ECB tells eurozone banks to tighten cyber-security as AI shifts the threat picture

The European Central Bank has formally told eurozone banks they must tighten their cyber-security posture in response to AI-led attack tools, in a follow-up statement issued on Wednesday that turns earlier private guidance into something closer to a supervisory expectation.

The ECB’s vice-chair of the Single Supervisory Mechanism, Frank Elderson, framed the shift in language that signals a hardening regulatory posture rather than a discussion document.

The trigger remains Anthropic’s Mythos, the restricted-access AI model that can autonomously discover and exploit cybersecurity vulnerabilities at machine speed. Mythos has been demonstrated to combine smaller weaknesses into more serious attacks and to reverse-engineer patches into exploitable flaws faster than older toolchains.

Access has been limited by Anthropic to roughly 40 to 50 organisations including a handful of US banks; no eurozone institution sits on the list. The ECB’s position, in Elderson’s words earlier this month, is that “lack of access is not an excuse for inaction.”

Wednesday’s statement extends that framing. Banks are now expected to assume that attackers will have access to AI tools of comparable capability whether or not the defenders do.The 💜 of EU techThe latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!