Summary
- The ECB has asked significant institutions to submit AI cyber action plans by 31 October 2026.
- The letter focuses on vulnerability discovery, patching, exposed assets, monitoring, supplier ICT risk, and resilience testing.
- Banks’ management bodies remain accountable for ICT investment, risk tolerance, governance, and operational resilience under DORA.
The European Central Bank has given major eurozone banks until 31 October 2026 to submit action plans for AI-enabled cybersecurity threats, placing frontier AI risk inside supervisory expectations for operational resilience.
The ECB’s letter to chief executives says emerging AI models can identify software vulnerabilities and generate functioning exploits at high speed, compressing the time between vulnerability discovery and exploitation. The supervisor describes the shift as a long-term change in the cyber threat landscape rather than a temporary risk linked to a single tool.
Significant institutions supervised by the ECB are expected to assess the evolving threat landscape, set out concrete measures to strengthen controls, allocate resources, assign responsibilities, and define implementation timelines. The action plans must be sent to the relevant Joint Supervisory Team by 31 October, after which the ECB will discuss them with individual banks and conduct a horizontal analysis across submissions.
The letter gives short-term priority to vulnerability and patch management at scale, monitoring and detection, AI-enabled defensive capabilities, and supplier risk management. It also highlights perimeter technologies, internet-facing assets, externally exposed ICT systems, third party software, open-source components, cloud environments, and VPN connections to suppliers.
The ECB ties the work explicitly to the Digital Operational Resilience Act, making the letter more than a warning about attacker tooling. Banks are being asked to show that existing ICT risk frameworks, change management processes, supplier contracts, crisis arrangements, recovery mechanisms, and governance structures can cope with a faster vulnerability cycle.
That emphasis changes the practical burden on banks. A firm may have a patching policy, a supplier register, and a cyber risk appetite statement, but those artefacts carry less weight if they cannot support more frequent emergency change, rapid exposure assessment, and clear ownership of decisions under pressure. The ECB’s focus on unresolved supervisory findings also gives old remediation gaps a more immediate role in resilience planning.
The letter moves AI cyber risk beyond the security function. Management bodies are expected to revisit ICT investments, staffing, tooling, risk tolerance frameworks, and change capacity. Banks are also told to consider whether budgets and controls are sufficient for accelerated patching, infrastructure updates, resilience testing, AI-enabled defence, and sector-wide coordination.
Supplier assurance receives particular attention. The ECB says institutions remain exposed to, and fully accountable for, risks from outsourced ICT services, including whether suppliers are prepared for accelerated vulnerability disclosure and patching. Under DORA, that framing affects contractual terms, service levels, exit planning, resilience testing, and concentration risk.
The supervisor also links AI-enabled cyber threats to broader strategic technology risk, noting that post-quantum cryptography will be addressed separately. That signals more supervisory pressure on technology transitions that affect core resilience, even where the underlying risks are still developing.
The October deadline gives banks a narrow window to turn AI cyber concern into board-approved plans, evidence, and delivery milestones. The harder task will be showing that those plans can survive legacy systems, supplier dependencies, constrained change windows, and the need to patch faster without disrupting critical services.





