The European Central Bank just gave every bank it supervises a homework assignment with a hard deadline. Submit a cybersecurity action plan by October 31, or prepare for some uncomfortable conversations with your regulators.

ECB Executive Board member Frank Elderson laid out the directive on June 3, framing it as a necessary response to the escalating sophistication of AI-powered cyberattacks. With more than 85% of significant euro-area banks now using AI themselves, the attack surface has grown considerably.

Why the ECB is moving now

This isn’t the ECB suddenly waking up to cybersecurity as a concept. It’s the latest step in a multi-year escalation that started gaining real momentum when the Digital Operational Resilience Act, known as DORA, came into effect in 2025. DORA essentially told every financial institution in Europe: continuously improve your IT and cybersecurity measures, or face the consequences.

The ECB ran a cyber resilience stress test in 2024, evaluating 109 banks across the euro area. Nearly three-quarters of the issues identified during that stress test had been resolved by mid-2026.