European financial regulators are sounding the alarm on the growing cybersecurity risks posed by advanced artificial intelligence models. In separate but complementary assessments, the European Banking Authority (EBA) and the Bank for International Settlements (BIS) have warned that the rapid development of frontier AI systems is reshaping the threat landscape for banks and could have far-reaching implications for global financial stability.
The EBA's June 2026 Risk Assessment Report highlights a marked increase in concerns among both banks and supervisors. Recent advances in large language models and other highly capable AI systems have demonstrated increasingly sophisticated abilities to identify and exploit software vulnerabilities. This capability, the regulator notes, is creating an environment where cybercriminals and hostile actors can probe weaknesses in banking infrastructure faster and more efficiently than traditional defenses can adapt. The EBA makes clear that its warning is not confined to the possibility of direct attacks. Banks now operate through complex technology stacks involving cloud services, third-party vendors, payment networks, and outsourced providers. A vulnerability in any single link can ripple across institutions, especially those with limited operational resources to respond to rapidly evolving threats.
The BIS echoes these concerns, adding that cyber incidents—whether deliberate attacks or accidental failures—have the potential to halt operations, compromise sensitive data, disrupt supply chains, and erode public confidence. Financial institutions are particularly exposed, the BIS explains, because breaches can cascade through interconnected payment systems and counterparty networks, amplifying systemic effects. The analysis points to several key drivers: sophisticated hacking tools, heightened geopolitical tensions, the rapid expansion of digital services, reliance on a small number of technology providers, and fragile supply chains.
While advanced AI could help strengthen defenses through faster vulnerability detection, the balance of risks depends on whether protective capabilities or offensive tools gain the upper hand. The BIS warns that frontier AI developments might empower attackers with automated, large-scale exploits, adding urgency to the need for preparedness. Ransomware remains the dominant source of insured losses, with attackers using multi-stage extortion tactics that can hit numerous organizations simultaneously.
The EBA report also extends the AI conversation beyond cybersecurity. It notes that AI-related optimism has driven elevated equity valuations, raising financial stability concerns if earnings expectations fall short. Data cited from the BIS indicates that AI-related projects accounted for more than one-third of private credit deals in 2025, up from 17% over the previous five years. The EBA cautions that investments in AI infrastructure—particularly data centers—face risks from construction delays, electricity supply constraints, and demand uncertainty.
On the insurance front, the BIS highlights a stark protection gap: approximately 99% of global cyber-related economic damages go uninsured. Small and medium-sized enterprises face the widest shortfall, but even large firms may encounter coverage limits insufficient for catastrophic scenarios. The BIS calls for collaborative action, including public-private initiatives to cover otherwise uninsurable perils, incentives linking premiums to security controls, and better incident data sharing. Regulators must balance enhanced transparency with affordability concerns, the BIS concludes, stressing that cyber insurance is a crucial safety net but no substitute for robust internal defenses.
Despite the rising risks, the EBA notes that European banks continue to report strong profitability, resilient asset quality, and capital ratios near record highs. Operational resilience, however, is fast becoming the defining challenge. As AI systems become more widely available, the ability of institutions—large and small—to manage cyber risk may become as critical to long-term stability as traditional credit and liquidity metrics.
