ECB advises eurozone banks to enhance cyber-security due to changes in threat landscape caused by AI.
The European Central Bank has officially informed eurozone banks that they need to strengthen their cyber-security measures in light of AI-driven attack tools. This announcement on Wednesday escalates previous private guidance to a level closer to a supervisory mandate. Frank Elderson, the ECB’s vice-chair of the Single Supervisory Mechanism, emphasized that this change in language signals a tougher regulatory stance rather than merely a discussion document.
The impetus for this shift is Anthropic’s Mythos, a restricted-access AI model capable of autonomously identifying and exploiting cybersecurity vulnerabilities at machine speed. Mythos has shown the ability to amalgamate minor weaknesses into more significant attacks and to reverse-engineer patches into exploitable vulnerabilities more swiftly than older toolsets.
Access to Mythos is limited to around 40 to 50 organizations, including a few US banks, with no eurozone institutions included on that list. Earlier this month, Elderson stated that "lack of access is not an excuse for inaction," reinforcing that notion in Wednesday's announcement. Banks are now expected to operate under the assumption that attackers may have access to AI tools with similar capabilities, irrespective of whether the defenders do.
This supervisory perspective suggests that the traditional cycle of monthly software patches is no longer sufficient. Banks must also audit their contractor relationships for similar vulnerabilities, and the overall approach to vulnerability management must adapt to the speed of AI attackers. The ECB has indicated its intention to include AI-cyber readiness in its supervisory discussions with individual banks.
The political and business landscape has also evolved. BNP Paribas is now openly collaborating with Mistral to create a European alternative to Mythos, essentially serving as a continent-wide safeguard. Meanwhile, Brussels has been in stalled negotiations with Anthropic for several weeks regarding extending Mythos access to European institutions, with Spain noting that those discussions are deadlocked.
The ECB's statement represents the regulatory side of the same issue: regulators cannot afford to wait for the access situation to be resolved before mandating a defensive strategy.
A more challenging question concerns the specific changes that banks are expected to implement. The ECB has not released a detailed list of technical controls, partly because the threat landscape is evolving more rapidly than any static checklist could encompass. The closest established guideline appears to be the expectation that banks should treat any unpatched vulnerability as a potential target and reduce the mean time to patch for critical systems from weeks to days or even hours.
Smaller eurozone banks, which have historically depended on outsourced infrastructure providers for their technical operations, may find it more difficult to meet this timeline compared to the three major universal banks.
The ECB has also pointed out contractor exposure as a disproportionate risk. Many eurozone banks work with numerous third-party software providers with inconsistent patching practices. An AI-driven attacker uncovering a vulnerability in a widely used vendor product can exploit that single point of failure to access multiple banking environments through vendor connections.
The SolarWinds-style supply chain vulnerabilities that characterized the late 2010s are now being reinterpreted in the context of AI-driven attacks. Elderson has stated that supervisors will hold banks accountable for the security of their contractors, not just their own.
Eurozone banks have until the end of 2026 to show their readiness in line with the ECB's new stance, with formal supervisory discussions set to begin over the summer. Currently, there have been no reports of Mythos being deployed against a European institution in the field.