ECB’s AI wake-up call for Europe’s banks

10 July 2026
EU Policy

By Sergio Boccadutri.

Artificial intelligence is changing cybersecurity faster than many organisations can adapt. The European Central Bank wants Europe’s largest banks to catch up.

On 7 July, the ECB sent a formal letter, signed by Supervisory Board Chair Claudia Buch, to the chief executives of every significant euro area bank. Its message was unusually direct: by 31 October 2026, each institution must submit a detailed action plan explaining how it will prepare for cyber threats accelerated by artificial intelligence. The plans must include concrete measures, clear timelines, dedicated resources and named executives responsible for delivery. 

When European banking supervision writes simultaneously to every CEO on a single issue, and sets a deadline, it is signalling that the challenge is no longer a technical concern for IT departments. It is now a strategic risk that belongs in the boardroom.

Finding software flaws is now cheaper and faster

Start from a fact that needs no jargon. Every piece of software contains errors. Some are harmless, others can be exploited to break into a system. These are vulnerabilities. Until recently, finding them took rare specialists and weeks of work, and writing the code that turns a flaw into an entry point, an exploit, took even rarer skills. The latest AI models have changed everything. They can find vulnerabilities and generate working exploits at unprecedented speed. Not by chance, CERT EU titled a recent analysis: AI is changing the economics of vulnerability discovery.

The consequence is that the window between the discovery of a flaw and its exploitation shrinks almost to nothing. Cybersecurity has always been a race between those who find errors to fix them and those who find them to abuse them, with a structural asymmetry: the attacker needs one open door, the defender must close them all. That race once played out over weeks. Now it plays out in hours.

The letter is explicit on method. This is not a temporary phenomenon or a risk tied to a single tool, but a long term shift in the threat landscape. And it contains a clarification worth more than many analyses: these developments introduce no new risks, they amplify the speed and scale at which known risks materialise. In plain terms, the weaknesses banks have carried for years, obsolete systems, delayed updates, poorly supervised suppliers, suddenly become more dangerous, because something out there now hunts for them far faster. Hence the request to close without delay the findings still open from inspections and the 2024 cyber resilience stress test. A known, unresolved weakness is no longer a risk one can accept while awaiting budget.

What the ECB asks: the perimeter first, then the foundations

The plans move along two horizons. In the short term there are three priorities. First, accelerate vulnerability management and patching at scale. If vendors and open source communities fix more flaws faster, partly thanks to AI, banks will have to install updates at a frequency and volume far above current levels. 

The UK National Cyber Security Centre calls this preparing for a vulnerability patch wave, one requiring adequate staffing, fast change procedures and supplier contracts matching the new speed. Second, stronger monitoring and intrusion detection, including AI based defensive tools, which the ECB encourages provided they follow a serious assessment of benefits and risks and remain under human oversight. Third, external providers. Banks remain fully responsible for outsourced IT services and must verify that suppliers are themselves ready for accelerated patching. Across everything runs one transversal priority: protect internet facing assets first, the perimeter, including the open source components and third party software embedded in it.

Then come the foundations, built on an assumption worth taking seriously: sooner or later someone will get in, so defences must assume the perimeter will be breached. Network segmentation, which works like a ship’s watertight compartments: flooding one does not sink the hull. Zero trust principles, meaning nothing is trusted merely for being inside the corporate network, and every access is continuously verified. The daily hygiene of security: knowing which systems you own, granting each only the access it needs, requiring a second check beyond the password, logging everything. 

The replacement of obsolete or unsupported technologies, the most fragile attack surface. And the capacity to react: regularly tested response and recovery plans, plus exercises on high speed, high volume scenarios, from ransomware to zero day flaws to the outage of a major cloud provider. And one addition beyond the single institution: structured sharing of threat information among banks, because resilience, in an interconnected system, is a collective good.

Responsibility sits at the top

One message runs through the letter: primary responsibility lies with management bodies, not technical departments. Boards must review strategic IT decisions, starting with investments, and verify that budgets, staffing and tools match accelerated patching, infrastructure modernisation and stronger defences. They must also revisit risk tolerance frameworks, the thresholds a board sets for how much cyber risk it will accept. 

Thresholds designed for a world where flaws were found slowly must be recalibrated for one where they are found fast, considering both the internal use of AI models and indirect exposure to them. Then there are people: risk proportionate training for all employees, not only technical staff, and where needed for clients, counterparties and suppliers.

The rules do not change, the urgency does

The letter introduces no new rules. The framework remains DORA, the EU regulation on digital operational resilience, applicable since January 2025 and fully valid in the new scenario. What changes is the urgency. And here supervision makes a rare gesture of realism. To free up banks’ IT resources, the ECB postpones the annual IT risk questionnaire from September 2026 to February 2027 and stands ready to defer, case by case, inspections unrelated to the priority areas. A supervisor giving up its own deadlines is telling you how seriously it takes the problem. It will also run a horizontal analysis of all plans to identify common trends and gaps.

Nor is Frankfurt alone. The European Systemic Risk Board has issued a formal warning on systemic cyber risks from frontier AI models, and convergent alerts have come from UK, Singaporean, Canadian and Australian authorities and the Five Eyes agencies. The systemic point is the heart of the matter. When banks share the same cloud providers, open source components and market software, a flaw is never one bank’s problem but a crack running through the whole system.

One final note. The letter warns that quantum computing will also reshape security, since future quantum computers will break current encryption. Migrating to post quantum cryptography will take years and must start now. A dedicated letter is coming. Anyone who lived through the DORA transition knows better than to wait for it.

Beyond banking, the same arithmetic

The Frankfurt letter speaks to banks, but its logic reaches well beyond finance. Any organisation that runs critical infrastructure or handles large volumes of data, public administration included, faces the same arithmetic. 

Flaws are now found faster than they are repaired, unless the repairing accelerates as much as the attacking. The ECB document is, in effect, a replicable template: an inventory of exposed assets, patching at industrial pace, defences that assume the perimeter will be breached, suppliers under control, realistic exercises, shared information. Nothing the letter asks for is specific to banks. Software vulnerabilities do not distinguish between a credit institution, a power grid and a hospital, and the cloud providers, the open source components and the legacy systems are the same across all the sectors that the NIS2 directive on critical infrastructure already classifies as essential. 

If the ECB’s premise is correct, if artificial intelligence really has compressed the time between the discovery of a flaw and its exploitation, then energy, transport and health regulators face the same problem as banking authorities and can find in the Frankfurt letter an approach that is already on the table.

Related posts

by Beatrice Telesio di Toritto | 06 July 2026

Washington and Brussels are rewriting the rules of their partnership

by Gianni Pittella | 06 July 2026

Bernie Sanders wants an AI dividend