# European Financial Regulators Warn AI Is Accelerating Cyberattack Sophistication and Systemic Risk

Europe's top financial watchdogs are sounding the alarm: artificial intelligence is not just transforming how banks and insurers operate — it is fundamentally changing the threat landscape they face. In a series of coordinated warnings and regulatory actions this spring, the European Supervisory Authorities (ESAs) — comprising the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) — have made clear that AI-powered cyberattacks represent a growing source of systemic risk across the continent's financial markets.

The warnings arrive at a critical juncture. The EU AI Act's high-risk system requirements take full effect on August 2, 2026, and the Digital Operational Resilience Act (DORA) is already reshaping how financial institutions manage their digital supply chains. Against that regulatory backdrop, the ESAs' Joint Committee published its 2025 Annual Report on April 24, 2026, highlighting a sharp focus on strengthening operational and cyber resilience, protecting consumers in digital financial markets, and enhancing cross-sectoral risk monitoring.

"Growing geopolitical tensions and rising cyber risks present significant challenges to financial stability," the ESAs stated in their spring risk assessment. "Financial institutions must navigate growing uncertainties, including exposure to international markets, liquidity risks, and the evolving role of artificial intelligence."

## AI as a Force Multiplier for Attackers

The concern is not hypothetical. European regulators have documented a measurable increase in AI-enabled fraud and cyber intrusion attempts targeting the financial sector. Deepfake-led fraud attempts have surged, with attackers using generative AI to clone voices and forge video for social engineering attacks against bank employees and high-net-worth clients. AI-generated phishing campaigns are becoming more convincing, more targeted, and harder to detect with legacy security tools.

Moody's 2026 cyber outlook forecast reinforced the European warnings, projecting that AI-powered cyberattacks will grow more dangerous throughout the year while regulatory harmonization efforts face increasing friction. The rating agency flagged the financial sector as particularly exposed due to its reliance on interconnected digital infrastructure and the high value of the data it holds.

The European Systemic Risk Board (ESRB) laid the intellectual groundwork for these warnings in December 2025, when its Advisory Scientific Committee published a landmark report identifying five features of AI that could significantly amplify systemic risk in the financial system: concentration and entry barriers in the AI provider market, model uniformity across institutions, monitoring challenges inherent to opaque AI systems, overreliance and excessive trust in automated outputs, and the sheer speed at which AI-driven decisions propagate through markets.

"AI errors are difficult to detect, outputs inherit biases from their training data, and there is a tendency towards excessive trust and overreliance on the tools themselves," the ESRB report concluded. "Since many of our existing enforcement protocols require identifying a person with legal responsibility, oversight is challenging."

## The Regulatory Response Takes Shape

The regulatory response is converging from multiple directions. Under DORA, which became fully applicable in January 2025, financial entities across the EU must maintain comprehensive ICT risk management frameworks, report major ICT-related incidents, and manage risks from critical third-party technology providers — a category that increasingly includes AI model providers. The ESAs have now published a list of critical ICT third-party providers subject to direct oversight, establishing a new layer of supervisory scrutiny over the firms that supply AI infrastructure to the financial sector.

Simultaneously, the EU AI Act is imposing its own requirements. AI systems used for credit scoring, creditworthiness assessments, and insurance risk pricing are classified as high-risk under the Act and must meet stringent transparency, accuracy, and human oversight requirements by August 2026. In Luxembourg, the CSSF will serve as the market surveillance authority for AI systems directly connected to financial services — one of the first concrete examples of national regulators assuming AI-specific enforcement responsibilities.

A survey conducted by the CSSF and the Luxembourg central bank found that approximately 28 percent of financial institutions already have AI use cases in production or development, while 22 percent are actively experimenting. Adoption rates are notably higher among payment and e-money institutions at 63 percent, and banks at 38 percent. Those figures underscore both the opportunity and the urgency: AI is already embedded in European finance, and the attack surface is growing in parallel.

The Eversheds Sutherland Global AI Regulatory Update for April 2026 noted that these converging frameworks — the AI Act, DORA, GDPR, the Anti-Money Laundering Directive, and MiFID II — create an increasingly complex compliance matrix for financial institutions deploying AI, requiring them to satisfy overlapping and sometimes conflicting requirements across multiple regulatory regimes.

## Why This Matters

The European regulators' warnings carry weight beyond compliance checklists. The ESRB report proposed a policy approach combining competition and consumer protection measures with specific adjustments to prudential regulation — including changes to capital and liquidity requirements, "skin-in-the-game" mandates for AI providers, and enhanced supervisory powers. If adopted, these measures would represent the first time systemic risk regulation has been explicitly calibrated around AI-specific vulnerabilities.

The cross-border dimension adds further complexity. As the ESRB noted, "AI is not bound by geographical borders," making international cooperation among regulators essential. Yet the regulatory landscape remains fragmented: the EU is moving ahead with binding rules while the United States and United Kingdom pursue lighter-touch approaches, creating potential arbitrage opportunities for both financial institutions and the threat actors targeting them.

## What to Watch Next

The August 2 deadline for high-risk AI system compliance under the EU AI Act will be the next major inflection point. Financial institutions that have not yet completed risk categorization of their AI systems face a narrowing window. The ESAs are expected to issue further joint guidance on AI risk management in the financial sector before the summer, and the ESRB's recommendations on AI and systemic risk are likely to inform the next round of macroprudential policy discussions at the European level. For an industry that has spent the last decade digitizing, the message from Europe's regulators is unambiguous: the same technology driving transformation is also driving the threats, and the window for proactive governance is closing.
