European banks can absorb current shocks, but AI cyber risks loom
Europe’s banks have room to absorb today’s shocks, but regulators say the next threat may move faster than balance sheets can respond.

Europe’s largest banks are entering the next phase of stress with ample capital and liquidity, but the warning from the region’s new banking watchdog is that the real test may come from AI-powered cyber attacks that can spread faster than traditional defenses can react. François-Louis Michaud, who took up the role of European Banking Authority chair on 16 April 2026, said the sector is resilient enough for current financial and geopolitical turbulence, but that strong balance sheets do not eliminate operational vulnerabilities.
That concern is not abstract. The European Central Bank said in December 2025 that it will run a geopolitical risk reverse stress test on 110 directly supervised banks in 2026, requiring each lender to identify a scenario that would wipe at least 300 basis points off common equity tier 1 capital. The aggregate results are due in summer 2026, underscoring that supervisors are looking past headline capital ratios and into how banks would behave under a severe, fast-moving shock.
The backdrop has grown more hostile. The ECB and the European Systemic Risk Board said in January that geopolitical shocks and policy uncertainty can tighten financial conditions, push up risk premia, reduce loan growth and weaken expected growth. They also said such risks have risen markedly since the mid-2010s, with notable jumps in 2024 and 2025. That matters for lenders because a cyber event in a tense geopolitical environment would not be read as a mere technology outage. It would be read as a broader stability signal.
The ECB has already tied cyber risk to hybrid conflict. In May 2025, it said cyberattacks were playing an increasingly important role in that kind of conflict and that assaults on financial firms often arrive in clusters. The European Banking Authority has separately said AI adoption has consolidated significantly across EU and EEA banks, with the most common uses in client and transaction profiling and customer support, including chatbots. Its updated ICT and security risk-management guidelines under the Digital Operational Resilience Act took effect on 20 May 2025, giving supervisors a common framework just as banks deepen their reliance on digital systems.
For markets, the practical stakes are bigger than compliance costs. An AI-assisted breach could hit payment flows, delay transactions, shake deposit confidence and rattle counterparties far beyond Europe if it lands in a major cross-border bank or service provider. Michaud’s message, delivered as he began his term, was that Europe’s lenders may be ready for the shocks they know. The danger now is the one that learns faster than they do.

