Resources | Blog

July 9, 2026

The ECB Just Mandated What Identity Security Teams Have Been Asking For. Here Is What Banks Must Do By October 2026

Table of contents

Introduction

On 7 July 2026, the European Central Bank sent a letter to the CEO of every significant institution it supervises. The message was direct: artificial intelligence is fundamentally reshaping the cybersecurity landscape, and banks have until 31 October 2026 to submit a concrete action plan explaining how they will respond. For identity security teams in European financial services, this letter is validation. The ECB has now mandated, at a supervisory level, the controls that identity security professionals have been advocating for internally for years, often without executive buy-in. The conversation has changed.

Here is what the letter requires, and what banks need to do before the deadline.

What the ECB letter actually says

The core thesis is a shift in the economics of threats. Emerging AI models can identify software vulnerabilities and generate functioning exploits at unprecedented speed, compressing the timeline between vulnerability discovery and exploitation. The ECB is explicit that this is a long-term structural shift, not a temporary phenomenon tied to any single tool. The risks are not entirely new, but AI amplifies the speed and scale at which they materialize. The letter places responsibility squarely on banks' management bodies. Strategic ICT decisions, resource allocation, and risk tolerance frameworks may all need to be revisited. Governance and control systems are expected to be strengthened.

The requirements are set out in the Digital Operational Resilience Act (DORA), which the ECB confirms remains fully valid. Banks must submit their action plans to their Joint Supervisory Team by 31 October 2026, after which the ECB will run a horizontal analysis across all submissions.

The four short-term focus areas

The letter defines specific short-term priorities. Read them through an identity lens, and the pattern is unmistakable.

Protect potential attack surfaces.

Identify ICT assets, including third-party software and open-source components. Minimize and continuously monitor all internet-facing and externally exposed assets, including cloud environments and VPN connections to third parties. The letter also notes that threat vectors originate not only externally but from internal sources.

Accelerate vulnerability and patch management at scale.

Prepare for higher-volume, more frequent patching as AI accelerates vulnerability discovery.

Enhance monitoring, detection, and AI-enabled defensive capabilities.

Strengthen monitoring of application and access logs, network traffic, and other indicators to detect indicators of compromise and attempted exploitation.

Strengthen governance, funding, awareness, and supply chain assurance.

Assess whether current tooling and capacity are sufficient. Maintain adequate supply chain assurance, including understanding third-party providers' readiness for accelerated vulnerability disclosure.

Why this is an identity security mandate

The structural measures in the letter make the identity connection explicit. The ECB advocates a security posture that assumes perimeter defenses will be breached, particularly as frontier AI accelerates vulnerability discovery, including potential zero-day exploitation. Once you accept that the perimeter will fall, identity becomes the control plane that matters. The letter then calls for the adoption of zero-trust principles, including continuous verification of users, devices, applications, application programming interfaces (APIs), and service accounts. It names least-privilege access, multi-factor authentication, accurate asset inventories, and comprehensive logging as central baseline controls.

This is the language of identity security: service accounts, APIs, continuous verification, and least privilege. The ECB has told every significant bank in the Eurozone that identity governance across human and non-human identities is now a supervisory expectation, not an internal preference. For teams that have struggled to fund an identity security program, the funding conversation just moved from the security team to the supervisory board.

What banks need to do before the deadline

The action plan must build on the bank's existing cyber-risk strategy and address immediate and long-term measures. In practice, that means demonstrating three capabilities.

First, a complete and continuously updated inventory of every identity and asset in the environment, including the internal-facing systems and non-human identities that are frequently unaccounted for. You cannot protect an attack surface you have not mapped.

Second, runtime detection that surfaces indicators of compromise across access logs and identity behavior, fast enough to matter in a world where the exploitation window is collapsing.

Third, governance that runs continuously rather than through periodic review, with least-privilege enforcement and a full audit trail extending across cloud, system, and third-party boundaries.

The banks that struggle will be those treating this as a documentation exercise. The banks that succeed will treat it as an operational upgrade to their identity program.

How Unosecur helps banks meet the ECB requirements

Unosecur maps directly to three of the ECB's core focus areas.

Protect potential attack surfaces. 

Unosecur's Unified Identity Fabric correlates AI agents, non-human identities, and human identities across your connected systems, giving you a single view of every identity and what it can access. This surfaces the exposures that create the attack surface: shadow admins, toxic privilege combinations, standing privileges, partially offboarded accounts, lateral movement, and identity drift. It then right-sizes access based on actual activity using attribute-based access control (ABAC).

Enhance monitoring, detection, and Ai-enabled defense. 

Unosecur monitors identity behavior at runtime and builds behavioral baselines for non-human identities and AI agents, so anomalous access and drift stand out against normal patterns. The MCP Auth Gateway provides a runtime control point for AI agents, governing how they authenticate and which tools and services they can access. ARK AI, a plan-build-approve-execute-audit copilot for the Identity Fabric, investigates exposures, correlates findings across systems, and drafts remediation for your approval and can even take action.

Strengthen governance and supply chain assurance. 

Governance runs on continuous visibility rather than periodic review. Unosecur enforces just-in-time access and just-enough-permission decisions, tracks who holds what across cloud and system boundaries, and keeps a full audit trail of access and change. For the supply chain, it maps cross-system identity chains and third-party access, and the MCP Auth Gateway controls the tools and external services AI agents connect to, so machine and third-party access stays governed at runtime.

Conclusion

The ECB letter marks a turning point. Identity security is no longer a discretionary line item that security leaders must justify against competing priorities. For significant institutions in European financial services, it is now a supervisory expectation with a fixed deadline and clear next steps. The October 2026 action plan is as much an opportunity as an obligation. Banks that use it to genuinely modernize their identity program, continuous visibility, runtime detection, and least-privilege enforcement across human and non-human identities will emerge more resilient against exactly the threats the ECB is warning about. The compression of the exploitation window is real. The regulatory clock is running.

See how Unosecur helps financial institutions meet DORA and ECB identity requirements. Book a demo at unosecur.com

Ready To Secure Your Identities?

Blue cardholder with translucent card showing icons and the text 'unosecur'.
FAQs

Everything you Need to Know

The letter was addressed to the CEO of every significant institution supervised directly by the ECB under the Single Supervisory Mechanism. These are the largest banks in the euro area. However, the guidance reflects a broader regulatory direction: smaller institutions and banks outside the Eurozone operating under equivalent frameworks, such as DORA, should apply the same priorities where applicable.

Banks must submit their action plan to their Joint Supervisory Team by 31 October 2026. After submission, the JST will engage with each bank to discuss the plan and monitor its progress. The ECB will also conduct a horizontal analysis across all submissions to identify trends and share conclusions with institutions. This is an ongoing supervisory dialogue, not a one-time filing.

The ECB explicitly confirms that DORA requirements remain fully valid and highly relevant. The letter is not a new regulation; it is a supervisory call to action within the existing DORA framework, prompting institutions to assess the impact of AI-enabled threats and strengthen the controls DORA already requires around ICT risk management, incident response, and operational resilience.

Because the ECB adopts a posture that assumes perimeter defenses will be breached. Once that assumption holds, the controls that limit damage are identity-based: continuous verification of users, APIs, and service accounts; least-privilege access; and comprehensive logging. As AI accelerates exploitation, identity becomes the control plane that determines how far an attacker can move after initial access.

The letter names service accounts and APIs directly within its zero-trust guidance, and calls for continuous verification of both. As banks deploy AI agents and accumulate non-human identities, these become a significant part of the attack surface that the ECB is asking institutions to protect and monitor. Runtime governance of machine and agent identities is central to meeting the letter's intent.

Not in this action plan. The ECB notes that quantum computing will significantly affect the cybersecurity landscape and that adoption of post-quantum cryptography must begin now, but it states that it will address quantum-related encryption risks in a separate letter. The 31 October 2026 action plan focuses on AI-enabled threats.