ECB advises eurozone banks to enhance their cyber-security measures as artificial intelligence transforms the landscape of threats.
The European Central Bank has formally instructed eurozone banks to strengthen their cyber-security measures in response to AI-driven attack tools. In a statement released on Wednesday, it turned what had previously been private advice into a more definitive supervisory expectation.
Frank Elderson, the ECB’s vice-chair of the Single Supervisory Mechanism, said that the change in wording signals a tougher regulatory stance rather than a discussion draft. The catalyst for the shift remains Anthropic's restricted-access AI model, Mythos, which can autonomously identify and exploit cyber-security weaknesses at high speed. Demonstrations have shown that Mythos can chain minor vulnerabilities into more significant attacks and can reverse-engineer fixes into exploitable issues faster than previous tools.
Access to Mythos is limited to about 40 to 50 organizations, including a few US banks, with no eurozone institutions included. According to Elderson, “lack of access is not an excuse for inaction,” reflecting the ECB’s perspective. The recent statement emphasizes that banks should operate under the assumption that attackers will have access to AI tools with similar capabilities, regardless of whether defenders do.
As a supervisory implication, the ECB suggests that traditional monthly software-patching schedules are insufficient, that contractor relationships should be scrutinized for corresponding risks, and that institutions must adapt their vulnerability management practices to align with AI attacker timelines. The ECB plans to integrate AI-cyber readiness into supervisory discussions with individual banks.
The political and commercial environment has also evolved. BNP Paribas is now collaborating with Mistral to create a European alternative to Mythos, representing a broader continent-wide strategy. Meanwhile, discussions in Brussels with Anthropic about expanding Mythos access to European institutions have reached an impasse, with Spain indicating that talks are stalled.
The ECB's statement is essentially the regulatory side of the same problem: supervisors cannot afford to wait for the access question to be resolved before demanding stronger defensive measures.
The harder question, however, is what specific changes banks are expected to make. The ECB has not released a definitive list of technical controls, in part because the threat landscape is evolving so rapidly. The closest thing to a guideline is the expectation that banks treat any unpatched vulnerability as a potential target and reduce the time needed to patch critical systems from weeks to days or hours.
Smaller eurozone banks, which have traditionally depended on outsourced infrastructure providers, are less equipped to meet this timeline than the larger universal banks. The ECB also highlighted contractor exposure as a significant challenge: many eurozone banks rely on numerous third-party software vendors with inconsistent patching practices. An AI-driven attacker could exploit a single vulnerability in a widely used product to reach multiple bank environments through their vendor connections.
The supply-chain vulnerabilities reminiscent of the SolarWinds incident of the late 2010s are now being reinterpreted in the context of AI-driven attacks. Elderson has indicated that supervisors will hold banks responsible for the security of their contractors, not just their own systems.
Eurozone banks have until the end of 2026 to demonstrate their preparedness according to the ECB's new stance, with formal supervisory discussions set to commence over the summer. As per current public knowledge, Mythos has not yet been shown to have been used against any European institution in real-world scenarios.