SREP Update: 2025 insights and the impact of reform

October 2025

The 2025 SREP cycle is now well advanced. Banks have already discussed preliminary findings with the ECB, final decision letters will arrive by the end of October, and the publication of SSM results is planned in the second half of November – sooner than in prior years.

These accelerated timeframes reflect the ECB’s ongoing SREP reforms, which began in 2022. The reforms aim to achieve a simpler, shorter, and more flexible SREP via initiatives including:

• A flexible risk assessment system (RAS) to prioritise key areas of focus.
• Streamlined SREP decisions – which have become shorter and directly address key risks and supervisory expectations.
• A new approach to follow-up on supervisory findings.
• Greater use of technology and data analytics, including gen-AI.

Based on conversations with clients, our impression is that overall SREP scores for Significant Institutions (SIs) in 2025 are clustered around scores of 2-, 3+ or 3. This implies less dispersion and fewer outliers – a change that, if confirmed, could increase pressure to demonstrate improvements on the minority of SIs receiving a score of 3- or 4. Considering individual SREP elements, also this year Internal Governance and Risk Management seems to be a key area of supervisory scrutiny and challenge for banks, with many SIs clustered around scores of 3 and 3+, indicating persistent shortcomings and the need for continued improvement in related areas.

Additionally, banks have generally welcomed the new layout and structure of the SREP decision, perceiving it as clear, well-organized and easier to navigate, and most of them appear internally prepared to handle the new tiered approach to follow-up on supervisory findings effectively.

Given the risk-oriented focus of the SREP reforms, it is interesting to note the areas of greatest concern to Joint Supervisory Teams (JSTs). Our initial understanding is that key areas of supervisory focus during the current SREP cycle include:

• Data management: Persistent weaknesses in compliance with the BCBS 239 Principles and supervisory expectations for Risk Data Aggregation and Risk Reporting (RDARR), such as weaknesses in the aggregation capabilities and reporting procedures of risk data, shortcomings in data governance, scope of application, and in some instances poor data quality levels.
• IT and third-party risk management: Fragmented infrastructures and a lack of centralised processes that weaken governance or pose risks to resilience are a concern. So is dependency on third party providers, especially where oversight is weak or concentration risk is elevated. This highlights existing gaps in aligning bank frameworks and controls with the requirements set out under the Digital Operational Resilience Act (DORA), in particular around resilience testing and third-party risk management.
• Cyber risks: Underinvestment and weak cyber resilience undermining cybersecurity capabilities and expertise, including for institutions which may be particularly threatened by geo-political risks, with limited capacity for cyber threat detection and incident response.
• Business models: The sustainability of business models exposed to cyclical or structural changes in specific markets, including those with higher potential geo-political or geo-economic risks.
• Credit risk management: Some increases of NPL inflows in specific sectors, coupled with inadequate credit risk monitoring and early warning systems that increase vulnerability to credit losses and limit proactive risk management.
• Climate & Environment (C&E) risks: Lack of compliance with ECB’s expectations for C&E risks, given shortcomings such as C&E risks not being integrated into risk management and stress testing frameworks, absence of economic capital considerations, and the need for enhanced treatment within the ICAAP. In this context, some banks have now received supervisory letters asking for remedial action, with deadlines ranging from late 2025 to the second half of 2026.

Looking at the SREP process more broadly, we expect the ECB’s ongoing reforms to noticeably change banks’ experience of the annual cycle. At present, three of the most impactful changes appear to be:

• New tiered approach to follow-up: The ECB’s new approach to SREP follow-up gives banks the responsibility to address and prioritise the remediation of less severe findings. However, supervisors retain the right to perform random spot checks and escalate findings where necessary. As before, the most severe findings will be actively monitored by the ECB.
• Greater use of supervisory powers: The ECB will use the full range of the tools at its disposal to escalate remediation if necessary. Banks that fail to address findings will run the risk of incurring negative responses, including binding requirements and sanctions.
• New P2R methodology: So far, the ECB has released limited information about the new, simpler P2R framework. More detail is expected this year, and the new methodology – intended to improve the transparency and consistency of capital setting - will apply from 2026.

Based on the initial insights on ECB’s specific focus areas in the current SREP, and the broader impacts of the SREP reforms, we believe that many banks could benefit from:

• Ensuring remediation management processes are robust, with governance mechanisms, resource allocations, controls and documentation that can withstand supervisory scrutiny.
• Achieving timely and effective remediation, particularly for persistent or structural weaknesses, and engaging proactively with JSTs to communicate progress.
• Preparing for the new P2R framework, focusing on remediating shortcomings or addressing risks and weaknesses that have the potential to push up capital requirements or make capital reductions less likely.

Taken together, these priorities highlight that the success of banks within the evolving SREP framework will depend on their ability to remediate longstanding structural weaknesses in areas such as data quality and data management, IT capabilities and C&E risks management, as well as their capability and readiness to effectively address emerging operational and cyber threats. Strong and effective governance mechanisms will be equally important, as strengthening remediation management, demonstrating credible progress, and engaging proactively with supervisors will be critical not only to meet supervisory expectations, but also to limit potential capital impacts and avoid escalations in future supervisory engagements.

In this context, and in light of the importance of having effective governance arrangements, banks should also remember that the ECB’s final Guide on Governance and Risk Culture is expected soon. Given the ongoing ECB’s focus on areas related to internal governance, it will be important for banks to align their risk frameworks and procedures with the final Guide.