The window to prepare is limited, and it is closing.
Spain's Bank of Spain, in its latest Financial Stability Report, has called upon the country's financial institutions to begin preparing now for cybersecurity threats that advanced artificial intelligence and quantum computing will eventually pose — even as no immediate danger exists. The warning reflects a recurring tension in human affairs: the difficulty of acting urgently against risks that remain, for the moment, hypothetical. Like a navigator charting storms not yet visible on the horizon, the regulator is asking banks to trust the mathematics and the trajectory of technology over the comfort of present calm.
- The Bank of Spain has issued a rare preemptive alarm, warning that the window to build defenses against AI and quantum computing threats is already narrowing — before either has struck.
- Anthropic's newly released Mythos model has rattled European regulators enough that the ECB has demanded contingency plans from eurozone banks, and Spain is now amplifying that pressure.
- Quantum computing poses a deeper, more structural danger: it could unravel the mathematical foundations of modern financial encryption, rendering current security systems obsolete almost overnight once the technology matures.
- Spanish banks are being urged to tighten software development, intensify pre-deployment testing, and reduce exploitable vulnerabilities — not in response to a crisis, but in anticipation of one.
- The regulator has stopped short of mandating access to models like Mythos for stress-testing, but the suggestion that banks should be able to examine the tools that may threaten them carries unmistakable urgency.
Spain's banking regulator has issued a warning about threats that do not yet exist but almost certainly will. The Bank of Spain's Financial Stability Report, released Thursday, delivers a clear message to the country's financial institutions: the time to prepare for cybersecurity risks from advanced artificial intelligence and quantum computing is now, because that opportunity will not last.
The alert follows Anthropic's release of Mythos, an AI model powerful enough to prompt the European Central Bank to demand contingency plans from banks across the eurozone. The Bank of Spain is amplifying that signal while being careful to note that no immediate systemic danger has been identified. The institution's position is not one of alarm but of strategic foresight — waiting for evidence of harm before acting would itself be a failure of judgment.
David Pérez Cid, who oversees financial stability at the Bank of Spain, put the challenge plainly: banks cannot prepare for a threat they cannot examine. He suggested that European institutions should have access to models like Mythos precisely so they can test their own defenses against them — a pointed recommendation, even if not a formal requirement.
Quantum computing represents a more fundamental vulnerability. The encryption protecting today's financial transactions depends on mathematical problems that are effectively unsolvable for conventional machines — but not for quantum ones. The technology remains years from maturity, and its pace of development is uncertain. The mathematics, however, are not. When sufficiently powerful quantum computers arrive, they will be capable of breaking the cryptographic systems that currently secure the financial world.
The regulator's response is methodical: strengthen software quality controls, work more closely with technology providers, test systems more rigorously before deployment, and invest in specialized talent. The Bank of Spain is not predicting catastrophe — it is insisting that the window for orderly preparation is open now, and that it will close faster than most institutions expect.
Spain's banking regulator has sounded an alarm about threats that don't yet exist but almost certainly will. On Thursday, the Bank of Spain released its Financial Stability Report with a message aimed squarely at the country's financial institutions: prepare now for the cybersecurity risks posed by advanced artificial intelligence and quantum computing, because the window to do so is closing fast.
The warning arrives in the wake of Anthropic's recent release of Mythos, an AI model powerful enough to have already prompted the European Central Bank to demand contingency plans from banks across the eurozone. The Bank of Spain is now amplifying that signal, but with a broader scope. The regulator is not claiming that AI models or quantum computers pose an immediate threat to the stability of the financial system. The report is explicit on this point: there is no evidence of imminent systemic danger. But the institution's leadership has concluded that waiting for proof would be foolish.
David Pérez Cid, who oversees financial stability, regulation, and resolution at the Bank of Spain, framed the challenge in practical terms. He noted that in an interconnected world, it would be reasonable to expect that European banks should have access to models like Mythos so they could test their defenses against them. The logic is straightforward: you cannot prepare for a threat you cannot examine. The regulator stopped short of demanding such access, but the suggestion carried weight.
Quantum computing presents a different and potentially more severe problem. Current encryption systems that protect financial transactions rely on the difficulty of solving certain mathematical problems—problems that are extraordinarily hard for conventional computers but would be substantially easier for quantum machines. The Bank of Spain has warned that this vulnerability is real, even if quantum computers capable of exploiting it remain years away. The technology is still in early stages of development, surrounded by uncertainty about how quickly it will advance. But the mathematics are not uncertain. When quantum computers become powerful enough, they will be able to crack the cryptographic locks that currently secure the financial system.
The regulator's prescription is methodical rather than alarmist. Banks should strengthen quality control in how they develop and deploy new software, working closely with their technology providers. More intensive testing before systems go live. Fewer exploitable vulnerabilities left behind. The Bank of Spain is essentially saying: tighten your processes now, because you will not have time to do it later.
What makes this warning distinctive is its acknowledgment of a paradox. Technology advances spread quickly—faster than regulation, faster than institutional readiness, faster than most organizations can absorb. This creates what the report calls a limited window for preparation. That window is open now. It will not stay open indefinitely. The regulator is urging Spanish banks to move through it before it closes.
Notable Quotes
Technological advances tend to spread rapidly, opening a limited window for preparation during which it is critical to strengthen technical capabilities, improve coordination between institutions and technology providers, and invest in specialized talent.— Bank of Spain Financial Stability Report
In an interconnected world, it would be reasonable to expect that all could prepare to improve their defensive mechanisms.— David Pérez Cid, Bank of Spain
The Hearth Conversation Another angle on the story
Why is the Bank of Spain warning about threats that don't exist yet? Isn't that premature?
Because the history of technology shows that when something becomes possible, it spreads before institutions are ready for it. They're trying to get ahead of the curve instead of chasing it.
But the report says there's no immediate systemic threat. So what's the actual risk?
The risk is that quantum computers will eventually solve math problems that currently protect every financial transaction. That's not theoretical—it's inevitable. The question is whether banks will have updated their defenses by then.
Why does the regulator want European banks to have access to Anthropic's Mythos model?
So they can test their systems against it. You can't defend yourself against a threat you've never seen. If only some banks have access, only some will be prepared.
Is quantum computing actually close to being a problem?
Not immediately. But it's in early development, and the timeline is uncertain. That uncertainty is exactly why you start preparing now rather than waiting for the threat to materialize.
What are banks supposed to do differently?
Test their software more rigorously before deploying it. Work more closely with their technology providers. Invest in people who understand these risks. Basically, tighten everything before the window closes.
And if they don't?
Then when the technology arrives, they'll be scrambling to patch systems that were never designed to withstand it. The regulator is trying to prevent that panic.