On 22 December 2025, the European Securities and Markets Authority (ESMA) issued a final report on guidelines on internal controls for benchmark administrators (BAs), credit rating agencies (CRAs) and market transparency infrastructures. The final report follows an earlier consultation paper that ESMA issued on 19 December 2024.

In the final report ESMA explains its overarching rationale for the guidelines, summarises the feedback it received to its earlier consultation and includes the finalised guidelines on internal controls. The guidelines are structured in two parts, each dealing with one pilar of the internal control system. The first part focuses on a supervised entity’s overall framework for internal controls (IC Framework) while the second part focuses on the roles and responsibilities of different internal control functions within this framework (IC Functions). Under each part, the IC Framework and the IC Functions are then further split into different components.

The guidance under the IC Framework is split into the following five components: (i) control environment; (ii) risk management; (iii) control activities; (iv) information and communication; and (v) monitoring activities.

The guidance on IC Functions is split into components which match specific IC Functions, namely: (i) compliance; (ii) risk management; (iii) information security management (only for supervised entities not in remit of the Digital Operational Resilience Act); (iv) internal audit; (v) review function (for CRAs); (vi) oversight function (for BAs). For these IC Functions, ESMA sets out what the role of each function should be, what its reporting lines should be, and whether it can be merged or combined with other functions.

The guidelines will become effective on 1 October 2026. When the guidelines come into force the current guidelines on internal control for CRAs will be repealed.