ECB Requires 110 Banks to Develop AI Cyberattack Response Plans Within Four Months
Claire Weston
The ECB wrote to CEOs of 110 eurozone banks on July 7, demanding a comprehensive action plan against AI-driven cyber threats by October 31 — the first time European bank supervision has elevated AI cyberattacks from an operational issue to a systemic financial-stability concern.
What exactly is the ECB asking banks to do?
Supervisory board chair Claudia Buch sent letters to 110 bank CEOs requiring a "comprehensive action plan" covering controls, resource allocation, accountability, and an implementation timeline.
The letter states that frontier AI models — next-generation models far more capable than earlier AI — already have a "potentially far-reaching impact" on the confidentiality, integrity, and resilience of banks' IT systems.
This means → this is not a routine compliance notice; it is a supervisory directive with a hard deadline and a defined set of deliverables.
Why is AI cyberattack risk suddenly systemic?
The European Systemic Risk Board (ESRB) — the EU body that monitors threats to financial stability — issued an independent warning on the same day, classifying AI cyber threats as a "source of systemic risk to the financial system."
The ESRB said the latest AI can discover and exploit vulnerabilities "at a speed, scale, and precision far beyond previous AI models," and that IT weaknesses could be weaponized in minutes or hours — a "paradigm shift" in cybersecurity.
In plain terms = finding a vulnerability in a bank's system used to take weeks of human effort; now AI can do it in minutes — and hit multiple targets at once.
Which AI models is the letter pointing at?
According to the *Financial Times*, the letter does not name specific models but explicitly refers to "frontier artificial intelligence models." Markets have linked this to models such as Anthropic's Mythos.
These models' cyberattack capabilities are already strong enough that access has been partially restricted; eurozone banks are currently excluded from access.
This reflects a regulatory concern that goes beyond "bad actors misusing AI" — the models' own capabilities constitute a threat, even under restricted conditions.
How far could the damage spread?
The ESRB outlined scenarios ranging from smaller banks losing market confidence to state-sponsored espionage and coordinated attacks on payment, clearing, and settlement systems, potentially amplified by disinformation campaigns.
The critical contagion path: banks share many of the same technology vendors and software, so a breach at one could spread rapidly. A large-scale disruption might even trigger a "run" on institutions or countries perceived as less secure.
In plain terms = banks' underlying tech suppliers overlap heavily; once one is breached, panic can spread like a bank run — toward whichever peers look weakest.
Is four months enough? What concessions has the ECB made?
To ease the resource burden, the ECB postponed the annual IT-risk questionnaire originally due in September; banks may now submit it by February next year.
The ECB also said it would make case-by-case adjustments to other supervisory activities such as on-site inspections.
This means → regulators know the four-month window is tight, so they cleared space by deferring other compliance tasks — but the action-plan deadline itself is non-negotiable.
Content is for reference only, not financial advice.