PARIS, April 24 - The head of Europe’s securities regulator cautioned that cyberthreats are on the rise and that emerging artificial intelligence models may accelerate the pace at which attacks can occur. The warning comes as European supervisors intensify engagement with financial firms and third-party technology providers to gauge and bolster cybersecurity resilience.
Verena Ross, chair of the European Securities and Markets Authority (ESMA), said geopolitical tensions have heightened cyber risk and that ESMA has been in touch with the financial entities it oversees to evaluate their defences amid recent AI developments. She emphasised the possibility that the introduction of advanced AI into cyber operations could increase the speed of attacks, saying: "We are closely watching how bringing AI models into this could increase the potential speed with which such attacks could happen." She declined to comment on individual providers.
The financial sector was unsettled earlier this month by reports that an AI model called Mythos, built by U.S. AI firm Anthropic, can locate and exploit previously unknown cybersecurity vulnerabilities in information technology systems. That episode has contributed to a broader sense among supervisors that fast-evolving AI capabilities are reshaping the cyber threat landscape.
Regulators themselves face the challenge of keeping regulatory and oversight capabilities aligned with rapid technological change. Ross said there is a need for both national authorities and EU-level bodies to "up our game" so they can properly monitor how financial firms are deploying AI and other technologies and build the expertise necessary to oversee critical third-party providers.
In a move aimed at strengthening the tech resilience of the bloc’s finance industry, ESMA and two other EU regulators in November identified 19 technology companies that they consider critical third-party providers under new rules. Ross declined to say whether AI providers might be added to that list at a later date.
Beyond cyber risk, Ross flagged market valuations and abnormal trading activity as additional supervisory concerns. She noted that elevated asset prices - in part driven by large technology companies - leave markets vulnerable to shifts in sentiment. "We are still looking very carefully at how the markets are reacting in terms of the overall valuations, which are still very, very high, so there’s a question of what type of events might turn that general positive feeling in the market around and might lead to quite some selloff," she said.
The executive, who is 58 years old and will step down from her post on October 31, added that large market swings commonly prompt scrutiny for potential insider trading. She pointed to recent extreme movements in prices - including an oil-price spike following the outbreak of the U.S. and Israeli war on Iran - as examples of volatility that draw supervisory attention.
Ross said that the Commodity Futures Trading Commission in the United States is examining a series of trades in oil derivatives, according to media reports. She explained that volatile markets driven by news often trigger closer inspection: "Whenever you see very volatile markets that are driven by news and things like that, it’s an area that you automatically spend some attention and look at carefully. That’s quite natural." She declined to discuss any specific regulatory activity.
On the subject of crypto, Ross outlined how national regulators retain responsibility for overseeing crypto firms within EU countries and have set an end-of-June deadline for firms to obtain licences or to stop offering services. She noted that France’s regulator reported in January that nearly a third of unlicensed crypto companies had not informed it whether they intended to seek a licence.
Looking ahead, Ross said a primary challenge from July 1 onwards will be how to "police the perimeter" as licensing and supervision arrangements take effect. The European Commission has proposed granting ESMA expanded powers to supervise important cross-border financial market players, including major trading venues and crypto companies, as part of a broader package intended to centralise oversight and reduce fragmentation across EU financial markets.
Those proposals have backing from the EU’s six largest economies but face opposition from some member states. "My impression is that there is indeed a political ambition now to try to move forward quickly," Ross said, underlining both momentum and remaining disagreement at the political level.
As regulators press firms on cyber defences, maintain vigilance over market valuations, and prepare for tightened cross-border supervision, financial institutions and technology providers operating in Europe will face intensified scrutiny. ESMA’s approach combines outreach to supervised entities, efforts to develop in-house and cross-jurisdictional expertise, and the use of regulatory tools aimed at strengthening resilience among critical third-party vendors.
That multi-pronged supervisory posture reflects a recognition among European authorities that fast-moving technological advances, geopolitical developments, and concentrated market valuations can combine to heighten systemic vulnerabilities in the financial sector.