BoE, FCA and HM Treasury issue joint frontier AI cyber statement, 15 May 2026

On 15 May 2026, the Bank of England, the Financial Conduct Authority and HM Treasury published a joint statement on frontier AI models and cyber resilience. The authorities say current frontier models already exceed skilled human attackers in speed, scale and cost, and direct regulated firms to lift board oversight, vulnerability management, third-party controls, protective measures and recovery capability.

On 15 May 2026, the Bank of England, the Financial Conduct Authority and HM Treasury issued a joint statement on frontier AI models and cyber resilience. The text is published supervisory expectation. It is not new rule text and not a consultation. It directs regulated firms to apply existing operational resilience and cyber-risk rules to risks arising from frontier AI capabilities.

The statement sits within the regulators' existing operational resilience perimeter. For PRA-authorised firms the relevant sources are the PRA Rulebook on Operational Resilience and supervisory statement SS1/21. For FCA solo-regulated firms the operative chapter is SYSC 15A. The PRA's model risk expectations in SS1/23 are also engaged. HM Treasury contributes policy direction through the Cross Market Operational Resilience Group. The joint text records that frontier model capability already exceeds a skilled human attacker in speed, scale and cost.

The direct addressees are UK-perimeter banks, insurers, asset managers, payments firms, e-money issuers and crypto-asset firms. The authorities expect board and executive understanding of frontier AI risk. They expect mapped vulnerability identification and supplier oversight that covers AI model providers and cloud hosts. They expect protective controls, including segmentation and authentication, and tested response and recovery plans. Firms should feed lessons learned into the Cross Market Operational Resilience Group.

The statement does not impose a new threshold for reporting AI-driven incidents. It does not change DORA-equivalent intra-group rules. It does not displace the FCA AI Update of April 2024 or the PRA's model risk principles. Firms should expect supervisory dialogue and possible thematic review activity. Rule-making could follow if controls remain immature.

We may advise on the application of frontier AI obligations to UK-regulated firms. We can call on a partner network of UK counsel where additional specialist input is required. Contact us to scope a piece of work. Work we undertake includes operational resilience gap assessment, AI vendor due diligence, board reporting templates, model risk policy review and incident playbooks.

Source: Bank of England, Financial Conduct Authority and HM Treasury, Joint Statement on Frontier AI Models and Cyber Resilience, 15 May 2026, https://www.bankofengland.co.uk/news/2026/may/boe-fca-and-hm-treasury-joint-statement-on-frontier-ai-models-and-cyber-resilience

The information provided is not legal, tax, investment, or accounting advice and should not be used as such. It is for discussion purposes only. Seek guidance from your own legal counsel and advisors on any matters. The views presented are those of the author and not any other individual or organization. Some parts of the text may be automatically generated. The author of this material makes no guarantees or warranties about the accuracy or completeness of the information.
