2025/369
25.2.2025
COMMISSION DECISION (EU, Euratom) 2025/369
of 21 February 2025
establishing the role of the Chief Risk Officer overseeing the financial risks arising from the Union’s financial operations
THE EUROPEAN COMMISSION,
Having regard to the Treaty on European Union,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 249 thereof,
Having regard to the Treaty establishing the European Atomic Energy Community, and in particular Article 106a thereof,
Whereas:
(1) Regulation (EU, Euratom) 2024/2509 of the European Parliament and of the Council (the ‘Financial Regulation’) (1) provides for the possibility that the Union provides loans backed by the budget and budgetary guarantees where these prove to be the most appropriate way to achieve policy objectives of the Union and in accordance with the definitions laid down in their respective basic act. The Union’s financial operations undertaken to implement these instruments might give rise to a range of financial risks (such as credit, market, liquidity, operational, reputational and compliance) with possible consequences for the Union budget.
(2) The Union’s financial operations have expanded significantly – in volume and scope – over the course of the present Multiannual Financial Framework. Loans, budgetary guarantees and financing of EU policies through issuance of debt securities have been used on a large scale to fund responses to emerging challenges and successive crises. In view of these developments, the Commission’s financial risk management and compliance framework developed and implemented in respect of the Union’s borrowing, lending and debt management operations should be enhanced and its coverage extended also to financial risks arising from asset management operations and budgetary guarantees.
(3) The role of the Chief Risk Officer under this Decision is a continuation of developments in financial risk management which started with the establishment of the role of Chief Risk Officer by Commission Implementing Decision C(2021) 2502 of 14 April 2021 for borrowing, debt management and lending operations under NextGenerationEU. Following the introduction of the diversified funding strategy as a general borrowing method, the Chief Risk Officer oversight was then extended to all borrowing, debt management, liquidity management and lending operations with Commission Implementing Decision (EU, Euratom) 2022/2544, (2) which was subsequently amended by Commission Implementing Decision (EU, Euratom) 2023/2825 (3).
(4) The financial risks arising from the implementation of the Union’s financial operations should be properly identified, mitigated, managed and communicated. The risk framework should be robust and provide a comprehensive, rigorous and independent capacity for supervising the financial risks arising across all the Union’s financial operations undertaken. The framework should ensure that the Union’s financial operations should be conducted in a manner consistent with the highest standards of integrity and sound financial and risk management.
(5) In enhancing its financial risk management and compliance framework for the Union’s financial operations, this Decision establishes a specific Commission governance solely regarding the financial risks arising from the Union’s financial operations. The rules of this Decision should complement the Rules of Procedure of the Commission (4) of the financial risks arising from the Union’s financial operations and have the intention to align with best practices and standards in financial risk management and compliance as implemented by peer institutions engaged in the conduct of similar financial operations, while respecting the legal and institutional framework established by the Treaties.
(6) The Decision should therefore be based on the ‘three lines of defence’ model. The ‘first line of defence’ should be the Directorates-General responsible for the Union’s financial operations who should remain responsible for the design, implementation, management, planning and execution of operations under their responsibility in line with the Financial Regulation. The Chief Risk Officer should be an independent function, acting as the ‘second line of defence’ at a corporate level with primary responsibility to establish a sound financial risk management framework for the oversight of the Union’s financial operations and oversee its implementation. The ‘third line of defence’ should be the Internal Audit Service which should exercise its role in line with Article 118 of the Financial Regulation.
(7) In keeping with the model of three lines of defence, the Directorates-General responsible for the Union’s financial operations, acting in their capacity as first line of defence, should implement sound financial risk management processes and ensure compliance with the High Level Risk and Compliance Policy and thematic risk and compliance policies.
(8) The financial risk management and compliance framework is to be implemented together with other acts establishing Commission governance, in particular the Internal Rules (5), the Rules of Procedure of the Commission, the Communication from the President to the Commission P(2024)5 of 4 December 2024 ‘The Working Methods of the European Commission’ and the Commission Communication SEC(2000) 560 (6) announcing the establishment of the Internal Audit Service. The close cooperation from the very early stages of preparation, pursuant to the Working Methods of the European Commission, should be ensured also in relation to the financial risk management laid down in this Decision and in particular should involve the Chief Risk Officer.
(9) The Chief Risk Officer and the Directorates-General responsible for the Union’s financial operations should implement any steps under this Decision loyally, should establish and promote risk culture and apply the requirements of prudence and the principle of sound financial management in their approach to financial risks arising from the Union’s financial operations, ensuring close cooperation. This would entail developing policies through interservice working groups composed of participants of the Directorates-General responsible for the Union’s financial operations concerned, and working in a coordinated fashion from the outset. Furthermore, the work on financial risk management carried out pursuant to this Decision should take into account evaluations, lessons learned and experience gained by the services during the implementation of programmes and instruments authorising budgetary guarantees and loans, inclusive, as appropriate, existing risk frameworks, best market practices and international standards, as well as relevant legislation related to financial risk management and compliance.
(10) This Decision should accordingly extend the role, responsibilities and tasks of the Chief Risk Officer to all the Union’s financial operations concerned. The Chief Risk Officer should develop the financial risk management and compliance framework for all the Union’s financial operations including through the completion of specific tasks set out in this Decision, oversee the financial risks and report on them. In keeping with the function of second line of defence, the Chief Risk Officer should continue to act in full independence from the Directorates-General responsible for the Union’s financial operations and should not be hierarchically subordinated to the Director-General for the Budget and should continue to have a direct reporting line to the Member of the College responsible for the Budget.
(11) In line with the independence of the Chief Risk Officer from the Commission services implementing the Union’s financial operations, the post of Chief Risk Officer should be occupied by a senior manager with adequate professional experience in financial risk management who is to be supported by a dedicated team having relevant expertise. The function of the Chief Risk Officer should not be compatible with the functions of authorising officer by delegation for the Union’s financial operations and of the Accounting Officer.
(12) Despite the Chief Risk Officer not being a service within the meaning of Article 45(1) of the Rules of Procedure of the Commission, it is of essence for the independence of the function to be considered equivalent to a service responsible and service having legitimate interests for the purposes of respectively Articles 55 and 58 of the Rules of Procedure of the Commission. To this effect, the Chief Risk Officer should in particular be the service responsible for inter-service consultations on the High Level Risk and Compliance Policy and the thematic risk and compliance policies. As service having legitimate interests, the Chief Risk Officer should be consulted in interservice consultations in particular on legislative proposals for programmes or instruments authorising budgetary guarantees and loans, as well as on acts implementing programmes or instruments authorising budgetary guarantees and loans and on acts concerning any Union’s financial operations.
(13) The Chief Risk Officer should have general and specific tasks. The Chief Risk Officer should develop the framework governing the financial risk management and compliance for the different categories of the Union’s financial operations, consisting of High Level Risk and Compliance Policy and thematic risk and compliance policies in close cooperation with the Directorates-General responsible for the Union’s financial operations. The Chief Risk Officer should oversee the implementation and the compliance with the risk and compliance framework pursuant to this Decision. The High Level Risk and Compliance Policy should contain risk and compliance guidelines for the implementation of the Union’s financial operations. This over-arching framework should define the risk objectives, the risk management governance, should identify the main risks and the principles for sound financial risk management to manage and mitigate those risks.
(14) In addition to these tasks of a general nature, the Chief Risk Officer should be assigned specific tasks relating to the main processes for planning important categories of the Union’s financial operations. This Decision should set out a non-exhaustive list of specific tasks which should be accomplished. This should include the issuance of opinions on the funding plan for borrowing and debt management operations, internal acts, and measures for the implementation of the Union’s borrowing, debt management, liquidity management and asset management operations. Furthermore, the Chief Risk Officer should develop, in close cooperation with the Directorates-General responsible for the Union’s financial operations, guidelines and common tools to underpin the methodologies and systems needed for effective risk management and reporting on the Union’s budgetary guarantees and loans whether provisioned or not. On the basis of the information provided by the Directorates-General responsible for the Union’s financial operations, the Chief Risk Officer should also provide relevant input on financial risks arising from the Union’s financial operations and contingent liabilities to reports encompassing these issues adopted by the Commission, in particular those referred to in Articles 41(5) and 256 of the Financial Regulation.
(15) The thematic risk and compliance policies should set out the details for the risk management and compliance related to the financial risks, such as credit, market, liquidity, operational, reputational and compliance risks arising from the Union’s financial operations, in accordance with their specificities at the programme or instrument level. These policies should set the risk appetite framework, and define the risk methodologies, which are used to assess, quantify, evaluate, and report on the relevant financial risks. For budgetary guarantees and loans, in view of the need to continuously assess the risks, it is appropriate that the thematic risk and compliance policies establish particular tools, define risk methodologies, including risk parameters, and ensure Commission-wide consistency as appropriate and to measure the level of financial risks to be provisioned.
(16) The internal rules and procedures, including internal guidelines, technical guidance and manuals put in place by Directorates-General responsible for the Union’s financial operations should permit the early and accurate identification of risks and the implementation of relevant risk mitigation and management measures and reliable and timely reporting to the Chief Risk Officer. With a view of ensuring coherent implementation of the High Level Risk and Compliance Policy and thematic risk and compliance policies, it should be possible for the Directorates-General responsible for the Union’s financial operations to consult the Chief Risk Officer on the internal rules and procedures, including internal guidelines, technical guidance, and manuals on their compliance with those policies.
(17) The Chief Risk Officer should provide advice, where necessary to the Directorates-General responsible for the Union’s financial operations on the implementation of the High Level Risk and Compliance Policy, thematic risk and compliance policies, and the management of specific risks. The Directorates-General responsible for the Union’s financial operations should address such advice and provide explanations on the measures taken.
(18) To enable effective and efficient monitoring by the Chief Risk Officer, the respective Directorates-General working with third parties, notably implementing partners for budgetary guarantees, should obtain the necessary input about financial risks related to the Union’s financial operations from the implementing partners and share this upon request with the Chief Risk Officer.
(19) To ensure that all relevant actors are consistently informed on the financial risk management of the Union’s financial operations, appropriate reporting obligations for the Chief Risk Officer should be established. The Chief Risk Officer should in particular report regularly to the Member of the College for the Budget, the Members of the College responsible for the Union’s financial operations, and to the Director-General of the Directorate-General for the Budget and the Directors-General responsible for the Union’s financial operations. Reporting by the Chief Risk Officer should build on the programme-specific reporting by the Directorates-General responsible for the Union’s financial operations. The financial risk reporting and monitoring should enable the early identification of any emerging financial risks arising from the Union’s financial operations.
(20) The Chief Risk Officer should be supported by a Compliance Officer. The latter should report directly to the Chief Risk Officer and act under their authority. Compliance functions should comprise matters regarding (i) compliance of the institution and conduct of the Union’s financial operations by Commission services and their counterparties with rules and procedures and (ii) prevention of money laundering, terrorist financing, tax avoidance, tax fraud or tax evasion. With respect to the Union’s financial operations implemented in indirect management, the compliance officer should not directly provide recommendations and guidelines, as these operations already benefit from a robust system of controls, and the rules of entrusted entities are pillar assessed under Title VI of the Financial Regulation.
(21) Currently, three different committees co-exist. Firstly, the Steering Committee on Contingent Liabilities was established by Commission Decision C(2020) 5154 (7) to provide coordination and oversight of a common risk management framework for contingent liabilities. Secondly, for borrowing, debt management, liquidity management and lending operations, the Chief Risk Officer, as currently in place, is supported by the Risk and Compliance Committee, as defined in Implementing Decision (EU, Euratom) 2023/2825. Thirdly, within the Directorate-General for the Budget, an internal risk committee oversees the functioning of the asset management operations, with transmission of outputs to the Asset Management Board. With a view to creating an integrated risk and compliance management framework, a single Risk and Compliance Committee, replacing the above-mentioned committees, should be established to support the Chief Risk Officer with respect to all Union’s financial operations. Decision C(2020) 5154 establishing the Steering Committee on Contingent Liabilities should accordingly be repealed.
(22) The composition of the Risk and Compliance Committee should bring together expertise in matters of financial risk and budgetary management, as well as the policy and operational perspectives and the risk management expertise of Directorates-General involved in the implementation of the Union’s financial operations. The Members of the Risk and Compliance Committee should be representatives having senior management function of the Directorate-General for the Budget, of the Secretariat-General and from each Directorate-General responsible for managing the Union’s financial operations.
(23) The Risk and Compliance Committee should support the Chief Risk Officer in the conduct of their duties related to financial risk management and oversight and the development and implementation of the relevant risk framework applicable for the Union’s financial operations.
(24) The High-Level Risk and Compliance Policy and the thematic and risk compliance policies should be adopted by the Commission. With a view to drawing on the expertise of the Risk and Compliance Committee and in view of the need to involve all the services concerned from early stages of preparation of the High Level Risk and Compliance Policy and the thematic and risk compliance policies, the Chief Risk Officer should submit the draft of the policy to the Risk and Compliance Committee for discussion ahead of the interservice consultation.
(25) To ensure a smooth transition from the current governance setup which includes three committees, all existing risk management governance arrangements including the Steering Committee on Contingent Liabilities should remain in place until the first meeting of the Risk and Compliance Committee foreseen in this Decision. Several manuals and documents of the Directorate-General for the Budget as well as of the Directorates-General responsible for the Union’s financial operations set out the financial risk management rules for asset management operations and budgetary guarantees, including the risk management frameworks applicable to programmes or instruments authorising budgetary guarantees already adopted at the date of entry into force of this Decision. In the field of borrowing and lending, a High Level Risk and Compliance Policy and several supporting thematic policies have been adopted by the Commissioner for the Budget. These documents are the basis for the execution of ongoing financial operations and they should remain in force pending review by the Chief Risk Officer and until such time as replaced by the High Level Risk and Compliance Policy, as well as thematic risk and compliance policies adopted in accordance with this Decision. To take account of the requirements of legal certainty and legitimate expectations of implementing partners and counterparts implementing already concluded guarantee agreements, it is appropriate to provide that the decisions approving the High Level Risk and Compliance Policy and thematic risk and compliance policies provide for transitory provisions. Those transitory provisions should ensure that the risks are managed within the risk appetite as defined for the programmes or instruments authorising budgetary guarantees adopted before the entry into force of this Decision. 
When developing and implementing agreed risk measurement methodologies in respect of budgetary guarantees and loan programmes established before the entry into force of this Decision, the Chief Risk Officer and the Directorates-General in charge of the Union’s financial operations should respect the risk appetite as well as results from the programme or instrument authorising the budgetary guarantee or a loan and relevant implementing measures. This should also apply to any signed guarantee agreements, as well as to agreements that are yet to be signed based on programmes or instruments authorising budgetary guarantee already adopted at the date of entry into force of this Decision.
HAS ADOPTED THIS DECISION:
SECTION 1
SUBJECT MATTER AND DEFINITIONS
Article 1
Subject matter
1. This Decision defines the role, responsibilities and tasks of the Chief Risk Officer for the Union’s financial operations (the ‘Chief Risk Officer’). The Chief Risk Officer, as a second line of defence at corporate level, shall have the mandate to develop, implement and monitor the Commission’s risk management and compliance framework for financial risks arising from the Union’s financial operations. The Chief Risk Officer provides an independent assessment of the risks associated with the Union’s financial operations and performs an ongoing monitoring of the portfolio to monitor credit, market and liquidity risks and to identify appropriate risk management actions.
2. The Decision shall be based on the standard financial risk management practice of the ‘three lines of defence’ model, under which the first line of defence shall be the Directorates-General responsible for the Union’s financial operations, the corporate second line of defence shall be the Chief Risk Officer and the third line of defence shall be the Internal Audit Service.
Article 2
Definitions
For the purposes of this Decision, the following definitions apply:
(a) ‘Union’s financial operation’ means loans provided directly by the Union, whether provisioned or not, the Union’s budgetary guarantees covering operations on the basis of guarantee agreements with the implementing partners, debt issuance and debt management including related liquidity management, asset management operations and tasks related to the function of asset management designated service for outsourced portfolio management;
(b) ‘programmes or instruments authorising budgetary guarantees and loans’ means the basic act within the meaning of Article 2(4) of the Financial Regulation which authorises financial liability from budgetary guarantee or a loan in accordance with Article 213(1)(b) and (c) of the Financial Regulation;
(c) ‘financial risk’ means a risk of losses or other adverse events that arise or may arise in the design, execution and management of different categories of the Union’s financial operations due to materialisation of, in particular, credit, market, liquidity, funding, counterparty, operational, reputational and compliance risk;
(d) ‘contingent liability’ means contingent liability as defined in Article 2(16) of the Financial Regulation;
(e) ‘thematic risk and compliance policy’ means a policy, guideline, methodology or any other act referred to in Article 9, which sets out specific procedures and limits related to the Union’s financial operations that shall be followed by the Directorates-General responsible for the implementation of the Union’s financial operations;
(f) ‘risk methodologies’ means the quantitative approach and risk parameters for the assessment, measurement, monitoring and reporting of the financial risks arising from the Union’s financial operations which is implemented in risk management tools and risk management models;
(g) ‘risk appetite’ means the level of risk that the Commission is prepared to accept in order to achieve its policy objectives. The risk appetite per type of risk is to be defined, as appropriate, in the relevant legal acts, the risk management framework, internal policies and manuals and other documents that complement the relevant legal acts and the High Level Risk and Compliance Policy;
(h) ‘risk tolerance’ means the quantified acceptable deviation from the level of risk that shall not be exceeded. The tolerance levels for a specific type of risk and metrics shall allow measuring of and reporting on the risk exposure when implementing the relevant Union’s financial operations. The risk tolerance may be set from zero to full acceptance, depending on the legal framework, policy mandate and the availability and strength of the risk mitigation measures applied to the different identified risks, the framework governing the financial risk management and compliance for the different types or categories of the Union’s financial operations.
Article 3
Close cooperation on financial risk management
1. The Chief Risk Officer and the Directorates-General responsible for the Union’s financial operations shall implement any steps under this Decision, ensuring close cooperation, shall establish and promote risk culture and apply the requirements of prudence and the principle of sound financial management in their approach to financial risks arising from the Union’s financial operations.
2. The development of the High Level Risk and Compliance Policy and thematic risk and compliance policies shall take place through interservice working groups composed of participants of the Directorates-General responsible for the Union’s financial operations concerned.
3. The services of the Directorates-General responsible for the Union’s financial operations and of the Chief Risk Officer shall, from the outset, work in close cooperation and in a coordinated fashion within the Risk and Compliance Committee and its sub-committees on all tasks resulting from the implementation of this Decision, in particular in the preparation of the draft High Level Risk and Compliance Policy referred to in Article 8, of the thematic risk and compliance policies referred to in Article 9 and during the process on assessment of financial risks of programmes or instruments authorising budgetary guarantees and loans referred to in Article 10.
4. The work on financial risk management pursuant to this Decision shall in particular take into account evaluations, lessons learned and experience gained during the implementation of programmes and instruments authorising budgetary guarantees and loans, including, as appropriate, existing risk frameworks, feedback received from counterparts, implementing partners and other stakeholders, best market practices and international standards, as well as relevant legislation related to financial risk management and compliance.
SECTION 2
ROLE OF THE CHIEF RISK OFFICER
Article 4
Status and independence of the Chief Risk Officer
1. The Chief Risk Officer shall serve as the corporate second line of defence for the financial risk assessment of the Union’s financial operations. The Chief Risk Officer shall enjoy autonomy in carrying out the tasks and responsibilities set out in this Decision.
2. The post of the Chief Risk Officer shall constitute a specific function which shall be occupied by a senior manager with adequate professional experience in financial risk management and shall be supported by a dedicated team having relevant expertise. The Chief Risk Officer shall report directly to the Member of the College responsible for the Budget with respect to the responsibilities set out in this Decision.
3. The Chief Risk Officer shall exercise its role independently of functions and tasks related to the design, planning, implementation, management, execution of, and accounting for the Union’s financial operations. The function of the Chief Risk Officer shall not be compatible with the functions of an authorising officer by delegation for the Union’s financial operations and of the Accounting Officer.
4. The Chief Risk Officer shall be considered equivalent to the service responsible within the meaning of Article 55 of the Rules of Procedure of the Commission in respect of the High Level Risk and Compliance Policy and the thematic risk and compliance policies. The Directorates-General responsible for the Union’s financial operations shall be services with a legitimate interest who shall be consulted in interservice consultations on the High Level Risk and Compliance Policy and on those thematic risk and compliance policies which concern them.
5. The Chief Risk Officer shall be considered equivalent to the service with legitimate interest within the meaning of Article 58 of the Rules of Procedure of the Commission and shall be consulted in interservice consultations in particular on legislative proposals for programmes or instruments authorising budgetary guarantees and loans, as well as on acts implementing programmes or instruments authorising budgetary guarantees and loans and on acts concerning any Union financial operation. This shall include interservice consultations on draft guarantee agreements and loan agreements as well as decisions approving the main elements of guarantee agreements. When being consulted, the Chief Risk Officer shall exclusively assess aspects of the financial risk management and compliance with the High Level Risk and Compliance Policy and the thematic risk and compliance policies.
Article 5
General tasks of the Chief Risk Officer
The Chief Risk Officer shall oversee the financial risks stemming from the Union’s financial operations and shall be responsible for the following general tasks:
(a) lead the development of the risk framework governing the financial risk management and compliance for the Union’s financial operations, in particular drawing up a High Level Risk and Compliance Policy, supplemented by thematic risk and compliance policies;
(b) set up and lead interservice working groups on the development of the High Level Risk and Compliance Policy and the thematic risk and compliance policies with participation of the Directorates-General responsible for the Union’s financial operations and other Directorates-General concerned;
(c) oversee the implementation of the risk framework, including systems and processes needed to give effect to the High Level Risk and Compliance Policy and thematic policies by Directorates-General responsible for the Union’s financial operations concerned;
(d) assess the financial risks arising from borrowing operations, liquidity management operations and programmes or instruments authorising budgetary guarantees and loans before proposals for these programmes or instruments are adopted by the Commission;
(e) independently assess, consolidate, and report on the risks arising from the Union’s financial operations, taking into account the data and input from the Directorates-General responsible for the Union’s financial operations, and on compliance with the risk management framework and specified limits, including any relevant provisions set out in the basic acts establishing the individual programmes and the Financial Regulation;
(f) identify potential breaches of and non-compliance with the High Level Risk and Compliance Policy, thematic risk and compliance policies or other risk related guidelines, legal acts and policies and provide advice on mitigation measures where necessary, and/or review management and mitigating measures implemented or proposed by the Directorates-General responsible for the Union’s financial operations;
(g) promote best practices, risk culture, consistent and harmonised risk approaches across Commission services in the management of the risks arising from the Union’s financial operations.
Article 6
Specific tasks in respect of EU borrowing, debt management, liquidity management and asset management operations
In addition to the general tasks, the Chief Risk Officer shall have the following tasks in respect of EU borrowing, debt management, liquidity management and asset management operations:
(a) define within the relevant thematic risk policy, where feasible, the risk appetite, and risk tolerance applicable for the different types of financial operations;
(b) issue an opinion on the draft funding plan and its subsequent amendments;
(c) issue an opinion on the liquidity management strategy for liquidity management operations prior to their adoption or amendment;
(d) be consulted on the asset management guidelines, the strategic asset allocation, and the applicable benchmarks for asset management operations, before their adoption by the Directorate-General responsible for these operations;
(e) define eligibility criteria for authorised counterparties and potential issuers that may be considered for investment opportunities;
(f) define appropriate risk limits to ensure that the credit risk, market risk and liquidity risk undertaken through the asset management and liquidity management operations remain compliant with the risk objectives, risk capacity, risk appetite and risk tolerance set in the relevant investment guidelines, the High Level Risk and Compliance Policy and the thematic policies. The risk limits may be set up at counterparty level or instrument level, or set up at the level of the aggregated exposures;
(g) assess, consolidate and report on risk exposures, executed by the Directorate-General for the Budget or, when relevant, outsourced to a third party.
Article 7
Specific tasks related to assessment of financial risks of programmes or instruments authorising budgetary guarantees and loans
The Chief Risk Officer shall in respect of programmes or instruments authorising budgetary guarantees and loans:
(a) conduct regular and independent portfolio risk assessments based on the approved risk methodologies and based on data provided by Directorates-General responsible for the Union’s financial operations;
(b) provide relevant input on financial risks and contingent liabilities to reports adopted by the Commission on these issues, such as the risk assessment for reporting under Article 41(5) and Article 256 of the Financial Regulation based on information from the Directorates General responsible for the Union’s financial operations.
Article 8
The High Level Risk and Compliance Policy
1. In furtherance of the general task referred to in Article 5(1)(a), the Chief Risk Officer shall prepare a High Level Risk and Compliance Policy.
2. The High Level Risk and Compliance Policy shall:
(a) set the strategic risk objectives guiding the management of the different categories of financial risk arising from the implementation of the Union’s financial operations;
(b) describe the risk governance framework which outlines the main roles and responsibilities related to the risk management and compliance framework of the Union’s financial operations;
(c) present the Commission’s high level risk appetite statement;
(d) identify the principal risks to the financial interests of the Union arising from the implementation of the Union’s financial operations and provide a high-level risk management and compliance framework for the assessment, measurement, mitigation and monitoring of those risks.
Article 9
Thematic risk and compliance policies
1. The thematic risk and compliance policies shall set out the systems, rules, risk methodologies, procedures and processes for the risk management, reporting and compliance related to the main categories of financial risks arising from the Union’s financial operations and shall describe the roles and responsibilities of the different services involved in the management of the identified risks. Those policies shall take into account the specificities of different categories of the Union’s financial operations.
2. The thematic risk and compliance policies shall be in line with the High Level Risk and Compliance Policy.
Article 10
Specific elements of thematic risk and compliance policies establishing risk framework for the Union’s budgetary guarantees and loans
1. The relevant thematic risk and compliance policy in respect to budgetary guarantees and loans shall:
(a) establish the risk methodologies, including risk parameters and tools to evaluate potential losses resulting from budgetary guarantees and loans, which shall, inter alia, constitute guidance for the setting of the provisioning rate;
(b) define the risk methodologies as appropriate to ensure Commission-wide consistency and convergence relevant in the process of the designing, negotiating, implementing and monitoring of budgetary guarantees and loans;
(c) define the methodology to measure the level of financial risks to be provisioned as adequate safety buffer referred to in Article 214(2), second subparagraph of the Financial Regulation.
2. The risk methodologies and tools established in the thematic risk and compliance policies shall be used by both the first and second lines of defence when assessing envisaged programmes or instruments authorising budgetary guarantees and loans.
Article 11
Implementation of the High Level Risk and Compliance Policy and thematic risk and compliance policies
1. The Chief Risk Officer shall oversee the implementation of the High Level Risk and Compliance Policy and the thematic risk and compliance policies by the Directorates-General responsible for the Union’s financial operations.
2. The Directorates-General responsible for the Union’s financial operations shall monitor the risks related to the respective Union’s financial operations and ensure compliance with the High Level Risk and Compliance Policy and thematic risk and compliance policies. To this effect, the Directorates-General responsible for the Union’s financial operations shall in particular:
(a) take all necessary measures to implement controls and reporting systems needed to comply with the systems, methodologies and processes resulting from those policies;
(b) ensure in the implementation of the Union’s financial operations that financial risks remain within the risk appetite and risk limits defined, where relevant, for the programme or instruments establishing the budgetary guarantee and loans;
(c) provide regular reports to the Chief Risk Officer on compliance with the High Level Risk and Compliance policy and thematic risk and compliance policies;
(d) document thoroughly the implementation of the Union’s financial operations which they oversee, report on situations where the risk of the portfolio of operations deviates or may deviate from the set risk levels;
(e) respond in a timely manner to requests for additional information from the Chief Risk Officer, including relevant information available on operations guaranteed by the Union budget and conducted by implementing partners and counterparts, where this is required to enable the Chief Risk Officer to establish an independent assessment of the risks;
(f) when working with third parties, notably implementing partners and counterparts, obtain the necessary information, available in particular in line with the respective guarantee agreements, about financial risks related to the Union’s financial operations.
3. The Directorates-General responsible for the Union’s financial operations shall establish the rules and procedures to ensure effective compliance with the High Level Risk and Compliance Policy and the relevant thematic risk and compliance policies for the Union’s financial operations for which they are responsible. The Chief Risk Officer may be consulted on these rules and procedures with a view to review their compliance with the High Level Risk and Compliance Policy and the thematic risk and compliance policies.
Article 12
Advice to mitigate financial risks
1. The Chief Risk Officer may advise the Directorates-General responsible for the Union’s financial operations on the implementation of the High Level Risk and Compliance Policy or thematic risk and compliance policies or on the management of specific risks. Such advice may include appropriate remedial measures.
2. The Directorates-General responsible for the Union’s financial operations shall, without undue delay, address the advice or, as applicable, other non-compliance or breach of limits as referred to in Article 5(f) and provide to the Chief Risk Officer explanations on the measures taken.
3. The Chief Risk Officer may, as appropriate, inform the Member of the College responsible for the Budget and the Member(s) of the College responsible for the Union’s financial operations concerned about the advice referred to in paragraph (1) and, where relevant, about the deliberations of the Risk and Compliance Committee. Such information may also include assessment of the rules and procedures referred to in Article 11(3).
4. The Chief Risk Officer shall regularly inform the Risk and Compliance Committee on the advice provided and on the follow up by the Directorates-General responsible for the Union’s financial operations.
Article 13
Reports and information on financial risks
1. The Chief Risk Officer shall submit regular reports to the Member of the College responsible for the Budget, the Members of the College responsible for the Union’s financial operations, to the Risk and Compliance Committee, to the Director-General of the Directorate-General for the Budget, to the Accounting Officer and to the Directors-General responsible for the Union’s financial operations, respectively for their areas of competence, on financial risks arising from the Union’s financial operations in accordance with this Decision.
2. The Chief Risk Officer shall promptly inform the Member of the College responsible for the Budget in the event of material developments which call for urgent consideration. In addition, the Directorates-General concerned shall be timely and duly informed.
3. The Chief Risk Officer shall regularly inform the Risk and Compliance Committee, the Director-General of the Directorate-General for the Budget, the Accounting Officer and the Directorates-General responsible for the Union’s financial operations, on risks and non-compliance with rules and procedures or breaches of limits in respect of the Union’s financial operations, respectively for their areas of competence.
4. The Chief Risk Officer shall submit a report on the implementation and functioning of the High Level Risk and Compliance Policy to the College once per year, which may be accompanied by a proposal to review the policy.
SECTION 3
SUPPORT TO THE CHIEF RISK OFFICER
Article 14
Compliance Officer
1. A staff member entrusted with the role of Compliance Officer shall report directly to the Chief Risk Officer on matters regarding conformity with the High Level Risk and Compliance Policy and thematic risk and compliance policies, and rules for anti-money laundering and terrorist financing in respect of the Union’s financial operations and shall perform the compliance function.
2. The compliance function shall in particular include:
(a) in respect of the Union’s financial operations:
(i) compliance related support to relevant services responsible for the operational implementation and execution of the Union’s financial operations; and
(ii) support for the observance of the Commission-wide rules on ethical behaviour and integrity applicable to relevant services involved in the Union’s financial operations;
(b) in respect of the Union’s financial operations other than operations implemented in indirect management, guidance addressing the prevention of money laundering and countering terrorism financing, tax avoidance, tax fraud or tax evasion for the execution of the Union’s financial operations other than budgetary guarantees in indirect management, by entities incorporated in or established in jurisdictions listed under the relevant policy on non-cooperative jurisdictions or that are identified as high-risk third countries pursuant to Article 9(2) of Directive (EU) 2015/849 or that do not effectively comply with the Union or internationally agreed tax standards on transparency and exchange of information, breach sanction regimes or perform other relevant financial irregularities.
3. Guidelines on compliance shall be adopted in accordance with Article 18. These guidelines shall apply to financial operations other than those implemented in indirect management.
The Compliance Officer may also, under the authority of the Chief Risk Officer, where necessary and appropriate, provide advice in line with Article 12.
Article 15
Risk and Compliance Committee
1. A Risk and Compliance Committee shall be established to support the Chief Risk Officer in the conduct of responsibilities of that officer.
2. The Risk and Compliance Committee shall:
(a) discuss the draft High Level Risk and Compliance Policy and thematic risk and compliance policies prepared by the Chief Risk Officer, as well as their amendments;
(b) support the Chief Risk Officer in the tasks referred to in Article 5 of this Decision;
(c) support the Chief Risk Officer in evaluating, monitoring and approving practices regarding the implementation of the High Level Risk and Compliance Policy and relating to the financial risk management and compliance of the Union’s financial operations;
(d) support the Chief Risk Officer in managing the financial risks in connection with the Union’s financial operations and be consulted by the Chief Risk Officer about non-compliance with the High Level Risk and Compliance Policy or breaches of other related guidelines, thematic risk and compliance policies and limits.
3. The Chief Risk Officer may decide to establish sub-committees for specific topics, in particular for specific categories of the Union’s financial operations or for a specific category of risk.
4. The sub-committees shall facilitate the efficient functioning of the Risk and Compliance Committee through:
(a) assisting the Chief Risk Officer in assessing and mitigating risks elaborated in thematic risk and compliance policies;
(b) preparing matters to be brought to the Risk and Compliance Committee;
(c) providing input on technical issues related to the assessment and mitigation of those risks.
Article 16
Members and organisation of the Risk and Compliance Committee and the sub-committees
1. The Chief Risk Officer chairs the Risk and Compliance Committee.
2. The Risk and Compliance Committee shall be composed of the following members:
(a) the Chief Risk Officer;
(b) the Accounting Officer of the Commission;
(c) a representative from the Directorate-General for the Budget overseeing the issuance of debt to finance Union programme;
(d) the Compliance Officer;
(e) a representative from the Secretariat-General designated by the Secretary-General;
(f) a representative from each Directorate-General responsible for budgetary guarantees or loans programmes.
3. The representative from the Directorate-General for the Budget in charge of the multiannual financial framework and a representative from the Directorate-General for the Budget in charge of the annual budget shall be permanent observers to the Risk and Compliance Committee.
4. The Chief Risk Officer may invite other observers to the Risk and Compliance Committee whose opinion and functions are deemed appropriate for the matters discussed at the Risk and Compliance Committee.
5. The level of the representatives under points (c), (e) and (f) of paragraph 2 of this Article shall be Director-General or Deputy Director-General, who may appoint an alternate at the level of senior manager to ensure compliance with the mandate and responsibilities laid down in this Decision.
6. The Compliance Officer referred to in point (d) of paragraph 2 of this Article shall be a non-voting member of the Risk and Compliance Committee.
7. The Chief Risk Officer shall appoint up to three external experts to participate in the meetings of the Risk and Compliance Committee. The external experts shall give opinions and participate in deliberations without voting rights on matters brought before the Committee.
8. The decision to establish a sub-committee pursuant to Article 15(3) shall determine the members which shall participate. A member of the Risk and Compliance Committee, if designated as a sub-committee member, may either be a member of the sub-committee themself or designate the members of the sub-committee from the staff of the respective Directorate-General. The designated members shall possess adequate knowledge and competencies in areas relevant for the work of the sub-committee. A sub-committee shall be chaired by the Chief Risk Officer or by a chair designated by the Chief Risk Officer.
9. The Risk and Compliance Committee shall adopt by a majority of two thirds of its members its rules of procedure and the rules of procedure of sub-committees established in accordance with Article 15(3). The majority vote shall include votes of the members referred to in points (a) and (e) of paragraph 2 of this Article.
Article 17
Secretariat of the Risk and Compliance Committee
The staff of the Chief Risk Officer shall ensure the secretariat of the Risk and Compliance Committee covering at least the following tasks:
(a) contacting and consulting with relevant Commission services when preparing input for the Risk and Compliance Committee;
(b) organising meetings of the Risk and Compliance Committee, including the preparation of the agenda, documents, and minutes of those meetings;
(c) performing other administrative and organisational tasks related to the organisation of the Risk and Compliance Committee.
Article 18
Pre-consultations on the High Level Risk and Compliance Policy and of thematic risk and compliance policies
1. The draft High Level Risk and Compliance Policy and draft thematic risk and compliance policies shall be drawn up by the Chief Risk Officer and discussed in an interservice working group in which the Directorates General responsible for the Union’s financial operations shall participate. The Secretariat-General and the Legal Service shall be invited to such a working group.
2. Prior to initiating the interservice consultation, the Chief Risk Officer shall present the draft High Level Risk and Compliance Policy and draft thematic risk and compliance policies for discussion in the Risk and Compliance Committee in accordance with Article 15(2), point (a).
3. When submitting the draft policies to the interservice consultation and to the Commission for adoption, the Chief Risk Officer shall provide information regarding the outcome of the discussion in the Risk and Compliance Committee referred to in Article 15(2)(a) and its assessment.
4. The members’ comments shall be given due and fair consideration and the Chief Risk Officer shall provide information on how the comments have been reflected, or not, in the High Level Risk and Compliance Policy or the thematic risk and compliance policies.
SECTION 4
FINAL AND TRANSITIONAL PROVISIONS
Article 19
Repeal
1. Decision C(2020) 5154 on establishing the Steering Committee on Contingent Liabilities arising from Budgetary Guarantees is repealed.
2. References to the repealed Decision shall be construed as references to this Decision.
3. Decision C(2024) 745 on the adoption of a Charter of tasks and responsibilities for the Commission’s Chief Risk Officer for borrowing, debt management and lending operations is repealed.
Article 20
Transitional provisions
1. The High Level and Risk Compliance Policy adopted under Decision (EU) 2023/2825 shall remain valid in respect to categories of the Union’s financial operations covered therein until replaced by the High Level and Risk Compliance Policy referred to in Article 8.
2. Manuals and other relevant documents relating to the risk management of asset management operations adopted prior to the entry into force of this Decision shall be reviewed by the Chief Risk Officer. The manuals and other relevant documents approved by the Steering Committee on Contingent Liabilities as well as the manuals and documents of the Directorates-General responsible for the Union’s financial operations setting out the financial risk management rules for existing programmes shall remain valid until their replacement by thematic risk and compliance policies.
3. Appointments of the members of the Risk and Compliance Committee pursuant to points (c), (e) and (f) of Article 16(2) shall be notified to the Chief Risk Officer within one month from the entry into force of this Decision or from the date a Directorate-General receives authorising officer responsibilities for the Union’s financial operations.
4. The decision adopting the High Level Risk and Compliance Policy and thematic risk and compliance policies shall provide for transitory provisions to ensure that the risks are managed within the risk appetite as defined for the programmes or instruments authorising budgetary guarantees adopted before the entry into force of this Decision.
5. Without prejudice to the risk appetite determined by the legislative acts establishing those programmes, the ex post assessment, monitoring and reporting on financial risks of programmes and instruments authorising budgetary guarantees and loans adopted before the entry into force of this Decision shall be carried out by using the methodologies set out in the thematic risk and compliance policies adopted on the basis of this decision.
Article 21
Entry into force and application
1. This Decision shall enter into force on the third day following that of its publication in the Official Journal of the European Union.
2. Article 18 and paragraph 1 of Article 19 shall apply as of the day of the first meeting of the Risk and Compliance Committee, which shall be duly convened by the Chief Risk Officer.
Done at Brussels, 21 February 2025.
For the Commission
The President
Ursula VON DER LEYEN
(1) Regulation (EU, Euratom) 2024/2509 of the European Parliament and of the Council of 23 September 2024 on the financial rules applicable to the general budget of the Union (OJ L, 2024/2509, 26.9.2024, ELI: http://data.europa.eu/eli/reg/2024/2509/oj).
(2) Commission Implementing Decision (EU, Euratom) 2022/2544 of 19 December 2022 establishing the arrangements for the administration and implementation of the EU borrowing and debt management operations under the diversified funding strategy and related lending operations (OJ L 328, 22.12.2022, p. 109, ELI: http://data.europa.eu/eli/dec_impl/2022/2544/oj).
(3) Commission Implementing Decision (EU, Euratom) 2023/2825 of 12 December 2023 establishing the arrangements for the administration and implementation of the Union borrowing and debt management operations under the diversified funding strategy and related lending operations (OJ L, 2023/2825, 18.12.2023, ELI: http://data.europa.eu/eli/dec_impl/2023/2825/oj).
(4) Commission Decision (EU) 2024/3080 of 4 December 2024 establishing the Rules of Procedure of the Commission and amending Decision C(2000) 3614 (OJ L, 2024/3080, 5.12.2024, ELI: http://data.europa.eu/eli/dec/2024/3080/oj).
(5) Commission Decision C(2024) 6814 final of 30 September 2024 on the internal rules for the implementation of the Commission section of the general budget of the European Union.
(6) Commission Communication SEC(2000) 560 of 11 April 2000 ‘The Reform of Financial Management and Control in the Commission’.
(7) Commission Decision of 24 July 2020 on establishing the Steering Committee on Contingent Liabilities arising from Budgetary Guarantees.
ELI: http://data.europa.eu/eli/dec/2025/369/oj
ISSN 1977-0677 (electronic edition)