EBA Warns AI Models Increase Cyber Risks for Banks

The European Supervisory Authorities (EBA, EIOPA and ESMA) published their first annual overview of major ICT-related incidents under the Digital Operational Resilience Act (DORA) on June 3, 2026. The report, covering 3,383 major incidents from EU financial entities, states that banks must strengthen cybersecurity to keep pace with the potential use of highly capable AI-driven tools. The ESAs flag that one third of incidents had cross-border impact, driven by system failures and external events, and underline that robust third-party risk management is essential. The report signals that EU banking supervisors now formally treat advanced AI tools as a material cyber risk factor requiring operational resilience planning.
What happened
The European Supervisory Authorities (EBA, EIOPA and ESMA) published their first annual report on major ICT-related incidents in the EU financial sector on June 3, 2026, under the Digital Operational Resilience Act (DORA). The report covers 3,383 major ICT incidents reported by EU financial entities and finds that roughly one third had cross-border impact, driven by shared infrastructure and third-party services. The EBA press release states that "it is key that financial entities uphold to the highest cybersecurity standards to be able to keep pace with the potential use of highly capable AI-driven tools."
What the report found
System failures and external events were the main incident drivers. Around 10% of reported incidents were directly related to cybersecurity. Cross-border incidents accounted for approximately one third of the total, underscoring growing interconnectedness through shared infrastructure. Direct client and transaction impact was generally limited, but the supervisors flag systemic dimension and third-party risk as the central concern.
The AI angle
The ESAs flag, per the June 2026 DORA report, that highly capable AI-driven tools may amplify the speed and sophistication of exploitation attempts. The report does not frame this as a realized incident type but as a forward-looking operational resilience concern: financial entities should assume that adversaries will use AI tools and should plan accordingly. This framing differs from traditional cyber risk guidance in that it explicitly names AI capability growth as a driver of future risk, not just current incidents.
Why it matters
The DORA ICT incidents report is the first mandatory reporting of its kind under EU law. Its AI-cyber risk flag carries regulatory weight because it will inform supervisory expectations under DORA and the EU AI Act. Banks and insurers operating in the EU should treat this as a signal that their operational resilience frameworks will be assessed against AI-amplified threat scenarios in future supervisory reviews.
What to watch
Per the report, regulators are also watching third-party and outsourcing risk as channels for AI-enabled exploitation. Practitioners should track follow-on guidance from national competent authorities incorporating the DORA report findings, and monitor whether the EBA publishes more detailed AI-cyber risk guidance in its forthcoming Risk Assessment Reports.
Key Points
- 1The ESAs' first DORA ICT incidents report (June 2026) covers 3,383 major incidents and states AI tools require banks to uphold highest cybersecurity standards.
- 2One third of major ICT incidents had cross-border impact, per the report, underscoring shared-infrastructure systemic risk in EU financial services.
- 3Practitioners in EU-regulated finance should treat this as a supervisory signal: DORA compliance reviews will increasingly incorporate AI-amplified threat scenarios.
Scoring Rationale
The first mandatory DORA ICT incidents report from EU supervisors is significant for EU-regulated financial institutions: it formally names AI-driven tools as a forward-looking cyber risk factor requiring operational resilience planning. Not a landmark regulation itself, but authoritative regulatory guidance that will shape supervisory expectations. Score reflects notable regulatory signal, not a frontier model release or landmark enforcement action.
Sources
Public references used for this report.
Practice with real Banking data
90 SQL & Python problems · 15 industry datasets
250 free problems · No credit card
See all Banking problems

