ECB orders banks to plan for AI cyberattacks by October

TL;DR:

  • The European Central Bank has given euro zone banks until 31 October to draw up plans against AI-enabled cyberattacks.
  • The Bank of England and US Federal Reserve struck softer, less prescriptive tones the same day.
  • The EU’s systemic risk board warned AI-driven disruption could erode trust and trigger runs on weaker institutions.

Europe’s banking supervisors are diverging on how hard to push lenders over AI-enabled cyber threats. On Tuesday the European Central Bank gave euro zone banks four months to submit concrete defence plans, a notably more prescriptive stance than either the Bank of England or the US Federal Reserve took in parallel statements the same day.

A transatlantic split on tempo

ECB chief supervisor Claudia Buch told bank chief executives that advanced AI models carry “potentially profound implications” for the confidentiality, integrity and resilience of their technology systems. Banks must prioritise protecting internet-facing systems, accelerate vulnerability fixes and modernise ageing infrastructure, with plans due by 31 October. The contrast with Britain was pointed. Bank of England Governor Andrew Bailey called the ECB warning “sensible” but said the BoE would not be “issuing edicts”, preferring to share vulnerability findings collaboratively, consistent with its lighter-touch line even as it names AI a financial stability risk. The Fed’s Michelle Bowman went further still, stressing “a lighter supervisory and regulatory touch” for lower-risk uses.

Looking forward

The urgency is partly driven by capability. The cyber powers of frontier models are now considered potent enough that access is restricted, with euro zone banks currently excluded from Anthropic’s Mythos, a thread running through the ongoing US export-control saga over frontier models. Published alongside the ECB letter, the European Systemic Risk Board warned that large-scale cyber disruption could erode confidence and even trigger runs on institutions seen as less secure, spreading through shared software providers. For UK banks watching from outside the euro zone, the divergence is instructive: the same risk, three regulators, three different speeds.