CSSF and ECB raise expectations on AI-enabled cyber resilience
Published on 09 July 2026
The CSSF and the ECB have issued new guidance on AI-enabled cyber risks, governance under DORA and operational resilience. Discover the key expectations for financial institutions and the ABBL’s call for contributions to the FSB consultation.
Summary
Artificial intelligence is rapidly transforming the cybersecurity landscape. While recent advances in frontier AI models offer significant opportunities, they also enable malicious actors to discover vulnerabilities faster, generate sophisticated exploits and automate attacks at unprecedented speed and scale.
Against this backdrop, both the Commission de Surveillance du Secteur Financier (CSSF) and the European Central Bank (ECB Banking Supervision) have recently published important communications urging financial institutions to strengthen their cyber resilience and adapt their cybersecurity strategies.
Together, these publications send a clear signal: traditional cybersecurity practices alone are no longer sufficient in an AI-enabled threat environment.
Key takeaway
The CSSF and the ECB are sending a consistent message: financial institutions should no longer rely solely on patch management but strengthen their overall cyber resilience against AI-enabled threats.
The CSSF calls for a more holistic approach
In its communiqué published on 7 July 2026, the CSSF explains that traditional vulnerability and patch management are showing clear limitations as AI significantly shortens the time between vulnerability disclosure and exploitation.
Rather than assuming that cyberattacks can always be prevented, supervised entities should now operate on the assumption that some attacks will inevitably succeed, while strengthening their capabilities to identify, protect, detect, respond and recover.
Drawing on observations made during its supervisory activities, the CSSF also notes that many financial institutions still face recurring weaknesses, including:
- vulnerability scans that are not performed frequently enough;
- remediation measures implemented too late;
- insufficient reviews of network security safeguards; and
- secure configuration baselines that are not monitored regularly enough.
Governance expectations under DORA
In line with the ICT risk management requirements introduced by the Digital Operational Resilience Act (DORA), the CSSF expects all members of the management body to establish governance arrangements that support the effective management of AI-related cyber risks.
The regulator also encourages institutions to adopt a balanced cybersecurity strategy that allocates resources across the full resilience lifecycle rather than concentrating efforts solely on increasingly frequent patching.
Among the measures highlighted are:
- reducing the attack surface, particularly internet-facing systems and unsupported technologies;
- prioritising patching according to exposure and exploitability rather than theoretical severity;
- securing software development pipelines;
- designing ICT environments to contain incidents and limit lateral movement;
- strengthening proactive threat hunting capabilities;
- preparing operational procedures for “no-patch” scenarios;
- adopting AI-assisted defensive capabilities under appropriate human oversight; and
- regularly testing cybersecurity controls and incident response plans.
The ECB reinforces the same message
The CSSF’s position is reinforced by a letter issued on 7 July 2026 by ECB Banking Supervision to the Chief Executive Officers of significant institutions.
The ECB warns that emerging AI models are fundamentally changing the cyber threat landscape by enabling attackers to identify vulnerabilities and develop functioning exploits much more rapidly than before.
As a result, significant institutions are expected to assess the impact of this evolving threat environment without delay and prepare a comprehensive action plan covering concrete measures, required resources, responsibilities and implementation timelines.
The ECB identifies several priority areas for action, including:
- accelerating vulnerability and patch management at scale;
- strengthening monitoring, detection and AI-enabled defensive capabilities;
- ensuring effective third-party ICT risk management;
- protecting perimeter technologies and internet-facing ICT assets;
- reinforcing defence-in-depth and cyber hygiene;
- modernising legacy, unsupported and end-of-life technologies; and
- enhancing incident response, crisis management, recovery and information-sharing arrangements.
The action plan must be submitted to each institution’s Joint Supervisory Team (JST) by 31 October 2026. The ECB has also announced that the annual IT Risk Questionnaire collection deadline will move from September 2026 to February 2027.
A clear supervisory direction
Although the ECB letter is addressed specifically to significant institutions, its message is closely aligned with the CSSF’s guidance.
Taken together, the two publications illustrate a broader supervisory trend: cyber resilience in the age of artificial intelligence requires governance, operational preparedness and continuous resilience—not simply faster patch management.
For financial institutions, the focus is shifting from preventing every cyberattack to ensuring that organisations can effectively detect, contain, respond to and recover from increasingly sophisticated AI-enabled threats.
ABBL invites members to contribute
Alongside its own observations, the CSSF encourages supervised entities to review two recent international publications:
- the European Systemic Risk Board (ESRB) warning on systemic cyber risks stemming from frontier AI models; and
- the Financial Stability Board (FSB) consultation on sound practices for the responsible adoption of artificial intelligence.
The FSB consultation is open until 22 July 2026.
To help coordinate the banking sector’s input, the ABBL invites members to share their initial feedback on the seven consultation questions included in the FSB consultation.
Members are requested to send their comments to digital@abbl.lu by 15 July 2026 (close of business).
The ABBL also encourages all members, including less significant institutions, to consider the measures outlined in the ECB letter when reviewing their own cyber resilience strategies in light of the CSSF’s recommendations.
What members should know
- CSSF Communiqué: 7 July 2026
- ECB Banking Supervision letter: 7 July 2026
- ABBL feedback deadline: 15 July 2026 (CoB)
- FSB consultation closes: 22 July 2026
- ECB action plan deadline (significant institutions): 31 October 2026
- Contact: digital@abbl.lu
Andrey Martovoy
Senior Adviser - Innovation & Digital, ABBL
Published on 09 July 2026