How the ECB supervises AI in eurozone banks: technology-neutral, existing frameworks, a generative-AI focus
For the 2026-2028 cycle the ECB places AI under its operational-resilience priority, and in February 2026 two Supervisory Board members set out the stance: with 85%+ of supervised banks using AI, govern it within existing frameworks rather than new rules, with a sharper focus on generative AI.
The most consequential prudential supervisor in the euro area has now stated, in its own words, how it intends to supervise artificial intelligence – and the answer is deliberately undramatic. The European Central Bank (ECB), through the Single Supervisory Mechanism (SSM) that directly supervises the euro area's significant banks, has not written an AI rulebook. It has instead folded AI into its standing supervisory machinery and told banks where the pressure will fall. The position crystallised in the 2026-2028 supervisory priorities and was set out publicly in two February 2026 speeches by members of its Supervisory Board.
This matters because the SSM is not a soft-law body. Unlike the FSB or IOSCO, whose AI instruments work by persuasion, the ECB has binding supervisory powers over the banks it oversees: it can demand changes to governance, capital and risk management, and it conducts on-site inspections. When the ECB says how it reads AI risk, that reading has teeth, even without a single new AI-specific regulation.
The headline number, and what follows from it
Over 85% of the banks the ECB supervises already use AI, and generative AI is spreading from back-office IT into legal analysis and customer-facing functions. The supervisory inference is not that AI must be stopped, but that a technology this pervasive can no longer be treated as an experiment. As Supervisory Board member Patrick Montagner put it on 3 February 2026, many banks "still need to update their risk management frameworks" to address AI-specific challenges – data quality, explainability, model governance and accountability – even where they believe they can manage AI by building on existing capabilities.
"Technology is neutral, governance is not"
The clearest statement of the approach came from Pedro Machado, the ECB's representative to the Supervisory Board, on 24 February 2026, in a speech titled Technology is neutral, governance is not. His argument: the ECB does not propose to write bespoke binding rules for each new technology. It applies the existing governance expectations – above all the European Banking Authority's internal-governance guidelines – and insists that AI be governed "as a core business and risk topic, not as a technology side project." Accountability sits with the board and senior management; AI does not get a governance carve-out because it is new or technically opaque.
That is a technology-neutral, use-case-and-risk-based stance, and it is the same logic the United Kingdom's Bank of England and FCA and the FSB's sound practices follow: regulate the risk and the outcome, not the algorithm. The difference is that the ECB is already a hard supervisor of the institutions concerned, so the "existing frameworks" it points to are themselves binding.
Where AI sits in the 2026-2028 priorities
In the supervisory priorities for 2026-2028 (set out in November 2025 for the new three-year cycle), AI does not get a priority of its own. It sits under Priority 2 – operational resilience and ICT capabilities, attached to a medium-to-long-term strategy focused on banks' digital and, in particular, AI-related strategies, governance and risk management. The ECB frames AI through use cases and risks rather than AI types, and singles out generative AI for a "more targeted approach," describing it as "a significant technological leap forward, with a potentially high impact on banks." A specific worry is that AI security risks underestimated before deployment could introduce critical vulnerabilities into banks' ICT systems – which is precisely why AI lives in the operational-resilience priority rather than a standalone one.
The planned supervisory activities are concrete: targeted horizontal workshops with selected banks on generative-AI applications, continued monitoring of general AI use through dedicated data collections, and cooperation with the market-surveillance authorities responsible for the EU AI Act. The ECB is, in other words, positioning itself as a prudential supervisor that interfaces with the AI Act's enforcement architecture rather than duplicating it.
Credit scoring, fraud detection – and reward hacking
Two use cases get explicit attention because they touch core banking risk: credit scoring and fraud detection. The ECB has run workshops with banks deploying AI in both. Under the EU AI Act, AI used to evaluate the creditworthiness of natural persons is classified as high-risk, so the prudential interest and the product-regulation interest converge on the same systems. Montagner's February speech also flagged a more forward-looking concern drawn from frontier-AI research: "reward hacking," where advanced systems exploit loopholes in how their performance is measured and "start to respond in unexpected ways" that undermine their intended purpose – a governance problem that conventional model-validation may not catch.
The framework stack the ECB leans on
The ECB is explicit that it is building on instruments that already bind euro-area banks, using them as "a common language for managing risks consistently":
- the EU AI Act, for the high-risk classification of credit and other in-scope use cases and for the interface with market-surveillance authorities;
- DORA (in application since 17 January 2025), for ICT and third-party risk – including the cloud and model dependencies that generative AI creates; the ECB's July 2025 guide on outsourcing cloud services already addresses these;
- MiCAR, for the crypto-asset perimeter where AI tooling increasingly operates.
Why this is a pillar, not a press release
Read alongside the rest of this knowledge base, the SSM stance closes a gap. The international layer is covered – the FSB for global financial stability, IOSCO for securities regulators, the Hiroshima reporting framework and the US financial-services adaptation of the NIST approach. What was missing was the euro area's own hard prudential supervisor saying how it will actually examine AI inside the banks it controls. The answer – no new rulebook, existing frameworks applied with conviction, a sharpening focus on generative AI and a standing dialogue with AI Act enforcement – tells European banks that their AI governance will be tested through the ordinary supervisory cycle, not a separate AI regime. It also complements the national picture: the national market-surveillance authorities enforce the AI Act itself, while the ECB supervises the prudential consequences of the same systems.
Sources
- https://www.bankingsupervision.europa.eu/framework/priorities/html/ssm.supervisory_priorities202511.en.html
  ECB Supervisory Priorities 2026-2028 (18 Nov 2025): AI under Priority 2 (operational resilience/ICT), technology-neutral; sharper focus on generative AI.
- https://www.bankingsupervision.europa.eu/press/speeches/date/2026/html/ssm.sp260203~672ce5d5ff.en.html
  Speech, Patrick Montagner (ECB Supervisory Board), 3 Feb 2026: 85%+ of banks use AI; many must update risk frameworks; builds on AI Act, DORA, MiCAR.
- https://www.bankingsupervision.europa.eu/press/speeches/date/2026/html/ssm.sp260224~6c5b64a77a.en.html
  Speech, Pedro Machado (ECB to the Supervisory Board), 24 Feb 2026: "Technology is neutral, governance is not" – AI within existing frameworks, no new rulebook.