The European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority on Tuesday endorsed a warning from the European Systemic Risk Board about frontier AI models creating systemic cyber risks.

“Recent advances have significantly enhanced the ability of frontier AI models to identify and exploit high-severity vulnerabilities in IT systems within very short timeframes,” the ESAs said.

The statement set out two instructions. Financial entities were urged to adapt their cybersecurity capabilities. Competent authorities were asked to reflect the risk in supervisory work under DORA and the AI Act.

The ESAs framed the concern as systemic, pointing to shared infrastructure, service providers and interconnected systems that could widen the impact of an AI-enabled attack.

DORA incident baseline

In their first annual report under DORA on major ICT-related incidents, the ESAs recorded 3,383 incidents across the EU in 2025. Roughly one third originated from ICT third-party providers or other financial entities, and about one third had cross-border impact. Only around 10% were cybersecurity-related, but the ESAs said frontier AI is changing that threat profile.

The ESAs said they will continue monitoring highly cyber-capable frontier AI models, engage critical ICT third-party providers on continuity measures, and work with national supervisors to clarify expectations for regulated firms.