European regulator ESMA on Friday launched a Common Supervisory Action with national competent authorities across the EU to review risk management functions at UCITS management companies and Alternative Investment Fund Managers.
The exercise will run through 2026 and 2027, with a final report planned for 2028.
ESMA said the CSA is intended to examine whether firms comply with the risk provisions in the UCITS and AIFMD frameworks, focusing on the effectiveness of the risk management function, its separation from business lines, and whether staff have enough expertise.
What NCAs will check
National regulators will focus on governance and organisation of the risk function, how risks are identified and monitored, and reporting to senior management and governing bodies. NCAs will rely on a common assessment framework developed by ESMA that lays out the scope, methodology and supervisory expectations.
Under AIFMD Level 2 rules, the risk management function must be permanently established and functionally and hierarchically separate from operating units and portfolio management.
Earlier findings on control functions
The CSA follows ESMA’s January 2026 report on a separate review of compliance and internal audit functions at fund managers. That exercise found broad compliance but flagged governance weaknesses around the independence of control functions and oversight by senior management and boards.
Luxembourg’s CSSF had already signalled a risk-management CSA for the second half of 2026 in its March supervisory priorities.



