European Banks Given 4-Month Deadline to Prepare for AI Cyber Threats

FRANKFURT — Europe’s central banking authority has given financial institutions across the euro zone until October 31 to develop concrete plans for defending against cyber threats powered by artificial intelligence, warning that such attacks could seriously damage confidence in the financial system and disrupt payment operations.

The move comes as regulators grow increasingly concerned about highly advanced AI models — including Anthropic’s Mythos — whose cyber capabilities have grown so sophisticated that access to some of them has already been restricted. Euro zone banks are currently among those excluded from accessing these tools.

In a letter sent directly to bank chief executives, the European Central Bank warned that recent developments carry serious consequences for the security and stability of banking technology infrastructure. “These developments have potentially profound implications for the confidentiality, integrity and resilience of banks’ information and communication technology (ICT) systems,” the ECB wrote.

Banks were instructed to make protecting internet-connected systems a top priority, including third-party software and open-source components. The ECB also called on institutions to speed up fixes for known vulnerabilities and strengthen their monitoring capabilities.

Beyond immediate cyber defenses, the ECB urged banks to update outdated technology systems, improve basic cyber hygiene practices, and strengthen their ability to manage crises, recover from incidents, and share information with other institutions.

To help banks focus on meeting the October 31 deadline, the ECB said it would postpone a separate information technology survey and may also scale back certain inspections and other oversight activities.

Alongside the ECB’s letter, the European Systemic Risk Board — an EU body responsible for issuing recommendations to other authorities — released its own warning, cautioning that large-scale cyber disruptions could erode public trust in financial institutions and potentially trigger bank runs against companies or even countries seen as vulnerable.

“The ESRB considers these developments to be a source of systemic risks to the financial system,” the board stated.

To put the threat in concrete terms, the ESRB outlined a range of possible scenarios, from a slow erosion of confidence in smaller banks to state-sponsored espionage and coordinated attacks targeting payment, clearing, and settlement systems. Officials also warned that misinformation campaigns could amplify the damage caused by such incidents.

The board noted that disruptions could spread rapidly through the financial sector due to the widespread use of shared technology providers and common software platforms across institutions.