SREP 2.0: How the EBA is recalibrating supervision

With the EBA/CP/2025/21* consultation paper, the European supervisory authority has provided far-reaching impetus for the further development of the banking supervisory framework. The new guidelines are to apply from 1 January 2027 and will have a profound impact on existing processes, sharpen methodological principles and set clear expectations for institutions of all sizes. This is particularly clear: The supervisory authority is aiming for more proportionality, a noticeable streamlining of procedures and a closer integration of key elements of the SREP. At the same time, the focus is shifting away from pure checklists towards a more effective, cause-orientated assessment – including clear escalation paths.

The adjustments affect numerous core areas: from the more structured communication of SREP results to the full integration of ESG and governance topics, through to the embedding of operational resilience and ICT risks in the existing operational risk framework – not least with a view to DORA. The interactions between Pillar 1, Pillar 2 and the output floor are also being reorganised. In addition, the EBA is specifying its expectations regarding stress tests and Pillar 2 requirements (P2G), while a series of special innovations, such as in the treatment of transfer pricing in market risk or for third-country branches, will result in further adjustments for the affected institutions.

This article provides an initial overview of the key content and the regulatory thrust. In-depth analyses and deep dives on the individual topics will follow in the coming weeks – practical, structured and with a view to the impact on different types of institutes.

Guiding principle: Proportionality, streamlining and stronger integration

The revision emphasises the proportionality principle as the core of the supervisory commitment and thus aims to achieve more risk-focused supervision and a more efficient use of supervisory resources. At the same time, topics such as operational resilience, ESG risks, the integration of requirements for third-country branches and output floor cases as well as the integration of ICT risk assessment into the general SREP guidelines are emphasised as key innovations.

For institutions, this means in practice:

Scoring and supervisory effectiveness: away from checklists and towards causes and escalation

The draft guidelines emphasise that the tabular “considerations” for assigning scores are not a mechanical checklist, but are to be applied by means of supervisory judgement in the context of the institution’s individual relevance and interactions. At the same time, an “F” assessment (“failing or likely to fail”) is explicitly provided as an additional score for the overall SREP score, including an impetus to involve resolution authorities. A high-level and flexible escalation framework is also described, which is intended to help supervisors select suitable measures and explicitly addresses the causes of identified deficits.

However, the supervisory authority does not see the order of measures as a rigid sequence model. The extent to which an institution is willing and able to remedy identified weaknesses effectively and promptly (an aspect that will be included in the governance assessment in future) will be assessed more closely. This creates clear pressure for institutions to act: Remediation governance (ownership, milestones, verification, reporting to the management body) will itself become a subject of supervisory assessment and can have a noticeable influence on the intensity of supervision and choice of measures.

Communication of SREP results: more structure, more burden of justification

The EBA emphasises that expectations regarding the communication of SREP results should be bundled, specified in the draft guidelines as a formal letter to the management body. In terms of content, the communication should contain at least a summary of the results and the overall SREP score and, where appropriate, scores for relevant (sub)elements.

Particularly important for institutions:

In addition, the communication of relevant changes to the Pillar 1 framework must explicitly reflect the interaction check. This increases the requirements for comprehensible, risk type-related derivations and consistent “storylines” between ICAAP / ILAAP, SREP dialogue and capital planning.

ESG and governance: integration instead of a separate module

ESG risks are not treated as a separate risk class, but are integrated across the business model, governance and management as well as the capital and liquidity dimension. In the draft guidelines, this is operationalised, among other things, by explicitly taking ESG risks (in particular physical and transitory risks) into account in the governance assessment. For institutions, this means that ESG data, risk drivers, limits, policies and the strategic embedding must be prepared in such a way that they can be consistently integrated into several SREP strands. Otherwise, there is a risk of findings not only in the ESG context, but also in business model and governance scores.

Operational resilience and ICT: integration into operational risk – with reference to DORA

The EBA describes a holistic perspective on operational resilience and integrates the ICT risk assessment into the operational risk assessment, including third-party dependencies, incident management and cyber security. Consistent with this, the draft guidelines also provide for explicit references to DORA remedial measures in the case of supervisory measures. The implication for institutions is twofold: (1) the “separation” of ICT SREP and operational risk SREP is no longer part of the expectation logic, (2) DORA-compliant ICT controls and third-party risk management will have a stronger impact as resilience factors relevant to supervisory law in scoring and the cascade of measures.

Interaction between Pillar 1, Pillar 2 and the output floor

If a change to the P1R methodology or its application potentially leads to a noticeable effect on the capital profile, supervisors must check the connection with Pillar 2 and adjust it if necessary in order to rule out double counting. If an institution is bound by the output floor for the first time, the requirements should be temporarily applied to the unlimited Total Risk Exposure Amount (TREA) and then checked to ensure that there are no double counting and arithmetic effects that distort the results. Institutions should address an expected output floor commitment at an early stage (on the basis of estimates).

Stress tests and Pillar 2 guidance

The recommendation for the capital level (P2G) and the leverage ratio (P2G-LR) should be determined on the basis of the results of the supervisory stress tests and address supervisory concerns regarding the sensitivity of the institution to these scenarios. At the same time, however, this should not cover any risks (or leverage aspects) that are already covered by the fixed P2R requirements. The determination can also be made every two years (provided an appropriate interim review is carried out, including additional sensitivity analyses). Among other things, credible and highly certain management measures can be included in the final calibration. If an institution is restricted by the output floor, a review of the P2G calibration may be arranged.

Special innovations: Transfer pricing market risk and third country branches

For intra-group market risk transfers, the draft provides a methodology for deriving the P2R in the form of a multiplier. However, if a market risk regime of a third country that does not correspond to the EU Pillar 1 framework is used, a corresponding mark-up must be applied. At the same time, the use of equally robust alternative methods remains expressly possible. Third-country branches are treated as a separate SREP component, whereby the minimum audit intensity is based on the categorisation in Class 1 or Class 2. The assessment focuses in particular on the business model, governance and control framework, capitalisation and liquidity as well as booking arrangements. In addition, both the dependency on the Group and the required degree of operational independence in terms of sustainable viability are taken into account.

General assessment of the innovations

The consultation paper illustrates the increasing complexity of the supervisory requirements. The proposed adjustments range from a significant deepening of the SREP methodology to greater integration with the supervisory stress tests and specific requirements for individual risk types and organisational forms. In doing so, the EBA is not only setting new technical priorities, but is also raising the level of expectations of institutions with regard to governance, risk management and capital planning.

In-depth insights into the specific requirements and changes in the SREP process as well as in the regulatory stress tests will follow in the upcoming articles in this series – with detailed deep dives into SREP calculation, output floors, ICT aspects and ESG topics!