Introduction
On 7 July 2026, the European Central Bank sent a letter to the CEO of every significant institution it supervises. The message was direct: artificial intelligence is fundamentally reshaping the cybersecurity landscape, and banks have until 31 October 2026 to submit a concrete action plan explaining how they will respond. For identity security teams in European financial services, this letter is validation. The ECB has now mandated, at a supervisory level, the controls that identity security professionals have been advocating for internally for years, often without executive buy-in. The conversation has changed.
Here is what the letter requires, and what banks need to do before the deadline.
What the ECB letter actually says
The core thesis is a shift in the economics of threats. Emerging AI models can identify software vulnerabilities and generate functioning exploits at unprecedented speed, compressing the timeline between vulnerability discovery and exploitation. The ECB is explicit that this is a long-term structural shift, not a temporary phenomenon tied to any single tool. The risks are not entirely new, but AI amplifies the speed and scale at which they materialize. The letter places responsibility squarely on banks' management bodies. Strategic ICT decisions, resource allocation, and risk tolerance frameworks may all need to be revisited. Governance and control systems are expected to be strengthened.
The requirements are set out in the Digital Operational Resilience Act (DORA), which the ECB confirms remains fully valid. Banks must submit their action plans to their Joint Supervisory Team by 31 October 2026, after which the ECB will run a horizontal analysis across all submissions.
The four short-term focus areas
The letter defines specific short-term priorities. Read them through an identity lens, and the pattern is unmistakable.
Protect potential attack surfaces.
Identify ICT assets, including third-party software and open-source components. Minimize and continuously monitor all internet-facing and externally exposed assets, including cloud environments and VPN connections to third parties. The letter also notes that threat vectors originate not only externally but from internal sources.
Accelerate vulnerability and patch management at scale.
Prepare for higher-volume, more frequent patching as AI accelerates vulnerability discovery.
Enhance monitoring, detection, and AI-enabled defensive capabilities.
Strengthen monitoring of application and access logs, network traffic, and other indicators to detect indicators of compromise and attempted exploitation.
Strengthen governance, funding, awareness, and supply chain assurance.
Assess whether current tooling and capacity are sufficient. Maintain adequate supply chain assurance, including understanding third-party providers' readiness for accelerated vulnerability disclosure.
Why this is an identity security mandate
The structural measures in the letter make the identity connection explicit. The ECB advocates a security posture that assumes perimeter defenses will be breached, particularly as frontier AI accelerates vulnerability discovery, including potential zero-day exploitation. Once you accept that the perimeter will fall, identity becomes the control plane that matters. The letter then calls for the adoption of zero-trust principles, including continuous verification of users, devices, applications, application programming interfaces (APIs), and service accounts. It names least-privilege access, multi-factor authentication, accurate asset inventories, and comprehensive logging as central baseline controls.
This is the language of identity security: service accounts, APIs, continuous verification, and least privilege. The ECB has told every significant bank in the Eurozone that identity governance across human and non-human identities is now a supervisory expectation, not an internal preference. For teams that have struggled to fund an identity security program, the funding conversation just moved from the security team to the supervisory board.
What banks need to do before the deadline
The action plan must build on the bank's existing cyber-risk strategy and address immediate and long-term measures. In practice, that means demonstrating three capabilities.
First, a complete and continuously updated inventory of every identity and asset in the environment, including the internal-facing systems and non-human identities that are frequently unaccounted for. You cannot protect an attack surface you have not mapped.
Second, runtime detection that surfaces indicators of compromise across access logs and identity behavior, fast enough to matter in a world where the exploitation window is collapsing.
Third, governance that runs continuously rather than through periodic review, with least-privilege enforcement and a full audit trail extending across cloud, system, and third-party boundaries.
The banks that struggle will be those treating this as a documentation exercise. The banks that succeed will treat it as an operational upgrade to their identity program.
How Unosecur helps banks meet the ECB requirements
Unosecur maps directly to three of the ECB's core focus areas.
Protect potential attack surfaces.
Unosecur's Unified Identity Fabric correlates AI agents, non-human identities, and human identities across your connected systems, giving you a single view of every identity and what it can access. This surfaces the exposures that create the attack surface: shadow admins, toxic privilege combinations, standing privileges, partially offboarded accounts, lateral movement, and identity drift. It then right-sizes access based on actual activity using attribute-based access control (ABAC).
Enhance monitoring, detection, and Ai-enabled defense.
Unosecur monitors identity behavior at runtime and builds behavioral baselines for non-human identities and AI agents, so anomalous access and drift stand out against normal patterns. The MCP Auth Gateway provides a runtime control point for AI agents, governing how they authenticate and which tools and services they can access. ARK AI, a plan-build-approve-execute-audit copilot for the Identity Fabric, investigates exposures, correlates findings across systems, and drafts remediation for your approval and can even take action.
Strengthen governance and supply chain assurance.
Governance runs on continuous visibility rather than periodic review. Unosecur enforces just-in-time access and just-enough-permission decisions, tracks who holds what across cloud and system boundaries, and keeps a full audit trail of access and change. For the supply chain, it maps cross-system identity chains and third-party access, and the MCP Auth Gateway controls the tools and external services AI agents connect to, so machine and third-party access stays governed at runtime.
Conclusion
The ECB letter marks a turning point. Identity security is no longer a discretionary line item that security leaders must justify against competing priorities. For significant institutions in European financial services, it is now a supervisory expectation with a fixed deadline and clear next steps. The October 2026 action plan is as much an opportunity as an obligation. Banks that use it to genuinely modernize their identity program, continuous visibility, runtime detection, and least-privilege enforcement across human and non-human identities will emerge more resilient against exactly the threats the ECB is warning about. The compression of the exploitation window is real. The regulatory clock is running.
See how Unosecur helps financial institutions meet DORA and ECB identity requirements. Book a demo at unosecur.com









