Banking Supervision
Banking Supervision
Search
Search Options
Home Media Explainers Research & Publications Statistics Monetary Policy The €uro Payments & Markets Careers
Suggestions
Sort by

1 Introduction

The supervisory priorities for 2026-28 reflect ECB Banking Supervision’s medium-term strategy for the next three years. The Supervisory Board of the ECB sets these priorities based on a comprehensive assessment of the main risks and vulnerabilities for supervised entities. They are reviewed annually to reflect changes to the risk landscape and the outcome of various supervisory exercises, in particular the Supervisory Review and Evaluation Process (SREP)[1]. These priorities are also reviewed to assess the progress made by banks against the previous years’ priorities and regulatory requirements. This type of annual review is conducive to a risk-based and forward-looking strategy that fosters an efficient allocation of supervisory resources, makes supervisory actions more transparent and predictable for banks, while still ensuring sufficient flexibility to adjust the priorities if warranted.

The European banking system has a sound risk profile and robust fundamentals, positioning it well to navigate today’s highly uncertain geopolitical and macro-financial environment and to support the European economy effectively. Over the past year, the sector has continued to report strong capital and liquidity positions and low levels of non-performing loans, with profitability levels thus far proving resilient to the falling interest rates. These solid fundamentals, which result in part from the enhancement of the prudential and supervisory frameworks since the global financial crisis, have allowed the sector to weather the economic headwinds stemming from the escalation of global trade tensions and conflicts, as well as the periods of high financial market volatility that followed. Moreover, the banking sector’s resilience has benefited over the past few years from public measures aimed at supporting the real economy and mitigating the impact of adverse shocks. The overall resilience of the banking sector to an adverse scenario induced by geopolitical tensions is also shown by this year’s EU-wide stress test exercise.

That said, banks need to be ready to manage the challenges that lie ahead. Global uncertainties have surged to exceptional levels, creating an environment of heightened fragility, where risks once considered remote are becoming more likely. Geopolitical tensions and shifting trade policies, climate and nature-related crises, demographic change and technological disruptions are exacerbating structural vulnerabilities, making the likelihood of extreme, low probability events (tail risks) unprecedently high. Uncertainty is elevated. This combination of factors heightens the risk of sudden and severe disruptions with far-reaching consequences for economies, financial markets and banks alike. It echoes the call to banks over the past years to remain vigilant and to avoid complacency.

Given this challenging outlook, the supervisory priorities for 2026-28 reflect the need for banks to remain resilient in the face of geopolitical risks and macro-financial uncertainties (Priority 1), at the same time as ensuring strong operational resilience and ICT capabilities (Priority 2).

Figure 1

Supervisory priorities for 2026-28, addressing identified vulnerabilities in banks

Source: ECB.
Notes: This figure shows the two supervisory priorities for the period 2026-28 and the corresponding vulnerabilities that banks are expected to address over the next three years. ECB Banking Supervision will carry out targeted activities assessing, monitoring and following up on the vulnerabilities identified. The right-hand side of the figure shows the overarching risk category that is associated with each vulnerability.

Each supervisory priority targets a specific set of vulnerabilities in the banking sector for which dedicated strategic objectives have been set and tailored work programmes developed. Figure 1 lists five objectives for addressing key vulnerabilities in banks and outlines a medium to long-term strategy focusing on banks’ digital and, in particular, AI-related strategies, governance and risk management. These two priorities reflect ECB Banking Supervision’s commitment to fostering a robust, resilient and sustainable European banking sector capable of navigating an increasingly complex risk landscape.

The supervisory priorities aim to address the most relevant and overarching vulnerabilities faced by banks and to contribute to the broader work of ECB Banking Supervision. In parallel, ECB Banking Supervision continues to conduct regular supervisory activities to address other relevant risk areas to further support the resilience of the European banking sector to institution-specific risks. Follow-up work on past priorities will also remain a key focus, in conjunction with ongoing supervisory engagement with banks.

The supervisory priorities promote effectiveness and consistency in the planning work of the Joint Supervisory Teams (JSTs) and support the efficient allocation of resources in line with predefined risk tolerance levels. [2] They also help national supervisors to set their own priorities for the supervision of less significant institutions in a proportionate manner. Transparent communication of these priorities plays a critical role in clarifying expectations for banks, strengthening the impact that this supervision has in further increasing the resilience of the European banking sector and levelling the playing field across institutions.

The following sections provide an overview of the 2025 risk assessment along with a detailed outline of the supervisory priorities and the work programmes for the 2026-28 period.

2 Risk assessment and supervisory priorities for 2026-28

2.1 Macroeconomic and operating environment for supervised entities

Over the past year, the macroeconomic environment has been characterised by an escalation in global trade tensions and broader geopolitical risks, leading to shifting trade policies and higher overall uncertainty. The announcement of the new US import tariffs in early April 2025 triggered a sharp market sell-off of bonds that intensified global recession fears. Policy uncertainty, particularly on the international trade front, surged to unprecedented levels, resulting in significant volatility in the financial markets.[3] Subsequent announcements – first of a temporary pause in tariff hikes and, later, of a trade agreement that averted a trade war between the United States and the EU – sparked a rally in equity markets. Although initial losses were reversed, equity markets remain volatile and vulnerable to further repricing owing to elevated valuations and risk concentration.[4]

Despite fluctuations in economic activity, conditions remain supportive for euro area real GDP growth to strengthen over the projection horizon, and inflation is projected to stabilise around the medium-term target of 2%.[5] Stronger than expected economic activity in the first quarter of 2025, partly driven by the frontloading of exports in anticipation of higher tariffs, is projected to give way to weaker growth in the second half of the year. However, euro area real GDP growth is projected to increase over the medium term, supported by improving real disposable income, reduced uncertainty, stronger foreign demand and fiscal stimulus related to defence and infrastructure. Survey indicators also suggest a modest expansion in both the manufacturing and services sectors, signalling a positive underlying momentum in the economy. Headline inflation is projected to remain around the medium-term target of 2%, while core inflation is expected to decline as a result of declining labour cost pressures and the appreciation of the euro.

While uncertainty moderated somewhat in the second half of the year, it still remains elevated compared with historical norms, posing risks to the economic outlook.[6] Risks to economic growth have become more balanced as trade agreements have reduced uncertainty.[7] Nevertheless, a renewed escalation in global trade tensions could weigh on export growth and dampen investment and consumption. Ongoing geopolitical tensions remain a major source of risk to the macroeconomic outlook. A potential deterioration in financial market sentiment may result in tighter financing conditions, increasing risk aversion and weakening growth. Moreover, a combination of weaker than expected growth, higher defence spending needs and structural challenges – such as low productivity, ageing populations, climate change and digitalisation – could undermine sovereign debt sustainability, particularly in heavily indebted countries.[8]

So far, financial markets and the European banking sector have demonstrated strong resilience to external shocks, sometimes helped in this regard by a set of supportive public measures, including fiscal and monetary policies. Ample liquidity within the financial system played a critical role in containing the number of positions that unwound during April’s market sell-off of bonds. While the tariff-related turmoil and the accompanying spike in macroeconomic volatility were material, they proved short-lived. Equity markets swiftly rebounded following the announcement of the temporary pause in tariff increases, with European bank asset prices supported by their solid fundamentals. In the wake of shocks stemming from trade policies, the likelihood of further geopolitical and macro-financial tensions remains elevated, increasing the risk of sudden market repricing which could have adverse implications for financial stability in the euro area and the global economy. This risk could in turn be exacerbated by the growing interconnection between bank and non-bank financial institutions.[9]

Furthermore, high public spending needs coupled with limited available fiscal space could raise concerns about the sustainability of sovereign debt in some countries, leading to increasing funding costs and spillovers to banks and corporates.[10] Going forward, this may also limit the policy space available to buffer shocks to the real economy.

2.2 Priority 1: Strengthening banks’ resilience to geopolitical risks and macro-financial uncertainties

The current macro-financial and geopolitical environment confirms the need for strong financial resilience in the European banking sector and warrants increasing supervisory attention in selected areas. In particular, banks should ensure prudent risk-taking and sound credit standards to prevent the accumulation of new non-performing loans. In addition, supervisors will pay close attention to how banks implement the new, more risk-sensitive standardised approaches which are designed to assist the calculation of the capital requirements under the CRR III/CRD VI banking package. These new capital requirement frameworks better align capital requirements with banks’ actual risks and their impact on the risk-weighted asset calculations is expected to increase over time with the phasing-in of the new output floor. Finally, the growing frequency of climate-related disasters and slow progress towards the net-zero goals under the Paris Agreement require banks to further strengthen their management of climate and nature-related (C&N) risks.

As a key driver of macroeconomic uncertainty, geopolitical risks remain the focus of the ECB’s supervisory priorities. In this vein, the 2026 thematic stress test will assess institution-specific geopolitical risk scenarios and their potential to have a significant impact on banks’ solvency.[11] It will also help to ascertain how the geopolitical risk scenarios considered by the banks could have an impact on banks’ funding and liquidity conditions. Given their cross-cutting nature, geopolitical risks will be captured during both prioritised and regular supervisory activities. As part of their regular activities, supervisors will assess banks’ ability to withstand geopolitical shocks and will review banks’ internal capital and liquidity adequacy statements, their liquidity and funding planning processes, recovery plans and internal stress-testing frameworks.

Prioritised vulnerability: Ensure prudent risk-taking and sound credit standards

Strategic objective: To foster prudent risk-taking, supervised entities should have in place and maintain sound credit standards and risk-based pricing, while adjusting to changes to the macro-financial environment and their institution’s specific circumstances.

Supervised entities’ asset quality has, overall, remained stable over the past year, supported by household and corporate resilience to higher interest rates. While non-performing loan volumes rose slightly over the past year, predominantly in the consumer and small and medium-sized enterprise segments, the non-performing loan ratios of most supervised entities improved. The euro area’s economic outlook remains broadly supportive, with lower interest rates and healthier debt levels expected to ease pressure on debt servicing. Residential real estate markets are also expected to remain resilient, benefiting from favourable labour market conditions, and there are signs of stabilisation emerging in the commercial real estate segment, albeit with the subprime office sector remaining weak amid persistent lower demand.[12] At the same time, significant downside risks persist, particularly as a result of US-EU trade tensions and broader geopolitical risks, which could affect sectors with high export volumes to the United States, such as the automotive, chemicals or pharmaceutical sectors, potentially causing asset quality to decline. In response to these global uncertainties, some banks began increasing their provisions, but the aggregate cost of risk and provisioning levels remained stable overall. Given the possibility of deteriorating macroeconomic conditions as a result of escalating geopolitical and global trade tensions, it is therefore key to ensure that banks apply sound underwriting standards to new loans production.[13]

Supervisory assessments show that, despite progress, some banks still face shortcomings in their IFRS 9 and credit risk management frameworks for their more vulnerable portfolios. On-site and off-site reviews revealed improvements in capturing evolving risks[14], such as C&N risks, but persistent issues such as arbitrary overlays and inadequate risk capture remain[15]. Supervisors identified weaknesses in provisioning and IFRS 9 frameworks in the 2025 SREP and will continue to follow up on the remaining deficiencies as part of their regular supervisory work. Furthermore, supervisors continued to closely monitor banks’ management of more vulnerable debtors. A targeted review of the portfolio of small and medium-sized enterprises revealed material shortcomings in the areas of governance (including banks using outdated data to make assessments), early warning systems (often solely dependent on ratings) and preparedness for borrowers’ financial distress. Credit risk on-site inspections (OSIs) of small and medium-sized enterprises, as well as other vulnerable portfolios such as commercial real estate, continued to reveal issues relating to provisioning, credit risk management processes (including collateral valuation), governance and data quality.

Going forward, supervisors will prioritise prudent risk-taking and sound credit underwriting standards in banks to prevent the emergence of future non-performing loans. A thematic review, building on the 2019 exercise[16], will be carried out to assess how banks mitigate potential losses through their credit lending frameworks. This will be followed by targeted initiatives, including remediation measures and credit risk OSIs covering underwriting standards. For those banks where the thematic review identifies issues regarding loan pricing or cost management, additional reviews shall be performed to assess whether lending practices are in line with sustainable profitability goals.

Main activities as part of the work programme for these supervisory priorities

  • Thematic review of credit underwriting standards, focusing on new lending to assess how banks intend to mitigate potential future credit losses
  • Targeted review of loan pricing, as a follow-up to the thematic review, to assess banks’ loan pricing practices and standards
  • Targeted credit risk OSIs, including banks’ loan origination and credit underwriting frameworks

Prioritised vulnerability: Ensure adequate capitalisation and consistent implementation of CRR III

Strategic objective: To maintain adequate capitalisation, supervised entities need to implement the new standardised approach for calculating their minimum capital requirements under CRR III, consistently and accurately.

The final Basel III framework developed in response to the global financial crisis aims to make banks better equipped to absorb economic shocks at the same time as maintaining their ability to finance economic activity and support growth. In the EU, this framework was implemented through the CRR III/CRD VI package, which came into force on 1 January 2025. This legislative package strengthens European banking supervision and governance requirements and introduces key changes to the calculation of banks’ risk-weighted assets across all prudential risk categories.

It is there therefore critical that banks consistently and accurately implement the new standardised approach to ensure that capital requirements are closer aligned with banks’ actual risks. Although the relevant supervisory reviews conducted in the past have been somewhat limited, targeted JST and OSI analyses of banks’ implementation of the standardised approach commonly pointed towards material shortcomings stemming from incorrect exposure classifications, risk-weight allocations, collateral valuations or weak controls by their risk control functions.

Closer supervisory scrutiny going forward will be required to account for the increasing role that the standardised approach will play in determining banks’ solvency, including through the calculation of the new output floor. For credit risk, supervisors will assess banks’ implementation of the standardised approach following the relevant changes introduced by CRR III. Supervisors will combine targeted OSIs with targeted reviews to assess the adequacy of banks’ capital frameworks. Remediation of the associated findings will be addressed through regular JST follow-up. For operational risk, CRR III introduces a new non-model-based approach applicable to all banks, which replaces the previous approach. Similar to credit risk, supervisors will conduct an initial review to identify potential outliers, based on banks’ reported risk-weighted assets and other qualitative assessments, and will subsequently perform a targeted review of those banks with a higher risk of miscalculation. For market risk, given the postponement of the first application date of the Fundamental Review of the Trading Book, the relevant targeted supervisory reviews will only be performed upon the request of the JSTs, depending on the outcome of their ongoing dialogue with banks in this domain.

Main activities as part of the work programme for these supervisory priorities

  • Credit risk: targeted reviews and targeted OSIs, focusing on the calculation of risk-weighted assets under the standardised approach
  • Operational risk: targeted reviews of the calculation of the business indicator component to aid the calculation of the corresponding capital requirements

Prioritised vulnerability: Ensure prudent management of climate and nature-related risks

Strategic objective: Banks should effectively assess and manage short-, medium- and long-term risks stemming from the climate and nature crises, and remedy persistent shortcomings in their related risk management frameworks.

With global temperatures surpassing 1.5°C above the pre-industrial average and with Europe being the fastest-warming continent on earth[17], severe C&N events are becoming more frequent and costly. Events such as the recent floods and wildfires across Europe demonstrate the growing human and economic toll stemming from the C&N crises.[18] At the same time, the high and growing insurance protection gap, with only around 25% of natural hazard losses being insured, poses further risks to GDP growth and potentially to banks’ balance sheet exposures.[19] Moreover, the lagging progress of global economies to move towards the net-zero targets under the Paris Agreement is increasing transition risk.[20] A disorderly “run on brown” transition scenario[21] coupled with a recession could result in significant credit and market risk losses for European banks.[22]

Significant institutions have made sound progress and are in a good position to meet prudential transition planning requirements. European banks have made significant headway in addressing the risks stemming from the C&N crises. Whereas in 2019 less than one-quarter of euro area banks had reflected on these risks, they now have an increasing number of advanced practices in place to identify, monitor and – most importantly – manage C&N risks. In 2022, almost 80% of banks had either only basic risk management practices in place or none at all. Based on their modest levels of preparedness at the time, following the 2022 thematic review on climate-related and environmental risks and the 2022 climate risk stress test, ECB Banking Supervision encouraged banks to speed up their progress, setting clear interim deadlines for 2023 and final deadlines for the end of 2024 to align their practices with supervisory expectations taking into account their specificities. On a positive note, the number of banks lacking foundational elements has decreased sharply over the past few years.[23] Moreover, progress achieved by banks in their management of C&N risks allows them to strengthen their internal capabilities to effectively manage other risks, like geopolitical risks. Supply-chain and concentration risk analysis – e.g. understanding clients geographic footprints, dependencies and vulnerabilities – and scenario planning and a stress-testing framework – e.g. designing and testing plausible but uncertain scenarios – are just a few areas that have benefited from the enhancement of banks’ C&N risks management in the past years and can be applied to monitor and assess impact from other, cross-cutting risk drivers, such as geopolitical risks.

That said, sustained effort remains critical. The changing risk landscape already indicates that C&N risks are on an upward trend[24] and that, unlike cyclical risk drivers, climate risk is a permanent shock heading in one direction only, with serious long-term effects on house prices and other asset values.[25] This trend is also reflected by the latest advancements in banks’ materiality assessments, revealing that 90% of the banks surveyed consider themselves having material risk exposures to C&N risks, up from around 50% in 2021. Moreover, C&N risks modelling and quantification remain nascent and are subject to significant underestimations, for instance in physical risk models.[26] ECB Banking Supervision also observes ongoing challenges, including physical C&N risks, and the accumulation of institution-specific weaknesses in individual banks, particularly in terms of the comprehensiveness of their practices. Supervisors will therefore follow up on these shortcomings as part of their regular supervisory activities.

Going forward, supervisors will continue to monitor banks’ progress and remediation of shortcomings, while focusing targeted supervisory exercises on prudential transition planning requirements and persisting challenges to banks’ compliance with the supervisory expectations and regulatory requirements for managing C&N risks. In line with CRD VI, banks will be asked to develop prudential transition plans, which will be reviewed by supervisors in accordance with the EBA guidelines on the management of ESG risks. ECB Banking Supervision will take a gradual and targeted approach, focusing on the new elements from these guidelines, first via informal dialogues with the banks that will be followed by a thematic review. Supervisors will also continue to monitor banks’ compliance with Pillar 3 disclosure requirements for environmental, social and governance-related issues and perform a targeted review of their physical risk disclosures. ECB Banking Supervision will conduct further analyses of banks’ capabilities to address continuing challenges, including those regarding physical risk. Furthermore, targeted OSIs will also focus on banks’ management of C&N risks, either on a standalone basis, with the emphasis primarily on C&N risks, or as part of risk-specific OSIs, such as those on credit risk. Finally, ECB Banking Supervision aims to update its compendium of good practices for C&N risks in due course.

Main activities as part of the work programme for these supervisory priorities

  • Targeted follow-up and monitoring of banks’ remediation of remaining shortcomings stemming from the 2022 thematic review and climate risk stress test
  • Thematic review of banks’ transition planning in line with the CRD VI package
  • Horizontal assessment of banks’ compliance with Pillar 3 disclosure requirements for environmental, social and governance-related issues
  • Deep dive into banks’ capabilities to address ongoing challenges, including physical risk
  • Targeted OSIs of C&N risk management, either on standalone basis or as part of planned reviews of other risk areas

2.3 Priority 2: Strengthening banks’ operational resilience and fostering robust ICT capabilities

Robust and resilient operational risk management frameworks and strong ICT capabilities are crucial in mitigating emerging risks and avoiding disruptions to critical operations and services. With the Digital Operational Resilience Act (DORA) entering into force at the beginning of 2025, banks must now ensure that they consistently and swiftly implement the relevant requirements, particularly those for ICT third-party risk and incident response management. Furthermore, addressing material shortcomings identified as part of past supervisory reviews of cybersecurity, third-party risk management and risk data aggregation and risk reporting (RDARR) remains vital. In addition, as part of a medium-to-longer term strategy and as banking operations become increasingly digital, ECB Banking Supervision will gradually step up its effort to engage with banks on how they use new technologies, and in particular AI, to exploit the potential gains while also being aware of the associated risks. This will assist the development of a future supervisory approach.

Prioritised vulnerability: Implement robust and resilient operational risk management frameworks

Strategic objective: To foster their ability to prevent, withstand and recover from disruptions to critical operations and services, banks should develop and maintain robust and resilient operational risk management frameworks. They should continue their efforts to swiftly and effectively address previously identified shortcomings in the area of cybersecurity and third-party risk management and fully comply with DORA.

The rapidly evolving cyber threat landscape, amplified by geopolitical risks, continues to challenge banks’ cybersecurity and third-party risk management capabilities. Reported significant cyber incidents have doubled in recent years[27], with ransomware attacks growing more sophisticated and state-sponsored activities posing persistent threats, including hybrid threats such as information manipulation, warranting ongoing vigilance.[28] While banks proved resilient to such attacks – as well as to other incidents of an operational nature – and were able to avoid major disruptions, recent events such as the power outages that have occurred within Europe underline the importance for banks to develop mitigants and deploy effective contingency plans for the risks posed to their critical infrastructures, covering all critical information systems and a multitude of plausible scenarios. [29] Advancements in the development of AI applications may also significantly put banks’ cybersecurity to the test, as any underestimation of the related security risks prior to their deployment could introduce critical vulnerabilities to their ICT systems.[30] Additionally, regular supervisory reporting show that banks are heavily dependent on a handful of third-party service providers, many of which are based outside the EU. [31] This increases the complexity of banks’ outsourcing arrangements and exposes them to heightened vulnerabilities, particularly given geopolitical tensions.

The 2025 SREP aggregated results and insight from supervisory activities confirm the need to strengthen banks’ ICT risk management practices. Operational risk and ICT risk continue to receive the worst average scores in the SREP. Supervisory reviews have revealed recurring weaknesses in cybersecurity strategies, shortcomings in cyber incident management and gaps in third-party risk management frameworks. [32] ECB Banking Supervision recently finalised its Guide on outsourcing cloud services to cloud service providers to address banks’ increasing use of cloud-based solutions. The guide outlines the supervisory expectations for implementing DORA-related requirements. It provides examples of good practices for effective cloud outsourcing risk management while aiming to ensure a level playing field among all supervised entities.

Going forward, ECB Banking Supervision will foster a sound and consistent implementation of the DORA-related requirements. Compliance with DORA will be assessed across a broad range of activities. Following past supervisory reviews of IT security/cyber resilience and IT outsourcing risk management, targeted follow-up will now take place with those banks with material shortcomings in these areas to foster their effective and timely remediation. To this end, two OSI campaigns focusing on cybersecurity and third-party risk management will be carried out targeting more vulnerable banks, as identified by the JSTs. As part of the new supervisory mandate under DORA, threat-led penetration testing will also take place to promote improvements in banks’ cyber resilience strategies. Based on the published guide on outsourcing cloud services, supervisors will also conduct a deep dive to evaluate targeted banks’ preparedness for potential service disruptions caused by a major cloud service provider. Finally, as the primary root cause of unplanned downtime in banks often lies in ICT system changes, ECB Banking Supervision will conduct a targeted review of ICT change management to identify gaps in basic control frameworks and improve banks’ change management capabilities.

The oversight of critical third-party providers under the DORA oversight framework will be launched in January 2026. ECB Banking Supervision strongly supports this new oversight framework, which will help strengthen digital operational resilience across the EU financial sector. Institutions’ oversight of critical third-party providers is meant to complement but not substitute sound third-party risk management.

Main activities as part of the work programme for these supervisory priorities

  • Targeted follow-up on remediation strategies for those banks that report material shortcomings in ICT security/cyber resilience and ICT outsourcing
  • Two OSI campaigns on cybersecurity management and third-party risk management, in line with the new DORA requirements
  • Threat-led penetration testing to identify banks’ vulnerabilities and improve their cybersecurity resilience
  • Targeted review of ICT change management
  • Deep dive into banks’ dependency on cloud service providers to assess their preparedness for potential service disruptions

Prioritised vulnerability: Remedy deficiencies in risk reporting capabilities and related information systems

Strategic objective: To support sound risk management and effective decision-making, banks should strengthen their effort to effectively and timely remedy material weaknesses identified in their RDARR frameworks and bring them into line with the supervisory expectations laid down in the relevant ECB Guide.

The uncertain geopolitical environment and the rapid digitalisation of banks’ operations and services underline the need for resilient internal information systems and robust RDARR capabilities. Timely and accurate risk information are essential for efficient steering, timely strategic decision-making and effective crisis management. Moreover, a strong RDARR framework positions banks to exploit digitalisation tools and technologies such as AI and advanced analytics.[33]

However, the progress made by supervised entities to address structural deficiencies in their RDARR frameworks remains slow and supervisory activities over the past year’s cycle reveal the need to continue strengthening their remediation efforts to close gaps as against the supervisory expectations. The SREP 2025 outcomes point to persistent deficiencies in banks’ RDARR frameworks, with no improvement in the relevant average sub-score as compared with last year. The 2022-24 OSI campaign and the 2024 targeted reviews of RDARR frameworks unveiled weaknesses in banks’ (i) data governance frameworks, including comprehensiveness or adequacy of involvement of management bodies; (ii) data infrastructure and IT architecture; and (iii) data accuracy and integrity. The 2024 targeted reviews also pointed to gaps against the BCBS 239 principles and relevant supervisory expectations, as outlined in the ECB Guide on effective risk data aggregation and risk reporting.

Supervisory efforts will intensify to ensure banks improve their RDARR frameworks and capabilities and meet the relevant supervisory expectations. In December 2024, the Supervisory Board of the ECB approved a system-wide strategy, covering all supervised entities, to monitor their compliance with the supervisory expectations, as well as to follow up on their remediation strategies, where applicable. This strategy initially focused on management bodies’ accountability for the oversight and implementation of the RDARR framework, before gradually expanding to other supervisory expectations, such as data quality management and IT/data architecture. A clearly defined remediation and escalation process will guide supervisors’ actions and they will use the existing supervisory toolkit, if required. Targeted OSIs will take place to procure additional information on banks’ progress in closing the gap for high severity and more complex findings.

Main activities as part of the work programme for these supervisory priorities

  • System-wide strategy and related supervisory reviews to monitor banks’ compliance with the supervisory expectations for RDARR frameworks, as well as effective remediation of most material findings
  • Targeted OSIs of RDARR frameworks for those banks requiring further assessment, as well as targeted OSIs of previously identified severe findings

Medium to long-term priority strategy focusing on banks’ digital and, in particular, AI-related strategies, governance and risk management

Strategic objective: When leveraging new technologies, and in particular AI, to enhance efficiency and innovation, banks shall have strategies that effectively reflect opportunities and risks stemming from the related applications and set up robust governance and risk controls to manage the underlying risks.

Supervised entities should prioritise their digitalisation efforts to strengthen their competitiveness and effectively manage risks stemming from new technologies. Rapid technological changes, particularly in the area of AI, are reshaping the banking sector and institutions must act strategically to capture long-term value and adapt their business models. Both supply-side factors, including more affordable and broader availability of technical resources such as model development and cloud storage, and demand-side factors, including expected efficiency gains and increased competition, are leading to the wider use of AI in banks, often building on internally established modelling capabilities. While AI has the potential to improve risk management and information processing, as well as provide efficiency gains through automation, associated risks may become more noticeable as the corresponding AI applications are more widely used. In this respect, generative AI tools are a significant technological leap forward, with a potentially high impact on banks. While technology is constantly evolving, the supervisory focus will remain technology-neutral and focused on the use cases and risks. The growing use of AI tools across both prudential and non-prudential institutions thus calls for a structured and holistic approach that integrates AI-related strategy, governance and risk management. Supervisors, in turn, need to refine their assessment frameworks within their supervisory focus to better evaluate banks’ AI-related strategies, promote the adoption of industry best practices and ensure that the appropriate safeguards are in place. This priority aims to help adopt a strategic supervisory stance on both the opportunities and the risks inherent in AI-driven applications and to pave the way for potential adjustments to the supervisory toolkit. This way, ECB Banking Supervision can help banks to proactively address the emerging risks, while effectively bridging the usual short- to medium-term focus of the supervisory priorities with a longer-term strategic perspective.

Over recent years, ECB Banking Supervision has identified important aspects for steering banks’ digitalisation transformation in a sustainable, well-governed and risk-aware manner. ECB Banking Supervision’s report published last year on the key assessment criteria and good practices in the area of digitalisation revealed a significant increase in the adoption rate of AI in banking services. The targeted reviews and OSIs conducted during 2024-25 confirmed this development. While AI use cases span a wide range of activities, past supervisory scrutiny emphasised the importance of the increased adoption of AI for credit scoring and fraud detection, as well as the still nascent but highly disruptive potential of generative AI. [34] In 2025, ECB Banking Supervision intensified its monitoring of the use of AI and generative AI by collecting data from banks. In addition, supervisors further engaged with banks to better understand specific use cases and assess their impact and relevance from a microprudential risk perspective.

Going forward, ECB Banking Supervision will continue to monitor the general use of AI, while taking a more targeted approach to focus on banks’ generative AI applications. The focus on generative AI aims to widen the scope of the ongoing investigations into those banks’ AI applications with prudential implications. This should lead to a broader assessment of the prudential significance of banks’ current and future developments in this field and to the adoption of a supervisory stance on the materiality of these AI applications and the inherent risks, setting the stage for future reviews. In parallel, ECB Banking Supervision is also active in the discussions surrounding the implementation of the EU Artificial Intelligence Act and intends to cooperate with market surveillance authorities at the national level as well as with the European Banking Authority.

Beyond AI, ECB Banking Supervision will keep performing its horizon scanning activities to stay ahead of the curve. As the banking sector is operating in a fast-changing landscape driven by both technological innovation and the emergence of non-banks, these activities allow identifying and understanding structural trends and risk drivers expected to shape the future of banks in the medium to long term. They also foster a stepwise integration of the underlying findings into its supervisory frameworks and strategy. Against this background, the rapid growth of stablecoins and the increasing number of use cases and underlying complexity, but also implications for banks – including the provision of financial services to stablecoin issuers – may pose material risks if not properly understood and managed. Supervisors will accordingly monitor developments in this area as well, and engage with banks in a targeted manner, to ensure robust risk management is applied here too.

Main activities as part of the work programme for these supervisory priorities

  • Targeted horizontal workshops with a selected number of banks on generative AI applications to strengthen supervisory understanding of how banks use these applications
  • Cooperation with market surveillance authorities responsible for the Artificial Intelligence Act and with the European Banking Authority

Box 1
The supervisory cycle – integrated planning of supervisory activities

The development of supervisory priorities and strategic planning are critical to ensuring effective supervision and facilitate an efficient planning process for banks. Through an integrated approach, the supervisory priorities inform the planning of supervisory activities for the upcoming cycle. Key components include the planning of horizontal activities, on-site missions and JST initiatives.[35]

Integrated planning encompasses all supervisory activities, including off-site and on-site, horizontal and bank-specific activities. Once the overall supervisory priorities have been set and horizontal activities selected, JSTs define the key objectives and activities for each supervised entity. This is summarised in the Supervisory Examination Programme (SEP). This process includes assessing the relevance of each risk in light of the bank’s own vulnerabilities and determining supervisory actions in line with the supervisory priorities and risk tolerance levels. Based on these assessments, supervisors develop work programmes, tailored to the risk profile of the supervised entity and encompassing all supervisory activities. To ensure transparency and predictability, the SEPs are communicated to the banks at the start of the supervisory cycle each year.

The different elements of the work programmes are chosen to ensure that ECB supervision is risk-based and proportionate, and that resources on the side of banks and supervisors are used as efficiently as possible. This means that levels of supervisory engagement vary across different institutions − the riskier a bank, the more intense the supervision. There is a direct link between an institution’s overall risk profile and the level of supervisory engagement.

In its ongoing reforms to enhance the efficiency and effectiveness of banking supervision, while maintaining a clear risk focus, the ECB is refining its supervisory planning process. The enhancements aim to better align and integrate supervisory activities, ensuring greater complementarity while avoiding duplication of effort. Tangible improvements benefiting banks and supervisors include (1) the definition of supervisory priorities targeting specific vulnerabilities of banks and the subsequent development of more streamlined supervisory activities aimed at delivering on the corresponding strategic objectives; (2) the strengthening of synergies between horizontal activities, on-site missions and JST activities, resulting in a reduction of overlapping requests to banks on similar issues; and (3) the earlier communication of the SEPs, allowing for better planning and sequencing of banks’ remediation efforts.

Supervisory activities included in the work programmes

  • Thematic reviews: Thematic reviews are centrally coordinated activities that cover most supervised entities. They focus on fact-finding and benchmarking related to the supervisory priorities defined by the Supervisory Board. Outcomes of thematic reviews may be used to help the ECB develop supervisory guidance,[36] enhance system-wide risk identification and promote good practices.
  • Targeted reviews: Targeted reviews have similar objectives to the thematic reviews but focus on a more specific set of issues and cover fewer supervised entities, following a risk-based approach. The sample of institutions is chosen in accordance with the risk tolerance defined by each JST for the supervised entity in question.
  • Deep dives: Deep dives typically involve in-depth analyses of idiosyncratic topics selected by a JST to address specific concerns.
  • On-site inspections: On-site inspections aim to provide an in-depth analysis of various risks, internal control systems, business models and governance. Inspections are conducted by the ECB and national supervisory authorities within a predefined scope and timeframe, at the premises of the legal entities inspected. They are carried out as part of the overall supervisory process and must be risk-based, proportionate, forward-looking and action-oriented. The use of on-site inspections is closely coordinated with JSTs that contribute to the planning of inspections (e.g. via SEP), the preparation of recommendations for the bank and the follow-up on any remedial actions or supervisory measures.

The outcomes of all the reviews listed above are used to inform the annual SREP or other supervisory activities. The relevant findings may result in the development of institution-specific qualitative and/or quantitative measures.

When developing work programmes to support the supervisory priorities and determining the most appropriate supervisory tools to achieve its objectives, the ECB follows a “risk identification-risk remediation” approach. This involves first reviewing and benchmarking supervised entities’ practices. The findings from these reviews are then assessed for materiality, and supervised entities are subsequently requested to address them according to modalities and timelines discussed with the supervisors. If deviations occur, the ECB may take binding measures to ensure timely remediation of the material findings and may exercise its enforcement and sanction powers to ensure that remediation is completed effectively and within the stipulated timeframe.[37]

European Central Bank, 2025

Postal address 60640 Frankfurt am Main, Germany
Telephone +49 69 1344 0
Website www.bankingsupervision.europa.eu

All rights reserved. Reproduction for educational and non-commercial purposes is permitted provided that the source is acknowledged.

For specific terminology please refer to the SSM glossary (available in English only).

PDF ISBN 978-92-899-7464-6, ISSN 2599-8420, doi:10.2866/9317889, QB-01-25-230-EN-N
HTML ISBN 978-92-899-7463-9, ISSN 2599-8420, doi:10.2866/0409681, QB-01-25-230-EN-Q

  1. See “Aggregated results of the 2025 SREP”, ECB, November 2025.

  2. See “Box 1: The supervisory cycle – integrated planning of supervisory activities” for further information on the supervisory planning process.

  3. See the European Commission’s Spring 2025 Economic Forecast, May 2025.

  4. See the section entitled “Financial markets”, Financial Stability Review, ECB, May 2025.

  5. See ECB staff macroeconomic projections for the euro area, ECB, September 2025.

  6. See ECB staff macroeconomic projections for the euro area, ECB, September 2025.

  7. See the ECB’s monetary policy statement, ECB, 11 September 2025.

  8. See Financial Stability Review, ECB, May 2025.

  9. ibid.

  10. ibid.

  11. See “Introductory statement by Claudia Buch, Chair of the Supervisory Board of the ECB, at the Hearing of the Committee on Economic and Monetary Affairs of the European Parliament”, 15 July 2025.

  12. See Financial Stability Review, ECB, May 2025.

  13. See EBA Guidelines on loan origination and monitoring (EBA/GL/2020/06).

  14. Evolving risks are difficult to capture/model with traditional expected credit loss models due to their uncertain nature and lack of historical data.

  15. See “IFRS 9 overlays and model improvements for novel risks”, ECB, July 2024.

  16. The outcomes of the 2019 exercise were communicated to the wider public in a dedicated publication to the industry; see “Trends and risks in credit underwriting standards of significant institutions in the Single Supervisory Mechanism”, ECB, June 2020.

  17. See “European state of the climate: Report 2024”, Copernicus Climate Change Service (C3S) and World Meteorological Organization (WMO), 2025.

  18. See “Climate change impacts, risks and adaptation”, European Environment Agency, June 2025.

  19. See “Insurance protection gaps”, European Insurance and Occupational Pensions Authority (EIOPA), February 2024.

  20. A large percentage of publicly listed companies are misaligned with the pathway to reduce global warming to 2°C or less; see MSCI Transition Finance Tracker, March 2025.

  21. The “run on brown” scenario focuses on short-term climate-related risks that materialise in the form of asset price corrections triggered by a sudden reassessment of transition risk.

  22. See “Fit-for-55 climate scenario analysis”, ESA and ECB, November 2024.

  23. See Annual Report on supervisory activities 2024, ECB, March 2025.

  24. See Swiss Re Institute, “Natural catastrophes: insured losses on trend to USD 145 billion in 2025”, sigma report, No 1, 29 April 2025.

  25. See Clark, P., “How the next financial crisis starts”, Financial Times, 26 June 2025.

  26. Trust, S. et al., “Planetary Solvency – finding our balance with nature”, Institute and Faculty of Actuaries, University of Exeter, January 2025.

  27. See Tuominen, A., “Operational resilience in the digital age”, The Supervision Blog, ECB, 17 January 2025.

  28. See Montagner, P., “Information and communications technology resilience and reliability”, speech at the Frankfurt Banking Summit, Frankfurt am Main, 2 July 2025.

  29. See “What we can learn about building a resilient energy grid from the Iberian power outage”, World Economic Forum, 16 May 2025.

  30. See the report entitled “Global Cybersecurity Outlook 2025”, World Economic Forum, 13 January 2025.

  31. See “Outsourcing trends in the banking sector”, Supervision Newsletter, ECB,19 February 2025.

  32. For further information, see “Aggregated results of the 2025 SREP”, ECB, November 2025.

  33. See “Sound risk data reporting: key to better decision-making and resilience”, Supervision Newsletter, ECB, February 2025.

  34. For further information, see “Aggregated results of the 2025 SREP”, ECB, November 2025.

  35. For further information on the supervisory cycle and the integrated approach, see Supervisory Manual, ECB, January 2024; for further information on on-site inspections, see the Guide to on-site inspections and internal model investigations, ECB, September 2018.

  36. See, for example, ECB supervisory guides.

  37. See also Supervisory measures on the ECB’s banking supervision website.

Whistleblowing