ECB advises eurozone banks to enhance cyber-security measures due to changing threat landscape caused by AI.
The European Central Bank has officially informed eurozone banks that they must enhance their cyber-security measures in light of AI-driven attack tools. This announcement, made in a follow-up statement on Wednesday, escalates previous private guidance to a level of supervisory expectation. Frank Elderson, the ECB’s vice-chair of the Single Supervisory Mechanism, indicated that the shift in terminology reflects a more stringent regulatory approach instead of merely being a discussion document.
The impetus for this directive remains Anthropic’s Mythos, a restricted-access AI model capable of autonomously identifying and exploiting cybersecurity vulnerabilities at extraordinary speeds. Mythos has shown the ability to amalgamate minor weaknesses into significant attacks and to reverse-engineer patches into exploitable flaws at a pace surpassing older toolchains.
Access to Mythos is currently restricted by Anthropic to around 40 to 50 organizations, including a few U.S. banks, with no eurozone institutions included in that list. Earlier this month, Elderson stated that “the lack of access is not an excuse for inaction,” echoing the ECB’s stance on the matter. The recent statement reinforces this view, requiring banks to operate under the assumption that attackers may have access to AI tools with similar proficiency regardless of the defenders' capabilities.
The supervisory implication is that the conventional monthly software-patching cycles are now insufficient. Banks need to audit contractor relationships for similar risks, and the overall institutional approach to vulnerability management must align with the speed of AI attackers. The ECB has indicated that it will integrate AI-cyber readiness into supervisory discussions with individual banks.
The political and commercial landscape has also shifted. BNP Paribas is now openly collaborating with Mistral to create a European alternative to Mythos, effectively acting as a continent-wide hedge. Meanwhile, discussions between Brussels and Anthropic regarding expanding Mythos access to European entities have reportedly stalled, with Spain describing the negotiations as deadlocked.
The ECB's statement essentially reflects the supervisory aspect of the same issue: regulators cannot wait for the access question to be resolved before demanding an enhanced defensive posture.
The more challenging question is what specific changes banks are expected to implement. The ECB has not released a precise list of technical controls, partly due to the rapidly evolving threat landscape that a static checklist would fail to capture. The implicit expectation is that banks now treat any unpatched vulnerability as a potential target, and the time to patch critical systems should be reduced from weeks to days or even hours.
Smaller eurozone banks, which have traditionally depended on outsourced infrastructure for their technical operations, are less equipped to meet this timeline than the larger universal banks.
The ECB also highlighted contractor exposure as a significant concern. Most eurozone banks have a lengthy list of third-party software providers with inconsistent patching practices; an AI-driven attacker discovering a vulnerability in a commonly used vendor product could infiltrate multiple banking environments through that vendor relationship.
Supply-chain vulnerabilities like those seen in the SolarWinds incident of the late 2010s are being recontextualized in terms of AI threats. Elderson noted that supervisors will hold banks responsible for their contractors' security, as well as their own.
Eurozone banks have until the end of 2026 to prove their readiness in alignment with the ECB’s new expectations, with formal supervisory discussions set to commence over the summer. Current public reports indicate that Mythos has not yet been demonstrated in real-world scenarios involving a European institution.
