European Commission presents action plan on cybersecurity and AI

The European Commission has set out an action plan to address cybersecurity risks linked to advanced AI models, while supporting their use for defence, testing, vulnerability management and European AI capabilities.

European Commission presents action plan on cybersecurity and AI

The European Commission has presented an action plan on cybersecurity and artificial intelligence, aimed at addressing the risks created by advanced AI models while supporting their use in strengthening digital security.

The Commission says advanced AI models are changing cybersecurity. They can help detect vulnerabilities, support incident response and improve security testing. But they can also be misused to find weaknesses, automate attacks and increase the speed and scale of cyber incidents.

The action plan is intended to create a structured EU response. It brings together Member States, industry and EU-level bodies to strengthen cybersecurity across Europe’s digital environment.

A central part of the plan is the evaluation of advanced AI models. Under the EU AI Act, advanced AI models must be assessed and risks must be mitigated before they are placed on the EU market. The Commission says it will launch a dedicated call to establish EU evaluation capacity, including for cybersecurity. This capacity is expected to become operational in 2027 and will support the regulatory work of the AI Office.

The Commission also says Europe needs clearer conditions for accessing advanced AI systems for cybersecurity purposes. It will work with the EU Agency for Cybersecurity, ENISA, to develop a European blueprint for structured access to advanced AI capabilities. The aim is to help relevant public and private organisations use advanced AI models for cybersecurity in a transparent and organised way.

Testing is another part of the plan. ENISA and the Commission’s Joint Research Centre will create a secure platform to test AI for cybersecurity, including through simulated environments. This is intended to help operators in critical sectors such as finance, energy, health, transport and public administration understand how AI can be used safely.

The plan also calls on organisations to strengthen cyber hygiene, risk management and security-by-design practices. The Commission says organisations should use available AI capabilities, including open-source models, to identify and fix vulnerabilities faster and to improve prevention and response to cyberattacks.

ENISA will support partnerships between public authorities, businesses and open-source communities. This will include guidance, recommendations, best practices and a campaign focused on securing critical open-source software.

To support European AI capabilities, the Commission will launch an EU Grand Challenge on AI for cybersecurity. The competition will bring together companies, researchers and organisations to develop AI-based cybersecurity solutions.

The Commission also links the action plan to the EU’s broader technology sovereignty agenda. It says Europe should continue investing in its own advanced AI capabilities, including through AI Factories, future Gigafactories and the planned European Tech equity capacity.

The action plan builds on several existing EU laws. The AI Act requires assessment and mitigation of risks from AI models, while the General-Purpose AI Code of Practice is intended to help advanced model providers comply with these obligations. These provisions are due to start being enforced on 2 August 2026.

The Cyber Resilience Act will require security by design for hardware and software products by the end of 2027. The NIS2 Directive covers cybersecurity in critical sectors, while the Digital Operational Resilience Act applies to the financial sector. The Cyber Solidarity Act is intended to strengthen EU capacity to detect, prepare for and respond to large-scale cyber threats and attacks.

The Commission’s action plan therefore treats AI as both a cybersecurity risk and a cybersecurity tool. Its focus is on evaluation, access, testing, vulnerability management and European capacity-building.

Go to Top