On 7 July 2026 the European Systemic Risk Board (ESRB) published a formal warning on systemic cyber risks stemming from frontier AI models. This is remarkable because the ESRB almost never uses this instrument: it is only the second general, EU-wide warning in its history, and the first ever on a cyber or AI topic. More remarkable still is what sat beside it on the same day. The banking supervision arm of the European Central Bank (ECB) sent a letter to all the significant institutions it directly supervises, turning the general warning into a dated obligation: by 31 October 2026 each bank is to submit a comprehensive action plan to its supervisory team. Within hours, a signal had become a task with a deadline.

Anyone who followed the debate over recent weeks will recognise the escalation. In May a soft signal was in play, a joint statement by British authorities, flanked by matching remarks from Frankfurt and Madrid. Back then the central question was whether a non-binding expectation has any consequences at all. That question has now been answered. The ESRB has chosen the highest escalation form of its soft toolkit, and the ECB delivered the concrete enforcement alongside it.

In brief

What: Formal ESRB warning on systemic cyber risks from frontier AI models (reference ESRB/2026/3), supported by the three European Supervisory Authorities EBA, EIOPA and ESMA

When: Adopted on 25 June 2026, published on 7 July 2026; beforehand the ESRB had raised systemic cyber risk from "elevated" to "severe" in June

The lever: A letter from ECB banking supervision, sent in parallel to the significant institutions, with a deadline of 31 October 2026 for an action plan to the respective Joint Supervisory Team

The core: Frontier AI models find and weaponise vulnerabilities in minutes or hours rather than days or weeks, a "collapse of defensive time buffers"

The framework: The Digital Operational Resilience Act (DORA) and the EU AI Act remain sufficient; the problem is not a lack of rules but the speed of response

What happened on 7 July

There were three documents, released in coordination. The first is the ESRB warning itself. It carries the date of its adoption, 25 June 2026, and is addressed generally to all institutions of the European Union and its member states. The second is a joint statement of support from the three European Supervisory Authorities, the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA). They expressly welcome the warning and announce that they will work with national supervisors to specify supervisory expectations. The third document is the one that matters for practice: a letter from ECB banking supervision, signed by Claudia Buch, Chair of the Supervisory Board, addressed to the chief executives of the significant institutions.

This tripartite structure is not accidental but deliberate. The warning provides the systemic diagnosis, the supervisory authorities signal Europe-wide unity, and the ECB letter translates the whole into a dated obligation for the institutions that fall directly under European supervision. For a German board member, therefore, the relevant news is not the abstract warning but the letter with the date on it.

Why this warning carries more weight than May's signal

To gauge the weight of the warning, it helps to look at the instrument. The ESRB can warn and it can recommend, and the two are legally distinct. A recommendation triggers a so-called act-or-explain mechanism: the addressee must report to the authority what it has done, or justify why it has done nothing. A warning does not carry this obligation; it is legally non-binding. Yet that is precisely where its signalling function lies. The ESRB bases the current warning expressly on Articles 16 and 18 of its founding regulation, not on the follow-up article that applies to recommendations. It deliberately warns, it does not recommend, and the effect is nonetheless considerable, because a public release requires a two-thirds majority in the General Board and the Council is informed in advance.

The rarity underscores the point. Christine Lagarde, as ECB President also Chair of the ESRB, described the only comparable general warning to date, the one from September 2022 on vulnerabilities in the financial system, as "the first such warning in its 13-year history". All other ESRB warnings concerned country-specific real estate risks. That the body is now warning generally for only the second time in its history, and has chosen a technology topic to do so, is a deliberate act. The counterpart to the soft British statement I analysed in this space in May is thus a category sharper: no longer an informal bundling of existing expectations, but a formal instrument with its own procedural rules.

The crafting of weaponised exploits was previously largely done manually and took human experts days or weeks, whereas it can now be done by frontier AI models in a matter of minutes or hours. This constitutes a collapse of defensive time buffers. ESRB, Warning ESRB/2026/3 of 25 June 2026

From Weeks to Hours

The core of the warning is a thesis about speed, and this thesis is better supported empirically than is usually the case with supervisory alarms. To understand it, it helps to look at a familiar pattern in cyber security. The moment a vendor closes a vulnerability and publishes the patch, it also hands out the map to the flaw. Attackers exploit the window in which the patch exists but has not yet been installed everywhere. Historically this window was the defenders' protection, because reconstructing a working attack from a published patch was specialised manual work and took weeks.

That this window is closing is not a claim by supervisors but the result of concrete measurements. Anthropic, one of the leading AI providers, published a study on exactly this on 8 June 2026. On a set of eighteen public security patches for the Firefox browser, the most capable model tested built eight working exploits fully autonomously, the first in under an hour of the patch being published. On twenty-one vulnerabilities in the Windows kernel, where no source code was available, the same model produced eight full attack chains that escalated an unprivileged user to full system control, at a cost of roughly two thousand US dollars per chain. The historical contrast the researchers themselves draw makes the shift tangible: the ransomware WannaCry struck 59 days after the corresponding patch in 2017; the public exploit for the Citrix Bleed flaw took about two weeks in 2023. The study's conclusion: the established window between patch and attack, once measured in weeks, is shrinking to hours.

Intellectual honesty requires noting the limit of this evidence. The providers themselves point out that exploit development is only one step in a real attack campaign; finding the targets, delivering the attack and evading defences still cost time and resources. The strongest model in the study is also not publicly available. The relevant measure for strategic conclusions is therefore not whether an AI defeats every defence single-handedly today. The relevant measure is that the most expensive and slowest step of such an attack, weaponising the patch, has shrunk from expert-weeks to machine-hours. Against that timescale, a patching rhythm tied to monthly maintenance windows is structurally too slow.

What the ECB actually demands

Here the ECB letter becomes the document that matters for practice, because it is the only one of the three papers to contain dated, verifiable measures. Claudia Buch first makes clear that this is a long-term shift in the threat landscape, not a temporary phenomenon and not a risk tied to any single tool. This model-agnostic wording matters: the supervisor is not warning about a product but about a class of capability. Responsibility, the letter states, lies primarily with the banks' management bodies; strategic decisions about ICT investment, resources and risk tolerance may need to be revisited.

The operational core is the action plan required. Each significant institution is to submit it to its Joint Supervisory Team by 31 October 2026, with concrete measures, allocated resources, clear responsibilities and implementation timelines. In the short term the letter names three priorities: accelerating and scaling vulnerability and patch management, strengthening monitoring, detection and AI-enabled defence, and verifying whether third-party risk management is still fit for the situation. The particular focus is on externally exposed systems, that is internet-facing applications together with the third-party software and open-source components they use. Structurally, the modernisation of legacy systems without vendor support, the embedding of zero-trust principles and tested recovery capabilities follow.

The ECB letter in figures and deadlines

Addressee: the significant institutions directly supervised by the ECB (around 110 banks across the euro area)

Deadline: 31 October 2026 for the action plan to the Joint Supervisory Team, just under four months from dispatch

Relief: The annual collection of the IT Risk Questionnaire is deferred from September 2026 to February 2027, an admission that the deadline is tight

Afterwards: The ECB announces a horizontal analysis of all action plans to identify trends and good practices and feed them back

Outlook: A separate letter on the risks that quantum computing poses to today's encryption is already announced

It is notable that the ECB does not only demand but also sets priorities. Deferring the IT Risk Questionnaire and adjusting on-site inspections case by case is a signal that the supervisor acknowledges the institutions' capacity problem. Those who previously had to work on everything at once are given a right of way for this topic. That is not leniency but focus: the scarce resources of the ICT risk function are to be steered towards the new threat landscape.

DORA covers the substance, speed is the gap

This raises the question every board will now hear: are we not already done with a fully implemented Digital Operational Resilience Act (DORA)? The honest answer is a qualified yes and no, and it matches exactly what the warning itself says. The ESRB expressly describes DORA as a comprehensive framework and calls for no new legislation. The regulation, fully applicable since 17 January 2025, structurally contains all the relevant building blocks: mandatory ICT risk management with its identify-protect-detect-respond-recover logic in Articles 5 to 16, incident reporting in Articles 17 to 23, threat-led penetration testing in Articles 26 and 27, and the regime for ICT third-party risk in Articles 28 to 30 together with the oversight of critical third-party providers in Articles 31 to 44. Whoever genuinely lives DORA meets the scaffolding of the new expectation.

The gap lies not in the substance but in the speed. DORA does not prescribe a patching pace measured in hours. Yet that is precisely the expectation the ESRB and ECB now articulate: that the response paradigm oriented around maintenance windows no longer suffices under machine-accelerated threat cycles. DORA compliance is therefore necessary, but under the new assessment no longer automatically sufficient. It is the same thesis I set out in May, only it has since been confirmed by the supervisor itself. The difference between an institution that treats DORA as a documentation duty and one that measures and shortens its real response time will become visible in the supervisory dialogue, at the latest when the action plans are evaluated.

A second flank concerns third parties. The ESRB expressly identifies the concentration of leading AI providers outside the European Union as a strategic dependency and geopolitical risk. This is more than a location debate. The DORA oversight regime for critical third-party providers named its first addressees in November 2025, among them large cloud and IT providers. The specialised providers of frontier models, however, sit predominantly across the Atlantic and thus outside the direct reach of European supervision. For banks this means a double task: knowing their own dependency on concentrated providers, and at the same time understanding that the sharpest tools for defence come from the very providers whose models create the threat.

Does AI not also defend?

A supervisory alarm of this force calls for the counter-test, and it turns out to be more nuanced than the headline suggests. The same technology that accelerates attacks also strengthens the defence. The World Economic Forum's Global Cybersecurity Outlook 2026 reports that organisations making intensive use of AI in security reduce their average cost per incident by up to 1.9 million US dollars and shorten the lifecycle of an incident by around eighty days. At the same time, eighty-seven per cent of the organisations surveyed see AI-related vulnerabilities as the fastest-growing risk. Both findings stand side by side, and quoting only one distorts the picture.

A fair assessment must also record what the "severe" rating rests on. Fully autonomous AI attacks against genuinely defended systems remain the exception, not the rule, to date. The best-known documented case, an espionage operation disclosed in November 2025 in which a state-linked actor had an AI model carry out large parts of a campaign against around thirty targets largely on its own, is an existence proof, not a mass phenomenon. The supervisor therefore argues less from today's frequency than from the curve: from the speed at which capabilities are growing. That is a legitimate but forward-looking approach. For a board this does not mean relativising the alarm but reading it correctly: it is about preparing for a foreseeable situation, not reacting to a mass attack that has already occurred. That is precisely the more favourable starting position, as long as one uses it.

While these developments do not introduce entirely new risks, they significantly amplify the speed and scale at which such risks materialise. Claudia Buch, Chair of the ECB Supervisory Board, letter to the significant institutions of 7 July 2026

What institutions should do now

For the board, IT security and the ICT risk function, 31 October 2026 is not a bureaucratic cut-off but the opportunity to put one's own response capability to an honest test. Five priorities can be derived from the facts.

1. Set up the action plan as a leadership document, not a form

Immediately: The letter expressly addresses the management body. The required action plan should therefore not originate in, and remain within, the second line of defence, but be adopted at board level with clear responsibilities, resources and timelines. The horizontal analysis announced by the ECB means that every plan will be read in comparison with peers.

2. Measure the real time from vulnerability to remediation

Immediately: The benchmark is not the DORA documentation but the actually achievable span between a vulnerability becoming known and its remediation, prioritised for the externally reachable attack surface. Where fixed maintenance windows still apply to critical, internet-facing systems, a principle of accelerated, risk-based emergency change should take their place. Legacy systems without vendor support are here not a patching but a replacement problem.

3. Bring detection and AI-enabled defence up to par

Short term: If attacks run at machine speed, the defence must be able to keep pace. The letter expressly names the use of AI-enabled defence, albeit on condition of appropriate governance, validation and human oversight. Monitoring of access and application logs as well as network traffic should be designed for the rapid detection of indicators of compromise, not for retrospective analysis.

4. Develop the third-party and open-source inventory into a risk view

Short term: The DORA information register is the mandatory basis, but the new expectation goes beyond it. External applications, libraries and services including open-source components are to be identified and their concentration mirrored against outage and compromise scenarios. Dependency on a few, partly non-European providers should be consciously assessed, not merely administered.

5. Exercise recovery and update the risk appetite

By the deadline: Response and recovery belong tested under realistic scenarios, including exercises for fast, broad compromises. In parallel, the risk appetite framework should be extended with metrics and tolerance thresholds that reflect the new threat landscape, expressly including patch frequency. Defining these figures makes progress measurable rather than asserted.

Timeline: From soft signal to dated obligation
How the supervisory expectation on frontier AI cyber risks has intensified
15 May 2026
British joint statement on frontier AI
Bank of England, FCA and HM Treasury bundle existing cyber expectations, expressly without new rules.
3 June 2026
First ESA annual report on ICT incidents
3,383 major incidents reported for 2025; supervisors already warn of highly capable AI-driven tools.
8 June 2026
From patch to attack in hours
A provider study shows autonomous exploit development within hours rather than weeks from public patches.
7 July 2026
ESRB warning and ECB letter
Only the second general ESRB warning ever, backed by EBA, EIOPA and ESMA; the ECB sets banks a deadline.
31 October 2026
Deadline for the action plan
Each significant institution submits its action plan to the Joint Supervisory Team.
February 2027
Deferred IT Risk Questionnaire
The ECB moves the annual collection to free capacity for the new priority and evaluates the plans horizontally.

Assessment

The warning of 7 July 2026 is neither posturing nor a consequence-free communiqué. It is the formal condensation of an expectation that has been running through the European supervisory landscape since the spring, and it comes with a date. Its strength lies not in new obligations, for DORA and the EU AI Act cover the substance. Its strength lies in the shift in what counts as an appropriate response speed. For an institution the consequence is uncomfortably simple: the rules are known, the required speed is not yet everywhere. Whoever uses the action plan by the end of October as an honest self-assessment, rather than as a form, treats the warning as what it is, a preparation window. Whoever waits until the expectation becomes a finding in the next supervisory dialogue forfeits the only advantage a lead time offers.

Christian Schablitzki

Christian Schablitzki

Strategy & Management Consultant · Agentic AI expert for financial institutions

Over 20 years in investment banking and derivatives trading, followed by more than 10 years advising financial institutions. Currently Partner at Infosys Consulting in Germany. Certified in Google AI, Generative AI Leader (Google Cloud) and IBM RAG and Agentic AI.

LinkedIn profile →
newsletter
the agentic banker

Read on – every 14 days in your inbox.

Capital markets insights, regulatory updates and AI trends. Concise, well-founded, free.

GDPR-compliant. Unsubscribe anytime.

← Back to overview