November 2025

      On Tuesday, 18 November, the European Central Bank (ECB) published its updated supervisory priorities for the years 2026-2028. As in previous years, the update is based on an extensive evaluation of the key risks and vulnerabilities facing significant institutions under its direct supervision. It also takes into account the advancements achieved in addressing priorities from previous years, alongside the findings of the 2025 Supervisory Review and Evaluation Process (SREP), which were published on the same day. The ECB also published their methodologies for some elements of the SREP, including their supervisory methodology 2025, thereby continuing their recent move towards more transparency of their supervisory processes.

      The priorities once again start with a relatively positive tone: the ECB states that eurozone banks continue to report robust capital and liquidity positions, low levels of non-performing loans and historically strong profitability, despite the unprecedentedly challenging macro-financial and geopolitical backdrop. This resilience reflects not only strengthened prudential and supervisory frameworks since the global financial crisis, but also banks’ progress in cleaning up legacy asset quality issues and bolstering buffers over recent years.

      At the same time, the ECB again emphasises that uncertainty remains elevated. As in the prior year, the ECB references persistent geopolitical tensions, the potential for renewed macro-financial shocks, and shifting trade and policy dynamics that all increase the risk of abrupt, severe disruptions. The ECB therefore calls on banks to remain vigilant, regularly reassess the implications of geopolitical developments for their risk profiles and be prepared for tail-risk scenarios that may materialise more quickly than in the past.

      As we noted in last year’s priorities, the ECB highlights the increasingly “cross-cutting nature” of geopolitical shocks. Thus, geopolitical risks would be part of both “prioritised and regular supervisory activity”, meaning that supervisors will embed geopolitical risks in their day-to-day work with banks.

      Building on this holistic approach, the ECB calls for banks to further strengthen their efforts to address material shortcomings that have already been identified by supervisors in previous cycles. Unsurprisingly, risk data aggregation and risk reporting (RDARR) is again explicitly highlighted, as is the need for full alignment with the ECB’s expectations for climate- and nature-related (C&N) risks. The ECB also stresses that banks must ensure that governance, internal controls and data capabilities evolve in line with the growing complexity of emerging risks, including those arising from new technologies and changing operational-resilience demands. At the same time, the ECB underscores the continued importance of strengthening digitalisation strategies and enhancing the management of risks associated with advanced technologies. In particular, the ECB notes the accelerating adoption of artificial intelligence (AI) and the rapidly expanding reliance on third-party providers for critical services. Supervisors will therefore deepen their scrutiny of ICT risk management, cyber resilience, third-party risk management arrangements and the implementation of digital-transformation strategies across banks of all sizes.

      Against this background, the ECB priorities for 2026-2028 are twofold. Both priorities address a specific set of vulnerabilities – which the ECB has named “prioritised vulnerabilities” and for which dedicated strategic objectives have been set and work programmes have been developed, as was the case in the prior year. We have summarised both priorities and the associated vulnerabilities below:

      A recurring theme across both priorities is the ECB’s special focus on geopolitical risks. Within the first priority, supervisors will assess how banks ensure prudent risk-taking and sound underwriting standards in an environment of elevated uncertainty, how they implement the new standardised approaches under CRR III, and how they manage climate and nature-related (C&N) risks over short-, medium- and long-term horizons. The ECB has announced that the 2026 thematic stress test will assess institution-specific geopolitical risk scenarios and their impact on solvency, funding and liquidity, and that geopolitical risks will be captured both in prioritised and regular supervisory activities – including reviews of ICAAP/ILAAP, recovery plans and internal stress-testing frameworks.

      Within the second priority, the ECB builds on previous years’ work by insisting on the remediation of material shortcomings in operational risk, ICT risk and RDARR. Supervisors highlight recurring weaknesses in cybersecurity strategies, incident management and third-party risk management, and note that operational and ICT risk continue to receive comparatively weak SREP scores. The ECB has launched a system-wide strategy to address persistent RDARR deficiencies, backed by a clearly defined remediation and escalation process, and signals that targeted on-site inspection campaigns will continue, in some cases accompanied by the use of escalation tools where progress is not adequate.

      Lastly, the ECB sets out a medium- to long-term strategic focus on banks’ digital and AI-related strategies, governance and risk management. While acknowledging that AI and digitalisation can deliver efficiency gains and better risk management, the ECB stresses that associated risks may become more pronounced as these technologies scale. Supervisors will therefore refine their assessment frameworks to evaluate banks’ AI strategies, promote good practices and ensure that appropriate safeguards are in place, while maintaining a technology-neutral perspective that focuses on use cases and risk management rather than specific tools. The document also notes that the ECB will monitor developments in the area of stablecoins and any implications for banks, which could cause material risks if not adequately managed.

      What do the priorities mean for banks and what do KPMG professionals recommend?

      In alignment with the above, the ECB has outlined its key supervisory activities that it intends to undertake for each vulnerability. Banks have been requested to do the following – and KPMG Banking and Financial Services professionals have included, per priority, some key recommendations on what they can do now:

      Priority 1: Banks should strengthen their resilience to geopolitical risks and macro-financial uncertainties

      • Prepare for the 2026 thematic stress test on institution-specific geopolitical scenarios covering solvency, funding and liquidity; you can read our insights on this exercise here: Reverse Stress Testing
      • Continue to ensure that geopolitical risks are fully embedded in risk-identification processes, risk-appetite frameworks and internal (ad hoc) scenario analyses.
      • Ensure prudent risk-taking and sound underwriting standards in portfolios vulnerable to geopolitical and macro-financial shocks, and prepare for targeted reviews and OSIs on credit-risk management, including SME and CRE exposures and collateral-valuation practices.
      • Prepare for targeted reviews and OSIs on the implementation of CRR III standardised approaches, ensuring correct exposure classification, collateral treatment, data quality and the accurate calculation of RWAs.
      • Prepare for targeted follow-up and monitoring of remediation of shortcomings identified in the 2022 thematic review and the climate-risk stress test, ensuring all past actions are fully addressed and evidenced; expect the thematic review of transition planning in line with the CRD VI package, requiring banks to demonstrate credible prudential transition plans aligned with EBA ESG-risk guidelines.
      • Prepare for the horizontal assessment of Pillar 3 ESG disclosures, ensuring completeness, consistency and alignment of all C&N-related templates, methodologies and underlying data.
      • Integrate the output floor and the increased relevance of standardised approaches into ICAAP and capital planning, and prepare for horizontal benchmarking of capital-adequacy assessments under macro-financial and geopolitical stress.
      • Continue advancing ESG programmes, including nature-related and biodiversity risk identification, analysis and management, and include ESG risks in ICAAP, strategies, capital plans and scenario analyses.

      Priority 2: Banks should strengthen their operational resilience and ICT capabilities

      • Ensure full implementation of DORA, including ICT governance, incident reporting, resilience testing and ICT third-party risk management, and prepare for targeted OSIs and follow-up supervisory work in areas where earlier reviews identified weaknesses. You can read our latest insights here: Preparing for DORA Onsite Inspections (OSIs)
      • Strengthen cyber-security controls, detection capabilities and incident-management frameworks, and prepare for two targeted OSI campaigns on cyber risk and ICT third-party provider risk during the 2026–2028 cycle.
      • Update and execute RDARR-remediation plans in line with the ECB’s system-wide RDARR strategy, and prepare for continuation of the RDARR OSI campaign, including the potential use of escalation tools where material deficiencies remain. We have outlined some considerations for banks here: ECB ratchets up the pressure on risk data aggregation
      • Ensure operational-resilience frameworks can prevent, withstand and recover from disruptions to critical services, and prepare for thematic reviews focused on resilience to outages involving cloud and other critical infrastructure providers.
      • Improve ICT change-management processes and strengthen oversight of ICT outsourcing and cloud-provider arrangements; prepare for supervisory data collections and targeted reviews focused on concentration risks, interdependencies and exit strategies.
      • Get ready for upcoming targeted horizontal workshops with selected banks on generative AI applications, in order for the ECB to develop their understanding of how banks use such applications.

      Finally, the ECB has included a section that describes how it will continue other supervisory activities and follow up on past priorities in parallel with the 2026 – 2028 work programme. Taken together, the publication demonstrates the comprehensive way in which the ECB is approaching supervision over the next few years – integrating geopolitical risks, structural vulnerabilities, operational resilience and technological transformation into a single, medium-term framework. In short, at a minimum, KPMG professionals would advise banks to analyse the new priorities, identify the most challenging areas (and those where supervisory activities have already been communicated in their supervisory examination plans) and develop action plans in advance. As in prior years, the ECB reiterates its willingness to use the full supervisory toolkit – including escalation measures and sanctions – where progress is not adequate. The 2026 – 2028 priorities confirm that this is the new normal: banks should focus on persistent shortcomings in their own portfolios and employ strategies for swift, effective remediation while building resilience to an increasingly complex risk landscape.



      Our people

      Dr. Henning Dankenbring

      Partner, Head of KPMG ECB Office

      KPMG in Germany

      Maureen Finglass

      Partner, KPMG ECB Office

      KPMG in Germany