Response to consultation on revised Guidelines for common procedures and methodologies for the supervisory review and evaluation process (SREP) and supervisory stress testing
Q1. What are the respondents’ views on the overall amendments and clarifications made to the revised guidelines (across Titles 2 – 12)?
Regarding the entry into force of the Guidelines, we welcome the clear application date of January 2027. However, the final sentence creates legal uncertainty. If competent authorities may introduce selected elements of the revised framework earlier, institutions cannot know in advance which specific aspects might be applied already in the 2026 SREP cycle. Clarification on the scope and limits of such early implementation would therefore be highly appreciated to avoid legal uncertainty and heterogeneity across jurisdictions.
Q3. What are the respondents’ views on the enhanced simplification and proportionality aspects?
We appreciate EBA’s efforts to stronger enhance proportionality, sequencing and effectiveness of the supervisory process as well as perceiving simplification as a key driver to the revision of the SREP GL.
In this sense, we support Para 12 according to which for the smallest institutions (Category 4) the minimum frequency for assessing all SREP elements may be extended from three to five years, provided they maintain a stable low risk profile, sound financial metrics and healthy margins, and quarterly monitoring does not raise material concerns.
We also welcome the provisions included in para. 12, according to which large institutions (under the CRR) that are not G-SIIs may be allocated to Categories 1, 2 or 3 depending on their business model and risk profile. This is a significant improvement for O-SIIs, which will no longer automatically be considered Category 1 banks for the SREP anymore.
However, it would be even more purposeful to design Para 12 in a more prescriptive manner for the competent NCAs as follows:
12. As an additional element of proportionality, large institutions (under the CRR) that are not GSIIs may be allocated to Categories 1, 2 or 3 depending on their business model and risk profile. For a subset of the smallest Category 4 institutions, the minimum frequency for assessing all SREP elements shall be extended from three to five years, provided they maintain a stable low risk profile, sound financial metrics and healthy margins, and quarterly monitoring does not raise material concerns. We suggest to delete the following sentence "Competent authorities retain discretion to increase the frequency of engagement whenever warrented."
Q10. What are the respondents’ views on the integration of the EBA GL on ICT risk assessment under the SREP (EBA/GL/2017/05) and DORA aspects?
We welcome the integration of DORA, ICT Risk and Operational Resilience into a consolidated guideline. However, there seems to be a wide thematic overlap between Operational Resilience, Digital Operational Resilience, Operational Risk and ICT Risk and it is unclear which aspects of these concepts are overseen under which title. More clarity would be appreciated in form of a consistent taxonomy, indicating how these concepts are connected.
Q11. What are the respondents’ views on the introduction of operational resilience (section 6.4.5)?
We welcome the introduction of operational resilience as a holistic approach to ensuring the continuity of critical and important functions during disruptions. The proposed framework rightly emphasizes the integration of operational risk management, business continuity, ICT resilience, and third-party risk management into a consolidated supervisory perspective. This alignment is essential to strengthen institutions’ ability to anticipate, withstand, and recover from severe operational events.
However, we would like to highlight the following considerations:
Clarity on Scope and Taxonomy
Operational resilience is presented as a holistic framework that draws on existing regulatory components such as DORA, EBA Guidelines on Internal Governance, and recovery and resolution planning. However, the boundaries between operational resilience, operational risk, ICT risk, and digital operational resilience remain ambiguous. This lack of clarity can lead to overlapping supervisory expectations and duplicative implementation efforts. We would appreciate establishing a consistent taxonomy that explicitly defines each concept, outlines their interrelationships, and specifies which elements fall under the operational resilience assessment versus other frameworks. Such clarity would enable institutions to structure governance, reporting, and resource allocation efficiently while ensuring compliance.
Governance and Reporting Expectations
We support the emphasis on the management body’s active role in overseeing operational resilience maturity. However, guidance on what constitutes “timely reporting” and “major deficiencies” would help institutions design effective escalation and governance processes.
In summary, we agree with the holistic approach and believe that operational resilience is a necessary evolution of existing risk management practices. Greater clarity on scope, proportionality, and integration with existing frameworks will be key to successful implementation.
Q12. What are respondents’ views on the additional section on CSRBB and the combined score for IRRBB and CSRBB?
The additional section on CSRBB gives a bit more clarity on the regulator´s focus and underlines the importance of CSRBB.
The combined score for IRRBB and CSRBB is understandable from the regulator´s point of view. For the banks it is important, that sub-scores for both risk types is transparently displayed and explained.
Q13. What are the respondents’ views on the proposed assessment of the interaction between Pillar 1 and Pillar 2 requirements and on the proposed approach for operationalizing concerning cases where an institution becomes bound by the output floor?
We welcome the consideration of any interaction between Pillar1 and Pillar2 requirements within the SREP capital assessment. We recommend including examples within the SREP guidelines which explain material impacts stemming from regulatory changes and shall not be considered within the Pillar2 requirement setting as they are covered under Pillar1. The outcome of such assessment should be reflected in the SREP decision for the sake of transparency and to help credit institutions understand the competent authority’s evaluation of such interaction between Pillar1 and Pillar2.
However, we notice that EBA still requires P2G to be held in CET1 only.
In terms of P2G, Art 104a CRD generally refers to own funds (CET 1, AT 1 and Tier 2). Hence, there are no specifications as to the quality of own funds required to meet the P2G. The only requirement is that the total amount of own funds is reached. EBA’s current approach leads to inconsistency with level I requirements.
We would like to reiterate that the EBA should not continue requiring that P2G should only be held in CET1. Under the CRD, P2G broadly refers to own funds, which include CET1, AT1 and T2. The legislation contains no specifications regarding the quality of own funds required to meet P2G. The only requirement is that the total amount of own funds be met.
Indeed, in contrast to Article 104a (P2R), Article 104b does not stipulate which type of own funds (CET1, AT1 or T2) must be used to satisfy P2G. The current approach therefore introduces an unnecessary inconsistency into the structure of the capital stacking order. In our view, coherence would be improved by applying to P2G the same default composition used for P2R, which mirrors the P1 requirements (i.e. T1: 75%, of which 75% CET1). Where necessary, competent authorities may prescribe a different composition for both P2R and P2G under the CRD (e.g. requiring CET1 only). However, such deviations should not be the default, given that Pillar 2 measures are intended to be institution-specific.
Hence, Para 25 should be aligned with Art 104a CRD allowing to meet P2G coverage with all elements of own funds as follows:
’25. To increase convergence and level the playing field between institutions, the SREP Guidelines specify the quality of capital competent authorities should require institutions to hold to meet their guidance on additional own funds, CET1, Tier 1 and 2 capital for P2G coverage, and Tier 1 for P2G-LR coverage, respectively.’