
ECB supervisory priorities for 2026-2028 focus on resilience to geopolitical, climate and ICT risks

Tuesday, 25th November 2025

The European Central Bank (ECB) has published its supervisory priorities for 2026 to 2028 for significant EU credit institutions.

There are two overarching priorities that reflect a challenging environment characterised by heightened geopolitical risks and changing patterns of competition due to increased digitalisation and innovation in the banking sector:

  • strengthening banks’ resilience to geopolitical risks and macro-financial uncertainties

  • strengthening banks’ operational resilience and fostering robust ICT capabilities

The ECB has set strategic objectives that directly support its two overarching priorities. To achieve these objectives, the ECB has outlined a series of planned supervisory activities, which are detailed below. 

Priority 1 – Strengthening banks’ resilience to geopolitical risks and macro-financial uncertainties

A) Supervisory activities to ensure prudent risk-taking and sound credit standards to address credit risk:

  • thematic review of credit underwriting standards, focusing on new lending to assess how banks intend to mitigate potential future credit losses

  • targeted review of loan pricing to assess banks’ loan pricing practices and standards

  • targeted credit risk on-site inspections (OSIs), including on banks’ loan origination and credit underwriting frameworks

B) Supervisory activities to ensure adequate capitalisation and consistent implementation of CRR 3:

  • targeted reviews and targeted OSIs focusing on the calculation of risk-weighted assets under the standardised approach for credit risk

  • targeted reviews of the calculation of the business indicator component to aid the calculation of the corresponding capital requirements for operational risk

C) Supervisory activities to ensure prudent management of climate and nature-related (C&N) risks:

  • targeted follow-up and monitoring of banks’ remediation of remaining shortcomings stemming from the stress test on climate-related risks and thematic review of C&N risks conducted in 2022 

  • thematic review of banks’ transition planning for C&N risks in line with CRD 6 amendments – this has been a significant issue in the market given the 11 January 2026 implementation deadline

  • horizontal assessment of banks’ compliance with Pillar 3 disclosure requirements for ESG-related issues

  • deep dive into banks’ capabilities to address ongoing challenges, including physical risk

  • targeted OSIs of C&N risk management, either on a standalone basis or as part of planned reviews of other risk areas

Priority 2 – Strengthening banks’ operational resilience and fostering robust ICT capabilities 

A) Supervisory activities to ensure implementation of robust and resilient operational risk management frameworks:

  • targeted follow-up on remediation strategies for banks that report material shortcomings in ICT security, cyber resilience and ICT outsourcing

  • OSIs on cybersecurity management and third-party risk management in line with DORA requirements

  • threat-led penetration testing to identify banks’ vulnerabilities and improve their cybersecurity resilience

  • targeted review of ICT change management 

  • deep dive into banks’ dependency on cloud service providers to assess their preparedness for potential service disruptions

B) Supervisory activities to remedy deficiencies in risk reporting capabilities and related information systems:

  • system-wide strategy and related supervisory reviews to monitor banks’ compliance with the supervisory expectations for risk data aggregation and risk reporting (RDARR) frameworks and remediation of material findings

  • targeted OSIs on RDARR frameworks for banks requiring further assessment, and targeted OSIs on previously identified severe findings

C) Supervisory activities focusing on banks’ medium to long-term digital and AI-related strategies, governance and risk management:

  • targeted horizontal workshops with a selected number of banks on generative AI applications to strengthen supervisory understanding of how banks use these applications

  • co-operation with market surveillance authorities responsible for the AI Act and with the European Banking Authority

The ECB’s supervisory priorities for 2026 to 2028 underscore its focus on strengthening both financial and operational resilience in an increasingly complex risk landscape. By addressing geopolitical uncertainties, climate-related challenges and ICT vulnerabilities, the ECB aims to ensure that significant credit institutions remain robust, adaptable and well-prepared for emerging threats. Banks should proactively engage with these priorities, as early alignment will be critical to meeting supervisory expectations and maintaining long-term stability and resilience.

These updated priorities come at a time when the ECB is also increasing its enforcement activity, not only in relation to contraventions of directly applicable EU prudential requirements, but also in the context of supervisory penalties for contravening institution-specific decisions, such as the recent penalty imposed in relation to climate-related and environmental risk (see our previous client insight for details). It is therefore critical for SSM institutions to review and assess the impact of these priorities on their own operations, risk management and compliance programmes.

For further information on the supervisory and regulatory framework applicable to significant EU credit institutions, please contact Dario Dagostino, Partner, Patrick Brandt, Partner, Mark Devane, Partner, Chloe Culleton, Partner, Sarah Lee, Senior Knowledge Lawyer or your usual ALG contact.

  • Patrick Brandt
    Partner, Financial Regulation Advisory
  • Chloe Culleton
    Partner, Regulatory Investigations
  • Dario Dagostino
    Partner, Regulatory Investigations
  • Mark Devane
    Partner, Regulatory Investigations
  • Sarah Lee
    Senior Practice Development Lawyer, Financial Regulation
    Sarah is a Senior Practice Development Lawyer, working with the firm’s Financial Regulation Advisory and Regulatory Investigations teams.