The European Central Bank is pressing lenders across the eurozone to pour more money into cybersecurity, warning that artificial intelligence is turbocharging the scale and speed of digital attacks. In a fresh directive sent to supervised institutions, the ECB said the surge in AI-driven threats demands a significant upgrade in defense spending — not just incremental tweaks. Banks that fail to keep pace risk not only their own systems but the stability of the broader financial network, the regulator stressed.
Why the warning lands now
Cybercriminals have begun weaponizing generative AI and machine learning tools to craft more convincing phishing emails, automate vulnerability scans, and evade traditional detection systems. The ECB’s assessment, shared with banks in recent weeks, notes that these attacks are arriving faster and with fewer telltale signs. A single compromised credential can cascade into a cross-border breach before a bank’s security team even spots the intrusion. The central bank’s message is blunt: the old playbook won’t cut it.
The timing is no accident. European banks are already grappling with tighter capital rules and a sluggish economy. Adding a cybersecurity arms race to that mix strains budgets, but the ECB is making clear that underinvesting is no longer an option. Internal ECB documents reviewed by GFdaily describe the current threat environment as “unprecedented in velocity and reach,” though the bank declined to elaborate on specific incidents that triggered the alert.
What the ECB is demanding
The directive stops short of setting a specific spending target — no percentage of revenue or fixed euro amount. Instead, it asks each bank to conduct a fresh risk assessment focused on AI-enabled attack vectors and to present a multiyear investment plan. Those plans must show concrete steps: hiring specialized staff, upgrading threat-detection software, and running red-team simulations that mimic AI-driven intrusions. Banks that drag their feet can expect more frequent on-site inspections and, in extreme cases, higher capital buffers tied to cyber risk.
The ECB also wants lenders to share threat intelligence more aggressively. “No bank is an island anymore,” the directive states. “Collaboration on attack patterns and defensive tools is essential for the system as a whole.” Several large eurozone banks have already begun pooling data through a pilot platform run by the European Banking Authority, and the ECB expects that effort to expand.
The broader regulatory picture
This push from Frankfurt aligns with a wider regulatory trend. The EU’s Digital Operational Resilience Act (DORA), which took effect in January 2025, already requires financial firms to test their cyber defenses regularly and report major incidents within hours. The ECB’s latest call goes further by zeroing in on the AI dimension specifically. It’s a sign that regulators see the technology as a distinct threat, not just another item on the risk checklist.
Smaller banks, which often lack the deep pockets of their larger rivals, face the steepest climb. The ECB has acknowledged that disparity and is exploring whether to offer shared cybersecurity services or coordinated procurement of defensive tools. No firm plan has been announced, but the central bank’s board is expected to discuss options at its June meeting.
For now, the clock is ticking. Banks have until the end of the third quarter to submit their AI risk assessments and investment roadmaps. Those that miss the deadline will face a formal review and, potentially, public naming in the ECB’s supervisory reports.
