SPEECH
Navigating risk, cutting complexity: financial conglomerates in the current environment
Speech by Anneli Tuominen, Member of the Supervisory Board of the ECB, at the Meeting of the Pan-European Conglomerate Club, held at OP Financial Group
Helsinki, 5 June 2026
It is a pleasure to be here and I would like to thank the organisers for inviting me.[1] Today, I will discuss the challenges financial conglomerates face in the current environment. As you know, financial conglomerates are cross-sectoral groups combining banking, insurance and sometimes investment services under one roof.[2] While they share risks in common with those faced by individual banks, these conglomerates may also be confronted with more idiosyncratic vulnerabilities or acute manifestations of common risks as a consequence of their differentiated business models and balance sheet characteristics. With this in mind, I will first describe the salient features of the current risk landscape before going on to highlight what makes financial conglomerates different from individual banks in this context. I will conclude by outlining what financial conglomerates, regulators and supervisors can do to successfully navigate these challenges going forward.
The fog of war in banking and finance
My starting premise is one that I hope you will readily accept: the risk landscape facing banks has become significantly more complex. There are three key factors driving this increase in complexity.
First, banks continue to face the traditional challenges that have typically been at the root of troubles in this sector – for example, credit risk, market risk, counterparty risk and, in many cases, governance deficiencies.
Second, in the current environment, banks also face non-traditional risks – such as those arising from cybersecurity, digitalisation, the non-bank financial sector, geopolitical instability and other hybrid threats. While none of these are completely new, the magnitude of the threat has grown to the point where risks we previously thought of as belonging to a tail scenario – in other words, very unlikely to materialise – have now become part of the baseline.[3]
Third, banks must also be aware of the potential interactions between these traditional and non-traditional risks, for example the extent to which geopolitical risks may act as a cross-cutting driver of other risks – for instance, credit and market-related risks. This could be the case through channels such as changes in expectations for real economic growth, inflation and interest rates.
The practical offshoot of this is that banks need to focus not only on a broader set of risks, but also on an increasing number of channels through which those risks may materialise. The need to monitor these risks in a period marked by high policy uncertainty[4] compounds the difficulties for banks in terms of their identification and remediation processes. It is the equivalent of trying to deal with “the fog of war” – but in banking and finance. As you may know, this term, popularised by Prussian military theorist Carl von Clausewitz, refers to the uncertainty, confusion and lack of situational awareness experienced by commanders and soldiers caught up in the maelstrom of military operations, especially when having to make strategic decisions based on inaccurate, incomplete or contradictory intel in an often chaotic conflict setting.[5] If we apply this concept to banking and finance, it captures the uncertainty that executives face during a period – like our current moment – of escalating geopolitical tensions, macroeconomic volatility and sudden market shocks; an uncertainty that forces them to make decisions on the basis of incomplete information and potentially conflicting market signals.
How do financial conglomerates differ from banks on risk transmission?
Having described the complex and uncertain risk landscape that banks are currently forced to navigate, let me discuss the extent to which these vulnerabilities affect financial conglomerates through channels of transmission that could be different from, or more intense than, those of individual financial institutions.
Across standard metrics, risks faced by conglomerates differ from those faced by individual banks on account of their differentiated business models. For example, financial conglomerates face credit risks just as regular banks do, but must also account for underwriting risks from inaccurate insurance assessments. Financial conglomerates – just like individual banks – face liquidity risks with regard to their banking activities (via, for example, the potential for sudden deposit withdrawals), yet the liquidity risks linked to their insurance activities tend to be more moderate. This is because policyholder payouts are generally slower and more predictable, notwithstanding risks arising from insurance surrender options.[6] In addition, while financial conglomerates exhibit the asset and liability mismatch linked to maturity transformation (of short-term liabilities into longer-term assets) that is inherent on the banking side, this feature is of less concern on the insurance side, where longer-term liabilities (such as life insurance) can be better matched with longer-dated assets.
Overall, conglomerates usually benefit from more stable revenue streams than individual banks on account of their more diversified business models. This is because – while on each side income can be sensitive to interest rate volatility – underwriting cycles for banking and insurance do not tend to correlate.[7] Financial conglomerates also benefit from business synergies related to the double usage of branches selling both banking and insurance products, for example by partially turning customers’ bank deposits into life insurance products for those same customers. Nevertheless, financial conglomerates face potential risks related to double-gearing of capital, where the same capital is used twice to cover the bank and insurance arm. In principle this double-gearing is addressed by a deduction requirement set out in the Basel prudential framework and implemented in the EU’s Capital Requirements Regulation. However, in derogation from Basel standards, the Capital Requirements Regulation also introduces a possibility for competent authorities to exempt banks in financial conglomerates from such a deduction and risk weight their insurance participations instead (known as the “Danish Compromise”).[8] This can lead to a more direct transmission channel between insurance market movements and regulatory capital metrics than would be the case for individual banks. This is because financial conglomerates typically maintain large portfolios of long-term fixed income assets. Changes in the valuation of these portfolios (stemming from changes in interest rates) can affect the financial position of the insurance undertaking and, depending on the group's structure and regulatory treatment, may also influence the banking group's capital position.
The residual risks related to the Danish Compromise explain why, from a supervisory point of view, the capital relief afforded by such an exemption has always been understood in a narrow sense[9]. And this is why supplementary supervision of a financial conglomerate is needed to ensure that the group as a whole has enough capital to cover both sectors combined, as mandated by the EU Financial Conglomerates Directive.[10] This aspect is also particularly important in light of the heightened reputational risks financial conglomerates face – arising from intragroup contagion from the insurance side to the banking side, or vice versa. I should note that the European supervisory framework is designed to contain the risk of cross-sector contagion. Prudential requirements are primarily applied at the level of individual legal entities, ensuring that risks are captured and addressed where they arise, while limits on intragroup exposures and safeguards against double-gearing further mitigate the build-up of vulnerabilities at group level. In addition, close cooperation between banking and insurance supervisors, most notably between the European Central Bank and the European Insurance and Occupational Pensions Authority, as well as with national competent authorities, provides a coordinated view of cross-sectoral risks and strengthens the effectiveness of supplementary supervision. This combination of solo-based prudential requirements, group-level oversight and cross-authority cooperation plays a key role in ensuring that potential spillovers remain contained and that the resilience benefits of diversified business models can be realised in practice.
Let’s now turn to risks related to operational resilience, including from artificial intelligence. Currently, these risks are a significant concern for individual banks and, for the following reasons, such concerns may be even more pressing for financial conglomerates.
The first reason for conglomerates facing amplified levels of concern is that they may have a dual-hatted risk profile for cyber and ICT risks. This would be the case if they were not – as individual banks are – just pure users of technology, but also insurers of cyber risks and other risks related to operational resilience. In this case, such entities would face both operational risk from the banking side and underwriting risk from the insurance side.[11]
The second reason for amplified concern is that financial conglomerates have a larger attack surface than individual banks – in other words there are more entry pathways and digital touchpoints with customers, legacy systems and other vulnerabilities that a hacker could exploit to breach a network. Both individual banks and financial conglomerates are exposed to a range of external threats, such as vulnerabilities arising from third-party vendors, as well as internal risks including inadequate change management practices. Financial conglomerates, however, face an additional layer of complexity. While shared ICT infrastructures in banking and insurance have a number of clear benefits in terms of economies of scale and cost efficiency, this also means that risks no longer remain contained within individual entities. Instead, such risks can spread across the group via internal contagion, creating spill-over effects that may amplify disruptions or increase systemic impact.[12]
The third cause for increased concern is interconnected workflows. Risks from artificial intelligence may be potentially higher for financial conglomerates than for individual banks, owing to interconnected workflows between the banking and insurance sides, and this can lead to cross-sectoral contagion.[13] While the increase of AI-based solutions offers a number of synergies that conglomerates can benefit from[14], the use of such technologies in closely integrated work environments also poses some risks that could weaken both banking and insurance pillars simultaneously. For example, this could arise from the use of a centralised customer data platform – known as a shared data lake – to feed AI models across both sides of the business, or from automated, AI-based cross-selling processes where banking behaviour triggers immediate insurance actions. Moreover, the larger attack surfaces of conglomerates mean that, in the context of an increasingly interconnected financial system, such entities may be seen as more vulnerable to AI-based attacks than is the case for individual banks.[15]
However, from a regulatory point of view, it is worth noting that, compared with individual banks, financial conglomerates are subject to higher levels of compliance under the EU’s Artificial Intelligence Act.[16] This is because, apart from certain AI-based processes used by banks for assessing creditworthiness, the legislation labels AI systems used for risk assessments and pricing for life or health insurance as “high risk”. Similarly, the degree of scrutiny under the EU’s Digital Operational Resilience Act is also higher for conglomerates than for individual banks.[17] For example, a financial conglomerate must prove it can recover a life insurance payout process even if its banking payment gateway is suffering a cyber attack. Evidently, this is a layer of testing that an individual bank is not subject to. So while financial conglomerates may appear to be more vulnerable to cyber and IT security risks than individual banks, conglomerates are also subject to more regulatory and supervisory scrutiny in this regard.
The fourth reason for heightened concern is market risks from non-bank financial institutions (NBFIs) other than insurance companies. The challenges stemming from the non-bank financial sector are more complex for financial conglomerates than for individual banks, even if the transmission channels are common to both types of entities. Financial conglomerates appear to be more vulnerable on this front because of their double-sided exposure via the banking side and the insurance side. This means that they could be exposed to funding risks on the banking side – for example, through money market funds, which provide large-scale funding to some banks – and to asset risk on the insurance side, as insurance subsidiaries tend to be major investors in NBFI products like private credit or leveraged funds[18] to find yield for long-term policyholder commitments. As is the case with individual banks, conglomerates are also vulnerable to negative loops involving hidden leverage[19] with NBFIs. More broadly, recent studies suggest that while the direct impact on banks from a simulated severe shock to global private credit markets would be small, it would be larger for insurance corporations and pension funds[20]. Taken together, these interlinkages have the potential, in the context of financial conglomerates, to turn what is, for individual banks, an external market-driven risk into a more complex internal risk.
How should financial conglomerates respond to current risks?
We have seen that, while the channels of transmission stemming from the current risk landscape for financial conglomerates are broadly similar to those of individual banks, their differentiated business models and balance sheet characteristics suggest that risks could materialise more intensely. If this is the case, the next question to ask is: what can financial conglomerates do to guard against such risks? I would like to highlight three points in this regard.
First, financial conglomerates should look to reinforce their governance frameworks. The complex risk landscape they face means that the demands placed on their management bodies have also changed as they seek to continue effectively understanding and overseeing their business. This means, for example, that management bodies should have the collective capacity to understand all things digital. This capacity is vital if they are to successfully identify and address the risks stemming from the increasing digitalisation of financial services. The collective expertise of management bodies when it comes to ICT is an area where we at the ECB still see room for improvement among some of the entities under our direct supervision. This is why we have developed a dedicated set of supervisory expectations to help banks bridge the remaining gaps in this area.[21] In addition, the increase in the potential channels of contagion between insurance and banking activities or vice versa (including on account of risks potentially amplified by NBFIs) suggests that financial conglomerates should seek to buttress their internal risk management frameworks to address potential vulnerabilities in this regard.
Moreover, the growing breadth of awareness needed by management bodies amid the current environment of geopolitical risks and high uncertainty suggests that financial conglomerates should keep their crisis management playbooks up to date and develop “what if” scenarios to help with contingency planning. The ECB aims to contribute to these efforts through the reverse stress test on geopolitical risks it has conducted with supervised entities, whose results will be presented later this year. Unlike an ordinary stress test, we have provided an outcome rather than a scenario. It has then been up to each bank to determine what kind of scenario would lead to that particular outcome.
Second, financial conglomerates should strengthen their operational resilience frameworks, particularly as their larger attack surface can make them more vulnerable to cyber and ICT risks. In recent years we have conveyed this message to all our supervised entities regardless of their size or business model and ensured that operational resilience has remained among our top supervisory priorities. Unfortunately, recent events have shown that this recommendation remains fully valid – and will continue to serve banks well for the foreseeable future. While banks have frameworks in place to respond to and recover from severe cyber incidents, there is still room for improvement.[22] Much of our supervisory focus in this area concerns change management risk, since we observed that a sizeable share of the major incidents reported by banks in 2025 had ICT change as their root cause.[23] Moreover, amid growing interconnectedness in the financial system, banks depending on a handful of third parties offering cloud services, including outsourcing of critical functions that are difficult or impossible to replace, opens the door to cascading effects from cyber incidents in the supply chain.
The Digital Operational Resilience Act has given the ECB new tools to help banks keep such digital-related risks in check. These include increased oversight of banks’ third-party dependencies and responsibility for managing banks’ threat-led penetration testing, which mimics the tactics, techniques and procedures of real world actors to test banks’ live systems. A pan-European Systemic Cyber Incident Coordination Framework has also been established. Smooth cooperation between the different national and supranational stakeholders tasked with ensuring cyber resilience in the EU will thus be needed for this framework to work as intended in the event of cross-border or systemic cyber events.
We have also been engaging with directly supervised banks to better understand the potential implications of AI models that can find flaws in software (such as Anthropic’s “Mythos” model[24]). We have reason to believe that these advanced AI models mark a structural shift in cybersecurity-related threats, notably owing to the significantly shorter window between identification and exploitation of vulnerabilities in bank ICT infrastructures. We have thus impressed on banks the need to reinforce existing controls around software development and third-party patches, requiring more investment in cybersecurity. And we have also recommended that they invest more in AI technologies on a sustained, multi-year basis to counter the growing threats to their franchises from malicious actors using those same technologies. Banks should therefore see AI-related cyber resilience as a fast moving target for the long haul, rather than a fixed target for the short term.
Third, financial conglomerates should enhance their communication strategies to better address potential risks as they develop. This applies to both internal communications strategies (including updating crisis management playbooks and developing “what if” scenarios) and external communications strategies (communicating with clients in case of potential operational disruptions to services). During the cyber resilience stress test conducted by the ECB in 2024, we found that many banks did not have sufficiently well-developed communication plans to reach out to their customers in crisis situations, including during cyber incidents. Our supervisors have therefore been following up on the findings with the affected banks to ensure that effective communication contingency plans are in place. Separately, we know that the digital information age has turbocharged potential reputational and other disinformation-related risks to financial entities more broadly, including through possible flash crashes and bank runs.[25] As noted earlier, financial conglomerates may be more exposed to risks with reputational implications than individual banks, owing to the potential for contagion between the banking and insurance sides (or vice versa). This is why I would also include social media monitoring under this category – for example to actively identify and counter misinformation, so that inaccurate or misleading narratives do not undermine trust in financial entities.
What can bank regulators do to help?
Significant steps could also be taken from a regulatory point of view to help financial conglomerates navigate the current risk landscape and, in doing so, facilitate banking supervision. In recent years, the EU has made progress on legislation to help banks and their supervisors address sharply increasing vulnerabilities, particularly in the area of cyber resilience through initiatives such as the Digital Operational Resilience Act and the Artificial Intelligence Act. However, less attention has been paid to measures that support bank resilience indirectly, even though they are just as important. These could include, for example, promoting a more integrated banking market and thereby better shielding the European banking sector from external shocks or freeing up banks’ time and resources so they can pay closer attention to significant sources of risk.
How to promote bank competitiveness in the EU has risen to the forefront of the supervisory and regulatory policy agenda – and with good reason. The European Commission is preparing a landmark report on the competitiveness of the EU banking sector for publication in July 2026. As part of its scoping exercise, the Commission launched a targeted consultation with different stakeholders, including the ECB, to gather views on what needs to be done. I will briefly highlight three proposals we included in our public response which, if enacted, would be particularly beneficial for financial conglomerates.[26]
First, we proposed a host of measures, which could be grouped under the heading “more Europe”. European banking markets remain fragmented at national level, while persisting barriers hinder banks from fully capitalising on the advantages offered by the Single Market. By way of remedy, we need to make progress on completing banking union as it was originally conceived, in particular by setting up a European deposit insurance scheme. In parallel, we need to deepen banking integration by further harmonising rules and removing barriers to the free flow of capital and liquidity between cross-border groups. And we need to foster deeper capital markets by advancing the savings and investment union. As part of these efforts, the legal framework underpinning banking activity should be reworked to increase comparability and give it a true European character. In particular, shifting the focus of EU banking rules away from directives and towards directly applicable regulations would create a harmonised toolkit, significantly improving the effectiveness of the EU prudential framework. These are all ambitious but necessary measures, in that they would yield a stronger and more efficient financial sector that would better serve European citizens.
Our second proposal is to streamline banks’ capital requirements and buffers, also known as capital stacks, and their reporting burdens. We have made it clear that simplification and harmonisation are not tantamount to deregulation, and that we do not see a case for reducing the banking system’s hard-won overall resilience. That said, we acknowledge there is scope to simplify regulation and reduce banks’ compliance costs. On streamlining banks’ capital stacks, a natural starting point would be to harmonise the macroprudential framework. The ECB has proposed merging the existing five macroprudential buffers into two, namely a non-releasable buffer (comprising the current capital conservation buffer and the buffers for global and other systemically important institutions) and a releasable buffer (consisting of the current countercyclical capital buffer and systemic risk buffer). We also proposed that, to increase the consistency of the macroprudential stance across the banking union and to avoid unwarranted overlaps or inconsistencies, the calibration of all elements in the framework should be guided by clear common principles and methodologies.
With regard to easing the level of reporting required of banks, achieving a more integrated and streamlined reporting framework is key to enhancing efficiency, both for banks and supervisory authorities. The ECB has outlined a number of areas for simplification, including fostering data sharing among European authorities through the Joint Bank Reporting Committee, establishing a fully integrated European reporting system, defining a supervisory tolerance margin for errors based on a materiality concept, publishing an inventory of non-market sensitive reporting requirements imposed on banks, periodically reviewing the relevance of reporting requirements and reforming the EU public disclosure process. These improvements would particularly benefit financial conglomerates given their reporting requirements to different authorities. And this can be achieved while upholding the supervisory “need to know” principle.
Third, we proposed establishing a more level playing field between banks and NBFIs. Adjusting the prudential framework to close regulatory gaps between banks and non-banks would reduce disintermediation risks while supporting innovation. Currently, non-banks may re-bundle bank activities while remaining subject to lighter regulatory regimes and solo entity supervision, creating a risk of regulatory arbitrage and unfair competition. Some of these entities have a substantial footprint in the system, serving both end users and financial institutions, and play a critical role in the financial infrastructure. To safeguard the financial system’s resilience while supporting innovation, comprehensive oversight of the full range of financial and ancillary services provided by these entities is needed, together with enhanced prudential requirements for large and complex non-bank groups. This approach aims to ensure that similar risks are subject to comparable regulatory treatment irrespective of an entity’s legal form. It would also give supervisors a better handle on where the risks related to banks’ exposures to NBFIs actually lie.
Conclusion
To conclude, in recent times the risk landscape in which individual banks and financial conglomerates operate has become significantly more complex, especially owing to the intensification of non-traditional risks such as cyber and ICT risks, risks from NBFIs, geopolitical risks and hybrid threats.
I have likened the current situation in banking and finance to the fog of war – where escalating geopolitical tensions, macroeconomic volatility and sudden market shocks are forcing bank executives to make decisions on the basis of incomplete information and potentially conflicting market signals. In this environment, both individual banks and financial conglomerates face broadly similar risks. However, given their differentiated business models and balance sheet characteristics, such risks could materialise with greater intensity for conglomerates.
To cope with these challenges, conglomerates should reinforce their governance mechanisms, strengthen their operational resilience frameworks – including through sustained investment in cybersecurity and AI – and improve their communication strategies. And regulatory authorities also have an important role to play, albeit indirectly, by working to achieve a more integrated banking system that is better able to withstand external shocks, thus allowing banks to focus on addressing core risks.
I would like to close by returning once more to Carl von Clausewitz. In his view, the fog of war – and its inherent frictions that lead to unforeseen difficulties accumulating – could never be eliminated entirely. So, instead of depending on perfect information, von Clausewitz proposed relying on adaptability, speed and decisive leadership. Now is the time for European policymakers to step up and show these qualities in order to achieve an even more resilient financial system.
I am grateful to Francisco Ramon-Ballester for preparing a first draft of this speech, and to Giorgio Buono, Limdara Chea, Thomas Jorgensen, Patrick Montagner, Alberto Partida, Raphael Poignet and Mikulas Prokop for helpful comments. I am solely responsible for the views expressed here and for any errors.
Under EU law, a group is generally identified as a financial conglomerate only when its cross-sectoral activities meet certain thresholds based on a percentage of the balance sheet and/or the absolute size of the smallest of the two sectors in the total balance sheet. See Montagner, P. (2025), “Stronger together, separately strong: ECB expectations for financial conglomerates”, Speech at the Meeting of the Pan-European Conglomerate Club at DZ Bank, Frankfurt am Main, June.
Tuominen, A. (2025), “Improving banks’ resilience to hybrid threats”, speech at the conference “The Current Hybrid Threat Environment and Financial Stability”, jointly organised by Commerzbank and the European Centre of Excellence for Countering Hybrid Threats, 18 November.
European Central Bank (2026), “Financial stability implications of geopolitical and geoeconomic risks”, Financial Stability Review, May.
Von Clausewitz, C. (1832), On War.
Grochola, N., Gründl, H. and Kubitza, C. (2023), “Life insurance convexity”, Working Paper Series, No 2829, ECB.
Chen, S. H., Chang, T. and Lee, C. C. (2018), “The dynamic linkage between insurance and banking activities”, International Review of Economics & Finance, 58, pp. 203-217. See also Timmer, Y. (2016), “Cyclical investment behavior across financial institutions”, Working Paper Series, No 18, ESRB, July.
The Danish Compromise was introduced in 2012 during the Danish Presidency of the EU Council in connection with the European Union’s Capital Requirements Regulation.
European Banking Authority (2026), EBA report on the completeness and appropriateness of the definitions and provisions on consolidation under article 18 (10) of the CRR, January.
International Association of Insurance Supervisors (2026), Cyber risk and operational resilience.
European Systemic Risk Board (2020), Systemic Cyber Risk, February.
Labini, S. S., D’Apolito, E. and Nyenno, I. (2025), “Systemic Risk and the Insurance Sector: A Network Perspective”, in Pacelli, V. (ed.), Systemic Risk and Complex Networks in Modern Financial Systems, New Economic Windows, Springer, Cham.
Cecchetti, S., Lumsdaine, R. L., Peltonen, T. and Serrano, A.S. (2025), “Artificial intelligence and systemic risk”, Advisory Scientific Committee Reports, No 16, European Systemic Risk Board, December.
Adrian, T., Gaidosch, T. and Ravikumar, R. (2026), “Financial Stability Risks Mount as Artificial Intelligence Fuels Cyberattacks”, IMF Blog, International Monetary Fund, 7 May.
Montagner, P. (2025), “Non-bank financial institutions: understanding transmission channels and regulatory challenges”, Contribution for Eurofi Magazine, Copenhagen, 17 September.
Buch, C. (2025), “Hidden leverage and blind spots: addressing banks’ exposures to private market funds”, The Supervision Blog, ECB, 3 June.
ECB (2026), “Stress in global private credit markets and its implications for euro area financial stability”, Financial Stability Review, May.
ECB (2024), “New policy for more bank board expertise on ICT and security risks”, Supervision Newsletter, 21 February.
ECB (2024), “ECB concludes cyber resilience stress test”, press release, 26 July.
Tuominen, A. (2026), “Upgrading banks’ capacity to deal with digital risks”, Contribution for Eurofi Magazine, 24 March.
Anthropic (2026), Project Glasswing: An initial update, May.
Tuominen, A. (2025), “Improving banks’ resilience to hybrid threats”, speech at the conference “The Current Hybrid Threat Environment and Financial Stability”, jointly organised by Commerzbank and the European Centre of Excellence for Countering Hybrid Threats, 18 November.
European Central Bank (2026), Eurosystem response to the EU Commission’s targeted consultation on the competitiveness of the EU banking sector, April.
Reproduction is permitted provided that the source is acknowledged.