
Resilience Redefined: ECB’s Supervisory Priorities for 2026-2028

By: TJ Ray Raagas
On 18th November 2025, the European Central Bank (ECB) published its medium-term supervisory priorities for the 2026 to 2028 cycle. These priorities are underpinned by a comprehensive assessment of the key risks and vulnerabilities facing supervised institutions, drawing on the Aggregated Results of the 2025 SREP, released on the same day.

Introduction

For the first time in five years, the ECB has streamlined its focus to two supervisory priorities rather than the traditional three. Nonetheless, these priorities build directly on themes that have been consistently present since 2022: (1) strengthening banks’ resilience to geopolitical risks and macro financial uncertainties, and (2) strengthening banks’ operational resilience and fostering robust ICT capabilities.

This consolidation signals the ECB’s view that several structural risk themes, such as digitalisation, climate and environmental risk, and governance, have moved from emerging concerns to ongoing, embedded areas of supervisory attention.

At the same time, the risk landscape has shifted decisively towards heightened external shocks and accelerating technological and operational vulnerabilities, prompting a sharper supervisory lens.

The ECB recognises that the European banking sector continues to demonstrate solid resilience, reporting strong capital and liquidity positions and healthier asset quality indicators. At the same time, the ECB also notes that global uncertainties, driven by a combination of geopolitical tensions, shifting trade policies and climate and nature (C&N) related crises, have surged to exceptional levels.

Hence, banks are expected to demonstrate that they can navigate this environment proactively, ensuring that their risk management frameworks, governance and capital planning are robust enough to address both current and emerging challenges.

Priority 1: strengthening banks’ resilience to geopolitical risks and macro-financial uncertainties

Geopolitical risk continues to be a prominent theme in the 2026 – 2028 priorities. Under the first priority, the ECB will assess: how banks ensure prudent risk-taking and sound credit underwriting standards in an environment of elevated uncertainty; and how banks adequately implement CRRIII and manage C&N risks.

The 2026 thematic stress test will assess institution-specific geopolitical risk scenarios and their potential to have a significant impact on banks’ solvency. In particular, scenarios are expected to explore the impact of various factors such as supply-chain disruptions, sanctions regimes, trade fragmentation, conflict-related shocks and climate-related shocks.

Given its cross-cutting nature, geopolitical risks will be captured during both prioritised and regular supervisory activities. Banks should anticipate deeper scrutiny of credit portfolios, country risk concentrations and the integration of geopolitical considerations within ICAAP and strategic planning, among others.

Priority 2: strengthening banks’ operational resilience and fostering robust ICT capabilities

In the second priority, the ECB highlights the need to: (1) implement a robust and resilient operational risk management framework; and (2) remedy deficiencies in risk reporting capabilities and related information systems. Operational and ICT risks remain among the weakest-scoring categories in the SREP, underscoring the need for accelerated and sustained remediation.

The ECB has launched a system-wide strategy to address persistent Risk Data Aggregation and Risk Reporting (RDARR) deficiencies, as slow progress in this area has been repeatedly flagged. We expect banks’ RDARR capabilities will face intensified scrutiny, including assessments on data governance, architecture and the reliability of management information.

The ECB has also set out a medium-to-long-term strategic focus on digital and Artificial Intelligence (AI)-related strategies, governance and risk management. As rapid technological changes are reshaping the banking industry, banks must act strategically to capture long-term value and adapt their business models.

However, associated risks may start to emerge. Hence, the ECB needs to refine its assessment frameworks within its supervisory focus to better evaluate banks’ AI-related strategies, promote the adoption of industry best practices and ensure that appropriate safeguards are in place.

In addition, the ECB will monitor developments in the increasing use of stablecoins and engage with banks in a targeted manner to ensure robust risk management is applied.

How banks can prepare

The ECB’s 2026–2028 supervisory focus requires banks to adopt a structured and pragmatic response. Banks should consider the following preparation roadmap, aligned to the two priority pillars.

Priority 1 – Resilience to Geopolitical and Macro-Financial Uncertainties

  • Review and stress-test business strategies, credit portfolios, and capital plans against geopolitical shock scenarios and macro-financial uncertainties (e.g. trade policy escalations).
  • Ensure credit underwriting standards are robust. Banks may need to revisit credit risk frameworks, particularly for vulnerable sectors (e.g. SMEs, commercial real estate, and sectors exposed to export energy risks).
  • Assess implementation of the new capital regime (CRRIII/CRDVI), especially the standardised approaches for credit risk, operational risk and impact of the output floor.
  • Expand and embed C&N-related risk frameworks and ensure transition plans are in place. Banks should ensure that Pillar 3 disclosures for ESG are accurate and up-to-date.

Priority 2 – Operational Resilience and ICT Capabilities

  • Perform a gap assessment against DORA requirements, especially ICT third-party risk, incident response, outsourcing/cloud concentration risk, and threat-led penetration testing. A strong DORA posture will be a key supervisory expectation.
  • Enhance the risk data aggregation and risk reporting (RDARR) frameworks, including improving data governance, IT architecture, data quality/accuracy, and management body oversight of data. The ECB has explicitly flagged slow progress in this area.
  • Review digital strategy, including AI adoption. Banks need to ensure that AI use cases are governed, risks assessed (generative AI, model risk, cyber risk), and their architecture is aligned with supervisory expectations.
  • Establish or refine remediation programmes for previous supervisory findings. Banks should anticipate targeted OSIs, deep dives, and thematic reviews by JSTs. By ensuring timely remediation of these findings, banks benefit by reducing supervisory escalation risks.

Banks should also:

  • Ensure governance and management bodies show clear ownership of the risk programmes (geopolitical risk, ICT resilience, data governance, climate risk).
  • Incorporate stress testing scenarios (e.g. macroeconomic/ecological/tech scenarios) and reverse stress tests into internal processes.
  • Map supervisory findings and have action plans with milestones and governance. Banks should communicate proactively with JSTs.
  • Ensure appropriate staffing, expertise (especially in tech, AI, cloud and data) and invest in enhancing control frameworks.

By acting early and decisively across these dimensions, banks can position themselves ahead of supervisory focus, reduce the risk of regulatory friction and turn it into a strategic advantage.