The ECB urges banks in the eurozone to enhance their cyber-security measures as artificial intelligence alters the landscape of threats.
The European Central Bank has officially informed eurozone banks that they need to strengthen their cyber-security measures in light of AI-driven attack tools, following a statement released on Wednesday that elevates previous private advice to a supervisory expectation.
Frank Elderson, the ECB's vice-chair of the Single Supervisory Mechanism, described the shift in tone as signalling a more stringent regulatory stance rather than a mere discussion paper. The catalyst for this change is Anthropic’s Mythos, an exclusive AI model capable of autonomously identifying and exploiting cyber-security vulnerabilities at high speeds. Mythos has been shown to merge smaller weaknesses into more severe attacks and can reverse-engineer patches into exploitable vulnerabilities more rapidly than traditional toolchains.
Access to Mythos has been restricted by Anthropic to approximately 40 to 50 organizations, including a few US banks, with no eurozone institution listed as a recipient. According to Elderson's remarks earlier this month, the ECB believes that “lack of access is not an excuse for inaction.”
The statement from Wednesday further elaborates on this perspective, requiring banks to anticipate that attackers may possess AI tools of similar capabilities, regardless of whether the defenders do.
This supervisory directive indicates that the conventional monthly software-patching schedules are insufficient, contractor relationships need to be assessed for exposure, and the overall approach to vulnerability management must adapt to the quicker timescales of AI-driven attackers. The ECB plans to include AI-cyber readiness in its supervisory discussions with individual banks.
The larger political and commercial environment has also progressed. BNP Paribas is now publicly collaborating with Mistral to create a European alternative to Mythos, effectively serving as a continent-wide safeguard. Meanwhile, Brussels has been in protracted negotiations with Anthropic for several weeks to broaden Mythos access to European institutions, but these talks have reportedly reached an impasse.
The ECB’s statement represents the regulatory side of this issue: regulators cannot afford to wait for the access situation to be resolved before demanding a proactive defense strategy.
The more challenging question lies in what specific changes banks are actually anticipated to implement. The ECB has not released a detailed list of technical controls, partly due to the rapidly evolving nature of threats that no static checklist could adequately address.
The closest approximation to a practical playbook is the implied expectation that banks now treat any unpatched vulnerability as a potential target and that the time taken to patch critical systems should be reduced from weeks to days or even hours.
Smaller banks in the eurozone, which have traditionally depended on outsourced infrastructure providers for their technical needs, are in a less favorable position to meet this timeline compared to the three largest universal banks.
The ECB has also highlighted contractor exposure as a significant issue. Many eurozone banks engage with a number of third-party software suppliers who vary in their patching practices; an AI-enabled attacker discovering a vulnerability in a widely used product from a single vendor can exploit that vulnerability across multiple banks through their relationship with the vendor.
The supply-chain vulnerabilities characterized by the SolarWinds incident of the late 2010s are now viewed through the lens of AI attackers. Elderson's assertion is that supervisors will hold banks accountable not only for their own security measures but also for those of their contractors.
Eurozone banks have until the end of 2026 to prove their readiness in alignment with the ECB's new stance, with formal supervisory discussions set to commence in the summer. According to current public information, Mythos has not yet been observed in action against any European institution.
