


As the single supervisor for Credit Rating Agencies (CRAs), Securitisation Repositories (SRs), Trade Repositories registered under EMIR and/or SFTR (TRs), Tier 2 Third-Country Central Counterparties (Tier 2 TC-CCPs), EU Critical Benchmark Administrators and Recognised Third-Country Administrators (Benchmark Administrators) as well as Data Reporting Service Providers (DRSPs) in the EU, ESMA has responsibilities and powers to deal with possible infringements.



CRAs, SRs, TRs, Tier 2 TC-CCPs, Benchmark Administrators and DRSPs under ESMA’s supervision must comply with the requirements set out in the relevant sectoral legislation, and they will be liable where they commit infringements specified under that legislation. Part of ESMA’s supervision of such entities involves investigating such possible infringements and taking enforcement action in appropriate cases.

Where ESMA finds that an infringement has been committed by CRAs, SRs, TRs, Tier 2 TC-CCPs, Benchmark Administrators and DRSPs, it adopts one or more supervisory measures, which may include: issuing a public notice, requiring the supervised entity to bring the infringement to an end, and withdrawing the registration/recognition of the supervised entity. If ESMA finds that an infringement has been committed negligently or intentionally, it also imposes fines on the entity concerned.

Find out here why ESMA is doing this, who is subject to possible measures, and how these are imposed.

How enforcement works

The process of taking enforcement action involves three stages:

  • Supervisory investigation: ESMA teams carry out supervision and investigations to ensure that the entities under their supervision comply with the requirements under the applicable legislation. They may, for instance, request information, examine records and documentation, summon persons and conduct interviews, and inspect CRAs’, TRs’, SRs’, Tier 2 CCPs’, Benchmark Administrators’ or DRSPs’ business premises. Where, as part of their investigations in a given case, ESMA supervisors find serious indications of possible facts liable to constitute infringements of the CRA Regulation, EMIR, SFTR, Securitisation Regulation, BMR or MiFIR, the case is referred for further investigation to an independent investigating officer (‘IIO’) appointed within ESMA.


  • IIO investigation: The IIO has investigative powers whereby, for example, s/he may require information and documents, summon and interview persons, and execute on-site inspections. The IIO will make findings as to the commission of infringements and may recommend measures or fines to be imposed for those infringements. The supervised entity will be given the opportunity to make submissions on the IIO’s findings, and the IIO will duly consider such submissions before submitting any findings and the file on which they are based to ESMA’s Board of Supervisors.


  • Board decision: On the basis of the file and findings submitted by the IIO and after having heard the person subject to investigation, the Board of Supervisors independently decides whether any infringements have been committed, adopts appropriate supervisory measures for infringements found, and imposes fines for the infringements that have been found to be committed negligently or intentionally. Where the enforcement case concerns a Tier 2 TC-CCP, the CCP Supervisory Committee prepares the decision to be taken by the Board of Supervisors.


Since 2018, ESMA has published more extensive and detailed public versions of its enforcement decisions, in order to give more detail on the reasons for its findings. This has a number of benefits, including more legal certainty for entities supervised by ESMA and a better understanding of ESMA’s enforcement role by stakeholders, including CRAs, TRs, SRs, Tier 2 TC-CCPs, Benchmark Administrators, DRSPs, investors and issuers.

The public versions of the enforcement decisions need to comply with the applicable rules regarding the protection of professional secrecy and personal data and so may be redacted compared to the non-public version. For that purpose, a confidentiality check takes place with the entity concerned before publication.