- Key insight: The ECB is the first eurozone supervisor to lean on banks directly over the cyber threat from frontier AI models like Mythos, pressing for far faster patching.
- What's at stake: U.S. banks with European operations answer to the ECB's resilience regime, and every bank faces the same AI-enabled attack tools regardless of jurisdiction.
- Forward look: No U.S. financial regulator has issued comparable guidance, leaving open whether Washington follows the EU, the U.K. and the IMF.
Overview bullets generated by AI with editorial review.
The European Central Bank is pressing the bloc's largest banks to patch software flaws faster, warning that artificial intelligence has collapsed the time attackers need to turn a security fix into a working attack.
Frank Elderson, vice-chair of the ECB's supervisory board, said banks can no longer afford their usual deliberate pace.
"In musical terms, I would say andante may have been good enough, but we need to go to presto," Elderson said in remarks the ECB provided to American Banker. Andante is an originally Italian term for walking pace; presto is very fast.
Once a software maker issues a patch, he said, attackers can now reverse-engineer the flaw it is meant to fix in as little as 30 minutes, not the weeks such work used to take, so banks have to apply fixes far faster than they do today.
A spokesperson for the ECB confirmed to American Banker that central bank reps met with the heads of its largest supervised banks on Tuesday to press the point, that the banks discussed possible steps to take and that the conversation will continue in the coming weeks.
The push matters for U.S. bankers because the eurozone's top supervisor is now setting concrete cybersecurity expectations over the same advanced AI that threatens lenders everywhere, even as U.S. financial regulators have not set formal expectations.
American banks with European operations answer to the ECB's resilience regime, and every bank faces the same threat, wherever it operates.
The ECB is particularly concerned about Anthropic's Claude Mythos, which the company
Elderson called Mythos "a game-changer in cybersecurity" in a May 13
The model can autonomously find and exploit software flaws "at a speed and scale far beyond what we have seen before," he said, and can chain minor flaws into the kind of serious attack that once took a team of experts working for days.
The U.K.'s AI Security Institute
Elderson's demand that banks patch faster builds on rules already in place.
The ECB's
The same document warns that "advancements in the development of AI applications may also significantly put banks' cybersecurity to the test."
Since January 2025, the Digital Operational Resilience Act, the European Union's rulebook for banks' technology resilience, known as DORA, has given the ECB authority over how banks manage outside technology providers and respond to incidents.
A faster patch has its own risks
The call to patch faster comes with a catch: the ECB's own data says rushing changes is a leading cause of the outages it worries about.
Anneli Tuominen, an ECB representative to the supervisory board, wrote in a March
The same supervisory priorities single out change management as a weak spot and commit the ECB to a targeted review, noting that unplanned downtime most often traces to changes in banks' core technology systems, what it calls "ICT system changes."
That leaves banks caught between two of their supervisor's instructions: deploy fixes in minutes, but stop letting hurried changes take systems down.
Asked about that contradiction, the ECB said the outcome will come down to a balance.
Banks have to patch fast to limit their exposure to attacks while taking enough care that the fixes themselves don't take systems down, a spokesperson for the ECB told American Banker, and they will have to rethink how much risk they are willing to accept to strike that balance.
The U.K. and IMF got there first
European banks are exposed on two fronts: the advanced AI used against them and the AI tools they increasingly rely on both come from a handful of providers outside the bloc.
Elderson said European banks cannot yet get Mythos, because Anthropic has released it to only a limited number of organizations in the United States.
That, he said, is no reason to wait. "The fact that you don't have access to this model is not an excuse for inaction. Malicious actors might have access to this technology soon," he said in remarks the ECB provided to American Banker.
Pedro Machado, another ECB supervisory representative, said in a
The ECB is the latest authority to move. U.K. regulators told financial firms in a May 15
No U.S. financial regulator has set comparable expectations.
The Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. have publicly issued no equivalent guidance for the banks they oversee.
Treasury Secretary Scott Bessent and Fed Chair Jerome Powell did meet privately with big-bank chief executives in April to











