ECB AI Cyber-Resilience Bank Action Plans | TLY

AI Regulation Tracker  /  Guidance

ECB Tells Euro Area Banks to File AI Cyber-Resilience Action Plans by October 31

Regulatory summary: The ECB's Single Supervisory Mechanism has written to the CEOs of significant euro area banks, warning that AI models can now find software flaws and generate working exploits at unprecedented speed. Every supervised bank must submit an action plan to its Joint Supervisory Team by October 31, 2026.

Primary source

ECB Tells Euro Area Banks to File AI Cyber-Resilience Action Plans by October 31 regulation briefing
The Leveraged Years AI Regulation Tracker

Key takeaways

  • The ECB converted a general concern about AI-enabled cyber threats into a specific, dated supervisory ask. Significant banks must now produce and file an action plan addressing named focus areas, and the ECB will run a horizontal analysis across the submitted plans. To make room for the effort, the ECB extended the deadline for the annual IT Risk Questionnaire collection from September 2026 to February 2027.
  • CEOs and management bodies of significant euro area banks; heads of ICT risk, CISOs, and operational-resilience functions; Joint Supervisory Teams that will assess and monitor the plans; and ICT third-party providers whose services sit in banks' critical supply chains.
  • Status: Issued July 7, 2026.
  • Assign an accountable owner now, inventory internet-facing and externally exposed ICT assets including third-party and open-source components, and draft the action plan against the letter's focus areas. Close out open supervisory findings from prior inspections and the 2024 cyber-resilience stress test, brief the management body on ICT investment and risk tolerance, and file with the Joint Supervisory Team before October 31, 2026.
DateJurisdictionRuleAffected professionalsStatus or effective date
2026-07-09European Union (Euro area)The ECB converted a general concern about AI-enabled cyber threats into a specific, dated supervisory ask. Significant banks must now produce and file an action plan addressing named focus areas, and the ECB will run a horizontal analysis across the submitted plans. To make room for the effort, the ECB extended the deadline for the annual IT Risk Questionnaire collection from September 2026 to February 2027.CEOs and management bodies of significant euro area banks; heads of ICT risk, CISOs, and operational-resilience functions; Joint Supervisory Teams that will assess and monitor the plans; and ICT third-party providers whose services sit in banks' critical supply chains.Issued July 7, 2026. Live supervisory expectation with a fixed filing deadline. Joint Supervisory Teams will engage with each bank on its plan and monitor progress; the ECB will share conclusions from its horizontal analysis.

Frequently Asked Questions

Who has to respond to this ECB letter?

The CEOs of significant institutions supervised directly by the ECB under the Single Supervisory Mechanism. Each such bank must prepare an action plan and file it with its Joint Supervisory Team.

What is the deadline?

The action plan is due to the respective Joint Supervisory Team by October 31, 2026. Separately, the ECB moved the annual IT Risk Questionnaire collection deadline from September 2026 to February 2027.

Is this a new regulation banks must comply with?

No. It is a supervisory expectation grounded in the existing Digital Operational Resilience Act (DORA). It does not create new statutory duties, but it is issued by the direct supervisor and requires a dated filing, so it carries real supervisory weight.

What must the action plan cover?

Concrete, resourced measures across attack-surface and ICT asset protection, vulnerability and patch management at scale, monitoring and AI-enabled defense, third-party risk management, defence-in-depth and cyber hygiene, legacy-technology modernization, and response and recovery, built on the bank's existing cyber-risk strategy.

How does it relate to the ESRB warning issued the same day?

The letter cites the ESRB's July 7, 2026 warning on systemic cyber risks from frontier AI models. The ESRB speaks system-wide to all financial sectors; the ECB letter turns the same concern into a specific supervisory deliverable for the significant banks it supervises.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.