
ECB orders eurozone banks to submit AI defence plans by October as systemic cyber risk raised to 'grave'
The European Central Bank has told the eurozone's largest banks to deliver a comprehensive action plan by 31 October 2026 to counter cybersecurity threats from advanced AI models, warning of a permanent shift in the threat landscape.
ECB demands action plans from 110 banks
The European Central Bank sent a letter on 7 July to the CEOs of the 110 significant institutions it directly supervises, requiring them to submit an action plan by 31 October 2026. The letter, signed by Supervisory Board chair Claudia Buch, describes advanced AI models capable of identifying vulnerabilities and generating functional exploits as a long-term change, not a temporary phenomenon.
It is a long-term shift in the threat landscape, not a temporary phenomenon or a risk linked to any single tool.
The ECB expects banks to assess their exposure immediately and develop a plan covering both short-term measures (patching, attack surface protection) and long-term steps (asset inventory controls, infrastructure modernisation). Each plan must be sent to the relevant Joint Supervisory Team, after which the ECB will review and provide feedback. The supervisor stressed that responsibility rests with banks' management bodies and that no uniform sector-wide response will be imposed.
The Mythos trigger
The urgency follows the April 2026 disclosure by US startup Anthropic of Mythos 5, a model built without safety classifiers that showed unprecedented skill in cybersecurity and hacking tasks. Only a limited number of companies have access under 'Project Glasswing'. In mid-June the White House banned foreign citizens from using new Anthropic models on national security grounds, but the ban ended on 1 July, reportedly as China's Zhipu AI launched a comparable system.
In June the European Systemic Risk Board (ESRB) raised its systemic cyber risk rating from 'high' to 'grave', warning that frontier AI models give malicious actors an advantage by enabling faster, larger-scale and more sophisticated attacks. The ESRB called for a coordinated EU response involving AI providers, security firms, open-source software maintainers and banks.
Brussels launches its own testing capacity
On the same day the ECB letter was published, the European Commission presented an action plan to build a secure platform for testing advanced AI models' cybersecurity risks. Vice-President Henna Virkkunen said the EU must keep pace with AI-driven changes to cybersecurity.
AI is transforming the meaning of cybersecurity and we must keep pace.
The platform, to be run by ENISA and the Joint Research Centre, is expected to be operational by 2027. It will provide simulated environments for critical sectors (finance, energy, health, transport) and produce guidelines for public and private organisations to access advanced AI capabilities under transparent conditions. The plan does not propose new legislation or funds, relying instead on existing frameworks. The AI Act's risk-mitigation obligations for advanced models will apply from 2 August 2026.
What happens next
Banks must deliver their plans by 31 October 2026. The Commission will launch a resilience campaign for critical open-source software in the fourth quarter of 2026 and a European AI for Cybersecurity Grand Challenge to foster homegrown solutions. The timeline below captures the key milestones.
- Anthropic reveals Mythos 5, a model with advanced cybersecurity and hacking capabilities.
- ESRB raises systemic cyber risk rating from 'high' to 'grave'.
- White House bans foreign citizens from using new Anthropic models on national security grounds.
- White House ban on foreign users of Anthropic models ends.
- ECB sends letter to 110 banks demanding action plans; European Commission presents its cybersecurity and AI action plan.
- AI Act risk-mitigation obligations for advanced models come into force.
- Deadline for banks to submit their action plans to the ECB.
- EU secure testing platform for AI cybersecurity risks expected to be operational.


