Supervisory Priorities for 2025 - 2027

The European Central Bank (ECB) has revised its supervisory priorities for the next three years to reflect the more structural challenges and vulnerabilities in the sector.

Supervisory Priorities for 2025 - 2027

Watch video

Executive summary

The ECB has published its supervisory priorities for the next three years. Financial institutions should strengthen their resilience to macro-financial threats and severe geopolitical shocks; address persistent material weaknesses in an effective and timely manner; strengthen digitization strategies; and address the challenges of using new technologies. For each of these priorities, the ECB has identified a number of vulnerabilities for which it has set specific objectives and work programs.

Main content

This Technical Note provides a summary of the ECB´s priorities for the next three years, as well as the work programs envisaged to address the identified vulnerabilities:

• Priority 1. Strengthen resilience to macro-financial threats and severe geopolitical shocks.
  • In terms of vulnerabilities, the focus is on credit risk, operational resilience, and cyber risk, to prioritize: i) addressing weaknesses in credit risk management frameworks, as well as early detection of asset quality deterioration and maintaining adequate provisioning levels; and ii) evolving operational resilience frameworks in an environment of increasing geopolitical risks, in particular taking into account cyber risks.
  • With regard to credit risk, the following key activities will be undertaken: assessing asset quality, monitoring portfolio management, and strengthening measures to mitigate potential impairments. Regarding operational Resilience and cyber risk, the following main activities will be carried out: data collection from Information and Communications Technology (ICT) providers to identify relationships with supervised entities, concentration risks and contractual weaknesses; review of vendor risk management (VRM) and cyber risk control frameworks; follow-up on the findings of the 2024 Cyber Stress Test ; assessment of on-site inspections (OSIs) of operational risk and Information Technology (IT) Resilience frameworks; and implementation of the Digital Operational Resilience Regulation (DORA).
• Priority 2. Effectively and timely address persistent material weaknesses.
  • The identified vulnerabilities are i) addressing gaps related to climate risk strategy and management; and ii) enhancing capabilities to improve data aggregation and risk reporting (RDARR).
  • For environmental, social and governance (ESG) risks, key activities include monitoring alignment with regulatory expectations, assessing compliance with Pillar 3 ESG, managing reputational and legal risks, reviewing transition plans under the Capital Requirements Directive (CRD) 6 and developing ESG OSIs, both on a stand-alone basis and linked to other risks. For RDARR, measures include the monitoring of specific reviews (TRs) to ensure compliance with the guidance and remediation of findings, the assessment of OSIs related to data governance and IT infrastructure, and the preparation of an annual report to ensure the accountability of  management bodies for the quality and management of information.
• Priority 3. Strengthen digitization strategies and address the challenges of using new technologies.
  • The third and last priority is to strengthen digitization strategies and to tackle the challenges posed by the use of new technologies, in an effort to address the vulnerabilities identified in this area.
  • Regarding the business model (BMA), actions will mainly focus on assessing the impact of digital transformation on business models and strategies, as well as on the risks associated with the use of new technologies, in particular artificial intelligence and cloud services. Digital transformation OSIs will also be developed, analyzing the impact of technology and new business models on institutions’ strategies.

Access the technical note on the Supervisory Priorities 2025 - 2027 in Spanish and English.