The ECB forces large banks to define their strategy against advanced AI risks before October

The ECB demands that large banks present a detailed plan against the risks of advanced AI and other emerging technologies before October 31, 2026.

2 minutes

fotonoticia 20260707114616 1920

fotonoticia 20260707114616 1920

Add DEMÓCRATA to Google

Ask FREN

Published

2 minutes

Most read

The European Central Bank (ECB), in its role as the single supervisor, has ordered the main financial institutions in the euro area to submit "by October 31, 2026" a detailed action plan with specific measures to address new cybersecurity threats linked to next-generation AI models, such as Mythos, developed by Anthropic.

In a letter sent by Claudia Buch, Chair of the ECB's Supervisory Board, to the CEOs of significant banks in the eurozone, the German official warns that the ability of emerging AI models to detect vulnerabilities and create operational 'exploits' has potentially profound consequences for the confidentiality, integrity, and resilience of the information and communication technology (ICT) systems of the institutions.

"This is a long-term shift in the threat landscape, rather than a temporary phenomenon or a risk linked to a single tool," she emphasizes in the letter, released this Friday by the ECB itself.

At the end of May, the ECB held a meeting with European institutions to study the impact of cutting-edge AI models on banking business. Following that meeting, Frank Elderson, a Dutch representative on the ECB's Executive Board and Vice-Chair of the Supervisory Board, had already announced that the body would send a formal communication to all CEOs of significant banks to demand the adoption of preventive measures aimed at ensuring the robustness and security of their infrastructures in the face of this new scenario.

In this regard, Claudia Buch requests in her letter that the most relevant institutions promptly assess the effect of the new threat environment and develop "a comprehensive action plan outlining concrete measures" to strengthen necessary controls, allocate appropriate resources, precisely define roles and responsibilities, and set clear execution timelines.

This action plan, which must be submitted to the relevant Joint Supervisory Team (JST) by October 31, 2026, will need to build upon the existing cyber risk strategy of each bank and consider both urgent actions and long-term strategic elements.

In the short term, the ECB calls for accelerating massive vulnerability and patch management; enhancing AI-based monitoring, detection, and defense capabilities; and verifying that third-party risk management is adequate in the current context, considering the weight of ICT service providers within critical supply chains.

Alongside these immediate actions, the ECB emphasizes that operational and cyber resilience must be underpinned by structural measures, such as strengthening defense in depth and cyber hygiene, as well as modernizing technological infrastructure by replacing or updating obsolete, unsupported, or end-of-life systems.

At the same time, the institution has announced that it will conduct a cross-cutting analysis of the action plans submitted by entities to identify common patterns, challenges, and areas for improvement, and that it will share the conclusions with banks to support them in strengthening their ICT resilience.

Beyond cutting-edge AI models, the ECB also focuses on other emerging technologies, including quantum computing, which, in its view, will significantly alter the cybersecurity landscape. In this regard, it anticipates addressing the incipient risk it poses to traditional encryption methods in a new letter to be published soon.

"While these advances do not introduce completely new risks, they do significantly amplify the speed and scale at which they materialize," concludes Buch, who warns that existing vulnerabilities that remain uncorrected could gain prominence and become significant risks to the operational resilience of financial institutions.

Hola, soy Fren. ¿Cómo te ayudo?