ECB warns euro area banks to brace for AI-powered cyberattacks

Frankfurt’s top banking supervisor is warning euro area lenders to move now against a new class of cyber threat: attacks driven by advanced AI tools that can probe systems faster, scale breaches more efficiently and turn small software flaws into major disruptions.

Frank Elderson, a member of the European Central Bank’s executive board and vice chair of its supervisory arm, said banks should not wait for direct access to Anthropic’s Mythos model before hardening their defenses. His message was aimed not just at banks but at their contractors and software suppliers, where a single overlooked weakness can become the entry point for account fraud, service outages or payment delays.

The warning lands at a moment when the ECB has already been treating cyber risk as a systemic financial-stability issue. ECB staff said in May 2025 that cyberattacks are playing an increasingly important role in hybrid conflicts and that publicly disclosed attack data has risen sharply over the past decade. Earlier, in January 2024, ECB board member Piero Cipollone said cyber risks had become one of the main issues for global security and put the annual global cost at more than $200 billion.

The central bank is now moving from broad concern to supervisory pressure. ECB supervisors were set to quiz bankers about risks from Anthropic’s new AI model, and Christine Lagarde has already said the ECB was studying defenses against Mythos-powered attacks despite not having access to the model itself. Elderson’s remarks suggest the bank sees the issue as urgent enough to push through the normal cycle of patching and compliance.

That urgency reflects a broader shift in the security market. Anthropic says Mythos Preview is its most capable frontier model yet for computer-security tasks, and it launched Project Glasswing on April 7 to give defenders early access to the model for protecting critical software. The launch partners include JPMorganChase, Microsoft, Google, Cisco, Palo Alto Networks, Amazon Web Services, Apple, Broadcom, CrowdStrike, the Linux Foundation and NVIDIA.

The concern is that the same capabilities helping defenders find hidden bugs can also help attackers automate reconnaissance and exploitation. U.S. banks with early access to Mythos have been racing to patch weaknesses the model flagged, showing how quickly AI can become a stress test for financial institutions. In Europe, the risk is not only whether banks can stop today’s phishing and malware, but whether they can absorb a future wave of attacks that may arrive in rapid succession and at scale.

The regulatory race is global. The European Commission is in contact with Anthropic and reviewing Mythos’s possible implications for EU policy and legislation. In Japan, the three largest banks, Mitsubishi UFJ Financial Group, Mizuho Financial Group and Sumitomo Mitsui Financial Group, are expected to gain access to Mythos around the end of May, while Japan’s finance ministry said it will create a public-private working group and hold its first meeting on Thursday, May 14, to address the threat. The gap between banks with access and those without is becoming part of the risk itself.