What happened
On July 7, 2026, the ESRB published a formal Warning (ESRB/2026/3, dated 25 June 2026) on systemic cyber risks stemming from frontier AI models (FAIMs), following the ESRB General Board's June decision to raise its assessment of systemic cyber risk from 'elevated' to 'severe'. The ESRB warns that frontier AI models represent a 'paradigm shift' capable of autonomously executing full-scale cyberattacks and materially compressing the time available to patch vulnerabilities before exploitation. The ESRB also published an accompanying note, 'Addressing Frontier AI Models with cyber capabilities from a financial stability perspective.'
Why it matters
A formal ESRB Warning is a distinct macroprudential instrument under EU law directed at the EU and national supervisory authorities, distinct from and separate from the ECB's operational letter to banks. It elevates AI-enabled cyber risk to the level of a systemic financial-stability threat requiring EU-wide policy response (DORA, AI Act) and continued monitoring.
Action needed
National competent authorities and financial institutions should factor the ESRB's severe systemic risk rating into DORA and AI Act compliance programs; the ESRB will continue monitoring frontier AI cyber capability developments.