ECB-SSM publishes its Annual Work Programme 2026
RegCORE Client Alert | Banking Union
QuickTake
Every year, usually during the fourth quarter, the relevant Banking Union authorities, namely the European Central Bank (ECB), which leads the Single Supervisory Mechanism (SSM), and the Single Resolution Board (SRB), which leads the Single Resolution Mechanism (SRM), individually publish their Annual Work Programmes (AWPs) setting out their priorities and resourcing for the coming calendar year. The ECB-SSM’s AWP aims to foster cross-sectoral regulatory consistency and supervisory convergence and is thus of relevance to national competent authorities (NCAs) and, more importantly, to the firms within the scope of the ECB-SSM’s and the NCAs’ regulatory and supervisory mandates.
On 18 November 2025, the ECB-SSM published its 17-page AWP outlining its key priorities for 2026 and its longer-term focus through to 2028.
The ECB-SSM’s priorities, which are reviewed annually, reflect a forward-looking, risk-based approach and are designed to ensure the sector’s resilience amid heightened geopolitical, macro-financial and technological uncertainties. The 2026–28 priorities focus on two overarching objectives: (i) strengthening banks’ resilience to geopolitical and macro-financial risks and (ii) enhancing operational resilience and information and communication technology (ICT) capabilities, including the management of climate and nature-related (C&N) risks. Concurrently with the publication of its AWP, the ECB-SSM released its 2025 methodology for the Supervisory Review and Evaluation Process (SREP) as well as the aggregated results of that exercise.
This Client Alert examines the key issues and regulatory considerations for market participants. For additional context, it should be read alongside our analyses of the 2026 work programmes of the European Commission, the ECB-SSM, the EU’s Anti-Money Laundering Authority and the European Supervisory Authorities (ESAs), namely the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), both individually and through their Joint Committee (JC). Readers may also find value in other publications from PwC’s Risk Network, notably on the ECB-SSM’s SREP results for 2025 and PwC Legal’s “Navigating 2026,” an outlook on the regulatory and supervisory agenda.
Key takeaways from the ECB-SSM’s 2026 AWP
Persistent geopolitical tensions, volatile markets and rapid digital transformation shape the ECB-SSM’s 2026–28 agenda. Despite sound sector metrics, a fragile macro-financial environment, marked by geopolitical risk, trade policy volatility and tighter links to non-bank finance, heightens tail risks. A 2026 thematic stress test will probe bank-specific geopolitical scenarios, examining solvency, funding and liquidity. Supervisory plans will be recalibrated annually based on evolving risks and SREP results.
Supervisory resources will focus on two goals. First, preventing prudential slippage through disciplined underwriting, accurate capitalisation under CRR III/CRD VI and credible C&N risk management. Second, hardening operational, IT, cyber and data capabilities to meet DORA and BCBS 239 standards. Supervisory intensity will increase for banks with poor SREP outcomes, risk data aggregation and risk reporting (RDARR) gaps or IT weaknesses, leading to earlier on-site examinations, tighter remediation deadlines and faster escalation.
The work programme, based on a full risk assessment, will guide the specific supervisory plans for banks. It aims for consistent and proportionate application across both significant institutions (SIs), supervised directly by the ECB, and less significant institutions (LSIs), supervised by the NCAs. Key themes include:
- Strengthening resilience to geopolitical and macro-financial risks. Banks must maintain prudent underwriting and risk-based pricing to prevent asset-quality decline. Thematic reviews and on-site inspections (OSIs) will target new lending and vulnerable portfolios like small and medium-sized enterprises (SMEs) and commercial real estate (CRE). Supervisors will also scrutinise the implementation of CRR III standardised approaches and expect measurable progress on integrating C&N risks, including credible transition plans and better Pillar 3 ESG disclosures.
- Enhancing operational resilience and ICT capabilities. DORA implementation is a central focus, driving targeted follow-ups, on-site inspections for cyber and third-party risk, penetration testing and reviews of IT change management and cloud dependencies. Persistent risk data (RDARR) deficiencies will trigger a system-wide strategy, including targeted inspections and escalation.
- Supervisory approach and planning. Priorities translate into bank specific Supervisory Examination Programmes (SEPs). The supervisory toolkit blends on-site and off-site activities, with findings feeding into SREP results and potential enforcement.
- Key impacts for banks. Expect heightened scrutiny of credit risk and capital adequacy (CRR III), intensified focus on DORA and ICT/cyber resilience (including cloud and TPRM) and closer oversight of C&N integration and AI adoption. Institutions should proactively remediate vulnerabilities, strengthen frameworks and maintain constructive supervisory engagement.
Milestones and supervisory touchpoints (indicative)
- 2025: CRR III/CRD VI and DORA live; RDARR strategy in force; SREP 2025 flags ICT/RDARR deficits for many banks.
- 2026: Thematic stress test on geopolitical risks; reviews of underwriting and loan pricing; targeted inspections on CRR III standardised approaches and the operational risk Business Indicator (BI); campaigns on cyber and third-party risk; reviews of IT change and cloud dependency; DORA oversight for critical third party providers begins.
- 2027–28: Continued targeted reviews, OSIs and escalation under the RDARR strategy; follow through on remediation outcomes and SREP linked measures.
Supervisory planning and tools
Priorities translate into an annual Supervisory Examination Programme (SEP) for each bank. The SSM will blend thematic reviews, targeted deep dives and on-site inspections (OSIs). Findings drive SREP measures and failure to meet remediation timelines can trigger binding enforcement.
Bottom line: Supervisory engagement will intensify. The focus will be on disciplined credit origination, accurate capital calculations, credible C&N integration, DORA level operational resilience and safe AI adoption. The approach will be proportionate but with clear, enforceable outcomes for all banks.
Thematic priorities and impacts for firms to 2028
Thematic priorities that will drive supervisory engagement
The following themes will drive ECB-SSM supervisory engagement from 2026 to 2028:
A. Financial resilience: Underwriting discipline, capital accuracy and C&N integration
A1. Prudent risk taking and sound credit standards
Supervisors will intensify scrutiny of new lending to prevent future non-performing loan (NPL) formation. Focus areas include underwriting discipline, stress-aligned affordability metrics and risk-based pricing. Vulnerable portfolios, especially SMEs and commercial real estate, remain under the microscope, with weaknesses often seen in collateral valuation, early-warning design and data quality. Expect a thematic review of underwriting standards, a targeted follow-up on loan pricing and credit risk OSIs covering origination and provisioning.
A2. Adequate capitalisation and CRR III implementation
With CRR III/CRD VI in force and the output floor phasing in, the SSM will test the accurate application of standardised approaches. Common failings include exposure classification, risk-weight allocation and ineffective second-line controls. The operational risk regime's business indicator is a specific target for reviews. Market risk deep dives will be case-by-case, given timelines for the Fundamental Review of the Trading Book (FRTB). The Internal Capital Adequacy Assessment Process (ICAAP) must reflect output floor trajectories and adverse geopolitical scenarios.
A3. Climate and nature related (C&N) risks and prudential transition planning
The SSM is moving from assessing “awareness” to demanding “actionability”. Supervisors expect credible, Board owned prudential transition plans aligned with new EU frameworks, better quantification of physical risk and closure of gaps from the 2022 climate exercises. The programme includes thematic assessments of transition plans and targeted on-site inspections, with C&N expectations embedded across all credit and capital processes.
B. Operational resilience: DORA execution, ICT/cyber and third party risk
B1. DORA implementation and cyber resilience
DORA implementation is the centre of gravity for operational resilience. Supervisory work includes on-site inspection campaigns on cybersecurity and ICT third-party risk, threat-led penetration testing (TLPT) and targeted reviews of IT change management. Cloud dependencies will be probed through deep dives, including preparedness for a major service provider disruption. From 2026, the EU’s direct oversight of critical third-party providers will complement banks’ own risk management duties.
B2. Cloud and concentration risk
Supervisors will scrutinise concentration risk on a small number of non-EU providers. They will examine contractual safeguards such as audit rights and chain-outsourcing transparency, as well as testing exit strategies and operational readiness for disruption.
C. Data, reporting and digitalisation: RDARR transformation and AI governance
C1. RDARR (risk data aggregation and risk reporting)
A system wide strategy will drive multi year remediation of risk data capabilities. The initial focus is on management body accountability, followed by data quality management and IT architecture. Banks must provide evidence on data lineage, aggregation controls and the rationale for manual adjustments. Targeted on-site inspections will be deployed for severe findings, with clear escalation paths.
C2. Digital and AI adoption
The SSM is adopting a technology neutral stance on digital transformation and AI. Near term focus will be on high impact use cases, such as credit modelling and generative AI. Supervisors will address strategy, governance, model risk, data ethics and third party controls through workshops and coordinated engagement with other EU authorities, including in the context of the AI Act.
Key impacts for firms
I. Impacts common to all institutions
- Governance and accountability: Boards must own the delivery of DORA, RDARR and C&N integration. Supervisors will test the quality of management information (MI), the adequacy of resources and the timeliness of remediation. Clear accountability maps are essential.
- Credit risk and IFRS 9: Prepare for the underwriting thematic review and loan pricing follow-up. Strengthen affordability testing, risk-based pricing and early-warning systems. For SMEs/CRE, improve collateral valuation, sectoral monitoring and data quality. Tighten governance over provisioning overlays.
- Capital and ICAAP: Run end to end attestations of standardised approach implementations; remediate classification and collateral recognition defects; validate operational risk BI inputs/mappings. Update ICAAP to reflect output floor phasing, model/standardised interplay and geopolitical shocks; articulate feasible management actions and dividend capacity under stress.
- DORA and operational resilience: Demonstrate TLPT readiness, incident response maturity and change management controls. Map critical functions end to end, including all dependencies. For cloud services, show evidence of concentration analysis, exit plans and tested failover capabilities.
- RDARR: Treat risk data reform as a transformation, not a patch. Strengthen data ownership, lineage and aggregation controls. Demonstrate tangible progress against a Board-owned, time-bound plan.
- C&N and disclosures: Produce an actionable prudential transition plan that is integrated with strategy, risk appetite and capital planning. Improve physical risk quantification and Pillar 3 disclosure controls.
- AI governance: Maintain an AI register, risk tiering framework and clear guardrails (e.g., for explainability, privacy and third party controls). For generative AI, ensure human in the loop oversight and auditability.
II. Significant Institutions (SIs)
- Supervisory intensity and scope: Expect more granular supervisory plans and wider use of horizontal benchmarking. SIs will be prioritised for thematic reviews and on-site inspections (e.g., underwriting, CRR III, cyber and third-party risk).
- TLPT and cyber drills: Expect greater frequency and depth of penetration testing and cyber inspections, with explicit expectations to close findings on time and demonstrate measurable risk reduction.
- Cloud and third-party oversight: Deep dives will assess Cloud Service Provider (CSP) resilience, concentration risk and substitution feasibility. Supervisors will scrutinise negotiated contractual rights and tested disruption playbooks.
- RDARR escalation: The bar will be higher on BCBS 239 compliance. Systemic data quality weaknesses may trigger intrusive inspections and SREP measures if remediation lags.
- C&N transition: Expect more detailed assessment of prudential transition plans, scenario capabilities and portfolio steering, with closer linkage to ICAAP and risk appetite.
What ‘good’ looks like for SIs:
- Board level dashboards showing progress on DORA, RDARR and C&N programmes; robust second line challenge to CRR III calculations; mature model risk governance; and thoroughly tested CSP disruption scenarios with recovery metrics achieved in practice.
III. Less Significant Institutions (LSIs)
- Proportionality on scope, not outcomes: LSIs face proportionate but firm scrutiny on underwriting discipline, CRR III accuracy, DORA basics and RDARR fundamentals.
- Resource and capability expectations: Supervisors will look for credible remediation plans that fit an LSI's scale, such as simplified data governance, documented model policies and pragmatic exit strategies for critical vendors.
- Targeted engagement: LSIs with persistent ICT, data or credit risk deficiencies may be drawn into targeted reviews or OSIs, particularly where outsourcing concentrations are high or manual reporting adjustments are material.
What ‘good’ looks like for LSIs:
- Right-sized frameworks with clear ownership; simple, repeatable controls; documented evidence for underwriting decisions; pragmatic threat-testing preparations; and contracts that secure audit rights with critical vendors.
IV. Differentiated readiness priorities
For SIs:
- Run a structured CRR III self-assessment across all standardised risk types, with challenger recalculations and defect logs linked to remediation.
- Establish a TLPT pipeline with a clear remediation and re-test cadence; create a cloud concentration dashboard and an exit plan drill schedule.
- Launch or reinforce a Board-owned RDARR transformation office, with quarterly control effectiveness testing and lineage attestations.
- Build a prudential transition plan, with portfolio steering levers, KPIs and management actions integrated into ICAAP and risk appetite.
For LSIs:
- Document an underwriting and pricing playbook; improve collateral valuation independence and frequency for SME/CRE loans.
- Validate standardised RWA classification, both in logic and in collateral recognition, with sample re-computations and second-line checks.
- Implement DORA minimums: incident response, third party register with criticality ratings, exit/backup arrangements and change control essentials.
- Create a concise RDARR roadmap that defines data owners, golden sources, reconciliation processes and a plan to retire manual adjustments.
- Maintain an AI/advanced analytics inventory and apply proportionate model risk controls to material use cases.
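The cloud concentration dashboard (for SIs) and the third-party register with criticality ratings and exit arrangements (for LSIs) above both reduce to the same question: which providers carry how much of the bank’s critical footprint, and where is there no tested way out? The following is an added example written for this alert; it is not code from the ECB-SSM work programme, from DORA’s register of information or from PwC. The register layout (provider, jurisdiction, critical function, tier, exit-plan status), the sample entries and the 50% share threshold are assumptions for illustration only.

```python
"""Toy third-party concentration check over a constructed register.

Added example for this alert. The field layout, sample entries and the
50% policy threshold are assumptions, not the DORA register format.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    provider: str           # ICT provider name
    jurisdiction: str       # "EU" or "non-EU" (assumed classification)
    critical_function: str  # bank-defined critical or important function
    tier: int               # 1 = most critical (assumed tiering scheme)
    exit_plan_tested: bool  # has an exit/substitution drill been run?


# Constructed sample register; providers and functions are illustrative only.
SAMPLE_REGISTER = [
    Dependency("CloudA", "non-EU", "payments", 1, True),
    Dependency("CloudA", "non-EU", "core-banking", 1, False),
    Dependency("CloudA", "non-EU", "risk-data-warehouse", 2, False),
    Dependency("CloudB", "EU", "payments", 1, True),
    Dependency("SaaS-KYC", "non-EU", "onboarding", 2, False),
    Dependency("OnPrem", "EU", "treasury", 1, True),
]


def functions_by_provider(register):
    """Map each provider to the set of critical functions it supports."""
    out = defaultdict(set)
    for d in register:
        out[d.provider].add(d.critical_function)
    return dict(out)


def provider_share(register):
    """Share of all critical functions that depend on each provider.

    A function served by two providers counts toward both, so shares may
    sum to more than 1; the metric targets single-provider exposure.
    """
    total = len({d.critical_function for d in register})
    return {p: len(fs) / total for p, fs in functions_by_provider(register).items()}


def concentration_findings(register, threshold=0.5):
    """Providers whose share of critical functions exceeds the (assumed) policy limit."""
    return sorted(p for p, s in provider_share(register).items() if s > threshold)


def single_points_of_failure(register):
    """Critical functions tied to exactly one provider with no tested exit plan."""
    providers = defaultdict(set)
    tested = defaultdict(bool)
    for d in register:
        providers[d.critical_function].add(d.provider)
        tested[d.critical_function] |= d.exit_plan_tested
    return sorted(f for f, ps in providers.items() if len(ps) == 1 and not tested[f])


def non_eu_tier1_exposure(register):
    """Tier-1 functions whose providers are all outside the EU."""
    by_fn = defaultdict(list)
    for d in register:
        if d.tier == 1:
            by_fn[d.critical_function].append(d.jurisdiction)
    return sorted(f for f, js in by_fn.items() if all(j == "non-EU" for j in js))


if __name__ == "__main__":
    for p, s in sorted(provider_share(SAMPLE_REGISTER).items()):
        print(f"{p:10s} {s:.0%} of critical functions")
    print("over threshold:", concentration_findings(SAMPLE_REGISTER))
    print("untested single points of failure:", single_points_of_failure(SAMPLE_REGISTER))
    print("tier-1 functions wholly on non-EU providers:", non_eu_tier1_exposure(SAMPLE_REGISTER))
```

Run against a bank’s actual register export, the three result lists are the rows a supervisor would ask about first: the provider above the concentration limit, the functions with one provider and no exit drill, and the tier-1 functions with no EU-jurisdiction fallback. Whatever tiering or threshold the firm’s third-party risk policy actually sets should replace the assumed values here.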
Applying the above and viewing it through a legal lens, regulated firms should prioritise a coordinated upgrade of contractual and policy frameworks that directly support execution to meet the ECB-SSM expectations and timelines. This may include the following:
Contractual documentation priorities
1) ICT, outsourcing and third party contracts (DORA-centric)
Regulators will test whether contractual frameworks tangibly deliver DORA level resilience, oversight and supervisory access.
- Audit, access and cooperation rights:
o Include unconditional audit/inspection rights (remote and on-site), data and systems access, vulnerability scans and cooperation undertakings for the firm and for competent authorities.
o Ensure rights extend across subcontractor chains and affiliates; prohibit refusal on “security” or “confidentiality” grounds without robust alternative access mechanisms.
- Incident, cyber and TLPT cooperation:
o Time-bound incident notification aligned to DORA; root-cause analysis, interim updates and the data the firm needs for its own regulatory reporting; SLA-linked remedies (an SLA, or Service Level Agreement, defines the level of service the vendor commits to).
o Contractual commitment to support threat-led penetration testing (TLPT) and red team activity on in-scope assets, with remediation and retesting at the provider’s cost where failures are material.
- Sub-outsourcing and concentration risk:
o Prior approval/notification thresholds; transparency of fourth and fifth parties; ability to veto high-risk chains; right to request diversification or additional controls where concentration risk rises.
- Cloud-specific resilience:
o Multi-regional availability, data portability, RPO/RTO commitments (recovery point and recovery time objectives) and sovereign/“trusted” cloud options where needed; customer-managed keys or HSM support (a Hardware Security Module is a physical device that safeguards and manages cryptographic keys); change controls for region moves.
o Contractual regulatory access to data and premises irrespective of data location; cooperation with resolution authorities and crisis playbooks.
- Exit, termination and step-in:
o Detailed exit plans (asset/data inventories, formats, runbooks, migration assistance, capped transition pricing); dual running and extended termination assistance.
o Step-in rights for material failure or threats to critical functions; escrow for key tools and artefacts; IP licences for continuity during exit.
- Information security and privacy baseline:
o Alignment to recognised frameworks; secure development and change controls; segregation of environments; breach indemnity beyond typical “fees paid” caps for critical functions.
o Define clear controller/processor roles, establish cross-border transfer mechanisms and specify regulator-led data access carve-outs.
- Liability, caps and indemnities:
o Set high or no caps for data loss, cyber breaches and regulatory fines. Implement a super cap for business interruption of critical functions and avoid broad “indirect loss” exclusions for regulatory remediation costs.
- Financial resilience and continuity:
o Mandate minimum financial strength or insurance coverage. Set notification triggers for provider credit events and restrict assignment to protect service continuity.
- Intra-group outsourcing add-ons:
o Apply DORA standards consistently to intra-group agreements; service levels, audit rights, data access and resolution cooperation are non-negotiable.
2) Reinforcing Credit and Lending Documentation
Legal terms must align with the supervisory focus on underwriting discipline, provisioning and C&N integration.
- Covenants and information undertakings:
o Strengthen requirements for borrower MI, ESG/transition data, collateral reporting, early warning signal (EWS) triggers and access to non-public information for IFRS 9 staging.
o Implement sector-specific covenants for CRE, including LTV retests, DSCR maintenance and independent, frequent valuations.
- Pricing and margin mechanics:
o Clearly document risk-based pricing logic, including rating-linked ratchets, floor mechanics and repricing for credit deterioration. Ensure interest recalculation clauses are tied to specific risk factors, observing consumer protection rules in retail.
- ESG/transition levers:
o Embed sustainability-linked KPIs with auditable baselines, verification rights and remedies for misreporting. Use portfolio-level transition alignment covenants where appropriate.
- Security, collateral and valuation:
o Secure rights for independent valuations, periodic reappraisals and data access. Include cure rights for value depletion and ensure robust collateral descriptions with control over perfection.
3) Trading and Treasury Documentation
- Update Credit Support Annexes and collateral terms to reflect output floor impacts, eligibility checks and concentration limits, harmonised with risk policy.
- Embed resilience, incident reporting and resolution cooperation clauses in clearing and FMI contracts. Validate portability and account segregation through legal opinions.
4) Contractual Resilience for Resolution and Recovery
- Ensure all vendor and financing contracts recognise bail-in and temporary stays. Prohibit termination for resolution events and mandate cooperation with resolution authorities.
- Incorporate continuity language for critical services, priority access to capacity during stress and mandatory participation in resolution testing.
5) Data, IP and AI Vendor terms
- Define data ownership, licence back and portability rights. Restrict provider data mining and model training using client data.
- Mandate AI vendor clauses covering model lineage, data provenance, performance warranties, bias testing, change notification, log retention, human override capabilities and IP indemnities for AI outputs.
Policy and governance documentation priorities
1) ICT, cyber and operational resilience (DORA)
- ICT risk policy suite:
o Establish a third party risk policy defining concentration metrics, tiering, due diligence, continuous monitoring, sub outsourcing controls and a regular exit testing cadence.
o Align incident management policy with DORA timelines and reporting thresholds. Implement playbooks and Board-overseen post-incident reviews.
o Implement a change management policy with gated releases, segregation of duties, rollback capabilities and acceptance criteria linked to critical services.
o Define a TLPT policy covering scope selection, threat intelligence, legal privilege management, remediation SLAs and evidence retention.
- Business continuity and crisis communications:
o Map critical functions, define impact tolerances and establish a testing programme. Prepare for cross border coordination with pre-approved regulator notification scripts.
2) RDARR/BCBS 239 and data governance
- Board-approved RDARR policy and target operating model:
o Define a data ownership model, metadata standards, lineage controls and a golden source architecture.
o Implement a data quality policy with measurable KPIs, clear exception management processes and full audit trails.
o Establish a reporting governance standard for regulatory reports, including change control, end to end testing and attestations.
3) Credit risk, underwriting and IFRS 9
- Credit risk policy:
o Set clear underwriting standards by segment, including stressed affordability tests, robust collateral frameworks and a formal exception process with Board-level reporting.
- Pricing governance:
o Establish a risk based pricing methodology with periodic back testing, peer benchmarking and conduct compliance overlays for retail products.
- IFRS 9 policy:
o Overlays governance (entry/exit criteria, sensitivity), data lineage, model monitoring and alignment to macro scenarios; documentation for vulnerable portfolios (SME/CRE).
- Collateral valuation standard:
o Independence requirements, frequency triggers, model calibration and quality assurance.
4) Capital and ICAAP/ILAAP documentation
- RWA policy for standardised approaches:
o Classification rules, collateral eligibility mapping, control testing and defect remediation workflow; second line challenge procedures.
- Operational risk BI policy:
o Input mapping sources, quality controls, reconciliations and governance.
- ICAAP and Internal Liquidity Adequacy Assessment Process (ILAAP):
o Output floor trajectory governance, management action catalogue with feasibility/lead times, stress scenarios reflecting geopolitical channels and funding/liquidity transmission.
5) C&N related risk
- Prudential transition plan:
o Board owned plan linking strategy, risk appetite, sectoral pathways, portfolio steering limits and client engagement triggers.
- C&N risk policy:
o Integration into origination, collateral haircuts, provisioning overlays and recovery planning; hazard data usage and physical risk mapping.
- ESG disclosure governance:
o Pillar 3 controls for dataset provenance, calculation checks and sign off; gap closure log for physical risk disclosures.
6) AI governance and model risk
- AI policy:
o Establish a risk-tiering framework for AI use cases, a model inventory and standards for explainability, fairness testing, data governance and human in the loop controls.
- Vendor AI standard:
o Create a due diligence checklist and define contractual minimums for vendor AI, including transparency, log access, testing support and ongoing monitoring.
- Interaction with model risk policy:
o Ensure AI governance is fully aligned with the firm's established model risk management lifecycle, from development and validation to change control and review.
7) Resolution readiness and legal risk management
- Contractual recognition and continuity policy:
o Maintain standard clauses for bail in, stays and resolution cooperation. Implement a periodic refresh cycle for all vendor and financing contracts.
- Playbooks:
o Establish clear legal escalation trees, decision rights and evidence packs to ensure rapid and effective regulator engagement during a crisis.
Bottom line: Cross-functional alignment across legal, treasury, finance, IT, HR and service companies is critical, as testing will surface practical frictions in how the business is run. Supervisors will equally judge firms by the traceability from Board-approved policy standards to enforceable contractual rights, and by the evidence that those rights can be exercised in practice.
Outlook
Looking ahead, the ECB-SSM’s sharpened supervisory focus will require institutions to demonstrate a strategic, forward-looking approach to risk management that goes beyond technical compliance. The increasing complexity of the regulatory landscape—driven by the interplay of CRR III/CRD VI, DORA and evolving ESG and AI frameworks—demands that banks embed these expectations into their core business models. Institutions should anticipate that supervisors will rigorously test the operational resilience of critical functions and the credibility of transition plans, particularly concerning climate, nature-related risks and digital transformation.
Supervisory methods will continue to evolve, with greater use of data analytics and thematic deep dives to identify outliers. Banks that invest early in data, reporting and ICT capabilities, underpinned by strong governance, will be best placed to turn regulatory pressure into a competitive advantage. The agenda signals a shift to dynamic, risk-sensitive supervision, where demonstrating resilience and responsible innovation is paramount.
About us
PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from these and related developments. We have assembled a multi-disciplinary and multi-jurisdictional team of sector experts to support clients in navigating challenges and seizing opportunities, as well as in proactively engaging with their market stakeholders and regulators.
Moreover, we have developed a number of RegTech and SupTech tools for supervised firms, including PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 2,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.
Equally, leveraging our Rule Scanner technology, we offer a further solution that digitises a financial services firm’s internal policies and procedures. It creates a comprehensive documentation inventory with an established documentation hierarchy and an embedded glossary, with version control over a defined backward- and forward-looking timeline, so that changes in one policy are carried through to other policy and procedure documents, critical path dependencies are mapped, and legislative and regulatory developments are flagged where they may require action in those policies and procedures.
The PwC Legal Team behind Rule Scanner are proud recipients of ALM Law.com’s coveted “2024 Disruptive Technology of the Year Award” as well as the “2025 Regulatory, Governance and Compliance Technology Award”.
If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.