ECB summons banks to fix cyber flaws exposed by AI models

The Financial Times reported on Sunday that the European Central Bank had called euro-area lenders to a hastily arranged meeting and told them to fix cyber and IT weaknesses that the latest AI models can expose more quickly. The step is unusual for the bloc’s top banking supervisor and suggests the ECB now treats AI risk as an immediate operational-resilience issue, not a longer-dated technology concern.

The issue is less whether banks have deployed the newest models themselves than how quickly those systems can find and test weak points in existing defences. In the FT’s account, officials planned to tell lenders that flaws once handled through ordinary remediation queues now need faster treatment because advanced models can compress the time between discovery and exploitation.

For the ECB, the problem is time. A flaw that once sat in an IT queue for weeks can look different if stronger tools make it easier to find and exploit.

Reuters reported on May 13 that Frank Elderson, the ECB executive board member and vice-chair of bank supervision, had already urged euro-area banks to prepare quickly for AI-assisted cyberattacks tied to Anthropic’s Mythos model. His warning was direct:

“Lack of access is not an excuse for inaction. On the contrary, it makes it even more critical that banks step up and act now.”

— Frank Elderson, Reuters

Elderson used similar language in the FT, saying that “given the progress in AI, they need to be dealt with faster.” Read together, the FT and Reuters reports suggest the ECB is focused on a shorter window between the discovery of a weakness and its possible use by attackers.

Why the ECB is escalating

A special meeting carries its own message. The ECB appears to want evidence that banks can speed up cyber and IT remediation, not just assurances that formal controls exist on paper. A lender that has been slow to patch a weakness could draw scrutiny even if it has been cautious about rolling out frontier AI inside its own operations.

Banks do not need to be first movers on AI to be exposed to AI-shaped threats.

Attackers, vendors and external testing teams can use stronger models to sharpen phishing campaigns, probe code bases or identify operational weak spots faster than a bank’s governance process moves. That is why Elderson framed the issue around preparedness rather than access.

Bloomberg reported on Saturday that the ECB’s intervention marked a tougher regulatory response after recent AI advances exposed new vulnerabilities. For bank executives and investors, that matters because it puts AI inside the same operational-resilience agenda regulators have already been tightening across payments, technology and continuity planning.

For euro-area lenders, the practical implication is straightforward. A weakness that might once have been treated as a medium-term IT issue can now look like an urgent control problem if supervisors believe AI has changed the threat environment around it. The ECB’s summons points to less tolerance for delay as banks adjust to a faster cyber-risk cycle.