Strengthening operational resilience for the age of AI

Frank Elderson, Member of the ECB Executive Board and Vice-Chair of the Supervisory Board, highlighted the critical need for banks to strengthen operational resilience at the Goldman Sachs European Financials Conference 2026.

He emphasized that Europe faces unprecedented geopolitical and economic challenges, including high dependencies on external providers for energy, technology, security, and financial infrastructure. Reducing these dependencies is essential for safeguarding the European way of life, requiring an additional €1.2 trillion annually for green, digital, and defense transitions until 2031.

Operational resilience extends beyond capital adequacy. Despite financial strength, banks can be vulnerable to cyber incidents, technology failures, and dependencies on third parties. Examples include the 2023 ransomware attack on ICBC’s New York branch and the 2024 CrowdStrike system crash, illustrating that resilience involves maintaining critical services under operational stress.

The rise of AI introduces new cyber threats, with malicious actors using AI-generated identities and advanced models to conduct rapid, sophisticated attacks. AI tools are lowering the cost and increasing the speed of cyber exploits, making proactive resilience measures more urgent.

Management bodies must take ownership of cybersecurity and operational resilience, ensuring adequate resources and oversight. Supervisory efforts include stress testing and the implementation of the Digital Operational Resilience Act (DORA), which enhances cyber risk management and third-party oversight.

Supervisory authorities are preparing banks through targeted assessments and plans to issue guidance to ensure banks address vulnerabilities proactively. The goal is to prevent cyber threats from escalating into systemic disruptions.

Operational resilience is integral to banks’ competitiveness and trustworthiness. It requires continuous, multi-year investments in people, systems, and governance. Smaller banks should also enhance resilience, supported by proportional regulatory approaches that do not compromise risk management.

In conclusion, Elderson stresses that Europe’s financial stability depends on resilient banks capable of managing operational threats, especially in the context of AI-driven cyber risks. Early action and decisive investment are essential to support the transition to a sustainable and digital economy.