ECB SREP 2026 Priorities: What Banks Should Prepare for in Liquidity and Prudential Reviews

Last updated: April 2026

A bank that misreads the ECB SREP 2026 priorities will not just face a higher Pillar 2 add-on. It will scramble through Q4 trying to retrofit capital plans, restate COREP templates, and explain to the board why the Joint Supervisory Team flagged problems that should have been caught six months earlier. The 2026-28 supervisory priorities, published by the ECB in November 2025, restructure the entire SREP focus into two overarching priorities with five specific vulnerability targets. For reporting and prudential teams, the practical question is: what changes in your day-to-day work?

I have been through several SREP cycles from the reporting side. The shift for 2026 is real. The ECB has compressed its previous three priorities into two, but the scope has not narrowed. Credit underwriting standards, CRR III implementation accuracy, climate risk management, DORA compliance, and risk data aggregation all sit inside those two priorities. Each one generates reporting deliverables. If your team treats the SREP as a once-a-year exercise that produces a P2R letter and nothing else, this cycle will be uncomfortable.

How the ECB SREP 2026 Priorities Are Structured

The 2026-28 supervisory priorities consolidate the supervisory focus into two priorities, down from three in the previous cycle. Priority 1 covers strengthening banks’ resilience to geopolitical risks and macro-financial uncertainties. Priority 2 targets operational resilience and ICT capabilities. A medium-to-long-term strategic objective on AI and digitalisation sits alongside these as ongoing work.

Under Priority 1, the ECB identifies three specific vulnerabilities:

  • Prudent risk-taking and sound credit standards
  • Adequate capitalisation and consistent CRR III implementation
  • Prudent management of climate and nature-related risks

Under Priority 2, the vulnerabilities are:

  • Robust operational risk management frameworks (including DORA compliance)
  • Deficiencies in risk reporting capabilities and related information systems (RDARR)

The consolidation from three to two priorities does not mean less work. The real change is that geopolitical risk now acts as a cross-cutting lens across everything. The 2026 reverse stress test on geopolitical risk uses an inverted methodology: banks start from a prescribed 300 basis point CET1 depletion outcome and work backwards to identify which geopolitical scenarios could cause that level of capital erosion. Banks must also assess how those scenarios affect funding and liquidity conditions. The ECB has explicitly stated that this exercise carries no Pillar 2 Guidance (P2G) implications. Results will inform the SREP assessment qualitatively, not mechanically through P2G buckets.

Teams that previously treated geopolitical risk as a qualitative paragraph in the ICAAP narrative should expect JSTs to push harder. The ECB’s stated position is that “risks once considered remote are becoming more likely,” and the reverse stress test is designed to test whether banks can trace a path from severe capital loss back to specific geopolitical triggers, rather than simply running a top-down adverse scenario.

Credit Underwriting: The Thematic Review Returns

The ECB is running a new thematic review of credit underwriting standards, building on the 2019 exercise. The last time they did this, the published results showed that many institutions had weakened lending standards during the low-rate period without fully recognising the risk build-up.

This time, the review focuses on new lending. The ECB wants to see how banks intend to mitigate potential future credit losses through their credit lending frameworks. A follow-up targeted review of loan pricing will assess whether pricing practices align with sustainable profitability goals. Targeted credit risk on-site inspections will cover loan origination and underwriting frameworks.

What does this mean for reporting teams? If your institution uses COREP templates for large exposures (C 27.00 through C 29.00) and credit risk (C 07.00, C 08.01), the data feeding those templates will face additional scrutiny. JSTs will want to see consistency between what the institution reports in COREP and what the underwriting review finds on the ground. I have seen cases where the COREP credit risk templates showed healthy risk-weight distributions, but the underwriting files told a different story: outdated collateral valuations, missing affordability assessments, and approval exceptions that were never flagged as exceptions.

The common mistake here is treating the thematic review as a compliance exercise that sits with the credit department. It does not. If the review finds weak underwriting and your reported COREP numbers do not reflect that risk, you have a data quality problem that will feed into the RDARR assessment under Priority 2. These are not separate workstreams. They connect.

CRR III Implementation and the Standardised Approach

CRR III entered into force on 1 January 2025. The ECB’s SREP 2026 priorities make clear that consistent and accurate implementation of the new standardised approach is a first-order concern. The supervisory focus is on whether risk-weighted asset calculations under the revised standardised approach are correct.

Past targeted analyses already found “material shortcomings stemming from incorrect exposure classifications, risk-weight allocations, collateral valuations or weak controls by risk control functions.” Those are the ECB’s own words from the priorities document. They are telling you where the OSIs will look.

For credit risk, supervisors will combine targeted OSIs with targeted reviews to assess the adequacy of banks’ capital frameworks. For operational risk, CRR III introduces a new non-model-based approach (the Business Indicator Component, or BIC) applicable to all banks, replacing the previous basic indicator, standardised, and advanced measurement approaches. The ECB will conduct an initial review to identify potential outliers based on reported risk-weighted assets and qualitative assessments, then perform targeted reviews of higher-risk institutions.

The market risk Fundamental Review of the Trading Book (FRTB) gets a temporary reprieve. Given the postponement of the first application date, targeted supervisory reviews will only happen on a JST-by-JST basis. But do not confuse postponement with cancellation. If your trading book is material, expect your JST to keep the dialogue alive.

The practical trap for reporting teams: the output floor. CRR III introduces a floor that limits how much benefit banks can get from internal models compared to the standardised approach. The floor phases in gradually, but its impact on risk-weighted assets will increase over time. If your COREP submissions do not correctly reflect the output floor calculation, you are building an error that compounds with each reporting period. I have seen institutions where the output floor logic was implemented in a spreadsheet sitting outside the main reporting system. That is exactly the kind of control weakness the ECB’s OSIs are designed to find.

Liquidity Assessment: What JSTs Actually Look At

The SREP’s Element 4 (risks to liquidity) has not changed structurally, but the emphasis has shifted. The ECB’s 2026 priorities explicitly state that the reverse stress test on geopolitical risk will examine how geopolitical scenarios could impact banks’ funding and liquidity conditions. Banks participating in the exercise must assess not only which geopolitical triggers could deplete CET1 by 300 basis points, but also how those same scenarios would stress their funding sources, deposit stability, and access to wholesale markets. Regular supervisory activities will review banks’ internal liquidity adequacy statements, liquidity and funding planning processes, recovery plans, and internal stress-testing frameworks.

The SREP methodology assesses liquidity from two angles: short-term liquidity risk (can you meet obligations in the next 12 months?) and funding sustainability risk (can you roll over and increase liabilities over the medium to long term?). Both feed into the liquidity adequacy assessment, which can result in quantitative measures such as a higher LCR requirement or a longer survival period.

Where banks get this wrong: many institutions treat the LCR and NSFR as the entire liquidity story. They report clean ratios in COREP (C 72.00 for LCR, C 80.00 for NSFR), meet the regulatory minimums, and consider liquidity done. The JST sees it differently. The SREP liquidity assessment goes beyond regulatory ratios. It looks at counterbalancing capacity, concentration in funding sources, currency mismatches, asset encumbrance trends, and the realism of the institution’s own ILAAP stress scenarios.

The common failure I see in ILAAP documentation is that institutions run stress scenarios that are severe in name but mild in practice. They model a “geopolitical shock” that results in a 15% deposit outflow when the ECB’s own scenarios assume much worse. If your ILAAP stress test survival period is 90 days in your internal adverse scenario but 45 days in the ECB’s top-down liquidity stress test, expect a difficult supervisory dialogue.

For LCR, NSFR, and additional monitoring metrics reporting, the data quality angle matters more than ever. The ECB’s RDARR focus under Priority 2 means that liquidity data feeding into COREP templates and internal ILAAP models will be tested for accuracy, completeness, and timeliness. A liquidity report that arrives two weeks after month-end is not useful for crisis management, and JSTs know this.

Climate and Nature-Related Risks in the SREP

The ECB’s climate risk expectations have moved from identification to remediation. The 2022 thematic review and climate risk stress test set interim deadlines for 2023 and final deadlines for end-2024. As of the November 2025 priorities document, the ECB notes that 90% of surveyed banks consider themselves to have material exposures to climate and nature-related risks, up from around 50% in 2021.

What is new for 2026-28: prudential transition planning. In line with CRD VI, banks will develop prudential transition plans. The ECB will review these plans in accordance with the EBA guidelines on the management of ESG risks. The approach is gradual: informal dialogues first, then a formal thematic review.

The ECB will also continue monitoring Pillar 3 disclosure requirements for ESG-related issues and perform a targeted review of physical risk disclosures. Targeted OSIs will focus on climate and nature-related risk management either standalone or embedded in credit risk OSIs.

Where reporting teams need to pay attention: the intersection of climate risk and COREP/FINREP data. If your institution classifies a commercial real estate exposure as “low risk” but the underlying asset sits in a flood zone with no insurance, that disconnect will surface in the credit risk thematic review. The ECB has explicitly flagged the insurance protection gap (only about 25% of natural hazard losses insured in Europe) as a risk driver. I have reviewed institutions where physical risk overlays existed in the IFRS 9 model but were not reflected in COREP risk-weight calculations. That is a gap the ECB’s climate OSIs are designed to close.

DORA Compliance and Operational Risk Frameworks

DORA entered into force on 17 January 2025. The ECB’s SREP 2026 priorities treat DORA compliance as a Priority 2 vulnerability. Operational risk and ICT risk continue to receive the worst average scores in the SREP, and the ECB is not expecting that to improve quickly.

The specific supervisory activities planned include:

  • Targeted follow-up for banks with material shortcomings in ICT security and cyber resilience
  • Two OSI campaigns: one on cybersecurity management, one on third-party risk management
  • Threat-led penetration testing (TLPT) under DORA
  • Targeted review of ICT change management
  • Deep dive into cloud service provider dependencies

For reporting teams, the DORA connection is less obvious but real. DORA requires a register of information on ICT third-party arrangements. If your regulatory reporting systems depend on third-party vendors (and they almost certainly do), those vendors now appear in the DORA register. If a vendor fails and your reporting pipeline breaks, that is simultaneously a DORA incident and a data quality failure under the RDARR framework.

The ECB published a Guide on outsourcing cloud services to cloud service providers in 2025. Banks heavily reliant on a single cloud provider for data warehousing, reporting engines, or calculation platforms should expect the cloud dependency deep dive to look at exactly this.

Reported significant cyber incidents have doubled in recent years, according to the ECB. If an incident disrupts your ability to submit COREP or FINREP on time, you now have a DORA incident, a reporting failure, and an RDARR deficiency all at once. The teams that handle these three workstreams need to be connected.

Risk Data Aggregation and Risk Reporting: The Persistent Problem

RDARR has been on the ECB’s priority list for years. The 2025 SREP outcomes show no improvement in the relevant average sub-score compared with the prior year. The ECB’s language in the priorities document is unusually direct: “progress made by supervised entities to address structural deficiencies in their RDARR frameworks remains slow.”

In December 2024, the Supervisory Board approved a system-wide RDARR strategy covering all supervised entities. The approach starts with management body accountability for RDARR oversight and implementation, then expands to data quality management and IT/data architecture. A defined remediation and escalation process will guide supervisory actions, and the ECB has said it will use the existing supervisory toolkit, including enforcement, “if required.”

The specific RDARR issues identified by OSIs and targeted reviews include:

  • Data governance frameworks: incomplete or inadequate involvement of management bodies
  • Data infrastructure and IT architecture: systems that cannot aggregate risk data accurately or quickly
  • Data accuracy and integrity: gaps against the BCBS 239 principles

Where I see this hit reporting teams hardest: the gap between what the management body thinks the data shows and what it actually shows. A bank might report a healthy CET1 ratio in COREP. But if the data feeding that ratio comes from three different systems with manual reconciliation steps and no automated controls, the ECB’s RDARR review will flag the process even if the final number happens to be correct. Getting the right answer by accident is not the same as having a sound framework.

For Luxembourg-based institutions supervised directly by the ECB (significant institutions), the RDARR findings feed directly into the SREP score. For less significant institutions supervised by the CSSF, the ECB’s priorities still set the tone. The CSSF applies SREP methodology proportionately, and RDARR expectations cascade down. If you are a smaller bank thinking this does not apply to you, look at the COREP reporting framework and ask whether your data lineage documentation would survive an inspection.

The SREP Multi-Year Assessment: What Changed

The SREP now operates under a multi-year assessment (MYA) framework. Instead of assessing every module every year, JSTs conduct a core assessment annually and evaluate specific SREP modules on a multi-year cycle. The period depends on the complexity of the bank: larger, more complex institutions get reviewed more frequently.

This does not mean anything gets skipped. It means the JST can concentrate resources on emerging risks in a given year. In practice, the Risk Tolerance Framework (RTF) guides which modules get deeper scrutiny. The RTF combines top-down Supervisory Board guidance on prioritised vulnerabilities with bottom-up JST assessments for each bank.

The catch: if your bank has idiosyncratic issues, the MYA framework actually increases the chance of a deeper review. The RTF empowers JSTs to override the default cycle and prioritise whatever they consider the biggest risk. So while a standard bank might have its market risk module reviewed every two years, a bank with concentrated trading book positions in geopolitically sensitive sectors could get a full review annually.

For reporting teams, the practical impact is that data requests from JSTs may arrive at any point in the year, not just during the traditional SREP window. Be ready to produce ad hoc data extractions, reconciliation evidence, and methodology documentation on short notice.

Pillar 2 Requirements and Guidance: How the Numbers Work

The SREP produces two capital outputs: Pillar 2 Requirements (P2R) and Pillar 2 Guidance (P2G). P2R is binding. It sits on top of the Pillar 1 minimum (8%) and is part of the total SREP capital requirement (TSCR). P2G is not binding, but failing to meet it triggers supervisory attention and potential measures.

P2G is calibrated using EBA EU-wide stress test results. The ECB maps stress test capital depletion into P2G buckets through a two-step approach: first, banks are allocated to buckets based on maximum CET1 depletion in the adverse scenario; second, JSTs adjust for bank-specific factors. Most P2G outcomes fall within the bucket range, but exceptions are possible.

The 2026 reverse stress test on geopolitical risk is a different exercise. Unlike the EBA EU-wide stress test, the reverse stress test does not feed into P2G calibration. The ECB has explicitly stated there are no P2G implications from this exercise. Instead, the reverse stress test informs the SREP qualitatively: it tests whether banks can identify which geopolitical scenarios would cause a prescribed 300 basis point CET1 depletion and how those scenarios would affect funding and liquidity conditions. JSTs will use the results to sharpen their risk assessment, but there is no mechanical link to P2G buckets.

This distinction matters for capital planning. If your institution is projecting a P2G increase based on the reverse stress test, that assumption is wrong. P2G recalibration depends on EBA EU-wide stress test results. The reverse stress test may prompt supervisory questions, additional ICAAP scrutiny, or qualitative SREP findings, but it will not directly change your P2G number.

For Pillar 3 disclosure requirements, the connection is direct. P2R and P2G drive the capital stack that institutions must disclose. If the SREP results in new requirements, the Pillar 3 templates need to reflect them accurately. I have seen institutions that updated their capital adequacy disclosures based on the prior year’s SREP decision rather than the current one, creating a timing mismatch that external auditors flagged.

What Luxembourg Banks Should Focus On

Luxembourg’s banking sector includes both ECB-supervised significant institutions and CSSF-supervised less significant institutions. The SREP priorities apply directly to significant institutions, but the ECB explicitly states that the priorities help national supervisors set their own priorities for less significant institutions “in a proportionate manner.”

For significant institutions in Luxembourg, the key exposures to watch are:

  • CRR III standardised approach implementation, especially for institutions with large wealth management or fund-related credit exposures where exposure classification under the new framework may differ from the prior approach
  • Geopolitical risk scenarios in ICAAP and ILAAP, given Luxembourg’s role as a hub for cross-border fund administration and private banking with global client bases
  • DORA compliance for outsourced IT and reporting functions, common in Luxembourg’s fund and banking infrastructure
  • RDARR framework remediation, particularly for institutions with complex group structures where Luxembourg is the subsidiary and data aggregation depends on the parent

For less significant institutions, the CSSF will apply the ECB’s priorities proportionately. The CSSF reporting calendar already reflects COREP and FINREP deadlines that align with SREP data needs. Do not assume that smaller size means lower scrutiny. The CSSF has been increasingly active on RDARR and ICAAP/ILAAP quality for LSIs.

Preparing Your Reporting Team for the 2026 SREP Cycle

The ECB communicates Supervisory Examination Programmes (SEPs) to banks at the start of the supervisory cycle. By the time you receive the SEP, the priorities are set. Preparation needs to happen before the letter arrives.

Practical steps:

  • Review your CRR III implementation for the standardised approach. Verify exposure classifications, risk-weight assignments, and the output floor calculation against the actual regulatory text, not just vendor defaults. Document any judgement calls.
  • Stress test your ILAAP scenarios against the ECB’s stated geopolitical focus. If your adverse scenario does not include trade disruption, sanctions escalation, or funding market stress, it is probably too mild.
  • Map your RDARR framework against the BCBS 239 principles. Document data lineage for every COREP and FINREP template. Identify manual steps and reconciliation gaps.
  • Connect DORA compliance with reporting continuity. If a critical ICT provider goes down, how quickly can you still submit regulatory reports? Test this.
  • Ensure management body involvement in RDARR is documented and real, not a paragraph in a policy document that nobody reads.

The SREP is not a compliance checkbox. It is a supervisory process that directly determines your capital and liquidity requirements. Getting it wrong costs real money and real credibility with your supervisor.

Frequently Asked Questions

What are the main ECB SREP 2026 priorities?

The ECB’s 2026-28 supervisory priorities have two main pillars: Priority 1 focuses on strengthening banks’ resilience to geopolitical risks and macro-financial uncertainties, covering credit underwriting, CRR III implementation, and climate risk management. Priority 2 targets operational resilience and ICT capabilities, including DORA compliance and risk data aggregation. A medium-to-long-term strategy on AI and digitalisation runs alongside these.

How does the SREP affect Pillar 2 capital requirements?

The SREP assessment determines both the Pillar 2 Requirement (P2R), which is binding and adds to the Pillar 1 minimum, and Pillar 2 Guidance (P2G), which is non-binding but closely monitored. P2G is calibrated using EBA EU-wide stress test results, where the ECB maps capital depletion in the adverse scenario to P2G buckets. The 2026 reverse stress test on geopolitical risk is a separate exercise with no P2G implications. The ECB has explicitly stated that reverse stress test results inform the SREP qualitatively but do not feed into the mechanical P2G calibration. Banks should not project a P2G change based on the reverse stress test alone.

What is the 2026 reverse stress test on geopolitical risk?

Unlike a conventional top-down stress test, the 2026 reverse stress test starts from a prescribed outcome: a 300 basis point CET1 depletion. Banks must work backwards to identify which geopolitical scenarios could cause that level of capital erosion. They must also assess how those scenarios would affect funding and liquidity conditions. The exercise has no P2G implications. Results inform the SREP assessment qualitatively, helping JSTs evaluate whether institutions understand their geopolitical vulnerabilities.

What is the SREP multi-year assessment framework?

The MYA allows JSTs to assess SREP modules on a multi-year cycle rather than annually. A core assessment still happens every year. The frequency of module reviews depends on the bank’s complexity. The Risk Tolerance Framework guides which areas get deeper scrutiny in any given year. This does not reduce oversight; it concentrates resources where risks are highest.

How does CRR III affect the SREP 2026 cycle?

CRR III entered into force on 1 January 2025, introducing a revised standardised approach for credit risk and a new non-model-based approach for operational risk. The ECB will conduct targeted reviews and OSIs to assess whether banks have implemented these correctly. The output floor, which limits benefits from internal models, phases in gradually but will increasingly affect risk-weighted asset calculations and COREP reporting.

What liquidity measures can result from the SREP?

The SREP can impose institution-specific quantitative liquidity requirements, including a higher LCR than the regulatory minimum, longer survival periods, and other tailored measures. The 2026 reverse stress test on geopolitical risk requires banks to assess how geopolitical scenarios affect their funding and liquidity conditions, providing JSTs with additional qualitative input for the liquidity adequacy assessment.

How does DORA relate to the SREP?

DORA compliance is assessed as part of SREP Priority 2 on operational resilience. The ECB plans two OSI campaigns (cybersecurity and third-party risk management), threat-led penetration testing, a review of ICT change management, and a deep dive on cloud service provider dependencies. Operational risk and ICT risk continue to receive the worst average SREP scores.

What is the ECB’s RDARR system-wide strategy?

Approved by the Supervisory Board in December 2024, the RDARR strategy covers all supervised entities. It starts with management body accountability, then expands to data quality management and IT architecture. A remediation and escalation process guides supervisory actions. The ECB has stated it will use enforcement tools if banks fail to remediate material RDARR deficiencies.

Do ECB SREP priorities apply to less significant institutions?

Not directly, but the ECB states the priorities help national supervisors set their own priorities for LSIs proportionately. In Luxembourg, the CSSF applies SREP methodology and has been increasingly focused on RDARR, ICAAP/ILAAP quality, and CRR III implementation for smaller institutions. The ECB’s priorities set the direction even if the CSSF adjusts the intensity.

Key Takeaways

  • The ECB’s 2026-28 SREP priorities consolidate into two pillars: geopolitical/macro-financial resilience and operational/ICT resilience, with five specific vulnerability targets underneath.
  • A thematic review of credit underwriting standards will assess new lending and is directly connected to how institutions report credit risk in COREP.
  • CRR III standardised approach implementation is a first-order supervisory concern. Targeted OSIs will look at exposure classifications, risk-weight allocations, collateral valuations, and the output floor calculation.
  • The 2026 reverse stress test on geopolitical risk uses an inverted methodology: banks start from a prescribed 300bp CET1 depletion and identify which geopolitical scenarios could cause it, including the impact on funding and liquidity conditions. The ECB has stated there are no P2G implications; results inform the SREP qualitatively.
  • RDARR deficiencies show no improvement year-on-year. The ECB has approved a system-wide escalation strategy that starts with management body accountability and may use enforcement tools.
  • DORA compliance is assessed under Priority 2 with two OSI campaigns, TLPT, and cloud dependency deep dives planned.
  • The SREP multi-year assessment framework allows JSTs to concentrate resources on emerging risks, meaning data requests can arrive at any point, not just during the traditional SREP window.
  • Luxembourg banks should focus on CRR III implementation accuracy, geopolitical ICAAP/ILAAP scenarios, DORA compliance for outsourced functions, and RDARR framework remediation.

Disclaimer: The information on RegReportingDesk.com is for educational and informational purposes only. It does not constitute legal, regulatory, tax, or compliance advice. Always consult your compliance officer, legal counsel, or the relevant supervisory authority for guidance specific to your institution.
