Why financial institutions should now consider data architecture, auditability and AI governance together.
Regulatory reporting is still often viewed as a downstream obligation: data is collected, prepared, validated and submitted to the competent authorities. However, the latest ESMA Report on Quality and Use of Data (published on 29 May 2026) makes it clear that this perspective is no longer sufficient.
The ESMA Report Focuses on Data Usage and Quality
Supervisory data is no longer a static reporting outcome. It is actively used – for market surveillance, risk analysis, transparency calculations, crisis monitoring, data quality assessments and increasingly for automated and AI-supported analytics. This fundamentally changes the role of regulatory data.
Data quality is no longer merely an operational requirement in reporting. It is becoming an essential component of governance, control capability and digital resilience.
The ESMA Report makes it clear that data quality and data usage are directly connected. The more supervisory authorities use data for analysis, market monitoring and regulatory decision-making, the more important completeness, consistency, timeliness and traceability of reported information become.
This applies to a wide range of regulatory data domains, including EMIR, MiFIR, SFTR, AIFMD, MMFR, prospectus data, MiFIR reference data, ESMA registers and – for the first time – DORA-related reporting on major ICT incidents.
For financial institutions, this means that the quality of regulatory data does not only become visible at the point of submission. It is created much earlier – in master data, reference data, interfaces, business rules, control processes and system architectures.
Incorrect or inconsistent data is therefore not just a reporting problem. It can affect supervisory communication, risk management, internal controls and regulatory accountability.
Simplification Requires Standardisation
A central theme of the ESMA Report is the simplification of regulatory reporting obligations. Initiatives such as “report once”, integrated data models and the reduction of unnecessary reporting complexity point in a clear direction: supervisory data flows should become more efficient, more consistent and easier to reuse.
From the perspective of market participants, this development is welcome. However, it does not automatically reduce the demands placed on institutions’ data environments. On the contrary: the more often data is reused and shared across authorities, the more important clear definitions, harmonised data models and robust data lineage become.
Simplification can only succeed if data structures are sufficiently robust. A “report once” approach requires the data reported once to remain factually correct, technically unambiguous and traceable across different uses. This places data architecture at the centre of regulatory efficiency.
Generative AI Increases the Need for Traceability
The increasing use of generative AI and other SupTech approaches is particularly relevant. ESMA describes how AI applications are no longer viewed merely as experimental, but are increasingly supporting operational processes – for example internal analyses, supervisory assessments or the detection of potential market abuse patterns.
For financial institutions, this has an important consequence: where AI is used in regulatory processes, its use must remain controllable. It is not enough for an AI system to produce plausible results. What matters is whether the institution can trace which data was used, which process was affected, which expert review took place and whether the result fed into a regulatory decision, analysis or report.
This question becomes particularly important in the context of DORA. DORA strengthens the requirements for ICT risk management, governance, control mechanisms, third-party management and digital operational resilience. Even though DORA does not treat generative AI as a separate topic, its use in ICT-supported processes must be assessed from a risk perspective and controlled appropriately.
For institutions, this means that generative AI must not become invisible in regulated processes. Its use must remain identifiable, manageable and auditable – especially where sensitive data, regulatory analyses or reporting processes are concerned.
Excursus: Generative AI from the US – Permitted, but Subject to Conditions
The current debate around the use of generative AI services from non-European providers, particularly from the US, highlights another dimension of regulatory data processing. For European financial institutions, the use of such services is not only a technical or commercial decision, but part of a comprehensive risk assessment.
What matters is not only where a provider is based. The decisive questions are which data is processed, where this data is stored or analysed, which subcontractors are involved, which access rights exist and whether contractual, technical and organisational controls enable auditable use.
The selection of generative AI services therefore becomes part of ICT risk management and third-party governance. Institutions must be able to assess whether data protection requirements, DORA-relevant control obligations, information security, exit capability and auditability are sufficiently covered.
The use of generative AI from the US is therefore not categorically excluded. It must, however, be deliberately designed, documented and controlled – especially where sensitive data, regulatory analyses or essential or regulated processes are involved.
Auditability Does Not Begin with the Audit
The ability to audit regulatory processes does not arise from retrospective documentation. It is created through systems and processes that are designed to be traceable from the outset. This includes clear responsibilities, authorisation concepts, logging, versioning, business validation rules, documented data flows and a robust separation between data creation, data processing and data approval.
These requirements are not new. What is new, however, is their significance in an environment in which data is increasingly processed automatically, reused multiple times and, prospectively, supplemented by AI-supported procedures.
Anyone seeking to design regulatory data processes that are efficient and resilient in the future must be able to answer three questions:
- Where does the data come from?
- Which business and technical checks were performed?
- And how can the process be traced afterwards?
These questions are simple to formulate – but demanding to implement in complex system landscapes.
What Financial Institutions Should Take from This
The ESMA Report shows a clear development: regulatory data is being used more intensively, quality-assured more systematically and increasingly integrated into automated supervisory and analytical processes.
For financial institutions, this creates several areas for action. Master data and reference data must be maintained consistently. Data quality checks should not only take place at the end of a reporting process. Interfaces and data flows must be documented transparently. And the use of new technologies such as generative AI must be integrated into existing governance and control frameworks.
The objective is not only regulatory compliance. It is about the ability to use data reliably, identify risks at an early stage and remain accountable to supervisors, internal audit and management.
Conclusion
The ESMA Data Quality Report confirms a development that has long been visible in practice: data quality is becoming a central factor for regulatory efficiency, digital resilience and trustworthy automation.
Institutions that continue to treat regulatory data processes as an isolated reporting task will struggle to meet rising expectations. Integrated data architectures, robust reference data, clear control mechanisms and auditable process chains are required.
Data quality is therefore becoming more than a technical discipline. It is a prerequisite for effective supervision, resilient IT processes and the responsible use of AI in the financial sector.
Sources
- ESMA, 2025 Report on quality and use of data, 29 May 2026
- Regulation (EU) 2022/2554, Digital Operational Resilience Act (DORA)
- BaFin, DORA – Digital Operational Resilience Act, Overview
