The ECB advises eurozone banks to enhance their cyber-security measures as AI alters the landscape of threats.
The European Central Bank has officially notified eurozone banks of the need to enhance their cyber-security measures due to the emergence of AI-driven attack tools. This announcement, made in a statement on Wednesday, shifts prior private guidance towards a more definitive supervisory expectation.
Frank Elderson, the ECB's vice-chair of the Single Supervisory Mechanism, articulated this change in tone, which indicates a stricter regulatory approach rather than a mere discussion paper. The catalyst for this shift is Anthropic’s Mythos, an AI model with restricted access that can autonomously identify and exploit cybersecurity vulnerabilities at high speeds. It has been shown to integrate minor weaknesses into more significant attacks and to reverse-engineer security patches into vulnerabilities more quickly than traditional tools.
Anthropic has limited access to around 40 to 50 organizations, including a few US banks, but no eurozone institutions are included in this list. Earlier this month, Elderson emphasized that “lack of access is not an excuse for inaction.” The latest statement amplifies this view, indicating that banks should operate under the assumption that attackers have access to equally capable AI tools, regardless of whether defenders do.
This supervisory direction suggests that the conventional monthly software-patching schedules are insufficient, that contractor relationships should be scrutinized for potential vulnerabilities, and that the overall approach to vulnerability management must keep pace with the speed of AI-based attackers. The ECB has indicated it will include AI-cyber readiness in its supervisory conversations with individual banks.
The political and commercial context is also evolving. BNP Paribas has begun collaborating with Mistral on a European alternative to Mythos, effectively serving as a continent-wide safeguard. Meanwhile, Brussels has been in stalled negotiations with Anthropic for several weeks regarding the expansion of Mythos access to European institutions; Spain has characterized these discussions as deadlocked.
The ECB's statement represents the supervisory aspect of this issue: regulators cannot afford to wait for the access situation to be resolved before enforcing a stronger defensive stance.
The more challenging question is what specific changes are required from banks. The ECB has not released a detailed list of technical controls, partly because the landscape of threats is changing more rapidly than any static checklist can address.
The closest guideline available is the expectation that banks should now consider any unpatched vulnerability as a potential target, with the timeframe for critical system patches shortened from weeks to days or hours. Smaller eurozone banks, which have traditionally depended on external infrastructure providers for technical needs, may find it more challenging to meet this timeline compared to the larger universal banks.
The ECB also highlighted contractor exposure as a significant concern. Many eurozone banks have numerous third-party software vendors with inconsistent patching practices; an AI-driven attacker could exploit a vulnerability in a widely used vendor product, gaining access to several bank environments through that vendor relationship.
The kind of supply-chain vulnerability seen with SolarWinds in the late 2010s is now being interpreted in the context of AI-driven attacks. Elderson framed this by stating that supervisors will hold banks accountable for the security of their contractors, not just their own.
Eurozone banks have until the end of 2026 to demonstrate their readiness in light of the ECB's new stance, with formal supervisory discussions set to begin over the summer. Currently, Mythos has not been reported to have been used against a European institution in the wild.
