Banking and Finance Regulation in 2026: Basel IV (CRR3), DORA and the New Supervisory Landscape, Belgium

The landscape of banking finance regulation 2026 Basel IV represents a watershed moment for Belgian financial institutions, as three powerful regulatory currents converge simultaneously. The EU transposition of the Basel IV standards through CRR3 is reshaping capital requirements across the sector, while the Digital Operational Resilience Act (DORA), now fully in force, is compelling banks to overhaul their ICT risk management and third-party oversight frameworks. At the same time, supervisory authorities including the National Bank of Belgium (NBB) and the European Central Bank (ECB) have markedly intensified enforcement actions on financial crime, consumer protection and governance failures.
This article provides a Belgium-focused practical guide to the three pillars of this regulatory shift, including actionable compliance checklists, timelines and a structured comparison of obligations by institution type.

Basel IV (CRR3), What Changed and Who Is Exposed

Basel IV, formally known as the finalisation of Basel III, or Basel 3.1, is the most significant overhaul of prudential capital requirements 2026 has brought to the European banking sector. The Basel Committee on Banking Supervision (BCBS) finalised these standards in December 2017, and the EU has transposed them through CRR3 (Regulation (EU) 2024/1623) and the amended Capital Requirements Directive (CRD VI). For Belgian banks operating under joint NBB supervision and ECB Single Supervisory Mechanism oversight, the changes are substantial and ongoing.

What Basel IV / Basel 3.1 (CRR3) Changes

The headline reforms under Basel IV address longstanding concerns about variability in how banks calculate risk-weighted assets (RWAs). The key changes include:

• Output floor. Banks using internal models (IRB approaches) must now ensure their total RWAs are no lower than a specified percentage of the amount calculated under the standardised approach. This floor is being phased in, starting at 50% on 1 January 2025 and rising incrementally to 72.5% by 1 January 2030.
• Revised standardised approach for credit risk. The standardised approach has been recalibrated with more granular risk-weight categories for exposures to banks, corporates, retail clients and real estate, replacing the broad-brush buckets previously in use.
• Constraints on IRB models. Internal model usage has been restricted for certain exposure classes, particularly equity exposures and exposures to large and mid-sized corporates, where banks must now apply the standardised approach or foundation IRB.
• New standardised approach for operational risk. The previous Advanced Measurement Approaches (AMA) have been retired and replaced by a single, standardised measurement approach that combines a business-indicator component with an internal-loss multiplier.
• Revised market risk framework. The Fundamental Review of the Trading Book (FRTB) introduces more risk-sensitive capital charges for trading-book positions.

EU Transposition, CRR3 Overview and Phasing

CRR3 entered into force on 9 July 2024 and began applying from 1 January 2025 for most provisions, with important transitional arrangements that will phase in over several years. The European Commission designed the transposition to accommodate EU-specific features, including a transitional treatment for unrated corporates and adjustments to the output floor to reflect EU market structures. Belgian institutions supervised directly by the ECB (significant institutions) receive supervisory expectations and model approvals through the Joint Supervisory Teams, while less significant institutions are supervised by the NBB under the SSM framework.

The phased timeline for key CRR3 milestones is as follows:

Date
CRR3 / Basel IV Milestone
Implication for Belgian Banks

1 January 2025
CRR3 application date, revised standardised approaches, new operational risk framework, initial output floor (50%)
Banks must apply new RWA calculations; NBB and ECB reviewing model-change applications

1 January 2026
Output floor rises to 55%
Capital planning must reflect rising floor

1 January 2027
Output floor rises to 60%; FRTB reporting obligations for trading-book institutions now apply (postponed from 2026 by Commission Delegated Regulation (EU) 2025/1496); phased removal of transitional arrangements for certain exposures
Further capital buffer pressure on model-heavy Belgian banks; trading desks recalibrate risk models

1 January 2030
Full output floor at 72.5%
Final steady-state capital impact; all banks must be fully compliant

Who Is Most Exposed in Belgium

Belgian banks are not equally affected by these changes. The institutions most exposed to the capital impact of CRR3 and Basel IV are:

• Large internationally active banks using internal models. These institutions face the greatest output-floor impact, as the gap between their internal model outputs and the standardised equivalents is typically widest. Mortgage-heavy portfolios with historically low IRB risk weights are particularly affected.
• Regional and domestic banks on standardised approaches. While they avoid output-floor mechanics, they face material increases in risk weights for certain exposures, particularly specialised lending, equity holdings and unrated corporate loans.
• Investment firms and non-bank credit institutions. Many are drawn into the CRR3 perimeter with revised market-risk and operational-risk requirements, depending on their size and activities.

The following comparison table summarises how obligations differ across entity types for both CRR3 and DORA:

Entity Type
Basel IV / CRR3 Reporting & Capital Change
DORA / ICT Reporting Obligations & First-Line Checks

Large internationally active bank (model-based RWAs)
Significant recalibration; output floor impact; increased capital requirements for certain exposures, must re-run capital models and update internal governance. Expected earlier compliance deadlines (phased).
Full DORA scope, dedicated third-party register, major-incident reporting, advanced ICT risk testing; supervisors will check outsourcing governance and contractual SLAs.

Regional / domestic bank (standardised approach)
Material increase for portfolios previously underweighted; fewer model adjustments but higher capital charges for certain exposures.
DORA applies; simpler ICT setups still require incident reporting, third-party oversight and testing; supervisors examine vendor management.

Investment firm / non-bank credit institution
Many brought into the CRR3 perimeter; possible changes to market-risk and operational-risk calculations depending on size and activities.
Subject to DORA if providing or relying on ICT services within scope; third-party management and incident reporting expected.

Action Checklist for Compliance and Finance Teams

• Quantitative impact assessment. Re-run capital calculations under the new standardised approaches and output floor to identify shortfalls.
• Model inventory review. Catalogue all internal models affected by IRB restrictions and prepare model-change applications for ECB/NBB.
• Capital planning. Update ICAAP projections and dividend/distribution plans to reflect the phased output floor trajectory through 2030.
• Data and systems. Ensure granular data availability for the revised standardised approach risk-weight buckets, particularly for real estate and corporate exposures.
• Board reporting. Brief senior management and the board on the capital trajectory and any strategic implications for business lines.

DORA in Practice, What Belgian Banks Must Do Now

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) became applicable on 17 January 2025, bringing sweeping obligations for ICT risk management, incident reporting and third-party oversight to the entire EU financial sector. For DORA Belgium implementation, the NBB acts as the competent authority for credit institutions, payment institutions and electronic money institutions, coordinating with the ECB for significant banks and with the FSMA for investment firms and insurance companies.

Scope and Key Obligations

DORA applies to virtually all regulated financial entities in Belgium, including banks, insurers, investment firms, payment institutions, crypto-asset service providers and their critical ICT third-party service providers. The five core pillars of DORA are:

• ICT risk management framework. Institutions must maintain a comprehensive, documented ICT risk management framework with clear governance, risk identification, protection, detection, response and recovery capabilities.
• ICT-related incident reporting. Major ICT-related incidents must be classified and reported to the NBB (or ECB, for significant institutions) within prescribed timeframes, initial notification, intermediate report and final report.
• Digital operational resilience testing. Regular testing, including threat-led penetration testing (TLPT) for significant institutions, must be conducted at defined intervals.
• ICT third-party risk management. Financial entities must maintain a register of all ICT third-party arrangements, conduct due diligence, and include specific contractual provisions in all outsourcing and service agreements.
• Information sharing. Entities are encouraged to participate in voluntary cyber-threat information-sharing arrangements.

Practical Buildout: Registers, Contracts and Reporting Templates

The practical implementation of DORA demands considerable operational effort. Belgian banks should focus on three immediate workstreams. First, the ICT third-party register must catalogue every ICT service provider relationship, specifying the services provided, the criticality assessment, subcontracting chains and contractual terms. The European Supervisory Authorities (ESAs) have published templates for this register that the NBB expects institutions to adopt. Second, existing contracts with ICT providers must be reviewed and, where necessary, amended to include the mandatory clauses required by DORA, covering audit rights, exit strategies, service-level agreements, data location requirements and incident-notification obligations. Third, institutions must establish incident reporting procedures aligned with the regulatory technical standards published by the ESAs, including clear escalation pathways and internal classification criteria.
For a detailed analysis of what qualifies as an ICT service under DORA, see our explainer on the meaning of ICT services under DORA.

Where Supervisors Check First

Early supervisory reviews under DORA in Belgium have consistently focused on several areas of non-compliance. Industry observers note that supervisors prioritise examining the completeness and accuracy of third-party registers, the adequacy of contractual provisions with critical ICT providers (particularly around exit strategies and subcontracting controls), and the maturity of incident-classification and reporting processes. Institutions that relied on informal arrangements or legacy outsourcing agreements without updating them to DORA standards are likely to face remediation requests. The NBB supervision approach has also focused on governance, specifically whether the management body has formally approved the ICT risk management framework and whether there are clear lines of accountability for digital operational resilience.

The New Supervisory and Enforcement Landscape

Beyond Basel IV and DORA, the broader supervisory environment in 2026 is characterised by a marked increase in enforcement intensity. European and national regulators have signalled, and acted on, a lower tolerance for weaknesses in financial crime controls, consumer protection and corporate governance. This shift in financial crime enforcement 2026 is directly relevant to Belgian banks operating cross-border.

Enforcement Themes in H1 2026

The dominant enforcement themes across European supervisory authorities in the first half of 2026 have centred on three areas:

• Anti-money laundering and counter-terrorist financing (AML/CTF). Regulators have continued to impose significant penalties on institutions with inadequate customer due diligence, transaction monitoring and suspicious activity reporting. The establishment of the EU Anti-Money Laundering Authority (AMLA) has intensified cross-border supervisory coordination.
• Consumer protection and conduct of business. Supervisors have focused on product governance, fee transparency and the treatment of vulnerable customers, with several enforcement actions targeting unfair commercial practices and inadequate complaints handling.
• Governance and internal controls. Weaknesses in board oversight, risk management frameworks and internal audit functions have drawn regulatory scrutiny, particularly at institutions undergoing rapid digitalisation or organisational change.

Examples and Patterns

The pattern across European enforcement actions in H1 2026 reveals a clear trend: regulators are imposing larger fines with explicit remediation orders and, in some cases, requiring the appointment of independent monitors or the removal of responsible individuals. The ECB’s supervisory priorities for 2025–2026 explicitly highlight credit risk management, governance effectiveness and operational resilience as core focus areas. Industry observers expect these priorities to drive a sustained cycle of on-site inspections, thematic reviews and targeted data requests across the eurozone, including Belgium.

What Belgian Firms Should Expect from NBB and ECB Supervision

Belgian banks should anticipate heightened supervisory expectations Belgium-wide during 2026 and into 2027. The NBB has aligned its supervisory priorities with the ECB’s published framework, meaning Belgian significant institutions will face Joint Supervisory Team inspections focused on CRR3 implementation progress, DORA readiness and AML/CTF controls. Less significant institutions supervised directly by the NBB can expect thematic reviews on ICT risk and outsourcing governance, with specific documentation requests regarding third-party registers and incident response procedures. Belgium’s updated criminal law framework for corporate liability adds a further dimension, as regulatory failings may carry both administrative and criminal consequences for responsible officers.

AI in Banking: Emerging Regulatory Guidance and Liability Issues

The rapid adoption of artificial intelligence in banking is prompting regulatory bodies across Europe to issue guidance on acceptable use, governance and supervisory expectations. For Belgian banks, AI in banking regulation is no longer a future concern; it is an active area of supervisory attention.

Where AI Is Used in Banking

Belgian banks are deploying AI across a growing range of functions, including credit scoring and decisioning, fraud detection, anti-money laundering screening, customer-service automation through chatbots, and portfolio risk management. Each application raises distinct regulatory questions about model risk, bias, transparency and consumer protection.

What Regulators Are Signalling

The European Banking Authority (EBA) has issued thematic guidance emphasising that AI models used in credit decisioning must meet the same model-risk management standards as traditional statistical models, including documentation, independent validation, ongoing monitoring and clear governance. The EBA has further stressed the importance of explainability: institutions must be able to explain the factors driving an AI-based decision to both supervisors and affected customers. Bias testing and fairness considerations are increasingly required, particularly where AI is used in lending decisions that may have discriminatory outcomes. At the EU level, the AI Act creates a horizontal framework that classifies certain AI applications in financial services, such as creditworthiness assessments, as high-risk, triggering specific obligations around conformity assessment, human oversight and transparency.
Meanwhile, comparable regulators such as the UK’s Financial Conduct Authority (FCA) have emphasised outcome-based accountability, and US prudential agencies have focused on fair-lending implications.

Practical Legal Risks and Recommended Controls

For Belgian banks, the practical legal risks from AI adoption include supervisory challenge to model outputs, customer complaints about adverse automated decisions, GDPR data-protection claims and potential liability under the AI Act for non-compliant high-risk systems. Recommended controls include:

• Model governance framework. Treat AI models with the same rigour as IRB or market-risk models, document development, validation, monitoring and decommissioning.
• Explainability protocols. Ensure that every AI-driven customer-facing decision can be explained in plain language, both internally and to the affected individual.
• Bias and fairness testing. Conduct regular testing for discriminatory outcomes and document remediation actions.
• Human oversight. Maintain meaningful human intervention in high-impact decisions, as both the AI Act and EBA guidance require.
• Board accountability. Ensure the management body understands and has approved the institution’s AI strategy and associated risk appetite.

Belgium-Specific Compliance Roadmap and Priorities

Belgian financial institutions, whether supervised by the NBB directly or through the ECB SSM, should structure their compliance response around three time horizons, mapped to the key regulatory workstreams under banking finance regulation 2026 Basel IV and DORA.
Immediate (0–6 months):

• Treasury and Risk: Complete CRR3 quantitative impact assessment; recalculate output-floor impact on capital ratios; update ICAAP documentation.
• IT and Operations: Finalise DORA ICT third-party register; commence contract remediation with critical providers; implement incident-classification and reporting procedures.
• Legal and Compliance: Conduct gap analysis against DORA contractual requirements; review AI model governance documentation against EBA guidance.

Medium-term (6–18 months):

• Treasury and Risk: Submit model-change applications to ECB/NBB for IRB recalibrations; prepare for 2027 output-floor increase to 60%.
• IT and Operations: Complete first cycle of DORA resilience testing (including TLPT for significant institutions); build out cyber-threat information-sharing capabilities.
• Legal and Compliance: Update board-level reporting on operational resilience; ensure AI Act compliance for high-risk applications.

Long-term (18–36 months):

• All functions: Prepare for full output-floor phase-in to 72.5% by 2030; embed DORA operational resilience as business-as-usual; develop mature AI governance framework aligned with evolving supervisory expectations.

The interplay between these regulatory workstreams means that siloed compliance efforts are unlikely to succeed. Industry observers expect institutions that integrate CRR3 capital planning, DORA operational resilience and AI governance into a unified regulatory-change programme to manage costs and supervisory interactions more effectively. Comparative approaches in other jurisdictions, such as the RBI’s new banking rules in India, illustrate similar trends toward consolidated supervisory expectations, albeit with jurisdiction-specific features.

Conclusion

The regulatory environment for Belgian banks in 2026 is defined by the simultaneous implementation of Basel IV through CRR3, the operational demands of DORA and a supervisory landscape that has become materially more assertive. For in-house legal teams, compliance officers and senior management, the challenge is not merely understanding each regulation in isolation but managing their combined impact on capital planning, technology infrastructure, governance and risk culture. The institutions best positioned to navigate banking finance regulation 2026 Basel IV and DORA are those investing in integrated compliance programmes, robust data infrastructure and board-level engagement with the regulatory agenda.
As enforcement intensity continues to rise and AI governance expectations crystallise, proactive action, rather than reactive remediation, will distinguish well-managed Belgian financial institutions from those facing supervisory censure.

Need Legal Advice?
This article was produced by Global Law Experts. For specialist advice on this topic, contact Dominique Blommaert at Janson Baugniet, a member of the Global Law Experts network.

Sources