ESMA compliance internal audit funds review flags governance gaps

ESMA compliance internal audit funds has become a much sharper issue for Europe’s asset-management sector after the bloc’s markets regulator published the results of its 2025 Common Supervisory Action. The review found that most fund managers are meeting key rules under AIFMD and UCITS. However, it also flagged weaker areas in oversight, internal policies, and the independence of key control functions.

That mix matters for the European funds market. On one side, the European Securities and Markets Authority pointed to broad baseline compliance across the EU and EEA. At the same time, the findings show that meeting the basic standard is not the same as having strong governance everywhere.

Published on 11/05/2026, the review brings together work by all EU and EEA national supervisors. As a result, it offers one of the clearest cross-border snapshots yet of how compliance and internal audit functions are operating inside the funds sector.

ESMA’s 2025 supervisory review of fund managers

The European Securities and Markets Authority said the 2025 Common Supervisory Action focused on the compliance and internal audit functions of fund managers across the EU and EEA. This was not a narrow sample. Every EU and EEA national supervisor took part, giving the exercise broad reach across the regional funds market.

What the AIFMD UCITS review covered

The review examined whether fund managers’ compliance and internal audit functions were working as required under the AIFMD and UCITS frameworks. National competent authorities used a common assessment framework, which helped align how firms were judged across jurisdictions.

Throughout 2025, supervisors relied on desk-based reviews and, where appropriate, on-site inspections. That detail matters because ESMA was not simply collecting broad impressions. Instead, the exercise used shared supervisory methods, which gives the findings more weight for firms operating across multiple European markets.

Why participation across the EU and EEA matters

Every EU and EEA national supervisor participated in the action. Notably, that level of involvement reinforces ESMA’s long-running push for EU supervisory convergence, especially in funds regulation, where national practices can still vary even under common rules.

For fund managers, the message is therefore not coming from a single regulator acting alone. Rather, it is coming from a coordinated supervisory network across the region.

Most fund managers met core AIFMD and UCITS requirements

The headline result from the AIFMD UCITS review was broadly positive: most fund managers complied with key requirements under both frameworks. For investors and markets, that supports confidence that the basic compliance architecture is in place across much of Europe’s funds industry.

Still, ESMA did not present a clean bill of health. While many firms had the right structures on paper, the quality of those structures and the way they worked in practice varied meaningfully.

Where the review found differences

National competent authorities observed significant differences in policy quality and implementation. According to the review, those gaps were linked to the size, nature, and complexity of the firms involved.

That is one of the more revealing parts of the findings. In practice, supervisory concerns are not just about whether a control exists, but whether it is proportionate and effective for the business using it. In other words, fund managers governance remains uneven even when firms appear technically compliant.

That is why the ESMA compliance internal audit funds review goes beyond a checklist exercise. More importantly, it becomes a deeper test of how well controls actually function inside fund managers.

Governance gaps now need closer follow-up

The most serious concerns were tied to governance. The Common Supervisory Action identified weaknesses in the independence of control functions, in internal policies, and in oversight by senior management and boards.

Those are not minor housekeeping issues. Independence in compliance and internal audit is central to whether problems can be identified early and escalated properly. When that independence is weak, controls may exist but still fail to challenge decision-makers effectively.

Control function independence and board oversight

ESMA highlighted governance weaknesses particularly around the independence of control functions. The report also includes examples of good and poor practices across compliance and internal audit, showing where controls worked and where they need strengthening.

The review also raised concerns about how senior management and boards exercise oversight. That matters because board and management attention often determines whether compliance and internal audit are treated as meaningful control functions or merely as routine support roles.

For the market, this is where the findings become more than a technical regulatory update. Weak board oversight can turn isolated policy flaws into broader governance vulnerabilities. And because the review covered the EU and EEA through a shared framework, those findings are likely to shape future inspections and follow-up actions.

What ESMA wants national supervisors to do next

ESMA is encouraging national competent authorities to follow up on the breaches and vulnerabilities identified, understand their root causes, and make sure effective remedial actions are implemented quickly.

The regulator also said it will continue promoting exchanges among NCAs, including through follow-up supervisory actions, to strengthen EU supervisory convergence in the funds sector.

• Follow up on breaches and vulnerabilities identified during the review
• Assess the root causes behind those weaknesses
• Push for effective remedial actions without delay
• Continue coordination among national competent authorities

That next phase could be just as important as the review itself. The immediate message is that most firms cleared the main compliance bar under AIFMD and UCITS. The longer-term message, however, is tougher: regulators now want more consistency in how those standards are supervised, interpreted, and enforced across Europe.

For fund managers, the ESMA compliance internal audit funds findings are less about a one-day headline and more about where scrutiny is likely to tighten next.