ECB tells banks to speed tech fixes as AI shrinks the clock

Photo: Frank Elderson, vice-chair of the supervisory board of the European Central Bank, at an ECB Banking Supervision news conference. Credit: Alex Kraus/Bloomberg
  • Key insight: The ECB is the first eurozone supervisor to lean on banks directly over the cyber threat from frontier AI models like Mythos, pressing for far faster patching.
  • What's at stake: U.S. banks with European operations answer to the ECB's resilience regime, and every bank faces the same AI-enabled attack tools regardless of jurisdiction.
  • Forward look: No U.S. financial regulator has issued comparable guidance, leaving open whether Washington follows the EU, the U.K. and the IMF.

Overview bullets generated by AI with editorial review.

The European Central Bank is pressing the bloc's largest banks to patch software flaws faster, warning that artificial intelligence has collapsed the time attackers need to turn a security fix into a working attack.

Frank Elderson, vice-chair of the ECB's supervisory board, said banks can no longer afford their usual deliberate pace.

"In musical terms, I would say andante may have been good enough, but we need to go to presto," Elderson said in remarks the ECB provided to American Banker. Andante is an Italian term for walking pace; presto is very fast.

Once a software maker issues a patch, he said, attackers can now reverse-engineer the flaw it is meant to fix in as little as 30 minutes, not the weeks such work used to take, so banks have to apply fixes far faster than they do today.

A spokesperson for the ECB confirmed to American Banker that central bank representatives met with the heads of its largest supervised banks on Tuesday to press the point, that the banks discussed possible steps to take, and that the conversation will continue in the coming weeks.

The push matters for U.S. bankers because the eurozone's top supervisor is now setting concrete cybersecurity expectations over the same advanced AI that threatens lenders everywhere, even as U.S. financial regulators have not set formal expectations.

American banks with European operations answer to the ECB's resilience regime, and every bank faces the same threat, wherever it operates.

The ECB is particularly concerned about Anthropic's Claude Mythos, which the company released in preview in April.

Elderson called Mythos "a game-changer in cybersecurity" in a May 13 ECB Supervision Newsletter interview.

The model can autonomously find and exploit software flaws "at a speed and scale far beyond what we have seen before," he said, and can chain minor flaws into the kind of serious attack that once took a team of experts working for days.

The U.K.'s AI Security Institute found in April that Mythos cleared 73% of expert-level capture-the-flag challenges, contests in which security professionals race to find planted software flaws.

Mozilla credited the model with finding 271 of the security flaws it fixed in Firefox 150, which it shipped April 21, most of them high-severity.

Elderson's demand that banks patch faster builds on rules already in place.

The ECB's supervisory priorities for 2026 through 2028, published in November, name operational resilience as a top concern and report that significant cyber incidents have "doubled in recent years."

The same document warns that "advancements in the development of AI applications may also significantly put banks' cybersecurity to the test."

Since January 2025, the Digital Operational Resilience Act, known as DORA, the European Union's rulebook for banks' technology resilience, has given the ECB authority over how banks manage outside technology providers and respond to incidents.

A faster patch has its own risks

The call to patch faster comes with a catch: the ECB's own data says rushing changes is a leading cause of the outages it worries about.

Anneli Tuominen, an ECB representative to the supervisory board, wrote in a March contribution to Eurofi Magazine that 38% of the major incidents banks reported in 2025 had "IT change" as their root cause.

The same supervisory priorities single out change management as a weak spot and commit the ECB to a targeted review, noting that unplanned downtime most often traces to changes in banks' core technology systems, what it calls "ICT system changes."

That leaves banks caught between two of their supervisor's instructions: deploy fixes in minutes, but stop letting hurried changes take systems down.

Asked about that contradiction, the ECB said the outcome will come down to a balance.

Banks have to patch fast to limit their exposure to attacks while taking enough care that the fixes themselves don't take systems down, a spokesperson for the ECB told American Banker, and they will have to rethink how much risk they are willing to accept to strike that balance.

The UK and IMF got there first

European banks are exposed on two fronts: the advanced AI used against them and the AI tools they increasingly rely on both come from a handful of providers outside the bloc.

Elderson said European banks cannot yet get Mythos, because Anthropic has released it to only a limited number of organizations in the United States.

That, he said, is no reason to wait. "The fact that you don't have access to this model is not an excuse for inaction. Malicious actors might have access to this technology soon," he said in remarks the ECB provided to American Banker.

Pedro Machado, another ECB supervisory representative, said in a February speech that generative AI is "sourced from a small number of major third-party providers," and he urged banks to reduce "vendor lock-in" (i.e., their reliance on one provider's proprietary technology).

The ECB is the latest authority to move. U.K. regulators told financial firms in a May 15 joint statement to take "active steps" against the cybersecurity risks of frontier AI, and the International Monetary Fund called AI-driven cyberattacks a systemic threat the same month.

No U.S. financial regulator has set comparable expectations.

The Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. have publicly issued no equivalent guidance for the banks they oversee.

Treasury Secretary Scott Bessent and Fed Chair Jerome Powell did meet privately with big-bank chief executives in April to warn them about Mythos.
