Back to Home

AI Cyber Threats: ECB Warning to Banks About New Attacks

The European Central Bank warned about new AI-driven cyber threats, pointing to a structural failure in the protection of European banks. The regulator noted that US banks are already eliminating vulnerabilities with Mythos, while their competitors in Europe lack this tool. The situation is aggravated by stagflation risks, constraining the ECB's ability to support banks in case of an attack.

ECB warned banks: AI cyberattacks and new systemic risk
Advertisement 728x90

ECB Warns Banks of New AI-Powered Cyber Threats

The European Central Bank has issued a warning to all banks to prepare for AI-driven cyberattacks, including advanced models. The regulator also noted signs of stagflation in the region's economy.


Cyber Shield with a Hole: How the AI Arms Race Masks European Banks' Main Vulnerability

The Gist: What's Really Happening

At first glance, the ECB issued a standard warning: prepare for cyberattacks using advanced AI. Executive Board member Frank Elderson named a specific model — Anthropic's Mythos — and urged banks to act immediately, without waiting for access to it.

Google AdInline article slot

But reading between the lines, the real message is much harsher. The ECB is signaling a structural failure in Europe's cybersecurity architecture: European banks have been cut off from a key defensive tool that their American competitors are already using. While JPMorgan and other Project Glasswing participants calmly scan their systems with Mythos and patch dozens of vulnerabilities, European banks are left guessing which holes in their infrastructure this model might find. This is not so much a warning about a future threat as an acknowledgment of an existing asymmetry.

At the same time, the regulator effectively admits that stagflation risks are hampering its ability to support banks through monetary policy. Inflation in April 2026 jumped to 3.0% — up from 2.6% in March — amid the Middle East conflict, which drove up energy prices. Eurozone economic growth in the first quarter was just 0.1%. If a full-scale cyberattack hits a major European bank at a time when the ECB is forced to keep rates high to fight inflation, the classic stabilization toolkit will be unavailable. You cannot simultaneously provide liquidity support and fight rising prices.

Timeline and Context

The story of this warning did not begin in May 2026. Back in January 2026, the ECB's supervisory arm set priorities for 2026-2028, where the second key item after geopolitical risks was strengthening banks' operational resilience, including managing AI-related risks.

Google AdInline article slot

Then, in April 2026, the new head of the European Banking Authority (EBA), François-Louis Michaud, directly called AI-powered cyber threats a "front and center" priority for the supervisory body. By that time, US authorities had already held emergency meetings with bank executives to discuss risks related to Mythos. European regulators watched from the sidelines, unable to assess the threat concretely.

By May 2026, tensions peaked. The UK's AI Security Institute, which received early access to Mythos Preview, confirmed that the new version of the model shows an "impressive performance leap" in cyber capabilities. In response, OpenAI announced it would provide access to GPT-5.5-Cyber for the European Commission and select companies, including Spain's BBVA. France's Mistral began secret talks with major European banks to create a local competitor to Mythos. And it was at this moment — May 12, 2026 — that Elderson published his statement, which in form is a bulletin but in substance is an ultimatum.

A separate alarm bell rang on April 30: the ECB Governing Council left rates unchanged despite growing risks to growth, as inflationary pressures intensified. The regulator found itself in a classic stagflation trap.

Google AdInline article slot

Who Wins and Who Loses

Winners currently fall into three groups.

First, US banks that gained early access to Mythos through Project Glasswing. They are not just testing the tool — they have already eliminated dozens of vulnerabilities whose existence their European competitors are not even aware of. This creates an extraordinary situation: simply possessing a defensive AI tool has become a competitive advantage. A bank that has undergone Mythos scanning is objectively safer than one that has not. Large corporate clients, when choosing a bank for services, will sooner or later start factoring this in.

Second, cybersecurity companies. The ECB warning is essentially free advertising for their services. The volume of orders for security audits, penetration tests, and monitoring systems from European banks will inevitably grow in the coming months. Conservatively estimating the market, an additional influx of 500-800 million euros into this sector can be expected by year-end.

Third, Anthropic itself. Pressure on European authorities to grant access to Mythos works in the company's favor: negotiations with the EU are already underway, and Economy Minister Valdis Dombrovskis confirmed contacts with the developer. Paradoxically, the ECB warning strengthens Anthropic's bargaining position.

Losers include second- and third-tier European banks. Major players like BBVA have already gained access to OpenAI's GPT-5.5-Cyber and are negotiating with Mistral. But regional banks with assets of 50-150 billion euros have neither access to advanced AI tools nor the resources to develop their own. They find themselves in the highest risk zone — their infrastructure will become the testing ground for the first wave of AI-enhanced attacks.

The European regulatory project itself also loses. The ECB and EBA have spent years building a supervisory system based on standardized capital requirements and stress tests. Now it turns out that the technological gap between banks with access to advanced AI security tools and those without creates a new, unregulated channel of systemic risk.

What the Media Isn't Saying

A key point completely missed in public discussions: access to Mythos was not granted to just "American banks." It was given to companies participating in the Project Glasswing initiative, including Amazon Web Services, Microsoft, Nvidia, and the Linux Foundation. Note this list: it's not just banks; it's the basic infrastructure on which European financial organizations run.

JPMorgan, after scanning its systems with Mythos, eliminated vulnerabilities. But a European bank whose critical applications are hosted on AWS cannot verify whether vulnerabilities at the cloud provider level have been fixed. This creates a blind spot: the infrastructure layer is protected by a tool to which the end user has no access, and the user must rely on the provider's assurances.

The second underestimated factor is the impact on the cyber risk reinsurance market. European banks actively insure operational risks, including cyber threats. Insurers use actuarial models based on historical data to assess risks. But AI-enhanced attacks are events with a fundamentally different profile: they are faster, larger-scale, and can exploit vulnerabilities unknown even to the software developer. This means existing underwriting models systematically underestimate risks. If a major incident occurs, insurers could face cumulative losses that threaten their own solvency — and that would have a cascading effect on financial stability.

The third point is the geopolitical subtext. Arthur Mensch, CEO of Mistral, was blunt during a hearing in the French parliament: "You cannot scan the source code of the French military with Mythos." But if military systems cannot be checked by an American tool, and the banking systems of these countries critically depend on the same infrastructure — what guarantee is there that vulnerabilities found by Mythos in the financial sector are not the same vulnerabilities present in defense systems? The question of who exactly has access to the scanning results of European critical infrastructure remains unanswered.

Forecast: Next 30 and 90 Days

In the next 30 days, three specific events are expected.

First, the ECB will conduct emergency cyber resilience stress tests for systemically important eurozone banks. Unlike traditional scenarios, these tests will simulate an attack using AI tools on par with Mythos — even if the banks themselves do not have such tools. The results will be painful.

Second, at least one major European bank will announce a partnership with Mistral to create a defensive AI solution. Given that negotiations are already underway, an announcement is likely within 3-4 weeks. The budget for such a project is estimated at 100-200 million euros.

Third, European insurers will begin revising cyber insurance policy terms for banks, introducing exclusions for losses caused by AI-enhanced attacks. This will trigger a chain reaction: banks will be forced to increase provisioning for operational risks, further reducing available capital.

Within a 90-day horizon, the key factor will be the intersection of two crises: cyber threats and stagflation. Inflation at 3.0% and GDP growth at 0.1% already form a classic stagflationary picture. The ECB confirmed that risks to growth are tilted to the downside, and risks to inflation are tilted to the upside. If, in this situation, a cyber incident affecting payment infrastructure occurs, the regulator will have no good options: lowering rates to support liquidity would fuel inflation, while keeping rates high would worsen the damage to the affected bank.

The most likely scenario: by the end of August 2026, at least one European bank will disclose a serious cyberattack using AI tools. Market reaction will be swift and harsh: the affected bank's shares will fall 15-25% in a single session, and CDS spreads for European banks will widen by 50-80 basis points. The total damage from such an incident, including direct losses, regulatory fines, and reputational costs, could reach 2-3 billion euros.

The only way to avoid this scenario is to accelerate European banks' access to advanced defensive AI tools, whether through agreements with Anthropic, development of local Mistral solutions, or other channels. But even then, the gap between attackers and defenders will not narrow until mid-2027. Until then, European banks will be playing catch-up with an adversary that moves faster.

— Editorial Team

Advertisement 728x90

Read Next

Partner News