1. Introduction
European financial regulation has grown substantially in complexity over the past two decades. Multiple institutions operate at global, European and national levels, each with a distinct mandate, legal basis and range of instruments. For financial institutions, understanding who regulates what, and through which type of measure, is not merely an academic exercise. It directly determines how obligations arise, how they must be implemented and what enforcement mechanisms apply.
A fundamental but frequently misunderstood distinction underlies the entire supervisory architecture: the difference between hard law and soft law. Hard law consists of binding legal acts that create enforceable rights and obligations. Soft law encompasses recommendations, guidelines and technical standards that shape behaviour without being directly enforceable in the same way. In practice, the boundary between the two is not always clear, and soft law instruments frequently carry significant compliance expectations. This distinction operates at both EU and national level.
This article maps the principal institutions active in European banking supervision and explains the practical implications of the hard law and soft law distinction for financial institutions operating in the European Union.
The practical relevance of this framework has been underscored by the legislative developments of recent years: the implementation of Basel IV through CRR III and CRD VI, the entry into force of DORA, and ongoing EBA work on supervisory convergence have all added new layers to an already complex landscape. Understanding the architecture and the nature of each instrument has therefore become more important than ever. More recently, the EU Artificial Intelligence Act, which entered into force in August 2024 and applies progressively through 2026, has introduced a further cross-sectoral layer of obligations relevant to financial institutions deploying AI systems in regulated functions such as credit scoring, anti-money laundering screening or automated customer interaction.
2. The European Supervisory Architecture: Three Levels
European financial supervision is organised across three interconnected levels: global standard-setters, European institutions, and national authorities. Each level contributes to the overall regulatory framework in a different way.
2.1 Global Standard-Setters
At the international level, two bodies are particularly relevant for banks operating in Europe.
The Financial Stability Board (FSB) coordinates global financial stability policy. It comprises representatives of finance ministries, central banks and supervisory authorities, including the European Central Bank (ECB) and the European Commission. The FSB does not produce binding rules. Instead, it identifies vulnerabilities in the global financial system, issues recommendations and monitors implementation of agreed standards. Its outputs are a prominent example of soft law: influential and widely followed, but not directly enforceable.
The Basel Committee on Banking Supervision (BCBS) functions as the primary global standard-setter for bank regulation. Hosted at the Bank for International Settlements (BIS) in Basel, Switzerland but institutionally independent, it brings together central banks and supervisory authorities from 28 jurisdictions. Germany is represented by Deutsche Bundesbank and BaFin; at the European level, the ECB and the Single Supervisory Mechanism (SSM) participate. The BCBS develops the internationally agreed capital and prudential standards — most notably the Basel framework, including the current package commonly referred to as Basel IV. These standards are not themselves binding; they acquire legal force only once transposed into EU or national law.
2.2 European Institutions
Within the European Union, a layered structure exists comprising legislative institutions, macroprudential oversight and microprudential supervision. The architecture of EU financial rulemaking follows the Lamfalussy framework, which organises the legislative process across four levels: primary legislation (Level 1), technical standards and delegated acts (Level 2), supervisory convergence through guidelines and Q&As (Level 3), and enforcement (Level 4).
Legislative process. The European Commission holds the exclusive right to propose legislation. Its Directorate-General for Financial Stability, Financial Services and Capital Markets Union (DG FISMA) is the main body responsible for financial sector legislation. The European Parliament and the Council of the European Union — through its Economic and Financial Affairs Council (ECOFIN) formation — jointly adopt binding legislation in the ordinary legislative procedure. The output of this process is hard law: EU Regulations (directly applicable in all Member States) and Directives (requiring national transposition).
Macroprudential oversight. The European Systemic Risk Board (ESRB) monitors systemic risk across the EU financial system. Chaired by the ECB President, it encompasses representatives of national central banks and the chairs of the three European Supervisory Authorities. The ESRB can issue warnings and recommendations, but these are not legally binding. Addressees must, however, report the action they have taken in response or justify their inaction, and the ESRB may decide to make a recommendation and the response to it public. This 'act or explain' mechanism gives soft law instruments practical weight.
Microprudential supervision and the European Supervisory Authorities. Three European Supervisory Authorities (ESAs) carry out the day-to-day regulatory and standard-setting work at EU level. For the banking sector, the European Banking Authority (EBA) is the central institution; the European Securities and Markets Authority (ESMA) covers capital markets and securities supervision; and the European Insurance and Occupational Pensions Authority (EIOPA) covers insurance and occupational pensions.
- The EBA works towards a coherent and effective supervisory regime across the EU banking sector. Its primary tool is the Single Rulebook: a unified set of prudential rules applicable to all credit institutions in the EU. The EBA contributes to the Single Rulebook by drafting Binding Technical Standards (BTS), comprising Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS), which are submitted to the Commission for adoption and, once adopted, become legally binding. Beyond binding standards, the EBA issues Guidelines and Q&As that do not have the force of law in themselves, but which national competent authorities are expected to comply with or explain why they do not.
- ESMA fulfils a comparable function for securities markets. It participates in the legislative process through recommendations for delegated acts, drafts technical standards, and exercises direct supervisory authority over specific entities such as credit rating agencies and trade repositories.
- EIOPA completes the ESA framework. While its mandate does not directly extend to banking supervision, its work on conglomerate supervision and the implementation of Solvency II is relevant for financial groups operating across both sectors. This article focuses on EBA and ESMA as the ESAs most directly relevant to banks and investment firms.
Banking Union and the Single Supervisory Mechanism (SSM). The SSM represents the framework for banking supervision across participating EU Member States. It comprises the ECB and the national competent authorities of the participating countries — in Germany, BaFin and the Bundesbank. The ECB directly supervises significant institutions, currently more than 100 banks across the euro area, which account for approximately 80% of total banking assets. Supervision of less significant institutions remains primarily with national authorities, subject to ECB oversight. Joint Supervisory Teams (JSTs), composed of ECB and national authority staff, conduct ongoing supervision of significant banks.
Resolution. The Single Resolution Board (SRB) is the resolution authority of the European Banking Union. Its mandate is to ensure that failing banks can be wound down in an orderly manner with minimal costs to taxpayers. It prepares resolution plans, assesses resolvability and sets minimum requirements for own funds and eligible liabilities (MREL). Once the ECB (or, in certain cases, the SRB itself) has determined that a bank is failing or likely to fail, the SRB adopts a resolution scheme, which takes effect unless the Commission or the Council objects within the statutory deadline. The SRB works closely with national resolution authorities, issuing instructions to them within the Single Resolution Mechanism (SRM).
2.3 National Authorities
At the national level in Germany, the Federal Financial Supervisory Authority (BaFin) and Deutsche Bundesbank share responsibility for banking supervision. BaFin is the competent authority for licensing, enforcement and macroprudential measures such as setting the countercyclical capital buffer and capital surcharges for other systemically important institutions. The Bundesbank is responsible for ongoing monitoring, including the review of regulatory reporting, assessment of capital adequacy and evaluation of risk management.
BaFin is also the designated national resolution authority, acting in coordination with the SRB for institutions within the SRM. For data protection matters, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) and the state-level data protection authorities share supervisory responsibilities, with the BfDI representing Germany in the European Data Protection Board (EDPB).
3. Hard Law and Soft Law: A Practical Distinction
The distinction between hard law and soft law is central to understanding how supervisory obligations arise and how institutions must respond to them.
3.1 Hard Law
Hard law comprises measures that are legally binding and enforceable. In the EU context, the principal forms are:
- EU Regulations
- EU Directives (not directly applicable; they must be transposed into binding national law by each Member State)
- Binding Technical Standards (RTS and ITS) adopted by the European Commission on the basis of ESA drafts
- National legislation implementing EU Directives (e.g. the German KWG, WpHG or ZAG)
Hard law creates direct obligations. Non-compliance exposes institutions to supervisory action, including formal orders, fines or, in serious cases, licence withdrawal. The Capital Requirements Regulation (CRR) and the Capital Requirements Directive (CRD), which together implement the Basel framework in the EU, are the most significant hard law instruments for banks. Further core examples are the Markets in Financial Instruments Regulation and Directive (MiFIR/MiFID II), the Payment Services Directive (PSD2), for which the proposed PSD3 and Payment Services Regulation (PSR) are the intended successors, and the Anti-Money Laundering framework.
3.2 Soft Law
Soft law instruments do not themselves create legally enforceable obligations in the traditional sense. However, they are far from optional in practice. The principal categories include:
- EBA and ESMA Guidelines: National competent authorities are required to notify the ESAs whether they comply or intend to comply. Non-compliance must be publicly explained ('comply or explain'). In practice, the vast majority of guidelines are incorporated into supervisory expectations across all Member States.
- Q&As: Responses by the ESAs to questions from national authorities and market participants on the interpretation of EU rules. These do not formally bind courts but carry significant interpretive weight in supervisory practice.
- ESRB warnings and recommendations: Subject to a 'comply or explain' obligation at the level of the addressee (typically the Council, the Commission or national macroprudential authorities).
- FSB and BCBS standards: Politically committed to by G20 leaders and finance ministers, transposed into EU law through the legislative process, but not directly binding on institutions until so transposed.
- ECB and SSM supervisory expectations: Published in the form of guides, frequently asked questions and letters. While formally supervisory guidance rather than binding rules, they directly inform the supervisory review and evaluation process (SREP) and failure to follow them typically results in supervisory dialogue and may affect capital add-ons.
A practical consequence of this structure is that institutions must monitor both hard and soft law developments. Supervisory expectations formulated in EBA guidelines or ECB guides often anticipate future binding requirements and shape the supervisory assessment in the period before formal rules enter into force. Auditors conducting annual audits and any special audits mandated by supervisory authorities also pay close attention to the relevant soft law.
4. Why the Distinction Matters Operationally
For compliance and legal functions, the hard law/soft law distinction has several practical implications.
First, enforcement risk differs. Breach of a binding regulation creates direct legal exposure. Deviation from an EBA guideline triggers the comply-or-explain mechanism and may result in supervisory findings, but does not automatically constitute a legal violation in the same sense. That said, supervisory findings arising from deviation from soft law can be escalated to formal measures if the supervisor concludes that the overall risk management or governance framework is inadequate.
Second, implementation timelines differ. Binding EU Regulations typically include transitional provisions and phased implementation schedules. Soft law guidance may come into effect with shorter notice and can evolve more rapidly through supervisory Q&A processes, ECB letters or updates to guidelines.
Third, geographic scope may differ. EU Regulations apply uniformly across the EU. National transposition of Directives can introduce variations. Soft law instruments issued by national authorities — such as BaFin circulars or interpretive letters — apply only domestically, even when they purport to implement EU-level guidance.
Fourth, the boundary between hard and soft law is becoming less distinct. The progressive adoption of EBA guidelines into supervisory expectations, the embedding of soft law standards in the SREP process, and the increasing use of Q&As to fill gaps in binding rules have created a landscape where the formal legal category of an instrument does not fully capture its practical weight. The AI Act further complicates this picture by imposing obligations that cut across sectoral boundaries, applying to financial institutions not as banks but as deployers of AI systems — creating a need to coordinate compliance across regulatory frameworks that were developed independently and are supervised by different authorities.
5. Conclusion
The European supervisory framework is a multi-layered system in which global standard-setters, EU institutions and national authorities interact across different levels of legal authority. Financial institutions must engage with this landscape in its entirety — tracking legislative developments at EU level, monitoring ESA guidelines and technical standards, and responding to supervisory guidance issued by the ECB, BaFin and the Bundesbank.
The hard law and soft law distinction remains analytically important, but institutions that treat soft law as genuinely optional do so at operational risk. Supervisory expectations embedded in guidelines and guidance documents carry real compliance weight. A structured approach to monitoring and implementing both categories is therefore an essential element of a sound governance and compliance framework.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.