ft.com web signal

ECB gives eurozone banks four months to plan for AI cyber threats

TL;DR

  • The ECB has given eurozone banks until October 31 to submit plans countering AI-enabled cyberattacks.
  • The European Systemic Risk Board called frontier AI 'a source of systemic risks to the financial system.'
  • Banks are told to prioritise internet-facing systems, third-party software and open-source components, and speed up vulnerability fixes.

The European Central Bank has put a four-month clock on its eurozone lenders to produce a plan for AI-driven cyberattacks, and the framing is unusually blunt. As the Financial Times reported, the deadline is October 31, and it landed alongside a warning from the European Systemic Risk Board that developments in frontier AI are "a source of systemic risks to the financial system." That is regulator language for don't wait.

The specific model in the room, per Reuters coverage carried on Yahoo Finance, is Anthropic's Mythos, whose cyber capabilities have become powerful enough that access to it has been restricted, and euro-area banks are outside that access. Frank Elderson, Vice Chair of the ECB's bank supervision arm, was direct about what that means: "Lack of access is not an excuse for inaction. On the contrary, it makes it even more critical that banks step up and act now."

The instructions themselves read as an operational punch list rather than a strategy paper. Banks are told to prioritise internet-facing systems, third-party software and open-source components, to speed up vulnerability fixes and to strengthen monitoring. The ESRB's parallel warning went further, sketching scenarios in which large-scale cyber disruptions could erode institutional trust and even trigger bank runs on lenders perceived as less secure.

The honest caveat is that the reporting doesn't give you the enforcement mechanism. What the ECB actually does with an October 31 submission it considers thin, whether that means capital add-ons, activity restrictions, or just another letter, isn't spelled out. Nor does the coverage say how a small lender is supposed to red-team a class of AI it cannot buy, run or observe.

The bigger read is that supervisory tone has shifted. Frontier AI has moved from a talking point in ECB speeches to a dated deliverable on a bank CEO's desk, and the institutions best placed for the next four months are the ones already running mature vendor-risk inventories, formal patch-speed metrics and DORA-style resilience programmes. For everyone else, the compliance sprint has started.