Europe’s financial regulator raises alarm over AI-powered cyberattacks

Europe’s top financial watchdog is sounding the alarm about a dangerous new reality: artificial intelligence is making cyberattacks faster and more devastating. The warning comes as geopolitical tensions create fresh vulnerabilities across the continent’s financial system.

Verena Ross, who leads the European Securities and Markets Authority (ESMA), says her agency is closely monitoring how AI could supercharge the speed of cyber assaults on financial institutions. The concern isn’t theoretical anymore – it’s becoming an urgent regulatory priority.

AI models create new attack vectors

The financial sector got a wake-up call this month when reports emerged about Mythos, an AI model from U.S. company Anthropic that can discover and exploit previously unknown cybersecurity holes in IT systems.

“We are closely watching how bringing AI models into this could increase the potential speed with which such attacks could happen,” Ross said in a recent interview in Paris. She declined to comment on specific AI providers but made clear that regulators are struggling to keep up with the rapid changes.

The challenge goes beyond just understanding the technology. ESMA has been reaching out to financial firms under its supervision to check their cyber defenses in light of these AI developments.

Regulators scrambling to catch up

Ross admits that European regulators need to step up their game significantly:

• Build expertise to properly oversee what financial companies are doing with AI
• Develop capabilities to monitor critical third-party tech providers
• Coordinate better between national and EU-level authorities

ESMA already took one major step in November when it worked with two other EU regulators to identify 19 technology companies as critical third-party providers to Europe’s finance industry. This was part of new rules designed to improve tech resilience across the sector.

Ross wouldn’t say whether AI providers might be added to this critical list later, but the implication seems clear given the growing concerns.

Perfect storm of risks

The cyber threat isn’t happening in isolation. Ross points out that these vulnerabilities could coincide with major shifts in how financial assets are valued – creating a potentially explosive combination.

Stock markets in the U.S. and elsewhere are trading near record highs, largely thanks to big tech companies. But Ross sees warning signs:

“We are still looking very carefully at how the markets are reacting in terms of the overall valuations, which are still very, very high, so there’s a question of what type of events might turn that general positive feeling in the market around and might lead to quite some selloff.”

Recent oil price spikes following conflicts involving the U.S., Israel, and Iran have already rattled investors. The concern is that a major cyberattack during such volatile times could trigger much broader market chaos.

Crypto regulation deadline looms

Adding to the regulatory complexity, national authorities across EU countries face a June 30 deadline for crypto company licensing. Companies that don’t secure proper licenses by then must stop offering services.

Early signs suggest compliance will be patchy. France’s regulator reported in January that nearly a third of unlicensed crypto companies hadn’t even told regulators whether they planned to get licenses.

“One of the challenges we will face from the first of July onwards is how do we then deal with the policing of the perimeter,” Ross said.

The European Commission wants to give ESMA more power to supervise major cross-border financial players, including big trading venues and crypto companies. The proposal has support from the EU’s six largest economies but faces opposition from some smaller countries.

Why this matters now

These developments represent more than just regulatory housekeeping. They reflect a fundamental shift in how cyber threats work in the AI age. Traditional cybersecurity approaches assumed human-speed attacks that could be detected and stopped with existing defenses.

AI changes that equation entirely. Automated systems can probe for vulnerabilities, launch attacks, and adapt their methods faster than human defenders can respond. For financial markets – where milliseconds can mean millions of dollars – this speed advantage could be catastrophic.

The timing makes things worse. Geopolitical tensions are already creating new attack vectors as state and non-state actors look for ways to disrupt enemy financial systems. AI gives these actors powerful new tools just when the stakes are highest.

Ross, who steps down from her ESMA role on October 31, clearly sees this as one of the most serious challenges facing European finance. Her warnings suggest that 2026 could be a pivotal year for determining whether regulators can keep pace with AI-powered threats – or whether the financial system will face unprecedented cyber risks.