What happened
On July 7, 2026, the European Central Bank's Banking Supervision arm sent a letter (signed by Chair of Supervisory Board Claudia Buch) to all significant euro zone banks requiring them to submit concrete action plans by October 31, 2026 to counter AI-enabled cybersecurity threats, citing frontier models like Anthropic's Claude Mythos as capable of disrupting payments and undermining financial stability. The ECB is postponing its annual IT Risk Questionnaire from September 2026 to February 2027 to allow banks to focus on this priority. Short-term priorities include accelerating vulnerability/patch management, enhancing AI-enabled defensive monitoring, and verifying third-party ICT risk management.
Why it matters
This is a binding supervisory directive from the eurozone's top banking regulator to all significant institutions (SIs) under its direct supervision, converting a previously voluntary cybersecurity posture into a mandatory action-plan requirement with a hard deadline. It represents one of the first instances of a major central bank treating frontier AI cyber capability as a systemic, bank-level compliance obligation.
Action needed
Significant euro zone banks must develop and submit comprehensive action plans addressing AI-enabled cyber threats to the ECB by October 31, 2026, prioritizing perimeter/internet-facing asset protection and third-party risk management.