European Commission — EU Action Plan on Cybersecurity and AI

AI relevance: The EU's Action Plan directly addresses how advanced AI models can be used to identify vulnerabilities, automate attacks, and scale cyber incidents — while also proposing structured access to those same models for defensive cybersecurity operations across critical infrastructure.

  • On July 7, 2026, the European Commission published an Action Plan for a structured response to address the risks and harness the opportunities of advanced AI models for cybersecurity.
  • The plan explicitly acknowledges that AI can be misused to identify vulnerabilities, automate attacks, and significantly increase the scale and speed of cyber incidents — a direct reference to the agentic AI threat landscape documented in campaigns like JadePuffer and the rise of AI-driven exploit tooling.
  • Key action: The Commission will help establish an EU evaluation capacity to strengthen third-party assessment of AI capabilities and risks globally, supporting the regulatory function of the AI Office under the AI Act.
  • Key action: The EU Agency for Cybersecurity (ENISA) will work with the Commission to define a European blueprint for structured access to advanced AI capabilities for cybersecurity — supporting public and private organizations in accessing frontier models for defensive purposes.
  • Key action: ENISA and the Commission's Joint Research Centre will create a secure platform to test AI for cybersecurity, including simulated environments — bringing know-how on safe AI use to operators in critical sectors.
  • Key action: The EU must protect critical infrastructure by intensifying cyber hygiene practices, risk management measures, and security-by-design principles — and start using available AI capabilities to fix vulnerabilities faster, prevent and respond to cyberattacks.
  • Key action: The Commission will launch the EU Grand Challenge on AI for cybersecurity, bringing together companies, researchers, and organizations to develop AI solutions for cybersecurity and support the growth of the EU market.
  • The plan builds on existing EU rules: the AI Act (model evaluation and risk assessment before market placement), the Cyber Resilience Act (security-by-design for digital products), NIS2 (critical infrastructure security), and the Cyber Solidarity Act.
  • AI Factories and future Gigafactories infrastructure, plus the European Tech equity capacity announced in the Tech Sovereignty Package, will be available to scale European AI capabilities for cyber defense.

Why it matters

This is the first time a major regulatory body has explicitly connected AI model evaluation (under the AI Act) with cybersecurity operational needs. The plan recognizes a tension: the same frontier models that can automate vulnerability discovery and attack execution are also the most capable tools for defensive security operations. By proposing structured access to advanced AI for cybersecurity, the EU is acknowledging that critical infrastructure operators need frontier model capabilities — not just smaller, safer models — to defend against AI-driven threats. The secure testing platform for AI in cybersecurity is also significant: it suggests the EU wants to build a shared evaluation environment where AI tools can be stress-tested against realistic attack scenarios before deployment in production critical infrastructure.

What to do

  • If you operate critical infrastructure in the EU, track ENISA's upcoming guidance on structured access to advanced AI models — this will define what capabilities are available and under what conditions.
  • Review your organization's AI model evaluation posture: the AI Act requires advanced AI models to be evaluated and their risks assessed before market placement. If you deploy frontier models internally, ensure you have documentation of capability and risk assessment.
  • Watch for the EU Grand Challenge on AI for cybersecurity announcements — this will likely include funding, partnership opportunities, and technical specifications for AI-driven cybersecurity tools.
  • If you build AI security tools, the secure testing platform (once launched) will be a validation environment — plan for integration testing against ENISA's simulated environments.
  • For non-EU organizations: this plan will influence global norms around AI model evaluation for cybersecurity. If you sell into EU markets, expect procurement requirements to reference AI Act compliance and ENISA guidance within 12–18 months.

Sources