The European Commission recently released a new Action Plan on Cybersecurity and Artificial Intelligence, outlining how it intends to manage the growing cybersecurity risks associated with frontier AI models and strengthen Europe’s own AI-enabled cybersecurity capabilities.
The Commission has faced mounting pressure from Member States and other EU institutions to develop a strategy for managing these risks since Anthropic first launched its Mythos model in April. The plan comes after months of concern from European governments about access to the world’s most advanced AI models. Temporary U.S. export controls and Europe’s broader push for greater technological independence have added urgency to those discussions.
The July 7 Action Plan also arrives amid broader transatlantic tensions over technology policy. The EU has accelerated its push for digital sovereignty with the Commission recently unveiling its Tech Sovereignty Package, a broad set of legislative and policy initiatives aimed at reducing Europe’s strategic dependence on non-European technology providers to enhance the resilience of the EU’s digital infrastructure.
Contents of the Action Plan
The Action Plan emphasizes that the EU already has a legal and policy framework capable of managing the cybersecurity risks posed by cutting-edge AI. It points to a range of recently adopted legislation – including the AI Act, Cyber Resilience Act (CRA), and NIS2 Directive – as the foundation of this approach, and encourages Member States and the private sector to prioritize implementation. The Commission also highlights ongoing efforts to strengthen Europe’s AI ecosystem, including the proposed Cloud and AI Development Act (CADA), which is currently open for public comment through Sept. 9, 2026.
The Commission acknowledges that frontier AI presents new cybersecurity challenges that require additional action. The Action Plan outlines how the Commission intends to address these emerging risks by leveraging existing authorities and working with the European Union Agency for Cybersecurity (ENISA), other EU institutions, Member States, and the private sector. Importantly, the Action Plan creates no new legal compliance obligations and does not propose new legislation.
The Commission organizes its proposed actions around three pillars:
Pillar 1: Making frontier AI safe, accessible, and deployable for European cybersecurity
The first pillar focuses on how the Commission intends to facilitate and ensure continued access to frontier AI models with advanced cybersecurity capabilities for EU institutions, Member State governments, and European organizations. Key actions include:
- Developing criteria for independent third-party evaluators by 2027 to support pre-deployment evaluations of frontier AI models.
- Working with ENISA to develop a “European Blueprint for Structured Access to Advanced AI Capabilities for Cybersecurity Purposes” by Q4 2026 that will establish guidance for how frontier AI labs can grant access to their models for cybersecurity purposes. It will also include “contingency measures” in the event access is restricted or withdrawn by either model providers or third-country governments, as well as a “mechanism to streamline access for eligible entities.”
- Exploring, with Member States, the creation of a joint funding instrument or joint procurement mechanism to obtain access to advanced AI models with cybersecurity capabilities.
- Working with ENISA to develop a secure testing platform for AI with advanced cybersecurity capabilities by Q4 2026 to support the timely and secure deployment of frontier AI for cybersecurity use cases.
If successful, these initiatives would reduce the EU’s reliance on the United States and People’s Republic of China for access to frontier AI models. However, the Commission will need to ensure these efforts complement – not duplicate – similar initiatives being developed by trusted partner countries, such as the United States. If these efforts diverge significantly, labs could be forced to navigate multiple, potentially inconsistent access and evaluation processes, increasing administrative burdens and slowing the responsible deployment of tools crucial to defenders.
Pillar 2: Preparing the EU’s cyber ecosystem for the age of AI
The second pillar focuses on strengthening the resilience of Europe’s digital ecosystem against the cybersecurity challenges posed by frontier AI, particularly as AI accelerates vulnerability discovery, enables cyberattacks at greater speed and scale, and lowers the level of expertise required to conduct increasingly sophisticated operations. Key actions include:
- Issuing guidance, recommendations, advisories, and best practices through ENISA by Q3 2026 on defending against AI-powered cyber threats and securely integrating AI into cybersecurity operations.
- Working with Member States, ENISA, and industry to modernize vulnerability management practices and tools by Q3 2026, including the European Union Vulnerability Database (EUVD) and the Cyber Resilience Act Single Reporting Platform ( CRA SRP), to ensure they remain effective in the age of AI.
- Launching a pilot Critical Open Source Resilience Campaign by Q4 2026, with ENISA, Member States, open-source communities, and industry, to accelerate patching of critical open-source software using AI. The initiative supports the EU’s recently adopted Open Source Strategy and will establish a voluntary sponsorship scheme that pairs organizations with maintainers of critical open-source projects to strengthen their maintenance and security. Lessons learned from the pilot will inform the implementation of the Commission’s planned Open Source Maintenance Instrument.
The Commission’s proposal to update the CRA SRP could prove to be one of the most consequential aspects of the Action Plan. The CRA’s vulnerability reporting framework was designed before advanced AI systems fundamentally changed the speed and scale of vulnerability discovery. As AI dramatically increases the number of vulnerabilities that can be identified, organizations reporting under current CRA rules may struggle to investigate, validate, and report them within existing deadlines, while ENISA may face similar challenges processing the resulting surge in reports.
The Critical Open Source Resilience Campaign should build on the ecosystem of industry initiatives already taking shape. The Linux Foundation’s Akrites, Chainguard’s Athena, and IBM, Red Hat, and Palo Alto Networks’ Project Lightwell are being developed as complementary, interoperable clearinghouses that coordinate vulnerability discovery, validation, disclosure, and remediation across the open source ecosystem. Many of the companies supporting these efforts – including AWS, Anthropic, Cisco, Google, IBM, Microsoft, Nvidia, OpenAI, Palo Alto Networks, Red Hat, and Zscaler – also have significant operations in the EU. By integrating with this emerging network, the EU can strengthen coordinated support for the open source projects that underpin critical digital infrastructure while avoiding unnecessary fragmentation.
Pillar 3: Scaling European AI capabilities for cyber
The third pillar focuses on strengthening Europe’s own AI ecosystem by expanding sovereign AI capabilities, including frontier AI models, computing power, and cybersecurity expertise. Key actions include:
- Launching an EU Grand Challenge by Q4 2026, with support from the European Cybersecurity Competence Centre and ENISA, to accelerate the development and scaling of European AI-powered cybersecurity solutions.
- Working with Member States to leverage existing AI Factories, which provide free access to computing power and customized support services to EU-based SMEs and startups, to support the testing, training, and deployment of European sovereign frontier AI models and capabilities.
- Working with Member States and industry to develop AI-focused cybersecurity training modules by, helping cybersecurity professionals effectively deploy AI in defensive operations.
Collaborating with international partners
In addition to the three pillars, the Action Plan emphasizes the need for enhanced international cooperation to address the growing cybersecurity risks associated with these models. The Commission argues that cooperation among trusted partners will be essential to avoid fragmentation, promote interoperability, and pool efforts to mitigate AI-enabled cyber threats. Accordingly, the Action Plan calls for the European Union to play a leading role in shaping global approaches to AI-enabled cybersecurity and states that it will continue engaging through international governmental and standards bodies, bilateral cyber dialogues and digital partnerships, and strengthened cooperation with NATO.
Achieving this vision will not be easy as the United States and the People’s Republic of China continue to compete for leadership in frontier AI. While the G7 discussed developing a “trusted partners” framework to facilitate access to these capabilities during its annual summit last month in France, no concrete progress has yet been announced. Nevertheless, the Commission’s emphasis on international cooperation leaves the door open for these efforts to converge as trusted partners continue to develop their respective approaches.
Read Next
Child Online Protection in Latin America
Digi Americas Alliance's latest report examines national approaches across six Latin American countries, highlights leading international frameworks, and offers recommendations to strengthen regional cooperation while respecting national differences.
CDM 2.0: Advancing Federal Cybersecurity
As federal agencies modernize IT systems, the Continuous Diagnostics and Mitigation Program must as well. This paper details recommendations on how CDM can evolve to meet new demands and threats.
Digital Evidence in Europe: Persistent Challenges, Practical Solutions
"Digital Evidence in Europe: Persistent Challenges, Practical Solutions" focuses on the transformative opportunity — and challenges ahead — presented by the EU’s upcoming e-Evidence framework.
