ECB tells eurozone banks to spend more on AI cyber security
TL;DR:
- ECB outgoing vice-president Luis de Guindos has told eurozone banks they must invest substantially more in cyber security to get a grip on AI models that can find vulnerabilities in software, calling the spend “structural” rather than discretionary.
- The warning followed an ECB-hosted meeting where a US bank presented its experience with Anthropic’s Mythos model — a frontier system European peers have not yet had access to.
- For UK banking supervisors at the PRA, the read-across is direct: if the ECB is escalating, the Bank of England’s existing cyber resilience expectations may need refreshing for the AI era.
The European Central Bank has told eurozone banks they need to substantially increase cyber security investment to defend against AI systems capable of discovering software vulnerabilities, outgoing vice-president Luis de Guindos said on Wednesday. The intervention came after weeks of ECB engagement with the sector, including a meeting this week where a US bank shared its experience using Anthropic’s Mythos model — a system its European peers have not yet been able to deploy.
A “structural” requirement, not a discretionary one
De Guindos, whose term ends this month, framed AI cyber security spending as a permanent and growing cost line rather than a one-off response to specific threats. “Cyber is becoming more and more important. We have to invest more. And investment has to be pervasive. It’s not only for the large banks. It’s as well for the small banks,” he said.
The framing matters because it signals supervisory expectation. When the ECB declares an issue structural, it usually translates into stress-testing assumptions, capital planning conversations and supervisory reviews under the SSM. Smaller banks — which have historically argued for lighter cyber expectations on cost grounds — now face explicit pushback from Frankfurt.
The Mythos exposure gap
The reference to Anthropic’s Mythos model is unusually specific for an ECB intervention and reveals where the regulator’s concern actually sits. New large language models that can find flaws in software pose a different category of threat from previous-generation cyber tools: they scale autonomous reconnaissance, and they target the legacy systems banks still rely on. The fact that a US bank had to brief eurozone peers on Mythos — rather than the other way around — is itself a competitive and supervisory data point.
UK read-across
The UK’s Prudential Regulation Authority and Financial Conduct Authority have been escalating cyber and operational resilience expectations since 2018, when the PRA’s Statement of Policy on operational resilience first formalised supervisory thinking. AI-specific guidance from the Bank of England has so far been narrower than the ECB’s. The latest ECB intervention is the kind of signal that typically prompts the Bank of England to revisit its expectations — particularly given the UK banking sector’s similar exposure to legacy technology systems and similar shortage of frontier AI access.
GCHQ’s announcement this week of a national AI cyber shield (covered separately) reinforces the same direction of travel at the national-security level.
Looking forward
UK retail and challenger banks should expect cyber investment expectations to rise materially over the next 12-18 months. Boards that have not yet had a substantive conversation about AI-specific cyber threat modelling — separate from generic cyber risk — should treat de Guindos’s intervention as the canary in the shaft.