Submit RFP

      On 18 November 2025, the ECB published the results of its Supervisory Review and Evaluation Process (SREP) for 2025.

      The results of 2025 SREP confirm a broadly stable risk environment, where slight shifts in capital requirements stem from structural vulnerabilities rather than from the emergence of new widespread risks.

      The overall SREP scores converged around the central bands (i.e. 2-, 3+ and 3). Banks that had previously weaker profiles showed some improvements, while those rated stronger experienced marginal deterioration.

      At an aggregate level, results appear broadly in line with the 2024 SREP cycle, with an average overall SREP score improving slightly to 2.5 from 2.6 in prior year. In terms of capital: the overall capital requirement and guidance applicable in 2026 stand at about 15.6 % of risk-weighted assets, with the CET1 capital requirement at 11.2 %. The average Pillar 2 Requirement (P2R) remains around 2.1 % of total capital, while the Pillar 2 Guidance (P2G) was reduced by 20bps on average to 1.1 % (CET1). The ECB also continues to apply specific add-ons to further tailor capital requirements for individual risk profiles. In this SREP cycle: six banks received a P2R add-on for leveraged finance, 14 banks were subject to a P2R leverage-ratio add-on (P2R-LR), and ten banks were subject to an NPE-related P2R add-on. In addition, 5 banks were subject to a Pillar 2 Guidance leverage ratio add-on (P2G-LR).

      As anticipated in our previous article, supervisory attention in 2025 remained focused on key structural areas: credit risk, ICT (and operational resilience) risk, and internal governance and risk management, including risk data aggregation and risk reporting (RDARR) capabilities.

      Navigating supervisory challenges

      Below we have outlined key weaknesses for SSM banks identified in SREP 2025; KPMG Banking and Financial Services professionals offer the following recommendations for what banks can do now to improve their ability to meet supervisory expectations in these areas going forward.

      Supervisors highlighted challenges in the sustainability of bank business models, including ambitious strategies, reliance on concentrated income sources and weaknesses in business planning and cost management. In our view, banks should reinforce governance practices around their strategic steering, ensure that business plans are based on realistic bank capabilities and undergo robust challenging processes, supported by credible financial projections and a clear link with risk appetite levels. Additionally, banks should enhance the granularity of cost allocation procedures to support profitability analysis and further enable informed decisions. Accelerating digitalisation will help to streamline processes, boost execution capacity and support more resilient business models.

      Supervisors identified persistent shortcomings particularly around RDARR, board effectiveness and internal control functions. To address them, banks should:

      • maintain their focus on RDARR related topics as a key priority at Board level; this includes adequately investing in data architecture, IT infrastructure and data-quality controls, ensuring at the same time clear executive oversight;
      • reinforce board composition with specialised expertise (e.g. on IT and digital risks) and promote a stronger risk culture to enhance decision-making capabilities;
      • strengthen internal control functions by equipping them with the necessary resources, skills and authority to deliver effective and well-informed challenge and oversight across all key risk areas.

      Supervisors noted that the average credit risk score for SSM banks has only marginally improved in SREP 2025. Weaknesses remain in asset quality across specific portfolios and regions, and persistent deficiencies in credit risk management for some banks. Given these weaknesses, banks should consider reviewing credit-risk identification and monitoring procedures by e.g. enhancing early-warning systems, improving sectoral risk assessments and ensuring more timely identification of deteriorating exposures, particularly in light of potential further NPL inflows. Banks should also strengthen their credit-risk management frameworks by tightening underwriting standards, improving the consistency of provisioning practices, e.g. by reviewing IFRS9 methodologies, and enhancing periodic borrower reviews.

      In SREP 2025, ICT risk continued to be the SREP category with the worst average score (3). Supervisors highlighted vulnerabilities in bank ICT frameworks, driven by accelerating digitalisation, greater reliance on outsourced service providers and challenges from stricter DORA requirements. To improve in this area, banks should strengthen ICT governance by e.g. clarifying accountability for IT-risk decisions and ensuring a more robust oversight of outsourced services and 3rd party arrangements. Institutions should also step up efforts to meet DORA requirements by improving key elements such as risk controls, documentation standards, resilience testing, IT-security and incident-response capabilities.

      Regarding C&E risks, gaps persist in integrating them into risk management frameworks, KPIs and IT systems. A small number of banks also showed slower progress in linking C&E risks to operational-risk processes and broader risk frameworks.

      Banks should intensify their effort to address identified gaps, by both improving data, metrics, methodologies and systems used to assess and manage C&E risks, and ensuring that these risks are properly embedded into governance, risk assessment and decision-making processes. Strengthening these capabilities is key for institutions to demonstrate credible progress and avoid further supervisory escalation by the ECB.

      Looking ahead

      Overall, KPMG Banking and Financial Services professionals recommend that banks should take decisive actions to address persistent weaknesses — most notably when it comes to their RDARR capabilities and investing in robust IT and cyber resilience frameworks. When it comes to identified gaps, banks should accelerate their remediation, particularly in governance and risk management areas. As emphasized in our previous article, proactive engagement with supervisors and credible progress in remediation will be critical to avoid escalation and potential capital impacts.

      Banks that navigate the next SREP cycle effectively, adapt to evolving expectations and address supervisory pressure on key topics will be well placed. Those making steady, credible progress will strengthen their governance, embed a stronger risk culture across the organisation and build the agility needed to keep pace with supervisory developments.

      KPMG European Central Bank Office

      KPMG ECB Office offers you information and solutions for dealing with the ECB supervisory approach under the SSM.

      Read more

      Our people

      henning dankenbring
      Dr. Henning Dankenbring

      Partner, Head of KPMG ECB Office

      KPMG in Germany

      Omar Mauri
      Omar Mauri

      Manager, KPMG ECB Office

      KPMG in Germany