ESMA Chair Verena Ross issued a public warning in April 2026 that AI systems are compressing the timeline of potential cyberattacks on financial markets. Speaking ahead of a key regulatory deadline for crypto firms operating in the European Union, Ross identified the convergence of elevated market valuations, the recent escalation of conflict in the Middle East, and AI-assisted cyber threats as pressing risks facing EU financial infrastructure. ESMA's March 2026 Trends, Risks and Vulnerabilities (TRV) Risk Monitor placed market, contagion, and operational risks at their highest level.

The statement came alongside renewed pressure on crypto-asset service providers to obtain MiCA authorization before July 1 or face being in breach of EU law.

AI Is Changing the Speed Equation

Ross was specific about the nature of the concern. "We are closely watching how bringing AI models into this could increase the potential speed with which such attacks could happen," she said. ESMA's March 2026 TRV Risk Monitor, a quarterly risk assessment, placed market, contagion, and operational risks at their highest possible level, with cyber and hybrid threats flagged as separately elevated concerns.

According to wire reports of the interview, ESMA named Anthropic's Mythos model as an example of an AI system capable of identifying and exploiting previously unknown software vulnerabilities. Anthropic has not issued a standalone statement on this designation, and the attribution has not been independently confirmed.

The regulator said it is now actively contacting supervised financial entities to assess their cyber defenses and stress-test preparedness. That outreach is backed by the Digital Operational Resilience Act, known as DORA, which entered into force in January 2025 and applies to banks, insurers, investment firms, and crypto-asset service providers. Under DORA, ESMA together with the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA) designated 19 critical technology providers in November 2025, including AWS, Google Cloud, Microsoft, Bloomberg, and Euroclear. Those firms now face joint examination teams, annual risk analyses, and on-site inspections, with binding recommendations expected from their first comprehensive exams in 2026.

Ross called for regulators to move faster. "We collectively between the national and the EU level need to up our game to try to ensure that we have the capability to properly look at what financial entities are doing in this space," she said.

The MiCA Clock Is Running Out

The regulatory pressure does not stop at cyber risk. MiCA, the EU's comprehensive crypto-asset regulation, became fully applicable to crypto-asset service providers in December 2024. Member states offered transitional periods, all of which expire on June 30, 2026. From July 1, any crypto firm serving EU clients without authorization will be operating illegally under EU law. MiCA draws a key distinction between two categories of stablecoins: e-money tokens (EMTs) and asset-referenced tokens (ARTs), each carrying distinct licensing and reserve requirements that issuers must satisfy to remain accessible within the EU.

The compliance urgency has intensified in part because of an October 2025 crypto flash crash that triggered an extended sell-off across crypto markets, an episode documented in ESMA's TRV Risk Monitor as a contributor to the current elevated market risk environment.

The compliance picture across the bloc is uneven. According to wire reports citing France's financial regulator, the AMF, roughly one-third of unlicensed crypto companies in France have not indicated any plans to seek MiCA authorization. That figure is provisional and had not been confirmed in a standalone AMF press release as of the time of publication. More than 40 percent of EU crypto exchanges flagged difficulty meeting MiCA's reporting requirements in 2025, according to figures aggregated by Coinlaw.io, a regulatory tracking service.

Ross acknowledged the enforcement problem directly. "One of the challenges we will face from the first of July onwards is how do we then deal with the policing of the perimeter," she said.

A Push Toward Centralized Supervision

The European Commission's Market Integration and Supervision package, proposed on December 4, 2025, would transfer direct oversight of crypto-asset service providers from 27 national regulators to ESMA itself.

The European Central Bank has formally endorsed the proposal, saying it would "ensure supervisory convergence, reduce fragmentation and mitigate cross-border risks in crypto-asset markets." The proposal is currently in trilogue negotiations, with smaller EU states including Ireland, Luxembourg, and Malta pushing back. Those countries have built crypto licensing hubs under the current national model and stand to lose influence under centralized ESMA authority.

The push toward centralization is unfolding within a broader global trend: 14 non-EU countries have already adopted MiCA-aligned regulatory frameworks, treating the EU regulation as a template for their own crypto oversight regimes.

What This Means Outside Europe

The ripple effects extend well beyond EU borders. For users in South Asia and Africa, two regions where crypto adoption is driven heavily by remittance flows and inflation hedging, the tightening of MiCA's stablecoin rules is the most immediate concern. MiCA imposes strict reserve and licensing requirements on stablecoins. Tokens that do not meet those requirements will effectively be blocked from EU on-ramps after July 1, reshaping which instruments are available for Euro-corridor transfers to West and East Africa or for the Indian diaspora sending money home. India is the world's largest remittance recipient, making the question of stablecoin access especially consequential. Among the stablecoins currently preferred under MiCA's framework are USDC, EURC, and USDG; tokens that fall outside those standards face exclusion from EU payment channels.

The AI-related threats ESMA is raising also land harder in markets with less robust institutional protection. Nigeria recorded 4,701 cyberattacks per organization per week in January 2026, a 12 percent year-on-year increase and the highest rate globally. The CBEX scam drained an estimated 250 million dollars from Nigerian users. In India, the Treasure NFT scheme caused roughly 800 million dollars in losses with extensive reach across the country.

In sub-Saharan Africa, South Africa stands apart as the continent's most MiCA-aligned crypto market. The Financial Sector Conduct Authority (FSCA) had approved 300 crypto licenses by December 2025, reflecting a 59 percent approval rate, and South Africa has implemented the zero-threshold Travel Rule. That regulatory posture may position South Africa for EU passporting arrangements or formal partnership structures as centralized supervision takes shape across the bloc.

What Comes Next

Ross is scheduled to step down on October 31, 2026, making this assessment among her final major public risk statements. The ESMA centralization proposal, the July 1 MiCA enforcement cliff, and the August 2, 2026 deadline for high-risk AI systems deployed in the EU financial sector to comply with the EU AI Act are all converging in the same narrow window.

Her successor will inherit a significantly expanded mandate if the Commission's supervision package clears trilogue, along with the task of enforcing a crypto perimeter that still has significant gaps. The incoming chair's position on ESMA's expanded crypto supervision powers has not yet been made public, adding a layer of uncertainty to the transition at a pivotal moment for EU financial oversight.