The Belgium Financial Services and Markets Authority has issued a communication warning that frontier artificial intelligence systems are materially increasing cyber risk for regulated firms and lowering the threshold for attacks, including for firms that may previously have viewed themselves as less exposed because of their size or activities. It says the European Digital Operational Resilience Act, or DORA, provides the main framework for addressing those risks and expects firms subject to DORA to reassess their exposure and strengthen their digital operational resilience accordingly. The communication highlights that advanced AI models can identify and exploit vulnerabilities across ICT systems, including legacy and widely used applications, at speed and at scale, without requiring deep specialist expertise. As a result, firms should assume shorter patching cycles and focus on four areas: identifying ICT assets; protecting them through measures such as securing external touchpoints, access controls, vulnerability scanning, rapid patching, backups, network segmentation and testing; detecting and responding quickly to incidents, including major-incident reporting to the FSMA where required; and pressing ICT service providers to apply equivalent safeguards. The FSMA also notes that the European Supervisory Authorities had identified 19 critical ICT third-party providers by the end of 2025, but stresses that firms remain responsible for supply-chain cyber resilience, particularly where providers are not designated critical. The FSMA expects all firms subject to DORA to implement these measures swiftly and says the same recommendations are relevant for firms outside DORA's scope.
Belgium Financial Services and Markets Authority, 2026-06-15
Belgium Financial Services and Markets Authority warns frontier AI heightens cyber risk and tells DORA firms to strengthen controls
The Belgium Financial Services and Markets Authority has warned that frontier AI systems are making cyberattacks easier, faster and more scalable, requiring regulated firms to reassess ICT risk even if they were previously seen as lower-risk targets. It says DORA provides the core response framework and expects in-scope firms to strengthen asset inventories, patching, detection and incident response, and oversight of ICT service providers. The guidance is also recommended for firms outside DORA's scope.