This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
| 3 minute read
Reposted from Linklaters - Financial Regulation Insights

ECB tells EU banks to submit AI defence plans

The European Central Bank has written to CEOs of significant euro area banks asking to see their plans for addressing AI-enabled cybersecurity threats. The ECB expects these to cover not only short-term priorities to respond to Mythos-class AI models but also longer-term actions. Firms should submit their action plans by 31 October 2026. The ESRB, ESAs and European Commission have also published papers relating to AI-powered threats.

ECB leverages DORA to turn spotlight on cyber resilience

In its letter, dated 7 July 2026, the ECB explains that emerging AI models can identify software vulnerabilities at unprecedented speed (read our previous blogpost: What Claude Mythos means for financial services firms’ operational resilience). The Digital Operational Resilience Act requires EU financial entities to meet prescriptive standards for managing ICT risks. Among other things, DORA requires firms to have board-approved ICT risk management frameworks which assess and detect cyber threats and respond to ICT-related incidents.

Citing DORA, the ECB calls on significant institutions to assess the threat landscape and outline measures to strengthen controls, allocate resources and assign responsibilities in an action plan. In the short term, firms should focus on vulnerability and patch management, including externally exposed ICT assets. In the longer term, firms should take structural measures to reinforce cyber hygiene, modernise infrastructure and improve response and recovery mechanisms.

The ECB also flags the importance of managing third party risks. This includes identifying reliance on third-party software, getting assurance from ICT service providers about their preparedness and reviewing ICT change management arrangements in service level agreements. DORA specifies contractual terms that firms should have in place with their ICT vendors.

Firms should submit their action plans by 31 October 2026. As well as monitoring progress made by individual firms, the ECB will share feedback about the trends and areas for improvement it identifies across all the action plans it receives.

ESRB fears strain to financial system’s cyber resilience

The European Systemic Risk Board, which is chaired by the President of the ECB, has welcomed the ECB’s letter and has issued its own statement warning that frontier AI models are a source of systemic risk to the financial system in the short to medium term.

The ESRB monitors and assesses systemic macroprudential risks in the EU financial system and issues warnings and recommendations to firms. Its latest warning underlines the imperative for institutions – and in particular systemically important payment and settlement systems and financial market infrastructures – to update their cybersecurity frameworks in response to the latest threats.

The warning identifies three main concerns or “asymmetries”:

  1. The concentration of leading AI providers overseas exposing the EU to strategic dependency and geopolitical risks

  2. Frontier AI models changing the balance between cyber attackers and defenders (decreasing costs for the former and increasing costs for the latter)

  3. Differences in how financial institutions are resourced, with the weakest link of the chain potentially affecting the stability of the system

ESAs urge firms to adapt cyber approach

The European Supervisory Authorities have responded to agree with the ESRB’s warning. In a statement the ESAs say that DORA and the AI Act provide a solid foundation for managing cyber and AI risks and urge firms to adapt their cybersecurity capabilities in response to the latest threats. The ESAs say they are also engaging with ICT service providers designated as critical under the DORA oversight framework.

Commission releases policy plan on cybersecurity and AI

Meanwhile, the European Commission has published an Action Plan on Cybersecurity and AI. The paper explains that, while currently concentrated in a small number of models, frontier capabilities are expected to become more accessible over time. The Commission sets out actions to address the immediate underlying issues and opportunities brought by AI in cybersecurity.

Among other things, the Commission and the EU Agency for Cybersecurity (ENISA) will develop, by Q4 this year, a blueprint for access to advanced AI capabilities for cybersecurity purposes. This would be a guidance document explaining how AI providers can grant access to EU organisations, including companies, to support their mitigation of cyber risks.

Looking ahead

These interventions by EU authorities underline how responding to the latest round of frontier models is not a one-off exercise. At the same time as firms address immediate vulnerabilities they also need to plan strategically for responding to future AI advances.

To complicate matters further, AI is not the only emerging technology which could put firms’ operational resilience at risk. Firms are starting to invest in post-quantum cryptography to anticipate a future in which quantum computers put traditional encryption methods at risk. The ECB will address these risks in a letter to firms in due course. 

To stay up to date with the latest tech developments - subscribe now!

Tags

eu, fintech, operational resilience, payments, dora, cyber, ai, artificial intelligence