ECB to Send 'Dear CEO' Letter Urging Banks to Bolster Operational Resilience as AI Use Grows
The European Central Bank will send banks a sector-wide supervisory letter telling them to strengthen operational resilience as artificial intelligence spreads across the industry and as cyber and technology disruptions become more difficult to contain, ECB supervisory Vice Chair Frank Elderson said Tuesday.
Elderson, a member of the ECB Executive Board and vice-chair of the ECB Supervisory Board, announced the move in a keynote speech, “Strengthening operational resilience for the age of AI,” at the Goldman Sachs European Financials Conference 2026 in Zurich. In the ECB-published speech, he said “more than 85% of banks under European banking supervision use artificial intelligence,” underscoring why supervisors see the issue as extending beyond technology adoption to the safety and continuity of core banking systems.
He said the ECB’s Single Supervisory Mechanism will send a “so-called ‘dear CEO letter’” to banks, asking them “to take proactive measures to ensure the continued robustness and security of their systems.” Elderson said supervisors would then follow up in a targeted manner. A dear CEO letter is a standard supervisory tool used to set expectations across a sector; it is not a law or a formal sanction, but it can be followed by deeper reviews and other supervisory action.
Elderson pointed to lessons from the ECB’s 2024 cyber resilience stress test, which covered 109 banks, including a deeper assessment of 28 lenders’ ability to respond to and recover from a severe but plausible cybersecurity incident. He said the exercise showed banks broadly had response and recovery frameworks in place, but it also exposed areas needing improvement. Nearly three-quarters of the findings from that work have since been addressed, he said, suggesting progress but also a continuing need for supervisory pressure.
He also cited recent real-world disruptions that illustrated the risks. A November 2023 ransomware attack on ICBC’s New York unit disrupted settlement of U.S. Treasury trades, while a faulty update to CrowdStrike’s Falcon endpoint-security sensor in July 2024 crashed Windows hosts across multiple sectors. Elderson’s references were brief, but both cases show why supervisors focus not just on a bank’s own systems but on the knock-on effects of attacks, software failures and dependence on third-party technology providers: neither incident required an attacker to breach the affected banks directly.
The supervisory signal comes as the European Union’s Digital Operational Resilience Act, or DORA, is now in force across the bloc. The law entered into force in January 2023 and began applying from Jan. 17, 2025, tightening expectations for information and communications technology incident reporting, oversight of critical third-party tech providers and advanced resilience testing, including threat-led penetration testing. Against that backdrop, Elderson framed the ECB’s message as a push for banks to strengthen governance and controls before a serious failure exposes weak spots. “This is not about creating a sense of alarm, but rather a sense of urgency,” he said. “Our message as supervisors is simple: act early, invest decisively now, and do not wait for the next incident to reveal where your vulnerabilities lie.”