The European Central Bank has called on the largest eurozone banks to urgently strengthen their cybersecurity measures, warning that the rapid development of artificial intelligence is significantly increasing the speed and scale of cyberattacks.
In a letter dated July 7, Claudia Buch, Chair of the ECB’s Supervisory Board, wrote to the chief executives of credit institutions, noting that modern artificial intelligence systems can now identify software vulnerabilities and generate functional exploitation tools at unprecedented speed, drastically shortening the time between the discovery of a weakness and its exploitation by malicious actors.
Frankfurt stressed that this is not a temporary technological development, nor a risk tied to any single AI tool. Instead, it described a permanent shift in the cybersecurity environment, one that significantly increases the speed and scale at which existing risks to banks’ information systems can materialise.
The ECB placed primary responsibility on bank management, calling on them to review their information technology investment strategies, resource allocation and risk tolerance frameworks, while also calling for stronger corporate governance and control mechanisms where needed.
The ECB also noted that outstanding issues identified in previous supervisory assessments, on-site inspections and the 2024 cyber resilience stress test must be addressed without delay, as the worsening threat environment could make them particularly critical to banks’ operational resilience. In this context, the ECB is asking all significant credit institutions to immediately assess the impact of the new threats and draw up a comprehensive action plan, to be submitted to the relevant Joint Supervisory Teams (JSTs) by October 31, 2026.
Among the immediate priorities set by the supervisor are accelerating vulnerability management and the installation of security updates, strengthening attack monitoring and detection capabilities through the use of artificial intelligence tools, and reviewing risks stemming from third-party technology providers, which play a critical role in banks’ supply chains.
Particular emphasis is also placed on protecting internet-facing systems, including third-party software and open-source applications, which are considered more likely targets for AI-driven attacks. On a longer-term level, the ECB is asking banks to modernise their infrastructure, replace outdated information systems, strengthen defence-in-depth measures, and improve crisis management, response and recovery mechanisms following cyberattacks.
The supervisor also noted that the requirements of the EU’s Digital Operational Resilience Act (DORA) remain the key reference framework for addressing the heightened risks, while calling on banks to close, without delay, the outstanding issues identified in previous supervisory reviews, since these could take on greater significance under the new threat environment.
Yesterday, the European Systemic Risk Board (ESRB) published a warning on the systemic cyber risks arising from advanced artificial intelligence models. The Central Bank said in a statement that it will continue to closely monitor these developments and expects financial institutions to take the necessary steps to strengthen their resilience against emerging risks.
Read more:

