Source
European Banking Authority
July 07, 2026
The European Supervisory Authorities (EBA, EIOPA, and ESMA – the ESAs) have expressed support for the European Systemic Risk Board (ESRB) warning regarding systemic cyber risks from frontier AI models.
Recent advances in frontier AI models have increased their ability to identify and exploit high-severity vulnerabilities rapidly. While the EU’s regulatory framework, including DORA and the AI Act, provides a foundation for managing cyber and AI risks, the speed and scale of these tools raise concerns about potential cyber-attacks undermining operational resilience in the financial sector.
Since the introduction of the first frontier AI models, the ESAs have raised awareness of ICT risks and engaged with EU authorities to ensure mitigation measures are in place. Their first annual report under DORA encouraged financial entities to strengthen cybersecurity measures to maintain resilience amid evolving AI capabilities.
The ESAs agree with the ESRB warning and urge financial entities to adapt their cybersecurity capabilities accordingly. They also call on supervisory authorities to incorporate these developments into their oversight activities. The ESAs highlight the need for increased EU capacity, expertise, and strategic autonomy involving AI providers, software firms, security companies, open-source maintainers, financial institutions, and authorities at both national and EU levels.
The ESAs are collaborating with EU supervisors to ensure proactive identification and mitigation of risks, aligned with DORA requirements, which establish a harmonized ICT risk framework for the financial sector.
As overseers of critical ICT third-party providers, the ESAs are engaging with these providers to assess measures taken to manage risks and ensure service continuity for the EU financial sector.
Background and next steps include monitoring the development of highly cyber-capable frontier AI models and assessing their impact. The ESAs will work with national supervisors to clarify supervisory expectations and communicate them to ensure compliance with existing regulations.