Dear CEO: The Letter That Tells You Everything About the Next Decade of Governance

On the structural shift the European Central Bank has just confirmed, why it landed on a chief executive's desk rather than a CISO's, and what it means for every board in Europe as Ireland takes the wheel of the Union.

By Paul C Dwyer — President, ICTTF International Cyber Threat Task Force · CEO, Cyber Risk International

There is a particular kind of letter that changes things. Not because of what it says — the words are usually measured, even dry — but because of who signs it, and who it is addressed to. When a regulator stops writing to the engine room of an organisation and starts writing to the person whose name is on the door, the letter is no longer about the subject it appears to concern. It is about accountability. And accountability, once it moves, does not move back.

The European Central Bank is now writing such a letter. In a keynote delivered on 3 June 2026 at the Goldman Sachs European Financials Conference, Frank Elderson — Member of the Executive Board of the ECB and Vice-Chair of its Supervisory Board — confirmed that the Single Supervisory Mechanism will send a so-called "dear CEO letter" to every bank it supervises across the euro area. The letter asks banks to take proactive measures to ensure the continued robustness and security of their systems in the face of a rapidly changing threat landscape shaped by frontier artificial intelligence. Individual supervisory teams will follow up with banks in a targeted manner.

I want to be precise about the status of this, because precision is the currency of credibility at board level, and because a good deal of the commentary already circulating online has run ahead of the facts. As of late June 2026, the letter has been announced, not yet sent. The ECB's own published speech describes it as a next step. The ECB does not, as a rule, publish supervisory letters of this kind, so a public copy may never appear. None of that diminishes the significance of what has happened. The direction of travel is on the public record, in the ECB's own words, and that record is more than sufficient to act upon.

What follows is not a news summary. It is an attempt to explain why this single piece of supervisory correspondence belongs in a much larger story — a story that runs from a bank's balance sheet to a chief information officer's personal bank account, from Whitehall to Brussels to Dublin, and that arrives, by every available road, at the same destination: the boardroom table, with your name beside it.


"The ECB is writing to the CEO. Not the CISO. Not the CTO. The address line is the message."
"When a regulator stops writing to the engine room and starts writing to the person whose name is on the door, the letter is no longer about its subject. It's about accountability."

I. The address line is the message

Let me begin with the detail that most commentary glosses over, because it is the detail that matters most. The ECB's letter is addressed to the chief executive. Not to the Chief Information Security Officer. Not to the Chief Technology Officer. To the CEO.

This is deliberate, and Elderson was explicit about why. The challenges posed by new generations of AI models, he argued, should not be viewed solely as a cybersecurity issue. They are a firm-wide strategic challenge with potential implications for a bank's safety and soundness. It is therefore essential, in his words, that banks' management bodies take clear ownership of the issue, ensuring that resources and tools are commensurate with its scale.

Read that sentence again as a director. Management bodies take clear ownership. Resources and tools commensurate with the scale of the challenge. This is not the language of a technical advisory. It is the language of governance — of duty, oversight, and the personal responsibility that attaches to both.

There is a pattern here that anyone who has watched this field for three decades will recognise immediately. For twenty years, cybersecurity sat in the engine room of the organisation. It was delegated. It was technical. It was, frankly, somebody else's problem. That era is over. The message from supervisors and governments across Europe is no longer addressed to the IT department. It is addressed to the board. And the ECB's letter is simply the latest, and arguably the most authoritative, confirmation of it.


"The technology changes with every generation — infrastructure, outsourcing, cloud, now AI. The governance challenge does not."
"The ECB is not asking boards to become AI experts. It's asking them to become accountable."

I. This is not a story about AI

Here is the part I find most genuinely interesting, and it is the part most people miss entirely.

This is not, at its heart, a story about artificial intelligence. It is a story about critical dependencies.

Every generation of operational resilience has had its defining dependency. There was a time when the defining dependency was physical infrastructure — power, premises, the mainframe in the basement. Then it was outsourcing, as organisations handed critical functions to third parties. Then it was cloud, as the third parties themselves consolidated into a handful of providers on whom entire sectors came to depend. And now it is AI.

The technology changes with each generation. The governance challenge does not. In every era, the same question recurs: does the board understand which dependencies have become critical to how the organisation actually operates — and does it have the ownership, oversight and investment commitment to govern them appropriately?

That is why the ECB's message goes deliberately beyond investment in technology or cyber defences. Elderson was clear that the critical infrastructure on which banks depend — cloud providers, telecommunications networks, payment systems, and even electricity and water supplies — could itself become a target. As a result, he warned, scenarios once considered tail risks may become more likely: a vulnerability in a single, widely used piece of infrastructure escalating quickly into disruption across an entire sector, with knock-on effects on banks' ability to operate.

When a dependency becomes critical to how an organisation operates, oversight of that dependency can no longer be delegated. That is the real message behind the ECB letter. It is not about AI. It is about governance. The ECB is not asking boards to become AI experts. It is asking them to become accountable.


"Frontier AI is collapsing the time between a vulnerability being discovered and being exploited — from weeks, to days, to hours."
"The patch you deploy becomes a map to the weakness it was meant to close."

III. Why the ECB believes the ground has shifted

A board is right to ask for evidence rather than assertion, so let me set out the ECB's reasoning, because it is structural rather than rhetorical.

Frontier AI models, in the ECB's assessment, are compressing the time between the discovery of a vulnerability and its exploitation. Activities that once took attackers weeks can now happen in days, sometimes hours. Until very recently, launching a sophisticated cyberattack required deep technical expertise, extensive reconnaissance, and often weeks or even months of trial and error. Not any more.

Elderson described the latest generation of large-scale models as more than an incremental improvement. They represent, in his words, a structural shift in the economics of cyber risk. He identified three specific ways in which these tools differ from what came before. First, they can discover and exploit vulnerabilities at a speed and scale far beyond anything previously seen. Second, they can combine seemingly minor vulnerabilities — individually trivial, easily dismissed — into serious, compound attacks. And third, they can reverse-engineer security patches back into exploitable vulnerabilities, and do so at unprecedented speed. The very fix you deploy becomes a map to the weakness it was meant to close.

The consequence, the ECB argues, is that the "price of admission" for sophisticated attacks will fall, possibly by orders of magnitude. Capabilities that once required significant expertise, time and resources may in future be available to a far broader set of malicious actors. And — this is the part that should concentrate the mind — current evidence suggests these models may be effective not only against weak defences but against standards once considered state of the art.

This is not abstract. The ECB grounds it in lived experience. Consider the 2023 ransomware attack on the New York branch of the Industrial and Commercial Bank of China — the largest bank in the world by assets. Despite the institution's enormous financial strength, the incident disrupted settlement in the US Treasury market, one of the most systemically important markets on earth. The bank reportedly resorted to dispatching a courier with a USB stick across Manhattan to meet its obligations. Consider the 2024 CrowdStrike incident, when a single faulty update produced the "blue screen of death" across systems worldwide, cascading through firms in every sector, financial services among them. A bank can be exceptionally well capitalised and highly liquid and still be unable to operate. Resilience, today, is not only about absorbing losses. It is about maintaining critical services under severe operational stress.

And the scale of exposure is not marginal. The ECB's own annual data collection shows that more than 85% of banks under European supervision already use artificial intelligence. The technology is not coming. It is embedded. Which means the dependency is already critical — whether or not the board has formally recognised it as such.

Elderson reached for a musical metaphor to capture the change of tempo required. Where banks once moved andante — at a comfortable walking pace — they must now move presto. "This is not about creating a sense of alarm," he said, "but rather a sense of urgency."


"A senior executive was personally fined — not for dishonesty, but for an assurance he gave the board that turned out not to be robust. That is the world we now operate in."
"Whitehall warns. Brussels mandates. The supervisor writes to the CEO. Three roads, one destination — your boardroom table."

IV. The unprecedented letters — and why this is a pattern, not an event

The ECB is not acting in isolation. To understand why this matters so much, you have to see it as part of a coordinated shift in how the state and its regulators view this risk — and the clearest evidence of that shift is the extraordinary sequence of letters that boards across these islands have already received.

In October 2025, the United Kingdom government did something genuinely without precedent. Senior ministers — the Chancellor of the Exchequer, the Business Secretary, the Technology Secretary and the Security Minister — together with the heads of the National Cyber Security Centre and the National Crime Agency, wrote directly to the chairs and chief executives of every FTSE 350 company.

Pause on that roster of signatories. You do not assemble the Chancellor, the intelligence community and the National Crime Agency to co-sign a letter to boardrooms unless something fundamental has shifted in how the state perceives the risk. And, crucially, the letter did not go to the CISO. It did not go to IT. It went to the board. The Security Minister put it plainly: for too long, cybersecurity had been treated as a concern of middle management, escalated to the top only in a crisis.

The asks in that letter were not technical. They were governance asks. Make cyber risk a board responsibility. Rehearse — actually rehearse — how you would operate and rebuild after a destructive incident. Take genuine ownership of your supply chain. This was the state telling boards, in writing: this is yours now.

Then, in May 2026, the Bank of England, the Financial Conduct Authority and HM Treasury published a joint statement on frontier AI and cyber resilience, warning that these models represent a step-change in capability, with significant implications for operational resilience, and that organisations which have underinvested in core cybersecurity fundamentals will become progressively more exposed.

And now the ECB. Whitehall warns. Brussels mandates. The supervisor writes to the CEO. Three roads, one destination. The ECB's "dear CEO letter" is not an isolated initiative. It is the European supervisory expression of a continent-wide repositioning of where this risk sits — and it sits, unambiguously, at board level.


"Can you prove your organisation is resilient? Not believe it. Not hope it. Not assert it. Prove it."
"A green dashboard is a belief. A framework you adopted two years ago is a hope. A reassurance from the team being assured is an assertion. None of it is proof."

V. Ireland takes the wheel

The timing of all this is not incidental for organisations operating in Ireland. On 1 July 2026, Ireland assumes the Presidency of the Council of the European Union.

For a country that hosts the European headquarters of so many of the world's largest technology, financial and digital infrastructure companies, this is not a ceremonial detail. The Presidency places Ireland — and the boards of organisations operating here — at the very centre of Europe's conversation about digital sovereignty, operational resilience and the governance of artificial intelligence. The country holding the pen on the Union's agenda is the same country whose data centres, cloud regions and European headquarters underpin a substantial share of the digital economy the regulations are designed to protect.

Ireland's own legislative approach is instructive, and it carries a nuance boards need to grasp. The Regulation of Artificial Intelligence Bill 2026 gives domestic effect to the EU AI Act and establishes a new statutory body — the AI Office of Ireland, Oifig IS na hÉireann — required to be operational by 1 August 2026. The government describes it, fairly, as a strong, independent, central coordinating authority. But Ireland has chosen a distributed enforcement model. The AI Office coordinates; actual enforcement is dispersed across roughly fifteen sectoral regulators, each acting as a Market Surveillance Authority within its own domain. The Central Bank for financial-services AI. The Data Protection Commission where personal data is involved. The Competition and Consumer Protection Commission, the Health and Safety Authority, ComReg, and others besides.

The practical implication for a board is threefold. Coordination sits in one place, but you may find yourself answerable to several regulators at once, depending on how you use AI. You must classify your AI systems and document the reasoning, because under-classification is the first thing an authority will examine if a concern arises. And AI governance must sit inside your enterprise risk framework and board oversight — not as a side project run out of a lab. The maximum penalties mirror the Act itself: up to €35 million or 7% of global turnover. The Bill runs to 139 sections across ten parts. This is a serious, detailed instrument, and Ireland is building it precisely as it steps onto the European stage to amplify the Union's message on resilience.


"Your defence is the record."
"The organisations that emerge strongest won't be the ones with the biggest security budgets. They'll be the ones that could prove their resilience — before they were forced to."

VI. Three regulations, one destination

The ECB letter does not exist in a legal vacuum. It lands on top of an architecture of binding law that has already moved board accountability from advisory guidance to enforceable duty. Three instruments matter most, and the crucial point is not their differences but their convergence.

DORA — the Digital Operational Resilience Act — applies to the financial sector and its ICT providers and has been directly applicable since 17 January 2025. No transposition, no national variation, no ambiguity about the deadline. Its heart, for a board, is Article 5, which places explicit, non-delegable accountability on the management body to define, approve, oversee and be responsible for the implementation of the ICT risk-management framework. You cannot push this down to the CISO and consider your duty discharged. Article 5 goes further still: members of the management body must actively keep their knowledge and skills up to date, including by following specific training on a regular basis. The law requires directors, personally, to be trained. Articles 28 to 30 demand active oversight of the ICT supply chain, analysis of concentration risk, and documented exit strategies. And the incident clock is unforgiving: an initial notification within four hours of classifying a major incident, an intermediate report within seventy-two hours, a final report within one month. Critically, DORA requires Member States to ensure management-body members can be held personally accountable for infringements, and supervisors can temporarily ban senior managers from holding management functions. The 2026 supervisory cycle has been signalled as the point at which serious reporting and governance failures begin to attract action.

NIS2 — the second Network and Information Security Directive — casts a far wider net than many organisations realise: eighteen sectors, an estimated 160,000 entities across the EU, split into "essential" and "important" categories. The size threshold is low. Fifty or more employees, or €10 million or more in turnover, in a covered sector, and you are very likely in scope. The governance core is Article 20, under which management bodies must approve cybersecurity risk-management measures, oversee their implementation, and — in the directive's own words — can be held liable for infringements. Like DORA, it mandates regular cybersecurity training for directors themselves. Article 21 requires direct management of supply-chain and supplier security. The incident clock is tighter still at the front end: an early warning within twenty-four hours of becoming aware of a significant incident. For essential entities, regulators can suspend executives from management functions and impose fines up to €10 million or 2% of global turnover. And enforcement has begun: in the final quarter of 2025, Germany's BSI issued dozens of formal notices; an assessment in the Netherlands found that more than half of the essential entities reviewed in digital infrastructure lacked a management-body-approved cybersecurity policy.

The EU AI Act — Regulation 2024/1689 — is the world's first comprehensive law governing artificial intelligence, structured as a risk-based ladder from unacceptable-risk practices banned outright, through high-risk systems carrying strict obligations, to limited and minimal-risk uses. The misconception I most want to correct for a board is the assumption that the Act is a problem only for AI vendors. It is not. The Act imposes obligations on deployers — ordinary organisations that use AI. Article 26 requires deployers of high-risk systems to ensure human oversight and to use those systems in accordance with their instructions. If you use AI to screen job applicants or assess creditworthiness, that obligation is yours. The penalties exceed even GDPR: up to €35 million or 7% of global turnover.

A note on the politics, because the rulebook is itself a moving target. Following sustained industry and diplomatic pressure, the Commission's "Digital Omnibus" package has deferred certain high-risk timelines — standalone high-risk obligations pushed toward December 2027, and AI embedded in regulated products toward August 2028. But a delay is not a reprieve. The deferral touches only the high-risk timelines of the AI Act; DORA and NIS2 are in force right now, with no delay whatsoever. General-purpose AI and transparency obligations under the Act are already live. And the genuinely hard part of AI Act compliance was never the documentation template — it is finding every AI system in your organisation, classifying each correctly, and keeping that inventory current. That work takes the better part of eighteen months whether you begin now or in late 2027. The attackers, in any case, did not read the Digital Omnibus. The threat never paused for the regulation.

Different scopes. Different sectors. Different mechanics. But every one of these instruments arrives at the same place: the board approves, the board oversees, the board is accountable — and the board must be able to prove it.


"The country holding the pen on the Union's agenda is the same one whose data centres and European headquarters underpin the digital economy these rules exist to protect."

VII. The lesson written through every enforcement case

If you want to understand why "prove it" is the operative phrase, you need only one case, and it is a case every board should know intimately.

In April 2018, TSB Bank attempted to migrate 5.2 million customers onto a new IT platform. The data migrated successfully — but the platform failed on launch. Branch, telephone, online and mobile banking went down. Some customers could see other people's account details. Opportunistic fraud ran at seventy times the normal level. It took until December — eight months — to return fully to business as usual. By TSB's own account, the episode cost around £330 million and lost it 80,000 customers. A profitable bank was pushed into a loss.

In December 2022, the FCA and PRA jointly fined the institution £48.65 million. But they did not stop at the institution. In April 2023, the PRA fined the bank's former Chief Information Officer personally — a penalty equating to roughly 15% of his annual income. And the reasoning is the part that should stay with every director. The regulator did not find that he was dishonest, reckless or lacking in integrity. His failing was narrower and, for that reason, far more frightening: he gave assurance to the board that a third-party supplier was ready for migration when he had not taken reasonable steps to verify that readiness. He relied on a confirmation letter. He did not challenge it. He did not even annex it to the board papers.

Read that back as a board. A senior executive was personally fined for an assurance he gave to the board that turned out not to be robust. That is the world the ECB letter now hard-wires across the entire European financial sector. The TSB case happened under the predecessor UK regime; DORA, NIS2 and the supervisory posture the ECB is now adopting carry that same personal accountability forward, and widen it.


"The technology changes with every generation — infrastructure, outsourcing, cloud, now AI. The governance challenge does not."

VIII. Can you prove it?

So let me turn the lens around, away from the external picture and onto you, with the single most uncomfortable question in the room.

Can you prove your organisation is resilient? Not believe it. Not hope it. Not assert it. Prove it.

Sit with the difference between those words, because the entire regulatory shift turns on it. A status report that says "green" is a belief. A framework adopted two years ago and never independently tested is a hope. A reassurance from the team that runs the very systems being assured is an assertion. None of it is proof. Increasingly, "prove it" is precisely the question you will face — from a regulator after an incident, from an insurer at renewal, from a major customer conducting supply-chain due diligence, and, in the worst case, from the public and the press. As TSB demonstrated, when the answer comes back thin, the accountability is now personal.

There is a gap between what boards typically have and what proof actually requires. I call it the assurance gap. What boards often have is a green dashboard, a framework adopted but never independently tested, assurance provided by the same people being assured, and point-in-time audits that began ageing the moment they were filed. What proof actually requires is fundamentally different. It requires independent validation, by someone outside the reporting line with no incentive to report green. It requires evidence mapped to the specific frameworks the regulators name — DORA's articles, NIS2's Article 21 measures, the AI Act's risk tiers. It requires maturity that is measured rather than asserted, and tracked over time so you can demonstrate a trajectory. And it requires a board-ready narrative you can actually defend under scrutiny, not a forty-page technical appendix nobody on the board has read.

Closing that gap is not a mysterious technical undertaking. It is a leadership discipline, and it follows four logical moves: anchor, validate, measure, report. Anchor your programme to a single recognised framework — I recommend the NIST Cybersecurity Framework 2.0 — and map DORA, NIS2 and the EU AI Act onto it, so you run one coherent programme rather than three parallel ones that never speak to each other. Validate independently, from outside the reporting line, because this is the step that converts assertion into evidence, and the step most organisations skip precisely because it risks telling leadership something it would rather not hear. Measure your maturity and track it quarter on quarter, because a single snapshot tells a supervisor nothing about your trajectory. And report: produce the board-ready narrative and evidence pack you can put in front of a regulator, an insurer or a court and say — here is what we did, here is when, here is who approved it. Because the lesson written through every enforcement case is the same: your defence is the record.


"When a dependency becomes critical to how an organisation operates, oversight of it can no longer be delegated."

IX. What this means for Monday morning

Let me be practical, because principle without action is just commentary.

Put resilience on the board agenda as a standing item, not an annual review. Get a clear, written answer to a deceptively simple question — which of DORA, NIS2 and the EU AI Act apply to us, and to which of our entities? Commission an independent view of where you genuinely stand, from someone whose job is to tell you the truth rather than to reassure you. Map your most critical third parties and your concentration risk — the suppliers who, if they failed, would take several of your critical functions down at once — and check that your contracts actually contain the assurance and notification clauses the regulations require. Test the clock: run an incident exercise against the real twenty-four-hour and four-hour deadlines, not a comfortable tabletop that ends in a friendly debrief. And keep the evidence — every approval, every training session, every oversight review, with dates and names — because the TSB CIO's confirmation letter was never even put in the board papers.

There is one further move that the ECB's emphasis on board understanding makes unavoidable. Both DORA and NIS2 already require directors, personally, to maintain sufficient knowledge to provide meaningful oversight. The ECB has now made the same point about frontier AI specifically: boards and senior management must develop sufficient understanding of these risks to provide meaningful oversight, set strategic direction, and ensure investment decisions reflect the scale of the challenge. This is no longer optional, and it is no longer something a board can wholly outsource. It is a capability the board must hold.

It is precisely this capability gap that the ICTTF EU Cyber Academy was built to close. Our Certified AI Resilience Professional (CAIRP) pathway is a deliberately non-technical, senior-level programme designed for those accountable for governance, resilience and regulatory readiness — equipping them to understand AI in plain English, evaluate and govern AI tools responsibly, and explain AI-driven risk to boards and regulators with confidence. It sits alongside a broader curriculum, from our Certified Cyber Risk Officer programme to DORA-focused training delivered through our DORA Centre of Excellence. Professionals from global banks, governments and universities have trained with the Academy, and the design philosophy is consistent throughout: not abstract theory, but regulator-facing reality and board-ready judgement.

And capability, on its own, still has to be evidenced. That is where measurement comes in. At Cyber Risk International, our work is to help leaders move from believing they are resilient to proving it — through Independent Validation Assessments conducted outside your reporting line, and through CyberPrism, our digital resilience platform, which lets boards measure and manage governance, oversight and resilience against exactly these instruments: mapping evidence to DORA's articles, NIS2's measures and the AI Act's risk tiers, scoring maturity, tracking it over time, and producing the board-ready record that is, in the end, your defence. The ECB is about to ask European banks to demonstrate ownership, oversight and investment commensurate with the scale of the AI challenge. CyberPrism exists to let you answer — with evidence rather than assertion.

"A structural shift in the economics of cyber risk — the price of admission for a sophisticated attack is falling by orders of magnitude."

X. Different roads, one destination

Let me return to where we began — to the letter, and to what it really signifies.

The ECB's "dear CEO letter" is, on its surface, a piece of supervisory correspondence about frontier AI and cyber risk. But it is not, fundamentally, about AI at all. It is about a dependency becoming critical, and oversight of that dependency becoming non-delegable. It is the latest expression of a shift that runs through the FTSE 350 letters, through the Bank of England's joint statement, through DORA and NIS2 and the EU AI Act, and through Ireland's own Bill as the country takes up the Presidency of the Council on 1 July: a shift that has taken something which used to live in the engine room and placed it squarely on the boardroom table, with the chief executive's name beside it.

The organisations that emerge strongest from this era will not be the ones with the largest security budgets. They will be the ones that recognised resilience as a leadership challenge — and could prove it — before they were forced to. The ECB is not asking boards to become AI experts. It is asking them to become accountable. The only question that remains is whether your board is ready to answer when the letter arrives.


Check Out the CAIRP Certified AI Resilience Professional Education Path

Paul C Dwyer is President of the ICTTF International Cyber Threat Task Force and CEO of Cyber Risk International. He delivers the live executive briefing "Dear Board: Digital Resilience Is Now Your Responsibility" on Wednesday 1 July 2026, 11:00–12:00 (IE/UK), online. Details and registration at www.cri.ie.