EBA Revised SREP Guidelines: What EU Banks Must Review in ICAAP, ILAAP and Pillar 2 Capital
Last updated: June 2026
The rulebook your ICAAP package, your ILAAP submission and your Pillar 2 reconciliation were written against is being repealed. On 26 June 2026 the European Banking Authority published its revised SREP guidelines (EBA/GL/2026/06), and from 1 January 2027 they replace both the existing SREP guidelines (EBA/GL/2022/03) and the standalone guidelines on ICT risk assessment under the SREP (EBA/GL/2017/05). For most EU banks the next supervisory review and evaluation process cycle that opens in 2027 will run on the new text.
The headline is efficiency, the same simplification drive running through the EBA’s wider supervisory reporting work. The EBA has stripped out duplicated provisions, folded the ICT assessment into the main document, and added dedicated treatment for third-country branches and for the CRR3 output floor. The practical effect for reporting and capital-planning teams is narrower and sharper: the way supervisors set the Pillar 2 requirement (P2R) changes when an institution becomes bound by the output floor, the four reliability tests your ICAAP calculations face are now explicit, and the assessment cycle itself can stretch to five years for stable small banks. None of that lands automatically. It lands in your next SREP decision letter, and the time to re-map the inputs is before the cycle starts, not after the letter arrives.
This is a change note, not a full SREP primer. It assumes you already file COREP own funds returns and submit an ICAAP and ILAAP, and it focuses on what moves under EBA/GL/2026/06 and what you should re-check in your processes.
Related reading: our guide to the ICAAP and ILAAP
What actually changed on 26 June 2026
The revised guidelines carry the reference EBA/GL/2026/06 and the full title “Guidelines (revised) on common procedures and methodologies for the supervisory review and evaluation process (SREP) and supervisory stress testing under Directive 2013/36/EU”. They are addressed to competent authorities, not directly to banks. That distinction matters: the document tells your supervisor how to assess you, which is exactly why reporting teams should read it as a description of the questions coming their way.
The EBA developed the text on three legal mandates. Article 107(3) of the Capital Requirements Directive (Directive 2013/36/EU) requires the EBA to specify common procedures and methodologies for the SREP, with Article 100 covering harmonised supervisory stress testing. Article 48n(6) of CRD VI (Directive (EU) 2024/1619) requires guidelines on the SREP for third-country branches. Article 104a(7) of the same directive requires guidelines to operationalise the cases where an institution becomes bound by the output floor. The guidelines are aligned with the wider banking package, meaning CRR3 (Regulation (EU) 2024/1623) and CRD VI, and with DORA (Regulation (EU) 2022/2554).
Three structural moves define the revision. First, the EBA consolidated everything into a single set: the separate ICT SREP guidelines are repealed and their ICT risk-assessment content is now part of the operational risk assessment in Title 6, new guidance for third-country branches sits in a new Title 12, and the output-floor considerations are integrated into the capital assessment in Title 7. Second, the EBA moved cross-references to obligations that already live in other legal acts out of the guidelines and into a separate companion document, the “List of legal acts facilitating SREP assessments”. Third, operational resilience and environmental, social and governance (ESG) factors are woven across the existing SREP elements rather than bolted on as a new risk category.
Here is the trap in the second move. The guidelines are shorter, and the EBA states the page count was reduced, but the EBA is explicit that pulling cross-references into a separate list does not reduce any obligation. The provisions still apply through the underlying legal acts. If your ICAAP narrative leaned on the old guidelines as a single checklist, the slimmer text still carries the same standard, now pointing elsewhere for the detail, and your supporting documentation needs to follow the pointers.
The new capital stack and where Pillar 2 sits
The SREP capital assessment in Title 7 keeps the architecture practitioners already know, but it is worth restating because the output-floor change only makes sense against it. There are two parallel stacks of requirements, and available own funds can be used to meet both at the same time.
The risk-weighted stack builds from the Pillar 1 requirement (P1R) under Article 92(1) CRR. On top sits the P2R for risks other than the risk of excessive leverage, set where the supervisor identifies a situation under Article 104a(1) CRD. P1R plus P2R is the Total SREP Capital Requirement (TSCR). Add the combined buffer requirement and you reach the Overall Capital Requirement (OCR). Pillar 2 guidance (P2G) then sits above the OCR.
The leverage stack runs in parallel. The leverage ratio requirement under Article 92(1) point (d) CRR carries a P2R for the risk of excessive leverage (P2R-LR) under Article 104a(3) and (4) CRD, giving the Total SREP Leverage Ratio Requirement (TSLRR). Add the G-SII leverage ratio buffer under Article 92(1a) CRR and you reach the Overall Leverage Ratio Requirement (OLRR), with P2G-LR above it. The guidelines confirm the two stacks are separate, so the same own funds can satisfy both the risk-weighted and the leverage-based requirements.
On composition, the default quality split for P2R remains at least 56.25% Common Equity Tier 1 and at least 75% Tier 1, with competent authorities able to require a higher quality where the institution’s circumstances justify it. The reconciliation rule is unchanged in principle but stated plainly: a competent authority should not set P2R or P2G for a risk that a specific capital buffer already covers, and Pillar 2 should be institution-specific rather than covering macroprudential or systemic risk. That is the line teams most often blur when they map a SREP letter to a COREP own funds return.
Pillar 2 and the output floor: the change that matters most
This is the part of EBA/GL/2026/06 that reporting and capital teams should read first. The output floor under CRR3 raises an institution’s total risk exposure amount once its modelled risk-weighted assets fall below a set share of the standardised calculation. Without intervention, a P2R expressed as a percentage of risk exposure would mechanically generate a larger nominal capital number the moment the floor bites, even though no new risk has appeared. The guidelines operationalise the CRD VI safeguards against exactly that.
When I tie a COREP own funds return back to a SREP decision letter, the figure that always needs a footnote is the P2R expressed as a percentage of the total risk exposure amount. Once the floor starts to bind, that same percentage applied to a larger floored figure inflates the nominal P2R without any change in the underlying risk. Paragraph 317 of the guidelines now tells supervisors to deal with that in two steps.
The first step is a temporary cap. When an institution becomes bound by the output floor under Article 92(3) CRR, the supervisor should ensure the nominal amount of P2R does not automatically increase as a result, in line with Article 104a(6) point (a) CRD. The mechanism is specific: the P2R percentage communicated after the last SREP cycle is applied to the institution’s unfloored total risk exposure amount (the U-TREA under Article 92(4) CRR), not to the floored figure. That cap holds until the supervisor performs the review in the second step.
The second step is a double-counting review. Without delay, and no later than the end of the next SREP, the supervisor reviews the P2R under Article 104(1) point (a) CRD to remove any part of it that covers regulatory model deficiencies already captured by the output floor, and to strip out the arithmetic effect where the nominal increase comes only from applying a percentage to a now-larger TREA. After that review the temporary cap falls away and the P2R applies to the floored TREA. The principle behind it is set in Article 104a(8) CRD: while an institution is bound by the output floor, no additional own funds requirement should double-count risks the floor already covers fully. The EBA drew these considerations from its Opinion on the interaction between Pillar 2 requirements and the output floor (EBA/Op/2025/01).
Two practical points fall out of this. The guidelines encourage institutions to tell their supervisor early, on the basis of their own estimates, when they expect to become bound by the floor, so the double-counting review can be done in time. And competent authorities may require institutions to disclose, as part of Pillar 3, the impact of either the temporary cap or the double-counting review on the reported P2R at the reference date. If your bank is anywhere near the floor, the Pillar 3 disclosure workstream and the capital-planning workstream now need to talk to each other.
The error to avoid is assuming the floor pushes your P2R up on its own. The guidelines say the opposite for the nominal amount: the increase is capped, then reviewed for double counting. Reading the floor as an automatic P2R add-on will overstate your capital plan and misstate your disclosures.
What the revised SREP guidelines expect from your ICAAP
P2R for the risk of unexpected losses is set risk by risk. The supervisor identifies, assesses and quantifies each material risk and the capital considered adequate to cover it, then deducts the relevant part of P1R. The ICAAP is one of the key inputs to that work, and the revised guidelines are explicit about when supervisors may rely on the ICAAP calculations and when they may not.
The first thing I look for in an ICAAP submission is whether the economic capital number disaggregates by risk type or arrives as a single blended figure. The guidelines now make that test explicit. Paragraph 306 sets four reliability criteria. ICAAP calculations should be granular, so they can be broken down by risk type rather than presented as one economic-capital number. They should be credible, covering the risk they claim to address with calculations that are stable, risk-sensitive and conservative. They should be understandable, with key assumptions specified, because a “black box” calculation is not acceptable. And they should be comparable, stating the holding periods, risk horizons and confidence levels so the supervisor can adjust for benchmarking against peers.
Two qualifiers are worth flagging to anyone preparing an ICAAP package. First, an ICAAP calculation can be treated as partially reliable where it misses some of the four criteria but still looks highly credible, though only on an exceptional basis and with a plan to fix the gaps. Partial reliability is not full reliability, and it comes with strings. Second, supervisors develop their own risk-specific benchmarks to challenge ICAAP figures, especially where the institution’s own calculations are unavailable or judged unreliable. If your numbers diverge sharply from the supervisory benchmark, expect that to drive the dialogue.
On diversification, the guidelines hold a firm line. Intra-risk diversification effects, meaning diversification within a single risk category, should not reduce the minimum own funds requirements calculated under Article 92 CRR. Inter-risk diversification, across different risk categories including those covered by the CRR, should not be considered at all in the determination of P2R. A bank that builds a large diversification benefit into its economic capital and expects it to lower P2R will be disappointed.
ILAAP and the merged liquidity assessment
The liquidity side moves in structure as well as substance. Title 8 now runs as a single assessment of risks to liquidity and funding together with the SREP liquidity and funding assessment, covering inherent liquidity risk, inherent funding risk, and the liquidity and funding risk management and control framework in one place. For teams that previously tracked liquidity and funding as separate threads, the consolidation is a prompt to align the ILAAP narrative to the merged structure.
The supervisory expectation for the ILAAP mirrors the ICAAP. Competent authorities review the soundness, effectiveness and comprehensiveness of the process and the reliability of the institution’s internal estimates that support the supervisory determination of liquidity adequacy, and they assess the adequacy of the institution’s stress-testing programme, including scenarios, assumptions and outcomes. The supporting evidence your ILAAP relies on, the regular LCR, NSFR and ALMM returns covered in our liquidity reporting guide, feeds the inherent-risk view, but the ILAAP itself is judged on whether your internal estimates are reliable enough to lean on. A clean set of liquidity returns does not, on its own, make the ILAAP estimates reliable.
P2G, stress testing and the every-second-year option
P2G addresses supervisory concerns about an institution’s sensitivity to the adverse scenarios used in supervisory stress tests, including the EU-wide exercise, over a forward-looking horizon of at least two years. It should not cover risks already captured by P2R. The level of P2G is meant to protect against a potential breach of the TSCR under an adverse scenario, and where the stress test outcome shows no expected breach of the TSCR, the supervisor may decide not to set P2G at all. The same logic applies to P2G-LR against the TSLRR.
Calibration is spelled out. P2G should cover at least the anticipated maximum stress impact, measured as the change in the CET1 ratio in the worst year of stress, that is the difference between the lowest CET1 ratio in the adverse scenario over the horizon and the actual CET1 ratio at the starting point. P2G-LR works the same way on the leverage ratio.
The offset rules are where teams most often overstate the stack. P2G should be offset against the capital conservation buffer, because the two overlap in nature. It may be offset against the countercyclical capital buffer only in exceptional, case-by-case circumstances and after liaising with the macroprudential authority. It should not be offset against the systemic risk buffers, meaning the G-SII and O-SII buffers and the systemic risk buffer, because those cover the risk an institution poses to the system rather than to itself. P2G-LR should not be offset against the G-SII leverage ratio buffer. Treating P2G as a clean additive layer on top of every buffer will misread your usable capital headroom.
On cadence, the guidelines give supervisors flexibility that capital planners should not mistake for a fixed annual rhythm. P2G and P2G-LR are determined in line with the minimum engagement model, and competent authorities may set them only every second year rather than annually, including for SREP Category 1 institutions, provided they check in the off year whether the existing guidance still holds. There is also a backstop running the other way: where an institution repeatedly fails to maintain enough own funds to meet its P2G, the supervisor should set a P2R to cover that risk no later than two years after the breach of guidance. Persistent operation below P2G can convert soft guidance into a hard requirement.
DORA, ESG and operational resilience folded into the SREP
The consolidation of the ICT SREP guidelines is not just filing tidiness. ICT risk assessment now sits inside the operational risk assessment in Title 6, and the governance assessment in Title 5 expects supervisors to evaluate compliance with DORA for the ICT services received from ICT third-party providers, and with the EBA guidelines issued under Article 74(3) CRD for non-ICT services from third-party providers. Risk data aggregation and risk reporting through ICT systems are assessed against the relevant Basel principles. Business continuity management has been grouped to reflect the latest standards and the DORA framework.
Title 6.5 now covers credit spread risk from non-trading book activities (CSRBB) alongside interest rate risk in the banking book (IRRBB), and the supervisor reflects the CSRBB assessment in a combined IRRBB/CSRBB score. The market risk assessment adds an approach, with a quantitative formula in the annex, for the capital adequacy of subsidiaries of third-country groups subject to transfer pricing arrangements that redistribute market risk losses, with any resulting requirement set under Pillar 2.
Here is the point teams misread. ESG factors and operational resilience are integrated across the existing SREP elements, in the business model analysis, in governance, and in the risks to capital, rather than carved out as a separate element or a standalone risk score. Climate-related and other environmental risks, operational resilience, and the ability to withstand geopolitical risk must show up inside the assessments you already produce, including in the management body’s knowledge and skills on ESG and ICT risk.
Proportionality: the five-year cycle and what stays annual
The revised guidelines keep the four categories of institution, defined by size, systemic importance, nature, scale and complexity, and built around Article 97(4) CRD. Category 1 covers large institutions as defined in Article 4(1) point 146 CRR, and Category 4 covers small and non-complex institutions as defined in Article 4(1) point 145 CRR. Large institutions that are not global systemically important institutions may be placed in Category 2 or 3 for proportionality, and categorisation can apply at group or individual entity level.
The new flexibility sits in the engagement model. The minimum frequency for a full assessment of all SREP elements stretches to every two years for Category 2, every three years for Category 3, and three years extensible to five years for a subset of Category 4 institutions. The extension to five years applies only where the institution keeps a stable low-risk profile, stable financial metrics and healthy margins, and where quarterly monitoring of key risk indicators raises no concerns. Supervisors keep discretion to increase the frequency whenever warranted, and they may run thematic SREP assessments across institutions with similar risk profiles or use tailored methodologies under Article 97(4a) CRD.
The confusion point is the phrase “five-year SREP”. It does not mean five years of supervisory silence. Under the engagement model, monitoring of key indicators stays quarterly for every category, the summary of the overall SREP assessment stays annual for every category, and engagement with the management body remains continuous or risk-based depending on category. What stretches is the full re-evaluation of every SREP element, and only for stable Category 4 banks that meet the conditions. A small bank that reads the extension as a licence to let its ICAAP and ILAAP go stale will still face quarterly monitoring and an annual overall view, and any anomaly in the indicators can pull the full assessment forward.
Third-country branches get a dedicated SREP title
CRD VI brought third-country branches into a harmonised EU framework, and Article 48n(6) required the EBA to specify how the SREP applies to them. The revised guidelines deliver that as a new Title 12, setting out the application of the SREP to third-country branches and the related summary of findings, scoring and supervisory measures. Banking groups that run EU operations through third-country branches now have a defined supervisory assessment to prepare for, rather than an analogy borrowed from the institution framework. The detail of that title is its own subject, but the structural point is clear: third-country branches are inside the SREP, on their own terms, from 2027.
What reporting and capital teams should do before the 2027 cycle
The practical work breaks into a handful of tasks. Re-map your ICAAP and ILAAP documentation to the revised Title structure, and check your economic-capital methodology against the four reliability tests in paragraph 306, with particular attention to granularity and to any “black box” components. Model the output-floor interaction: if your bank is near the floor, work through the temporary cap on U-TREA, the double-counting review, and the Pillar 3 disclosure that may be required, and build the early-notification step into your capital-planning calendar. Tie your P2G assumptions back to the stress-test calibration and the offset rules, so your usable-headroom view does not double count buffers. Confirm your SREP category and whether the engagement-model frequency changes anything in your internal planning. And treat ESG, operational resilience and DORA as inputs to the assessments you already run, not as a new return.
The thread running through all of it is timing. The guidelines apply from the start of the 2027 SREP cycle, competent authorities have two months after the EU-language translations are published to report whether they comply, and supervisors are encouraged to start reflecting the revised guidance earlier where they can. The institutions that fare best in a SREP change-over are the ones whose ICAAP, ILAAP and capital narrative already speak the supervisor’s new language when the cycle opens.
Frequently Asked Questions
When do the revised SREP guidelines apply?
The guidelines (EBA/GL/2026/06) apply from 1 January 2027, aligned with the start of the SREP cycle. The EBA will translate them into the official EU languages, and competent authorities have two months after the translations are published to report whether they comply with the guidelines. Supervisors are encouraged to reflect the revised guidance earlier where possible.
Which guidelines do they replace?
On application, EBA/GL/2026/06 repeals and replaces the existing SREP guidelines (EBA/GL/2022/03) and the standalone guidelines on ICT risk assessment under the SREP (EBA/GL/2017/05). The ICT risk-assessment content is integrated into the operational risk assessment in Title 6 rather than removed.
Does the output floor automatically increase my P2R?
No. When an institution becomes bound by the output floor under Article 92(3) CRR, the guidelines require the supervisor to apply a temporary cap so the nominal P2R does not automatically rise, by applying the previously communicated P2R percentage to the unfloored TREA. The supervisor then reviews the P2R to remove any double counting of risks the floor already covers and to strip out the pure arithmetic increase, in line with Articles 104a(6), 104a(7) and 104a(8) CRD.
What makes an ICAAP calculation reliable under the new guidelines?
Paragraph 306 sets four criteria: the calculations should be granular (broken down by risk type), credible (covering the risk with stable, conservative methods), understandable (no “black box”, with key assumptions specified), and comparable (stating holding periods, risk horizons and confidence levels). A calculation can be treated as partially reliable on an exceptional basis where it is still highly credible, accompanied by a plan to fix the gaps.
Can diversification benefits reduce my Pillar 2 requirement?
Intra-risk diversification cannot reduce the minimum own funds requirements calculated under Article 92 CRR, and inter-risk diversification across risk categories is not considered in the determination of P2R. Diversification assumptions that lower an economic-capital number will not, by themselves, lower P2R.
Is P2G set every year?
Not necessarily. Competent authorities may determine P2G and P2G-LR every second year rather than annually, including for SREP Category 1 institutions, provided they assess in the off year whether the existing guidance remains appropriate. Where an institution repeatedly fails to maintain enough own funds to meet its P2G, the supervisor should set a P2R to cover that risk no later than two years after the breach.
What does the five-year assessment cycle for small banks actually mean?
For a subset of Category 4 institutions with a stable low-risk profile, stable financial metrics and healthy margins, the minimum frequency for a full assessment of all SREP elements extends from three to five years. Quarterly monitoring of key indicators and the annual summary of the overall SREP assessment continue regardless of category, and supervisors can increase frequency whenever the indicators or the risk profile warrant it.
Is there a new ESG SREP score?
No. ESG factors and operational resilience are integrated across the existing SREP elements, including the business model analysis, governance and the risks to capital, rather than introduced as a separate element or a standalone risk score.
Related Articles
- ICAAP and ILAAP Explained – How the internal capital and liquidity adequacy assessment processes feed the SREP and what supervisors expect in the submission.
- ECB SREP 2026 Priorities – What the ECB’s supervisory priorities mean for banks preparing for liquidity and prudential reviews.
- CRR3 Output Floor Phase-In – How the output floor changes total risk exposure amounts and the transitional caps that apply.
- COREP Reporting Explained – The own funds and capital adequacy returns that tie back to the SREP capital decision.
- Pillar 3 Disclosure Requirements – The disclosure framework that may carry the impact of the output-floor P2R adjustments.
- EBA Supervisory Reporting Simplification – The wider efficiency agenda that the revised SREP guidelines form part of.
Key Takeaways
- The EBA’s revised SREP guidelines (EBA/GL/2026/06) were published on 26 June 2026 and apply from 1 January 2027, replacing EBA/GL/2022/03 and EBA/GL/2017/05.
- The guidelines consolidate the SREP and ICT risk-assessment rulebooks into one, add a new Title 12 for third-country branches, and integrate the output floor into the capital assessment in Title 7.
- When an institution becomes bound by the output floor, the nominal P2R is temporarily capped against unfloored TREA, then reviewed to remove double counting, under Articles 104a(6), 104a(7) and 104a(8) CRD.
- ICAAP calculations are assessed against four reliability tests: granular, credible, understandable and comparable. A “black box” calculation is not acceptable.
- Diversification cannot reduce the Article 92 CRR minimum, and inter-risk diversification is excluded from the P2R determination.
- P2G protects against an adverse-scenario breach of the TSCR, is offset against the capital conservation buffer but not the systemic buffers, and may be set every second year rather than annually.
- The full SREP assessment can extend to five years for stable Category 4 banks, but quarterly indicator monitoring and the annual overall SREP summary continue for every category.
- ESG and operational resilience are integrated across existing SREP elements, with no separate ESG score; DORA compliance is assessed within the governance and operational risk assessments.
Sources and References
- EBA press release, “The EBA reaches another important milestone in enhancing supervisory efficiency with its revised SREP Guidelines” (26 June 2026): eba.europa.eu
- EBA Final Report, Guidelines (revised) on common procedures and methodologies for the SREP and supervisory stress testing under Directive 2013/36/EU (EBA/GL/2026/06): Final Report (PDF)
- EBA, List of legal acts facilitating SREP assessments (June 2026): List of legal acts (PDF)
- EBA, Supervisory review and evaluation process (SREP) activity page: eba.europa.eu
- Directive 2013/36/EU (CRD), including Articles 97, 100, 104, 104a and 104b: EUR-Lex
- Directive (EU) 2024/1619 (CRD VI), including Article 48n: EUR-Lex
- Regulation (EU) No 575/2013 (CRR), including Article 92 and the output floor: EUR-Lex
- Regulation (EU) 2024/1623 (CRR3): EUR-Lex
- Regulation (EU) 2022/2554 (DORA): EUR-Lex
Reading the 2027 SREP cycle the way your supervisor will
The revised guidelines are written for competent authorities, but the institutions that come through the 2027 cycle cleanly will be the ones that read them as a preview of the questions coming their way. The output-floor mechanics, the four ICAAP reliability tests, the offset rules on P2G and the engagement-model frequencies are the criteria your next SREP decision letter will be built on, and each one maps to evidence your reporting and capital teams already hold or can prepare. Start the re-mapping against EBA/GL/2026/06 now, while the cycle is still ahead of you.
Disclaimer: The information on RegReportingDesk.com is for educational and informational purposes only. It does not constitute legal, regulatory, tax, or compliance advice. Always consult your compliance officer, legal counsel, or the relevant supervisory authority for guidance specific to your institution.