ECB requires action plan on AI-enabled cyber threats by 31 October 2026

The essentials in 30 seconds
- New supervisory letter: On 7 July 2026, ECB Banking Supervision wrote to the CEOs of all significant institutions (SSM-2026-0301): AI models now discover vulnerabilities and generate working exploits at unprecedented speed.
- Hard deadline: By 31 October 2026, every significant institution must submit a concrete action plan to its Joint Supervisory Team (JST), with measures, resources, responsibilities and timelines.
- No new rules: The ECB is explicit: no new rulebook. DORA remains the binding framework, AI amplifies the speed and scale of known risks, it does not create new categories.
- Relief in exchange: In return, the ECB postpones the annual IT Risk Questionnaire from September 2026 to February 2027.
What happened?
In a letter dated 7 July 2026, Claudia Buch, Chair of the ECB's Supervisory Board, addressed the CEOs of all significant institutions in the SSM. The trigger: frontier AI models are compressing the timeline between vulnerability discovery and exploitation. The letter (SSM-2026-0301) calls this a long-term shift in the threat landscape, not a temporary phenomenon.
On the same day, the European Systemic Risk Board issued a warning on systemic cyber risks stemming from frontier AI models, and CERT-EU had already analysed how AI is changing the economics of vulnerability discovery. The supervisory message is coordinated and unambiguous: defenders must adapt now.
The deadline: action plan by 31 October 2026
The core requirement: develop a comprehensive action plan without delay and submit it to the responsible JST by 31 October 2026. The plan must build on the existing cyber-risk strategy and deliver three things: concrete measures with timelines, clear roles and responsibilities, and the resources to execute.
The ECB will run a horizontal analysis of all submitted plans and feed the conclusions back to institutions. Open findings from previous on-site inspections, targeted reviews and the 2024 cyber resilience stress test must be prioritised, unresolved weaknesses are explicitly flagged as increasingly material under the new threat landscape.
The six focus areas of the action plan
1. Prioritise protection of attack surfaces
Full inventory of ICT assets, including third-party software and open-source components. Internet-facing and externally exposed systems, cloud environments and third-party VPN connections must be minimised and continuously monitored; perimeter technologies come first in remediation.
2. Accelerate vulnerability and patch management at scale
Prioritised vulnerability scanning, preparation for more frequent and higher-volume patching, and ICT change management that enables rapid, risk-based emergency fixes. AI-based tooling is permitted, but only with a prior risk assessment, safeguards and human oversight. The requirements must also land in contracts and SLAs with ICT service providers.
3. Monitoring, detection and AI-enabled defence
Strengthened monitoring of application and access logs, network traffic and indicators of compromise, especially across internet-facing applications, cloud repositories and critical internal systems.
4. Governance, funding, training and supply chain
Management bodies must assess whether budget, staffing, tooling and change capacity are sufficient for accelerated patching, resilience testing and AI-enabled defence. Risk appetite frameworks need updating, including metrics and tolerance thresholds. Institutions remain fully accountable for outsourced ICT services; third-party providers' readiness for accelerated vulnerability disclosure belongs on the agenda.
5. Defence-in-depth and modernisation
The ECB states a clear working assumption: perimeter defences will be breached. Expected measures: segmentation and micro-segmentation, zero-trust principles with continuous verification of users, devices, APIs and service accounts, strong baseline controls (least privilege, MFA, comprehensive logging), and replacing or ring-fencing legacy and end-of-life systems.
6. Response, recovery and information sharing
Regularly tested crisis management, backup, failover and recovery arrangements aligned with DORA. Exercises should explicitly cover high-speed scenarios: broad compromise through zero-days, ransomware, destructive attacks, and supply chain or cloud service disruption.
What does this mean for DORA?
Everything. The letter consistently anchors its expectations in Regulation (EU) 2022/2554, the action plan is, at its core, an accelerated DORA programme under sharpened assumptions. Institutions with solid ICT risk management, a clean register of information and tested resilience arrangements can serve most of the ECB's expectations from existing work. Institutions with gaps now have a hard deadline.
Looking ahead: post-quantum cryptography
The letter closes with an announcement: the ECB will address the risks quantum computing poses to today's encryption methods in a separate letter. Migrating to post-quantum cryptography will take years, but must start now, with sustained strategic investment.
How ADVISORI supports you
We have translated the six ECB focus areas into a compact gap assessment: within two to three weeks you know where your institution stands, which open DORA findings fall under the new priorities, and how your JST action plan needs to be structured. Our consultants have seen BaFin and Section 44 inspections from both sides of the table, from the register of information to TLPT. Learn more on our DORA compliance page.
Talk to us before the deadline closes in: an action plan started in September is not a plan in October, it is an excuse.
DORA in 12 Weeks — from ICT Register to TLPT
We structure your DORA implementation in a 30-minute strategy session and deliver gap-analysis plus the rollout roadmap.
30 Minuten • Unverbindlich • Sofort verfügbar
Related articles
Continue exploring with related insights from our experts.

Cyber Insurance: Requirements, Costs, and Selection Guide for Businesses 2026
Cyber insurance covers financial losses from cyberattacks, data breaches, and IT outages. This guide explains what insurers require in 2026, coverage types, costs by company size, and how to choose the right policy — including how ISO 27001 certification reduces premiums.

Vulnerability Management: The Complete Lifecycle for Finding, Prioritizing, and Remediating Weaknesses
Over 30,000 CVEs are published annually. Effective vulnerability management prioritizes what matters most to your organization and remediates before attackers exploit. This guide covers the full lifecycle: discovery, scanning, risk-based prioritization, remediation, and compliance.

Security Awareness Training: Building Effective Programs and Measuring Impact
The human layer remains the weakest link in cybersecurity. This guide covers how to build an effective security awareness program, run phishing simulations, design role-based training, and measure whether your program actually reduces risk — with benchmarks and KPIs.