The use of artificial intelligence (AI) is creating new digital attack vectors for cybercriminals – the threat landscape is changing rapidly, presenting the banking sector with complex new challenges. The European Central Bank (ECB) now wants financial institutions to provide information in the short term on how well prepared they are for these threats, and is calling for an action plan to be drawn up promptly. The deadline: 31 October 2026. Our experts outline the regulatory requirements and explain how we can support your organisation in drawing up the action plan.
Scenario: A year’s worth of cyber incidents condensed into 24 hours
Think of the number of cyber incidents your organisation experienced last year, and imagine if they all took place within 24 hours. The first critical attack strikes: systems are taken offline, core processes grind to a halt, and customers can no longer access their accounts. Before recovery measures can even take effect, the next attack follows. And the one after that. Response teams fall behind; traditional processes – designed to handle individual incidents over extended periods – collapse under the sheer frequency and volume of attacks. In the case of cyber-attacks driven by Frontier AI – that is, the most powerful and advanced artificial intelligence currently available – this scenario is no longer mere speculation, but the new threat landscape.
The ECB is responding to the threats posed by AI-enabled cyberattacks
In letter SSM-2026-0301 dated 7 July 2026, the ECB’s Banking Supervision calls on significant institutions to submit an action plan to the Joint Supervisory Team by 31 October 2026 to defend against AI-driven cyberattacks.
The implication is that institutions wishing to defend against AI-driven attacks must make AI itself the cornerstone of their defences.
The ECB’s letter identifies six key areas in which institutions should take immediate action. Our experts can help you implement these optimisation measures quickly, efficiently and comprehensively.
How we support you:
Continuous attack surface management with AI-driven prioritisation
We consolidate internal and external assets into a single, unified inventory and assess each asset using AI-driven risk scoring based on exposure window and business criticality.
How we support you:
VulnOps – targeted vulnerability monitoring and management – as a permanent capability: automated and AI-first
We are building a VulnOps model that combines scanning, prioritisation and patching into a seamless pipeline. AI-powered CVE assessment, just-in-time patching and phased rollouts replace the weekly CAB cycle for critical fixes.
How we support you:
Combating AI with AI – from SOC alerts, i.e. warnings from the Security Operations Centre, through to automated response
We are modernising the SOC with LLM-based alert triage and detection-as-code. Data labelling at scale and automated AI-driven penetration testing continuously validate the effectiveness of detection.
How we support you:
Risk appetite, board reporting and AI supply chain management from a single source
We expand your cyber risk appetite framework to include AI-specific metrics right through to board reports, and supplement Third-Party Risk Management (TPRM) with AI supply chain assessments – from model provenance to the responsiveness and capability of technology providers (vendor preparedness) for accelerated vulnerability disclosure.
How we support you:
Zero Trust for non-human identities and agentic AI too
We bring Zero Trust principles to life in the context of vast numbers of non-human identities generated by agentic AI and service accounts: continuous verification, multi-factor authentication (MFA) and identity-centred access controls – including for APIs and agents.
How we support you:
Resilience testing against frontier AI scenarios
We refine incident response, backup and recovery procedures in line with the scenarios set out in the ECB letter: Zero-day waves, destructive AI attacks, ransomware, supply chain failures. Executive board tabletop exercises and threat-led penetration tests (TLPT) validate operational readiness under real-world conditions.
Comprehensive expertise for the ECB’s action plan
Our financial services experts bring the right expertise to the required action plan: in-depth regulatory knowledge of the Digital Operational Resilience Act (DORA), the Network and Information Security Directive (NIS2) and the EU AI Act, proven cyber delivery experience and our own best practices for AI security – and we ensure a fast and effective time-to-delivery. With market-leading, cross-sector expertise, we support European banks and insurers in detection and response, third-party risk management, threat-led penetration testing and AI governance frameworks – in close coordination with the relevant Joint Supervisory Teams (JSTs) of the ECB’s banking supervision and national supervisory authorities. In addition, we draw on the global KPMG network and digital applications that are already in use as part of our Trusted AI Framework in countries with comparable regulatory requirements. Drawing on this experience, we have developed an approach that enables us to meet the requirements of the ECB’s letter within the specified timeframe.
Für einen fokussierten 30-Tage-Sprint in fünf Schritten bündeln wir unsere Kompetenzen und erstellen für Ihr Unternehmen einreichungsfertige Unterlagen (Board Pack) bis zum 31. Oktober 2026.
At the end of the sprint, you will receive consolidated materials and documents – ranging from the standardised evidence base and the gap heatmap to the board pack – which you can continue to use as your own templates even after the submission.
After the deadline: implementing the action plan with us as your trusted partner
The Sprint provides the plan; implementation goes beyond that. In doing so, we draw on best practices aligned with industry standards across the six ECB focus areas – from attack surface management to crisis management, with third-party risks as an accompanying theme. In this way, the action plan does not stop at submission, but enables a robust improvement in security that goes beyond the level of mere compliance.
One thing is clear: the requirement is specific and has a deadline. We recommend preparing for the JST dialogue at an early stage, subjecting your existing cyber risk appetite to a structured review, and approaching the creation of the action plan not as a mere documentation exercise but as a strategic realignment. Arrange an initial consultation with us to tailor the sprint to your needs and benefit from our regulatory perspective, technical implementation expertise and experience from comparable programmes.
More KPMG Insights on this topic
Your contacts
Dr. Matthias Mayer
Partner, Financial Services, FS Chief Solution Officer and Chief Markets Officer
KPMG AG Wirtschaftsprüfungsgesellschaft
Christian Nern
Partner, Financial Services, Head of Cyber Security Solution
KPMG AG Wirtschaftsprüfungsgesellschaft