores

and/or ratings

Methods for measuring

alignment of select coun￾terparties against climate pathways

The percentage of

counterparties under￾going ESG risk due dili￾gence

Changes in the credit

ratings of counterpar￾ties given impact of ESG risks

Concentration of ex￾posures within specific

sectors subject to ele￾vated transition or physical risks

Involvement in ESG￾related controversies

or incidents Qualitative: Table 1 (k) (l) Table 2 (i) (k) ESRS-E1.IRO-1 ESRS-E4-1.AR￾1a

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 56 iii. Outcomes of engage￾ment practices, including an overview of counterparties’ adaptability and resilience to the transition towards a more sus￾tainable economy. Outcomes: This relates to the outcomes of engagement, allowing for a meaningful interpretation of the risk profile of the counter￾parties and actions taken by the institution, in line with paragraph 81e(ii).

Criteria used to identify

counterparties with signif￾icant ESG risks that may require immediate atten￾tion

Adjustment of credit

terms, such as interest rates or collateral require￾ments, based on ESG risk assessments

Enhanced due diligence,

e.g. implementing more rigorous due diligence processes for high-risk counterparties

(More) targeted engage￾ment, e.g. developing spe￾cific engagement plans to

address identified ESG risks, such as setting im￾provement targets or of￾fering new financial prod￾ucts that cater to the needs of counterparties

Positive (or any sub￾classification within

that category) or nega￾tive (or any sub-classifi￾cation within that cate￾gory) assessments of these counterparties’ resilience and align￾ment against the insti￾tution’s targets and risk appetite

Number and types of

follow-up actions taken by the institution Qualitative Table 1 (o) Table 2 (m) Table 3 (c) (d) ESRS-E1 ESRS 2 -SBM￾2_45a AR 16

7. Accompanying documents 7.1 Cost-benefit analysis / impact assessment
8. On 31 May 2024, the European Commission published the directive amending the Capital Re￾quirements Directive (from now on CRD VI). Article 87a of the CRD VI mandates the EBA to issue guidelines to specify minimum standards and reference methodologies for ESG risk manage￾ment practices. These guidelines provide the EBA answer to such mandate.
9. As per Article 16(2) of the ESAs regulation (Regulation (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010 of the European Parliament and of the Council), any guidelines devel￾oped by the ESAs shall be accompanied by an Impact Assessment (IA) annex which analyses ‘the potential related costs and benefits’ of the guidelines. Such annex shall provide the reader with an overview of the findings as regards the problem identification, the options identified to re￾move the problem and their potential impacts.
10. The EBA prepared the IA included in this section analysing the policy options considered when developing the guidelines. Given the nature of the study, the IA is qualitative in nature. A - Problem identification
11. Environmental, social and governance (ESG) factors are causing and are expected to increasingly lead to significant changes in the real economy that will in turn impact the financial sector through new risks and opportunities.
12. Since the adoption of the Paris Agreement on climate change and the UN 2030 agenda for Sus￾tainable Development in 2015, governments around the world are taking action to encourage the transition to low-carbon and more sustainable economies. In Europe in particular, the Euro￾pean Green Deal targets the ambitious objective of making Europe the first climate-neutral con￾tinent by 2050 and it is expected that the financial sector will play a key role in this process.
13. In this regard, the European Commission has launched a set of initiatives to enhance the resili￾ence and contribution of the financial sector. As a result, several efforts have been initiated to incorporate ESG risks into prudential supervision. These guidelines target the inclusion of ESG risks in institutions’ broader risk management frameworks. B - Policy objectives
14. The main objective of these guidelines is to answer the mandate set up in Article 87a of the CRD VI which requests the EBA to issue ESG risk management guidelines.
15. As a result, the general objective is to provide guidance on how institutions will incorporate ESG risks in their risk management processes including defining how ESG risks should be considered

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 58 when defining business and risk strategies, risk appetite levels and internal controls, risk moni￾toring, etc. 9. The specific objectives of the guidelines are defined in the CRD VI mandate which indicates that the guidelines should specify:

• the minimum standards and reference methodologies for the identification, measurement, management and monitoring of ESG risks;
• the content of plans to be prepared in accordance with Article 76(2) of the CRD, which shall include specific timelines and intermediate quantifiable targets and milestones, in order to monitor and address the financial risks stemming from ESG factors, including those arising from the process of adjustment and transition trends towards the relevant Member States and Union regulatory objectives, in particular the objective to achieve climate neutrality by 2050 as set out in Regulation (EU) 2021/1119, as well as, where relevant for internationally active institutions, third country legal and regulatory objectives;
• the qualitative and quantitative criteria for the assessment of the impact of ESG risks on the financial resilience and risk profile of institutions in the short, medium and long term. C - Baseline scenario

10. The current framework does not specify any guidelines about how institutions shall incorporate ESG risks in their internal risk management nor it defines how institutions shall define their plans to monitor and address ESG risks. As a result, institutions may follow different criteria to con￾sider ESG risks and incorporate them in their plans which would create divergencies in how banks account for those risks and pose difficulty for the work of supervisors to monitor and control that banks operate at adequate risks levels. D - Options considered 11.When drafting the present guidelines, the EBA considered several policy options under nine main areas:

1. Scope of the ESG risks covered by the guidelines Article 87a of the CRD VI mandates the EBA to issue guidelines on ESG risk management practices. The definition of risk management practices for environmental but also for governance and social risks is an ambitious target considering the less advanced data, methodological and regulatory developments in social and governance aspects. Therefore, while developing the current guidelines, the EBA has analysed three possible options: Option 1: To focus equally on the three aspects. Option 2: To focus on environmental aspects only. Option 3: To mainly focus on environmental aspects but give some guidance on social and government aspects.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 59 2) Frequency of the materiality assessment of ESG risks Institutions should regularly assess the potential effects of ESG risks on their business models and risk profile. Such assessment will provide the institution with a view on the financial materiality of ESG risks to which it is or may become exposed. The adequacy of regularity in which such assessment should be carried out will ensure that the materiality of ESG risks remains adequately measured. Therefore, while developing the current guidelines, the EBA has analysed three possible options: Option 1: Every year for all institutions. Option 2: Every two years for all institutions. Option 3: Every year for non-SNCIs and at least every two years for SNCIs. 3) Consideration of ESG risks in banks’ business models and strategies The needed transition towards a more sustainable economy will lead to new business opportunities but will also expose financial institutions to risks stemming from the transition. Therefore, while developing the current guidelines, the EBA has analysed if banks should consider ESG risks when defining their business models and strategy. In particular, the EBA has analysed two possible options: Option 1: ESG risks should be considered in banks’ business models and strategies considering different time horizons. Option 2: ESG risks may not be considered in banks’ business models and strategies. 4) Data processes To ensure an adequate identification and measurement of ESG risks, institutions should analyse enough information and data. Therefore, while developing the current guidelines, the EBA has analysed how banks’ data processes should be defined to incorporate ESG risks. In particular, the EBA has analysed three possible options: Option 1: Institutions may rely only on publicly available ESG data, aggregate it and exploit it to manage ESG risks. Option 2: Institutions should aggregate and exploit publicly available data but also collect additional ESG data when engaging with their clients and counterparties. Option 3: Institutions should gather and use the information needed to assess current and forward-looking ESG risks, building on available ESG data but also considering where needed collecting data from clients and counterparties or using third-party data, and using where needed for certain counterparties proxies or portfolio-level assessments. 5) Features of reference methodologies for the identification and measurement of ESG risks When defining their methodologies to identify and measure ESG risks, institutions should select one or more features of reference. Therefore, while developing the current guidelines,

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 60 the EBA has analysed two options regarding which are the most adequate features institutions should refer to: Option 1: Institutions should develop exposure-based, portfolio and sector-based, and scenario-based methodologies. Option 2: Institutions should develop methodologies based on at least one of the three elements included in option 1. 6) Materiality assessment Appropriate risk managements frameworks as well as CRD-based plans should be based on a robust materiality assessment of the ESG risks faced by institutions. Therefore, while developing the current guidelines, the EBA has analysed three possible options: Option 1: The materiality assessment of ESG risks should automatically define as material certain exposures based on their sector. Option 2: Institutions should have full flexibility when defining the materiality of ESG risks independently from the sector of the exposure. Option 3: Institutions should consider certain criteria, exposures and sectors in their assessments while remaining responsible for determining their materiality, substantiating and documenting their assessments. 7) Data and engagement with counterparties in relation to their transition plans To formulate and implement an adequate plan to monitor and address ESG risks, institutions need to have information about the risks they face in the transition process and engage clients. This includes using information about their counterparties and their own risks during the transition process. Therefore, while developing the current guidelines, the EBA has analysed three possible options regarding the engagement with counterparties: Option 1: Institutionsshould engage and request all counterparties to submit a transition plan as part of the due diligence phase. Option 2: Institution should engage and request large counterparties only to submit a transition plan as part of the due diligence phase. Option 3: Institution should consider collecting forward-looking plans of at least large corporate counterparties, including transition plans disclosed under CSRD, and should determine the scope of counterparties with whom to engage, taking into account outcomes of the materiality assessment and risk measurement methodologies. 8) Time horizons considered for banks’ plans Institutions need to consider several time horizons as part of their transition planning process. Therefore, while developing the current guidelines, the EBA has analysed four possible options: Option 1: To focus requirements on short-term time horizons. Option 2: To focus requirements on medium-term time horizons. Option 3: To focus requirements on long-term time horizons.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 61 Option 4: To consider several time horizons, including a long-term time horizon articulated with short- and medium-term strategies. 9) Plans’ targets Institutions should define targets as part of their plans. Therefore, while developing the current guidelines, the EBA has analysed four possible options: Option 1: To predefine the full list of metrics that institutions should target. Option 2: Not to predefine the list of metrics that institutions should target and allow institutions to define their own list of metrics. Option 3: To include a minimum set of metrics that institutions should target while seeking to complement them. Option 4: To require institutions to consider using some metrics included in the guidelines while complementing them. E - Assessment of the options and preferred option 12. In respect to the different options considered, the EBA has assessed their potential cost and benefits, and has selected a preferred option in the nine main areas considered:

1. Scope of the ESG risks covered by the guidelines ESG risks include environmental, social and governance factors. Article 87a of the CRD VI mandates the EBA to issue guidelines on management practices for the full scope of these risks. However, the EU and international regulatory developments for environmental risks are more advanced than for social and governance risks. Although it is important to continue the development of management practices for the full set of ESG factors, it is also important to allow enough time for institutions to introduce the necessary changes. Therefore, in order to reduce the burden for institutions and the time pressure to adapt to the new regulatory developments, it is considered that the guidelines should focus on environmental risks mainly, although introducing some high-level requirements to define the management practices for social and governance risks. This is indeed in line with the sequenced approach adopted under other EBA regulatory products (e.g. Pillar 3 ITS). Therefore, the preferred option is Option 3: To mainly focus on environmental aspects but give some guidance on social and government aspects.
2. Frequency of the materiality assessment of ESG risks Institutions should perform their ESG risk materiality assessment with sufficient frequency to ensure that any development in the external environment that could affect their exposure to ESG factors are adequately captured. Focusing on the E factor, environmental changes can develop in a fast manner, for example in terms of new policies or technologies or shifts in market and consumer preferences, potentially affecting the level of banks’ exposures to environmental risks. For these reasons, the EBA considers that banks’ materiality assessment should be carried out with a short-term periodicity to ensure that the relevant risks are captured sufficiently and in time. However, performing such assessment requires an intensive use of resources. It may be disproportionate to request all types of institutions to perform such assessment with a regularity of up to a year, as small institutions have limited resources available and such request could be burdensome for them. An adequate balanced approach would allow SNCIs to perform the materiality assessment with lower regularity although keeping an adequate periodicity to

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 62 capture all potential risks. For these reasons, the preferred option is Option 3: Every year for non-SNCIs and at least every two years for SNCIs. 3) Consideration of ESG risks in banks’ business models and strategies The following reasons justify the consideration of ESG risks in bank’s business models and strategies:

• The time horizon of ESG risks: the full impact of ESG risks is likely to unfold in a long￾term period. Additionally, changes in business models may require some time to be implemented. Therefore, it seems reasonable that institutions follow a forward-looking approach and consider ESG risks when defining their strategies and a business model that will be viable and adequate when the ESG risks materialise.
• Potential negative financial impact: when defining their business model, institutions should consider potential financial impacts that may be linked with their strategy. This includes the consideration of ESG risks.
• Political actions in favour of transforming the current global economy into a more sus￾tainable one: there are several examples of political actions at international and EU level targeting a transition to a more sustainable economy. These initiatives could push for significant changes in the business environment in the upcoming years. Banks should anticipate the potential negative impact of such transformation and take ad￾vantages of the arising new opportunities in the redefinition of their business model. Moreover, in recent years, some institutions have taken steps to account for ESG factors in their business strategies. However, as concluded in the EBA report on the management and supervision of ESG risks for credit institutions and investment firms34, more progress is still needed to adequately incorporate ESG risks in banks’ strategies and business models’ definition processes. Considering both the reasons that justify the integration of ESG risks in banks’ strategies and business models and the current insufficient implementation in banks’ processes, the EBA considers that there is a need to incorporate such a requirement as part of the ESG risk management guidelines and therefore the preferred option is Option 1: ESG risks should be considered in banks’ business models and strategies considering different time horizons. Additionally, given the distinctive impacts of ESG risks across different time horizons, banks should consider different (including a long-term) time horizons when defining their business models.

4. Data processes A robust risk management framework heavily relies on data to develop robust metrics and risk indicators. Well defined, strong data processes are key to adequately gather and exploit data to identify and measure ESG risks. However, as explained in the EBA report on the management and supervision of ESG risks for credit institutions and investment firms, the lack of data to identify and measure ESG risks is one of the main challenges faced by institutions. The EBA has balanced these two aspects when defining the way data processes should be integrated in banks’ ESG risk management guidelines. Given the importance of having accurate data to adequately measure ESG risks, it is considered that institutions should take action to better use and aggregate the data already available and that will be available as a result of EU and international developments on sustainability reporting on one hand (e.g. CSRD/ESRS), and on 34 See report here.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 63 the other hand, improve the availability of ESG data via the collection of relevant ESG information from their clients and counterparties as part of their business relationship. There are other ESG regulatory developments such as the Pillar 3 disclosure requirements as per Article 449(a) of Regulation (EU) 2019/876 that also push institutions to take action in a similar direction. However, the collection of detailed ESG-related data for all counterparties may create an excessive burden for institutions. In order to reduce such a burden, the EBA considers that institutions should be able to use external data in line with the outsourcing framework, as well as proxies, expert judgments and portfolio-level assessments in those cases where data is not available or its collection via engagement with clients and counterparties is considered excessively difficult. Therefore, the preferred option is Option 3: Institutions should gather and use the information needed to assess current and forward-looking ESG risks, building on available ESG data but also considering where needed collecting data from clients and counterparties or using third-party data, and using where needed for certain counterparties proxies or portfolio-level assessments. 5) Features of reference methodologies for the identification and measurement of ESG risks When drafting these guidelines, the EBA has analysed which features should be of reference for institutions when defining their methodologies to identify and measure ESG risks. The possible types of methodologies that have been considered include: a) exposure-based methodologies, which provide a granular assessment of the ESG factors at counterparty level; b) portfolio and sector-based methodologies which allow institutions to have a more compre￾hensive risk assessment and to analyse the degree of alignment on a sectoral basis of insti￾tution’s portfolios with climate-related sustainability targets; c) scenario-based analyses to assess ESG risks allowing for a forward-looking perspective. The definition of methodologies to assess ESG risks at these different levels will answer to different risk management needs. Therefore, the EBA considers that all aforementioned perspectives are needed to adequately measure ESG risks in a comprehensive manner and taking into account the different time horizons in which ESG risks are expected to materialise. Therefore, the preferred option is Option 1: Institutions should develop exposure-based, portfolio and sector-based, and scenario-based methodologies. 6) Materiality assessment Appropriate risk management frameworks as well as CRD-based plans should be based on a robust materiality assessment of the ESG risks faced by institutions. To guarantee consistency across all the processes in the institutions, the materiality assessment of ESG risks should be consistent with other materiality assessments carried out by the institution. To facilitate such standardisation, institutions should refer to clear definitions of ESG risks and there should be a minimum set of criteria, exposures and sectors to be considered as part of those assessments. Given the limitations of broad, purely sector-based classifications, it is more appropriate to not automatically define certain sectors as materially exposed to ESG risks but to emphasise banks’ responsibility to conduct robust assessments. Therefore, the preferred option is Option 3: Institutions should consider certain criteria, exposures and sectors in their assessments while remaining responsible for determining their materiality, substantiating and documenting their assessments.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 64 7) Data and engagement with counterparties in relation to their transition plans Institutions need information about their counterparties’ risks during the transition process to formulate and implement an adequate CRD-based plan. However, institutions may encounter some problems while collecting such information as first, not all counterparties may have developed a clear and structured transition plan and, second, institutions will need resources to collect transition plans from all counterparties, review and understand them and assess the relevant risks. In other words, the collection of all necessary data and information from counterparties is a complex and costly process for institutions. At the same time, a comprehensive set of information is needed to adequately evaluate the risks. The direct interaction between the institution and the counterparty to discuss the risks that the latter may face arising from the transition and possible options to mitigate them, is key to have a comprehensive assessment and management of risks. In order to strike the right balance, the EBA considers that such information should be obtained or collected at least for the large corporate counterparties as defined by the CSRD. However, institutions should have all the relevant data at their disposal to adequately assess the level of transition risk for all counterparties. Therefore, the preferred option is Option 3: Institution should consider collecting forward-looking plans of at least large corporate counterparties, including transition plans disclosed under CSRD, and should determine the scope of counterparties with whom to engage, taking into account outcomes of the materiality assessment and risk measurement methodologies. 8) Time horizons considered for banks’ plans ESG risks have distinctive impacts across time horizons. This is also the case when referring to ESG risks arising from the transition process towards legal and regulatory objectives related to ESG factors. Therefore, institutions should consider several time horizons when defining their plans. They should, however, include a horizon that is long enough to cover for those risks that may fully materialise in the long term. The preferred option is Option 4: To consider several time horizons, including a long-term time horizon articulated with short- and medium-term strategies 9) Plans’ targets Institutions should define targets as part of their plans. The EBA is aware that banks are already using some metrics either voluntarily or based on current or (expected) future EU legislation but that developments are still ongoing to design most appropriate metrics for target-setting. The EBA considers that requiring institutions to both monitor several metrics and consider using some of these metrics for target-setting purposes will help achieving comparable plans and support the work of supervisors in their reviews. At the same time, it is important to allow institutions flexibility in defining the exact combination of metrics and setting the level of targets they deem appropriate given their business strategies. It is also important to ensure that banks will take steps to progressively include metrics related to non-climate-related risks, in particular risks stemming from the degradation of ecosystems and biodiversity loss, and compute and use metrics relating to the financial implications of transition planning for their business and risk profile. Therefore, the preferred option is Option 4: To require institutions to consider using some metrics included in the guidelines while complementing them

7.2 Feedback on the public consultation Summary of responses to the consultation and the EBA’s analysis Comments Summary of responses received EBA analysis Amendments to the proposals General comments Overall, the Guidelines are broadly welcomed as stakeholders noted that efforts made by EU banks to assess and manage ESG risks have increased over recent years but still need to be amplified. A common European framework on the incorporation of ESG risks in banks’ risk management and transition planning will help in that regard and enhance the resilience of the banking sector. Efforts to give institutions clarity on the expectations substantiating the CRD requirements before setting out the implications in terms of supervision are appreciated. A wide range of views was nonetheless expressed on several issues and whether the Guidelines strike the right balance between ensuring a sufficiently robust and prudent management of ESG risks and accounting for feasibility considering data and methodological challenges. The EBA has taken note of the comments received and thanks respondents for their contributions. Answers to specific issues and comments are included below. Guidelines amended as described below. Risk-based approach The risk-based approach is supported but the Guidelines are not always consistent with it, for instance when referring to the EU Climate Law, measures prescribed by the European Scientific Advisory Board on Climate Change (ESABCC), or the EU Taxonomy. The blurring of the prudential boundary is evident through the references to ‘objectives’ and ‘targets’ which appear to envisage the decarbonisation or reduction of institutions’ impact on ESG factors. The risk-based approach involves managing financial risks stemming from the transition process towards political objectives including carbon neutrality. EU climate law, measures by ESABCC and ‘targets’ are explicitly mentioned in CRD. See below for EU Taxonomy and amendments to section 4.1. Section 4.1 amended. Alignment with EU objectives We wonder how the EBA conciliates its Guidelines that on the one hand explain not requiring an objective of fully aligning with Member States or The Guidelines do not require to align portfolios but to measure and monitor the Section 4.2 clarified.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 66 Union sustainability objectives or one specific transition trajectory (i.e., a 1.5°C or NZE objective), and on the other hand the requirements on portfolio alignment. Where the EBA does believe that it is relevant to cite external political objectives and targets, it should clearly explain how institutions should consider alignment/misalignment in relation to their own planning and the risk implications. degree of alignment as an input to strategy and risk management decision-making in relation to climate transition risks. Transition finance The Guidelines should ensure that risk management strategies and plans help to support transition finance. Banks should be expected to develop a strategic perspective on capturing and supporting opportunities that arise in the transition, consistently with EU legal frameworks, but also to mitigate long-term risks arising from lack of climate action. The Guidelines require to consider ESG risks when formulating and implementing business strategies. The section on plans refers more explicitly to transition finance. Section 6 amended. ESG risks as risk drivers The EBA rightly considers ESG risks as risk drivers of traditional risk types and not as a separate risk type. This approach is however not consistently applied in the Guidelines where certain requirements suggest that ESG risks should be treated as a separate risk category. The definition of ESG risks provided in CRR applies throughout. To ensure that banks properly assess impacts of ESG risks on financial risk types, additional processes or modifications to existing processes are needed and detailed in the Guidelines. Sections 4.1, 5.3, 5.5 clarified. Level of prescriptiveness Not prescriptive enough. The Guidelines remain too principle based. The flexibility left and the lack of detailed requirements will undermine the quality of the exercise and could lead institutions to develop a purely administrative exercise to justify not changing their approach to manage ESG risks. We recommend EBA to provide additional minimum safeguards and clarifications on the practical implementation. Too prescriptive. The Guidelines should adopt a principles-based approach. The consultation paper sometimes takes an overly prescriptive approach that does not account for challenges faced by banks and would constrain the institutions’ learning curve on ESG risks. Sufficient flexibility should be left - and maintained over time – with regard to: methodologies and use of proxies; risk mitigation tools; engagement with counterparties; data sourcing and gathering; indicators, metrics and targets The EBA has considered the range of views received on the level of prescriptiveness of the draft Guidelines. The EBA recalls that its mandate is to specify minimum standards, criteria and methodologies for the identification, measurement, management and monitoring of ESG risks. Delivering on this mandate entails providing harmonised and generally applicable requirements with a degree of granularity. Given the fact that management of ESG risks is evolving, the Guidelines have nonetheless maintained a degree of flexibility for institutions to develop their methodologies. Institutions No fundamental changes.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 67 as banks should set their own metrics and targets based on their own strategies. The Guidelines should focus on institutions’ achievement of appropriate prudential risk outcomes rather than over-specifying the means and/or method by which institutions should identify, measure, monitor and manage ESG risks. A "demand-based approach" may be considered in which the objectives are explained to the institutions but the path to their implementation must be taken largely independently. As another possible model, we would like to recommend a "solution-based approach". Here, the tools for assessment and for the management of ESG risks are developed and explained, even trained and then published by the supervisory authority. The Guidelines could better distinguish between mandatory requirements and recommendations for good practices. remain responsible for developing business strategies and for determining the best combination of risk mitigation tools they will implement. The EBA also recalls that Guidelines set requirements institutions should comply with, and not good practices. Time horizons The guidelines should reflect on what long term entails for prudential purposes. It could be clarified that long-term horizon is not expected for every risk management tool as this would be too excessive and demanding. The definition of long-term as at least 10 years should be specific to the climate and environmental elements and for the purposes of prudential transition plans. Medium and long-term assessments are expected to be mainly qualitative/ subjective/ expert based so supervisory expectations should be high level. Long-term horizon is not consistently applicable across E, S, G risks. More specifically, given the uncertainty around social and governance factors, along with the lack of clear long-term goals, long-term time horizons may not be relevant for S and G risk drivers. A sound management of ESG risks should consider the short, medium and long term as required under CRD. However, the Guidelines clarify that the level of granularity and quantification of tools and indicators used by institutions should be higher for the short and medium term. Long-term time horizons should at least be considered from a qualitative perspective and support strategic considerations. Sections 4.1, 5.5. and 6 amended. Scope – scenario analysis, disclosures, capital requirements More guidance is needed on how to perform ESG scenario analysis, foster transparency of institutions’ practices, and ensure that supervision and enforcement of the Guidelines will be effective. More support to green investments and/or higher capital requirements for fossil fuel-related assets held by banks need to be considered in the prudential framework. These comments deal with aspects that are addressed by separate mandates on incorporation of ESG risks in scenario analysis, supervision, disclosures (revision of the Pillar 3 standards) and the prudential treatment of exposures. No change

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 68 Scope – banking book and credit risk The Guidelines should be limited to the banking book and focused on credit risk, while foreseeing a gradual approach for enlarging the scope to trading book and other risk types when they become more mature and/or material. Limited progress has been made on assessing climate-related financial risk transmission mechanisms for exposures held for trading. Positions held in the trading book are actively risk managed, held for very short time horizons and, as such, may not present a very meaningful reflection of how the bank is exposed to climate-related risk factors. If the trading book was to be in scope of the final Guidelines, it would be necessary to phase in the requirements to allow time for solving data and methodological issues. ESG risks can affect various financial risk types and banks should ensure a comprehensive assessment of ESG risks based on their business model and scope of activities. Given more advanced understanding on transmission channels to credit risk, more extensive requirements are included on the latter. No change Articulation with ECB Banks under direct SSM supervision are already under significant pressure by the ECB on environmental risks management. The Guidelines should be articulated with CRD on one hand and the supervisory practice on the other hand. It is desirable to have a common regulatory and supervisory attitude towards ESG. EBA and ECB should ensure alignment and clarity of application of the respective Guidelines. The Guidelines have been prepared with all competent supervisory authorities in the EU, including the SSM. They take into account supervisory experience on both shortcomings and progress of banks. The Guidelines apply to all EU banks and supervisors. No change International developments / Level playing field The framework for ESG risks is still evolving at the international level. Convergence of EU regulations with international standards is important to ensure the level playing field and avoid complexity having to comply with different requirements within the same group for international banks. Certain stringent requirements may generate unlevel playing field, with a risk that clients divert from EU institutions to the benefit of non-EU institutions that are not subject to such requirements. The treatment and relevance of financial institution transition planning is currently an area of active discussion and analysis at the international level. Given that the EBA’s mandate does not require the publication of these specific guidelines until 18 months following the entry into force of the CRD, the EBA could use the allowed time to engage with other authorities globally and work towards a more aligned approach. The EBA could conduct further consultation on the transition planning element in its draft Guidelines later to reflect international developments. The Guidelines take into account BCBS principles on climate-related risks and international developments (e.g. NGFS, BCBS) on transition planning, to which the EBA and its members contribute. They however provide further details as they are based on the EU legal framework. The EBA supports international convergence on ESG risks management and considers that sound risk management and transition planning strengthen banks’ business model. Future updates to the Guidelines may reflect international developments if needed. No change

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 69 EU requirements should be interoperable with future international standards, which may require future revisions to the EU approach. Date of publication and date of application The EBA states that their intention is to publish the Guidelines towards end of 2024 and for the application date to be aligned with the application date of the amended Directive 2013/36/EU. However, the proposed amendments to CRD only require that the EBA publish these Guidelines within 18 months from date of entry into force of this amending Directive and do not set specific timelines for the application date of the Guidelines. We would question why the EBA is seeking to publish significantly in advance of this date. Clarification on the application date of the Guidelines would be appreciated. Considering the current state of methodological developments and the numerous regulatory requirements banks will have to comply with the next few years (notably CSRD), banks will need sufficient time for the application of the Guidelines. Implementation period of at least two years is crucial, given the complexity of the topic and its interdisciplinary nature (data, IT, strategy, risk processes). Large institutions within the meaning of the CSRD that qualify as SNCIs and are treated as listed SMEs in the CSRD are only subject to the corresponding reporting obligations for the 2028 reporting year. This should be taken into consideration when finalizing the Guidelines. The EBA has published the Guidelines in advance of the deadline provided by the CRD and decided to align the date of application with the date of application of CRD6 i.e. January 2026, for most banks. This early publication ensures clarity over upcoming requirements and gives time to institutions to prepare for both the implementation of new obligations under CRD6 and compliance with the Guidelines. To ensure proportionality and considering other regulatory developments e.g. CSRD, a one￾year phase-in is provided for the date of application of the Guidelines to SNCIs (i.e. application at the latest from January 2027). Date of application delayed by 1 year maximum for SNCIs. Question 1: EBA’s understanding of the plans required by Article 76(2) of the CRD, and articulation with other EU requirements Definition of Plan(s) When respondents expressed their direct view on EBA’s understanding, they nearly all agreed it was an appreciated effort and solid tentative to provide directions and definition based on CRDVI mandate. Yet albeit appreciated, many had comments, questions, and suggestions about the definition of (transition) plan(s) and how many plans should exist and flexibility around it. Some respondents express their clear preference for focused, risk-based or The EBA Guidelines use the same language as per CRD where its mandate originates. To reflect the different but closely related strategic efforts spanning various EU requirements, the background now further clarifies that plans are output of a single transition planning process which includes all Background and section 6.1 updated.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 70 single plans only, while others either appreciate the flexibility of the GLs or express strong single transition plan views. relevant strategic and implementation aspects. Articulation with EU and other practices Regarding the articulation with CSRD/CSDDD/ISSB/BCBS, answers revolve around three clear and complementing points on that matter:

• (further) Clarification needed overall
• The absolute necessity of (more) alignment and consistency with CSRD (and CSDDD and ISSB to a lesser extent) with another clarifica￾tion sought on articulation and feeding directions between plans.
• Avoiding overlaps between requirements and create complementing frameworks. Linkage with EU disclosure and due diligence frameworks is further recalled in the Guidelines background where the complementary purposes of the different EU requirements are stressed. See also below on section 6 and annex. Background updated Plans validation A few respondents asked for supervisors’ validation of plans, mostly through SREP while one respondent would prefer less formality. Supervision of CRD-based plans is out of scope of these Guidelines. The background however recalls that banking supervisors will assess their robustness as part of SREP, as per CRD6. Background updated Reference and pathways towards EU 2050 objective Respondents raised antagonistic views spanning ‘no pathway – no alignment – no need to align as it is risk choice’ to improved and inclusive definition to explicitly mention EU 2050 objective in definition and/or scenarios or (more) pathways. Respondents also raised questions such as:
• Does referring to CSRD suffice to imply that EU 2050 is a target – some would like it to be more explicit.
• Some see no need to indicate or refer to pathways as this is a risk document. Which feeds which: CSRD is expected to feed CRD but CSRD is still evolving. The Guidelines stress that they are not prescribing a specific climate or ESG objective but require transition planning efforts to take into account the likely pathways implied by EU legislation and targets. See also above on alignment with EU objectives. Section 6 amended Group / SNCIs scope / Proportionality Some respondents preferred a scope of application at Group level only for a plan, while others preferred EU entity level and not at Group level or asked for more clarity overall. While proportionality is a recurring theme on various subtopics, there are explicit requests to remove demands for SNCIs or take into account the CRD6 waiver option, and not having to create a plan solely because CSRD disclosures are needed. The level of application of the Guidelines is aligned with the level of application specified in CRD article 109. With regard to SNCIs, CRD requires them to have a plan. It is clarified that in case Member States decide to use the CRD ‘waiver’ Background updated

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 71 provision, the GLs will apply dependent on the transposition into national law. Sectors / Divesting Some respondents suggest explicit sectors divesting should be present in the requirements related to CRD-based plans (mostly fossil fuels). Overall divesting is seeing more cautiously from other respondents given it could have some unintended effects. The goal of CRD-based plans is not to force institutions to exit or divest from greenhouse gas-intensive sectors but to thoroughly assess risks and to prepare accordingly through structured transition planning, including by engaging clients and supporting them where appropriate, notwithstanding other mitigation actions consistent with sound risk management. No change Question 2: Proportionality approach Size versus business model and risk profile Proportionality seems to be mostly based on institution’ size as illustrated by the Guidelines’ references to SNCIs. Proportionality is a crucial principle for Pillar II and should be considered more holistically and not only with regard to the size of the institution. Proportionality should be better linked to the business model, risk profile of a bank and to the level and materiality of the financial risk. Smaller institutions may have even higher ESG risks due to less diversified portfolios and higher sectoral (e.g. agriculture) and/or geographical concentrations. Hence it would not be sound to reduce or suspend requirements for them. Different institutions have varying capacities and resources. The process of adaptation to robust ESG risk management could be a significant challenge for many small institutions. Size is not the decisive factor in the Guidelines, rather the risk materiality associated with institutions’ activities and business model, in line with CRD art 87(a)(2) and recognising that smaller institutions are not necessarily less exposed to ESG risks. Nonetheless, smaller and less complex institutions can implement less sophisticated processes given their limited resources. Some simplifications are thus provided for SNCIs and in certain cases also for all non￾large institutions. Background clarified Cost/benefit Proportionality should be ensured regarding the cost/benefit analysis of the measures proposed. The incorporation of ESG-related risks in the prudential A cost-benefit analysis is included in section 7.1. The benefits of the requirements of the Section 7.1 updated

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 72 framework will imply a significant workload for institutions – it is therefore important that the proposed requirements provide actual value-added both from an ESG risk management and supervisory perspective. Guidelines are considered to outweigh costs given the importance of a sound management of ESG risks. Proportionality throughout the Guidelines Proportionality should be applied throughout the Guidelines. A paragraph on the application of the proportionality principle may be added in Chapter 2 'Subject matter, scope and definitions' rather than only mentioned in the background. Proportionality should apply to all the Guidelines’ requirements, allowing institutions to focus on the most material risks. The Guidelines should clarify that all requirements are subject to the materiality principle. If materiality assessments of ESG risks do not identify material ESG risks transmission channels from counterparties, requirements such as identification data, engagement with counterparties, and internal reporting metrics should be considered in a proportionate manner, regardless of the size of the institution. Based on this principle, only relevant risk category(ies) i.e. E, S or G factors should follow the processes indicated in the Guidelines. Excessively harsh or detailed requirements could entail the risk of ineffective mechanisms, a resource allocation inconsistent with the effective level of financial risk, creating a tick box list and/or banks withdrawing from some sectors hence jeopardizing the supply of credit required for the transition. The clarifications regarding the proportionality approach are reflected both in the background and in the main body of the Guidelines, such as sections 4.1 and 6.1. Proportionality cannot lead to a consideration of whether to implement the Guidelines or not. However, the extensiveness of the various risk management processes and procedures should be proportionate to the outcomes of the institution’s materiality assessment. Sections 4.1 and 6.1 clarified SME clients The principle of proportionality must extend beyond financial institutions to encompass their business partners in particular SMEs. SMEs should receive the necessary support to address ESG challenges without facing financial penalties or too demanding data collection efforts. Banks’ management of ESG risks for SMEs should be based only on data to be reported based on EFRAG’s proportional and voluntary sustainability reporting standards. The Guidelines do not penalise SME financing and data collection efforts are targeted towards large corporates. A reference to voluntary reporting standard for SMEs has been included. Section 4.2.2 amended Scope of addressees A consistency with CSRD and CSDDD would mean that the addresses of the Guidelines are consistent with those of CSRD, CSDDD. Therefore, the Guidelines should not address SNCIs in general, but only bigger SNCIs, similar to CSRD. The Guidelines are based on CRD which applies to all institutions, but they embed proportionality, see above. No change

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 73 Specific business models The proportionality approach can be further promoted for some types of institutions with specific business models such as national promotional banks or institutions that focus on positive ESG-related activities and have lower exposure to regulatory, transitional and reputational risks. A business model guided by the principles of the social economy cannot reasonably be interpreted as "more" prone to risk. It is of utmost importance that such banks be recognized as such, and that their business model be acknowledged. It is not appropriate for the Guidelines to recognise or distinguish between specific business models, but proportionality should apply based on the ESG risk materiality associated with institutions’ activities. No change Support for small institutions To further support smaller institutions, the EBA should consider providing more tailored guidance or examples on understanding, defining, and implementing proportionate ESG risk management practices. Additionally, facilitating access to ESG data and risk assessment tools could help smaller institutions meet the Guidelines without disproportionate effort. The simplifications provided for SNCIs aim at facilitating their implementation of the Guidelines. See also below regarding access to ESG data. Background and section 4.2 amended Update frequency The option for small, non-complex institutions to carry out the review of risk strategies/policies only every two years, as set out in Art. 76 (1) CRD, should be used. Proportionality is provided regarding the frequency of updates of materiality assessments and plans, for the latter in line with Art 76(1) CRD. Section 6 clarified Identifying simplifications An annex to guidelines or a synoptic table outlining the facilitations or simplifications granted to SNCIs would be helpful in providing an overall view of the simplifications applied in line with the proportionality principle. Simplifications provided for SNCIs are outlined in the background. Background amended Question 3: Consideration of climate, environmental, and social and governance risks General comments Stakeholders broadly supported the Guidelines’ approach i.e. the emphasis put on E while including some general requirements on S and G risks. There is wide recognition that most progress has been achieved on climate-related risks in the financial sector and this should be reflected in the requirements. Two conflicting views have however been expressed:

• A first category of respondents considers that a more comprehensive approach is needed and further guidance would be justified on non￾climate aspects. S and G are also sources of financial risk and affect Overall the Guidelines maintain the emphasis put on environmental risks, while still containing minimum requirements for social and governance risks. A restricted scope on E would not be in line with the CRD provisions. However, the Guidelines recognise that approaches for social and governance risks are expected to Section 4.2 amended.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 74 banks’ counterparties. The full spectrum of ESG factors is captured by frameworks such as CSRD, SFDR, SASB materiality mapping or the UN SDGs. More guidance is needed on how to approach social risks for specific customer segments or industries.

• A second category of respondents on the other hand called for an even more gradual and phased approach, starting with environmen￾tal considerations and in particular climate aspects. This would re￾flect the maturity level reached on various dimensions (e.g. data, methodologies) and their specificities (e.g. differences in transmis￾sion channels, time horizons, systemic nature of E versus idiosyn￾cratic nature of S and G). The Guidelines should focus on climate and provide flexibility regarding management of S and G risks, with no mandatory KRIs and only qualitative requirements. They could fur￾ther capture non-climate aspects at a later stage e.g. in future up￾dates when analytical and operational challenges are addressed. be gradually enhanced in line with regulatory and methodological progress. CSRD and CSDDD The Guidelines could further build on CSRD. CSRD will result in more data available on all ESG aspects and also addresses risk management processes and strategies. The data that will be reported by counterparties should be the foundation of banks’ approach to social risks. CSRD also defines ESG factors as opposed to CRD. CSDDD refers to violations of rights and prohibitions included in international human rights agreements, with a long list of human rights and fundamental freedom conventions. The Guidelines could add that banks should pay attention to any risk deriving from the violation of legal duties established to pursue social goals in force at national level, in the jurisdiction of the client. Further alignment with CSRD has been ensured for instance in terms of data items institutions should collect. The Guidelines require banks to take into account adherence of counterparties to applicable social standards, in line with those mentioned in CSRD. Section 4.2. amended More support needed It would be useful to shape an internationally agreed roadmap for the gradual integration of social and governance factors towards quantitative measures. The EBA could consider developing a common risk taxonomy across ESG risk areas, including a taxonomy of nature related risk drivers. Such initiative would be welcomed by the EBA. The EBA is not necessarily best placed to do that, however developments on supervisory reporting are ongoing and the final Guidelines further refer to nature-related risks (see below). No change

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 75 Nature related risks – caution needed Greater distinction should be made between climate and non-climate aspects such as biodiversity, given the different maturity levels in the understanding, measurement and management of associated financial risks. The Guidelines require quantification of climate-related risks and proper understanding of nature-related risks. Background and section 4.2.1 amended Nature related risks – need for more requirements Assessment of nature-related financial risks can already be done. The financial sector is vulnerable to destabilising impacts of environmental changes, scientific evidence is available (IPBES assessments), half of world’s GDP is highly dependent on nature, and key sectors and companies have been identified as high-risk e.g. for deforestation. There are gaps in management and disclosure of nature-related risks and opportunities by financial institutions, and a need to integrate further forest and water related risks in strategies. More recommendations on nature related risk management should be included in the Guidelines, starting with deforestation and/or building on first publications available (NGFS, TNFD, SBTN). An integrated approach is needed given the climate-nature nexus. The Guidelines have been amended to further explain the relevance of nature￾related risks - covered by the definition of environmental risks in CRR - in the background as well as to clarify requirements in terms of materiality assessment and risk measurement methodologies. Section 4 amended Scope of E risks We understand that ecosystems degradation and biodiversity loss may be only examples of a broader range of elements, which leaves a certain degree of uncertainty. For example, would institutions be expected to include water and pollution matters in heat maps? Environmental risks are defined in CRR. Institutions should take into account a broad range of E factors. No change Interactions between E, S, G – conceptual comments ESG issues are interconnected and should be considered holistically, by considering macro trends and the entire production chain of economic activities e.g. for electric vehicles. The green transition can have both positive and adverse effects on social issues. See below regarding clarifications provided on interactions. No change Interactions between E, S, G - suggestions No guidance. It is difficult to provide generally applicable guidance on how to deal with interactions. Interdependencies between E, S, G risks would be best considered by institutions in individual risk assessments rather than through general requirements in the Guidelines. More guidance. The EBA could provide further guidance on how to handle interactions and/or illustrations on how to do it. Limited guidance. The Guidelines could specify that banks should understand interconnections between various dimensions and consider them in risk management practices. The Guidelines include a new paragraph which states that with regard to the interactions between the different categories of, respectively, environmental, social and governance risks, institutions should apply an approach that firstly assesses each category of risk taking into account its specific characteristics, before considering potential interconnections. This should prevent the Section 4.2.1 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 76 Banks should avoid using aggregated scores for ESG and focus separately on each dimension to avoid black boxes or mixing risks of various nature and magnitude. Employing a differentiated approach is needed to take into account the different inherent characteristics of each category of risk Using the Taxonomy DNSH criteria – e.g. assessing if counterparties meet these criteria - can help to assess and mitigate risk across various environmental objectives. risk that institutions would mix or offset risks of various nature and magnitude. Transition plans The integration of social and governance risks in transition plans is not clear. Banks should take a holistic approach rather than siloed with separate plans for different risks. In particular, one single plan for both climate and nature would be justified. Requirements on plans are focused on climate risks but other E and S&G risks cannot be ignored, in line with CRD. No fundamental change but section 6 clarified Para 26 - Double materiality Not for the Guidelines. Double materiality is relevant for sustainability reporting but not for micro-prudential risk management. We recommend that the Guidelines refer to financial materiality only since they are focused on risk management. The last sentence of para 26 – i.e. conditionality on financial risks – should be mentioned in the core text of the Guidelines, not only in the background. Need for more recognition. Double materiality should be recognised more clearly and integrated throughout the Guidelines, in line with CSRD approach. Targeted clarification. The Guidelines strike a good balance but could further clarify how (adverse) impact that a counterparty may have can entail financial risks for institutions, for instance through a range of risk categories including strategic, litigation and reputation risks. The Guidelines are focused on financial materiality in line with CRD but clarify that adverse impacts should be taken into account to the extent that they can drive financial risks and/or reputation, litigation and business model risks. Background clarified Question 4: Materiality assessment

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 77 General comment The materiality assessment is a key exercise as an inadequate assessment would undermine the adequacy of the risk management approach as a whole. The conclusions of the EBA monitoring exercise on the IFRS9 implementation serve as evidence for the need of such guidance, as the EBA has identified largely divergent practices of banks when handling forward￾looking information for risk assessments. Robust materiality assessments are key and positioned as starting points for sound ESG risk management approaches. Section 4.1 amended as explained below Flexibility Not enough. Guidance should not be too prescriptive (one size fits all) and should enable some flexibility on how to approach materiality assessment as banks may have developed other internal indicators to identify homogeneous exposures in terms of ESG (e.g. as an alternative to proposed activities, services, products segmentation). Individual institutions should have greater flexibility to assess the materiality of ESG risks in their specific portfolios and across their sectoral exposures. Too much. The expectations for the execution of the materiality assessment should be better specified completed with minimum safeguards to improve the reliability of the exercise. The introduction of qualitative/quantitative thresholds would be useful. The Guidelines strike a balance between providing minimum standards and criteria and maintaining the responsibility of banks to conduct materiality assessments that correspond to their business model and risk profile. The Guidelines do not specify thresholds but require banks to document their methodologies including any threshold used. See also below on question 5. No change Significance of activities, services and products There should be further clarification on how materiality and how the significance of activities, services, products should be measured. The significance of activities, services and products could be determined through measurable indicators. §14b should clarify that the activities can be considered as most significant not only from the perspective of their relative size in the portfolio but most importantly from the perspective of the potential of these activities to generate substantial impacts for instance in terms of reputation. It has been clarified that institutions should ensure that the scope of their materiality assessment sufficiently reflects the nature, size and complexity of their activities, portfolios, services and products. Institutions should document their methodologies including indicators. Section 4.1 clarified Quantification It should be clarified, when referring to the quantitative view to capture potential impacts of ESG risks, that it should not necessarily be a capital or P/L impact. Rather, the quantitative view may be supported by the determination of the amounts of exposures and revenues that are significantly exposed to the said risks. Clear differentiation should be promoted between the assessment of risks (using qualitative and It has been clarified that the determination of material ESG risks should consider both their impacts on financial risks categories and the amounts of exposures or revenues exposed to the risks. Quantitative information should be used at least for environmental risks. Section 4.1 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 78 quantitative views) and risk quantification/measurement (which should be based on a capital or liquidity impact). For some aspects there are no established calculation methods for quantifying, therefore the guidelines should enable qualitative assessment where appropriate. Asset class versus sector and geography A sectoral and geographic classification of portfolio exposures should be required as part of the materiality assessment of climate-related risks. Reversely, the traditional classification per asset class should be discouraged, as the portfolio vulnerabilities to climate and transition risks depend on the sectors and geographies. It has been further clarified that sectoral and geographic location information should be taken into account as part of materiality assessments. Section 4.1 clarified E, S, G E, S and G materiality assessments should not be under similar requirements. Guidelines should include a reference to nature-related transition and physical risks. More detailed requirements are included for E risks. The Guidelines have been amended to refer to exposures towards sectors highly dependent on nature and ecosystem services. Section 4.1 amended Clarification on materiality assessment perimeter Guidelines should clarify if portfolio/exposures are encompassed in activities as per §14b? Guidelines should clarify the materiality assessment for non-UE exposures. It is proposed that it is circumscribed in terms of transition risk. The Guidelines clarify that portfolios are encompassed in activities. The transition risk assessment should take into account exposures’ vulnerabilities to relevant jurisdictions’ objectives. Section 4.1 clarified Time horizons The materiality assessment for the time horizon proposed (including at least 10 years) is too long to be used for financial resource planning: liquidity assessment (including stress testing & planning) focuses on short to medium term risks, making it difficult to cater for long term events; while a capital assessment focus (including stress testing and planning) beyond 5 years would not be meaningful. The business model of a bank when determining the length of the forecast horizon for assessing the materiality of ESG risks should be considered. Long-term time horizon of the materiality assessment should increase to 20 years or minimum of 25 years to align with transition planning. See above regarding the clarifications provided in paragraph 19 and below for the ICAAP section of the Guidelines. Section 4.2 and section 5.4 amended Materiality assessment Guidelines should elaborate further on the relationship, synergies and differences between the materiality assessment as required under CSRD and The Guidelines have been amended to refer to consistency with CSRD and further align Section 4.1 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 79 consistency with CSRD EFRAG guide and the materiality assessment as required in the EBA guidelines. Guidelines should enable reusing materiality assessment performed under CSRD. Definitions of time horizons should be consistent and Guidelines should clarify if severity in §15 is the same as in the ESRS (1§45). §15 likelihood and severity of the materialisation of the risks should be replaced by likelihood of occurrence and the potential magnitude of the financial effects; to align with CSRD/ESRS with CSRD and EFRAG implementation guidance on the financial materiality assessment, including regarding terminology. Wording of former paragraph 15 has been aligned. Double materiality Pros Banks should also assess how their activities can do more good and less harm to the environment in order to mitigate risks that can be amplified in the financial system. Guidelines should include requirements on engagement with affected stakeholders or their representatives and the assessment of the impact of ESG risks on people and the environment. Cons Guidelines should clarify that their focus is on financial materiality and the management of financial risks to the institution only. It would help banks to deepen their analysis and efforts where the risks are material, in a consistent manner with the risk-based approach. The Guidelines are focused on financial materiality in line with the nature of the CRD but clarify that adverse impacts should be taken into account to the extent that they result in financial risks and/or reputational, litigation and business model risks. Background clarified More guidance More detailed guidance or best practice would be welcome on: likelihood regarding ESG risks; the number and/or which scenario to be used under §14c including their time horizons and if different scenarios should be considered across time horizons; how counterparties are considered “most critical”. It has been clarified that likelihood refers to likelihood of occurrence, in line with CSRD. The EBA will develop further Guidelines on scenario analysis. The reference to most critical counterparties has been removed. Section 4.1 amended Divergence of counterparties from transition objectives Assessing the divergence of counterparties from transition objectives is too prescriptive, too broad for a bank wide materiality analysis and assumes an unproven correlation between transition recalcitrance and the counterparty risk. Institutions should be given the flexibility including making their own judgements as to whether counterparty divergence from transition objectives is a relevant factor. Banks should not have to rigidly refer to a counterparty’s alignment with different net-zero pathways to quantitatively assess financial risk. The degree of alignment or misalignment of portfolios with jurisdictions’ regulatory objectives is an input to materiality assessment in particular given its relevance to transition planning. Section 4.1 slightly amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 80 Link with transition planning Materiality should always be a relevant driver for the transition planning obligations (i.e., sectors that are not material for the institution’s business model and/or capital should not be part of the transition plan). Transition planning should address material ESG risks. Section 4.1.and section 6 clarified. S and G Guidelines should allow banks to carry out their materiality assessment in a way that is proportionate given the lack of clarification from the legislator/regulator on the risks to be precisely regulated. Due to missing social taxonomy, limitation of the use of S and G data should be more emphasized. See above regarding E versus S and G. No change Redrafting proposals • General: Guidelines should refer to ESG risk drivers rather than ESG risks • §14. With a view to comprehensively capturing the material potential impacts of ESG risks • §14a. The consideration and use of both qualitative and quantitative elements and data where these are available • §14c should clarify further that the banks should first explore the key propagation channels of climate impacts and transition impacts for the bank, per sector and country of activity of their counterparties, based on a range of information (including forward-looking infor￾mation such as a range of scenarios). • §15 should include “expert” assessment when considering long term horizon. ESG risks is the term used in CRR. Comprehensive assessment is important. No change – but limited to E risks. The suggestions are considered to be captured by the Guidelines. See response on time horizons. No change No change No change – but limited to E risks. No change No change Frequency Reduced frequency of materiality assessment for SNCI is appreciated. Guidelines should set a 3-year frequency in line with SREP guidelines. More generally, materiality assessment frequency should be on an ad hoc basis, when significant changes have occurred is more relevant. The minimum 2-year frequency has been kept for SNCIs. Institutions can rely on past assessments but should ensure they remain valid as part of regular reviews. No change ICAAP §18 should be completed to clarify that the banks should justify how criteria are weighted relatively to each other. They should also document how they address the data gaps. The corresponding decisions with respect to the treatment of ESG risks should also be clearly documented, alongside the clear internal definition of materiality, which is already required in the ICAAP framework for all risks relevant to the institution. It has been further clarified that banks should substantiate and document their assessments and methodologies, including thresholds and conclusions. Section 4.1 clarified. No change

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 81 Guidelines should clarify whether the execution of the reference methodology should be formally in line with the internal mechanisms already established regarding ICAAP or should refer only to the materiality of such ICAAP mechanisms. Additionally, it should be further clarified how to entangle these material assessments with other materiality assessments conducted by institutions, i.e., whether one or the other (or both) should cross-reflect the risk identified in each assessment. The ESG risks materiality assessments should be consistent with and integrated into other assessments such as those made for ICAAP. Disclosure Transparency and credibility are key in materiality assessments. Guidelines should include requirements for banks to conduct third-party review and consultation and to disclose all details regarding its methodologies, processes and results. Disclosure is out of scope of these Guidelines and covered by other regulations (e.g. Pillar 3, CSRD). No change Question 5: Presumption of materiality for E and assessment of physical, S and G risks Minimum set of exposures (pros) Support to the general approach in §16, which is consistent with the climate benchmark regulation and Pillar 3 template 1. However, this wide approach should be completed by a more targeted focus on a few critical sectors, coal, oil, gas. These sectors alone are influential enough to derail the Paris Agreement and the EU climate law. In addition, this will ensure more consistency with the CSRD. In particular exploration of new fossil fuel reserves represents high transition risk. Care should be given to the justification provided for the purpose of §17. It is necessary to maintain the requirement for the bank to explain when it considers that these sectoral exposures are non-material. Guidelines should further specify and extend the list to account for nature￾related risks as well. In the identification of such sectors, it should be built on the extensive body of existing evidence (in particular, key sectors and companies have been identified as potentially high risk for deforestation). The Guidelines have been amended to include a reference to exposures towards fossil fuel sector entities. It has been clarified that conclusions, including non-materiality ones, should be substantiated and documented. The Guidelines have clarified that nature degradation and dependencies on ecosystem services should be considered. Section 4.1. amended Section 4.1 clarified Section 4.1 clarified Use of taxonomy (pros) Taxonomy is a good proxy as it means the exposure meet the EU sustainability goals. Yet, the derogation provided in §17 may imply negative See below regarding the deletion of the reference to taxonomy-alignment as a proxy Section 4.1 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 82 consequences as it does not provide strong guarantees and could benefit to oil/gas/coal mining exposures (e.g. high level of alignment is not clearly established). “Such as” and “high level of [EU taxonomy] alignment” does not strictly provide mitigation to this derogation. Alignment with taxonomy should be 100% otherwise sectors could include activities that do not meet the DNSH criteria hence bear transition risk. The derogation should be complemented by a second criteria consisting in 100% of the sector/activity exposure to DNSH taxonomy criteria. Taxonomy may be used in combination with additional tools (e.g., CPRS, corporate emissions, elements of corporate transition plans) given the lack of information on Taxonomy performance, especially for SMEs. 'Transitional' activities should be excluded from the derogation in §17 as medium-to-long-term transition risks carried by associated sectors remain high. for justifying derogation to presumption of materiality. Non-UE exposure treatment Guidelines should provide flexibility for group institutions based outside the EU managing activities outside the EU, such as referring to local taxonomy. Making sole reference to the EU Taxonomy as a proxy for non-materially would also pose significant extraterritorial effects for banks with presence in third countries. EU taxonomy will not be useful for banks with material exposure outside of EU or a portfolio composition with a potential lower share of eligible assets for GAR calculation. Voluntary or internally well justified green assessment should be likewise used for justification, or the materiality assessment will not allow for level playing field with respect to exclusion of exposure as materially affected. See below regarding taxonomy-alignment Section 4.1 amended Minimum set of exposures (cons) More flexibility should be provided as for the sectors to be included in the materiality assessment. Do not support that exposures should automatically qualify as materially subject to environmental transition risks on the basis of Institutions should conduct robust materiality assessments that reflect the nature, size and complexity of their activities. Section 4.1 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 83 their sector (§16). This would imply a significant data and assessment burden even when it is qualitatively obvious that the NACE sector in question poses no environmental risks to the firm. The reversal of the burden of proof makes the risk inventory de facto absurd. Materiality categorisation can be applied e.g. per risk type and only when certain quantitative/qualitative materiality thresholds are reached. The categorisation of certain sectors as material does not automatically mean that they are material from an institution's perspective. Materiality for institutions depends, among other things, on the business model, risk, concentrations, maturity of the loans, the willingness/possibility of debtor to shift its business model, whether the sector itself has the possibility to decarbonize etc. Therefore, para. 16 and 17 should be removed, and the approach to materiality assessment should be left to the discretion of the institutions. The financial materiality and risk-based approach of the prudential framework is not necessarily consistent with a purely sector-based approach. Other complementary factors will determine the financial materiality of an activity such as the time horizon, the size of the exposure, the existence of mitigation mechanisms, effective transition paths or dedicated financing that are in line with an efficient transition, and stress assumptions. While close attention is given to high-emitting sectors, the materiality assessment should be commensurate to the size, business activity and types of risks carried by the institution. Sectoral approach including all activities listed in Sections A to H and Section L of Annex I to Regulation (EC) No 1893/2106 is too broad (e.g. insufficient differentiation at the level of NACE code 1), especially if including the level of granularity as NACE 2-3-4 digits and does not take into account the specific/idiosyncratic client’s situation. This presumption will impose a disproportionate documentary and audit burden on banks to establish that The final Guidelines have removed the presumption of materiality for certain sectors considering the limitations of automatically classifying all exposures towards certain sectors as material. However, the Guidelines require institutions to thoroughly assess material ESG risks by taking into account a set of criteria and exposures, including their exposures towards sectors that highly contribute to climate change, with particular consideration given to exposures towards fossil fuel sector entities. Institutions are responsible for conducting their assessments and should substantiate and document their conclusions, including non-materiality conclusions.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 84 the exposure is not material. There will be many exemptions if classifying all listed sectors per se as materially subject to environmental transition risks. The list should be illustrative instead of a mandatory. There is also the risk that there is no incentive to investigate exposures to sectors not covered by the predefined list. The list of sectors is not aligned with sectors covered by NZBA targets. This approach is also inconsistent with the list of sectors provided by the International Energy Agency (IEA) for their Net-Zero Emissions (NZE) scenarios, well-recognised and adopted globally, as the activities in sections E, F and G are not included in the IEA NZE. Use of taxonomy (cons) The reference to the EU Taxonomy for the exclusion of some sectorial activities should be removed: assessing Taxonomy alignment even when it is clear that the exposure is not relevant and/or immaterial is too burdensome; high level of alignment is too ambiguous; taxonomy-eligible portion in the banking book is very small as benchmarks have shown for many banks. The mere alignment to the EU taxonomy does not directly imply less ESG risk as the EU taxonomy regulation classifies the activities as green not from a risk-based perspective and the EU Taxonomy framework is not designed as a risk management tool. There is to date no evidence of a generalized positive risk differential according to green vs. brown features of counterparty activities. EU Taxonomy does not have a full coverage of all activities, some counterparties are not subject to it due to their sizes, there are products outside the taxonomy (e.g. SLN) with objectives to facilitate/enhance counterparties’ transition efforts that are not captured by the taxonomy. The taxonomy operates as a classification tool at the activity level, not at the sectoral level. In light of the removal of the presumption of materiality for certain sectors and the limitations of taxonomy-alignment from a financial risk assessment perspective, the paragraph outlining derogation options has been deleted. Section 4.1 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 85 Similar requirements for S, G, physical (cons) Similar requirements should not be provided: social and governance risks are not comparable as a transmission channel of financial risk to environmental risks. It would be disproportionate to include them in the same manner. Social and governance risks are more related to client-idiosyncrasy. Trying to build a risk-assessment system or metrics for governance or social risks would be extremely burdensome and would not be supported by a cost/benefit analysis. Given the difficulties stemming from the identification of transition risk, it is unclear that a similar approach would provide better results on other type of risks (physical, social, governance). The materiality assessment for social, governance, biodiversity risks should be done on a best effort basis at this stage. The Guidelines contain more detailed requirements for the materiality assessment of E risks. No change Similar requirements for S, G (pros) Guidelines should provide similar approach / requirements by consistently requiring 1/ use of qualitative and quantitative data, 2/ a risk-based approach to take into account likelihood and severity of the materialization of the risks. Guidelines should provide equivalent requirements for biodiversity risk, in particular deforestation. Biodiversity loss and deforestation pose significant environmental risks and have far-reaching social and governance implications, including impacts on local communities, indigenous rights, and supply chain integrity. Nature-related risks financial impact on individual banks has been well-documented. Guidelines should provide a minimum set of exposures to be considered as material for each type of risk - environmental (E), social (S), and governance (G). However, it is essential to recognise that materiality may vary depending on the context and nature of each financial institution's operations. Guidelines should extend the list to sectors A to U, as they involve risks from third parties (data processing including data centers, information and communication) on the physical, social and governance risks sides. The risk-based approach outlined in paragraph 13 of the final Guidelines applies to ESG risks. Quantitative information is only required for E. A reference to nature degradation and ecosystem services has been included. The materiality assessment should be supported by a mapping of ESG factors and transmission channels to financial risks. The list of sectors identified as highly impacting climate change relies on EU regulation. No change Section 4.1 amended. Section 4.1 amended. No change

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 86 Similar requirements for physical - suggestions Guidelines could refer to minimum set of asset classes to be considered (eg, secured by property) as well as to publicly available registers of natural hazards, which institutions should use in order to exclude exposure from minimum set. Areas and sectors at high risk of drought, flooding, marine submersion, water stress, soil erosion etc. (alone or combined) should be considered a priority for materiality. Public actors are making efforts to identify the key risk exposures in Europe; as illustrated by the EEA’s European Climate Risk Assessment report. A possible way to integrate this as part of the present guidelines is to require that the banks update their list of mandatory material exposures on physical risks continuously according to public recommendations. A minimum list of physical risk hazards that are generally considered as "material" by geographical area - in example NUTS3 level would be helpful for the institution to evaluate the coverage of its own physical risk assessment framework. The Guidelines require institutions to take into account the geographical areas in which key assets of counterparties or physical collateral, in particular for real estate exposures, is located. There is no mandatory list of exposures for physical risks, but institutions are responsible for conducting robust assessments by using both qualitative and quantitative information and considering a sufficiently large scope of environmental factors. Institutions may use information stemming from EEA reports to support their assessments. Section 4.1 amended Question 6: Data processes List of items to collect under §23a (pros) Strong support to list in point 23 the information that should at least be gathered when assessing the current and forward-looking ESG risk profile of counterparties. Points i, ii, iii, iv, v, vi, ix of the list are particularly relevant to assess the ESG risk profile of counterparties. Some data points should be made more prescriptive: • Current and forecasted greenhouse gas (GHG) scope 1, 2 and 3 emis￾sions in both absolute and intensity terms. • Investment (capex) in fossil fuels, split between investment in exist￾ing infrastructures and new ones, and operational expenses (opex) related to fossil fuel consumption and/or infrastructures. Such expo￾sures bear particularly high financial stability risk. A minimum list of data points that institutions should consider obtaining or collecting for large corporates has been maintained in the Guidelines, with some adjustments. The Guidelines align with CSRD/ESRS i.e. absolute and where relevant intensity. The Guidelines require to consider counterparty’s dependency on fossil fuels. Section 4.2.2 amended.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 87 Banks should collect some data related to biodiversity. It can start with data related to deforestation, with data on the dependency to high-risk activities

• both in terms of economic factor inputs and revenue base and the investment (capex) in such activities. The Guidelines require to consider material impacts on biodiversity and related policies. List of items to collect under §23a (cons) In case the approach of a minimum requirement list is kept, data collection in retail banking should be limited to data on climate related factors such as greenhouse gas emissions (car financing) and energy efficiency (real estate financing). Institutions should determine which data points they will collect for retail counterparties by considering the list provided in the guidelines, which includes climate related factors. Section 4.2.2 clarified Transition plans Pros Strong support to the recognition of the counterparties’ transition plans as a relevant source of forward-looking information for financial institutions’ risk assessments. Once the transition plans in the non-financial sector are streamlined and made credible via the assurance function, such transition plans offer themselves as a credible and comparable source of information, which should contribute to the convergence of views on transition risk among financial institutions. Cons Do not support the obligation to use data from transition plans to assess large companies, particularly as there is no obligation to prepare such plans under the CSRD. The Guidelines have kept the transition plans as one of the data points that institutions should consider given their ability to inform the forward-looking risk assessment of counterparties. Wording has been clarified to refer to plans disclosed in accordance with CSRD, when available. No change Section 4.2.2 clarified Consistency with CSRD The list of data to be collected from counterparties listed in §23 should be primarily focused on data being published under CSRD, which has set up an extensive reporting framework for ESG data that is quite unique at international level, attempting to calibrate the reporting burden of companies and the need for ESG data. Data requirement should not go beyond what is required by CSRD and further align: emissions targets instead of forecasts, dependence of natural resources rather than on fossil fuels, risk of litigation not requested by CSRD. Timing of requirements of the guidelines should be consistent with that of disclosure under CSRD so banks can build out their data systems to house a variety of non-financial datapoints from their clients and counterparties. The list of data is focused on data large corporates will have to disclose under CSRD. Alignment has been reinforced for example to refer to targets instead of forecasts. Although disclosure of litigation cases is not requested under CSRD, this informs the risk assessment institutions should perform and this has been moved to section 4.2.3. The Guidelines apply from 2026 or, for SNCI, 2027, allowing to make use of CSRD data to a large extent. Section 4.2 amended.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 88 Client engagement compared with CSRD Guidelines should provide some clarification on the extent to which it is needed to engage with counterparts beyond the publicly available ESG data they provide. Client engagement should not be made necessary if primary data is publicly available under CSRD. Some Member States appear to have asked financial institutions to limit bilateral outreach to corporates to collect data and rely as much as possible on data reported from CSRD and from data providers. This goes against the requirements from the Guidelines to primarily engage with clients to collect data. Counterparties might face multiple asks from different banks at a time when they are deploying huge effort to produce CSRD data. The Guidelines require institutions to build on available ESG data, and to assess which other sources of data would effectively support the identification of ESG risks, such as information captured through engagement. Section 4.2.2 clarified Flexibility with respect to data to collect Data collection may prove to be very difficult, as banks will have to look through a large number of counterparties with which they can be engaged with. The list of data to be collected for large corporate counterparties should be indicative (or seen as recommendation) only as it does not depend on materiality analysis and does not include a proportionality approach based on the type of service offered to these customers. Counterparty data gathering (including for large corporate counterparties) should be based upon a materiality assessment of the risk of the counterparty, ESG risks identified, the type of clients, collateral and exposures, etc. Data requirements should be determined using a risk-based approach as some data points are more important to assess risk in certain sectors. The list of data points has been maintained but it has been clarified that institutions should consider obtaining or collecting this list, with a view to ensuring they have appropriate information to assess ESG risks. Data processes should also be developed taking into account the outcomes of the materiality assessment, as clarified by paragraph 17. Section 4.2.2 amended Para 24 Guidelines should set a baseline for ESG-related data collection for non-large counterparties, to ensure a minimal level of data collection across institutions. As per the EBA Guidelines on Loan Origination and Monitoring §126, institutions may conduct portfolio-based evaluations for micro/small enterprises instead of borrower-specific assessments. This regulation is sensible as it reduces the burden on micro and small enterprises. Such approach should be foreseen in §24. Given data availability, the baseline is set for large corporates counterparties, but institutions should consider the list provided for those counterparties when determining data points needed for other counterparties. See also below on exposure-based method for SMEs. Section 4.2.2 clarified

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 89 Para 25 Guidelines should clarify expectations around the timeframe for reducing reliance on proxies, and quality assurance for data procured from third party providers. Guidelines should ensure the phase-out of proxies to help fill data gaps by specifying the exact timeline for doing so: 3 to 5 years maximum are recommended. No specific timeframe is included in the Guidelines but institutions should progressively seek to reduce use of proxies and improve practices and data quality. No change Data gaps More guidance is expected to address data gaps. Data gap may increase for the banks to assess ESG risks as the EC is proposing to increase the threshold for corporations to be considered SMEs. It might reduce the scope of the corporations under the CSRD. Guidelines should stress that missing data or difficulties resolving gaps should not discourage banks from integrating these ESG risks and that institutions should take precautionary measures. The EBA notes that efforts are ongoing to address ESG data gaps in the EU. Institutions should leverage on these developments and assess remaining gaps and document remediating actions. No change Use of proxies Pros The use of proxies throughout the guidelines should be revised. The collection of ESG data is still very challenging, with multiple issues ranging from comparability of data to coverage of data. Some sections of the guidelines give the impression that the use of estimated values and proxies is an inferior method. However, proxies can generally represent a good and justifiable measure, particularly in the volume business, and need not be inferior to the quality of raw data. Ultimately, proxies also serve to avoid overburdening small companies and private customers. The use of proxies should therefore generally be made possible for all companies. Cons Proxies have some limitations such as being difficult to use in risk management functions; they are based on averages; they consider that all companies in a given sector are similar or they might have a limited time horizon. The use of estimates and/or proxies can only be contemplated as a last resort, and that both the choice to use them (lack of data or unreliable data) and the choice of a certain estimate and/or proxy instead of others must be justified. The Guidelines do not prevent the use of proxies but request institutions to make use of available data and assess which other sources may be useful. Proxies can represent an alternative to raw data in certain cases but also present limitations which justify efforts by institutions to seek to gradually reduce their use. Section 4.2.2 clarified

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 90 Guidance and support needed Guidelines should clarify how institutions should use proxies and estimates in the case of data unavailability. Guidance would be expected on which sources or proxies can be used for social and governance risk. The choice of specific proxies and estimates is the responsibility of institutions who should document and justify their choices. No change Data providers The data providers are not only used to obtain estimates when data is not directly available from the counterparts, but also to optimize the collection of the data from corporates even where those data are publicly available (avoiding the need for institutions to examine each of sustainability report of thousands of entities). Hence, using data providers should be left to the institutions in a consistent manner with the outsourcing framework. Guidelines should provide that banks rely on the data quality assurance of the data provider and make that an important criterion in the vendor evaluation process; the vendor should check the quality of its data and it should be selected based on data quality. Requirements to verify the quality of the data will place on banks a responsibility and a cost of resources that is not proportionate to the role of the banks: data subject to external audit should be presumed of high quality. Non-audited data which are provided by the company should also be presumed to be reliable, except in the case of obvious inconsistency or public controverses. Guidelines should clarify how, in what context, for what purpose data from external parties can be used. The Guidelines have been amended to clarify that institutions should assess which sources of data would effectively support the identification of ESG risks. Using data providers is not prohibited but, in line with sound governance and outsourcing practices, when institutions use services of third-party providers they should ensure sufficient understanding of the sources, data and methodologies used by data providers. Institutions should also have in place arrangements to assess and improve quality of data used. Section 4.2.2 clarified Clarification needs §23aiii. “Material” is not defined and could imply different assumption/interpretation among financial institutions. Who assesses that impacts are material? Should it leverage more explicitly on CSRD? §23aix. “Adaptive capacity” should be clarified, as adaptation is typically used in the context of climate physical risk, but here seems to refer to company transition plans. These topics require different datasets, and further clarification could help avoid confusion. A materiality assessment has to be performed under CSRD. Banks may rely on that assessment or decide to challenge it. No change. Wording has been clarified and ‘adaptive capacity’ removed. Section 4.2.2 clarified Drafting suggestions §20-21-25. The use of ESG risk-related data / ESG data / ESG profile / ESG risk profile should be harmonized to avoid misunderstandings. Wording has been harmonised to refer to ESG risk-related data or ESG data. Section 4.2.2 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 91 §21. Should be amended so that institutions should be allowed to efficiently design data processes based on the relevance of business activities in relation to all risk types and the results of the materiality analysis. §23 could be amended to avoid the reference to generic statements such as “Governance practices”, and point to more specific frameworks. §23.a.i. Regarding the collection of geographical location of key assets, we recommend that, at a minimum, longitude and latitude coordinates, addresses, square meters, and building type should be collected. §23.a.ii. Inconsistency with §94.a. where the metric is in absolute terms only. Due to known weaknesses of “monetary intensity” it is proposed to reshape this requirement and make a hierarchy of metrics). The intensity approach, whether promoted or accepted by SBTi and many industry alliances, does not reflect the fact that global warming is fed by actual emissions, not intensity, giving a false impression of progress towards a carbon neutral economy and making targets easier to reach. GHG emission reduction targets should at least be expressed in absolute amounts. §23.a.iii. and v. should be deleted. Institutions and supervisory authorities are in no position to judge or disincentivize environmental impact, as long as such impact is legitimate by law and does not constitute financial risk (e.g. GHG certificate prices) relevant for default risk. The mere fact of resource consumption, as long as legitimate under the law, does not constitute a financial ESG risk factor from any institution’s point of view. §23.a.vi. More specific metrics should be provided as EPC is not yet standardized. §23.a.vii. Requirements for institutions should expand to report on their alignment with specific regulatory and framework disclosures, such as the CSRD and the Taskforce on Nature-related Financial Disclosures (TNFD). §23.a.vii. The adherence to voluntary or mandatory climate and environmental reporting (point vii) will also not say much about the actual level of ESG risk exposure of the counterparty. §23.a.viii. The inclusion of litigation risks may not be practical in all cases. Detailed information on imminent or pending litigation is likely to be Data processes should be proportionate to materiality assessments. Requirements have been amended to align with the Taxonomy and CSRD. Banks could decide to collect these data but the general requirement is to collect data enabling physical risk analysis. Guidelines now align with CSRD (absolute value and where relevant intensity). Adverse impacts and dependence on natural resources may result into financial risks. EPC has been removed. The Guidelines do not address disclosure requirements for institutions. This data item has been deleted. The assessment of litigation risk should support the risk identification and

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 92 restricted, and gaining sufficient information to determine the relevance, impact and likelihood of outcomes from a litigation will prove extremely difficult. § should be amended to include “where available”. An imminent litigation risk of the counterparty is likely to be provisioned by the counterparts. Hence, this consideration may lead to a double counting in the credit risk associated with this counterparty. §23.a.ix. Note that CSRD is a disclosure directive and does not require preparing a transition plan. § should be amended accordingly. §23.a.x. (new) third party assessments performed regarding environmental performance, notably credibility and robustness of corporate transition plans. As transition plan content is highly complex information, leveraging on third party assessment should be a useful source of information in order to avoid unnecessary burden. §23.b.ii. More guidance is needed regarding governance practices. For instance, different categories of governance practices could be defined. This would make the assessment of different institutions’ exposures to governance risk more understandable and comparable. 23.b.iv. should be deleted. ESG risk factors are only to be taken into account in exceptional cases where local circumstances are such that lawsuits against institutions or their clients are evidently imminent and could put the creditworthiness of borrowers at risk. But this is so rare that the wording of item (iv) seems much too vague to capture it. Moreover, it is already covered by item (v). §23.b.i-v. The below should replace current content: • due diligence procedures to ensure alignment with the OECD Guide￾lines for Multinational Enterprises and the UN Guiding Principles on Business and Human Rights, including the principles and rights set out in the eight fundamental conventions identified in the Declara￾tion of the International Labour Organisation on Fundamental Prin￾ciples and Rights at Work and the International Bill of Human Rights. (exact text of taxonomy minimum safeguards art. 18) measurement process. This has been moved to exposure-based method in section 4.2.3. Wording has been clarified. Institutions may decide to collect these assessments or assess counterparty’s plans directly. This requirement has been amended to align with CSRD and the EU Taxonomy. This requirement has been amended to align with CSRD and the EU Taxonomy. This requirement has been amended as suggested by the comment to align with CSRD and the minimum social safeguards of the EU Taxonomy.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 93 • negative material impacts on own workers, workers in the value chain, affected communities and consumers/end-users (to align with CSRD ESRS 2 SBM 3 and ESRS S1-S4) including information on due dil￾igence efforts to avoid and address such impacts SNCI Guidelines should introduce an opening clause to allow LSIs or SNCIs to choose the metrics, with §23.a being used only as an example. SNCI should be excluded from §23b. The Guidelines should aim to provide additional guidance to SNCIs with limited data for their assessment of financial impacts stemming from ESG factors. SNCIs should also develop sound data processes but may implement less complex arrangements in line with the general proportionality approach. No change CSDDD Guidelines should clarify how the data collection requirements relate to the due diligence requirements laid down in the CSDDD. Social factors and data on due diligence should be introduced progressively, in consistent manner with CSDDD, which only covers entities over 1000 employees, and which includes a review clause of 2 years for the application to financial services. The requirements in the Guidelines may support the implementation of CSDDD or leverage on due diligence procedures performed by counterparties. No change Data sources Institutions may consider below data sources: forests finance, Global Oil Gas Exit list, ENCORE. Institutions should build on available data and assess data quality. No change Data quality Guidelines should set clear standards for the quality and integrity of the ESG data collected. This guidance should mirror the specificity found in frameworks such as the PCAF's guidance on greenhouse gas emissions ensuring institutions can rely on high-quality, relevant data for risk assessments and decision-making. The Guidelines request banks to review their practices regularly and improve data quality. No change Question 7: Measurement and assessment principles More guidance needed on S&G risks Excessive focus on environmental issues. The EBA should provide guidance/requirements in terms of quantification for social and governance risks. See above regarding the emphasis put on E. Banks should progressively enhance practices towards quantification for S and G. No change Para. 26a Single-name information and mapping The EBA should clarify that institutions are expected to use analytical models that overcome sectoral approaches being able to evaluate single-name information. A combination of methodologies should be used, including at exposure level. No change

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 94 Mapping of exposures to individual risk drivers would be extremely challenging and would represent questionable benefit in terms of risk management information versus the effort/ cost involved for institutions. This mapping should be restricted to economically material exposures. Not every exposure needs to be mapped against all risk drivers but tools should allow to assess transmission of ESG risks drivers to financial risks. Para. 26b ESG risk concentration ESG risk concentration is not yet defined in regulation and implies first identification and evaluation of ESG risk. Ask for flexibility in the measurement of concentration risk. Call for a gradual implementation of this approach and to keep consistency with other concentration risk related initiatives in Pillar 1 and 2. See below regarding concentration risk. No change Proportionality and use of the three methods Support for the broad range of methods. Request for flexibility/discretion in the use of the three methods and proportionality in the application of them. The range of methods has been kept. They should be applied taking into account the materiality assessment. No change Para. 27 Clarification on use of three methods Request for further clarification about which particular methodology responds to which particular risk management need and how the three methodologies complement each other, how institutions can use different methodologies for different portfolios and what are the expectations regarding forward-looking measurement methods and what are the differences between portfolio and scenario-based methodologies. The structure of section 4.2 has been changed to clarify key principles for measurement and assessment methods first. Paragraph 30 specifies how the methods should be applied for complementary time horizons and purposes. Portfolio-based methodologies rely on scenarios but should be complemented by other types of scenario analyses, which will be specified by the EBA in complementary Guidelines. Section 4.2 amended Specify baseline criteria ESG risk measurement The integration of forward-looking scenarios, especially concerning environmental risks, enables institutions to gauge potential future states and adjust their strategies accordingly. While the EBA's approach is comprehensive, an alternative could involve specifying baseline quantitative criteria for ESG risk measurement to ensure consistency across institutions. The Guidelines specify criteria for exposure￾based methods. The EBA will also issue Guidelines on climate scenario analysis. No change Allow use of qualitative instruments (esp. SME) Institutions should be allowed to put more focus on qualitative tools, e.g. questionnaires. EBA should welcome the possibility of using qualitative data, especially for counterparties with limited data (e.g., SMEs). Increased flexibility has been incorporated in the Guidelines regarding assessment of ESG risks for non-large corporate counterparties, including use of portfolio-based assessments, proxies and qualitative data where needed. Section 4.2.2 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 95 Instead of (indirectly) obliging SMEs to collect data, all banks and companies involved should be allowed to use estimated values and proxies. This could be in the form of portfolio-based assessments instead of borrower-specific assessments, or sector data. Para. 27 Portfolio alignment methodology Portfolio alignment methodologies not considered as relevant, but seen as, mostly, an artificial level of technical complexity highly model-dependent. To some extent, one could consider that collective metrics performed at an economically sound perimeter (such for instance as a value chain or a sectoral-based perimeter) might bear some relevance. Portfolio alignment metrics should only complement other approaches. See below regarding portfolio alignment methods. No change Para. 27 Sector-based approach While portfolio alignment tools are useful to provide the “big picture”, they cannot provide sufficient granularity alone to inform and shift the decision￾making process at sector and asset level. For that purpose, sector-specific analysis is necessary for the key sectors. A key entry point for banks is sector￾specific finance (mortgages for buildings; infrastructure finance; energy finance; shipping finance, etc). The Guidelines clarify that institutions should use sector-based methods as part of their range of methods. Guidelines and section 4.2.3 clarified Quantification and probability of materialization It is unrealistic to require banks to quantify probabilities and consequences of environmental risks. EBA should clarify that both physical and transition risk should be included and own models should be allowed to be used. Quantification of E in particular climate￾related risks is important for sound risk management. Both physical and transition risks form part of E. No change Para. 28 KRIs EBA should define specific guidance on what specific KRIs institutions should establish for the measurement of ESG risks. A KRI-list with examples is useful (e.g., transition: green asset ratio, scope 1,2,3 emissions, alignment measures per sector). Limit KRIs to large corporates (para 23) A list of metrics is included under section 5.7 of the Guidelines and can support institutions in the determination of appropriate KRIs, covering a scope of exposures consistent with the outcomes of the materiality assessment. No change Para. 29 Forward-looking assessment is difficult at this point and building scenario analysis methodology will take time. In future guidelines it would be advisable to include specific guidance on how to combine top-down and bottom-up scenarios. The EBA will issue Guidelines on climate scenario analysis. No change

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 96 It would be useful that regulatory expectations around measurement are framed recognizing those limitations and acknowledging that banks will have to take simplistic projection assumptions when going beyond three years. See above regarding clarification provided on time horizons. Due diligence Institutions should commit to performing due diligence to gather comprehensive data on ESG risks. This involves collecting information directly from counterparties and utilising data from diverse sources such as NGOs, governments, and civil society organisations. See above regarding data processes. Section 4.2.2 amended Asset-level approach EBA should integrate an asset-level approach for activities that bear a particularly high transition risk, such as fossil fuel extraction facilities, or fossil-fuel fired power plants Asset-level data is mentioned in the section on data processes. See also above on materiality assessment. No change Question 8: Exposure-based methodology Support General support for use of the three methods. Support for the requirements for the exposure-based methodology Exposure-based methods are part of the final Guidelines. No change Request for discretion for the use of methods Clarify in paragraphs 30 to 33 that institutions have discretion as to design appropriate methodologies i.e. a principle-based approach. The exposure-based method should be subject to materiality assessment in 4.1. Institutions should design methods by complying with the Guidelines and apply them subject to materiality. See also above on materiality. No change Use more methods The exposure-based method should be complemented by other tools, such as stress testing, scenario analysis and qualitative assessments. A range of methods is requested including scenario-based methods. No change Para. 30 Concerns about mandatory integration ESG aspects into PD modelling Integration of ESG aspects into PD modelling is challenging due to data unavailability, lack of evidence and the potential technical unsoundness, particularly when considering the long-term impact of E-factors. It would be premature to modify credit scoring or rating models. It is assumed that banks are not obliged to incorporate ESG risks into their rating models, provided that an existing ESG score covers all E, S, and G components and is used as a decision criterion during the lending process. Request for further clarification. Institutions should ensure that ESG factors, in particular environmental factors, are taken into account in the overall assessment of default risk of a borrower and, where justified by their materiality, embedded in the scoring or rating models. No change Para. 30 Need for adjustments in Question if a dedicated DoD definition related to ESG risk drives is needed. Introduce a shadow PD factoring in climate-related financial risks. Modifications in the Pillar 1 prudential framework are out of scope of the Guidelines. This is covered by EBA report of No change

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 97 prudential framework The prudential framework should be adjusted to allow for larger weight of forward-looking assessments. Introduce pragmatic solution such as the margin of conservatism or a downturn component. October 2023 and upcoming reports under CRR3. Para. 30 Use of scores/expert judgements Give institutions flexibility to rely on existing ESG scores used as decision criterion in the lending process or expert judgements/overrides. Institutions should design and use tools as specified by the Guidelines. See also clarification on the assessment of each category of risk. No change Make requirements discretionary Regarding the risk factors and criteria, change “at least’ into “where applicable” or alike, as the list is not relevant for all exposures and sets requirement regardless of portfolio materiality. Where applicable was already included. The method should be applied subject to materiality. No change Para. 31(a)(b) Degree of vulnerability Support for consideration vulnerability. Clarify what is meant by ‘the degree of vulnerability’ in 31(a)(b). Do not limit ‘degree of vulnerability’ to new technical developments (e.g., carbon capture projects). The degree of vulnerability should be assessed by institutions taking into account the factors listed in the Guidelines. No change On- and off￾balance sheet Support EBA’s approach to cover both on- and off-balance sheet activities. Request that this should be made clear through the whole GL. CRD and the Guidelines require institutions to have risk management processes comprehensive and proportionate to the nature, scale and complexity of their activities. No change Para. 31b The EBA should ensure that GHG-emissions are analysed in absolute and intensity terms. Para. 31b should be amended as to clarify that GHG emissions as such are not a risk driver, as long as they are legitimate under the law, and as long as GHG certificate prices do not contribute to the underlying businesses risk of default. The analysis should be completed by the level of alignment of counterparties with the Paris objectives. Include scenario analysis in the evaluation of mortgage collateral. See above – alignment with CSRD. GHG emissions are not a direct predictor of financial risk but should be taken into account in the risk assessment. See portfolio alignment method. Banks should use scenario-based tools. Section 4.2.3 amended Para. 31b Consideration of transition plans EBA should include transition plans and the credibility and robustness of transition plans of the counterparty to mitigate these risks in para. 31b. Transition plans are part of the risk mitigating factors banks should take into account as clarified in paragraph 32. Section 4.2.3 clarified

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 98 Transition plans/objectives are important and given the drawbacks of the prudential framework (backward-looking; data limitations etc.), EBA is encouraged to work with other EU/international supervisors towards a common baseline approach to transition risk analyses and measurement. Para. 31c Difficulties with inclusion of supply-chain Concerns about the inclusion of the supply chain. Request for clarification of what is expected. Proportionality of the institutions and the counterparty should be considered. One respondent asks to only ask broad questions about the supply chain. Information required should not go beyond the CSRD. It should be made explicit that the supply chain is not the responsibility of the bank; reference is made to the CSDDD where the downstream value chain of financial institutions is out of scope. Some respondents note ‘likelihood’ estimation of critical disruptions to the business model/supply chain would remain complex in the near future and the supply chain element is too far-reaching and not manageable. One respondent asks to change ‘likelihood of critical disruptions’ into ‘exposure to critical disruptions’ to maintain flexibility. To properly assess ESG risks at the exposure level banks should understand if the business model or supply chain of the counterparty could be affected by critical disruptions due to ESG factors. This is without prejudice to the application of CSDDD and forms part of sound risk management. The wording has been amended to refer to exposures to critical disruptions. Section 4.2.3. amended Para. 31c Currently there are no market standards or science based initiatives which provide such reliable impact assessment of biodiversity loss, water stress or pollution. Banks should gradually develop their practices and benefit from improving ESG data. No change Para. 31d Maturity Agree to include the maturity. Clarify that the maturity of the exposure is needed to identify which risks are relevant for the exposure, depending on their time-horizon of materialization. The maturity criteria has been maintained in the list of factors to consider. No change Para. 31e Risk mitigation Agreeance that risk mitigation aspects should be carefully considered to enable transition finance for both transition/physical risk. Especially the willingness of the customer to transit. Of possible use: client transition plans. Provide further clarification on the forward-looking element of risk mitigation opportunities and how this is expected to be embedded as part of the assessment. Risk mitigating factors including insurance and transition plans are part of the factors banks should consider when assessing ESG risks at exposure level, as clarified in paragraph 32. Section 4.2.3 clarified

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 99 It is important that banks who are not in the first line, could deduct the insured portion of their loans and only keep the residual one when assessing their materiality. Para. 32 Engagement with small counterparties Difficulties of meeting the requirements in para. 32 re. the engagement with smaller counterparties to obtain data. Request for additional considerations and simplifications for SMEs, e.g., to use portfolio-based valuation methods like in the EBA GLOM, or the use proxies on portfolio level, expert judgement or data vendors. Data collection should only be done in the onboarding process to avoid burden for the bank and SME later. Respect principle of proportionality. Under no circumstances should the data requirements to be provided to SMEs exceed those in the reporting standard of the voluntary reporting standard for SMEs (VSME). The issues posed around obtaining useful vendor data would make it necessary for the EBA to clarify and possibly narrow its definition of counterparty to allow for institutions to be able to fulfil the requirements. See above regarding data processes and the increased flexibility incorporated for non￾large counterparties. Section 4.2 amended Para. 33 Time horizon S and G factors Limit the time horizon for S+G risks to short-term as para. 33 contradicts para. 27. The requirements regarding the time horizons are too imprecise and clarification is requested of what is expected. The reference to time horizons has been removed in this specific paragraph. See also above on time horizons. Section 4.2.3 amended. Para. 33 Clarify due diligence requirements Support for the inclusion of social and governance due diligence. EBA should clarify that the due diligence assessment is limited to borrowers for whom such procedures are considered essential/suitable for the business relationship. More guidance on how the assessment should be implemented. Institutions should perform due diligence to assess financial risks stemming from S and G factors. This should be done by taking into account outcomes of materiality assessment. Section 4.2.3 clarified. Para. 33 It is not clear how S&G factors would drive prudential risk aside from certain severe scenarios – therefore we believe that institutions should be allowed to make their own assessment of the relevance of these factors to their risk management. Institutions should assess potential financial risks linked with S and G factors. Section 4.2.3 clarified.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 100 Para. 33 Include that institutions can consider sector and country risk levels on social and governance matters as a way to assess exposure when limited counterparty data is available. When data is not available institutions should follow the steps outlined in the data processes section. No change Reach out to universities Financial Institutions may seek scientific validation from universities when developing and using new methodologies on S and G. Banks may decide to do so. No change Para. 33 There should be global alignment on social/governance aspects, as it cannot be expected of banks to reach out to all customers separately in different jurisdictions, or several times with regulation becoming more concrete and demanding. The responsibility placed on banks regarding due diligence is excessive and could lead to different outcomes in different institutions. Due diligence on clients is part of banks’ risk management, in line with materiality and proportionality considerations. No change Consideration of social and governance risk Para. 33 The evaluation of a counterparty's social and governance risks should extend beyond merely checking its compliance with international standards. It should also encompass an assessment of the effectiveness of the strategies implemented by the counterparty to mitigate these risks. Institutions should assess financial risks taking into account adherence to social and governance standards. Section 4.2.3 clarified Question 9: Portfolio alignment methodologies Alignment with other European regulatory initiatives EBA should work with other EU supervisory authorities, as well as non￾financial authorities, to establish a set of scenarios for common use, as well as encourage further cross-institutional work on the sufficiently granular regional and sectoral pathways. Connect the sectoral portfolio alignment guidelines to the PiT distance to the IEA NZ 2050 scenario disclosed in the Pillar 3 ESG Templates. Profit from NACE code-level information, to connect the misalignment of exposures to these sectors, depending on the level of alignment (or non-alignment) of the relevant exposures to the EU taxonomy. The EBA will issue Guidelines on climate scenario analysis. See also below on the choice of scenarios. The Guidelines have been kept high-level; the (mis)alignment may be expressed in terms of point in time distance in percentage points. No change. Transition risk Alignment only means a lower risk if the economy gradually transforms towards CO2 neutrality. If this does not happen and the world remains in a hot house world scenario, sustainable exposures could even be riskier. The financial impacts analysis should take into account both Net Zero scenarios and "most probable" scenarios that Banks seek as appropriate in Banks should assess ESG risks based on a range of scenarios. The Guidelines include portfolio alignment methods as one of the tools banks should use to assess climate transition risks, and will be complemented by No change

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 101 order to perform sensitivity analysis related to the impacts stemming from setting Net Zero target strategies when the economy is not moving towards a Net Zero direction. Guidelines on climate scenario analysis considering a wider range of scenarios. General Consequences of misalignment Will penalties and/or remediation measures/actions be imposed when the portfolio's gap from these objectives is significant? In a perspective of aligning portfolios with the climate target, the regulator could clearly define the criteria that banks must consider in the loan origination process. The Guidelines do not address supervisory measures but explain how institutions should consider insights from alignment assessments. No change Para. 34 Focus should be on sector-level. EBA should dismiss portfolio-based methodologies and rather use asset-level assessment. To some extent sectoral-based metrics could be considered, leveraging notably on existing transition scenario trajectories and sectoral objectives. Portfolio-level metrics could encourage to finance climate￾neutral sectors instead of facilitating the transition. Either make explicit that portfolio-based methodologies must include sector￾based methodologies, or add a fourth level with sector-based methodologies. It has been clarified that the section deals with sector-based methods, portfolio-based and portfolio alignment methods. In particular alignment assessments should be conducted on a sectoral basis. Section 4.2.3 clarified Para. 34 Bank’s discretion in ESG risk management is not prescribing portfolio alignment Absent firm-level net-zero requirements (EU Climate Law holds for Member States), why should be banks required to factor climate-related portfolio alignment into their risk management practice? Firms may choose to shift the composition of their portfolio away from certain exposures/sectors to reduce transition risk, but they may equally decide to adopt other risk management strategies that allow them to retain their existing portfolio balance (e.g. through other hedging strategies). The Guidelines do not prescribe an alignment strategy. Institutions should decide which strategy they pursue. Portfolio alignment assessments should be taken into account in this process given insights provided into exposure to climate transition risks. Section 4.2.3 clarified Para. 34 Science-based methodologies We recommend specifying that while the banks may choose appropriate methodologies, these should be science-based. Caution regarding implied temperature alignment methodologies from third-party vendors, which should follow appropriate data and model risk management processes. Focus of the section is not on implied temperature alignment at the institution’s level but on assessment at the sector level, including through reference to science-based scenarios. Section 4.2.3 clarified Consideration of off-balance sheet exposures EBA should instruct institutions to have internal procedures in place to assess their off-balance sheet exposures and, in particular capital market activities. Procedures should be proportionate to ESG risks associated with different activities. No change Para. 35 Supplement the climate portfolio alignment methodologies with the energy supply-banking ratio (ESBR). ESBR compares the underwriting activity of Such metric has been added in section 5.7, see below on monitoring indicators. Section 5.7 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 102 Energy supply￾banking ratio banks in two sectors: low-carbon and fossil-fuel energy. It can be used to monitor the alignment of a bank with an investment trajectory that meets the Paris Agreement. Para. 35a Reference to GHG-emissions only Alignment with GHG emissions only could make financial institutions encounter more difficulty in supporting net-zero transition of hard-to-abate sectors (triggering financial institutions' divestment), which could hinder the real economy from achieving decarbonisation. The Guidelines do not require exit or de￾financing; alignment assessments can be used as starting point to focus engagement on certain counterparties. Section 4.2.3 clarified Para. 35a 1990 base year not feasible The reference to the 1990 baseline is not workable for banks (e.g., did the current group structure exist already in 1990). We also would like to flag that under the EBA ST "fit for 55" exercise, banks were asked to work on a 2022 baseline. EBA should provide more flexibility. The priority for institutions should be to develop a methodology of portfolio alignment in relation to the wider EU target, in order to identify the gap between this target and institutions’ own portfolios and manage the risk arising from any gaps. The reference to 1990 should be understood in the context of the EU objective to reduce emissions at the jurisdiction’s level. It does not apply to 1990 banks portfolios but to decarbonisation pathways at EU level. Section 4.2.3 clarified Para. 35a - Financial risks It should be clarified that alignment gaps can be leading directly to financial risks for the bank. Alignment assessments support climate transition risks and related financial risks assessments. Section 4.2.3 clarified. Para. 35a Support for S&G matters Including S&G could provide more holistic view of sustainability. For social and governance matters the portfolio based methodology can point to social and governance related metrics of SFDR Principal Adverse Indicators as relevant portfolio level indices. Please provide more guidance on how to apply the portfolio-based methodology to social and governance risks. It is considered preferable to give institutions flexibility to develop their methodologies on S and G risks. No change Para. 35b - scope of paragraph Clarify whether paragraph 35b only relates to transition risk (i.e. in relation to 35a) and excludes physical risk. Portfolio alignment assessments are relevant for climate transition risk. Section 4.2.3 clarified Para. 36 List of sectors; range of comments

1. Remove list, as there is a risk of diverting resources from strategic indus￾trial sectors such as automotive, aviation, and maritime transport, which are also essential in terms of defence from a geopolitical perspective.
2. Take a more neutral approach – i.e. they should not define the sectors to which these methodologies apply, nor the scope within each sector. In￾stead this should depend on institutions’ materiality risk assessment. The list of sectors against which portfolio alignment assessments should be performed has been amended to more clearly refer to institutions’ portfolios characteristics and materiality assessment. Institutions that disclose alignment metrics under Pillar 3 Section 4.2.3 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 103 3. Need for a common understanding of the sectors which are potentially subject to higher transition risks. 4. Explain why only the limited list is included. 5. Add sectors (e.g., fossil fuel production; also extended to the entire value chain (upstream, transformation, storage, refining, processing and distri￾bution)). 6. Align with NZBA sectors. 7. List is not consistent with sectors referred to in para. 72b. should take into account the minimum list of sectors included under Pillar 3 requirements. Large institutions Explain what is meant by “large institutions”. The CRR definition applies. No change Para. 36 Notes on IEA methods Support IEA approach. Where IEA sets targets in terms of absolute and intensity, both should be considered. Clarify that the latest updated scenario should be used to prevent the use of outdated scenarios Up-to-date scenarios are required. See also below regarding IEA. Section 4.2.3 amended Para. 36 Use of other scenarios than IEA (flexibility)

1. Allow other scenarios than IEA, like NGFS, NZBA, GFANZ, IPCC sce￾narios.
2. IEA scenarios have limitations (e.g., not specific enough and do not take into account national/regional specificities, account for sectors that are dependent on energy only). No scenarios available for the agricultural sector nor forestry, nor does it consider land subsequent nature-based carbon sequestration. More sectoral pathways should be considered. Also, creates oligopoly situation and undue costs of smaller banks.
3. EBA should provide guidance on how institutions can account for dif￾ferences between sectors, countries, and regions (to tackle critique on IEA scenario). Articulate whether regional scenarios could be con￾sidered to distinguish between exposures in (a) emerging markets and developing economies and (b) exposures in developed coun￾tries.
4. Align with GFANZ's best practices on measuring portfolio alignment, and providing principles-based guidance, such as the Portfolio Align￾ment Tool key design judgements. The Guidelines have been amended to keep the reference to IEA but as an example among a range of scenario providers. Key selection criteria (science-based, consistent with policy objective etc) are outlined in the Guidelines and institutions should document their methodological choices. Section 4.2.3 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 104 5. The EBA should encourage European banks to voluntarily uptake Mortgage Portfolio Standard (given that mortgage portfolios are a material source of climate risk) as part of their strategies to decar￾bonise their assets and to manage and act upon their ESG risks, and rely on the NZBA portfolio-level tools. European banks would then develop emissions metrics using on PCAF to quantify financed emis￾sions, and finally set targets through SBTi. 6. Instead of using the IEA scenario as a baseline, use the Paris Agree￾ment scenario. This is not only in line with the 1,5-degree goal but also reflects an internationally signed and acknowledged framework. Para. 36 Representative samples of exposures for SNCI Explain/define 'representative samples of exposures' for SNCIs. Require that institutions explain how it manages to identify representative sample of exposures in their portfolios, as this determines the quality of the generalization of the results. The Guidelines have added an obligation for banks to document and justify their methodological choices including for SNCIs the identification of representative exposures. Section 4.2.3 amended Para. 36 Explain use of counterparty￾level data Require institutions to highlight how they use counterparty-level data to perform portfolio analysis. Require the banks to explain when an aligned portfolio includes counterparties with high misalignment and that could lead to high-risk exposures for the bank, for example in terms of strategic or reputation risk of the bank. Counterparty-level data is an input to portfolio analysis. Alignment analysis can also be performed at counterparty level. Section 4.2.3 amended Para. 37 More information requested on methods. Provide detailed information on specific scenarios and methodologies, specifically on regional characteristics (sectoral/jurisdictional). Ensure the methodology is acknowledged globally (not European). Lacking a credible approach/metrics to analyse portfolio misalignment with climate objectives as a source of transition risk, EBA should provide more guidance on the possible approaches for comparability. See above regarding the choice of scenarios and key criteria. The Guidelines specify main features of methods but leave a degree of flexibility to banks to develop their own tools. No change Para. 37 nature￾related risks Provide further guidance on how portfolio-based methodologies can be applied to ESG risks, including nature, from both a financial and impact￾related perspective. The requirement on nature has been clarified, still with flexibility left to institutions to develop their own tools. Section 4.2.3 clarified. Para. 37 Use of heatmaps The explicit mentioning of heatmaps raises questions, as floods seem to generate the most material damage in the EU. Heatmaps are a relevant tool and can be applied to a range of E (including floods), S and G factors. No change

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 105 Heatmaps for S&G will require more time in order to be able to identify relevant topics, exposures and metrics. Para. 38a Methods to identify natural capital dependencies

1. Support.
2. Provide additional guidance, e.g. indicators such as deforested hec￾tares or utilising tools like ENCORE (Exploring Natural Capital Oppor￾tunities, Risks, and Exposure) to assess the impact of environmental degradation on financial portfolios.
3. Tools mentioned are Impact Analysis tool (UNEP FI), the Biodiversity Risk Filer (WWF) and the Water Risk Filer (WWF).
4. Para. 38a should mention also "impacts" on nature and not only "de￾pendencies" to better represent the environmental risks stemming from the portfolio exposures. The Guidelines do not require specific tools but institutions can consider the tools mentioned in the comments as well as potential other tools and data bases. Impacts on nature has been added with a view to assessing potential related financial risks. Section 4.2.3 amended Para. 38 Requirement goes beyond mandate; impact materiality Para. 38 is impact materiality. But either (i) the institution has made commitments and full transparency must be provided on the method and scope of these commitments, or (ii) it has not made a commitment and the guidelines must not create a framework and an obligation to make a commitment. Adverse impacts may result in financial effects. No change Para. 38b Remove SDG or concerns related
5. Support.
6. Remove reference to SDG goals; positive impact goes beyond risk perspective. The EU and member states utilize the SDGs as a frame￾work for setting political goals in legislation. Therefore, alignment analyses implicitly cover the SDGs.
7. The CSRD sufficiently addresses how companies position themselves in relation to the SDGs.
8. The requirement is deemed restrictive and not consistent across the document.
9. Caution that in some business activities, conflicts between the SDG goals arise.
10. Why would EBA refer to SDGs when we have principal adverse im￾pacts within SFDR? Couldn't the Regulatory Technical Standards be used for this? The requirement has been maintained as it only applies to large institutions and can inform the assessment of risks linked to a range of ESG factors, taking into account data requested or made available under other regulations such as CSRD and SFDR. No change

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 106 GL on scenario analysis In relation to the future Guidelines on scenario analysis, it would be helpful for the EBA to provide additional detail on the anticipated timelines and scope. The EBA will issue a consultation in Q1 2025 and final Guidelines by end-2025. No change Question 10: ESG risk management principles (par. 40) ESG as driver of traditional risk categories We welcome the recognition that ESG risks are not an independent risk type, but transversal in the sense that they influence traditional risk types. Depending on the paragraph ESG seems to be a separate risk instead of a driver of traditional risks. The definition of ESG risks provided in CRR applies throughout the Guidelines. No change (par. 42 intro) time horizons of 10 years - too short We encourage the EBA to consider a longer time horizon than 10 years because: need to capture the longer-term physical effects of climate change; the (NGFS) scenarios tend to be longer term; transition plans are aiming for net zero emissions by 2050; many net-zero commitment and climate pledges aiming for 2050. See above on time horizons and below on plans. Section 5.1 clarified (par. 42 intro) time horizon of 10 years - too long The 10-year time horizon implies enormous challenges given the lack of available data, as well as the uncertainties inherent to the transition. Institutions should therefore be granted enough flexibility to set their own time horizons and interim milestones under the Guidelines. A time horizon of 10 years or longer is feasible and adequate for many institutions. However, promotional banks and guarantee institutions members pursue business models and funding mandates that are characterised by shorter terms and observation periods. This also applies to the period typically considered in the risk management process for material risks. We therefore propose that the wording here be adapted to a long time horizon so that a suitable definition can be made for the institutions on the basis of the business model and the respective funding mandate. The section has clarified that banks should take into account the principles applied to the level of granularity and quantification tools outlined in paragraph 19. Challenges for long time horizons exist but various including long time horizons need to be integrated into comprehensive and forward-looking risk management approaches for ESG risks, as also required by CRD, which also specified the minimum 10 years period. Section 5.1 clarified (par. 42 intro) support The principles seem consistent to us and the "minimum" range of tools for managing and monitoring ESG risks seems sufficient to us. The comment has been noted. No change (par. 42 intro) too prescriptive We have found the requirements outlined in para. 42 to be somewhat restrictive. It should be at the discretion of the institutions which measures The requirement for institutions to determine which combination of tools they No change

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 107 they take to measure and mitigate risks. In the latter case, "bearing a risk" may also be a possible option that is not even considered by the EBA here. Regionally anchored institutions or institutions with a sector specialization are inherently less diversified but have specialist knowledge. With regard to the tools to be considered (para. 42), we request that the wording "at least" be deleted and the measures mentioned be cited as examples, not intended to be mandatory. will apply, considering a range of tools specified by the Guidelines, is not considered overly prescriptive. Banks may decide to apply some tools to a higher/lesser extent, ensuring consistency with their risk appetite. (par. 42 intro) language In par 42d, the term “ESG-relevant criteria” is not precise enough. It should be replaced by the term “ESG risk-relevant criteria”. The term has been changed to ESG-risk relevant criteria. Section 5.1. amended (par. 42 intro) Proportionality The engagement policy should not be a binding tool in its scope (counterparty and services concerned) and in the elements to be included therein as it relates to the customer and trust relationship between the customer and the bank. We therefore recommend that the guidelines present this topic as a tool that the institution can consider in a proportionate manner. The banks should consider engaging counterparties for sound risk management and transition planning. See also clarification on the scope below. Section 5.1 amended (par. 42a) Engagement activities – suggestion to create dedicated EBA GL on this point, more guidance needed Need of EBA guidelines on institutions’ engagement with counterparties: for the paragraph 42 a), we strongly recommend EBA to develop such guidelines, as a follow up of these guidelines (ie in the course of 2025). Indeed, the points (a) to (d) are not detailed enough and will very likely be difficult to implement and to monitor. For example, it is not specified at all what the “soundness” of counterparties’ transition plans should mean (ii) and how they should be assessed by institutions. For this critical issue of transition plan assessment, EBA should build on the ATP-COL global multi-stakeholder initiative, led by the World Benchmarking Alliance. What engagement means exactly should be specified by EBA. The EBA is not mandated to issue other, new Guidelines on engagement. However, requirements for engagement policies as well as for the assessment of counterparties’ ESG risks have been included in these final Guidelines on ESG risk management. No change (par. 42a Engagement activities as risk mitigation tool – need to be effective and credible We support the recognition of the role that engagement should play as a tool to mitigate ESG risks. However, EBA should clarify the expected measures to encourage counterparties to mitigate and disclose ESG risks. Institutions indeed cannot consider having mitigated their ESG risks if engagement does not result in mitigating actions at the level of the counterparty or in the integration of the actual risk. Engagement activities should therefore be linked to clear time-bound objectives, an escalation process and a The final Guidelines have incorporated in this section the requirements on engagement that were originally part of section 6, and which include aspects relating to counterparty-specific actions, including exit as a last resort. Escalation procedures should Section 5.1 amended.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 108 divestment strategy for off-track counterparties or counterparties with no sound and credible transition plans. be specified in the engagement policies (see below). (par. 42a) Engagement activities – influence, feasibility/ flexibility, proportionality, potential clashes The lever with the counterparts highly depends on the type of services banks provide and the depth of their customer relationship. We fully share the EBA view on the importance of engagement policy to ensure consistency with banks’ climate commitments. However, we are wondering whether these guidelines are an appropriate place to stipulate engagement policies. The first objective of the engagement policy is to collect relevant data which is consistent with the need of data quality. Beyond that, the need for banks to strive towards improving the counterparts’ ESG profile (and relative metrics) should be left as a tool that banks may consider managing their ESG risks or the implementation of their transition plans, instead of being required in these guidelines. We would like to highlight that there does not appear to be any proportionality around the proposed requirement for institutions to engage counterparties, as specified in para 42(a). These elements would be considered by banks in their engagement policies. The Guidelines refer to engagement as a means to gather relevant information in the data processes section. In addition, engagement as a tool in the risk management and transition planning toolbox is considered relevant also from a prudential perspective. The Guidelines have clarified that banks should determine the scope of counterparties with whom to engage. Section 5.1 amended (par. 42a(i, ii)) Which counterparties to engage with – more precision needed Need for specification: We call on EBA to provide more granular definitions on the terms most important and most critical counterparties, large counterparties and large corporate counterparties. We note that the Draft Guidelines include various qualifiers to describe the scope of counterparties that should be covered by engagement activities. A balance needs to be struck between encouraging institutions to meaningfully engage with counterparties who are most relevant to the management and mitigation of ESG risks, and avoiding creating an overburdening obligation to demonstrate engagement with every possible counterparty. A key learning in relation to striking this balance was that prioritisation of stakeholders is vital. However, the group of relevant or priority counterparties can vary widely across financial institutions, depending e.g. on the business model of the firm, the sectors it provides financing to, or the geographic location of The final Guidelines require banks to determine the scope of counterparties with whom to engage, taking into account their materiality assessment and risk measurement methodologies to support their prioritisation choices. Section 5.1 amended.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 109 the counterparties. In addition, it may make sense for an institution to evolve its stakeholder prioritisation over time. Importantly, the size of a counterparty may not necessarily be a reliable proxy of whether engagement with that counterparty should be prioritised, as size may not be a good indicator of the extent of that counterparties’ relevance to the ESG-risk exposure of the financial institution and/or the success of its transition plan. In some cases, the financial exposure to a given counterparty may be more relevant. (par. 42a(i)) Which counterparties to engage with – materiality criteria and definition of criticality In the identification of priority counterparties where engagement should be carried, we also recommend EBA clarifying the factors of criticality. The size of the exposures, but also the sector, the availability of transition plans, the location and the deviation from initial transition targets are factors that should be considered. We would also emphasise that the scope of counterparty engagement should be linked to institutions materiality assessment, rather than solely size. That is the prerequisite to ensure efficient allocation of resources. See answer provided above. Section 5.1 amended (par. 42a(i)) Which counterparties to engage with – inclusion of SMEs needed We also contend that engagement strategies should also include SMEs. Non￾large corporates will play an important role in the transition to a low-carbon economy, and institutions, through relationship managers, could contribute to this role. This would also prevent the generation of a portfolio-level blindspot, where small ESG-related risks could, in the aggregate, become material to institutions. SMEs may be included in the scope of counterparties to engage with, depending on institutions’ nature of activities. See clarification on scope below. Section 5.1 amended (par. 42a(ii)) Role of banks in assessing clients transition plans We support these ESG risk management principles, in particular paragraph 42 on the need to consider a range of risk management and mitigation tools, including engagement with counterparties on their transition plans to improve their ESG risk profile. No response needed. No change (par. 42a(ii)) Role of banks in assessing clients transition plans – Additional guidance on how this assessment should be performed must be provided, including on sectoral pathways to which corporate transition pathways could be compared. We believe it should be the responsibility of public institutions to put in place effective measures to assess and monitor the credibility and soundness of the counterparties’ transition plans. Risk assessment methods are specified under 4.2, however do not remove banks’ responsibility to assess the risk profile and creditworthiness of their counterparties, by taking into account ESG risks and risk No change

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 110 methodological advice wanted We would appreciate any proposals on the methodology for evaluating clients transition plan, particularly regarding the feasibility of the plans. mitigating factors such as transition plans of counterparties. (par. 42a(ii)) Role of banks in assessing clients transition plans – need to rely on auditors, cannot be responsible It should be clarified that banks cannot be made responsible for the assessment of the credibility of clients’ transition plans. Even with a limit to large counterparties, assessing the credibility of transition plans could in practice be a huge challenge for banks, especially without clear benchmarks and further guidance as to the depth of the assessments and a clear link to materiality of risks. In any case such requirement would go beyond what should be the responsibilities of banks. The expectations should therefore be clarified, including on the role of auditors in the assessment of clients transition plans. While banks should be in the position to understand clients plans, they should be able to rely on the auditors assessment of the robustness, soundness and credibility of these plans. We should be able to presume that plans published under CSRD are credible, reliable, robust, and sound. Moreover, it should be noticed that if this process is to be made by every bank, it can come with different outcomes. The Guidelines do not refer to credibility but to transition plan of counterparties as potential risk mitigation factors. Assurance provided by auditors in the CSRD/ESRS context do not relieve banks’ responsibility for assessing the risk profile of their clients. No change (par. 42a(iii)) - greenwashing risk Need for specification: provide further guidance on how to assess processes, and define escalation mechanisms where greenwashing risk is not mitigated. We have concerns about the evaluation of the processes of borrowers to identify and mitigate greenwashing risks. The requirement seems to go far in terms of banks’ interference in clients’ management. Banks should not be made responsible for the review of the risk of greenwashing of their counterparties (even the larger ones). From a proportionality point of view, at least LSIs and SNCIs should be excluded from the analysis of greenwashing risks. Requirements on the management of greenwashing risk have been removed from this section and consolidated in section 5.6. Section 5.1 and section 5.6 amended (par. 42a(iv)) Engagement activities – encourage to mitigate risks Paragraph 42 a) iv. should also mention explicitly here the use of an escalation process as part of the engagement process, including the potential recourse by the bank to coalitions with other financial actors where relevant. This escalation process is key for the bank to make the most of its engagement with the counterparty in a context of risk management. See above on integration of requirements originally part of section 6, and below on engagement policies including escalation procedures to be specified under plans. Section 5.1 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 111 In addition, we recommend a new point (vi) on divestment when needed as a last resort strategy, if the escalation process is deemed to fail. As a matter of fact, EBA mentions “last resort cessation of the relationship when continuation is considered incompatible with the institution’s planning and risk appetite”, in Pararaph 103. (par. 42b) more guidance The EBA could consider establishing more granular guidance on the operationalization of these management principles, such as methodologies for adjusting financial terms based on ESG risk assessments. The granularity of the Guidelines has been considered sufficient. No change (par. 42b) Engagement activities - adjusting financial terms and/or pricing - challenging At present, institutions may face challenges in empirically detecting the impact of ESG issues on the PD or calculating the ESG-sensitivity of the risk premium. This information is crucial for adjusting financial terms. While adjusted pricing policy may result from the credit rating of the counterparts it should not been seen as an automatic tool to use to manage ESG risks. Indeed, such a tool, if required by regulation, could result in level playing field issue where other banks will offer better prices. This could create important level playing field issues, resulting in EU banks becoming less competitive than non-EU banks, which do not face such requirements. It may also disincentivize institutions from providing transition finance. Also, in the case of syndicated loans where several banks are involved, it may be complex to unilaterally change financial terms and conditions. The EBA acknowledges that there are challenges but institutions should develop their practices to assess the impact of ESG risks on financial risk types. The Guidelines require banks to consider adjustments in their pricing policies, where relevant and in line with their risk appetite. No change. (par. 42c) Risk management/mi tigation - Risk limits We also ask for clarification that a limit is not set or derived solely on the basis of ESG aspects. Various risk drivers are responsible for this as part of risk management. This one-sided presentation of the limit (purely on the basis of ESG criteria) would not be consistent and should not be understood as integration into the existing methods and procedures. To avoid misunderstandings, we request the following rewording: “considering ESG for the purpose of setting global, regional and / or sectoral limits, ...”. The final Guidelines have been adjusted by clarifying that ESG risks should be considered when setting limits. Section 5.1 amended (par. 42c and e) Risk mitigation tools – role of The EBA should acknowledge the role of sectoral policies and especially fossil fuel sectoral policies and other restrictions in ESG risk mitigation: Today, many financial institutions already consider this, notably by adopting sectoral Sectoral policies have been added more clearly in the range of tools. In addition, fossil fuel sector entities are mentioned in the Section 4 and section 5.1 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 112 sectoral and restriction policies policies that restrict their support to some activities and objectives to increase support to higher ESG-ranked activities or companies. In this regard, sectoral policies that apply to the fossil fuel sector are the most widespread and can especially contribute to proper risk management, but other ESG sectoral restrictions have been used (for example on tobacco). materiality assessment procedures, which should support the engagement policies and other risk management processes. (par. 42d) Risk management/ mitigation￾diversification It is our belief that the information provided in para. 42 d), such as 'by economic sector or geographical area,' is intended as an illustrative example and should not be regarded as a mandatory criterion. The example could be removed as the bank establishes its own standards for diversification, considering various factors. Although ESG criteria are significant, they are of secondary importance in this context. We do not agree with the request for banks to diversify their lending and investment portfolios based on ESG-relevant criteria. EBA should not request banks to have a certain percentage of exposures towards green investments as a risk mitigation tool but must allow banks to assign investments towards sustainable activities based on their overall commitments and investors’ appetite. Banks should focus on the quality of their exposures, and not on the volumes of green exposures. Yes, ‘e.g. in terms of economic sector or geographical area’ is an example of possible application. As in the rest of the section, the requirement is to consider this tool as part of a risk management approach. Diversification can support institutions in managing ESG risks, without any requirement set in the Guidelines on the volumes of green exposures. No change Question 11: section 5.2 – ESG risks in strategies and business models General The provisions should be reinforced, via among others divestment from most environmentally harmful sectors or development of clear strategies to finance and push the transition. Banks remain responsible for setting particular strategies. See also list of risk management tools. No change General To ease the integration of ESG risks in institutions’ business model and strategic planning, EBA should provide a template or framework to operationalize the guidelines more effectively. See answers on section 6 below, also as regards the addition of an annex to the Guidelines. Annex added Para 43 Some flexibility should be given to institutions to run their business model and strategy, to define their risk appetite and to include ESG risks in their already existing framework (with no need for additional tools for strategic analysis or specific metrics), as long as they can demonstrate they have put The section is not considered overly prescriptive. No change

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 113 in place a governance and a sound risk management framework. The provisions are considered too prescriptive. Para 43 Particular flexibility should be given to SNCIs (recommending only a qualitative analysis of strategy and risk appetite as part of the materiality assessment, with no need of transition planning) and to entities with a ‘social economy function’ (recognizing their mission, being social economy goals aligned with ESG factors per se). See answers provided on proportionality above. No change Para 43 In institutions’ business and risk strategies, also possible risk arbitrage at various horizon levels should be considered, as well as the need to ensure that short, medium and long-term objectives and targets interact and are well articulated. This aspect is covered under section 6. No change Para 43(a) Further guidance is needed regarding how business environment might affect ESG risks. Institutions should assess how ESG risks can affect the business environment. No change Para 43(d) EBA should reinforce provisions on KPIs, e.g. by making it clear that they should be accompanied by a risk/profitability analysis, rely on specific business and market assumptions and/or calibrated based on Paris Agreement and the 1.5°C target, and by recommending the disclosure of KPIs and amendments thereof over time. Other respondents disagree on mandatory KPIs. Targets are key to support strategies and their implementation should be monitored. More details are provided under section 6. No change Para 44 Considering the different level of details for ‘E’ risks, the EBA should clarify if the provisions are applicable to all ESG risks, eventually complementing the wording thereof. The EBA should clarify the scope of stress tests (EBA or other stress tests? SIs or also SNCIs taking a proportionality principle into account?) No change – the section refers to ESG, in particular E. See also above on C, E, S, G. It has been clarified that institutions should take into account their internal stress tests. Section 5.2 clarified. Paras 43, 44(a) and 45 The EBA should clarify the terms ‘ESG factors’ and ‘ESG perspective’, suggesting that they should be accompanied by the term ‘risk’, and the para 44(a) should be deleted. The Guidelines refer to the ESG risk perspective. Section 5.2 clarified Question 12: Section 5.3 – ESG risks in risk appetite (par. 48) “escalation” Paragraph 48 refers to an escalation process set out in section 5.8 but it looks like it is set out instead in section 6.5 paragraph 103. Escalation has been mentioned more explicitly in paragraph 80 in section 5.7. Section 5.7 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 114 Connection and need for consistency between risk appetite and strategic business model objectives Risk appetite is a framework for dialogue between strategy and risk considerations. It would be useful to take advantage of this framework to ensure overall consistency with any climate commitments made by the bank, the transition plan and its sector-specific dimensions on objectives (decarbonization, financing). All this should feed into the risk appetite and credit limits that the institution must set itself, if we assume that the prudential transition plan must contribute to (or not detract from) the climate transition plan. The Guidelines have added that the integration of ESG risks in the risk appetite should be consistent with the institution’s strategic objectives and commitments and with the plans and targets specified under section 6. Section 5.3 clarified (general) planetary boundaries Given the unprecedented urgency of the state of climate change and nature loss, we recommend EBA to express more prescriptive recommendations on what level of ESG risk appetite might be considered excessive or dangerous. In this, we suggest referring to the planetary boundaries. The Guidelines specify risk management arrangements from a microprudential perspective. No change (general) insights from stress testing Additionally, the EBA could provide guidance on integrating ESG risks into stress testing frameworks, further informing risk appetite decisions with forward-looking insights. Inputs from stress testing should inform business strategies under 5.2 hence risk appetite. No change (general) ESG as stand- alone vs. driver of traditional risk categories It is not clear why ESG should play a separate role as a risk driver when determining risk appetite compared to traditional risks. Ultimately, it materializes in the known risk types for which risk limits and risk capital are set or allocated. The separate consideration of ESG as a risk driver when defining the bank’s risk appetite is questionable, as it affects the traditional risks. ESG risks need to be defined and addressed in risk appetite in order to manage their impacts as they materialise in traditional risk types. This is in line with BCBS principles and CRD6 which refers to “risk appetite in terms of ESG risks”. No change (par. 46) no appetite (exclusion) Paragraph 46 outlines that the risk appetite should specify the type and extent of ESG risks institutions are willing to assume. This should be further nuanced indicating that this should include no appetite / exclusion areas, e.g knowingly lending to companies that will use the money to violate human rights. The Guidelines require banks to determine KRIs such as limits, thresholds or exclusions. No change (par. 46, 47) proportionality, flexibility, too much granularity required in the To ensure proportionality, the granularity of the requirements should be adjusted. Institutions should be granted more flexibility in defining their ESG risk appetite, taking into account factors such as business model, size, and portfolio structure. For example, it may be considered excessively granular for large institutions with a diversified business model to provide a higher level of detail than at the country level. As with other sections of this The final Guidelines have clarified that institutions should determine their KRIs based on their business model and have added a reference to risk limits set at a lower level within institutions, so that ESG risks are both captured at the highest level with Section 5.3 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 115 current paragraph consultation paper, we kindly request that this be limited to key assets, material products, and services. We believe that the significance of identifying the type and degree of ESG risks at the granularity of the proposed guidance is minimal. It is difficult to have too many metrics in the RAS, only the most appropriate ones should be selected. In addition to being technically difficult to construct, such a level of granularity would make it difficult to understand and link with capital allocation. selected key indicators and at lower levels with potential additional indicators and limits, consistent with the overall risk appetite. (par. 47) further guidance on ESG KRIs We suggest that further guidance should be provided with regard to the term "ESG-related key risk indicators", i.e. in particular with regard to the catalogue of criteria, the framework and scope of this requirement. ESG-related KRIs should translate the risk appetite into concrete indicators, in line with the risk appetite function and design. No change (par. 47) minimum set of KRIs is too large Institutions should be allowed to justify removing KRI from the minimum set of KRIs to be used for defining the ESG risk appetite, e.g. in case of lacking data availability or alternative and comparable steering measure already in place. The final Guidelines have clarified that banks should determine which KRIs they include in the risk appetite, by considering metrics under 5.7. Section 5.3 clarified (par. 47) language In paragraph 47, the term “ESG considerations” gives rise to misunderstandings and should be replaced by “ESG risk considerations”. The final Guidelines use the term ESG risks considerations. Section 5.3 clarified (par. 46, 47) need to distinguish between top￾level RAF and lower-level limits framework In the proposed guidelines we do not see a clear differentiation between the Risk Appetite Framework (RAF) and the general limit/threshold framework that an entity can have at a lower management level. It is important to make this differentiation, to avoid hampering the correct functioning of the risk appetite framework. The RAF is a formally defined process, with a strict governance model. It is approved by the Board of Directors, and it is based on internal metrics. The risks included in the risk appetite framework must be quantitatively targeted, measurable, and monitored within a specific timeframe (monthly, quarterly). Moreover, they must be carefully selected as the most relevant within their risk category, as we are the top management level. Any other limit/threshold system should be left for lower management levels. The final Guidelines have clarified that institutions should determine their KRIs based on their business model and have added a reference to risk limits set at a lower level within institutions, so that ESG risks are both captured at the highest level with selected key indicators and at lower levels with potential additional indicators and limits, consistent with the overall risk appetite. Section 5.3 amended (par. 48) cascading not feasible, and For large institutions, metrics and targets must be set at consolidated level and it would not be feasible to run different sets of metrics at group level and The final Guidelines have been adjusted to require that institutions should ensure that all relevant group entities and business lines Section 5.3 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 116 could lead to outsized focus on ESG inside RAF at more granular levels. This could create adverse effects and would certainly be too difficult to monitor. Also it seems important to keep in mind that adding too many metrics, targets and limits on ESG considerations may create dangerous unbalanced effects on the full edifice of the Risk appetite framework compared to other risks. As such, we recommend starting with basic ones and to incorporate gradually as ESG factors become material new ones. In any case, banks should give enough flexibility to choose relevant metrics with targets and limits/ with a focus on the most material risks to its business model. The consideration of ESG risks in risk appetite should be aligned with the entities' management that already considers the embedding of such risks considering their geographical footprint, business diversification, among other factors. Banks should not be required to change their management processes due to the requirement to conduct a cascade down approach. Risk appetite should be monitored in those risks deemed material according to entities' own models and internal procedures (e. g., at client level, portfolio level). Rather than cascading, a combination of origination policies and close monitoring could prove much more efficient and would avoid potential adverse effects. and units bearing risk properly understand and implement the institution’s risk appetite. Risk limits set at different levels within institutions should be consistent with the overall risk appetite in terms of ESG risk. Question 13: Section 5.4 – ESG risks in internal culture, capabilities and controls (section 5.4 in general) supportive; tone from the top is key Strongly support the inclusion of the proposed guidance on culture, capabilities and controls within the scope of the EBA Draft GL. These all play a critical role in ensuring that companies are able to respond effectively to ESG risks, including by developing and implementing robust and credible transition plans. Key strength: integrating ESG risks into existing governance systems (including the 3 LODs) as opposed to proposing separate, ESG￾specific structures. Aligned with bringing robust management of ESG risks into standard business practice, and importance of "tone from the top" (Par. No response needed. No change

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 117 50) which in our experience with leading companies (mature TPs) is flagged as a key success factor in securing organisational support for integrating climate transition planning into business strategy. Alignment with CSRD/ESRS Recommend to align section 5.4 on internal culture, capabilities and control with the European Sustainability Reporting Standards (ESRS) and particularly the ESRS G1-1 on Corporate culture and business conduct policy. This section is consistent with ESRS and with EBA Guidelines on internal governance but focused on ESG risk management for banks. No change (section 5.4. in general) too prescriptive / redundant, suggestion to delete the whole section 5.4 The EBA GL on Internal Governance provide sufficient framework for the implementation of an appropriate risk culture and the concept of the 3 LODs. The explanations in section 5.4. are redundant with the mentioned GL and contrary to considering ESG as driver of existing risk categories. Banks' internal governance and control guidelines already include specific instructions that affect the whole entity and should suffice. Separate policies and governance for ESG purposes should not be required. Banks should be granted the flexibility choosing the way they organize suiting their own circumstances and preferences, taking into consideration ESG factors when appropriate and integrate ESG into their existing processes. Standalone processes and controls to manage ESG risk factors should not be required. Section 5.4 is too restrictive of the organizational freedom of institutions with regard to ESG topics. We are in favour of deleting this section. The explicit incorporation of ESG risks into the overall risk culture and three lines of defence model is deemed an important part of sound risk management of ESG risks. The Guidelines specify what arrangements should be in place for ESG risks, ensuring consistency with internal governance Guidelines. This also reflects the BCBS principles for climate risk management. No change (par. 49) fit and proper - goes too far Agree on importance of training management on ESG given the novelty of these risks but it should not be a determinant factor in considering a member of the management bodies as unsuitable. Suitability assessments for managers and key function holders should not be used as a tool to choose decision-makers in institutions according to their overall ESG political preferences. These notions are in the CRD6 and will be further integrated in the Fit and proper EBA Guidelines. No change (par. 49); banks to engage with city experts & universities There may be scope for institutions to further develop relationships with universities, cities and city science offices to strengthen their internal culture, capabilities and control capacities – for understanding and interpreting scientifically verified ESG risks which are particular to environmental and social investments in regions, cities and urban environments. Although this is a possibility, banks are responsible for deciding how specifically they will increase their capabilities. No change (par. 49) expected ESG The recommendation for adequate training of the banks' management body and staff on ESG risks should be clarified. Expertise on climate & ESG risks is The Guidelines have added that training policies should be kept up to date and be Section 5.4 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 118 skills require regularly updated guidance; GL should specify more detailed requirements for ESG trainings nascent and evolving, with a range of available approaches. EBA with other relevant authorities should provide banks with regularly updated guidance - seek to clarify the types of training, knowledge, experience and expected skills on ESG and climate-related risks that are appropriate for different staff categories, and that are necessary to ensure collective suitability of the bank's management bodies. The GL should specify more detailed requirements for ESG training programs, including core topics to be covered and recommended training frequencies. informed by scientific and regulatory developments. Requirements for the management body will be further specified by the update to the fit and proper EBA Guidelines. (par. 49) qualifications EBA should define clear minimum requirements for the evaluation of counterparties’ ESG risk mitigation actions and particularly the qualifications of responsible staff to ensure that the latter follow a high standard. It is considered that the Guidelines reach a sufficient level of granularity on those points. No change (par. 49 and 50) language on ESG In pars. 49-50 the term "ESG factors and risks" is misunderstandable and should be replaced by "ESG risk factors". In paragraph 53 (d), the terms "ESG features" and "ESG aspects" should be replaced by "ESG risk features" and "ESG risk aspects", respectively, for clarity. It should not be a goal to impose bank supervisors' ESG policies and societal norms when it comes to the availability and pricing of financial services for individuals or corporates. Terminology has been adapted to refer to ESG factors and ESG risks. However, with regard to products it is considered more appropriate to refer to ESG features or ESG aspects. Section 5.4 amended (par. 49 / 50) ESG KPIs should feed into performance evaluation and remuneration KPIs should be integrated into performance evaluation and remuneration frameworks. Remuneration schemes must be consistent with the institution's prudential plan and formulated strategies, ensuring alignment with broader business objectives and risk management priorities. Remuneration schemes are key to ensure integration of ESG factors and risks in the bank's internal organization. EBA should recommend that banks adapt remuneration schemes to incentivize the staff in implementing the bank's prudential transition plan. The integration of ESG risks into remuneration policies is covered by the EBA Guidelines on remuneration policies which will be further specified to reflect CRD6 amendments. Section 6 also includes a reference to remuneration. Section 6 amended (par. 51) Role of external parties vs. 3 LODs, and role of internal teams with counterparty A specific technicity might be required (especially on climate/biodiversity topics) so financial institutions might leverage on external parties providing specific technical inputs and this could be explicated in the GL as this does not fit per se in the 3 LODs. Banks are responsible to decide how they will ensure sufficient capabilities to manage ESG risks. Regarding external parties, the existing framework and requirements for outsourcing arrangements apply. No change

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 119 ESG risk expertise Most financial institutions now have dedicated sustainable investment teams. In many institutions, these teams play active roles at multiple stages of the risk lifecycle: they may participate in counterparty risk assessments, assist in drafting and disseminating ESG elements in credit policies and procedures, or provide training to staff across the 1 st, 2nd or 3rd LOD. They are a key organizational element to foster an "ESG-aware" culture. EBA GL should require large institutions to maintain a dedicated counterparty ESG risks as departments as owners of counterparty-related ESG processes. Dedicated teams can support the management of ESG risks within institutions, provided that this is appropriately reflected and feeds into regular risk management policies and practices. (par. 52) 1st LOD and product approval The draft places the approval process of new products within the first line of defense, which is in contradiction with the traditional role and responsibilities of the 2nd line compliance function. The approval process of new products has been removed from the 1st LOD paragraph. Section 5.4 amended (par. 52) 1 LOD - ESG risk considerations in client onboarding Regarding risk assessments which should be carried out by the 1 st LOD (although ESG risk assessments should be conducted at different stages of the client relationship), ESG risk observance should not be as comprehensive in e.g. credit review process as is at client's onboarding. Exception to this should be clients from sectors under alignment objectives who need a more robust and continuous monitoring. The depth of assessment is not specified by the paragraph and can be adjusted provided that it ensures prudent assessment of ESG risks. No change (par. 52) Suggestion of additional wording to enrich description of 1 LOD role Proposal to a add the underlined words: The first line of defense should be responsible for undertaking ESG risks assessments based on applicable sustainability requirements and commitments, taking into account materiality and proportionality considerations, during the client onboarding, credit application and credit review processes, during investing processes, and in ongoing monitoring and engagement with clients as well as in new product or business approval processes. Staff in the first line of defense should have adequate knowledge, awareness and understanding of sustainability requirements and commitments to be able identify potential ESG risks. Rationale: The quality of 1 st LOD work depends on their knowledge of applicable sustainability requirements and this should be explicit. Not just for lending but also investment. Staff, namely managers in the 1 st LOD on all levels have key role and responsibility in this respect. “investment processes” and “knowledge” have been added. The explicit mentioning of sustainability requirements and commitments is not considered necessary and does not represent all the aspects that should be taken into account. Section 5.4 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 120 (par. 53b) 2nd LOD – “sustainability commitments” Given the diverse nature of ESG-related goals (e.g., objectives, commitments, targets), we suggest including a more detailed definition of "sustainability commitments". The Guidelines have added claims and/or commitments. This may take different forms e.g. see EBA report on greenwashing. Section 5.4 amended (par. 53b) 2nd LOD – Compliance function responsibilities need aligning with various existing EBA GLs and ECB Guide Given that within standard corporate governance the compliance function does not usually bear the ultimate responsibility of the firm's adherence to laws and regulations, we suggest aligning this with paragraph 209 of EBA GL on internal governance (EBA/GL/2021/05), with paragraph 47 of EBA GL on the role of the AML/CFT Compliance Officer (EBA/GL/2022/05) and with Expectation 5.5 of ECB Guide on C&E risks (2020) and thereby adopt a formulation similar to the ones mentioned, such as: "the compliance function should advise the management body on measures to be taken to ensure compliance with" applicable rules and regulations. The Guidelines have been further aligned with the Guidelines on internal governance and include language as suggested in the comment. Section 5.4 amended (par. 53b) Description of 2 LOD compliance function, explicit mention of the legal function and nuancing the split of responsibility inside operational risks Proposal to add the underlined words: The compliance function should oversee how the first line of defense ensures adherence to applicable ESG risks rules and regulations and should, in relation to the sustainability commitments made by the institution and the respective policies set, provide advice on reputational and conduct risks associated with the implementation or failure to implement such commitments. The legal function should provide advice on legal risks, including litigation risk associated with the implementation or failure to implement sustainability commitments. Rationale: As per dedicated EBA GL, the compliance function is a level 2 function and their main role is to oversee/to monitor the relevant 1st LOD, e.g. commercial units, as they are the owners of the risks. With respect to the advisory role of compliance function, wording should be precise to include only reputational and conduct risks, as part of compliance risks and not the whole range of operational risks, since different functions cover different types of operational risks. Legal risk, including litigation risk, is traditionally covered by legal function and this should be reflected also in this EBA GL. The Guidelines have been further aligned with the Guidelines on internal governance and include wording as suggested in the comment, however without referring to the legal function which is not subject to particular requirements under EBA Guidelines on internal governance nor BCBS principles on climate risk management. It is however expected that all relevant functions contribute to the management of risks, including ESG risks, in line with sound governance arrangements. Section 5.4 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 121 (par. 53b) 2nd LOD – Compliance function – not solely responsible for ensuring adherence to ESG commitments, and not at all responsible for some of them Ensuring adherence or providing advice regarding ESG risk rules or sustainability commitments does not have to be a sole responsibility of the compliance function. Assignment of the responsibilities can vary among institutions for different reasons. The compliance function is usually not the sole function responsible for advising on measures to be taken to ensure compliance with the entirety of rules, regulations and regulatory requirements - with prudential regulations in particular typically falling outside of its perimeter. We would like the EBA to provide further detail on the "applicable ESG risks rules and regulations" to clarify Compliance responsibilities. The role of Compliance as regards "sustainability commitments made by the institution" is not central. There are several sustainability/ESG related commitments which do not come under Compliance's scope nor require specific actions by Compliance, although Compliance has a coordination role regarding reputation risk. See answers provided above. The compliance function does not have to be the sole responsible for the aspects mentioned. Section 5.4 amended (par. 53b) 2nd LOD – Compliance function – not responsible for some of the risk types listed here, notably operational and legal risk – role of Legal function needs to be explicit here It should also be noted that as a matter of principle, each Function is responsible for risks within its perimeter, including ESG risk factors. Consequently, operational risk comes under RISK's scope, the same way legal risk is under the responsibility of Legal as a second line of defence (LoD2). As formulated, the draft GL do not reflect these organizational principles. We suggest that EBA comment on the envisioned role of 1st LoD in this context. Moreover, the EBA should further specify the role of Compliance in providing "advice on operational risks", as some of the risks listed ("legal, reputational and conduct") might fall outside of the scope of Compliance responsibilities, depending on individual institutional setups. In relation to [the Compliance function providing advice on operational risks ("legal, reputational and conduct risks") associated with sustainability commitments, we recommend aligning with the EBA GL on internal governance and allow for all relevant functions to provide advice in their respective field of expertise. All relevant functions should provide advice in their respective field of expertise. The Guidelines focus on the 3 LODs, specified under BCBS principles and EBA Guidelines on internal governance. The operational risk has been removed from the paragraph on the compliance function. Section 5.4 amended.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 122 Role of compliance for products Paragraph 53c accurately summarizes the role of Compliance as regards, for instance, new products with ESG features. No response needed. No change Role of other non-financial risks specialists such as Legal Agree with the role assigned to either the compliance or the risk management units as shapers of the business units decisions, during the design and approval process of new products with ESG features or for significant changes to existing products to embed ESG aspects; but we recommend to also include the rest of the non-financial risk specialists in this role, for example, the legal unit. See above – legal function should be involved in its area of expertise but the Guidelines focus on the risk management and compliance function. No change (par. 54) 3rd LOD Challenging specific metrics and calculations to establish the pathways goes beyond the Internal Audit Function’s usual remit. They are built by LoD1 and reviewed by LoD2, and IAF should not be mandated to build specific capabilities for this. Once the data is built by LoD1 and LoD2, IAF must inspect to ensure that the data has been managed with integrity, and that the transition plans include the different aspects demanded by the regulation, but nothing further. The Guidelines do not mention challenging specific metrics and calculations but reviewing quality and effectiveness of the ESG risks governance framework. No change Question 14: Section 5.5 - ESG risks in ICAAP and ILAAP (par. 55) ESG as standalone drivers or not The ICAAP is a global process that goes hand in hand with other internal processes. While we agree relevant ESG risk drivers should be incorporated into the process, these risk drivers should be indistinguishable from the rest of the risks, meaning that the ICAAP should take into account all relevant risk drivers in the same manner. We support the approach to avoid a separate ESG ICAAP but rather include the ESG dimension within the existing ICAAP. This is consistent also with the overall approach that sees ESG risks affecting the traditional risk categories. ESG risks are defined in CRR; they materialise through the traditional categories of financial risks. The Guidelines have clarified that material ESG risks and their impacts on financial risk types should be captured in the ICAAP. Section 5.5 clarified Non-inclusion justification It is unclear what would be expected in the case where an institution sees that ESG risks do not affect the ICAAP (e.g. would a qualitative description as to why that is not the case be required?). Institutions should provide sufficient information to understand their analysis of the capital implications of ESG risks. No change

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 123 Economic and regulatory perspectives To the best of our knowledge, the EBA has not used the terms “economic” and “regulatory” perspectives in its previous supervisory publications. A clear definition of these two terms is therefore necessary. These terms have been removed from the final Guidelines. Section 5.5 amended (par. 55) too early for E, S and G The climate risk dimension is fully integrated in our bank’s ICAAP. However, the EBA should take a sequential perspective and start incorporating environmental-related risk factors and not rush into including social and governance until we have enough data to ensure we do it in a sound manner. The BCBS Climate Principles, which are more narrowly scoped in terms of risk focus than the draft GL, recognize that "climate-related financial risks will probably be incorporated into banks' internal capital and liquidity adequacy assessments iteratively and progressively, as the methodologies and data used to analyse these risks continue to mature over time and analytical gaps are addressed." This consideration should also be applied by the EBA in terms of recognizing that the ability of banks to capture climate-related risk drivers in the ICAAP exceeds that of broader E/S/G risk drivers. It is recognised that banks’ practices are more advanced on climate-related risks. However, as explained in the Guidelines, tools and practices should be developed for other types of E risks and approaches to S and G should be gradually enhanced. CRD6 in article 73 (ICAAP) refers to ESG risks. The section notes that banks should take into account the levels of availability and maturity of quantification methodologies for different risks. No change (par. 55) Concerns on ILAAP The banking industry is at an early stage in terms of understanding the transmission channels to liquidity risks. The lack of information is a significant obstacle to integrate ESG risks into the ILAAP, especially S and G. These draft recommendations are difficult to understand given the EBA/REP/2023/34 report on the role of E and S risks in the prudential framework, as no changes are expected regarding LCR and NSFR. Liquidity risk is a short-term risk, whereas climate and environmental risks are more expected to materialize over a longer-term horizon. The disconnection between these two timeframes means that the materialization of climate risks in the definition and management of liquidity buffers today for banks is not expected to be material. Nevertheless, to the extent that climate and environmental risk drivers could have consequences on liquidity, these consequences would have to be taken into account. Given the characteristics of ESG risks as drivers of liquidity risk, the evolving market practices and the regulatory framework, the final Guidelines have separated the requirements on ICAAP and on ILAAP to focus the latter on E and on appropriate time horizons within the scope of ILAAP coverage. Section 5.5 amended (par. 55) Long time horizon vs. Certain methodological features related to ESG risks conflict with ICAAP/ILAAP internal features and need to be further elaborated on before being requested. The forward-looking nature of ESG risks requires the use of Institutions should consider various time horizons for the assessment of ESG risks. In addition, CRD article 73 requires banks to Section 5.5 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 124 ICAAP purposes (usually 3 years) long-term science-based scenarios that cannot serve as a basis for financial projections, because science-based ESG scenarios do not easily translate into financial risks scenarios. This requires a complete overhaul of current market practices in terms of scenarios and forecasts. Requesting an immediate inclusion of all ESG factors from longer term non-financial scenarios in financial forecasts of the ICAAP comes at the risk of basing analysis on forward-looking elements, whose impact on financial risks has not yet been evidenced. We assume that the risk observation horizon in the ICAAP remains unchanged in both the normative and economic perspectives. Additionally, we assume that no multi-year risk-bearing capacity calculation is required beyond the normative perspective period. The most frequent time horizon in the ICAAP is 3 years. A multi-year calculation going beyond this should not be mandatory. The longer-term time horizon of 10 years would serve to inform the normative and economic perspective with regard to possible ESG risk factors. Disagree with backing medium and long-term risks, which are not reliably quantifiable, with internal capital - this would be neither appropriate nor sensible. The time horizons considered for internal capital are fundamentally different from the time horizons considered for ESG purposes. For ICAAP, institutions make forecasts based on methodologies, historical data and plausible scenarios that cannot easily translate into longer term horizons. These forecasts influence business planning and practical decision-making, which can hardly be the case of 25-year projections. Hence, time horizons that go beyond 10 years should only be informative and not serve as a base to the normative and internal allocation of capital. Capital should remain within the current prudential practises, and not cover hypothetical medium to long term ESG factors that will evolve in time, not necessarily translate into financial risks and be mitigated in time. take into account the short, medium and long terms for the coverage of ESG risks. The EBA recognises however that quantifying long￾term potential risks and building capital planning for long time horizons raises challenges. The Guidelines clarify that when institutions take into account the short term, medium term and long term for the coverage of ESG risks, longer time horizons should be used as a source of information to ensure sufficient understanding of potential implications of ESG risks for capital planning. The time horizons considered for the determination of adequate internal capital to cover ESG risks should be consistent with time horizons used as part of the institutions’ overall and regular ICAAP. (par. 56) Limits It seems difficult to have specific limits/triggers regarding ESG impacts on an indicator like the CET1 ratio or the ICAAP. Institutions should describe limits set for material ESG risks. No change

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 125 (par. 57) gradual application? Integration of ESG risks (to be checked on correct understanding) in ICAAP and ILAAP should only come after making progress on common understanding and reliability of data as a first step for a dedicated treatment of related exposures. A gradual and methodological approach is preferable over setting (fixed) parameters and metrics. It has been clarified that banks should use insights gained from risk assessment methods to support the (binding) integration of material ESG risks in ICAAP. Section 5.5 clarified (par. 57) ref. to Section 4.2 We request clarification with regard to the reference in paragraph 57 to section 4.2 that the reference is not intended to apply the longer-term alignment method in the ICAAP. Insights gained through risk assessment methods should be considered. See also above on long-term time horizons. No change (par. 57) methodologies and data Are institutions free in terms of methodologies to use for the evaluation of internal capital relative to their ESG risks/factors? Historical data is insufficient and there is no globally unified measurement method, so it is difficult to take into account ESG risks. Institutions should develop their methods and consider insights from methods required under 4.2, and document their analysis. No change (par. 57) pool of exposures Other approaches may exist such as to identify and measure internal capital need for pool of exposures homogenous in terms of ESG risks rather than individual exposures. The term ‘portfolio’ applies in this context to any group of exposures selected according to some criteria. No change (par. 55 – 57) too prescriptive and too broad vs current bank approaches & ECB expectations In line with the ECB Guide to ICAAP, the ICAAP is an internal process, and it remains the responsibility of individual institutions to implement it in a proportionate and credible manner. For now only risks arising from ESG consideration for part of the banking book are taken into consideration by banks in the ICAAP, if they are material. The assessment is based on climate scenarios. Internal methodologies will be capturing counterparties transition plans as they become available. We recommend aligning this section with ECB expectations on this part and what was done on materiality assessment by banks. EBA Guidelines specify new CRD6 requirements and will be subject to comply or explain processes for all EU competent authorities. No change (par. 57) ref. to Section 4.2 on scenario-based methodologies Supervisory scenario setting does not align with the internal character of ICAAP, and we propose to refrain from it. The required mandatory inclusion of E risk elements seems to have a permanent character, which does not correspond to the internal character of ICAAP stress tests under the normative perspective, which should address a financial institution’s key vulnerabilities also taking into account the scenario horizon of (at least) 3 years. The Guidelines do not set a particular scenario, but a forward-looking view of capital adequacy considering potential future E risks is needed for sound risk management. No change

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 126 (par. 57) capital needs - Space for capital relief needed Agree with integration of ESG risks and transition plans in ICAAP and ILAAP. However it seems that such integration will only require capital add-ons but not capital relief. In the particular case of environmental risks, transition to a net zero economy should be capital neutral. It is true that there will be winners (banks that orderly transition to net zero) and losers (banks that delay transition relative to peers). We believe credible transition plans should drive Pillar 2 capital relief while lagging plans should attract capital add-ons. Supervision including Pillar 2 capital requirements is out of scope of these Guidelines. Banks should assess ESG risks implications for their solvency. No change (par. 58) supportive of scenario analysis for climate but not for (other) environmental risks We have planned to integrate considerations related to climate risks into the scenarios used for provisioning and capital planning. We have also implemented climate-related stress scenarios for specific risk analysis (e.g. stress on cost-of-risk). But we do not plan to have capital planning scenarios driven primarily by environmental risks. We consider it excessive to impose such specific stress scenarios for capital planning in the ICAAP. Climate risks are part of E risks. The adverse scenario should include E risks elements but not necessarily be primarily driven by E risks. No change (par. 58) more granular guidance Request for more granular guidance on modelling and quantifying the impacts of ESG risks within ICAAP and ILAAP frameworks, including examples of adverse scenarios and stress testing methodologies also to interpret/understand reverse stress testing regarding ESG. The Guidelines do not specify stress testing requirements as this is, and will further be, covered by dedicated EBA Guidelines. No change (par. 58) too early for full incorporation of E scenarios Recognize the relevance of scenario analysis as a forward-looking tool to assess the possible impacts of climate-related risk drivers in the future, given the long-term nature of climate change. But it is premature for banks to fully integrate E risk related scenarios alongside the wider economic scenarios used for capital planning and projections, due to data and conceptual limitations. Climate risks are part of E risks, see also above on C, E, S and G. No change Question 15: Section 5.6 – ESG risks in credit risk policies and procedures Challenges for social risks There are insufficient definitions concerning the social sphere to allow for an assessment of the adverse impact of such risks on an entity’s credit profile. It is deemed challenging to determine materiality associated with social risks See above on C, E, S, G. Quantitative credit risk metrics are required for E risks only in the Guidelines. No change

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 127 and establish appropriate quantitative criteria and methods for evaluating the impact on credit risk. Credit risk – quantitative methods Quantitative credit risk metrics regarding environmental risks have not yet been established and it is unclear what is specifically intended. Further guidance should be provided regarding the requirement to develop and implement quantitative credit risk metrics, such as a catalogue of criteria as well as a description of the framework and scope of this requirement. The Guidelines require to include quantitative metrics in credit risk policies/procedures to support the management of E risks. Institutions should set their metrics and can consider the metrics provided in 5.7. No change Credit risk – (permanent) use of qualitative measures In addition to quantitative credit risk metrics, the use of qualitative methods should be explicitly considered. The credit ratings established today consider both, quantitative and qualitative aspects, including ESG risks. Some institutions may initially have to use qualitative methods if quantitative methods are not yet appropriate. Further, for certain areas and for certain institutions, the use of qualitative methods should be permanently available. It has been clarified that institutions should implement a combination of qualitative and quantitative approaches. Section 5.6.1 clarified Insufficiency, incompleteness and incomparability of ESG data Especially in context of the application of quantitative credit risk metrics, the insufficiency, incompleteness, and incomparability of ESG data has to be considered. ESG factors can drive credit policies in terms of portfolio segmentation, credit allocation, target selection. The analysis of ESG risks could improve the ability to perform an efficient and effective creditworthiness assessment with a material impact on at least the probability of default and the loss given default, if (and when) the underlined data is of appropriate quality. The most important barrier that can slower this process is represented by metrics and dataset. A lack of data is especially relevant for smaller institutions. See above on data. Section 4.2 amended ESG risk mitigation measures The section on credit risk policies and procedures could be more specific on the question of ESG risk mitigation measures. In particular an analysis of companies' transition plans in high-stake sectors would seem to be a priority. See above on the exposure-based method and risk mitigating factors including transition plan. Section 4 amended Integration of ESG risks in loan origination and monitoring processes Credit granting policies should be aligned to the alignment trajectories that some banks have publicly committed to follow. As part of credit policies, banks should clarify their procedures on counterparty and projects that persistently refuse or fail to implement a credible transition plan. Credit policy on large corporate counterparties Banks should ensure consistency between their strategy, risk appetite and risk management policies (see section 6). Sections 5.1 and section 6 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 128 should include a conditionality of credit to the counterparties’ credible plan. Such a policy should also include an escalation process. Engagement with counterparties is covered under sections 5.1 and 6.4. Credit risk metrics Banks should monitor physical and transition risks in segments of portfolios that are deemed to be material according to banks materiality assessment methodology. As opposed to regulatory requirements for pricing strategies and pricing decisions, a set of pricing best practices should be included. ESG-linked features in lending are not intended to compensate institutions for taking on ESG risks. Rather, the ESG adjusted interest rates and fees serve as an ‘incentive’ for the borrowers to meet specified ESG targets and, by this, mitigate their transition risks. A reference to the materiality assessment has been included. As already laid out in the EBA GL on loan origination, the pricing structure of a loan product should reflect the inherent risk profile of its counterparty, considering all aspects including also ESG factors. Best practices cannot be included. Section 5.6.1 amended. No change Proposed methodologies The EBA should encourage financial institutions to voluntarily adopt Mortgage Portfolio Standards (‘MPS’). For the purpose of valuing collateral the IVSC International Valuation Standards could be referred to as they are applied globally. Guidelines set requirements for banks. Specific details on the valuation of collateral are out of scope. No change Question 16: Section 5.7 – ESG risks in policies and procedures for other risk types General comments Article 4.1 point 52d of the CRR provides that environmental, social and governance risk materialise indirectly through the traditional categories of financial risks. Therefore, when it comes to para 63 and 66 of the draft ESG Guidelines, the EBA should stick to the CRR 3 and not go beyond its mandate. The Guidelines specify how ESG risks as defined by the CRR should be taken into account in policies for management of different risk types. No change Market risk In relation to market risk, it is difficult to identify ex ante which part is due to ESG as it is already embedded in the price of the products. Further a waiver should be allowed for some of the charges suggested by the report, such as adding a RRAO charge in FRTB-SA or asking for an RNIME in FRTB-IMA for explicitly ESG-linked derivatives, should the bank demonstrate to the satisfaction of competent authorities that the possible losses associated to them are already covered in the prudential framework. Stress test metrics are considered to be most suited indicators to account for derivatives. Challenges are understood but banks should develop their approaches and understanding. Pillar 1 requirements are out of scope of these Guidelines. Forward-looking analyses are key and mentioned in paragraph 67. No change

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 129 Operational risk It is required to indicate whether the ESG factor flagging is required for each operational loss event. Further, it needs to be clarified whether the mapping should follow the 7 operational risk categories according to Basel methodology or operational risk factors (people, processes, systems, external events). Paragraph 63 could provide illustrative examples of potential future impacts from ESG-risks that could have an impact on operational risk as well as other non-financial risks such as litigation and reputational risks. The E flag is required when it is a driver of the loss event. Reference to Article 324 of CRR has been included regarding the different regulatory operational risk event types. ESG risks can impact operational risks through various channels such as physical risk drivers or litigation risk. Section 5.6.4 amended Operational risk losses – identification and labelling While the internal taxonomies already have a natural disaster label it is extremely difficult to differentiate between natural disasters that are directly caused by environmental factors and those which are not (and driven by cyclical factors). Further guidance is needed on how to identify and label operational losses related to the environmental risks given the indirect nature of ESG drivers. The identification and labelling should be done consistently with the risk taxonomy and methodology to classify loss events specified by the dedicated RTS on this issue. Reference to RTS pursuant to Article 317(9) of CRR added. Section 5.6.4 amended Operational risk – Reputational risk Specifically in relation to the references to reputational risk in paragraphs 53 and 63 of the draft Guidelines, the current drafting seems to include reputational risk as a component of operational risk, however that is misaligned with the EU CRR3 definition of operational risk (which excludes reputational risk). We would suggest deleting these references to reputational risk in the final Guidelines for avoidance of confusion. To clarify this issue the reputational risk is covered under a separate paragraph in the final Guidelines. Section 5.6 amended. Reputational risk related to transition plan An explicit reference should be made, that a core aspect of reputational / litigation risk is the discrepancy between banks transition plan and actions. To address the reputational risk associated with banks failing to comply with their sustainability commitments or transitions plans, it is recommended that the EBA specifies that these plans are dependent on the EU’s and Member States’ commitments to achieve climate neutrality, as outlined in the EU Climate Law. Further, reputational risks are not considered significant for LSIs in particular. Banks should not be held solely responsible in the event that the EU or member states fail to meet or change their targets. Discrepancy between plans and actions can lead to reputational and greenwashing risks as covered in the Guidelines. The EBA notes that external dependencies and assumptions should be explained by institutions when disclosing plans and targets. No change Para 67 Para 67 should move away from provisions for yearly risk provisioning and focus more on a dedicated RWA approach. Additionally, given that historical litigation experiences are not fully public due to the confidentiality of some Changes to RWAs are out of scope of these Guidelines. The relevance of forward-looking Section 5.6.4 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 130 agreements, it is crucial to specify that any model incorporating historical data might inherently underestimate this specific ESG risk. Therefore, a dedicated RWA for each transaction above a very substantial amount (limited to a few transactions) could be more than sufficient to manage this liability risk effectively. Regarding conduct, reputation, and litigation risk in para 67, we encourage more focus on human rights, discrimination and other social controversies which are known and tracked for corporate counterparties. analyses is however mentioned in paragraph 67. Violations of human and social rights have been added to illustrate potential ESG￾related controversies. Greenwashing Para 67 refers to the ESAs high-level understanding of greenwashing (EBA/REP/2023/16). This is not a legal definition and should hence not be referenced in the EBA GL. The broad understanding of greenwashing reduces the legal certainty and therefore risks hampering financial institutions transition finance efforts. Clarification is needed if it is necessary to have a separate specific process to identify, prevent and manage litigation or reputation risks resulting from greenwashing or perceived greenwashing practices, or can it be catered for by regular internal processes and standard risk assessments. Paragraph 67 should be amended to consider situations where reputational risk can also arise through NOT lending to or NOT investing in businesses, because ESG-related controversies can and will go both ways, as experience shows. Clarification on whether banks should expect the final guidelines to be amended in accordance with the final report on Greenwashing, including concrete examples of greenwashing across investment value chain the financial institutions should build on. Reference has been kept as it provides a reference point to understand greenwashing in the financial sector. Clear, fair and non￾misleading transition finance efforts should not be penalised. ESG risks including risks stemming from greenwashing should be captured by regular risk management processes. Institutions should consider various risk channels but this specific addition is not considered necessary. Reference to the final report has been included. Institutions can consult the report including for examples. Section 5.6.4 amended. Concentration risk The requirements included in the draft Guidelines on concentration risks could have adverse impacts on the financing of the transition as they would not consider counterparties transition strategies and pathways. A reference to risk mitigating factors, which can include counterparties’ transition strategies, has been included. Banks remain responsible to set their risk appetite for ESG-related concentration risks. Section 5.6.5 slightly amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 131 The approach to concentration risk should remain flexible to allow banks to use their own methodologies and define and measure ESG concentration risk according to their own methodologies, risk appetite and business models. It is very difficult to carefully define concentration risk in the context of ESG risk factors; there is not currently a well-established definition in the EU or globally. Thresholds for what constitutes a high degree of concentration would likely be needed, including analysis of an appropriate way to define and calibrate such thresholds. Given that the risk assessment process is multidimensional, it is also necessary to avoid unintended consequences associated with reliance on certain characteristics (e.g.some of the proposed metrics in the draft GL, such as GHG emissions) which could indicate that certain sectors or geographies are more or less risky in a way that is too crude. Supervisors should not demand institutions attributing concentration risk where a sector may or might be prone to ESG risk factors. This is too subjective and could be influenced by political opinion, thereby masking the real risk drivers that would require the institutions’ attention. Sentence 2 of this paragraph the words ‘may be’ should be replaced by ‘demonstrably are’ (data-driven approach). Sentence 3 should be deleted, because it is not helpful for describing the process of how existing concentration risk (as opposed to assumedly problematic sectors) can be determined. An approach of looking purely at industry concentration goes against banks’ efforts to engage with clients to assess the consistency of the clients' transition plans with the institutions transition planning. In addition, this contradicts paragraph of the section 6.5 of the Guidelines. Besides, concentration risk is already part of banks' risk management frameworks, including sector and geographical concentration, and it is also addressed in the Pillar 2 framework. The Guidelines require to manage ESG￾related concentration risk understood as risks posed by concentrations of exposures or collaterals in single counterparties, interdependent counterparties or in some industries, economic sectors, or geographic regions which may present a higher degree of vulnerability to ESG risks; however, for the purpose of the guidelines, thresholds for what constitutes high concentration risk should be determined by institutions in accordance with their risk appetite. Assessing concentration risk on a sectoral basis does not force institutions to adopt any particular risk mitigating action. Institutions should decide how to best manage ESG￾related concentration risks considering section 5.1, which refers to engagement with counterparties as one possible tool.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 132 Question 17: Section 5.8 – monitoring of ESG risks General ESG factors are already incorporated in other existing and publicly available reports, so there should not be any additional requirement to produce a standalone report. Paragraph 78 provides that banks may integrate ESG risks into regular risk reports or develop new dashboards. No change General Indicators should not be considered mandatory in the final guidelines, but sufficient flexibility should be given to banks in the identification of the most appropriate metrics. The EBA is mandated to specify standards, criteria and methods for the monitoring of ESG risks. However, the full list of indicators is only mandatory for large banks while others should monitor a range, that they will select. Section 5.7 amended General The focus is only on climate and considerations on other "E" risks and/or "S" and "G" should be included. It is recognised that progress on metrics is most advanced on climate. However, the section clarifies that large institutions should monitor metrics related to nature and biodiversity-related risks. Section 5.7 amended General The EBA should clarify that ESG risk monitoring also fully covers off balance sheet activities and that facilitated emissions should be monitored. It has been clarified that banks should have an institution wide view of ESG risks, adequately covering the nature, size and complexity of their activities. Section 5.7 clarified General The EBA should consider encouraging the development of industry-wide benchmarks or thresholds for ESG risk indicators, facilitating peer comparisons and transparency. The EBA considers that thresholds should be set by banks. Benchmarks can usefully be developed by the industry. The EBA is also developing a risk monitoring framework. No change General The EBA should clarify the expected frequency of monitoring activity. Given that some risks, could materialise over varying or yet unknown time horizons and especially climate-related impacts could worsen over time, institutions should be encouraged to take a long-term consideration of ESG￾related financial risks and a proactive dynamic risk management approach. Guidelines provide that institutions should monitor ESG risks on a continuous basis and implement frequent monitoring of counterparties and portfolios materially exposed to ESG risks. No change Level of application The monitoring of metrics should be limited at the group level and such indicators and thresholds should be set at a sector or portfolio level rather than at individual client or entity level. The Guidelines apply in line with the level of application specified under article 109 of CRD. No change

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 133 Proportionality The reference to the reporting requirement for SNCIs is unclear and the limited availability of ESG related data (in particular from SMEs) needs to be taken into better account. The granular and frequent monitoring of counterparties cannot be implemented for institutions that have a short-term lending business model or for leasing companies. The Guidelines have clarified that SNCIs and other non-large banks may monitor only a subset of indicators. Section 5.7 clarified Para 72 (a) The lack of data for historical losses should be considered. Historical losses should be monitored with specific indicators per type of ESG risk and more focus should be put on the monitoring of the exposures to physical climate risk. This metric covers ESG risks hence also physical risks. Data for historical losses may be built progressively. Wording clarified Para 72 (b) The KPI does not make sense at the NACE 1 aggregation level. The amount and share of sector-related income seems unsuitable to capture relevant ESG risks as it is unrelated to the risks of counterparties. Institutions should monitor also investments in fossil fuels and other high impact activities, besides the amount and share of income. This metric can inform institutions on potential business model dependencies. Reference to amount and share of exposures and income to fossil fuel sector entities has been included. Section 5.7 amended. Para 72 (c) Risks need to be monitored at sectoral-based perimeter, to help make connections with sectoral policies used to manage ESG risks. See portfolio alignment section. Section 5.7 amended Para 72 (d) Scope 3 emissions are deemed currently challenging to be recorded due to limited data availability. Scope 3 financed emissions is a crucial metric to assess the exposure of financial institutions to transition risks and suggest to make it mandatory for every sector and every portfolio. A clear guidance and a consistent approach on Scope 3 emissions methodologies are needed together with a request for qualitative information to complement the metric and interpret its evolution. Data challenges are recognised but ongoing efforts e.g. CSRD should progressively alleviate them. It is considered more appropriate to focus on sectors and portfolios identified on the basis of the materiality assessment. The Guidelines have clarified that qualitative information should supplement the metric to interpret its evolution. Section 5.7 amended Para 72 (e) The EBA should better specify how to define the percentage of counterparties with whom the institution has engaged and institutions should also report the objectives, the frequency and the governance behind the engagement. Such aspects should be specified under banks engagement policies, see section 6. Section 6 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 134 It may be more suitable to refer to a volume measure, such as credit exposure and the proposed ratio is not risk-based metric. A metric in form of a ratio informs about the level of progress achieved by the bank to engage clients as part of risk management. Para 72 (f) The GAR should not be included among the metrics to be monitored considering that i) it is not a risk management tool, ii) it does not reflect the sustainability profile of institutions, iii) there are issues with its calculation methodology. The metric should be complemented with indicators showing the portion of exposures Taxonomy aligned based on the classification framework adopted (e.g. GFANZ, CBI or ACT Finance). The objective of this metric is to compare Taxonomy-aligned exposures for climate change mitigation to carbon-intense exposures. However, due to methodological challenges, metrics relating to adverse impacts on other objectives of the Taxonomy have been removed. Institutions may compute and monitor additional metrics, such as based on different classification frameworks adopted. Section 5.7 amended Para 72 (h) A reference to “water-stressed areas” risk among the physical risk drivers mentioned should be added. It has been added as an example of physical risk drivers. Section 5.7 amended Para 72 Additional metrics are suggested: • that reflect stakeholders' expectations regarding financial institu￾tions' disclosures and their connection to real-economy transition plans; • related to portfolio-level dependencies on water or natural capital; • counterparties’ progress in doing their transition; • low carbon CapEx; • energy supply-banking ratio (ESBR); • sustainable power supply to fossil fuel financing ratio; • climate Value-at-Risk; • metrics related to physical, nature and biodiversity; • at portfolio level o portfolio alignment (by sector) with verified (externally) 1.5 degree goals; o portfolio alignment of verified (externally) credible transi￾tion plans; The EBA has considered the suggestions and adjusted the list of metrics. In particular, the following metrics have been added:

• the energy supply banking ratio,
• progress in the implementation of key financing strategies, which may include financial flows towards finan￾cial assets or counterparties that share a common set of characteris￾tics such as their alignment status relative to the applicable regulatory sustainability objectives and/or insti￾tution’s risk appetite
• exposures to fossil fuel sector enti￾ties and portfolio-level dependencies on ecosystem services. Section 5.7 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 135 o proportion of “green” (with breakdown specifically to sus￾tainable power solutions) and “transition” exposure (with a comprehensive science-based definition); o proportion of fossil fuel (with breakdown of coal, oil, gas) ex￾posure with and without credible transition plans; o proportion of high emitting hard-to-abate sector exposure with and without credible transition plans (with a compre￾hensive definition). Question 18: Key principles for plans in accordance with Article 76(2) of the CRD CRD vs CSRD plans Several characteristics of comparability and interoperability between CRD and CSRD-related requirements on plans were raised:

• ESRS alignment: respondents expressed a range of views e.g. closer / looser alignment (internal procedure only) / no guidance necessary
• CSRD is not a plan but the reporting of a plan...
• ...leading to expected unicity of plan – one transition plan with a risk side.
• Avoid CSRD / CRD confusion (naming, scope, ...) In addition, disclosure scope was mentioned:
• Only banks in CSRD and CSDDD scope should be required to disclose their CRD plans The Guidelines in the background and section 6 clarify that banks should ensure that their plans address forward-looking ESG risk management aspects while being consistent with other applicable requirements including those stemming from CSRD and CSDDD. CRD plans are not subject to specific disclosure but may partly be covered by other transparency requirements. Background and section 6 amended SNCIs SNCIs are only required to comply with the corresponding reporting obligations starting from the 2026 fiscal year if reporting is required for the first time. Therefore, it is recommended that any regulations for SNCIs should not be provided before this deadline The Guidelines provide a 1-year phase-in for SNCIs to give additional time to implement necessary changes, as well as several proportionality measures. Section 6 amended Level of prescriptiveness Respondents asked for more or less prescriptiveness of the principles with additional suggestions. Less prescriptiveness: o More flexibility in the implementation of the plans, recognising the different materiality of the risk for banks See responses on level of prescriptiveness and on alignment with EU objectives in general comments, and responses on materiality assessment, portfolio alignment and risk management tools. Section 6 amended.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 136 o GLs should focus on risk management tools and not on decarbonisa￾tion, alignment or sectorial targets o The transition plans should not have in scope the business strategy o Reference to EU law should not be interpreted as a requirement to reduce emissions by 55% by 2030 More prescriptiveness:

• On scope: o fossil fuels and other harmful activities o decarbonization strategy, targets and their quality/align￾ment. o elements related to financial planning o engagement activities and their consequences for compa￾nies o link between plans and remuneration o due diligence requirement for banks. o the importance of supply chain analysis for banks o clarify sufficient capacity and resources (para 88.) o financial materiality should be better clarified.
• On method: o more emphasis should be given to risk acceptance and capi￾talisation of risks. o frequency of update of the plans o full ESG spectrum (e.g. E, S & G), their interdependencies across relevant time horizons o reference to the EU climate law should be clarified (e.g. 1990 baseline) With regard to other comments:
• exposures to fossil fuel sector enti￾ties should be considered as part of materiality assessments, which form the basis for transition planning;
• engagement including outcomes is more clearly referred to in the key contents of plans in section 6.4;
• remuneration policies are referred to in the key contents of plans, reflect￾ing new CRD6 provisions;
• the frequency of updates of plans is clarified in section 6.5 and aligned with updates of strategies required by CRD;
• the scope of risks captured by each part of the plan should be specified as per paragraph 108. Non-EU entities Respondents asked for clarifications or raised concerns regarding the inclusion of non-EU entities in the scope of the requirements given that non￾EU entities have lower data availability and face less ambitious climate regulation. See response on level of application. The Guidelines state that parent institutions should take into account ESG risks that subsidiaries established outside of the Union are materially exposed to when elaborating No change

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 137 and implementing the consolidated plan, by having regard to applicable local legislation and ESG regulatory objectives. Time horizons The feedback revolves around Define / Reduce / Extend the time horizons. See responses above on time horizons. No change Question 19: Section 6.2 – Governance of plans required by the CRD Allocation of responsibilities Respondents raised comments regarding the following: o Specify more which management body should be driving what (strat￾egy, operational plan, ...). o Consistency oversight with the overall bank strategy. o Recommend specific ESG committees within the management body. Requirements about the supervisory and management function of the management body as well as rules for the setting of committees are specified by the EBA Guidelines on internal governance. Consistency of plans with overall strategy is required in section 6.1. No change Risk appetite Specify alignment between transition targets and risk appetite. Section 6.1 and section 5.3 require alignment and consistency between plans and risk appetite. Section 5.3 amended. First line o Concerns expressed on over-expectation on counterparties / clients’ transition plan review. The credibility assessment should be per￾formed externally. o S & G knowledge gap. The 1st line of defence plays an important role to assess the risk profile of counterparties including given their transition strategies. Expertise and capabilities should be developed, noting the emphasis put in the GLs on E. Section 6.2. clarified Second line The (perceived equal role) role of compliance vs. risk management in the GLs is being challenged: o Respondents suggested the removal of the reference to the compli￾ance function from par. 86 b) as the risk limits referred to in this par￾agraph are typically monitored by the risk management function. o In alignment with paragraphs 179-187 of EBA Guidelines on internal governance (EBA/GL/2021/05), which assign to the risk management The reference to the compliance function has been removed from this paragraph to focus on the role of the risk management function. The compliance function’s responsibilities are specified under section 5.4. Section 6.2 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 138 function the responsibility of the risk management framework in￾cluding assessing the consistency of risk appetites and limits with the risk strategy Engagement with counterparties without transition plan Precise the expected engagement with counterparties with no transition plan because of their size, location, local regulation etc. The Guidelines require banks to determine, justify and document their engagement policies, including their scope. Transition plans of counterparties should be leveraged, where available. Section 5.1 and section 6.2 clarified. Question 20: Metrics and targets Targets and Metrics – Purposes (Strategic versus Prudential approach) The targets and metrics presented are strategic and unable to be used as risk management tools. The content of the plans will be guided by public policy objectives aimed at carbon neutrality. Therefore, it does not appear clear how the targets and metrics will aid banks in the assessment of prudential risk. To solve this problem, two options could be considered:

• Paragraph 90 could be amended, by deleting “risk management and” or replacing “with a view to mitigating risks” with “with a view to achieve strategic goals”.
• In order for plans to both serve risk management and strategic steer￾ing purposes, metrics and targets could be defined as per the ESRS with potential additional datapoints to fulfil specific requirements of the prudential risk approach. The metrics and targets in 5.7, 6.3 or 6.4 are meant to focus on risk management aspects such as integration in the risk management framework, assessment and monitoring of exposures / emissions / portfolios alignment, engagement with clients etc. The choice of specific targets is the responsibility of banks. ESRS are disclosure purpose based and CRD is focused on prudential / risk aspects. See also response above on 5.7 and Annex tool for indicative ESRS references. Section 6.3.4 amended Purposes (Physical risk) A reference to physical risks could be added in paragraph 90 (“risks stemming from the physical impacts of changing climate”). Physical risks are integral part of requirements as set in background (para. 20 – 30), in 4.1 - materiality assessment (para. 16), and metrics within 5.7 monitoring. No change Targets and metrics – Consistency with CSRD The guidelines should require data based on ESRS requirements. As of now, the metrics and targets lack consistency with CSRD. More specifically, the EBA should align the target-setting horizon of prudential plans with CSRD (2030 and 2050 instead of a short-term 3-year horizon). Consistency with See responses above on data, time horizons and metrics. The 3-years horizon reference has been removed. Section 6.3 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 139 future sector-specific ESRS for the financial sector should also be taken into account. The annex provides ESRS cross-references vs. each part of the 6.4 output plan. Targets and metrics – Consistency with NZBA The guidelines are not consistent enough with voluntary commitments such as NZBA, especially because paragraph 94 raises concerns on the methodology of alignment used (absolute vs relative emissions). Moreover, it should be sufficient for CRD plans to refer to strategic climate targets taken as voluntary commitments. GLs set regulatory requirements for all institutions. Alignment metrics are requested and may be computed based on emissions intensity. Consistency with voluntary commitments is now mentioned. Section 6.1 amended Consistency with P3 The guidelines should be more consistent with Pillar 3 reports. Some metrics and parts of plans are interconnected with parts of Pillar 3 and where relevant consistency has been ensured and references included in the Annex. However, plans have their own, internal risk management purpose and go beyond Pillar 3. No change Targets and metrics – Proportionality This section of the guidelines could expressly recall the proportionality principle as compliance with this section would be disproportionate for small and medium-sized institutions. Proportionality is recalled within several parts of the GLs and specifically in application of the metrics in 6.3.4 and 6.4. Section 6.3 and section 6.4 amended Targets – Extension of the scope of activities covered The targets should cover all activities and jurisdictions and paragraph 89 should be re-written as “all activities and business lines are covered by targets and metrics”. Institutions should set specific sector-based targets for the most environmentally harmful sectors. These targets should be based on the evolution of the sector in a 1.5° no/low overshoot scenario (with limited volume of negative emissions). Metrics and targets – including sector alignment metrics – are meant to monitor and address material ESG risks identified on the basis of comprehensive materiality assessments. No change Targets - different scales Cascading down the targets at economic activities level (i.e. individual technologies) seems too detailed and associated with uncertainties regarding data quality and availability. In some cases, metrics and targets can apply to specific economic activities. Section 6.4 clarified Metrics – Optional nature The metrics should be viewed as suggestions, rather than compulsory. The guidelines are too prescriptive and would benefit from more flexibility given to institutions (to tailor targets and metrics to the specific needs of each institution). The guidelines should not require institutions to set targets for metrics that are based on specific scenarios (e.g. the IEA NZ2050). If The Guidelines require banks to consider the metrics listed in 5.7 for the purpose of target setting. Banks should determine, taking into account their business strategies and risk appetite, which other risk-based and forward-looking metrics and targets they will Section 6.3.4 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 140 minimum requirements are kept, they should be concentrated to climate￾related factors. The question of the limits to be set was also raised, with several respondents calling for targets and limits to be imposed only on the most relevant metrics. include in their plans. Banks are responsible for setting specific targets levels. See also above on IEA scenario. Metrics – Mandatory nature The mandatory nature of metrics is welcomed. The EBA could even take further actions for a more prescriptive approach on the format and content of transition plans. See response in row above. Section 6.3.4 amended Metrics – Nature-related risks The guidelines should include metrics related to nature-related risks (including by adopting a double materiality approach informed by the recommendations of the TNFD). The Guidelines require banks to take steps to progressively include metrics that support risk assessment and strategic steering related to institutions’ exposure to, and management of, environmental risks other than climate-related, e.g. risks stemming from the degradation of ecosystems and biodiversity loss. Section 6.3.4 amended Metrics - Transparency Banks must be transparent with the methodologies used to calculate metrics. CRD based plans are not required to be disclosed. However, documentation of metrics and plans is required in section 5.7 and section 6.4. Section 5.7 and section 6.4 clarified Metrics – Forward-looking nature Point-in-time metrics might not be relevant and do not distinguish between investments in a high-emitting sector which are designed to decarbonise, versus those which finance the status quo. The guidelines need to lay out forward-looking metrics related to emissions such as Expected Emissions Reductions (EER). The combination of both point-in-time and forward looking metrics is needed in order to get a “complete picture” of expected transition and physical risks exposures. The GLs mention that institutions should compute, use and monitor forward-looking ESG risks metrics and indicators. See also amendments to section 5.7 in particular on financed emissions (cf row below). Section 5.7 and section 6 clarified Metrics – Comments and proposed changes – Paragraph 94a) was subject to many proposals, among which:

• Consider consistency with the methodology developed under NZBA (targets are expressed as intensities and not as absolute emissions for sectors other than oil and gas under NZBA methodology) The metric related to financed emission has been amended. Para. 94a) is now 81c) and includes: Section 5.7 amended.

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 141 Financed emissions

• GHG emission intensity metrics can be misleading and should not be required (variety of formulas for calculating relative emissions, inten￾sity per euros is misleading, need to reduce absolute emissions)
• Extend emission coverage to include facilitated emissions
• Emissions targets to be differentiated to cover individual sectors, as￾set classes, and gases, as well as aggregated across portfolios, and gases (by using the metric of CO2-equivalent).
• Consider a hierarchy with i. financed GHG emissions (absolute emis￾sions, in tons CO2 equivalent, and where relevant in intensity per unit of production, or by default, intensity of revenues, associated with a portfolio) and ii. Current and forecasted (short, middle and long-term) GHG emissions in absolute, and where relevant in inten￾sity per unit of production, or, by default, in intensity such as per million-euro revenues
• Set targets for the total emissions of the companies financed, both at a sectoral and portfolio-wide level, without using an attribution factor Financed GHG emissions by scope 1, 2 and 3 emissions in absolute value and where relevant intensity relative to units of production or revenues, split by sectors, using a sectoral differentiation as granular as possible and at least for selected sectors determined on the basis of the materiality assessment. Institutions should complement this metric with qualitative or quantitative information and criteria supporting the interpretation of its evolution, including any temporary increase due to provision of transition finance to greenhouse gas-intense counterparties, and identifying the underlying drivers of emissions change. Metrics – Comments and proposed changes – Portfolio alignment Paragraph 94b) was subject to some comments:
• Clarify the definition of “production capacities operated by clients”
• Limit portfolio alignment metrics or replace them with sectoral align￾ment metrics
• Take into account the fact that (mis)alignment of a counterpart to a given sectoral pathway might not be representative of the financial risks it carries Para. 94b) is now 81b) and includes: Portfolio alignment metrics at sectoral level. Institutions should complement this indicator with information related to the assessment of potential financial risks impacts resulting from misalignments. Production capacities operated by client may capture physical output vs. emissions. Section 5.7 amended Metrics – Comments and proposed changes – Share of income Regarding 94c), respondents suggest to: o Add the total share of income related to business with counterpar￾ties operating in sectors that highly contribute to nature degradation o Add capex metrics for high-risk sectors, starting with coal, oil and gas The metric might not allow the consideration of counterparty-specific factors (e.g. best-in-class) or the nature of exposures. Para. 94c) is now 81a) and includes: a) Amount and share of exposures to and income. A metric related to nature-related risks has been included and a reference to monitoring exposures to fossil fuel sector entities added. Section 5.7 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 142 Metrics – Comments and proposed changes – Energy efficiency of collaterals Regarding 94d), the following comments were made: o The lack of harmonization at EU level between EPC regulations is a strong limit to the use of this metric. o Banks could also assess the financed emissions of their real estate assets (in addition to energy efficiency). No mention of EPC anymore in the GLs. Changed to: Energy efficiency. Section 5.7 amended Metrics – Comments and proposed changes – Engagement with counterparties Paragraph 94e) could be amended to: Clarification: o Clarify the definitions of (positive) engagement and “percentage of borrowers” o Show a more direct connection with counterparties’ transition plans (“including in relation to counterparties’ transition plans”) Counterparties: o Reflect that engagement should be performed for companies that need to take further transition actions (concentration of engage￾ment on companies that are already sustainable would not mitigate transition risk) o Limit the metric to counterparties that have been identified as ma￾terial, are included in a portfolio subject to the alignment targets and are on the top of the consideration of the level of services the bank is providing to this counterpart Metric: o Add a metric for the engagement stage the companies are in and dis￾close the cases where engagement was unsuccessful and led to di￾vestment o Separate the metric into 2 indicators: (i) the first focusing on moni￾toring the engagement activities of the institution, (ii) the other fo￾cusing on monitoring the performance of counterparties Evaluate progress observed over time against individual institution’s transition plan assessment methodologies Para. 94e) is now 81e):

• Clarification: The percentage of coun￾terparties for which an assessment of ESG risks has been performed, also as regards their transition strategies and where available transition plans
• There is no concept of material client but banks should determine, justify and document the scope of engage￾ment
• A range of counterparty-specific ac￾tions may be taken in line with sec￾tion 5.1, this is reflected in follow-up actions taken by the institution. Section 5.7 amended Metric – Comments and Paragraph 96) proposed amendment: Given the importance of both physical risks and concentration risks (from a transition Section 5.7 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 143 proposed changes – Paragraph 96 o Regarding physical risks, institutions should perform a comprehen￾sive assessment that distinguishes between chronic and acute risk impacts, across various climate scenarios, as well as appropriate granularity depending on the use case. o Regarding ESG-related concentration risk, the work done is imma￾ture (the concept has not been yet defined in the regulation), which could justify a phased implementation and physical risks perspective), metrics related to these risks are included in 5.7. Metrics – Proposals for new metrics The guidelines could impose new metrics, such as: o Environment o Sector-specific o Indicators related to fossil fuel (e.g. forward-looking metrics regard￾ing the total portfolio exposure to fossil fuels, including details about how this breaks down according to fossil fuel type (coal, oil, gas), value chain exposure (upstream, midstream, and storage), as well as regional breakdowns where possible) o An indicator on the sustainable power supply to fossil fuel financing ratio (e.g. ESBR) o Indicators on sustainable exposures and carbon-intensive exposures mentioned in Section 5.8 paragraph 72 o Proportion of high emitting hard-to-abate sector exposure with and without credible transition plans o Portfolio alignment (by sector) with verified 1.5-degree goals and with verified credible transition plans (verified externally) o Others o Financial projections, including revenue, Capital Expenditures (CAPEX) and Operational Expenditures (OPEX) o An indicator reflecting the Climate Value-at-Risk of counterparties under a range of climate scenarios and across multiple time-horizons o Assessment of the emissions profile for mortgages and real estate assets See response above on metrics included in 5.7. The GLs in paragraph 81 listing minimum metrics is completed by paragraph 104:

• Institutions should determine, taking into account their business strategies and risk appetite, which other risk￾based and forward-looking metrics and targets they will include in their plans with a view to monitoring and addressing ESG risks. This includes assessing, computing and using met￾rics to evaluate the financial implica￾tions of transition planning for insti￾tutions’ business and risk profile
• In addition, the Annex supporting tool offers several examples of addi￾tional metrics spanning E, S & G Section 5.7 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 144 o Proportion of “green” exposures with breakdown specifically to sus￾tainable power solutions o Proportion of “transition” exposures with a comprehensive science￾based definition o An indicator related to nature-related risks o An indicator related to the mitigation of physical risks o An indicator that requires to show the consistency between sustain￾ability-related risk targets and impact targets • Social & Governance o Indicators related to remuneration (e.g. proportion of individuals with remuneration linked to transition plan progress) or training (e.g. percentage of staff receiving transition plan-related training) o Indicators inspired by social and governance Principal Adverse Im￾pact indicators of SFDR as well as social and governance metrics of CSRD ESRS Question 21: Climate and environmental scenarios and pathways General comments – Proportionality The requirements set in Section 6.4 might not be suitable for small and medium-sized institutions. Paragraph 97 is seen as too detailed and paragraph 97a should be the only paragraph formulated as binding for SNCIs. As paragraph 98 requires a significant amount of information to fulfil these requirements, the EBA should consider a phased approach to implementation. The Guidelines now provide that the complexity of the scenarios should be proportional to the size and complexity of institutions. Non-large institutions may rely on a simplified set of main parameters and assumptions, included risks, time horizons considered, and regional breakdown of impacts. Section 6.3.1 amended General comments – Binding nature The EBA should specify that the list of scenarios mentioned is representative and not mandatory. If scenarios are publicly recognized and science-based, banks should be given more flexibility. The Guidelines do not preclude and even ask banks to use public, science-based scenarios. Scenarios may now be national on top of EU or international. See also above on portfolio alignment assessments. Section 6.3.1 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 145 Type of scenarios / Suggestions for adding new scenarios The EBA should consider including NGFS, IPCC and the scenarios used for the Fit-for-55 exercise as sources for publicly available scenarios. The guidelines should also explicitly mention that banks are allowed to develop their own internally designed scenarios. It could also be useful to encourage banks to also use worst-case scenarios and clarify the need to use among the different scenarios those with high tail risks. The guidelines should also consider scenarios where financed NFCs won't be able to timely achieve a transition that is fully aligned with benchmark one. See above on portfolio alignment methods. The guidelines now further emphasise that banks should understand their sensitivity to ESG risks under different scenarios and understand how different scenarios may affect their transition planning efforts. Section 6.3.1 amended Type of scenarios / Clarifications expected from the EBA Risk management and strategic steering as different use cases for climate scenarios and pathways would require banks to also consider “real-world” projections of decarbonisation trajectories in addition to “normative” pathways (such as the IEA Net zero emission scenario). Moreover, the guidelines should specify that a uniform scenario does not necessarily have to be used on a company-wide basis, as different jurisdictions have different transition pathways. See above on the clarification regarding consideration of different scenarios. In addition, the Guidelines provide that the geographical reference and granularity, such as in terms of regional breakdowns, of the scenarios and pathways used by institutions should be relevant to their business model and exposures. Section 6.3.1 amended Type of scenarios / Global vs. regional scenarios The publicly available scenarios quoted do generally not provide regional breakdowns (global scenarios). Reflecting geographical aspects and granularity will require the consideration of additional or alternative scenarios. Moreover, national authorities often publish their own scenarios, which might be more tailored to portfolios with a national focus. These scenarios in line with EU objectives could offer valuable data. See above for: national consideration, geographical differences. Furthermore, para. 95 provides: addressing the specific environmental risks that may stem from the process of adjustment towards the climate and environmental￾related regulatory objectives of the jurisdictions where they operate. Section 6.3.1 amended Negative emissions / climate overshoot The EBA should provide clear guidance specifying that the methodology must be based on a 1.5°C scenario with no or low overshoot and with limited reliance of negative emissions. Para. 95b) refers to para. 38, which requires sectoral decarbonisation pathways to be consistent with the applicable policy objective, such as the EU objective to reach net-zero GHG emissions by 2050 and to reduce emissions by 55% by 2030 compared No change

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 146 to the 1990 level, or any national objective where applicable. In addition, methodological choices should be justified and documented. Limitations in the use of scenarios The guidelines should identify explicitly limitations in the use of scenarios. The economic models used for climate scenarios analysis were developed to deal with traditional financial risks and are not suitable for climate-related risks. Tipping points and feedback mechanisms are not modelled and the models ignore some severe impacts of climate change (sea-level rise, migration, etc). The risks could therefore be underestimated. Each scenario comes with its own limitation in both design and application. Banks should understand implications of different scenarios, as set out in these GLs and future GLs on scenario analysis. Section 6.3.1 amended Transparency Institutions should provide transparency on the underlying model choices and assumptions. Disclosure is out of scope but banks should justify and document their methodological choices. No change Question 22: Section 6.5 – transition planning Structure & relation with other sections The structure of Section 6.5 should be reviewed for further clarity. In particular, the EBA could establish clearer links with sections 6.1 and 6.2, whose themes are closely interrelated with transition planning. The structure of section 6 has been reviewed including to specify transition planning aspects before setting out the key contents of plans. Section 6 restructured Alignment of the section with GFANZ framework Section 6.5 could be aligned with the GFANZ framework by grouping paragraphs 101, 102, 104 and 105 under the heading “Implementation Strategy Section” and paragraph 103 as the “Engagement Strategy Section” in order to provide a visible signal of international consistency. Section 6.4 detailing the key contents of plans now includes two parts catering for implementation and engagement (para. 109d) e)). Section 6.4 amended Engaging with counterparties – Clarifications needed The guidelines should stress the importance of engagement as the main driver of a transition plan (as scope 3 represents most of a bank's emissions). It would therefore seem worthwhile clarifying some of the EBA's expectations, including the definition of engagement, based on time-bound objectives and an escalation strategy (incl. exit strategy). Section 6.4 includes requirements for engagement, including policies, processes and outcomes. See also response on section 5.1. Section 6.4 amended Engaging with counterparties – Difficulties raised The requirements set by the EBA are too extensive (reviewing counterparties transition plans is seen as very resource intensive, whereas banks could rely on ESG scores instead for instance). See answers provided above on counterparties engagement. Section 5.1 and section 6 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 147 counterparties plans – Scope too narrow Requesting transition plans for only large counterparties might generate a portfolio-level blind spot. Moreover, the exclusion of financial corporates in paragraph 102 is not justified. See answers provided above on the scope of client engagement. Section 5.1 and section 6 amended counterparties plans – Scope too large Difficulties with the engagement process were raised, including the fact that it is not possible to engage with all clients. One way of solving this issue would be to implement a phased approach. These difficulties are further exacerbated for institutions that have a short-term lending business model. See answers provided above on the scope of client engagement. Section 5.1 and section 6 amended counterparties plans – Verification of counterparty actions External verification of counterparties transition plans should be encouraged to enhance credibility. The plan should be accompanied by an annual Scope 1, 2 and 3 emissions inventory that is complete, accurate, transparent, consistent, relevant and verified by a third party. Moreover, the guidelines should define the way the bank entails course corrections when the plan is proven infeasible. See answers provided above on the bank’s responsibility to assess the risk profile of counterparties. No change Transition planning processes Further details could be provided for certain aspects, such as clarification on how to assess the implications of transition planning on the business and risk profiles. Transition planning processes could be presented more precisely, by describing them as the collection of interoperable metrics from corporates and setting interim targets. Transition planning has been reviewed and expanded. An expected roadmap with interim objectives is present in 6.4 Section 6 amended The role of banks in the transition Even though institutions play a key role in the transition process, the role given to banks is too broad. Section 6.5 seems to suggest that the task of transition is exclusively reserved for banks. It is therefore seen as too far￾reaching to ask banks to consider “adjustments to the product offering, the agreement of an action plan and remediation measures to support an improved transition path for the counterparty” (paragraph 103). The guidelines and the range of actions listed as potential risk management tools aim at supporting banks’ safety and soundness, including in the process of the transition. No change Question 23: Level of granularity for the plans Areas needing more details On top of answers stating “more details needed” without further precision, respondents highlighted the need for more details on transition plan credibility. Transition planning (now section 6.3) has been fully revamped and their output (6.4) are specified with more details. Section 6 amended

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 148 In addition, sector (e.g. fossil fuels) commitments / action plan should be more detailed, including carbon offsets management. S&G would deserve more details. Finally, inter alia, targets, governance, monitoring or materiality assessment were cited as needing more details. Areas too detailed (and why) Few respondents thought the guidelines were too detailed with too many rules and should remain high level – need for flexibility and principles-based guidelines, especially on transition plan, decarbonisation strategies, ESG risk metrics … The guidelines were also deemed too detailed and overwhelming for SNCIs / LSIs. Para. 110 caters specifically for SNCIs with less requirements in the plans content (6.4). Section 6.4 amended Question 24: Common format for the plans required by the CRD General views The answers were quite polarised with most respondents asking for a common format type of template, while other respondents having a negative view on the proposal. Many positive respondents did not elaborate except it would improve interoperability with greater standardisation including proportionality for SNCIs. Induced qualities brought by a potential template were: Comparability; Efficiency / cost; Consistency; Ease of approval / review On the negative side, demand for flexibility dominates and a loose (or NZBA’s) framework catering for every need is preferred. There was no specific trend expressed on the structure or tool to be considered for the common format but some features mostly around interoperability. Taking into account the comments received, the EBA has decided to include a supporting tool for institutions in the Annex. This does not introduce additional requirements but provides for each key content required by the guidelines some examples, references and potential metrics that institutions may consider as they structure and formalise their plans. Institutions may adapt the format of this common approach provided they ensure that all required key contents are included in their plans. Annex included Improving interoperability Most of the ideas proposed invokes a starting or mixed format including other EU requirements (at least CSRD / ESRS) to be complemented by CRD plans or at least a conversion table between ESRS and EBA GL is mentioned. Key is to align targets, metrics, KPIs…or at least leverage same data across frameworks. The annex supporting tool provides references to CSRD / ESRS to foster interconnections and consistency. Annex included

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 149 Some respondents recall it is the transition plan expected role to unify the frameworks. Question 25: Other challenges Capital neutrality It is important to ensure that transition to a net zero economy is capital neutral. Regulators have the opportunity to deliver capital relief to those banks delivering on credible transition plans. A capital add-on only approach for ESG risks will be a missed opportunity. The Guidelines do not address supervisory measures such as capital add-ons. No change Risk methodology complexity The guidelines propose a combination of methodologies, including exposure￾based, portfolio-based, and scenario-based, to measure ESG risks. Implementing and integrating these approaches might pose challenges due to their complexity and the level of expertise required. There should be sufficient clear instructions for banks to integrate ESG factors into credit, market, operational risk models. With many of these topics (outside of climate) being at early stage of development, we see a potential risk that individual institutions will follow fairly different routes and approaches. Additional tools or frameworks, particularly for the complex methodologies suggested for ESG risk assessment should be provided. Providing more examples and use cases can certainly improve the understanding of the document and facilitate the application of the rules by the institution. More explicit guidance on predicting and preparing for future ESG risks, including potential changes in technology, regulations, or industry practices would help. The Guidelines provide harmonised requirements on the types of methodologies, and main features for each type, to be used by institutions to assess ESG risks. Given data and methodological developments, institutions should improve practices and develop their own complementary methods over time. Institutions remain responsible to properly understand, assess and manage risks they face, including ESG risks. No change but also see above on section 4.2 Question 26: Other comments Supervisory gold plating As the EBA has already flagged that the Guidelines will be eventually integrated into the SREP, institutions should not expect to have to meet a secondary set of supervisory expectations on top of the Guidelines’ requirements. The EBA SREP Guidelines will be addressed to competent authorities and not include requirements for institutions. No change

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 150 Integrate transition plans in other sections As transition plans are recognised by the Guidelines as a risk management tool, provisions on transition plans should be integrated into the respective sections on materiality assessment, risk management, monitoring, governance, ILAAP and ICAAP - rather than being singled out in the section 6, which led to certain requirements being duplicative/overlapping. The EBA has considered several options. Integrating requirements on plans in a dedicated section of the Guidelines allows to provide clarity on all requirements, which should be read in conjunction. Duplications have been removed and cross-references added. Section 6 amended Recognise governance structures The Guidelines should recognize differences in institutional setups and allow room for implementation in accordance with existing governance structures. The Guidelines should be applied by banks regardless of their governance structure. See Guidelines on internal governance. No change Mutualisation of banks’ data collection In order to avoid high reporting burden for corporates, it could be relevant to suggest financial institutions to rely on mutualization of efforts (e.g. mutualized questionnaire, common initiatives…)? The banking industry might explore such avenue. The Guidelines list certain data points to consider for the assessment of ESG risks, hence supporting harmonisation. No change Engagement with stakeholders We recommend continuous engagement with industry stakeholders to keep the Guidelines relevant and practical, including by involving employees and trade unions in the development, implementation and update process of the Guidelines. The EBA engages with stakeholders and will conduct public consultations in case of future updates. No change Risk neutrality of public administration The Public Administration (i.e. central governments, regional governments, local authorities and public sector entities) should be considered ESG risk neutral and therefore excluded from risk assessments for the following reasons: high availability of public funds for climate emergencies, exclusion of expenses for emergencies from public budget deficit, essential public services mechanism, interventions to support public services continuity and sustainability, exclusion from EU Taxonomy. Banks should assess ESG risks stemming from exposures towards various types of counterparties, taking into account specific risk mitigating factors. No change Regulatory risk to banks Regulatory risk could be added in the risk descriptions, as authorities and politics increasingly seem to view the bank and finance industry as part of the "solution" or a part of the toolbox. This results in increased obligations and expectations for the industry also in non-bank regulations (e.g., the building energy directive, potentially in the deforestation regulation, etc.). The Guidelines require banks to take into account regulatory developments as part of risk management and transition planning. Section 6 clarified

FINAL REPORT ON GUIDELINES ON THE MANAGEMENT OF ESG RISKS 151 Real economy transition The real economy is still at the beginning of its transitioning process. Hence, ESG transition also in the financial sector remains a challenge, most likely over several years to come. This needs to be taken into consideration. As part of the range of considerations to support strategy and risk management decision-making, banks should consider the real economy transition progress. UNGPs and OECD MNE Guidelines The UN Guiding Principles on Business and Human Rights (UNGPs) and OECD Guidelines for Multinational Enterprises (OECD MNE Guidelines) provide a common reference point for responsible business conduct including as it relates to environment and social sustainability. All businesses, including financial market participants, have a responsibility to respect human rights and that should be implemented through a process of human rights due diligence. The UNGPs and OECD MNE Guidelines have gained wide legitimacy and are referenced in ESG related EU regulation. The Guidelines require banks to implement due diligence processes with a view to assessing financial impacts stemming from S and G factors, taking into account the adherence of corporate counterparties to social and governance standards, including the UNGPs and OECD MNE Guidelines. Section 4.2 amended