ECB requires action plan on AI-enabled cyber threats by 31 October 2026

Phil Hansen
Phil Hansen
7 min read
ECB requires action plan on AI-enabled cyber threats by 31 October 2026

The essentials in 30 seconds

  • New supervisory letter: On 7 July 2026, ECB Banking Supervision wrote to the CEOs of all significant institutions (SSM-2026-0301): AI models now discover vulnerabilities and generate working exploits at unprecedented speed.
  • Hard deadline: By 31 October 2026, every significant institution must submit a concrete action plan to its Joint Supervisory Team (JST), with measures, resources, responsibilities and timelines.
  • No new rules: The ECB is explicit: no new rulebook. DORA remains the binding framework, AI amplifies the speed and scale of known risks, it does not create new categories.
  • Relief in exchange: In return, the ECB postpones the annual IT Risk Questionnaire from September 2026 to February 2027.

What happened?

In a letter dated 7 July 2026, Claudia Buch, Chair of the ECB's Supervisory Board, addressed the CEOs of all significant institutions in the SSM. The trigger: frontier AI models are compressing the timeline between vulnerability discovery and exploitation. The letter (SSM-2026-0301) calls this a long-term shift in the threat landscape, not a temporary phenomenon.

On the same day, the European Systemic Risk Board issued a warning on systemic cyber risks stemming from frontier AI models, and CERT-EU had already analysed how AI is changing the economics of vulnerability discovery. The supervisory message is coordinated and unambiguous: defenders must adapt now.

The deadline: action plan by 31 October 2026

The core requirement: develop a comprehensive action plan without delay and submit it to the responsible JST by 31 October 2026. The plan must build on the existing cyber-risk strategy and deliver three things: concrete measures with timelines, clear roles and responsibilities, and the resources to execute.

The ECB will run a horizontal analysis of all submitted plans and feed the conclusions back to institutions. Open findings from previous on-site inspections, targeted reviews and the 2024 cyber resilience stress test must be prioritised, unresolved weaknesses are explicitly flagged as increasingly material under the new threat landscape.

The six focus areas of the action plan

1. Prioritise protection of attack surfaces

Full inventory of ICT assets, including third-party software and open-source components. Internet-facing and externally exposed systems, cloud environments and third-party VPN connections must be minimised and continuously monitored; perimeter technologies come first in remediation.

2. Accelerate vulnerability and patch management at scale

Prioritised vulnerability scanning, preparation for more frequent and higher-volume patching, and ICT change management that enables rapid, risk-based emergency fixes. AI-based tooling is permitted, but only with a prior risk assessment, safeguards and human oversight. The requirements must also land in contracts and SLAs with ICT service providers.

3. Monitoring, detection and AI-enabled defence

Strengthened monitoring of application and access logs, network traffic and indicators of compromise, especially across internet-facing applications, cloud repositories and critical internal systems.

4. Governance, funding, training and supply chain

Management bodies must assess whether budget, staffing, tooling and change capacity are sufficient for accelerated patching, resilience testing and AI-enabled defence. Risk appetite frameworks need updating, including metrics and tolerance thresholds. Institutions remain fully accountable for outsourced ICT services; third-party providers' readiness for accelerated vulnerability disclosure belongs on the agenda.

5. Defence-in-depth and modernisation

The ECB states a clear working assumption: perimeter defences will be breached. Expected measures: segmentation and micro-segmentation, zero-trust principles with continuous verification of users, devices, APIs and service accounts, strong baseline controls (least privilege, MFA, comprehensive logging), and replacing or ring-fencing legacy and end-of-life systems.

6. Response, recovery and information sharing

Regularly tested crisis management, backup, failover and recovery arrangements aligned with DORA. Exercises should explicitly cover high-speed scenarios: broad compromise through zero-days, ransomware, destructive attacks, and supply chain or cloud service disruption.

What does this mean for DORA?

Everything. The letter consistently anchors its expectations in Regulation (EU) 2022/2554, the action plan is, at its core, an accelerated DORA programme under sharpened assumptions. Institutions with solid ICT risk management, a clean register of information and tested resilience arrangements can serve most of the ECB's expectations from existing work. Institutions with gaps now have a hard deadline.

Looking ahead: post-quantum cryptography

The letter closes with an announcement: the ECB will address the risks quantum computing poses to today's encryption methods in a separate letter. Migrating to post-quantum cryptography will take years, but must start now, with sustained strategic investment.

How ADVISORI supports you

We have translated the six ECB focus areas into a compact gap assessment: within two to three weeks you know where your institution stands, which open DORA findings fall under the new priorities, and how your JST action plan needs to be structured. Our consultants have seen BaFin and Section 44 inspections from both sides of the table, from the register of information to TLPT. Learn more on our DORA compliance page.

Talk to us before the deadline closes in: an action plan started in September is not a plan in October, it is an excuse.

Hat ihnen der Beitrag gefallen? Teilen Sie es mit:

DORA in 12 Weeks — from ICT Register to TLPT

We structure your DORA implementation in a 30-minute strategy session and deliver gap-analysis plus the rollout roadmap.

30 Minuten • Unverbindlich • Sofort verfügbar

Further reading

Continue exploring with related insights from our experts.

Your strategic success starts here

Our clients trust our expertise in digital transformation, compliance, and risk management

Ready for the next step?

Schedule a strategic consultation with our experts now

30 Minutes • Non-binding • Immediately available

For optimal preparation of your strategy session:

Your strategic goals and challenges
Desired business outcomes and ROI expectations
Current compliance and risk situation
Stakeholders and decision-makers in the project

Prefer direct contact?

Direct hotline for decision-makers

Strategic inquiries via email

Detailed Project Inquiry

For complex inquiries or if you want to provide specific information in advance