The Supervisory Framework of the ECB for 2025-2027 indicates its medium-term strategy for the next three years. The new priorities are of a similar nature to the 2024-2026 objectives set out last year. In this article, we review the ECB's actions in response to the 2024 priorities and outline the objectives of the 2025-2027 strategies.
ECB Strategic priorities 2025-2027
The European Central Bank’s (ECB) priorities for 2025-2027 were set after a holistic assessment of the main risks and vulnerabilities facing banks. These included ongoing geopolitical tensions, macroeconomic uncertainty, shortcomings from earlier supervisory reviews and technological advancement in digitalisation. Accordingly, the ECB decided upon three main priorities:
These priorities are discussed in greater detail here
Actions taken in 2024 and objectives for 2025
Priority 1: Banks should strengthen their ability to withstand immediate macro-financial threats and severe geopolitical shocks.
In 2024, the ECB proposed steps to counter potential vulnerabilities in credit risk and counterparty credit risk management frameworks, and to address shortcomings in asset and liability management frameworks.
Actions taken during 2024 included:
- The ECB drafted a new guide on Governance and Risk Culture to provide banks with a roadmap to create a more effective internal governance and risk culture. The guide includes the roles and responsibilities of internal control functions and expectations on how to design and implement a Risk Appetite Framework (RAF).
- As part of its review of credit models, the ECB imposed a €3.5 million sanction on a bank for failing to apply the credit risk floors set by the ECB, which resulted in the bank underestimating its risk-weighted assets.
- During the year, the ECB conducted asset quality reviews of two banks (FinecoBank S.p.A. and AS LHV Group), finding that neither bank faced a capital shortfall, as their Common Equity Tier 1 (CET1, which measures financial solvency) ratios were not below the 8% threshold.
For 2025, due to the growing macroeconomic uncertainty and geopolitical tensions, it is imperative for banks to manage their credit risk, maintain proper provision levels and withstand increasing cybersecurity risks. Key priorities include:
Prioritised Vulnerability: Deficiencies in credit risk management frameworks
- Past supervisory reviews have shown shortcomings in the ability of banks’ IFRS 9 frameworks to capture emerging risks. Supervisors will continue to perform on-site inspections of IFRS 9 staging, credit loss models, collateral valuations and provisioning deficits. The ECB will conduct a follow-up of the reviews, monitor banks’ progress on prior concerns, and use escalation measures where needed.
- The ECB will continue to monitor asset quality and provisioning practices to counter emerging geopolitical risks through on-site inspections of credit provisioning models and policies in SME, retail, and commercial real estate portfolios.
Prioritised Vulnerability: Deficiencies in operational resilience frameworks regarding IT outsourcing and cybersecurity
- Cyber attacks are increasing due to digitisation of banks, geopolitical tensions and reliance on third-party providers. To counter this, the ECB will conduct reviews of risk management and cyber resilience frameworks.
- Supervisory reviews found that at least 10% of contracts with third-party ICT providers are not compliant with relevant regulations. Due to this concern, the ECB will collect data on third-party ICT providers to identify weaknesses in banks’ outsourcing arrangements.
- Supervisors will continue to assess banks’ compliance with DORA and conduct a follow-up on the findings of the cyber resilience stress test, which showed that improvement was needed in business continuity frameworks, incident response planning, back-up security and management of third-party providers.
Special Focus: Incorporating geopolitical risks into supervisory priorities
- Geopolitical risk will be a key component of the 2025 EU-wide stress test which will assess banks’ counterparty credit risk under adverse scenarios. Supervisors will also evaluate risk appetite frameworks to evaluate and mitigate geopolitical risks through targeted benchmarking exercises.
Priority 2: Banks should remedy persistent material shortcomings in an effective and timely manner.
In its 2024 work programme, the ECB aimed to address deficiencies in the functioning of management bodies, risk data aggregation and reporting, and material exposures to climate-related physical and transition risks. The ECB took the following steps during the year to address these concerns:
- The ECB launched a consultation on revised policies regarding options and discretions available in EU law on prudential rules, including own funds and capital requirements. The final policy, expected in 2025, will outline how supervisory authorities can use these options.
- A Joint Bank Reporting Committee (JBRC) was established by the EBA and ECB to improve efficiency and reduce costs in data reporting. The Committee includes the ECB, the EBA, the European Commission, EEA Member States, and the Single Resolution Board (SRB). Its main aim is to develop common definitions and standards for use in new and existing reporting.
- At an ECB conference, selected banks and ECB supervisors discussed the challenges faced in collecting energy performance data in the real estate sector and their solutions to achieve zero emission stock by 2050. As the value of buildings is increasingly being influenced by climate-related factors, energy performance data is important for the banks that hold the buildings as collateral. Solutions identified included reducing the average primary energy use of residential building stock by 16% by 2030 and by 20-22% by 2035, and renovating the 16% worst-performing buildings by 2030 and the 26% worst-performing buildings by 2033. This Directive will become a national regulation by May 2026, which will lead to an increase in renovations across Europe.
In its 2025 work programme, the ECB noted that previous reviews had identified weaknesses in banks’ management of climate and environmental (C&E) risks, as well as in their risk data aggregation and reporting (RDARR) capabilities. The priorities for 2025 include:
Prioritised Vulnerability: Deficiencies in business strategies and risk management as regards climate-related and environmental risks
- Due to extreme climate changes, a key ECB focus is to ensure banks are aligned with EU climate objectives. The ECB will use sanctions if banks fail to comply with them.
- ECB supervisors will continue to review banks’ compliance with the C&E expectations, including their integration into the internal capital adequacy assessment process and stress testing.
- The ECB will continue to review Pillar 3 disclosures of entities, and the upcoming CRR3/CRD6 obligations will require banks to develop prudential transition plans. The ECB will also continue to assess C&E aspects through targeted on-site reviews of credit, operational and business model risks.
Prioritised Vulnerability: Deficiencies in risk data aggregation and reporting
Targeted and on-site reviews of entities have shown that many entities are not complying with the Basel Committee report on principles for effective RDARR. The reviews have shown weaknesses in (i) management bodies, (ii) RDARR frameworks, (iii) data architecture and IT infrastructure, (iv) IT systems, and (v) management of data quality. The ECB will conduct a follow-up on the targeted review and use penalties where necessary.
Priority 3: Banks should strengthen their digitalisation strategies and tackle emerging challenges stemming from the use of new technologies.
In 2024, the ECB aimed to address deficiencies in operational resilience frameworks, digital transformation, and IT security risks.
Actions taken during 2024 included:
- The ECB conducted a stress test to assess banks' resilience to cyberattacks, involving 109 banks, with 28 undergoing more extensive testing. The test focused on how banks communicate with external stakeholders, implement mitigation measures, and activate crisis response plans.
- The G7 Cyber Expert Group organised a cross-border cybersecurity exercise to ensure effective communication and coordination among G7 countries in the event of a cyber-attack.
- The ECB launched a public consultation on banks' use of cloud computing services provided by third-party providers. These services, while cost-effective, can expose banks to IT disruption risks. To mitigate this, the EU introduced the Digital Operational Resilience Act (DORA) and the Capital Requirements Directive.
For 2025, the ECB highlights that rapid digital transformation requires banks to implement safeguards to manage cyber threat risks effectively. It is essential for ECB supervisors to understand how banks are using generative AI and other emerging technologies. Key priorities include:
Prioritised Vulnerability: Deficiencies in digital transformation strategies
- The ECB will use targeted on-site inspections of key technologies and business-related models to further improve its supervisory approach and assess risks relating to the digitisation of the banking sector. Supervisors will also focus on the impact of banks’ digital activities on their business models to better understand the risks arising from the use of advanced technologies such as AI and cloud services.
This is the third in a four-part series of articles outlining the strategic priorities of European Supervisory Authorities for the financial sector. Read article four on ‘ESMA’s Strategic Priorities for 2025’.