AMF Warns AI Is Reshaping Cyber Risk as It Intensifies Oversight of Financial Firms

Key Takeaways
  • AI Is Changing the Cyber Threat Landscape: The AMF warned that advances in artificial intelligence could accelerate vulnerability discovery, facilitate exploitation, and increase the scale and efficiency of cyberattacks against financial institutions.
  • DORA Implementation Remains a Supervisory Priority: The regulator continues to monitor compliance with the EU's Digital Operational Resilience Act, with a review of French firms' implementation efforts expected after European authorities publish incident-reporting findings.
  • AMF Will Survey Firms on AI Cyber Risks: Beginning in July, the regulator will assess how portfolio managers, crypto-asset service providers, and crowdfunding platforms are incorporating AI-related threats into cyber risk management and vulnerability remediation programs.
  • Cybersecurity Inspections Will Focus on AI-Driven Threats: Ongoing supervisory reviews will evaluate client data protection, incident management capabilities, and measures designed to address evolving risks associated with artificial intelligence.
  • Senior Management Is Expected to Take Ownership: The AMF stressed that cyber risks should be regularly tested, monitored, and integrated into internal control and risk management frameworks, with particular attention paid to resilience, recovery, and crisis response.
Deep Dive

Artificial intelligence is rapidly changing the cybersecurity equation for financial institutions, and France’s securities regulator wants firms to move faster in adapting their defenses. The French regulator, the Autorité des marchés financiers (AMF), said Thursday that strengthening cyber resilience remains a strategic priority as advances in artificial intelligence create new opportunities for both defenders and attackers.

The warning comes as financial regulators across Europe and beyond grapple with the implications of increasingly sophisticated AI systems capable of accelerating vulnerability discovery, simplifying exploitation techniques, and enabling malicious actors to scale cyber campaigns more efficiently than before.

While AI also offers benefits for threat detection, incident analysis, and cyber response capabilities, the AMF said financial institutions must ensure their risk management frameworks evolve alongside the technology.

"The rapid development" of AI technologies requires firms to adapt their cybersecurity and operational risk management arrangements, the regulator said, emphasizing that it intends to remain active across international policymaking, domestic supervision, and industry engagement.

AI Becomes a Financial Stability Concern

The AMF framed the issue not simply as a technology challenge but as a broader operational resilience concern. In its 2026 supervisory priorities, the regulator identified both the anticipation of emerging risks and the operational resilience of regulated entities as key focus areas. The growing capabilities of AI models have elevated those concerns, particularly as specialized systems become increasingly capable of identifying weaknesses in digital infrastructure and supporting more automated attack campaigns.

The regulator is participating in a range of international initiatives aimed at understanding those risks and coordinating regulatory responses. Its work includes contributions through the International Organization of Securities Commissions, the European Systemic Risk Board, the Financial Stability Board, and the G7 Cyber Expert Group.

The AMF noted that the Financial Stability Engagement Group within IOSCO is co-chaired by the AMF Chair and the chief executive of the Financial Conduct Authority.

DORA Compliance Remains Under the Microscope

The regulator also reaffirmed its focus on implementation of the Digital Operational Resilience Act (DORA), which became applicable across the European financial sector on January 17, 2025.

The AMF oversees compliance with DORA among entities under its supervision, including portfolio management companies, crypto-asset service providers, crowdfunding service providers, and market infrastructures.

Under the framework, firms must identify critical and important business processes and systems, establish cyber risk mitigation strategies, maintain incident management capabilities, conduct resilience testing, and manage risks associated with third-party technology and digital service providers.

European supervisory authorities are expected to publish a report on major incidents reported under DORA in the near future. Following that publication, the AMF plans to release its own assessment of how French entities under its supervision have implemented the regulation.

According to the regulator, the review will highlight lessons learned from incident notifications, the types of incidents being reported, and areas that warrant additional attention across the sector.

Survey Will Examine AI-Specific Cyber Controls

The AMF intends to gather information directly from firms about how they are addressing risks linked to AI systems. Beginning in July, the regulator will survey portfolio management companies, crowdfunding service providers, and crypto-asset service providers regarding measures already implemented, or planned, to manage AI-related cyber risks.

The exercise is intended to assess whether institutions have integrated those risks into their broader cyber risk management frameworks and vulnerability management processes, including identification, detection, and remediation activities.

The regulator said it will apply a proportionate, risk-based approach and plans to publish the survey's findings during the autumn. The initiative will complement a broader awareness campaign scheduled for the second half of 2026, including an educational webinar for industry participants on July 1.

Inspections Will Focus on AI-Era Threats

The AMF also confirmed that cybersecurity inspections will continue across regulated entities. Those reviews will examine how firms protect client data and assess the effectiveness of arrangements for preventing, detecting, managing, and remediating cyber incidents.

Inspectors will pay particular attention to measures designed to address emerging threats associated with advances in artificial intelligence.

The regulator reiterated that cybersecurity remains fundamental to investor protection, financial service continuity, and confidence in financial markets. As part of that message, the AMF called on senior management teams to ensure cyber risks are properly identified, monitored, tested, and embedded within internal control and risk management frameworks.

The regulator also urged supervised entities to align with established cybersecurity practices, including guidance issued by France's national cybersecurity agency, the Agence nationale de la sécurité des systèmes d'information, alongside DORA requirements and related European supervisory guidance.

Among the practices highlighted by the AMF were maintaining inventories of critical systems and service providers, strengthening access controls, protecting sensitive information through appropriate cryptographic safeguards, accelerating patch management, conducting regular backups and recovery testing, training employees on common cyber threats, and deploying mechanisms capable of detecting cybersecurity events.

The regulator also emphasized regular incident-response testing, technical security audits of critical assets, red-team exercises where appropriate, cyber crisis simulations, and the incorporation of AI-related threats into cybersecurity scenarios.
