ECB-SSM Annual Report on Supervisory Activities 2024: Key developments, supervisory priorities and regulatory implications

RegCORE Client Alert | Banking Union

QuickTake

The European Central Bank (ECB) published its Annual Report on Supervisory Activities for 2024 (the Report) in March 2025, marking the tenth anniversary of the Single Supervisory Mechanism (SSM). The Report provides a comprehensive overview of the resilience and stability of the European banking sector, supervisory priorities for 2024–26 and the evolving risk landscape, including geopolitical tensions, climate change, digital transformation and operational resilience.

As explored in this Client Alert, the Report also details supervisory priorities for 2025-27 See also standalone coverage on the ECB-SSM’s supervisory priorities here and how these interact with plans of other EU authorities here.Show Footnote as well as reforms, risk management initiatives, direct and indirect supervision of Banking Union supervised institutions (BUSIs), categorised as significant (SI) or less significant institutions (LSIs) along with specific measures addressing cyber risk, climate risks and outsourcing.

Key takeaways from the Report

The Report focuses on a number of headline issues that the ECB-SSM advanced during 2024. These include:

Banking sector resilience and performance

European banks under ECB supervision demonstrated robust financial resilience in 2024, maintaining strong capital and liquidity positions. The aggregate Common Equity Tier 1 (CET1) capital ratio for significant institutions (SIs) stood at 15.7%, with less significant institutions (LSIs) at 18.4%. Liquidity coverage ratios were 158.5% for SIs and 216.8% for LSIs. Profitability remained solid, with SIs reporting a return on equity of 10.2% and LSIs at 8.2%. Asset quality was broadly stable, with the overall non-performing loan (NPL) ratio for SIs at 1.9%, though pockets of risk were noted in SME and commercial real estate portfolios.

SSM supervisory priorities for 2024–26

The ECB-SSM’s supervisory agenda for 2024–26 is structured around the following three core priorities:

1. Strengthening resilience to macro-financial and geopolitical shocks: Supervisors focused on credit risk and counterparty credit risk management, particularly in portfolios sensitive to interest rate changes and macroeconomic uncertainty. Targeted reviews and on-site inspections addressed loan origination, risk classification, and expected credit loss modelling, with a particular emphasis on commercial real estate, leveraged finance, and SME exposures. Asset and liability management frameworks were scrutinised, with emphasis on liquidity risk, contingency funding plans, and collateral management. The ECB also conducted joint analyses with other major regulators on counterparty credit risk exposures to non-bank financial institutions.
2. Remediation of governance and climate-related risk management: The ECB-SSM continued to address structural deficiencies in banks’ governance, internal controls, and risk data aggregation and reporting (RDARR). Progress was observed in management body composition and diversity, though further improvements are required, particularly in management body functioning, gender representation, IT expertise and succession planning. The ECB-SSM published a final Guide on effective RDARR and imposed qualitative requirements on several institutions to address identified gaps. The ECB-SSM equally issued binding decisions on climate and environmental (C&E) risks, including the potential for periodic penalty payments for non-compliance.  Banks are expected to fully integrate C&E risks into governance, strategy, and risk management frameworks by the end of 2024.
3. Advancing digital transformation and operational resilience: With significant cyber incidents involving third parties rising by 50%, supervisory attention intensified on digitalisation strategies, IT risk and cyber resilience. The ECB-SSM adjusted its supervisory framework to align with the Digital Operational Resilience Act, including enhancements to incident reporting and outsourcing registers. The ECB-SSM conducted targeted reviews of digitalisation activities and operational resilience frameworks, including cyber risk and third-party outsourcing.  The 2024 cyber resilience stress test involved 109 banks and assessed crisis response and recovery capabilities.  The ECB also launched a public consultation on a draft Guide for outsourcing cloud services, aiming to clarify supervisory expectations under the Digital Operational Resilience Act.

Supervisory reforms and methodological enhancements

The Supervisory Review and Evaluation Process (SREP) underwent significant reform in 2024, aiming to streamline processes, enhance efficiency, and focus on bank-specific risks.  The reformed SREP, to be fully implemented by 2026, will allow for more flexible, risk-based and multi-year assessments, better integration of supervisory activities, improved use of IT and data strategy and more effective escalation of supervisory measures.  The ECB-SSM’s risk tolerance framework, in place since 2023, allows for prioritisation of critical risk areas and more flexible, risk-based supervision.

The 2024 SREP outcomes indicated overall stability, with the average SREP score at 2.6 and capital requirements slightly increasing to 15.6% of risk-weighted assets.

Direct and indirect supervision for EU and non-EU banks

Direct supervision of SIs included both off-site and on-site activities, with 165 on-site inspections and 78 internal model investigations launched in 2024. Key findings highlighted weaknesses in credit risk quantification, collateral valuation, market risk management, liquidity risk measurement, and IT/cybersecurity frameworks.  Internal model investigations revealed deficiencies in risk quantification and IT infrastructure, particularly for credit risk models.

The LSI sector continued to consolidate, with the number of entities declining to 1,912. LSIs remain relevant, accounting for approximately 15.5% of total banking assets. The ECB-SSM and national competent authorities (NCAs) conducted targeted reviews of funding plans and stress testing, confirming the overall resilience of the LSI sector.

The ECB-SSM oversaw 14 subsidiaries of non-EU banks, focusing on compliance with EU requirements and addressing challenges arising from parent strategies not always aligned with EU rules. The ECB-SSM also monitored the reduction of exposures to Russia, with SIs reducing such exposures by 5.6% during 2024. Geopolitical risks remain a key supervisory focus, with the ECB-SSM’s assessing banks’ risk management frameworks and incorporating geopolitical risk into stress testing and capital planning.

Macroprudential policy and crisis management

The ECB-SSM coordinated macroprudential policy across the euro area, with all Banking Union countries implementing some form of releasable capital buffer. No significant institutions were assessed as failing or likely to fail in 2024. The ECB-SSM and the Single Resolution Board (SRB) continued close cooperation, including joint liquidity exercises and crisis simulation exercises. For LSIs, the ECB-SSM received 11 notifications of financial deterioration, with crisis management contact groups established to coordinate supervisory actions and one licence withdrawal during the year.

Authorisation, fit and proper and enforcement

In 2024, the ECB was notified of 742 authorisation procedures and 1,557 fit and proper assessments. The ECB continued to promote diversity and collective suitability in management bodies, with increased use of ancillary provisions to address concerns. As explored in a separate Client Alert on the ECB-SSM’s Annual Report on enforcement and sanctioning activity 2024 saw the issuance of numerous enforcement actions and the issuance of both pecuniary and non-pecuniary fines. The ECB also issued 13 binding decisions on climate-related risks, envisaging periodic penalty payments for non-compliance.

Interinstitutional and international cooperation

The ECB-SSM strengthened cooperation with EU and non-EU supervisory authorities, concluding new memoranda of understanding and participating in international forums. The ECB-SSM contributed to the work of the Financial Stability Board, Basel Committee on Banking Supervision, and European Banking Authority, with a focus on climate-related financial risks, digital operational resilience and regulatory harmonisation.

Organisation, digitalisation and budget

The ECB advanced its SSM tech strategy, investing in supervisory technology and digital tools to enhance efficiency and reduce reporting burdens, focusing on integrating supervisory technology applications and enhancing data analytics. Investments in IT systems (including IMAS) and SupTech tools aim to streamline supervision and reduce reporting burdens for banks. Training and capability-building initiatives were expanded, with a focus on IT risk, cyber resilience, and climate risk.

Actual expenditure on supervisory tasks in 2024 was €680.6 million, a 4.2% increase from 2023, reflecting intensified supervisory activities and IT investments. The planned budget for 2025 is €703.8 million, with continued investment in technology and preparations for the biennial EU-wide stress tests.

Outlook

The Report marks a significant milestone, celebrating a decade of the SSM and providing a comprehensive overview of the evolving regulatory and supervisory landscape for EU-regulated financial institutions. The report underscores the resilience of the European banking sector but also highlights a series of emerging challenges and regulatory expectations that will have profound implications for regulated firms in the coming years.

A central theme of the Report is the continued emphasis on financial resilience. This strength has enabled BUSIs to support the real economy and absorb macroeconomic shocks, including those stemming from geopolitical instability and the aftermath of the COVID-19 pandemic. However, the ECB-SSM cautions that the external environment remains volatile, with persistent geopolitical risks, including the war in Ukraine and tensions in the Middle East, as well as subject to ongoing macro-financial uncertainties. For BUSIs, this means that capital and liquidity management will remain under intense supervisory scrutiny and there will be little tolerance for complacency in risk management practices let alone for poor governance.

About us

PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from relevant related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients navigate challenges and seize opportunities as well as to proactively engage with their market stakeholders and regulators.

Moreover, we have developed a number of RegTech and SupTech tools for supervised firms, including PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 1,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.

Equally, in leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures, create a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary that has version control over a defined backward plus forward looking timeline to be able to ensure changes in one policy are carried through over to other policy and procedure documents, critical path dependencies are mapped and legislative and regulatory developments are flagged where these may require actions to be taken in such policies and procedures.

The PwC Legal Team behind Rule Scanner are proud recipients of ALM Law.com’s coveted “2024 Disruptive Technology of the Year Award”.

If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.