1. Bank regulation

1.1 PRUDENTIAL REGULATION

a) Genera

(i) Germany

BaFin: Report regarding Risks in BaFin's Focus 2026 (Bericht über Risiken im Fokus 2026)

Status: Final

BaFin published its yearly update on its report regarding Risks in BaFin's Focus, accompanied by a press release. The report identifies the following six top risks for financial institutions, arising from: (i) significant corrections on the international financial markets; (ii) corporate loan defaults; (iii) commercial real estate markets; (iv) cyber incidents with serious consequences; (v) market concentration due to the outsourcing of ICT services; and (vi) insufficient measures to prevent money laundering and terrorist financing

It also lists three trends that are changing the financial sector: (i) digitalisation; (ii) sustainability; and (iii) geopolitical turmoil. This time, the analysis also includes three top risks for consumers: (i) "buy now, pay later" schemes; (ii) investment decisions fuelled by social media; and (iii) endowment life insurance policies with excessive costs.

Date of publication: 28/01/2026

(ii) EU

ESRB: Summary Compliance Report 2026

Status: Final

The ESRB published a second summary compliance report assessing the implementation of recommendation ESRB/2019/18 on the exchange and collection of information for macroprudential purposes regarding branches of credit institutions having their head office in another member state or in a third country. The recommendation, issued on 26 September 2019, is divided into three parts (A, B and C):

Recommendation A, addressed to the relevant authorities, concerns cooperation and the exchange of information on a need-to-know basis for macroprudential and financial stability tasks.

Recommendation B, addressed to the European Commission, focuses on identifying and removing potential obstacles in European Union legislation that may prevent authorities responsible for macroprudential policy or other financial stability tasks from obtaining the information required on branches to carry out their functions.

Recommendation C, addressed to the EBA, concerns the development of Guidelines for monitoring the exchange of information.

The ESRB concludes that this final assessment indicates a high level of compliance with recommendation ESRB/2019/18 across all addressees, i.e., the ECB, the EC and the EBA. At this stage, the ESRB considers it sufficient to continue monitoring the effectiveness and efficiency of the information-exchange on branches between authorities. If any material issues are identified, the ESRB calls for the EBA to carry out a specific assessment of their root causes and determine whether issuing Guidelines would address the problem.

Date of publication: 23/01/2026

ESRB/ECB: Financial stability risks from geoeconomic fragmentation

Status: Final

The ESRB and ECB published a joint report on financial stability risks from geoeconomic fragmentation withtechnical annex, which examines how rising geopolitical risks and heightened uncertainty can affect financial stability in the euro area and across the EU. The report identifies the key transmission channels through which geopolitical shocks can propagate to the financial system.

Date of publication: 22/01/2026

EBA: Final report on Guidelines on ancillary services undertakings specifying the criteria for the identification of activities referred to in Article 4(1)(18) CRR

Status: Final

The EBA published its final Guidelines on ancillary services undertakings. It specifies criteria for identifying activities referred to in Article 4(1)(18) CRR, which was amended by Regulation 2024/1623 (CRR III), to clarify the definition of ancillary services undertaking. The Guidelines define how to identify: (a) activities that should be considered a "direct extension of banking"; (b) activities that should be considered "ancillary to banking"; and (c) "other similar activities" that the EBA may consider similar to those referred to in the CRR.

Following feedback to the July consultation, the main changes include: (i) removing two proposed criteria for identifying "direct extensions of banking", specifically the references to activities involving maturity/liquidity transformation, leverage or credit-risk transfer, as these were viewed as circular and vague; and (ii) removing the specific provision for undertakings jointly owned by institutional protection scheme members, meaning they will be assessed under the general rules. The Guidelines will be translated into all official EU languages and published on the EBA website. The deadline for competent authorities to report whether they comply with the Guidelines will be two months after the publication of the translations.

The EBA also published a report on the prudential consolidation framework, setting out targeted recommendations that may support the European Commission in considering further legislative adjustments to the CRR framework. These include:

Simplification of sub-consolidation requirements, to reduce complexity for groups with multiple consolidation layers.

mproved alignment with accounting standards, both in terms of undertakings included within the scope of consolidation and relevant methods to be applied.

Refinement of the definition of control, to ensure consistent interpretation and convergence across jurisdictions.

Further clarity on how to determine the perimeter of prudential consolidation, especially when an insurance undertaking within a bank-led financial conglomerate acquires a financial institution and the so-called "Danish compromise" (Article 49 of the CRR) is applied by the parent institution.

Date of publication: 09/01/2026

b) Solvency/Own funds issues

(i) Germany

BaFin: Updated list on the countercyclical capital buffer: indicator values, time series and indicator description (Angepasste Liste zum antizyklischen Kapitalpuffer: Indikatoren, Zeitreihen und Erläuterungen)

Status: Final

BaFin updated its Excel spreadsheet on the countercyclical capital buffer with regard to the indicator values, time series and indicator description concerning the decision about setting the buffer. This is available in German and English.

Date of publication: 30/01/2026

(ii) EU

EBA: Consultation on draft Guidelines amending EBA/GL/2020/13 on the appropriate subsets of sectoral exposures to which competent or designated authorities may apply a systemic risk buffer in accordance with Article 133(5)(f) CRD IV

Status: Consultation

Deadline for the submission of comments: 30/04/2026

The EBA launched a consultation proposing updates to existing Guidelines (EBA/GL/2020/13) on the use of systemic risk buffers (SyRB) to address climate-related and broader environmental risks under Article 133 of the CRD, as amended by CRD VI. The EBA notes that climate risks, both transition and physical, are expected to have a material impact on individual institutions and the wider financial system. Article 133 permits relevant authorities to apply a SyRB where climate-related risks could have serious negative consequences for the financial system and the real economy. The current Guidelines, published in 2020, were not designed to target exposures subject to climate risk. The consultation therefore proposes revisions to enable SyRB measures to better capture climate risks of both types. It also incorporates some changes based on lessons learned from national authorities that have previously implemented SyRB measures, with the aim of improving their design and monitoring.

The Guidelines are expected to be finalised by mid-2026 and are expected to apply six months after publication.

Date of publication: 29/01/2026

EBA: Report on IRRBB heatmap implementation

Status: Final

The EBA published its second-phase report outlining the medium- to long-term objectives of the Interest Rate Risk in the Banking Book (IRRBB) heatmap, including key recommendations for institutions and supervisors. The report completes the heatmap milestones launched after the scrutiny of the IRRBB standards and builds on the guidance reflected in the first-phase implementation report published in February 2025.

This second-phase report provides analytical findings and recommendations in four priority areas:

Application of the five-year cap on the repricing maturity of non-maturity deposits (NMD) – this continues to serve as a harmonising benchmark with limited impact observed so far. Institutions that seek a longer horizon should demonstrate, within their Internal Measurement System (IMS), how such treatment better reflects product characteristics or client behaviour, substantiate it with historical evidence and integrate it into hedging practice, in line with Q&A 2023_6807. Any approved deviation should be disclosed under Pillar 3.

Commercial margin modelling – constant-spread modelling remains widely used across most products except for non-maturing deposits (NMD), due to their behavioural features.

Credit Spread Risk in the Banking Book (CSRBB) perimeter – CSRBB should be included in banks' internal capital adequacy assessment processes if it is considered material and firms are advised to work towards consistency across both Economic Value of Equity and Net Interest Income unless strong, risk-based arguments justify divergence. Institutions should not limit the scope by accounting classification nor by the availability of market observations. No instruments can be excluded simply because the institution intends to hold them. Derivatives should not be excluded solely because they are subject to credit valuation adjustment (CVA) or counterparty credit risk treatments. Own issuances other than equity should be included when they are sensitive to market spreads.

Hedging strategies – Interest Rate Swap (IRS) remains the main principal derivative instrument used to mitigate IRRBB exposures. The EBA recommends that hedge designation should align with product characteristics, economic-hedging frameworks must be well-governed, and effectiveness should be evidenced through regular back-testing and documentation.

The EBA will continue assessing the impact of the IRRBB regulatory package. It will also evaluate the effect of the Basel Committee's recalibrated July 2024 interest rate shock scenarios to determine whether updates to existing technical standards are needed.

Date of publication: 26/01/2026

ECB: Response to targeted consultation on the market risk prudential framework

Status: Final

The ECB published its staff contribution to the EC's targeted consultation on the application of the market risk prudential framework (FRTB). The ECB welcomes the proposal to have the FRTB enter into force in the EU on 1 January 2027. It argues that further delaying the implementation of the FRTB would come with clear costs from a risk management and operational perspective. The ECB favours the three-year period of stability in the applicable market risk framework proposed by the EC. With respect to the temporary measures proposed for the delegated act, the ECB believes there is room to make these proposed amendments more risk-based and sound without adversely affecting the EC's objective of maintaining a level playing field with other jurisdictions. Regarding internal model-related requirements, the ECB agrees with using the Profit and Loss Attribution Test (PLAT) as a monitoring tool only, on the understanding that banks work on remediation in the event of highly concerning results. It considers the measures regarding the Risk Factor Eligibility Test (RFET) could be too far-reaching in their current form and would prefer this relief measure be limited to new risk factors. Equally, with regard to collective investment undertakings (CIUs), the ECB continues to consider that the proposal allowing banks to carry out the look-through on a quarterly basis for material exposures under both FRTB-AIMA and FRTB-ASA, rather than on a weekly basis as currently foreseen in the Capital Requirements Regulation, would not be sufficient to adequately capture the underlying risks of CIU exposures.

The ECB believes that level playing field concerns regarding the requirements applicable to CIUs are sufficiently addressed by the proposal to allow banks to calculate their own funds requirements on CIU exposures with a partial look-through if they are able to look through at least 90% of the CIU exposures. The ECB suggests that it may be necessary to apply a floor to the total possible reduction of market risk RWAs from which banks can benefit, given that the cumulative impact of the proposed amendments could be disproportionate for some banks and significantly water down the regulatory intent of introducing the FRTB. On the calibration options for the multiplier for the capital requirements, which would aim to cap increases in capital requirements for market risk which certain banks could experience, the ECB explains that it prefers the bank-specific, static multiplier option suggested, but warns that each of the proposed multipliers would raise implementation challenges and could in theory have distributional effects within the banking sector.

Date of publication: 15/01/2026

c) Risk management/SREP/Pillar 2/Outsourcing/NPL

(i) EU

EBA: Two final draft RTS for third-country branches under CRD VI

Status: Draft

The EBA published two final draft RTS under CRD VI, relating to the regulatory requirements for third-country branches (TCBs). The RTS relate to: (i) cooperation and colleges of supervisors for TCBs; and (ii) the booking arrangements that TCBs are to apply. The revised drafts consider feedback from the July consultations, in particular:

The draft RTS on cooperation and colleges of supervisors for third-country branches under Article 48p(7) CRD IV contains a revised Article 14 on the information to be exchanged on the supervisory review and evaluation process (SREP). The elements of information to be exchanged are linked to the relevant provisions of CRD in order to accommodate future developments at the level of the SREP Guidelines (a revised version of which is currently under consultation).

In respect of the draft RTS specifying the booking arrangements that third-country branches are to apply for the purposes of Article 48h CRD IV, two amendments were made in response to concerns about operational challenges: (i) the obligation to implement systems separate from the head undertaking has been removed and the text now simply requires branches to "maintain systems"; and (ii) the requirement to record originated assets and liabilities where a transfer of risks, rewards or obligations has occurred to an entity outside the group is limited to the reporting period of the reporting year that the transfer of risk has occurred. The value to be reported should be the carrying amount as at the transfer date.

The RTS will now be submitted to the EC for endorsement, after which they will be subject to scrutiny by the EP and the Council of the EU.

Date of publication: 08/01/2026

d) Cyber security

(i) Germany

BaFin: Guidance on ICT risks in the use of AI at financial entities

Status: Final

BaFin issued guidance on ICT risks in the use of AI at financial entities. It serves as non-mandatory advice, designed to help financial entities implement regulatory requirements under DORA when using AI and will thus support the entities in effectively managing their ICT risks. The guidance is aimed in particular at institutions subject to the Capital Requirements Regulation and insurers supervised under Solvency II. The guidance gives particular consideration to ICT risk management and ICT third-party risk management. It examines the ICT risks throughout the AI life cycle. This includes data acquisition, model development and provision as well as ongoing operation and retirement. The security and resilience of an AI system must be guaranteed in every phase. In addition to specific safeguards for ICT assets, it is crucial for AI systems to also be included within the existing ICT risk management framework. The guidance also takes into account industry experience with the use of AI systems.

Date of publication: 30/01/2026

BaFin: Report regarding Risks in BaFin's Focus 2026 (Bericht über Risiken im Fokus 2026)

Status: Final

BaFin published its yearly update on its report regarding Risks in BaFin's Focus. For more information, please see section a) above

Date of publication: 28/01/2026

(ii) International

G7 Cyber Expert Group: Statement on advancing a coordinated roadmap for the transition to postquantum cryptography in the financial sector

Status: Final

The statement from the G7 Cyber Expert Group (CEG) setting out a high-level, non-binding roadmap for a coordinated financial-sector transition to post-quantum cryptography (PQC) was published online. Building on its previous 2024 statement, the CEG highlights while quantum computing promises significant new capabilities for financial services, these advanced computers will be capable of breaking widely used cryptographic protocols that protect systems and data. Therefore, the CEG explains how the financial sector should start preparing for this in advance of risks. The roadmap outlines a phased approach for both financial sector entities and public authorities for planning and coordination. It highlights key migration activities including awareness and preparation, discovery and inventory, risk assessment and planning, migration execution, testing and ongoing validation and monitoring. Although not legally binding, the CEG encourages firms to begin planning now. It notes that many jurisdictions currently reference 2035 as an overall target for full migration, with the most important systems ideally upgraded earlier (around 2030–2032). While the trajectory of quantum computing development is uncertain, the statement conveys it may be helpful for organisations to establish comparable migration timelines to ensure their milestones can be achieved prior to the availability of cryptographically relevant quantum computers. The CEG further encourages ongoing monitoring, cross-sector information sharing and close coordination with international standard setting bodies to support a harmonised transition to PQC.

Date of publication: 13/01/2026

e) Supervisory reporting

(i) EU

EBA: Updated risk assessment indicators

Status: Final

The EBA published its updated list of indicators for risk assessment and risk analysis tools, along with a revisedmethodological guide. This update does not introduce any additional reporting requirements for institutions or competent authorities. Instead, it clarifies how risk indicators are calculated in EBA publications, enabling users and competent authorities to interpret key banking figures consistently when conducting risk assessments and analyses. Reflecting the EBA reporting framework version 4.1, the update covers a broad range of indicators on institutions' profitability, solvency and operational risk, among others. It also introduces new sets of risk indicators linked to the MiCAR, and investment firms.

Date of publication: 28/01/2026

f) Disclosure

i) EU

BA: Announcement that its Pillar 3 data hub goes live

Status: Final

The EBA announced the launch of its Pillar 3 data hub, a new harmonised digital platform which, for the first time, provides public access to prudential information from all EEA credit institutions in a single location. The hub offers users access to official data alongside a tool to enable comparisons across institutions, reference dates and other dimensions. Bulk data downloads are also available.

The EBA expects the full data set for the first three reference dates (June, September and December 2025) to be available by June this year. In line with transitional arrangements under the final draft implementing technical standards published in February 2025, institutions must now submit, via the platform, the Pillar 3 reports for the 2025 reference date already published on their own websites. The transition period enables institutions to familiarise themselves with the platform and submission process, before moving to the steady state. The EBA provides a comprehensive user guide covering all features of the Pillar 3 data hub.

Date of publication: 28/01/2026

