There is a software vulnerability in the systems of a major European bank right now. The bank's IT team probably knows it exists. They have a patch queued up, scheduled for the next maintenance window in a few weeks. That timeline was fine in 2022. Today, according to the European Central Bank, it is a window large enough to drive a freight train through.

In a speech published today, the ECB formalized a warning it has been escalating since May: artificial intelligence has fundamentally changed the economics of cyberattacks on financial institutions. A software patch - the digital equivalent of fixing a known lock - can now be reverse-engineered by an AI model in roughly 30 minutes: the model compares the fixed code with the old code, locates the flaw, and produces a working exploit for it. That means the gap between a vendor publishing a fix and a criminal being able to weaponize the flaw it fixed, against every system that has not yet applied it, has collapsed from weeks to half an hour.

The ECB's message to the banks it supervises across the eurozone is blunt: stop treating cybersecurity as a scheduled maintenance task. What was a manageable update cycle is now a race against a machine. And the uncomfortable subtext, which regulators have been dancing around since May, is that the most powerful machine doing this work is one European banks are not allowed to use.

The background

Every piece of software has bugs - errors in its code that, under certain conditions, create openings that an attacker can exploit. When those openings are discovered and fixed, developers release a patch - a small update that closes the gap. The whole process sounds simple, but in a large bank running thousands of interconnected software systems, patching is a logistical nightmare. Systems need testing before updates are applied; critical infrastructure cannot simply be switched off during business hours. Patches get queued, reviewed, scheduled, and often applied weeks after they are released.

For decades, this was acceptable. Finding and exploiting a vulnerability required significant human skill, time, and resources. The attack surface was real but the number of people capable of acting on it was limited. Defenders had a window.

DORA - the Digital Operational Resilience Act - is the European Union's attempt to set baseline standards for how financial institutions manage this problem. It has applied since 17 January 2025 and covers everything from how banks test their systems against cyberattacks to how they manage their relationships with outside technology providers. The regulation requires firms to document ICT risks, conduct resilience testing, and report major incidents. It applies to financial entities across the EU, banks among them, and brings their critical ICT third-party providers under direct oversight.

The ECB, as the supervisor of the eurozone's largest banks, has been building its approach to AI risk into this framework throughout 2025 and 2026. Its supervisory priorities for 2026 to 2028, published in November 2025, flagged that significant cyber incidents had already doubled in recent years - before the current wave of AI-assisted tools had fully arrived.

What changed in 2026 is not the existence of the threat but its scale and speed. AI models can now scan an entire banking infrastructure for known vulnerability patterns automatically. They do not need sleep. They do not get distracted. And the best of them can take a released software patch, analyze what it fixed, and generate an exploit for the old vulnerability before most bank IT teams have even read the patch notes.

What is actually happening

Today's ECB speech, titled "Strengthening operational resilience for the age of AI," is the formal published output of an escalating supervisory campaign that began in earnest with an unusual gathering of eurozone bank executives on May 24. The ECB convened that meeting specifically to address what it described as a materially changed cyber threat environment - one shaped by the capabilities of a single AI model.

That model is Anthropic's Claude Mythos Preview, the frontier AI system at the center of the company's restricted Project Glasswing initiative. According to The Next Web's reporting, Mythos has identified thousands of zero-day vulnerabilities - previously unknown security flaws - across major operating systems and browsers. A zero-day is particularly dangerous because, by definition, no patch exists for it yet. Defenders cannot fix what they do not know is broken.

Frank Elderson, the ECB's executive board member and vice-chair of its supervisory board, described the core problem in terms of tempo. The length of cyber tasks that frontier AI models - the most advanced class of AI systems - can complete autonomously has been doubling on the order of months, not years. That compression is not a trend to monitor. It is a structural shift in the balance of power between attackers and defenders.

The specific statistic that has alarmed regulators is the 30-minute reverse-engineering window. When a software vendor releases a patch, the patch itself is a partial map to the flaw it fixed: comparing the patched code with the previous version shows exactly what changed, and the change (a new length check, a missing null test, a corrected comparison) points straight at the code that was vulnerable. This technique, patch diffing, has been standard practice among skilled attackers for years; what it yields is an exploit aimed at precisely the gap the patch closed, which works against any system that has not yet applied the patch and fails against any system that has. Historically the work took days or weeks, meaning that institutions that patched promptly were usually protected. According to analysis referenced in ECB communications, AI models can now perform this reverse-engineering in roughly half an hour. Patch deployment windows of weeks now look like an open invitation.
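A source-level illustration of what patch diffing extracts, added here as an example; it is not code from the ECB, Anthropic, or any of the reports cited, and the two C snippets it compares are constructed for the purpose (the copy_record routine and the RECORD_MAX constant are hypothetical). The script computes the unified diff a vendor effectively publishes, then pulls out the guards the patch added and the pre-existing statement each guard now protects. Read backwards, each guard condition is the input the old code failed to reject.

```python
"""Toy source-level patch diff.

Given the pre- and post-patch text of a function, list the guards the patch
added and the original statement each guard now protects. Read backwards,
every added guard describes an input the old code failed to reject, which
is what an attacker building an exploit for the unpatched version needs.
"""
from __future__ import annotations

import difflib
import re

# Constructed example, not taken from any real product: a record-copy
# routine before and after a bounds-check fix. RECORD_MAX is hypothetical.
BEFORE = """\
int copy_record(char *dst, const char *src, size_t len) {
    memcpy(dst, src, len);
    return 0;
}
"""

AFTER = """\
int copy_record(char *dst, const char *src, size_t len) {
    if (len > RECORD_MAX) {
        return -1;
    }
    if (src == NULL) {
        return -1;
    }
    memcpy(dst, src, len);
    return 0;
}
"""

# Matches a C `if (...)` guard on a line of its own, with or without the brace.
GUARD = re.compile(r"^if\s*\((.+)\)\s*\{?$")


def unified_patch(before: str, after: str) -> str:
    """The diff a vendor effectively publishes when it ships a fix."""
    return "\n".join(
        difflib.unified_diff(
            before.splitlines(), after.splitlines(),
            fromfile="copy_record.c (old)", tofile="copy_record.c (new)",
            lineterm="",
        )
    )


def guarded_sinks(before: str, after: str) -> list[tuple[str, str | None]]:
    """Pair each guard the patch added with the pre-existing statement it
    protects. Guards already present before the patch are ignored, since
    they say nothing about what changed."""
    old_lines = {line.strip() for line in before.splitlines()}
    new_lines = [line.strip() for line in after.splitlines()]
    found = []
    for i, line in enumerate(new_lines):
        m = GUARD.match(line)
        if not m or line in old_lines:
            continue
        # The first statement after the guard that the old code already had
        # is the code the guard now shields: the sink the old version
        # reached unconditionally.
        sink = next(
            (s for s in new_lines[i + 1:]
             if s in old_lines and s not in ("", "{", "}")),
            None,
        )
        found.append((m.group(1).strip(), sink))
    return found


if __name__ == "__main__":
    print(unified_patch(BEFORE, AFTER))
    for condition, sink in guarded_sinks(BEFORE, AFTER):
        # The guard rejects inputs where the condition holds, so an exploit
        # for the unpatched build must supply exactly such an input.
        print(f"old code reached `{sink}` even when {condition}")
```

Real tooling works on compiled binaries rather than source and has to reconstruct the changed functions first, which is the part of the job that used to take skill and time. The point the example makes is that the patch, not the advisory, tells an attacker where to look, so keeping patch notes vague buys a defender very little; only applying the patch closes the window.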

Elderson was direct about the implications: the lack of access to Mythos among European banks is not a reason to wait. According to reporting by GovInfoSecurity, he stated that banks must update their operational resilience plans to account for a higher probability of severe disruptions, and that they should treat DORA as a floor, not a ceiling.

The ECB's supervisory priorities published in November 2025 already identified operational resilience and ICT capabilities as a top concern, noting that the advancement of AI applications could significantly test banks' cybersecurity.

The money trail

The reason this matters economically - and not just technically - is that the financial system's stability depends on trust, and trust depends on availability. Banks do not just hold money; they run payment systems, settle securities trades, process payroll. A successful cyberattack that takes a major bank offline for hours does not only hurt shareholders. It disrupts supply chains, delays wages, and creates knock-on effects through the entire economy. The Bank for International Settlements, which coordinates global financial regulation, has been tracking AI's impact on financial system resilience through something it calls Project Raven.

The access gap running through this story is the real economic fault line. Only around 40 to 50 organizations globally have been granted access to Anthropic's Mythos Preview under Project Glasswing. According to The Next Web, those organizations include Amazon, Microsoft, Google, Nvidia, CrowdStrike, Palo Alto Networks, and JPMorgan Chase. As of late May, no European bank had been granted access. The negotiations between the European Union and Anthropic over access for European institutions were reported as stalled by Crypto Briefing as of May 22.

This creates a lopsided situation that ECB President Christine Lagarde described in explicitly geopolitical terms at the May 24 meeting: the tool finding the vulnerabilities in European banks' systems is available to American competitors, and potentially to attackers, but not to the European defenders who most need it. The AI is effectively operating as a form of asymmetric competitive advantage - not because Anthropic designed it that way, but because access remains structurally concentrated.

Meanwhile the costs of a breach compound across multiple parties. Banks that fail to meet DORA requirements face regulatory penalties. Customers bear the operational disruption. Insurance premiums for cyber coverage have risen sharply across the European financial sector. And European banks operating older, fragmented technology stacks - a legacy of decades of mergers across different national systems - face higher exposure than newer institutions built on unified platforms. Those legacy systems are harder to patch quickly, precisely because their interconnections are complex and poorly documented.

The incentive problem is not straightforward. Banks face a real dilemma: patching quickly means deploying updates without full testing, which is itself a leading cause of the system outages that regulators worry about. According to American Banker's coverage, the ECB's own data shows that rushed IT changes are among the primary drivers of unplanned banking downtime. Move too slow and AI exploits the gap. Move too fast and the patch itself breaks something. In practice the way out is rarely a single speed for everything but a tiered policy: flaws that are internet-facing or already being exploited get patched within hours, with staged rollouts and a tested rollback path, while lower-risk changes keep the normal test cycle; and where a patch genuinely cannot be applied in time, compensating controls such as network segmentation or temporary blocking rules cover the gap until it can.

What people are doing about it

European financial institutions have responded in three ways since the May 24 meeting, and the June 3 speech is the ECB's attempt to sharpen those expectations into something measurable.

The first response is accelerated patching programs. Major European banks have reportedly begun reviewing their patch management timelines, pushing to compress multi-week cycles into days for critical vulnerabilities. This requires additional IT resources, expanded testing environments, and in some cases changes to outsourcing contracts with third-party technology providers - who are themselves subject to DORA oversight.

The second is lobbying for access. France's Mistral, the European AI company, has been making what reports describe as a digital sovereignty case for the development of a European equivalent to Mythos - a frontier model that European banks could actually test their own systems against. The argument is that dependence on American models for the security testing of European financial infrastructure is itself a sovereignty risk. Whether European AI development can realistically close the capability gap with frontier American models in a meaningful timeframe is a question that European regulators have not answered publicly.

The third response is regulatory alignment. The European Banking Authority has been coordinating with national market surveillance authorities on AI Act implementation as it applies to financial services. Banks are establishing internal governance frameworks for AI risk that sit above their existing DORA compliance postures. The ECB's speech today formalizes those expectations and signals that supervisory reviews will start evaluating whether banks have updated their operational resilience plans to account for AI-driven threats - not just the cyber threats of three years ago.

The UK's financial regulators have issued comparable warnings. No US financial regulator has, as yet, issued formal guidance on the issue - a regulatory divergence that American Banker noted could create compliance asymmetries for banks operating on both sides of the Atlantic.

The bottom line

The ECB's new operational resilience speech is not really about cybersecurity. It is about a structural shift in who controls the pace of financial risk. When the window between a patch release and a working exploit collapses to 30 minutes, the bank that patches weekly is already exposed. The deeper problem - and the one neither DORA nor today's speech resolves - is that the tool driving this compression is held by a small group of American organizations, while the institutions being told to defend against it are European, locked out of the very system they are being asked to prepare for. The regulation exists. The urgency is real. The instrument is missing.

Timeline

  • September 2020: The European Commission proposes DORA as part of its digital finance package, following concerns about the financial sector's vulnerability to ICT disruption.
  • December 14, 2022: DORA is formally adopted as EU Regulation 2022/2554.
  • January 17, 2025: DORA comes into full application across the EU financial sector, without a transitional period.
  • July 2025: The ECB publishes its guide on cloud outsourcing, setting out how it expects banks to comply with DORA requirements for third-party technology providers.
  • November 2025: ECB Banking Supervision publishes supervisory priorities for 2026-2028, listing operational resilience as a top concern and noting that significant cyber incidents have doubled in recent years.
  • January 2026: DORA's oversight framework for critical third-party providers is formally launched.
  • February 3, 2026: Frank Elderson delivers a speech, "Encouraging innovation, managing risks," outlining the ECB's approach to AI risk in banking for the year ahead.
  • May 13, 2026: The ECB issues warnings to euro-area banks about AI-assisted cybersecurity risks, reported by Domain-B.
  • May 22, 2026: Negotiations between the EU and Anthropic over access for European banks to Mythos are reported as stalled, according to Crypto Briefing.
  • May 24, 2026: The ECB convenes eurozone bank executives for an urgent meeting on the cyber threats posed by frontier AI models, with specific reference to Anthropic's Claude Mythos Preview.
  • May 25, 2026: The Next Web reports on the ECB meeting and Elderson's message that banks must patch faster and treat their lack of Mythos access as reason for greater urgency, not less.
  • May 29, 2026: American Banker reports the ECB as the first eurozone supervisor to directly address the threat from frontier AI models; notes no US financial regulator has issued comparable guidance.
  • June 3, 2026: The ECB publishes today's formal speech, "Strengthening operational resilience for the age of AI," cementing the supervisory expectation that banks update resilience plans to account for AI-driven threats.

Summary

Who: The European Central Bank, led by Executive Board member and Supervisory Board vice-chair Frank Elderson, addressing the eurozone's largest supervised banks.

What: A formal supervisory speech demanding that banks accelerate cybersecurity patch management and update their operational resilience frameworks in response to AI-enabled cyber threats - specifically the capability of frontier AI models to reverse-engineer software exploits within approximately 30 minutes of a patch's release.

When: Today, June 3, 2026, formalizing a supervisory campaign that began with an urgent convening of eurozone banks on May 24, 2026.

Where: The ECB in Frankfurt, supervising banks across the 21-nation eurozone - but with implications for any bank operating under EU jurisdiction, including US banks with European operations.

Why: AI models can now find and exploit software vulnerabilities at a speed that renders traditional patch management cycles dangerously slow. The ECB has identified this as a systemic risk to financial stability, compounded by the fact that European banks lack access to the most powerful tool - Anthropic's Mythos - that is reshaping the threat environment.