The frame
The German banking sector’s post-2025 governance burden is no longer only a question of how much a bank holds, but how reliably it can explain risk controls when conditions deteriorate.
Two official documents now anchor this message. First, the Bundesbank’s national supervisory programme for 2026-28, jointly defined with BaFin. Second, the Bundesbank’s April 2026 monthly report article on the Banking Directive Implementation and Bureaucracy Relief Act, published on 21 April 2026, which explains BRUBEG as Germany’s transposition vehicle for CRD VI.
Together they suggest a shift from process complexity toward control quality, especially where market risk, governance quality and IT-security posture intersect.
Supervisory priorities: what is actually in the focus
In the 2026 supervisory priorities, BaFin and the Bundesbank list governance vulnerabilities, misconduct, and the qualification of top management and supervisory bodies as direct supervisory concerns, not abstract best-practice concerns. They also identify specialist and technical data quality in reporting, especially at network institutions, and keep IT security under national supervisory scrutiny.
The practical signal is clear: it is no longer enough for institutions to have separate silos for risk, internal audit and information technology. Supervisory scrutiny is increasingly about the coherence between these silos.
BRUBEG as governance calibration, not just procedural easing
In the April monthly report, BRUBEG is presented as the mechanism by which CRD VI requirements are carried into national rules. The Bundesbank says the act generally entered into force on 1 April 2026 and is intended to implement the European requirements without going beyond them, while adding targeted regulatory relief and preserving prudential standards.
The article framing is important for the German market. A bank can now expect less tolerance for fragmented governance and less ambiguity about where responsibility sits when digital incidents, credit risks and reporting failures overlap.
That does not erase rules work. It changes the point where compliance quality is judged: less around output volume, more around explainability, control design and continuity.
The timing matters because the two documents point in the same direction from different angles. BRUBEG supplies the national-law calibration after the EU banking package. The supervisory programme describes where German supervisors will spend attention in 2026 and over the medium term to 2028. For banks, governance reform is not a one-off legal implementation file; it is becoming part of the ordinary supervisory conversation.
The least useful response would be to treat simplification as a relaxation signal. The more realistic reading is narrower: supervisors want fewer unproductive process layers, but stronger evidence that boards, risk owners and technology functions understand the same control picture.
Why this matters for institutions
There are three immediate effects.
1) Board competence becomes part of prudential review
Supervision language now puts management qualification and supervisory board quality in the same frame as traditional capital and risk checks. It is no longer optional leadership style; it is an operational control input.
2) Data quality is no longer an internal KPI only
The emphasis on reporting quality in the supervisory priorities and the post-CRD VI architecture means institutions that treat risk data as “finance operations only” are likely to face recurring friction. The same data now feeds governance conversations, cyber-resilience planning and macro-risk interpretation.
3) IT security is embedded in banking quality
Keeping IT security as an ongoing focus line item in the supervisory priorities is not a marginal choice. It aligns with the post-DORA operational shift: financial resilience now depends as much on cyber-control design and escalation logic as on capital buffers.
The forward implication for German banks
What is emerging is a more integrated supervisory logic:
- institutions must show that governance structures can operate under stress,
- operational data must be credible and auditable at line-level, and
- cyber risks must be treated as central to prudential stability.
For readers outside Germany, the local lesson is simple: transposition reform is not merely legal copy. It is a control reweighting.
Supervisors in Frankfurt and Berlin are increasingly judging banks by whether they can run this system under pressure, not merely whether forms are complete.
Sources
- Bundesbank, “National supervisory programme 2026-28”: supervisory priorities jointly defined by BaFin and Bundesbank; sections on IT security, governance, data quality, DORA implementation checks and medium-term priorities to 2028. URL: https://www.bundesbank.de/en/tasks/banking-supervision/individual-aspects/supervision-priorities/priorities-of-banking-supervision-800890
- Bundesbank Monthly Report, “The Banking Directive Implementation and Bureaucracy Relief Act,” published 21 April 2026: BRUBEG transposes CRD VI into German supervisory law, generally entered into force on 1 April 2026, and is framed as proportionate implementation without lowering prudential standards. URL: https://publikationen.bundesbank.de/publikationen-en/reports-studies/monthly-reports/monthly-report-april-2026-993254?article=the-banking-directive-implementation-and-bureaucracy-relief-act-993246
Discussion
Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.