Navigating Financial Uncertainty: Key Takeaways from the ESAs’ Autumn 2025 Report

Financial institutions across Europe are navigating some of the most uncertain conditions in recent memory. Inflation may have eased, but high interest rates continue to weigh on households and corporates, while growth prospects remain limited. Add to that the volatility triggered by geopolitical tensions, supply chain shifts, and increasingly complex cyber threats, and the picture is clear: stability can no longer be taken for granted. 

 

The European Supervisory Authorities’ (ESAs) Autumn 2025 Joint Committee Report provides a timely assessment of the risks and vulnerabilities facing the EU financial system. Its findings underscore a simple but sobering reality: today’s challenges are not only financial but also structural, spanning cyber resilience, operational continuity, and even reputational integrity.

 

For financial institutions, the report is both a warning and a guide. It highlights where vulnerabilities are most acute, and it emphasizes the need for a forward-looking, integrated approach to risk management. Navigating this landscape isn’t just about weathering market cycles; it’s about building resilience across every layer of the organization. 


Key Takeaways

  • Ongoing financial pressures – lower growth, higher sensitivity 

The EU economy is still under strain. Growth is weak, and while banks currently look healthy on paper – with strong capital buffers and low bad-loan levels – things could turn quickly if businesses or households start defaulting on loans. This means that proactive monitoring of credit exposures and liquidity buffers is essential to avoid being caught off guard.

 

  • Geopolitical uncertainty and global dependencies 

Instability abroad is hitting home. Trade tensions with the US (like tariff increases) and conflicts in Ukraine and the Middle East have made energy and supply chains less predictable. Even more worrying: Europe relies heavily on non-EU providers for critical services. For example, two US firms handle the bulk of EU financial clearing, and just three cloud providers dominate digital infrastructure. If access to these services were disrupted, many in Europe would feel it immediately. These structural dependencies mean operational resilience isn’t only about technology; it’s also about geopolitics. Institutions should map their critical suppliers and infrastructures and plan for “what if” scenarios where access is suddenly cut off.
 

  • Cyber and digital risks 
    Cyberattacks are growing more frequent and sophisticated. Ransomware, DDoS attacks, and AI-driven phishing campaigns are all mentioned in the report. At the same time, financial firms increasingly depend on the same small group of third-party tech providers, which creates systemic risk: one outage or breach could ripple across the entire sector. Regulators are pushing firms to implement the EU’s new Digital Operational Resilience Act (DORA) to strengthen defences. The challenge is twofold: defending against attackers while also ensuring resilience if a core service provider fails. Security teams must therefore balance prevention with continuity planning. 
     
  • Vulnerable sectors 
      • SMEs face affordability challenges due to high interest rates 
      • Commercial real estate is seeing falling property values and refinancing difficulties 
      • Insurers and pension funds are sensitive to sudden market swings, which could force them to find large amounts of cash quickly to cover losses 

 
These vulnerabilities act as pressure points: shocks in one area can cascade into others, meaning risk managers should track sector interconnections rather than treating them in isolation. 

 

  • Crypto and emerging risks 
    Crypto markets have ballooned, peaking at over €3 trillion before dropping back. While still not fully “systemic,” links between traditional finance and crypto are deepening. This means risks in digital assets can no longer be dismissed as isolated from the mainstream system. For now, the main concern is operational and reputational: institutions need to understand where they are exposed, directly or indirectly, and ensure governance frameworks cover this fast-moving space. 

 

  • Supervisory expectations 
    Supervisors expect financial firms to plan for compound crises and polycrises – not just a market downturn, not just a cyberattack, but scenarios where these happen together. Forward-looking stress tests, better third-party oversight, and cyber resilience are top of the list. This is a clear signal that regulators are moving beyond narrow compliance checks; they want to see evidence of integrated resilience planning that spans finance, operations, and technology. 
     
     

What This Means for Security Risk Professionals

  • Geopolitics is now an operational risk. 

Trade wars, sanctions, or geopolitical disputes don’t just hit markets; they can disrupt critical services your institution relies on, especially when those services are run by non-EU providers. Security teams should map these dependencies, ask “what if this service is suddenly cut off?”, and prepare workarounds. 

  

  • Cyber resilience isn’t optional. 

The report treats cyber incidents as financial-stability events – meaning a big enough cyberattack could threaten the system like a banking crisis. Security professionals should double down on red teaming, supply chain risk assessments, and aligning with DORA. Stress-testing isn’t just about IT uptime; it’s about showing the organisation can keep operating under digital siege. 

  

  • Third-party concentration is a hidden weak spot. 

Relying on a handful of global cloud or clearing providers creates single points of failure. This is like having one supplier for a mission-critical part: efficient until the day it breaks. Institutions should push for contingency contracts, diversify providers where possible, and demand clear resilience commitments from vendors. 

  

  • Polycrises are the new normal. 

The ESAs stress that shocks rarely come alone. A cyberattack during a financial downturn, or a supply-chain disruption alongside an energy crisis, could magnify damage. Scenario planning should reflect this reality: not “if this happens,” but “if this and that happen at the same time, what’s our response?” 

  

  • Liquidity and continuity matter. 

The numbers in the report show insurers and pensions could face sudden cash calls in stress scenarios. This is a reminder to ensure continuity plans cover liquidity access: how will the organisation fund critical operations if markets lock up or collateral calls spike? 

  

  • Culture and governance are part of resilience. 

Supervisors are signalling that resilience isn’t just technical. Failures in ESG disclosures, greenwashing, or misconduct can create reputational crises with profound impact. Embedding a culture of accountability and transparency is a crucial form of risk control. 

Looking Ahead

The ESAs’ Autumn 2025 report makes one thing clear: uncertainty is not going away. Financial institutions will continue to face pressure from slow growth, volatile markets, geopolitical tensions, and increasingly complex cyber threats. What’s changing is the level of supervisory expectation – regulators are no longer satisfied with static risk assessments or narrow compliance exercises. They want to see that firms are anticipating compound shocks and actively building resilience across systems, people, and processes. 

 

For security risk professionals, this is both a challenge and an opportunity. The challenge lies in managing risks that no longer fit neatly into silos: geopolitical disruption can quickly trigger cyber incidents; market downturns can amplify liquidity and reputational risk. The opportunity is that effective risk management can move from a defensive function to a strategic advantage, helping institutions maintain trust and continuity where others falter. 

 

Looking ahead, organizations that invest in scenario planning, third-party oversight, and integrated stress-testing will be far better positioned to adapt and recover. The takeaway is simple: resilience must be treated not as a one-time project, but as a living capability that is continuously tested, improved, and embedded into the culture of the organization.

About Human Risks

Human Risks is a comprehensive security risk management platform designed to help security teams drive effective engagement with asset owners from the ground up.

 

Across eight core modules, Human Risks helps organisations proactively embed security risk management into everyday business processes, providing clarity on risk accountability, streamlining collaboration, and supporting a dynamic, living risk assessment approach.

 

Interested in learning more? Connect with the team to see how we’re working with leading organisations to foster proactive security cultures and drive strategic engagement.
