[stock-market-ticker symbols="FB;BABA;AMZN;AXP;AAPL;DBD;EEFT;GTO.AS;ING.PA;MA;MGI;NPSNY;NCR;PYPL;005930.KS;SQ;HO.PA;V;WDI.DE;WU;WP" width="100%" palette="financial-light"]

Cyber threat landscape for EU financial system – Letter to CEOs of significant euro area banks from ECB Banking Supervision: „improve operational resilience – assess the impact of the evolving threat landscape without delay, and develop a comprehensive action plan”

14 iulie 2026

The letter to CEOs of significant euro area banks from ECB Banking Supervision, sets out supervisory expectations for addressing the evolving AI-related cyber threat landscape. Please find below the official letter.

Rapid advancements in emerging technologies, namely artificial intelligence (AI) systems, represent pivotal changes to the cybersecurity landscape. Emerging AI models are capable of identifying software vulnerabilities and generating functioning exploits at unprecedented speed, compressing the timeline between vulnerability discovery and exploitation.

These developments have potentially profound implications for the confidentiality, integrity and resilience of banks’ information and communication technology (ICT) systems. This is a long-term shift in the threat landscape rather than a temporary phenomenon or a risk tied to any single tool. The increased pace and breadth of cyber threats underscore the importance of strengthening existing ICT resilience measures and accelerating efforts to mitigate vulnerabilities. While these developments do not introduce entirely new risks, they significantly amplify the speed and scale at which such risks materialise.

Responsibility for responding to the evolving cyber-risk environment primarily lies with banks’ management bodies. Strategic ICT-related decisions, including ICT investments, resource allocation and ICT risk-related risk tolerance frameworks (RTFs) may need to be revisited. In particular, governance and control systems are expected to be strengthened where necessary.

The ECB emphasises the importance of addressing, without delay, open supervisory findings and measures related to the ICT areas in focus and security risks that have been identified in previous supervisory activities such as on-site inspections, targeted reviews and the 2024 cyber-resilience stress test. Given the accelerating threat landscape, existing weaknesses that remain unresolved may become increasingly material and pose significant risks to operational resilience.

The requirements set out in the Digital Operational Resilience Act (DORA) remain highly relevant and valid in view of the impending change in the cybersecurity landscape. In line with these requirements, the ECB is calling on significant institutions to assess the impact of the evolving threat landscape without delay, and to develop a comprehensive action plan outlining concrete measures to strengthen relevant controls, allocating the necessary resources, assigning clear roles and responsibilities, and defining timelines for implementation.

This action plan should build upon the bank’s existing cyber-risk strategy and address both immediate priorities and longer-term strategic aspects. In the short term, particular focus should be placed on the following areas:

. accelerate vulnerability and patch management at scale;

. enhance monitoring, detection and AI-enabled defensive capabilities;

. verify that third-party risk management is fit for purpose in the current situation, in light of the role of ICT service providers in critical supply chains.

As part of the short-term effort, prioritising protection of perimeter technologies and internet-facing and externally exposed ICT assets, including third-party software and open-source components, is key to preparing for the rise in AI-enabled cybersecurity threats. In addition to these short-term actions, operational and cyber resilience should be advanced through structural measures, including:

. reinforcing defence-in-depth and cyber hygiene, and modernising infrastructure by replacing or updating legacy, unsupported or end-of-life technologies;

. improving operational resilience through response and recovery mechanisms, including crisis management, as well as information sharing arrangements.

This action plan should be submitted to the respective Joint Supervisory Team (JST) by 31 October 2026. The JST will further engage with the bank to discuss the action plan and will monitor its progress. In addition, the ECB will conduct a horizontal analysis of the submitted action plans to identify trends, challenges and areas for improvement, and will share the conclusions of this analysis with significant institutions to support them in strengthening their ICT resilience. Additional industry events or workshops may be organised, as needed, depending on the outcomes of the assessments and developments in frontier AI.

The ECB remains committed to enabling supervised institutions to prioritise their efforts and focus resources on the relevant key areas. For that reason, the ECB will extend the deadline for the annual collection of the IT Risk Questionnaire from September 2026 to February 2027.

Potential adjustments to other supervisory activities, such as on-site inspections or deep dives, will be considered on a case-bycase basis. These adjustments may include remediation activities associated with recommendations raised in previous supervisory activities, especially in areas that are not related to the key focus areas but require significant involvement of banks’ ICT risk functions. This will be part of the ongoing dialogue between JSTs and supervised institutions.

In light of the aforementioned developments and in line with the European Systemic Risk Board’s warning on “systemic cyber risks stemming from frontier artificial intelligence models” also published today, the ECB expects significant institutions to take immediate and proactive measures to address the increased risks. It is important to note that the responsible CERT (Computer Emergency Response Team) / CSIRT (Computer Security Incident Response Team) authorities may provide additional relevant threat intelligence and guidance which can inform institutions’ defensive postures. The ECB is also actively engaged in international fora such as the G7, the Basel Committee on Banking Supervision and the Financial Stability Board, promoting international coordination in addressing AI-enabled cybersecurity threats.

Lastly, the ECB would like to highlight that other emerging technologies, like the ongoing progress towards practical quantum computing, will have a significant impact on the cybersecurity landscape. The adoption of post-quantum cryptography may involve a longer time frame, but must start now and necessitates sustained, strategic investment over time. The ECB will address the emerging risk to traditional encryption methods posed by advances in quantum computing in a separate letter in due course.

Noutăți
Stay updated to the impact of emerging technologies in fintech & banking.
Banking 4.0 newsletter - subscribe
Cifra/Declaratia zilei

Dariusz Mazurkiewicz – CEO at BLIK Polish Payment Standard

Banking 4.0 – „how was the experience for you”

To be honest I think that Sinaia, your conference, is much better then Davos.”

Many more interesting quotes in the video below:

Sondaj