France’s Autorité des Marchés Financiers (AMF) has called on regulated market participants to reinforce their cybersecurity frameworks. The regulator highlighted the transformative impact of artificial intelligence on both defensive and offensive cyber capabilities, emphasizing the need for proactive adaptation in its latest announcement. Operational resilience, particularly against cyber risks, remains a core strategic focus for the AMF.
This priority aligns with the authority’s 2026 supervisory agenda, which stresses anticipating emerging threats and strengthening the robustness of regulated entities.
Advances in AI models—whether designed for security or malicious use—are accelerating vulnerability discovery, enabling faster exploitation, and scaling up sophisticated attack campaigns.
At the same time, AI offers powerful tools for faster incident detection, analysis, and response.
Financial institutions must therefore evolve their risk management practices to harness these benefits while mitigating new exposures.
The AMF is addressing these challenges on multiple fronts. Internationally, it actively participates in forums such as the International Organization of Securities Commissions (IOSCO)—including its Financial Stability Engagement Group, co-chaired by the AMF Chair and the UK FCA’s CEO—alongside the European Systemic Risk Board, the Financial Stability Board, and the G7 Cyber Expert Group.
These engagements aim to foster shared intelligence, coordinated regulatory responses, and forward-looking risk anticipation.
Locally, the AMF oversees compliance with the EU’s Digital Operational Resilience Act (DORA), which has been in force since January 17, 2025.
This regulation requires entities—including portfolio management companies, crypto-asset service providers, crowdfunding platforms, and market infrastructures—to map critical functions, implement proper cyber risk controls, establish incident management protocols, perform resilience testing, and carefully manage third-party IT and digital service risks.
Upcoming initiatives include an educational webinar for professionals on July 1, 2026, followed by a targeted survey of portfolio managers, crowdfunding providers, and crypto firms starting in July.
The survey will examine how these organizations are incorporating AI-specific risks into their cyber strategies, particularly for vulnerability identification, detection, and remediation.
Results, expected in autumn 2026, will inform future supervisory approaches while maintaining a proportionate, risk-based stance.
The AMF will also continue targeted inspections focusing on client data protection, incident handling, and AI-related threat mitigation.
European Supervisory Authorities are preparing a report on major DORA-reported incidents, after which the AMF plans to release its own assessment of French entities, highlighting key lessons and common pitfalls for broader industry education.
The regulator stressed that senior leadership bears responsibility for embedding cyber risk oversight into governance, internal controls, and overall risk frameworks.
It encouraged firms to adopt recognized standards, including ANSSI cybersecurity hygiene guidelines and DORA-related technical materials from European authorities.
Recommended practices include maintaining detailed inventories of critical assets with strict access controls, using up-to-date encryption, accelerating patch management, conducting frequent backups and recovery tests, delivering staff training, deploying detection tools, rehearsing incident response, performing technical audits (including red teaming by certified experts), integrating AI risks into scenarios, and running cyber crisis simulations.
As cyber threats grow more sophisticated and AI-enabled, the AMF’s main message is quite clear. That being, cybersecurity is fundamental to investor protection, service continuity, and market confidence. The AMF update has concluded that financial entities must treat resilience as a strategic imperative, not a compliance checkbox.