ECB orders banks to submit AI cyber-security plans
ECB ordered major banks to deliver AI cyber-security action plans to their Joint Supervisory Teams by 31 October, detailing how they will detect, prevent and respond to AI-driven threats.
The European Central Bank has instructed major banks it supervises to submit action plans addressing AI-driven cyber threats by 31 October. The plans must be sent to each bank’s Joint Supervisory Team at the ECB and set out measures for detection, prevention and response.
In a letter to bank chiefs, Claudia Buch, chair of the ECB’s supervisory board, wrote that banks must “assess the impact of the evolving threat landscape without delay” and identify how AI changes operational risk profiles. Buch said AI’s ability to reveal weaknesses quickly means longstanding unresolved vulnerabilities can present greater risks to operational resilience.
Buch asked banks to provide concrete measures, allocate necessary resources, assign clear roles and set implementation timelines. The ECB specified priority areas for the plans: accelerating vulnerability and patch management at scale; strengthening monitoring and detection tools, including AI-enabled defensive capabilities; and ensuring third-party risk management is fit for purpose.
The regulator made clear that responsibility for the measures rests with bank management and that strategic ICT decisions, such as investment priorities and resource allocation, may need to be revisited.
To give firms more time to respond, the ECB extended the deadline for completing its annual Risk Questionnaire from September 2026 to February 2027.
The letter follows an episode earlier this year in which an AI model called Mythos rapidly identified thousands of security flaws in software and systems. Pip White, Anthropic’s European head, stated that Mythos had been made available to several organisations and had found vulnerabilities across operating systems and web browsers. She added, “Mythos has really showed us that there are a lot of very severe vulnerabilities right now.”
Buch also noted developments in quantum computing that could threaten current encryption methods and said the ECB will address that risk in a separate letter. She said adoption of post-quantum cryptography will require sustained, long-term investment.
Industry specialists warned that AI will change how cyber threats are carried out. Jonathan Frost, director of global advisory for EMEA at cyber security firm BioCatch, warned that agentic AI could make fraud cheaper to run and easier to scale, creating automated fraud pipelines that learn and adapt in real time.
The UK’s Financial Conduct Authority published a review this week, led by director Sheldon Mills, concluding that AI is likely to reshape retail financial services and could amplify risks to consumers and markets.
The ECB’s directive sets a clear short-term obligation for banks to submit action plans by 31 October and indicates regulators will provide further guidance on encryption risk in subsequent communications.








