The European Court of Auditors has identified significant design flaws in the European Commission's fraud prevention framework, warning that gaps in risk assessment and monitoring are weakening defenses just as artificial intelligence begins to supercharge the sophistication of fraud schemes targeting EU funds.
The audit, published this week in Special Report 18/2026, singles out structural weaknesses that hinder consistent application of anti-fraud measures across member states — a concern that carries direct consequences for Portugal, which channels billions in EU recovery funds through systems now under scrutiny.
For Portugal, which is channeling €16.6 billion through these systems, the implications are direct and immediate. The country's funds are flowing through frameworks the Court of Auditors has flagged as vulnerable to both conventional and AI-driven fraud.
Why This Matters
• The Recovery and Resilience Mechanism, which includes Portugal's €16.6 billion recovery plan, has been flagged for systemic fragilities in fraud detection and reporting.
• Portugal has reported 8 suspected fraud cases tied to its recovery plan to the European Public Prosecutor's Office. This represents a small fraction of reported cases EU-wide, but auditors warn that inconsistent detection systems mean many more may go unnoticed in Portugal and across member states.
• AI-driven fraud is becoming cheaper to execute and harder to trace, with deepfakes and synthetic identities now accounting for 11% of global fraud attempts in 2026.
• The EU's anti-fraud office (OLAF) recommended recovery of €597 M in misused funds during 2025, yet only one-third of 27,000 fraud allegations led to actual investigations.
What Residents Should Watch Now
For anyone in Portugal navigating public services, applying for EU-funded programs, or simply managing personal finances, the audit's findings underscore a troubling reality: the systems designed to protect EU money are not keeping pace with the threats.
Be alert to AI-powered scams. If you receive an unexpected call, email, or video message requesting payment or personal information — even if it appears to come from a familiar source — verify independently before responding. Deepfake technology can now replicate voices and faces with near-perfect fidelity.
If you're a beneficiary of recovery funds — whether as a business, municipality, or nonprofit — expect heightened scrutiny in the coming months. The Commission is ramping up audits, and national authorities are under pressure to tighten controls.
The Core Problem: Execution Over Impact
The European Court of Auditors acknowledges that the Commission's Anti-Fraud Strategy, first adopted in 2019 and updated with an action plan in 2023, follows best practices on paper. Yet the tribunal found that monitoring focuses heavily on whether actions are being carried out, rather than whether they're delivering measurable results.
This approach — prioritizing whether tasks are completed rather than whether fraud is actually prevented — obscures the real question: Is fraud being stopped, or simply reported after the fact? The Commission's action plans lack ambition, and poorly defined objectives have led to uneven implementation across its departments.
The audit also highlights that institutional oversight has gaps: while roles and responsibilities are clearly assigned, the coordination between the Commission and OLAF remains inconsistent. Departments do not systematically use OLAF's findings to refine their own anti-fraud strategies, creating silos that fraudsters can exploit.
Risk Assessment Under Fire
One of the sharpest criticisms concerns risk evaluation. The Court found that the Commission's risk assessments are insufficiently robust, reducing the strategic value of the entire framework. Without accurate risk mapping, resources are misallocated, and high-threat areas — such as cross-border schemes or digitally enabled fraud — may go under-monitored.
This matters acutely for Portugal. The country's National Anti-Fraud Strategy, approved in July 2023 under Dispatch 7833/2023 for the 2023–2027 period, relies on EU guidelines to shape its own action plans. If the EU template is flawed, national adaptations inherit those weaknesses.
Portugal's Inspectorate-General of Finance (IGF) coordinates domestic anti-fraud efforts, but auditors note that member state systems vary widely in rigor and timeliness. In some cases, Commission audits were completed after initial payments had already been made under the Recovery and Resilience Mechanism, meaning money flowed before fraud controls were verified.
AI: The New Frontier for Fraudsters
The tribunal emphasizes that the stakes are rising as criminals integrate artificial intelligence into their operations. AI enables the creation of hyper-realistic deepfakes — fake voices, videos, and documents — that can bypass traditional identity checks and authentication protocols.
Synthetic identities, built by blending real data with fabricated details, are proliferating in financial fraud. AI also powers automated, personalized phishing campaigns capable of targeting thousands of victims simultaneously, mimicking trusted voices with alarming accuracy.
In the insurance sector, fraudsters are submitting digitally manipulated images and videos to support false claims. Online inspections — increasingly common in auto insurance — are being gamed with altered timestamps, GPS coordinates, and authenticity markers.
The European Banking Authority, the European Securities and Markets Authority, and the European Insurance and Occupational Pensions Authority issued a joint warning in February, urging citizens never to share banking details in response to unsolicited requests, no matter how legitimate they appear.
Financial institutions are responding with defensive measures. While 62% of banks in the eurozone now use AI for fraud detection, according to the European Central Bank, and 88% deploy it operationally, regulators acknowledge that defensive AI still lags behind the tools criminals are using — and the gap is widening.
What This Means for Recovery Funds
The Recovery and Resilience Mechanism, Europe's €650 billion post-pandemic stimulus, has been singled out by auditors as particularly vulnerable. A separate Court of Auditors report published in February flagged systemic fragilities in how member states detect, report, and correct fraud in these funds.
Portugal's recovery plan, worth €16.6 billion, includes investments in digitalization, climate transition, and social resilience. The country has reported 8 fraud cases to the European Public Prosecutor's Office, but the broader picture is opaque. The Commission lacks a comprehensive overview of total fraud exposure across all member states, auditors found.
Tools like Arachne, a data analytics platform designed to flag suspicious patterns, have been underutilized. Whistleblower channels, meanwhile, generated few actionable fraud reports, raising questions about whether they are properly publicized or trusted.
OLAF reported in April 2026 that it was investigating 42 suspected irregularities linked to the Recovery and Resilience Mechanism, though none had yet been formally classified as fraud. The low conversion rate — only one in three fraud allegations leads to an investigation — suggests either that many tips lack substance or that investigative capacity is stretched thin.
Information Sharing Breakdowns
A January report (Special Report 26/2025) revealed coordination failures among Europe's fraud-fighting bodies. Though the mandates of OLAF, the European Public Prosecutor's Office (EPPO), Eurojust, and Europol are clearly defined, information exchange between them remains inconsistent.
EU institutions report fraud suspicions to OLAF three times more often than to the EPPO, despite the prosecutor's office having expanded powers since its 2021 launch. There is also a substantial mismatch between a member state's share of the EU budget and the number of fraud cases it reports — a discrepancy the Commission has not analyzed.
The EPPO itself is under pressure. At the end of 2025, it had 3,602 active cases involving an estimated €67 billion in suspected fraud. Of these, 68% (2,450 cases) related to misuse of EU funds, totaling €18.67 billion. VAT and customs fraud, though representing just 27% of cases, accounted for 67% of total financial damage.
Regulatory Response and Upcoming Reforms
The Commission is not standing still. A public consultation for a new EU Anti-Corruption Strategy ran from May 11 to July 6, with adoption expected in the fourth quarter of 2026. The Financial Regulation, which governs EU budget management, is being revised to expand the Early Detection and Exclusion System (EDES) to include shared management funds.
OLAF's own mandate is under review. A consultation closed in May to strengthen its investigative capacity and improve coordination with the EPPO. The goal is to eliminate duplication and streamline case handoffs.
The AI Act, Europe's landmark artificial intelligence regulation, is phasing in throughout 2026. Key provisions include:
• A ban on "nudifier" apps and tools generating non-consensual sexual imagery, effective by December 2.
• Mandatory labeling of AI-generated content, including deepfakes, by December 2.
• Stricter compliance requirements for high-risk AI systems used in hiring, banking, and law enforcement, enforceable from August 2.
In June, the Commission published a Code of Practice to help platforms implement transparency obligations for AI-generated content. Meanwhile, the Digital Operational Resilience Act (DORA) is tightening cybersecurity requirements for financial institutions, forcing banks and insurers to bolster defenses against AI-enhanced attacks.
The Bottom Line
The Court of Auditors has made clear that while the EU's anti-fraud architecture follows the right principles, it suffers from critical gaps: poor risk assessment, fragmented information sharing between agencies, and a monitoring culture that counts completed actions rather than measuring real fraud prevention. Until those gaps close, opportunities for criminals — especially those equipped with AI tools — remain open. The good news is that policymakers are aware of the problem. The challenge now is closing the gap between diagnosis and action before fraudsters fully capitalize on it.
