Decoding the world of cybersecurity

EU sets cyber plan for advanced AI

The European Commission has set out an action plan linking advanced AI, cyber defence, model evaluation, and existing EU laws including NIS2, DORA, and the Cyber Resilience Act.

EU sets cyber plan for advanced AI
Summary
  • The Commission’s action plan addresses malicious use of advanced AI and defensive use of AI in cybersecurity.
  • It links AI security work to the EU’s existing cyber and digital regulatory framework.
  • The plan points to model evaluation, secure testing, vulnerability detection, and critical-sector deployment.

The European Commission has set out an action plan on cybersecurity and artificial intelligence, aiming to coordinate how the EU manages risks created by advanced AI models while using AI to strengthen vulnerability detection, prevention, and response.

The plan says advanced AI models are changing cybersecurity because they can be misused to identify vulnerabilities, automate attacks, and increase the speed and scale of cyber operations. At the same time, the Commission says AI can help detect weaknesses, prevent attacks, and protect critical infrastructure when it is used under appropriate controls.

The policy direction draws on the EU’s existing legal framework rather than creating a standalone AI security regime. The Commission links the action plan to the AI Act, NIS2, the Cyber Resilience Act, the Digital Operational Resilience Act, and the Cyber Solidarity Act. It also identifies three objectives: promoting safe and responsible use of advanced AI, reinforcing EU cybersecurity and resilience, and scaling up Europe’s AI capabilities for cybersecurity.

The Commission says it will strengthen Europe’s ability to evaluate AI models before they enter the EU market, working in line with the AI Act. It also plans to work with the European Union Agency for Cybersecurity, ENISA, on a European blueprint for secure access to advanced AI systems for cybersecurity purposes, alongside a secure testing platform for organisations in critical sectors such as energy, transport, health, finance, and public administration.

That coordination cuts across several regulatory tracks already moving through European organisations. Financial entities are preparing for DORA resilience obligations, essential and important entities are working through NIS2 implementation, product manufacturers face requirements under the Cyber Resilience Act, and AI providers and deployers are adjusting to the AI Act. The action plan attempts to connect those regimes before AI security becomes another fragmented compliance layer.

AI will accelerate both offensive and defensive cyber activity. Attackers can use models to support reconnaissance, social engineering, vulnerability discovery, malware development, and operational scaling. Defenders can use them for triage, detection engineering, code review, vulnerability prioritisation, and response support. The gap between those uses will be determined by access to reliable data, testing environments, governance, skills, procurement controls, and accountability.

The plan is not an immediate rulebook for organisations. Its practical effect will depend on funding, guidance, standards, testing infrastructure, and future supervisory expectations. Regulators already expect organisations to understand material technology dependencies and operational resilience risks. AI systems used in security monitoring, software development, identity workflows, customer operations, or decision support will increasingly sit inside that assessment.

The Commission also places cybersecurity inside Europe’s technology sovereignty agenda. If advanced models are built, hosted, accessed, or evaluated outside European control, regulated sectors and public bodies will need credible ways to assess data exposure, dependency, and security assurance. The same issue arises where cloud-based AI capabilities are embedded into productivity suites, development tools, enterprise software, and cyber platforms.

The Commission’s Action Plan on Cybersecurity and Artificial Intelligence brings AI-enabled cyber risk into Europe’s wider resilience architecture. The operational work now sits in governance, testing, procurement, and control over where advanced AI is used inside critical services and enterprise security functions.

×