The European Central Bank’s Banking Supervision arm has laid out its supervisory priorities for 2026-2028, and the message to Europe’s biggest lenders is clear: brace for impact. The framework zeroes in on geopolitical instability, macro-financial shocks, and the increasingly tangled web of digital and cyber risks facing the continent’s banking sector.

Published on November 18, 2025, the priorities reflect a central bank that sees storm clouds on multiple horizons.

Stress tests with teeth

The centerpiece of the new supervisory cycle is a 2026 thematic reverse stress test. Unlike a traditional stress test, which asks “how bad does it get under this scenario,” a reverse stress test flips the question: “what would it take to break you?”

In this case, 110 banks will be required to model specific scenarios that could deplete at least 300 basis points of their Common Equity Tier 1 capital. Results from this exercise are expected by summer 2026. They won’t just be academic, either. The findings will feed directly into qualitative assessments within the Supervisory Review and Evaluation Process, known as SREP, and will shape Pillar 2 Guidance, which determines how much extra capital individual banks need to hold above minimum requirements.

This builds on previous EU-wide stress tests and cyber resilience exercises, creating a layered approach to understanding where European banks are vulnerable. The ECB has described the European banking sector as having a “sound risk profile and robust fundamentals” with strong capital and liquidity.

DORA kicks in and digital oversight expands

The second major priority is operational resilience, specifically around Information and Communication Technology. Starting in January 2026, the Digital Operational Resilience Act, or DORA, brings critical third-party ICT providers under direct regulatory oversight for the first time.

The ECB’s priorities explicitly call out the need for banks to improve their digital transformation strategies and IT outsourcing practices. The priority list also includes follow-up on credit standards, climate and nature-related financial risks, artificial intelligence strategies, and IT security and cyber resilience.

What’s notably absent: crypto

For anyone in the digital asset space scanning this announcement for signals, the takeaway is what the ECB didn’t say. There are no substantial references to cryptocurrencies or digital assets in the supervisory priorities.

Observers have noted no major updates from the ECB regarding cryptocurrencies during the period leading up to this announcement. The focus remains squarely on traditional banking resilience.

What this means for investors

The DORA implementation adds a layer of compliance cost for banks that rely heavily on third-party technology providers. Institutions that have already invested in operational resilience and diversified their ICT supply chains will be at an advantage.

Summer 2026, when those reverse stress test results land, will be the first real test of whether European banks can deliver on the resilience the ECB is demanding.