The European Commission on July 7 presented an Action Plan on Cybersecurity and Artificial Intelligence, establishing a coordinated framework to govern how advanced AI is used defensively — and to mitigate its exploitation by malicious actors 123.
The plan is structured around three complementary objectives: promoting the safe and responsible use of advanced AI, reinforcing the EU's cybersecurity and resilience, and scaling up Europe's AI capabilities for cybersecurity 3.
On the safety front, the European Commission will strengthen Europe's capacity to evaluate AI models before they are placed on the EU market, in line with the AI Act 3. The plan also encourages organisations to use AI, including open-source models where appropriate, to detect and address vulnerabilities more quickly and improve cyberattack prevention and response 3.
The European Commission will work with the European Union Agency for Cybersecurity (ENISA) to develop a European Blueprint for secure access to advanced AI systems for cybersecurity purposes 3. Separately, the European Commission will establish a secure testing platform to help organisations in critical sectors safely test and deploy AI solutions 3.
To stimulate capability development, the European Commission will launch an EU Grand Challenge on AI for cybersecurity 3. The EU will continue investing in sovereign AI capabilities, building on AI Factories and future Gigafactories 3.
The Action Plan builds on the EU's existing legal framework for AI and cybersecurity, including the AI Act, the Cyber Resilience Act, the NIS2 Directive, DORA, and the Cyber Solidarity Act 3. It promotes implementation of existing EU cybersecurity legislation, including the NIS2 Directive and the Cyber Resilience Act 3.
The plan frames AI as a dual-use technology in the cybersecurity domain: AI can help detect vulnerabilities, prevent cyberattacks, and strengthen the protection of critical infrastructure, but it can also be exploited by malicious actors to automate attacks, identify weaknesses, and carry out cyber operations at unprecedented speed and scale 3.
[ANALYSIS] The Action Plan represents a regulatory layering strategy — rather than introducing new standalone legislation, the European Commission is building operational guidance and institutional infrastructure on top of existing statutes like the AI Act and NIS2 Directive. The ENISA partnership and the secure testing platform signal an intent to create centralized EU-level resources for AI-cybersecurity governance, rather than leaving implementation entirely to individual member states. The inclusion of open-source models as an encouraged tool for vulnerability detection is notable, positioning the EU's approach as technology-neutral rather than restrictive on model provenance.