On 25 April 2026, the European Commission adopted a delegated regulation setting out the procedural rules for fines and periodic penalty payments that the European Securities and Markets Authority (ESMA) may impose on ESG rating providers under Regulation (EU) 2024/3005. The delegated act fills one of the final gaps in the EU’s ESG ratings supervisory framework ahead of its application date of 2 July 2026 — answering a question that has been open since the parent regulation was published in December 2024: precisely how will ESMA exercise its enforcement powers, and what safeguards will apply to providers subject to investigation?
This article breaks down the delegated regulation, maps the enforcement process, and explains what it means for ESG rating providers, asset managers, and compliance teams preparing for the new regime.
Maximum fine as share of annual net turnover
Limitation period for imposing and enforcing penalties
Application date for the ESG Rating Regulation
Why this delegated regulation matters
Regulation (EU) 2024/3005 established ESMA as the direct supervisor of ESG rating providers operating within the EU. It granted ESMA the authority to request information, conduct investigations and inspections, and — where infringements are found — impose fines of up to 10% of the provider’s total annual net turnover, as well as periodic penalty payments to compel compliance. However, Article 39(9) of the parent regulation required the Commission to adopt a separate delegated act specifying the procedural rules for how these enforcement powers would be exercised. Without those rules, ESMA’s ability to pursue infringement proceedings would have lacked a defined procedural framework — leaving providers uncertain about how investigations would be conducted and how their right to be heard would be protected.
The delegated regulation addresses all of these points. It defines the steps in infringement proceedings, codifies the rights of defence available to providers under investigation, sets limitation periods for both the imposition and enforcement of penalties, and establishes rules for the collection and transfer of fines to the EU general budget.
Enforcement process: from investigation to fine
The delegated regulation establishes a structured, multi-stage enforcement process. Each stage includes specific procedural safeguards designed to ensure that any provider subject to investigation has adequate opportunity to present its defence before a penalty is imposed.
Stage 1 — Investigation by ESMA’s investigating officer
Statement of findings. Upon completing investigations under Article 33 of the parent regulation, the investigating officer issues a written statement of findings setting out the facts considered to constitute the infringement, including any aggravating or mitigating factors.
Written submissions. The provider receives the statement and is given a reasonable time limit to submit a written defence, attach supporting documents, and propose witnesses. Legal counsel may assist throughout.
Optional oral hearing. The investigating officer may invite the provider to attend a private oral hearing. The provider may be represented by counsel.
Finalised statement. After considering submissions, the investigating officer sends the finalised statement of findings to the provider and transmits the complete file — statement, written submissions, and hearing minutes — to ESMA’s Board of Supervisors.
Stage 2 — ESMA Board of Supervisors decision
Completeness check. The Board reviews the file. If incomplete, it sends it back to the investigating officer with a reasoned request for additional documents.
No infringement path. Where the Board considers the facts do not disclose any possible infringement, it takes a formal decision stating so and notifies the provider.
Infringement confirmed. Where the Board agrees with the findings, it notifies the provider and allows further written submissions within a reasonable time limit. An additional oral hearing may be offered.
Decision and notification. If the Board concludes an infringement has been committed, it adopts a decision imposing supervisory measures and/or a fine, and notifies the provider immediately.
Stage 3 — Periodic penalty payments
Trigger. ESMA may impose periodic penalty payments where a provider refuses to submit to an investigation or to supply requested information (Article 37(1)(b)(iiii) of the parent regulation).
Statement of findings. Before imposing a periodic penalty, the Board issues a statement setting out the reasons and the daily penalty amount, with a time limit for the provider to respond in writing.
Cessation. The Board ceases the penalty once the provider has complied with the relevant obligation. An oral hearing may be offered at any stage.
Stage 4 — Collection of fines
Escrow arrangement. ESMA deposits fine and penalty amounts into separate interest-bearing accounts — one per fine or penalty — until the decision becomes final. These amounts are not entered into ESMA’s budget.
Finality condition. Amounts are only transferred to the European Commission once all appeal rights (ESMA Board of Appeal and the Court of Justice of the EU) have been exhausted or have lapsed.
Reporting. ESMA reports regularly to the Commission on all fines and periodic penalty payments imposed and their status.
Rights of defence under the new regime
A central feature of the delegated regulation is the codification of procedural safeguards for providers subject to investigation. These protections mirror established principles in EU securities supervision — drawing on ESMA’s existing experience with entities such as credit rating agencies and trade repositories — but are adapted specifically for ESG rating providers.
Providers have the right to receive a detailed written statement of findings before any penalty is imposed. At both the investigation stage and the Board decision stage, they may submit written responses within a set time limit, attach evidence, propose witnesses, and request oral hearings. Legal counsel may assist at every stage. Crucially, the Board is required to consider any written submissions received — including those submitted after the deadline — before adopting a final decision.
Access to the investigation file is also guaranteed. Once a statement of findings has been issued, the provider may request access to all documents in the file. However, documents obtained through file access may only be used for judicial or administrative proceedings related to the ESG Rating Regulation — a restriction designed to prevent information leakage into commercial disputes.
Limitation periods explained
The delegated regulation introduces two distinct five-year limitation periods, aligned with the approach used in other ESMA-supervised regimes. These periods define the outer boundaries within which ESMA must act.
| Limitation type | Duration | Starts from | Interruption | Maximum extension |
|---|---|---|---|---|
| Imposition of fines/penalties | 5 years | Day after the infringement is committed (or ceases, for continuing infringements) | Any investigative or procedural action notified to the provider | 10 years from original start (doubled period), plus any suspension time |
| Enforcement of penalties | 5 years | Day after the decision becomes final | Any enforcement action by ESMA | Restarted on each interruption; suspended during appeals |
The limitation period for imposing penalties is suspended for the duration of any appeal proceedings before the ESMA Board of Appeal or the Court of Justice of the EU. The enforcement limitation period is also suspended where time to pay has been allowed or where enforcement is paused pending an appeal decision. In practical terms, these provisions mean that a provider cannot avoid a fine simply by exhausting procedural timelines through repeated appeals — the clock stops while the matter is before a tribunal.
Key dates for ESG rating providers
12 December 2024
Regulation (EU) 2024/3005 published in the Official Journal of the EU
2 January 2025
ESG Rating Regulation enters into force
25 April 2026
Commission adopts delegated regulations on fines/penalties procedures and supervisory fees
2 July 2026
ESG Rating Regulation applies — full supervisory regime takes effect
2 August 2026
Deadline for existing large ESG rating providers to notify ESMA of intent to continue operating
2 November 2026
Deadline for small ESG rating providers to notify ESMA; deadline for all providers to submit authorisation or recognition applications
What this means for the market
The enforcement framework has several practical implications for ESG rating providers, the asset managers that rely on their ratings, and the broader sustainable finance ecosystem.
For ESG rating providers
Providers that have not yet begun preparing for authorisation face an increasingly compressed timeline. The delegated regulation confirms that ESMA’s enforcement powers will be fully operational from the application date, and the procedural framework now exists to exercise them. Providers operating without authorisation after 2 November 2026 must cease their EU activities — and any continued provision of ratings without authorisation would itself constitute an infringement subject to the penalty regime now codified.
Compliance functions within rating providers should take particular note of the investigative cooperation requirements. Periodic penalty payments are specifically triggered by a provider’s refusal to submit to an investigation or to supply requested information. The daily penalty accrues until compliance is achieved, creating a powerful incentive for prompt cooperation with ESMA requests.
For asset managers and financial institutions
The enforcement regime adds a layer of credibility to ESG ratings used in SFDR product disclosures and investment decision-making. Financial market participants relying on ESG ratings should verify that their rating providers are pursuing authorisation within the specified timelines. Ratings sourced from providers that are not authorised or in the application process after 2 November 2026 may carry regulatory risk for downstream users, particularly in the context of greenwashing scrutiny under SFDR and the evolving EU Green Bond Standard.
Broader regulatory integration
The ESG Rating Regulation does not operate in isolation. It amends the SFDR to require financial market participants that produce in-house ESG ratings to disclose them on the same basis as those sourced from external providers. It also feeds into the European single access point (ESAP), through which ESG rating information will be made publicly accessible alongside corporate sustainability reports under the CSRD and ESRS framework.
For organisations managing complex, multi-framework regulatory obligations, the new enforcement regime underscores the importance of robust ESG data management infrastructure — both for rating providers that must demonstrate methodology transparency and for financial institutions that must substantiate their use of ESG ratings in product-level and entity-level disclosures.
ESMA supervisory powers under the ESG Rating Regulation
Scrutiny and next steps
The delegated regulation now enters the scrutiny phase. Both the European Parliament and the Council of the EU have the right to object within a defined period. If neither institution raises an objection, the regulation will be published in the Official Journal and enter into force on the twentieth day following publication. Given the tight timeline before the 2 July 2026 application date, expedited scrutiny is expected.
ESG rating providers that have not yet engaged with the authorisation process should treat this delegated act as a signal that the supervisory architecture is now substantially complete. ESMA has already published a self-assessment tool to help entities determine whether they fall within the scope of the regulation, and a registration guide for the application process is available.
At Generation Impact Global, we help financial institutions and ESG professionals navigate the operational and data management challenges created by evolving EU sustainability regulation — from ESG strategy across jurisdictions to framework-specific reporting workflows.
Get in touchFrequently asked questions
What is the maximum fine ESMA can impose on an ESG rating provider?
Under Article 36 of Regulation (EU) 2024/3005, ESMA may impose fines of up to 10% of a provider’s total annual net turnover. The delegated regulation sets out the procedural rules for how these fines are determined, communicated, and collected.
When does ESMA’s enforcement power take effect?
ESMA’s full supervisory and enforcement powers apply from 2 July 2026 — the application date for the ESG Rating Regulation. The delegated regulation on fines procedures entered the scrutiny phase in April 2026 and is expected to be published before that date.
What rights do ESG rating providers have during an investigation?
Providers receive a written statement of findings, may submit a written defence, propose witnesses, request oral hearings, and be assisted by legal counsel at every stage. They also have the right to access the full investigation file once a statement of findings has been issued.
What are periodic penalty payments?
Periodic penalty payments are daily fines imposed when a provider refuses to cooperate with an ESMA investigation or fails to supply requested information. They accrue until the provider complies with the relevant obligation.
Does this regulation affect asset managers using ESG ratings?
Indirectly. Asset managers and other financial market participants that use ESG ratings in investment decisions or SFDR disclosures should verify that their rating providers are authorised or in the application process. Ratings from unauthorised providers after 2 November 2026 may carry regulatory and reputational risk.
