European Central Bank (ECB) supervisory priorities for 2025-2027

On 18 December 2024, the European Central Bank (ECB) published its supervisory priorities for 2025-2027, which reflect the Bank’s medium-term strategy.

Forvis Mazars interviewed Patrick Montagner, member of the ECB Supervisory Board, to discuss the ECB’s supervisory priorities for 2025-2027 and the 2025 stress test. The conversation highlights how the ECB is adapting its supervisory focus and practices to address the evolving risks faced by the banks it supervises, including geopolitical shocks, climate change, and digital transformation. It offers critical insights for banks as they align with the ECB’s evolving expectations, while also emphasising the potential supervisory measures to address severe deficiencies. The interview can be found here.

Highlights of the priorities 2025-2027

These priorities are set by the Supervisory Board of the ECB, reviewed annually and are based on a comprehensive assessment of the main risks and vulnerabilities for supervised entities. The priorities have also taken into account the outcome of the Supervisory Review and Evaluation Process (SREP). As a whole, the supervisory priorities for the next three years support efficient allocation of the available supervisory resources and can be adjusted flexibly if warranted by changes to the risk landscape.

The supervisory priorities focus on banks’ resilience to immediate macro-financial threats and severe geopolitical shocks and are outlined below.

The ECB’s priorities include:

  1. Banks should strengthen their ability to withstand immediate macro-financial threats and severe geopolitical shocks
  2. Banks should remedy persistent material shortcomings in an effective and timely manner
  3. Banks should strengthen their digitalisation strategies and tackle emerging challenges stemming from the use of new technologies
(Source: European Central Bank – Supervisory Priorities 2025-2027 Figure 1)

Priority 1 – Banks should strengthen their ability to withstand immediate macro-financial threats and severe geopolitical shocks

The persistent uncertainty surrounding the macroeconomic outlook and the increasing intensity of geopolitical threats warrant heightened supervisory scrutiny of banks’ ability to withstand any related shocks. Owing to their cross-cutting nature, geopolitical risks can result in adverse macro-financial developments and impact the broader operating environment for banks.

Prioritised vulnerability: Deficiencies in credit risk management frameworks

Banks should identify deteriorations in asset quality in a timely manner and translate them into prudent provisions and capital levels. They should step up their efforts to address relevant shortcomings identified by supervisors under previous years’ priorities in a timely and effective manner.

Main activities planned:

  • Follow-up on the targeted review of IFRS 9 (focus on the use of overlays and coverage of novel risks, incl. geopolitical risks)
  • Continuation of credit risk on-site inspections (OSIs) (focus on IFRS 9 collective staging and provisioning for corporates/SMEs, retail and commercial real estate portfolios, incl. collateral valuations)
  • Targeted review of SME portfolios (focus on early identification and handling of potential borrower distress, SME models and governance of exposure to SMEs)

Prioritised vulnerability: Deficiencies in operational resilience frameworks as regards IT outsourcing and IT security/cyber risks

Banks should comply with the legal requirements stemming from the Digital Operational Resilience Act (DORA) as regards ICT risk management, incident reporting, the testing of digital operational resilience and third‑party service providers. They should step up their efforts to address previously identified shortcomings in a timely and effective manner, particularly as regards the management of cybersecurity and outsourcing risks.

Main activities planned:

  • Collection of data on third-party ICT providers
  • Targeted reviews of risk management frameworks for outsourcing risks and of cyber resilience frameworks and risk controls
  • Follow-up work on findings from the cyber resilience stress test
  • Targeted OSIs on operational risk and IT resilience frameworks
  • Implementation of DORA in the supervisory framework

Special focus: Incorporating the management of geopolitical risks in supervisory priorities

The recent escalation of geopolitical tensions requires banks to adopt robust risk management and risk controls and calls for heightened supervisory scrutiny in the short and medium term.

To strengthen their understanding of how banks approach geopolitical risks and further clarify the supervisory expectations in this area, supervisors will review current practices, focusing on risk management frameworks, capital and liquidity planning, and internal stress testing.

Priority 2 – Banks should remedy persistent material shortcomings in an effective and timely manner

The progressive shift in focus from risk identification to risk remediation is an essential feature of the SSM-wide supervisory strategy. Accordingly, banks with unresolved material shortcomings will be asked to step up their efforts to fully comply with supervisory expectations and implement sound remedial action plans in a timely manner.

Prioritised vulnerability: Deficiencies in business strategies and risk management as regards climate-related and environmental risks

Banks’ ability to adequately manage C&E risks remains high on the supervisory agenda owing to rising physical and transition risks. Banks should fully comply with supervisory expectations relating to the management of C&E risks as well as the requirements stemming from the new CRR3/CRD6 banking package (including those related to prudential transition plans).

Main activities planned:

  • Monitoring of full alignment with supervisory expectations and implementation of escalation ladder
  • Horizontal assessment of banks’ compliance with Pillar 3 disclosure requirements relating to environmental, social and governance-related (ESG) risks
  • Deep dives on banks’ ability to address reputational and litigation risks associated with C&E-related commitments
  • Review of banks’ transition planning in line with mandates expected from CRD6
  • Targeted OSIs on C&E aspects, either on a standalone basis or as part of planned reviews of individual risks (e.g. credit, operational and business model risks)

Prioritised vulnerability: Deficiencies in risk data aggregation and reporting

Banks should remediate standing shortcomings in their risk data aggregation and risk reporting (RDARR) frameworks and align their practices with supervisory expectations. If banks fail to meet supervisory expectations, this could trigger escalation measures.

Main activities planned:

  • Follow-up work on the targeted review of RDARR practices and adherence to the supervisory expectations set out in the “Guide on effective risk data aggregation and risk reporting”, and remediation of previously identified findings
  • Targeted OSIs looking at overarching governance and IT infrastructure issues, risk data aggregation capabilities and risk reporting practices
  • Management Report on Data Governance and Data Quality (i.e. annual questionnaire)

Priority 3 – Banks should strengthen their digitalisation strategies and tackle emerging challenges stemming from the use of new technologies

Banks face many structural and longer-term trends, and digitalisation is one of them. The rapid advances observed in technology (e.g. generative artificial intelligence – AI), and the strong increases seen in the deployment of such technology in banks call for a structured approach.

Prioritised vulnerability: Deficiencies in digital transformation strategies

Banks should strengthen their digitalisation strategies, and the related execution plans, to properly mitigate the underlying risks, including risks stemming from the use of new/advanced technologies such as cloud services and AI.

Main activities planned:

  • Targeted activities focusing on the impact that banks’ digital activities have on their business models/strategies and the risks stemming from the use of innovative technologies
  • Targeted OSIs on digital transformation, looking at both IT-related and business model-related aspects of banks’ strategies