The frame
The German banking sector’s 2026 supervision cycle is no longer only a question of whether institutions can complete the right forms. It is becoming a test of whether governance, data quality and technology controls describe the same risk reality.
Two official documents anchor that shift. The first is the Bundesbank’s national supervisory programme for 2026-28, which says the priorities are jointly defined each year by BaFin and the Bundesbank for institutions under national supervision. The second is the Bundesbank’s April 2026 Monthly Report article on the Banking Directive Implementation and Bureaucracy Relief Act, published on 21 April 2026, which frames BRUBEG as Germany’s implementation vehicle for CRD VI.
Together, they point to a narrower but more demanding supervisory proposition: less tolerance for ritualised process, and more attention to the quality of the controls underneath it.
The 2026 priorities are operational
The 2026 supervisory programme lists three priority areas: the economic environment, IT security and governance. That ordering matters because it places cyber and organisational control issues beside conventional credit and market risk.
On the economic side, the Bundesbank says credit risk indicators are deteriorating in many segments for both enterprises and households. It also points to elevated risks in commercial real estate and says supervisors will monitor lending standards, credit default ratios and collateral values on an ongoing basis. The less significant institution stress test is due to be carried out in 2026.
But the sharper signal for bank management boards is outside the classic credit cycle. Under IT security, the programme says supervisors aim to identify cyber and IT risks, including concentrations on third-party providers, especially cloud providers. It also says implementation of DORA requirements will be checked through thematic reviews and supporting analyses at selected institutions and their IT service providers, with gaps addressed on a risk-oriented basis.
That is a concrete examination posture. A bank cannot treat DORA as a completed implementation file if supervisors are still planning selected reviews of both institutions and their service providers. The question becomes whether outsourcing registers, incident escalation, resilience testing and board reporting all point to the same operational map.
BRUBEG as governance calibration, not just procedural easing
In the April Monthly Report, the Bundesbank describes BRUBEG as transposing extensive CRD VI changes into German supervisory law. It says the act generally entered into force on 1 April 2026, with the stated aim of implementing European requirements with minimum bureaucracy and without going beyond those requirements. At the same time, the Bundesbank says the act includes targeted regulatory relief while preserving prudential standards.
That is a useful distinction for the German market. Relief from unnecessary process does not mean relief from accountability. It means supervisors are trying to reduce redundant burden while keeping the pressure on the control system that remains.
The same Monthly Report article notes that BRUBEG adds new supervisory powers to the Banking Act. It also discusses ESG risk integration, changes around third-country branches and the eventual discontinuation of reporting for loans of EUR 1 million or more from 30 December 2026, while pointing to AnaCredit and other datasets as meaningful alternatives for supervisors.
The policy direction is not simply “less regulation.” It is a move from legacy reporting channels and legal transposition work toward a more data-driven supervisory model. If supervisory information can be drawn from more granular datasets, the quality of banks’ underlying data architecture becomes more important, not less.
Governance is now a data question
The 2026 programme is explicit that governance weaknesses can lead to risks being misassessed or to bad decisions. Under the governance priority, it says supervisors will identify and sanction institutions with governance vulnerabilities and misconduct. It also says the focus is increasingly on ensuring that top management and supervisory bodies are qualified, partly through special audits with specific audit modules.
That language moves governance away from soft culture commentary. It makes board competence and organisational design part of the prudential risk picture.
The same section also says supervisors will review specialist and technical data quality in reporting, especially at network institutions. That is the bridge between governance and operations. A board can approve a risk appetite statement, but if the reporting data below it is inconsistent, delayed or hard to reconcile, the institution cannot demonstrate control under stress.
For German savings bank and cooperative networks, that point is especially relevant. Network structures can create advantages in shared infrastructure, but they can also create ambiguity over ownership of data definitions, escalation paths and third-party technology dependencies. The programme’s reference to network institutions indicates that supervisors are alert to that complexity.
The AI and cloud angle
The Bundesbank’s supervisory programme also links banking digitalisation to blockchain and artificial intelligence. It does not frame AI as a separate novelty topic. Instead, it places AI inside a broader risk picture that includes cyberattacks, outsourcing and dependence on a small number of service providers.
That framing is important. German banks are not only being asked whether they use AI responsibly. They are being asked whether a more digital bank can still explain its control environment when technology dependence increases.
This is where DORA, cloud concentration and AI governance converge. A model deployed in a credit process or operational workflow may sit on outsourced infrastructure, rely on third-party software components and feed into reporting data used by management. If the bank cannot explain that chain, the problem is not only technology risk. It is governance risk.
What banks should read into it
The forward implication is a more integrated supervisory logic:
- institutions must show that governance structures can operate under stress,
- operational data must be credible and auditable at line level,
- cyber and IT risks must be treated as central to prudential stability,
- and outsourcing oversight must be connected to board-level accountability.
For readers outside Germany, the local lesson is simple: national transposition is not merely legal copy-out. BRUBEG supplies part of the legal calibration after the EU banking package. The 2026 supervisory programme shows where BaFin and the Bundesbank intend to test the system in practice.
German supervisors are not signalling a retreat from supervision. They are signalling a preference for fewer unproductive layers and stronger evidence that boards, risk owners and technology functions understand the same control picture.
That is a harder standard than form completion. It asks whether a bank can run its risk model under pressure and explain why it still works.
Sources
- Deutsche Bundesbank, “National supervisory programme 2026-28”: supervisory priorities jointly defined by BaFin and Bundesbank; 2026 priorities include economic environment, IT security and governance; DORA reviews, data-quality review and medium-term digital transformation/AI priorities are named. URL: https://www.bundesbank.de/en/tasks/financial-supervision/individual-aspects/supervision-priorities/priorities-of-banking-supervision-800890
- Deutsche Bundesbank Monthly Report, “The Banking Directive Implementation and Bureaucracy Relief Act,” published 21 April 2026: BRUBEG transposes CRD VI into German supervisory law, generally entered into force on 1 April 2026, and is framed as proportionate implementation without lowering prudential standards. URL: https://publikationen.bundesbank.de/publikationen-en/reports-studies/monthly-reports/monthly-report-april-2026-993254?article=the-banking-directive-implementation-and-bureaucracy-relief-act-993246
Discussion
Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.