The ECB’s 2026 priorities signal an intensification of on-site activity, tighter SREP scoring, and zero tolerance for implementation delays. Banks that misread the supervisory temperature will pay in capital add-ons.
Each priority assessed across three dimensions: capital impact potential, inspection likelihood, and typical bank readiness. Severity reflects the combined risk of supervisory action if deficiencies are found.
| Priority | Capital Impact | OSI Likelihood | Bank Readiness | Overall Severity |
|---|---|---|---|---|
| P1: Credit Risk Under Macro Uncertainty | CRITICAL | VERY HIGH | MODERATE | CRITICAL |
| P2: Operational & Digital Resilience | HIGH | HIGH | MODERATE | HIGH |
| P3: CRR3 Implementation Readiness | CRITICAL | HIGH | LOW | CRITICAL |
The ECB’s top priority reflects concern that benign recent conditions have bred complacency in credit risk governance. Expect deep scrutiny of provisioning models, sector concentrations, and IFRS 9 implementation quality.
Expected on-site inspection (OSI) frequency by risk area and bank type. G-SIBs face the most intensive scrutiny, but large and medium banks should not assume they are below the radar — the ECB’s 2026 plan expands OSI coverage to smaller SIs.
| Risk Area | G-SIB (8 banks) | Large SI (>€100bn) | Medium SI (€30–100bn) | Smaller SI (<€30bn) |
|---|---|---|---|---|
| Credit Risk / IFRS 9 | Annual OSI | Annual OSI | Every 2 years | Thematic review |
| IT / Cyber Risk | Annual OSI | Every 2 years | Every 2–3 years | Thematic review |
| IRB Models | Continuous (IMI) | Annual OSI | Every 2 years | As needed |
| CRR3 Readiness | Quarterly check-ins | Semi-annual | Annual review | Annual review |
| Governance & Risk Appetite | Every 2 years | Every 2–3 years | Every 3 years | As needed |
| Third-Party / Outsourcing | Annual (DORA) | Every 2 years | Thematic review | Thematic review |
Each priority area feeds directly into SREP Pillar 2 requirements. Deficiencies translate into capital add-ons (P2R/P2G), qualitative measures, and operational restrictions. Understanding the SREP transmission mechanism is critical for capital planning.
Deficiencies in provisioning adequacy, IFRS 9 implementation, or sector concentration management directly impact SREP Element 2 scores. A downgrade from score 2 to score 3 on credit risk alone can trigger 25–75 bps P2R increase. Banks with CRE concentrations >200% CET1 face automatic enhanced scrutiny and potential targeted Pillar 2 capital guidance (P2G) of 50–150 bps.
Cyber incidents, third-party failures, and IT governance weaknesses feed into SREP Element 4. The ECB has increasingly used qualitative measures (restrictions on IT projects, mandatory remediation timelines) alongside capital add-ons. Severe operational resilience deficiencies can trigger 15–50 bps P2R and operational restrictions that constrain business growth.
CRR3 implementation delays signal weak project governance and inadequate forward capital planning. The ECB views implementation readiness as a proxy for management quality. Banks materially behind schedule face combined P2R increases of 25–100 bps plus mandatory implementation milestones with supervisory monitoring. Failure to meet milestones can trigger further escalation including restrictions on distributions.
Banks with deficiencies across all three priority areas face compounding P2R increases of 75–200+ bps. At a €100bn RWA bank, 100 bps P2R equals €1bn additional capital requirement. The supervisory incentive to address all three priorities proactively is not theoretical — it is directly capital-relevant.
Based on publicly available SREP data and supervisory communications, here is a benchmarking framework for self-assessment against peer expectations in each priority area.
Automated SICR triggers calibrated quarterly. CRE collateral revalued semi-annually with market-based inputs. Management overlays governed by committee with formal sunset dates. ECL sensitivity analysis published to board with scenario ranges. IFRS 9 models validated annually with documented backtesting.
SICR triggers based on rating downgrades with annual recalibration. CRE collateral revalued annually. Management overlays exist but governance is informal. ECL sensitivity analysis conducted but not systematically presented to board. IFRS 9 validation conducted but challenge is limited.
Annual red team cyber exercises with documented lessons learned. Multi-cloud strategy with tested failover. DORA-compliant ICT risk framework in production. Third-party risk scored and monitored with automated alerts. Incident response tested quarterly with board involvement.
Annual penetration testing but no red team exercises. Single cloud provider with contractual SLA but untested failover. DORA gap assessment complete but implementation in progress. Third-party risk register maintained but monitoring is manual. Incident response plan exists but last tested 18+ months ago.
All CRR3 workstreams on track with documented milestones. IRB model change applications submitted to ECB by Q2 2026. Output Floor impact integrated into capital planning. Parallel run for SA reporting completed. Data quality framework meeting CRR3 requirements.
CRR3 programme established with governance but 2–3 workstreams behind schedule. Some IRB model change applications submitted, others still in preparation. Output Floor impact quantified but not yet integrated into capital planning. Data quality remediation in progress with known gaps.
For each priority area, is your bank in the top quartile, median, or bottom quartile? If you cannot confidently answer this question with evidence, that itself is a finding — and one the ECB will also identify during supervisory engagement.
Prioritised actions mapped against urgency and resource requirements. Focus on Q1–Q2 actions first — these are the items where delay creates the most supervisory risk.
| Action | Priority | Urgency | Resource (FTE) | Timeline |
|---|---|---|---|---|
| IFRS 9 model recalibration & SICR trigger update | P1 | IMMEDIATE | 4–6 FTE | Q1–Q2 2026 |
| CRE collateral revaluation programme | P1 | Q1 2026 | 3–5 FTE + external | Q1–Q3 2026 |
| Submit priority IRB model change applications | P3 | IMMEDIATE | 6–10 FTE | Q1–Q2 2026 |
| Cyber red team exercise | P2 | Q1 2026 | 2–3 FTE + vendor | Q1 2026 |
| Third-party resilience testing (cloud failover) | P2 | Q2 2026 | 3–4 FTE | Q2 2026 |
| CRR3 data quality remediation | P3 | Q1 2026 | 8–12 FTE | Q1–Q4 2026 |
| Output Floor integration into capital planning | P3 | Q2 2026 | 2–3 FTE | Q2–Q3 2026 |
| Board briefing on ECB priorities & SREP impact | ALL | IMMEDIATE | 1–2 FTE | Q1 2026 |
Aligned to the ECB’s supervisory cycle: SREP letters in Q1, on-site inspections Q2–Q3, and SREP scoring in Q4. Each phase maps to the supervisory calendar to ensure readiness before engagement.
Banks that proactively share progress on ECB priority areas during regular JST interactions build supervisory credibility. This translates into more collaborative (vs. confrontational) SREP discussions and moderates the risk of punitive capital add-ons. The investment in proactive supervisory engagement has a measurable ROI in capital terms.