Skip to Content
Financial Regulatory Developments Focus
Blog
Filters
  • ECB calls significant institutions to draft an action plan against AI related cybersecurity threats

    7 July 2026

    The European Central Bank (ECB) has published an open letter to CEOs of significant institutions on AI related cybersecurity threats. The ECB warns that advances in AI are accelerating vulnerability discovery and exploitation, marking a long-term shift in the cyber threat landscape rather than a temporary or tool-specific risk. The letter identifies bank management bodies as primarily responsible for responding to the evolving cyber risk, suggesting they may need to revisit ICT investments, resource allocation and bank information and communication technology (ICT) risk-tolerance frameworks, and strengthen governance and control systems where necessary.

    The ECB expects significant institutions to assess the impact of the evolving threat landscape and to develop a comprehensive action plan to strengthen relevant controls. The plan should build on existing cyber-risk strategies, cover short- and longer-term measures, allocate resources, assign responsibilities and set implementation timelines. The action plan must be submitted to the respective joint supervisory team (JST) by 31 October after which the JST will discuss the plan with the bank and monitor progress.

    In the short term, the ECB expects banks to prioritise vulnerability and patch management, monitoring and detection, AI-enabled defensive capabilities, third-party ICT risk management, and protection of perimeter technologies and externally exposed ICT assets. Longer-term measures should include reinforcing defence-in-depth and cyber hygiene, modernising legacy or unsupported technology, and strengthening response, recovery, crisis-management and information-sharing arrangements.

    The ECB also urges banks to remediate outstanding ICT-related supervisory findings without delay, noting that unresolved weaknesses identified through prior supervisory activity may become increasingly material in the evolving threat landscape.

    The ECB confirms that DORA requirements remain highly relevant and that it will extend the deadline for the annual IT Risk Questionnaire from September 2026 to February 2027.  The ECB also notes that the responsible CERT (Computer Emergency Response Team) / CSIRT (Computer Security Incident Response Team) authorities may provide additional guidance. For more information, you may like to read our client bulletin titled "ECB requires significant institutions to address AI-enabled cybersecurity threats".

    Return to main website.