ECB Supervisory priorities 2026-28: banks face heightened scrutiny on geopolitical risks, digital resilience and ICT capabilities

The ECB’s 2026–2028 priorities put the spotlight on banks’ ability to manage geopolitical shocks, digital and cyber risks, and climate-related exposures. In parallel, the ECB is overhauling its supervisory framework to make supervision more efficient, focused, and agile. Ensuring robust preparation to comply with the ECB’s supervisory priorities and paying close attention to simplification reforms will be essential for banks to succeed in an increasingly demanding environment.

European financial institutions continue to grapple with geopolitical tensions, technological transformation and the growing impact of climate and nature-related risks. As a result, the European Central Bank’s (ECB) supervisory priorities for 2026-2028 reflect a forward-looking and risk-based strategy designed to ensure stability and resilience in an era of heightened uncertainty.

A comprehensive assessment of the main risks and vulnerabilities faced by the sector is reviewed annually to adapt to the evolving risk landscape and to incorporate lessons learned from the 2025 Supervisory Review and Evaluation Process (SREP). This approach ensures that supervisory actions remain transparent, predictable and flexible, allowing for efficient allocation of resources and timely adjustments. The overall SREP outcome reflects the focus areas and reviews performed by the ECB in the course of 2025, highlighting key areas of attention and lessons learnt from the exercise.

As a result, the ECB has set out a clear roadmap for 2026–2028, centred on two overarching priorities: strengthening banks’ resilience to geopolitical and macro-financial uncertainties, and enhancing operational resilience through robust ICT (information and communication technologies) capabilities. These pillars will shape supervisory expectations and actions over the coming years, influencing everything from credit risk management and climate governance to digital resilience and compliance with emerging regulations. In the following sections, this article will explore these priorities in detail and what they mean for European banks.
 

“The ECB’s supervisory priorities for 2026–2028 signal a new chapter for European banks. With sharper scrutiny on geopolitical threats, digital transformation, and climate risks, banks must move beyond compliance and embed forward-looking risk management into their governance, strategy, and planning.”

Eric Cloutier, Group Head of Banking Regulations / Head of Global FS RegCentre, Forvis Mazars Group

 

SREP 2025: findings that are shaping the priorities for 2026

Despite the uncertain backdrop, the European banking sector enters the 2026–2028 period with a sound risk profile and robust fundamentals, with prudential ratios well above regulatory minimums and pre-pandemic levels. Even amid falling interest rates, supervised banks maintained strong capital and liquidity positions. For example, the common equity tier 1 (CET1) ratio stood at 16.1%, the liquidity coverage ratio (LCR) at 158% and the net stable funding ratio (NSFR) at 127%. At the same time, banks continued to show a robust return on equity of 10.1% and an optimal cost-to-income ratio of 54.9% (as of Q2 2025).

In terms of credit risk, the non-performing loan (NPL) ratio was stable at 2.2%, a figure close to historical lows. These strengths are attributable to enhancements in prudential and supervisory frameworks since the Global Financial Crisis, as well as to public measures that supported the real economy during the pandemic. Indeed, the average overall SREP score improved to 2.5 from 2.6 in 2024, the best result since 2016. However, about one-quarter of banks remain in the weakest score categories (3-4), indicating the need for continued supervisory engagement.

The overall capital requirements and guidance for 2026 decreased slightly to 15.6% of risk-weighted assets (RWA), mainly due to a reduction in Pillar 2 guidance (P2G) for CET1 from 1.3% to 1.1%, whereas the Pillar 2 requirement (P2R) remained stable at around 2.1%.

The SREP 2025 identified four key areas of weakness: internal governance and risk management, credit risk controls, business model sustainability and operational and ICT risk management. The main drivers of the poorer SREP scores included the slowing down of net interest income (NII) and challenges related to structural cost and vulnerabilities in asset quality across some portfolios and regions. Other key deficiencies were identified in credit risk management and the need for further structural reform in areas such as board composition and risk culture, internal control functions, and risk data aggregation and risk reporting (RDARR) for internal governance and risk management.

 

Priority 1: reinforcing banks’ resilience to geopolitical risks and macro-financial uncertainties

ECB-supervised banks operate in a challenging environment driven by heightened geopolitical risks, as well as changing competition patterns due to digitalisation and the increased provision of financial services by non-bank financial institutions (NBFIs).

Prudent risk-taking and sound credit standards  

A key ECB focus for some years has been credit risk management. This remains particularly relevant during periods of heightened uncertainty, as the impact on borrowers’ creditworthiness may be amplified. As a result, timely identification of asset quality deterioration, prudent provisioning policies and sound underwriting standards are prerequisites for banks’ robustness.

As highlighted by supervisors during the SREP, banks must address deficiencies in their credit risk management frameworks to ensure resilience against external shocks. In that respect, the ECB will perform targeted on-site inspections (OSIs) on loan pricing and loan origination, with a particular focus on new lending and on sectors with high export volumes to the US that are impacted by trade policies.

Supervisors will also pay particular attention to banks’ exposures to NBFIs, ensuring prudent provisioning and robust risk management frameworks. The ECB, together with the European Systemic Risk Board (ESRB), has enhanced its monitoring framework to identify and assess these risks. This includes improved data collection, stress testing and scenario analysis to capture exposures and potential spillovers from NBFIs to banks.

Adequate capitalisation and consistent implementation of CRR III

ECB-supervised banks showed strong liquidity positions and did not face any funding gaps in recent years, notably during the banking turmoil in spring 2023. To underpin banks’ robustness, the ECB will ensure adequate capitalisation and consistent implementation of the Capital Requirements Regulation 3 (CRR3) legislative package in force since January 2025, excluding market risk but including credit valuation adjustment (CVA) risk. Also, targeted OSIs and reviews will assess the calculation of risk-weighted assets (RWA) under the new standardised approaches for credit, CVA and operational risk, and will identify potential outliers.

Prudent management of climate and nature-related risks

The ECB considers climate and nature-related risks as central to its supervisory priorities for 2026–2028, signalling a decisive shift in regulatory expectations for banks across the euro area. In this context, banks are now expected to be fully compliant with its guide on climate and environmental (C&E) risk by integrating climate risk into their risk management, capital planning and strategic decision-making processes. This moves beyond mere compliance to demonstrate genuine resilience to both physical and climate transition risks.

The 2027 European Banking Authority (EBA) stress-testing cycle will mark a significant evolution in this regard, as it would require banks to embed climate-risk analysis at a much more granular, counterparty level. It would necessitate the collection, validation, and reporting of detailed climate and ESG data that far exceed previous requirements. Climate scenarios will become a core component of stress-testing, directly influencing capital requirements and shaping business strategy.

At the same time, the ECB will intensify its scrutiny of ESG data quality, taxonomy alignment and Pillar 3 disclosures, demanding robust data governance, validation and auditability across all ESG reporting. Pillar 3 disclosures encompass both qualitative and quantitative information, including taxonomy-aligned exposures and financed emissions. Banks must ensure that their disclosures are not only comprehensive but also able to withstand regulatory and market scrutiny, particularly in terms of the green asset ratio (GAR) and the banking book taxonomy-aligned ratio (BTAR), which are on hold until the end of 2026.

Finally, considering the application of the Capital Requirements Directive’s (CRD) new Article 87a, targeted exercises on prudential transition planning in the form of a thematic review will be launched in accordance with EBA guidelines on environmental, social and governance (ESG) risk management.

Geopolitical reverse stress test

For 2026, the ECB has announced that it will conduct a thematic reverse stress test focussed on geopolitical risk, requiring each bank to design a scenario in which specific geopolitical shocks could plausibly cause at least a 300-basis-point depletion of its CET1 capital ratio. Unlike traditional tests, a reverse stress test starts from a defined point of failure, such as a breach of capital, and works backward to identify the combination of events, such as conflict, sanctions or cyberattacks, that could possibly trigger that outcome.

The results will inform supervisory dialogue but not directly affect regulatory capital guidance. This methodology aims to uncover hidden vulnerabilities and foster forward-looking risk management. Ultimately, this aims to prepare banks to navigate an era of unpredictable and complex geopolitical risks. Alongside this exercise, and as part of its regular activities, the supervisor will continue its supervisory reviews of banks’ Internal Capital Adequacy Assessment Process (ICAAP) and Internal Liquidity Adequacy Assessment Process (ILAAP) and will also review funding planning processes, recovery plans, and internal stress-testing frameworks. The objective is to ensure that banks’ capital and liquidity strategies, as well as their contingency measures, are robust enough to withstand severe geopolitical shocks.

 

Priority 2: strengthening operational resilience and fostering robust ICT capabilities

The banking sector is increasingly exposed to digital risks and dependencies on external critical service providers. Past ECB reviews have identified persistent weaknesses in ICT risk management and incident response, while recent incidents have shown that operational disruptions can have systemic impacts. The Digital Operational Resilience Act (DORA), effective since 2025, provides a harmonised framework for digital operational resilience across the EU, setting clear requirements for banks and other financial actors.

The ECB will shift from risk identification to effective remediation, emphasising tangible improvements and robust controls through two key areas of focus, including digital operational resilience and risk data aggregation.

Implement robust and resilient operational risk management frameworks

The increasing reliance on digital infrastructure and third-party service providers heightens the importance of robust ICT frameworks. Banks must therefore maintain robust and resilient operational risk management frameworks to comply with DORA and address cyber security and outsourcing risk shortcomings, which can threaten business continuity, operational resilience, and regulatory compliance if not properly managed. The ECB is conscious that concentration among a few service providers, many of which are headquartered outside the EU, heightens systemic risk and complicates oversight.

Therefore, the ECB’s supervisory priorities emphasise the need for robust governance, transparency and risk management frameworks to address these risks, especially as digitalisation and geopolitical tension accelerate. Effective third-party risk management ensures that banks can safeguard critical functions, respond to disruptions and maintain stability in a rapidly evolving risk landscape.

As a result, the ECB is planning targeted follow-ups on material shortcomings. In addition, OSI campaigns will focus on cyber security and third-party risk management, threat-led penetration testing, targeted reviews of ICT change management and deep dives into banks’ preparedness for potential cloud service disruptions in accordance with the ECB guide on cloud services.

Remedy deficiencies in risk reporting capabilities and information systems 

The ECB expects banks to remediate long-standing shortcomings in risk data aggregation and risk reporting (RDARR) and to align their practices with supervisory expectations outlined in the ECB guide. Through reviews and targeted OSIs, the ECB will follow up on remediation strategies and ensure that persistent deficiencies in banks’ RDARR frameworks are addressed to close any gaps.

Address medium to long-term risks stemming from digital and AI-related strategies

The ECB will continue exploring opportunities and risks stemming from digital and AI-related applications, with a focus on governance and risk management.

For instance, past supervisory scrutiny recognised the increased adoption of AI, particularly for credit scoring and fraud detection. The AI Act, effective since 2024, will see high-risk AI systems come under its scope. According to a recent ECB article, in 2024, 30% of significant institutions used AI for credit scoring and 62% for fraud detection, indicating that a significant part of the sector will be affected.

By August 2026, banks should be compliant, although we may see a new application date coming from the “Digital Omnibus” that could be as late as the end of 2027, potentially giving banks more time to prepare for compliance. However, some banks have already started conducting self-assessments to spot high-risk use cases. Organisations will also need to map their AI models, align internal processes with expected regulatory standards and appoint chief AI officers to make sure that the second and third lines of defence adequately oversee the use of AI.

From a general perspective, the ECB will continue to monitor banks’ use of AI with a focus on strategies, governance and risk management. Monitoring will also include the recent development of stablecoins issued under the Markets in Crypto-Assets Regulation (MiCA). To this end, the ECB will organise targeted horizontal workshops on generative AI applications to strengthen supervisory understanding of how banks use these applications and to monitor the development of agentic AI.

In addition, workshops with the industry will help to improve cooperation with market surveillance authorities responsible for the AI Act and the EBA. Banks should look to implement robust governance and risk management for AI and machine learning (ML) models, especially for high-risk applications such as credit scoring and fraud detection.

The simplification agenda and SREP reform

In October 2025, the EBA unveiled 21 recommendations aimed at reducing the burden of regulatory reporting and the number of technical standards/guidelines, and at streamlining the capital stack (Pillar 1, Pillar 2, buffers, eligible liabilities, etc.). It also started the third revision of its common SREP guidelines with a view to focusing on core assessments by reducing outdated or non-strictly necessary provisions without changing key areas of the SREP and updating the framework with the latest regulations that have entered into force.

In parallel, the ECB published in December 2025 its report on streamlining supervision and safeguarding resilience with a view to overhauling its banking supervision to make it more efficient, risk-focused and agile.

Key decisions include:

  • The SREP will follow a multi-year cycle, with more targeted and risk-based reviews for each bank.
  • Joint supervisory teams (JSTs) will have more autonomy to focus on the most relevant risks for each institution.
  • Fast-track procedures are being introduced for certain approvals (e.g. capital, securitisation).
  • Reporting requirements are being reduced, especially for smaller banks.
  • SupTech will help to automate routine tasks and focus supervisory resources on emerging risks.

Lastly, the recommendations of the ECB high-level task force on simplification have been released and delivered to the European Commission, and will ultimately help inform a legislative proposal to amend the regulatory framework.

Expected to be fully implemented by 2026, the new framework aims to streamline risk assessments, improve communication with banks and ensure that supervisory actions are both forward-looking and strategically orientated according to the ECB’s risk tolerance framework. Created in response to an evolving risk environment, the new framework introduces structural shifts in response to increased digitalisation, climate change and heightened geopolitical uncertainty. 

 

Conclusion: what is next up for banks

The ECB roadmap marks a new phase of supervision and strategic transformation for European banks. While the sector enters this period with robust capital, liquidity and profitability, the environment is defined by persistent geopolitical risks, rapid digital transformation as well as the growing weight of climate and environmental (C&E) risks. The ECB priorities are designed to ensure banks remain resilient, agile and forward-looking in the face of these challenges.

In that respect banks should:

  • Expect more intrusive stress tests, scenario analyses and targeted reviews of credit risk, especially in vulnerable portfolios (e.g. real estate, SMEs, leveraged finance).
  • Upgrade ICT infrastructure, strengthen cyber risk management and ensure compliance with new digital regulations. Supervisory focus will include third-party risk and AI adoption.
  • Accelerate climate risk integration, enhance data and reporting, and prepare for thematic reviews and OSIs.
  • Expect tighter deadlines for remediation with progress closely monitored by JSTs.
  • Expect more transparent methodologies (e.g. SREP, ICAAP), earlier communication of outcomes and a focus on efficiency.

In addition, Boards and executives should:

  • Adopt strategic risk management: make sure the frameworks for credit, operational and climate risks are robust and regularly review risk appetite and capital planning in light of new stress scenarios.
  • Accelerate digital and cyber resilience: map critical IT outsourcing and third-party dependencies, strengthen cyber security, incident response and business continuity plans to prepare for DORA supervisory reviews.
  • Integrate climate and ESG risks: embed C&E risks into governance, strategy and risk management, and enhance climate risk data, scenario analysis and reporting.
  • Remediate deficiencies promptly: prioritise and document remediation of all ECB-identified weaknesses, assign clear accountability and monitor progress at board level.
  • Engage proactively with supervisors: maintain an open dialogue with JSTs and prepare for thematic reviews, OSIs and new reporting requirements.
  • Leverage regulatory simplification: streamline internal processes in line with new ECB methodologies and use regulatory changes as an opportunity to boost efficiency and competitiveness.
  • Give forward-looking considerations: respond rapidly to external shocks and regulatory shifts and approach risk integration holistically. Clearly articulate risk posture and strategic priorities to investors, regulators and customers.

Finally, conducting structured self-assessment exercises and remediating any material shortcomings will position banks to withstand any forthcoming ECB scrutiny. Importantly, robust preparation for the ECB’s supervisory priorities strengthens institutional stability and resilience in an era of heightened uncertainty.

“The ECB’s new priorities require banks to be agile, resilient, and ready for a rapidly evolving, uncertain environment. Geopolitical shocks, digital disruption, and climate risk are now front and centre. The winners will be those who move beyond supervisory box-ticking to embed risk in every decision and act quickly to strengthen their foundations.”

Gregory Marchat, Group Head of Financial Services Advisory, Forvis Mazars Group
