The ECB's inspection machine is running at full capacity. Based on direct experience embedded in 15+ on-site inspections (OSIs) across European G-SIBs, here is what supervisors are targeting, how they score findings, and what you must do before the notification letter arrives.
Not all risk domains receive equal attention. This heatmap reflects our assessment of ECB inspection probability and finding severity across the five primary thematic areas in 2026.
| Risk Domain | Inspection Likelihood | Finding Severity | CET1 Impact Potential | Trend vs 2025 |
|---|---|---|---|---|
| Credit Risk (IRB Models) | Very High | Critical | 30–80 bps | INCREASING |
| Market Risk (FRTB Readiness) | High | High | 15–40 bps | NEW IN 2026 |
| Operational Risk & Resilience | High | High | 10–25 bps | INCREASING |
| IT / Cyber Risk | High | Critical | Qualitative + P2G | SHARP INCREASE |
| Governance & Data Quality | Medium | High | Indirect (P2G) | STABLE |
IT/Cyber risk has moved from a sub-theme within Operational Risk to a standalone inspection topic in 2026. The ECB has dedicated inspection teams for DORA compliance and cyber resilience. Banks that treat IT risk as an operational risk appendix will face standalone findings with direct Pillar 2 Guidance (P2G) consequences.
Based on aggregated data from the 15+ OSIs we have participated in across 2024–2026, these finding types repeat with striking consistency.
| # | Finding Type | Frequency | Avg. Remediation | CET1 Impact | Severity |
|---|---|---|---|---|---|
| 1 | PD model calibration deficiencies under stress | 78% | 6–9 months | 20–50 bps | CRITICAL |
| 2 | Incomplete data lineage for capital calculations | 72% | 9–12 months | Indirect | CRITICAL |
| 3 | Insufficient operational risk loss data capture | 65% | 6–9 months | 10–25 bps | HIGH |
| 4 | Cyber resilience testing inadequacy | 60% | 6–12 months | P2G add-on | CRITICAL |
| 5 | Model backtesting performed for compliance only | 58% | 3–6 months | 15–30 bps | HIGH |
| 6 | Third-party/vendor risk management gaps | 55% | 6–9 months | Qualitative | HIGH |
| 7 | Rating system override governance deficiencies | 50% | 3–6 months | 10–20 bps | HIGH |
| 8 | LGD downturn estimation methodology weaknesses | 48% | 6–12 months | 15–35 bps | HIGH |
| 9 | Scenario analysis disconnected from risk appetite | 45% | 3–6 months | 5–15 bps | MEDIUM |
| 10 | Insufficient board reporting on model risk | 42% | 3 months | Qualitative | MEDIUM |
Understanding the inspection timeline is essential for resource planning. Each phase has distinct demands, and preparation windows are shorter than most banks assume.
The ECB sends a formal notification letter specifying the inspection scope, team composition, and preliminary data requests. Banks typically have 4–6 weeks to prepare data room materials, brief senior management, and assemble the internal response team. Use this window to run an internal pre-diagnostic — findings you discover before the ECB does are findings you can proactively remediate.
The inspection team (typically 4–8 ECB/NCA examiners) operates on-site, reviewing documentation, conducting interviews, and testing controls. They work from detailed inspection manuals with pre-defined assessment criteria. Daily interaction with your teams is expected. The quality of your engagement during this phase directly influences finding severity.
The ECB issues a draft report with preliminary findings. Banks have a formal window to challenge factual inaccuracies (not supervisory judgments). This is your only opportunity to correct misunderstandings. Treat it seriously — well-documented factual challenges can downgrade finding severity. Poorly argued challenges damage credibility.
Final findings carry formal remediation deadlines: Critical findings typically require remediation within 3 months, High within 6 months, Medium within 12 months. The ECB tracks remediation progress through follow-up letters and may schedule verification visits. Missed remediation deadlines trigger supervisory escalation and potential P2G increases.
The ECB enforces strict remediation deadlines. These are not negotiable unless extraordinary circumstances apply. Plan resource allocation accordingly.
Material capital impact, immediate supervisory attention. Requires dedicated remediation task force, weekly progress reporting to ECB, and CRO-level ownership. Failure to meet deadline triggers automatic P2G increase and potential public enforcement action.
Significant governance or methodology deficiency. Requires formal remediation plan with milestones, monthly internal tracking, and quarterly progress updates to the ECB. Most banks underestimate High finding remediation effort by 30–50%.
Process or documentation improvement required. Lower urgency but still tracked. Medium findings that remain open past deadline are automatically reclassified as High. Accumulating unresolved Medium findings signals weak governance to the ECB.
The data room is your first impression. A well-organised, pre-populated data room signals governance maturity. A disorganised one triggers deeper scrutiny.
Risk appetite framework, model governance policy, data governance framework, operational risk policy, IT security policy. All must be current (reviewed within 12 months) and board-approved. Missing or outdated policies are an immediate red flag.
Full model inventory with validation status. Technical model documentation for in-scope models. Most recent validation reports with finding status. Model change log for the past 3 years. Backtesting reports with management commentary on material deviations.
Data lineage documentation for capital calculation data flows. Data quality reports with exception tracking. Reconciliation evidence between source systems, risk engines, and reporting outputs. Data dictionary for key risk metrics and parameters.
Organisational charts for risk, compliance, and audit functions. Committee terms of reference (Risk Committee, Model Validation Committee, ALCO). Meeting minutes from the past 12 months showing material risk discussions. Escalation procedures documentation.
Complete register of prior ECB/NCA findings with remediation status. Evidence of remediation actions completed. Open findings with documented remediation plans and timelines. Internal audit reports on finding remediation effectiveness.
Internal diagnostic covering the announced inspection scope. Known gaps identified with remediation plans in progress. Management assessment of readiness. This demonstrates proactive governance and can materially reduce finding severity if gaps are already being addressed.
How you interact with the inspection team during the on-site phase directly influences outcomes. These tactics are derived from direct observation of what works and what fails.
The CRO or Deputy CRO must be visibly engaged: not a brief opening speech, but genuine involvement in key discussions and decision escalation. The ECB calibrates its assessment of governance maturity based on the seniority of engagement. Delegating OSI response entirely to middle management signals weak governance.
If you know about a weakness, say so. Explain what you are doing about it. The ECB respects honest self-assessment far more than defensive posturing. Attempting to conceal known issues is the single most damaging tactic — discovery of concealment escalates finding severity automatically.
When the inspection team requests data, deliver within 48 hours. If the request requires longer, communicate a realistic timeline immediately. Slow data delivery is interpreted as either disorganisation or evasion — both damage the relationship. Maintain a dedicated data fulfillment team during the on-site phase.
ECB teams conduct structured interviews with risk officers, model developers, and business line heads. Brief every interviewee on the inspection scope, known sensitivities, and messaging consistency. Contradictory statements between interviewees are a governance finding in themselves.
Run a 30-minute internal debrief at the end of each on-site day. Track what the ECB team focused on, what data requests were made, and which areas showed heightened interest. This real-time intelligence allows you to prepare for the next day and identify emerging findings early enough to prepare contextual responses.
Use this framework to assess your readiness before notification arrives. Score each area honestly. Anything below 70% should trigger immediate remediation action.
Model inventory completeness, validation currency, backtesting quality, override governance, model change documentation
Target: >80% | Typical G-SIB range: 60–85%
End-to-end data lineage, quality monitoring, exception management, reconciliation evidence, data dictionary completeness
Target: >80% | Typical G-SIB range: 40–70%
Loss data capture, scenario analysis quality, RCSA integration, Key Risk Indicators, OpRisk capital model defensibility
Target: >75% | Typical G-SIB range: 50–75%
Penetration testing, DORA compliance, incident response, third-party IT risk, business continuity, recovery time objectives
Target: >80% | Typical G-SIB range: 35–65%
Risk committee effectiveness, board risk reporting quality, escalation procedures, three lines of defence independence
Target: >80% | Typical G-SIB range: 55–80%
Open findings register currency, remediation evidence quality, timeliness of closure, root cause analysis depth
Target: >90% | Typical G-SIB range: 50–80%
The banks most likely to receive a favourable inspection outcome are those who prepare as if the outcome will be unfavourable. Assume the ECB will find something. Your preparation should be oriented toward minimising the severity of what they find, not toward concealing that there is anything to find. Every bank has gaps. The question is whether your gaps are acknowledged, governed, and actively being remediated.