Article

ECB requires significant institutions to address AI-enabled cybersecurity threats

ECB requires significant institutions to address AI-enabled cybersecurity threats

On July 7, 2026, Claudia Buch, chair of the European Central Bank’s (ECB) Supervisory Board, addressed a letter to the CEOs of all significant institutions (SIs) supervised under the Single Supervisory Mechanism (SSM), calling for immediate and proactive measures to address the escalating cybersecurity threats enabled by frontier artificial intelligence (AI) models.

The letter, published simultaneously with a warning from the European Systemic Risk Board (ESRB) on systemic cyber risks stemming from frontier AI models, marks a material escalation of supervisory expectations regarding information and communication technology (ICT) resilience and cyber risk management. Significant institutions are required to submit a comprehensive action plan to their Joint Supervisory Team (JST) by October 31, 2026. While the letter is addressed exclusively to SIs, similar requirements are widely anticipated to follow for less significant institutions supervised by national competent authorities (NCAs), including the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht; “Bafin”).

AI regulation and cybersecurity: an accelerating supervisory focus

The regulatory focus on AI-related cybersecurity risks for financial institutions has intensified markedly in recent months, driven by rapid advances in the capabilities of frontier AI models—the most advanced versions of general-purpose AI. The emergence of highly capable new models (including Anthropic’s Claude Mythos model) has marked a step change in the speed and sophistication of AI-enabled threat vectors, compressing the timeline between vulnerability discovery and exploitation and enabling adversaries to operate at unprecedented scale. 

Multiple supervisory authorities across jurisdictions have identified these developments as a material driver of heightened cyber risk for financial institutions, triggering a wave of coordinated regulatory responses of which the ECB’s letter is the most direct expression within European banking supervision to date. Bafin has also significantly raised its supervisory focus on cybersecurity (as highlighted in our May 2026 client briefing on Bafin’s reinforcement of its supervisory activities in the anti-financial crime and cyber areas) and the authority has issued warnings regarding AI-enabled threats and has allocated additional supervisory resources to cyber risk oversight. 

The ECB’s latest action, requiring SIs to develop and submit a comprehensive cybersecurity action plan within months, represents a logical and anticipated supervisory response to the evolving threat landscape, and it is reasonable to expect that Bafin and other EU NCAs will issue comparable obligations for the banks and other institutions they directly supervise in the near to medium term.

The ECB’s letter of July 7, 2026: background and core message

The ECB’s letter identifies rapid advancements in AI systems as a “pivotal change” to the cybersecurity landscape. Emerging AI models are capable of identifying software vulnerabilities and generating “functioning exploits” (i.e., code that exploits a vulnerability) at unprecedented speed, compressing the timeline between vulnerability discovery and exploitation. The ECB stresses that this is a long-term structural shift in the threat landscape, not a temporary phenomenon or a risk tied to any single tool or model, and that, while these developments do not introduce entirely new risk categories, they significantly increase the speed and scale at which existing risks materialize. 

Responsibility for responding to this evolving environment lies primarily with banks’ management board (for German purposes, in line with the general prudential requirements under Section 25a and 25c of the German Banking Act (Kreditwesengesetz)) and requirements under Regulation (EU) 2022/2554 (Digital Operational Resilience Act; DORA), which are expected to revisit strategic ICT decisions, resource allocation and risk tolerance frameworks where necessary. 

The letter further underscores the continued relevance of DORA and calls on institutions to address, without delay, any open supervisory findings related to ICT and security risks identified in previous activities, including on-site inspections, targeted reviews and the 2024 cyber-resilience stress test. Last month, the European Supervisory Authorities (ESAs) published a report on major ICT-related incidents under DORA, which found a relatively low number of cybersecurity-related incidents suggesting systems were currently working well.

Nevertheless, the ESAs urged firms to maintain high cybersecurity standards to keep pace with the potential threat from highly capable AI-driven tools—a position they reiterated yesterday in response to the ESRB’s warning. Similarly, Bafin has repeatedly highlighted the escalating cyber risks facing banks in connection with new and highly capable frontier AI models, noting that tools such as Anthropic's Claude Mythos, OpenAI’s GPT-5.5, and Microsoft’s MDASH can discover and exploit vulnerabilities at unprecedented speed and scale, potentially threatening the stability of individual financial institutions and the financial system as a whole.

ECB expectations and action plan requirements

Each SI’s comprehensive cyber resilience action plan should outline concrete measures to strengthen relevant controls, allocate necessary resources, assign clear roles and responsibilities, and define implementation timelines. The ECB will conduct a horizontal analysis of the plans and share conclusions with SIs. 

In this context, the following is worth noting: 

  • In the short term, three priority areas are identified: (i) accelerating vulnerability and patch management at scale; (ii) enhancing monitoring, detection and AI-enabled defensive capabilities; and (iii) verifying that third-party risk management is fit for purpose given the critical role of ICT service providers in supply chains.
  • Over the longer term, structural measures should include reinforcing defense-in-depth and modernizing infrastructure, in particular by replacing or updating legacy technologies, and improving operational resilience through crisis management, recovery mechanisms and information-sharing arrangements. 

To enable institutions to focus resources on these priorities, the ECB will extend the deadline for the annual IT Risk Questionnaire from September 2026 to February 2027. More specifically, the ECB’s letter requests that SIs’ action plans address the following six focus areas, with separate objectives for the short and medium term:

In the short term: 

  • Prioritize protection of attack surfaces: Identify and monitor all ICT assets (including third-party software and open-source components), minimize internet-facing and externally exposed assets (including cloud environments), and prioritize perimeter technologies in remediation efforts.
  • Accelerate vulnerability and patch management at scale: Conduct prioritized vulnerability scanning, prepare for more frequent and higher-volume patching cycles, and ensure that ICT change management arrangements support rapid, risk-based remediation—including through appropriate contractual terms with ICT service providers.
  • Enhance monitoring, detection and AI-enabled defensive capabilities: Strengthen monitoring of application and access logs, network traffic and indicators of compromise, with a focus on internet-facing applications, cloud repositories and critical internal systems. AI-based defensive tools may be used where preceded by appropriate risk assessment and human oversight. 
  • Strengthen governance, training and supply chain assurance: Management bodies should assess the adequacy of ICT budgeting, staffing, tooling and change capacity. Training and awareness measures should be risk-commensurate and adjusted to the evolving threat landscape. Institutions remain fully accountable for risks stemming from outsourced ICT services and should maintain adequate supply chain assurance. 

In the medium term:

  • Reinforce defense-in-depth and modernize infrastructure: Apply segmentation and zero-trust principles, maintain strong baseline controls (including multi-factor authentication, least-privilege access and comprehensive logging), and replace or update legacy, unsupported, or end-of-life ICT systems. AI-native and AI-assisted defensive tools should be deployed with appropriate governance and human oversight.
  • Improve operational resilience, crisis management, and information-sharing: Maintain robust and regularly tested incident response, backup, failover, and recovery arrangements aligned with DORA. Conduct exercises covering high-speed, high-volume attack scenarios and supply chain or cloud service disruption. Participate in secure information-sharing frameworks for exchanging threat intelligence and defensive strategies across the sector.

The detailed focus areas set out in Annex 1 to the ECB’s letter are provided as an Annex to this briefing.

Implications for banks

For SIs, compliance with the letter is an immediate priority. The October 31, 2026 deadline for submitting a comprehensive action plan is fast approaching, and institutions should begin their gap assessment and remediation planning without delay. The requirements build on the existing DORA framework and reinforce the expectation that ICT governance, vulnerability management, and third-party risk arrangements are not merely compliant on paper, but substantively effective in practice. 

Institutions with open supervisory findings in ICT-related areas should treat closure of those findings as particularly urgent in light of the ECB’s explicit call to that effect. A range of further requirements will also need to be considered from a broader prudential perspective, including the intersection of AI deployment with data protection and operational resilience obligations.

For non-SIs (i.e., “Bafin-supervised” institutions), which fall outside the direct scope of the ECB’s letter, the developments are nonetheless a clear signal. Supervisory expectations regarding cyber and AI risks are converging across European regulators. As highlighted in our May 2026 Client Briefing on Bafin’s reinforcement of its anti-financial crime and cyber supervision, Bafin has already devoted significant additional resources to cyber risk oversight and has issued warnings regarding AI-enabled threats.

That said, in our view the ECB’s letter forms part of a broader European regulatory trajectory in relation to AI, and in particular to AI-related cyber risks. Relevant workstreams and legal aspects include, by way of example, prudential requirements, outsourcing rules, DORA, cybersecurity requirements under the AI Act (Regulation (EU) 2024/1689), requirements for data security under the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679, including GDPR requirements for deploying AI-enabled defensive tools), the CERT-EU Threat Landscape Report 2025 and the European Commission’s Action Plan on Cybersecurity and AI. 

Beyond these immediate priorities, medium-term resilience planning should also account for emerging challenges such as post-quantum cryptography, which the ECB has signaled it will address in the future. The ECB’s letter, while primarily directed at ICT resilience and cyber risk, further raises a number of issues that sit at the intersection of cybersecurity, data protection under the GDPR and emerging AI regulation.

We recommend that all institutions, not just SIs, undertake the following actions as set out in more detail in the Annex: 

  1. A targeted gap analysis of their cyber resilience posture, benchmarked against both the supervisory expectations outlined above (mapping existing ICT resilience measures, vulnerability management processes and third-party arrangements against each of the six focus areas set out below and in Annex 1 to the ECB’s letter) and other applicable regulatory requirements in a wider sense.
  2. ICT budget. The ECB expects management bodies to evaluate whether current ICT budgeting, staffing, tooling and change capacity are sufficient to support. 
  3. Evaluate AI tool governance. Where institutions are deploying or considering AI-enabled defensive tools, ensure that deployment is preceded by a thorough risk assessment covering both the cybersecurity benefits and any associated data protection, EU AI Act compliance and model risk considerations. Establish appropriate human oversight mechanisms and document the governance framework.
  4. Begin post-quantum cryptography planning. Although the ECB will address this in a separate communication, it has signaled that the adoption of post-quantum cryptography must start now. Institutions should begin scoping the impact on their cryptographic estate and develop a roadmap for transition.

Please feel free to contact us to discuss what these developments mean for your institution, or how we can assist with the development of a tailored action plan or a preparatory health check.