JMC (Jiangxi Media Corp.)
Europe’s markets watchdog warns cyber threats are growing as AI speeds up risks

Data breaches in financial services now cost an average of $4.88 million per incident, according to IBM. That number has been rising steadily. What changed this year is not the cost but the cause. Regulators across Europe are no longer talking about breaches as isolated security failures. They are treating them as a symptom of a structural shift, one that AI has quietly accelerated.

by Anonymous
April 27, 2026

In April 2026, Verena Ross, executive director of the European Securities and Markets Authority, said something that should have landed harder in boardrooms than it did. The risks from cyberattacks and the speed at which they can happen are both growing, she told Reuters from Paris, and the regulator has been directly contacting financial entities it supervises to assess their defences in light of recent developments in AI. ESMA does not issue warnings casually. When a regulator of its standing starts reaching out to supervised institutions one by one, the implication is clear: the existing posture is not enough.

The Speed Problem Is the Real Problem

Financial institutions have always managed cyber risk. What they have not had to contend with until recently is the speed at which that risk can materialise. Ross was direct about this, noting that ESMA is closely watching how AI models could increase the potential speed with which attacks can happen. The concern is not abstract. The financial sector was shaken this month by reports that Mythos, an AI model developed by Anthropic, can autonomously find and exploit previously undiscovered cybersecurity vulnerabilities in IT systems.

This matters because the entire architecture of financial market defence is built on response time. Detection, escalation, containment, and recovery. Each step assumes a window. AI-enabled attacks shrink that window in ways that most institutions are not operationally prepared for. Phishing attacks on financial institutions have surged 1,265% since 2022, driven largely by AI-generated content engineered to bypass conventional filters. The volume is one problem. The precision is another.

Third Parties Are Now the Weakest Link

ESMA, alongside two other EU regulators, named 19 technology companies as critical third-party providers to Europe's finance industry in November 2025, as part of a regulation designed to strengthen technology resilience across the bloc. The logic is straightforward. When trading venues, clearing systems, and data providers all rely on the same cloud infrastructure and the same handful of technology vendors, a breach anywhere in that chain can reach everywhere. The perimeter, in any traditional sense, no longer exists.

What makes this particularly difficult for senior leaders is that third-party risk does not show up neatly on internal dashboards. It lives in contract schedules, vendor security reviews that happen once a year, and SLA clauses that were never written with AI-assisted attacks in mind. Ross acknowledged that regulators themselves are grappling with keeping pace and that the EU collectively needs to build expertise to oversee critical technology providers properly. If the regulator is saying that openly, institutions should take it as a prompt to ask the same question internally.

The Compliance Framing Is Getting in the Way

The SEC's 2026 examination priorities show a notable shift: cybersecurity and AI concerns have displaced cryptocurrency as the dominant risk topic, driven by a pattern of large-scale data breaches, cross-sector attacks, and operational failures at technology providers with cascading impact across markets. In Europe, DORA has been in force since January 2025. Cyber resilience testing, incident reporting, and third-party oversight are now regulatory requirements, not optional frameworks.

But regulation sets a floor, not a ceiling. The institutions treating DORA as a checklist are solving the wrong problem. Research from Datos Insights finds that 57% of financial institution leaders now rank improving cyber governance at the board level as their top objective. That shift in boardroom priority is the right instinct. The risk is no longer contained in the IT function. A trading outage triggered by a vendor compromise carries reputational and liquidity consequences that sit squarely in the CEO's lane.

Three Immediate Priorities

Three priorities deserve immediate attention from leadership. The first is third-party mapping, but not the version that lives in a contract register. The operational version. Every institution carries vendors it depends on daily for trading, payments, and settlement. The question worth asking is a simple one: if that vendor went down tomorrow, or was quietly compromised last week, would anyone know before the damage spread? Most teams do not have a confident answer to that.

Second, reframe recovery speed as a competitive metric. Gartner projects that by 2028, more than half of CISOs will carry direct responsibility for disaster recovery alongside security operations. The firms that can return to full operation in hours rather than days will protect counterparty relationships and market position that slower-moving peers will not. That is a strategic differentiator, not just an operational one.

Third, acknowledge the talent gap honestly. The global cybersecurity workforce shortfall stands at 4.8 million, and existing teams are already stretched thin by alert volume. There is no hiring solution to that problem at the pace threats are evolving. The answer lies in building toward AI-native defenses that reduce the manual burden, not in waiting for the labor market to catch up.

Conclusion

The global AI security market is projected to reach $133.8 billion by 2030, up from $24.3 billion in 2024, growing at a compound annual rate of nearly 22%. That trajectory reflects the scale of investment that organizations across sectors now recognize as necessary, not discretionary.

ESMA's warning is a useful moment of clarity for decision-makers who may have been treating cyber risk as a contained, technical matter. It is neither. It touches financial stability, regulatory standing, and investor confidence. The institutions that grasp that connection and build their defense posture accordingly will be the ones still standing when the next wave of AI-enabled attacks hits. The ones that don't will be reading about themselves in incident reports.

JMC tracks where AI, regulation, and financial risk intersect, delivering the intelligence that senior decision-makers need to stay ahead of what is coming.
