ECB orders banks to file AI cybersecurity action plans

The ECB ordered major eurozone banks to submit action plans by 31 Oct to its Joint Supervisory Team detailing measures, resources, roles and timelines against AI-driven cyber threats.

The European Central Bank has told major eurozone banks to submit detailed action plans by 31 Oct to its Joint Supervisory Team, outlining how they will defend against AI-driven cyber threats. The plans must describe measures to be taken, the resources allocated, the roles responsible and specific timelines for implementation.

Claudia Buch, chair of the ECB’s supervisory board, wrote to bank executives that firms must assess the impact of the evolving threat landscape without delay. She warned that AI’s capacity to identify vulnerabilities rapidly can turn unresolved weaknesses into material risks for operational resilience.

The ECB expects plans to accelerate vulnerability and patch management at scale, strengthen monitoring and detection, deploy AI-enabled defensive tools and verify that third-party risk management is fit for purpose. The letter places responsibility for the response on bank management and notes that strategic ICT decisions, including investment and resource allocation, may need to be revisited.

To give firms more time to prepare, the ECB extended its annual Risk Questionnaire deadline from September 2026 to February 2027.

In April, Anthropic’s Mythos model rapidly identified thousands of previously undetected security flaws across multiple operating systems and web browsers. Pip White, Anthropic’s European head, reported that Mythos found severe vulnerabilities in those environments.

Cyber-security firms have warned that agentic AI could make fraud cheaper and easier to scale, enabling automated campaigns that adapt in real time. Jonathan Frost, director of global advisory for EMEA at BioCatch, warned that banks relying on fixed-rule systems risk being overwhelmed as attackers automate fraud pipelines.

Buch’s letter also highlighted the potential impact of progress in practical quantum computing on current encryption methods and urged adoption of post-quantum cryptography, saying the work will require sustained, long-term investment. The ECB said it will issue a separate communication on quantum-related risks to traditional encryption.

UK regulators published a review this week examining the impact of AI on retail finance and warning of increased risks to consumers and markets. The ECB’s deadline and parallel regulatory activity require banks to document specific plans for defending networks, applications and customer systems against rapidly changing AI-enabled threats.

Articles by this author