The European Central Bank has told EU banks to prepare and submit AI cyber defence plans as regulators tighten controls around AI-driven threats to financial stability. The requirement sits within the Digital Operational Resilience Act framework and forms part of a coordinated push from the ESRB, ESAs and the European Commission to limit systemic risk from advanced AI tools.
ECB Mandates AI Cyber Resilience for EU Banks
Using DORA to harden operations
The ECB is asking banks to align AI defence plans with DORA obligations on ICT risk, incident reporting and operational testing. Plans must describe how institutions will detect, respond to and recover from AI-enabled attacks, and how they will incorporate AI scenarios into existing resilience tests. A deadline of 31 October 2026 is now in effect for submission and follow-up activity.
Addressing third-party AI vulnerabilities
Regulators emphasise supply chain exposure. Model providers, cloud hosts and data vendors are potential contagion points. Banks must extend vendor due diligence to include model provenance, security testing results, contractual controls and contingency arrangements for provider failures.
EU Regulators Unite on Systemic AI Threats
Unified warnings and strategic responses
The European Systemic Risk Board and the European Supervisory Authorities have issued joint warnings that AI could amplify cyber incidents into system-wide events. The European Commission is coordinating cross-border policy responses. Supervisors expect scenario-based testing, red-team exercises on advanced models and enhanced incident information sharing between firms and authorities.
Preparing for the Future of AI Security
Bank leaders should prioritise practical steps that can be implemented quickly.
- Map AI assets and critical processes where models interact with customer or market systems.
- Integrate AI-specific scenarios into business continuity and incident response playbooks.
- Strengthen third-party governance: require security attestations and test results from model vendors.
- Invest in red-teaming and continuous monitoring for anomalous model behaviour.
- Raise AI risk reporting to the board and align capital and operational planning with oversight expectations.
Regulatory scrutiny is increasing now. Banks that treat AI resilience as a core operational priority will be better placed to meet supervisor expectations and limit systemic exposures.




