ECB officials warn that advanced AI models can reverse-engineer software patches in 30 minutes, leaving euro area banks scrambling to catch up.
The European Central Bank just told the continent’s biggest banks they need to spend more on cybersecurity, and the reason is exactly what you think it is: artificial intelligence is making cyberattacks faster, smarter, and harder to defend against.
ECB Executive Board member Frank Elderson delivered the message during an urgent meeting with major euro area banks on May 23, laying out a threat landscape that reads like a thriller movie pitch. Advanced AI models can now discover and exploit software vulnerabilities at speeds that make traditional defense timelines look quaint.
The 30-minute problem #
Elderson warned that AI models now have the capability to reverse-engineer software patches within roughly half an hour. In English: the moment a company releases a fix for a security flaw, AI can dissect that fix, figure out what the original vulnerability was, and build an attack around it before most security teams have finished their morning coffee.
Elderson specifically flagged models like Anthropic’s Claude Mythos as examples of the new generation of AI that can expose thousands of zero-day vulnerabilities. Zero-days are security flaws that software makers don’t know about yet, which means there’s no existing fix.
Elderson made the point bluntly, stating that issues in cybersecurity must be addressed more rapidly given AI’s advancements.
Europe’s AI access gap #
The meeting also surfaced an uncomfortable competitive reality. Euro area banks currently lack direct access to the most advanced AI models, including Mythos, while some US banks do not face the same limitation.
Elderson used this gap to push for greater information sharing among European financial institutions. If individual banks can’t each access frontier AI models, the thinking goes, they can at least pool intelligence about emerging threats and coordinate their defenses more effectively.
The ECB has maintained an ongoing cybersecurity dialogue with banks for some time, but the pace of engagement is now accelerating. No new regulatory mandates came out of the meeting. The ECB is framing this as a resilience-building exercise rather than a compliance crackdown.
Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our