ECB: AI Means European Banks Must Hasten Cybersecurity Pace

Artificial Intelligence & Machine Learning , Geo-Specific , Next-Generation Technologies & Secure Development ECB: AI Means European Banks Must Hasten Cybersecurity Pace France's Mistral Makes Digital Sovereignty Case for a European Mythos David Meyer • May 14, 2026     Credit Eligible Get Permission Image: Shutterstock The European Central Bank added to mounting warnings sent to financial institutions that they must urgently act to protect their systems from artificial intelligence-enabled cyberattacks. British experts warned that gains in AI models' cyber capabilities appear to be accelerating. See Also: Context Drives Security in Agentic AI Era Frank Elderson, vice-chair of the ECB supervisory board, said in a Wednesday regulatory newsletter that European banks' current lack of access to Anthropic's Mythos - the model whose appearance sparked the current wave of panic over AI that can quickly find and exploit vulnerabilities - was "not an excuse for inaction." "On the contrary, it makes it even more critical that banks step up and act now," Elderson said. He called for "bank-specific, risk-based" action in line with the Digital Operational Resilience Act, a cybersecurity law specific to the European financial sector. "Banks need to redouble their efforts to identify vulnerabilities, even minor ones, using existing AI tools. And their approach to patching needs to be changed. Vulnerabilities once thought minor - and therefore typically only patched in longer cycles - need to be treated as urgent and must be fixed right away." The ECB's warning closely echoed others in recent days, coming from the likes of the International Monetary Fund and the German financial regulator Bafin, who all say the sector faces an imminent threat (see: IMF Warns AI Has Made Cyber Risk a Financial Stability Threat). Elderson also noted that other critical infrastructure, on which banks rely, could be vulnerable now that automated hacking is likely to become more powerful and prevalent. "Banks therefore need to update their operational resilience plans to cater for the higher probability of severe disruptions," he said, urging banks to pay close attention to communications from EU and national authorities - and to keep an eye on what banks with access to Mythos are doing. For reasons that remain unclear, Anthropic has allowed European authorities and companies into Project Glasswing, its name for a collection of hand-picked companies selected for early access to Mythos. On Monday, OpenAI said it would let the European Commission and several regional companies - such as Deutsche Telekom and the Spanish bank BBVA use its new GPT-5.5-Cyber model to the same effect (see: OpenAI Unlocks Cybersecurity Model for Europe). France's Mistral - the EU's only rival to OpenAI, Anthropic and Google DeepSeek - also seems to be stepping up. Citing unnamed sources, Bloomberg reported Wednesday that Mistral was developing its own rival to Mythos and GPT-5.5-Cyber, and had been in secretive talks with large European banks about its use. On the same day, Mistral CEO Arthur Mensch added a digital-sovereignty twist to the matter by telling a French parliamentary inquiry that it is essential to have a local alternative for finding bugs in sensitive systems. "You can't have the French military's source code scanned by Mythos," he argued. "That creates such an irreparable dependency that we absolutely must find solutions." Also on Wednesday, the U.K.'s AI Security Institute - which got an early look at the Mythos Preview model and validated its capabilities a month ago - said a newer variant also showed an impressive leap in performance. "Since our blog post describing our pre-deployment testing of Mythos Preview, we received access to a newer checkpoint," AISI said in its new post. "This checkpoint delivered stronger cyber results than the previous version, including the first completion of both our cyber ranges." "In February 2026, we estimated that frontier models' 80%-reliability cyber time horizon had doubled every 4.7 months since reasoning models emerged in late 2024, given a 2.5M token limit," the post read. Token limits artificially depress success rates, allowing for the estimation of time horizons. "This was around half our November 2025 doubling time estimate, which was eight months for both 50% and 80% reliability. Claude Mythos Preview and GPT-5.5 have since significantly outperformed this trend. At the time of writing, it's unclear whether Mythos Preview and GPT-5.5 represent an isolated break from existing rates of progress or are part of a new, faster trend." AISI said its latest observations scanned with the time estimates coming from researchers at the non-profit METR, who track AI's capabilities in software engineering. METR sees a consistent doubling time of 4.2 months on software tasks. "Frontier AI's autonomous cyber and software capability is advancing quickly: the length of cyber tasks that frontier models can complete autonomously has doubled on the order of months, not years," AISI said in its post. "What this evidence does not tell us is how the pace of progress will evolve, when AI will reach any particular capability threshold, or how these capabilities will translate against defended, real-world systems." "The time to invest in strong security baselines is now," it added. "If the current rate of AI progress persists (or accelerates), AI cyber capabilities will remain a fast-moving target to track."