The European Central Bank (ECB) has published the supervisory priorities of the Single Supervisory Mechanism (SSM) for the next three years, reflecting the main structural challenges and vulnerabilities in the sector.


Supervisory Priorities for 2026 - 2028

Executive summary

Financial institutions are expected to strengthen their resilience to geopolitical risks and macro-financial uncertainties; strengthen their operational resilience and information and communication technology (ICT) capabilities; and develop robust digital strategies supported by appropriate governance and risk management frameworks. These priorities are based on the results of the latest Supervisory Review and Evaluation Process (SREP) cycle, which provides a comprehensive overview of the sector and identifies areas requiring specific supervisory action. For each of these priorities, the ECB has identified a set of vulnerabilities and defined corresponding supervisory work programs.

Main content

This Technical Note summarizes the SSM's supervisory priorities for 2026-2028, as well as the work programs planned to address the identified vulnerabilities and the results of the 2025 SREP:

  • Priority 1. Strengthening banks' resilience to geopolitical risks and macro-financial uncertainties. The ECB emphasizes that banks need to strengthen their ability to withstand an increasingly uncertain operating environment, marked by rising geopolitical tensions, trade fragmentation, climate and nature-related risks, demographic changes and rapid technological transformation. Although banks currently have sound fundamentals, these structural forces increase the likelihood of severe extreme risk scenarios and call for continuous monitoring and forward-looking risk management.

    Key vulnerabilities identified:

    • Ensuring prudent risk-taking and sound credit standards: banks are expected to maintain sound credit standards and risk-based pricing to prevent asset quality deterioration and the accumulation of non-performing loans (NPLs).
    • Ensuring adequate capitalization and consistent application of the Capital Requirements Regulation (CRR) III: institutions must prepare to correctly apply the new standardized approaches to ensure sufficient capital levels under stress conditions.
    • Ensuring effective management of climate and nature-related risks: banks should strengthen their ability to assess and manage risks arising from climate and natural events in the short, medium and long term, addressing persistent weaknesses in their management frameworks.
  • Priority 2. Strengthening banks' operational resilience and developing robust information and communication technology (ICT) capabilities. The ECB highlights the need for banks to address long-standing deficiencies in their operational resilience and ICT risk management frameworks. This priority supports the broader supervisory shift from identifying risks to ensuring that banks remedy material deficiencies in a timely and effective manner.

    Key vulnerabilities identified:

    • Implementing robust and resilient operational risk management frameworks: banks are expected to strengthen their operational risk frameworks, including incident response, business continuity planning, third-party dependency management and cybersecurity resilience. Ensuring compliance with the Digital Operational Resilience Act (DORA) is a key element of this expectation.
    • Addressing deficiencies in risk reporting capabilities and related information systems: institutions must address deficiencies in data governance, fragmented IT infrastructures, insufficient data quality controls, and delays in risk reporting, all of which hinder effective risk identification and decision-making.
  • Medium- and Long-Term Priority. Digital and artificial intelligence (AI)-related strategies, as well as their governance and risk management. In addition to the two main priorities, the ECB identifies a medium- and long-term strategic focus on the digital transformation of banks, particularly in relation to the adoption and governance of advanced technologies such as AI and cloud services. As digitalization accelerates in the banking sector, institutions must ensure that their strategic initiatives are supported by robust governance, adequate risk controls, and appropriate supervisory frameworks.

    Key vulnerabilities identified:

    • Overcoming fragmentation or insufficient definition of digital strategies: some banks may lack fully articulated transformation plans and governance structures capable of supporting the scale and complexity of digital and AI-based initiatives.
    • Strengthening governance and oversight of emerging technologies: institutions need to strengthen their capacity to monitor, assess and manage the prudential implications of adopting AI, using cloud services and other advanced technologies, ensuring their alignment with business models and risk profiles.
  • SREP 2025 results. The ECB's aggregate SREP 2025 results provide a detailed assessment of the sector's main strengths and vulnerabilities. The findings show improvements in profitability and business model scores, although concerns remain about the long-term sustainability of these gains amid macro-financial and geopolitical uncertainties. Capital adequacy remains stable, with supervisors placing greater emphasis on the planning of ICAAP and stress-testing processes. Deficiencies persist in internal governance and risk management, with slow progress in RDARR and a need to strengthen the risk culture. Operational and ICT risk remains the weakest component, marked by shortcomings in cybersecurity, outsourcing, and business continuity. In terms of credit risk, although retail credit remains resilient, vulnerabilities persist in commercial real estate (CRE) and SMEs, and scores show significant variations. Climate and environmental (C&E) risks remain a priority, with supervisors assessing progress in climate risk integration and addressing persistent weaknesses.

Download the technical note on the Supervisory Priorities for 2026 - 2028 available in English and Spanish.