European Central Bank warns frontier AI is reshaping cyber risk and will send banks a dear CEO letter

In a speech, European Central Bank Executive Board member Frank Elderson said frontier AI models are changing the economics of cyber risk and require banks to treat operational resilience as a firm-wide strategic issue rather than only a cybersecurity topic. He said the ECB will send a dear CEO letter to banks asking them to take proactive measures to keep their systems robust and secure before these technologies are more widely used by threat actors. Elderson said more than 85% of banks under ECB supervision already use artificial intelligence, while the same technology can lower the time, cost and expertise needed to discover and exploit vulnerabilities. He warned that common dependencies such as cloud providers, telecommunications networks, payment systems and utilities could become channels for wider disruption. He cited the ECB's 2024 cyber resilience stress test of 109 banks, including 28 that underwent a deeper assessment, which found response and recovery frameworks in place but also weaknesses at some firms. Almost three-quarters of the findings from that exercise have since been addressed. He also pointed to the Digital Operational Resilience Act, in force since 2025, as the framework for continuous improvement in IT and cyber risk management, stronger oversight of critical third-party providers and threat-led penetration testing. The ECB said it will follow up with individual banks in a targeted way and use its system-wide view to highlight areas of attention and good practices, particularly for smaller banks.