Decoding the world of cybersecurity

EU weighs AI cyber strategy

MEPs are pressing the Commission on AI and cybersecurity proposals as Brussels considers how NIS2, ENISA powers, certification, and ICT supply chain rules should evolve.

EU weighs AI cyber strategy
Summary
  • The European Parliament has scheduled scrutiny of the Commission’s AI and cybersecurity proposals.
  • Work is running alongside “Cybersecurity Act 2”, including NIS2 updates, ENISA reinforcement, certification, and ICT supply chain measures.
  • The debate links AI security with Europe’s wider cyber regulatory framework, supplier oversight, and advanced cybersecurity capability.

The European Parliament is pressing the European Commission on its latest artificial intelligence and cybersecurity proposals, placing AI security, ICT supply chain controls, ENISA’s role, and the future of NIS2 into the same policy frame.

The European Parliament scheduled a scrutiny session for Tuesday 7 July under the heading of an EU strategy on cybersecurity and AI. MEPs are expected to question the Commission on proposals intended to help member states and European companies address AI-related cybersecurity risks and strengthen Europe’s advanced AI cybersecurity capabilities.

The Parliament’s agenda note says the Commission’s action plan is expected to include concrete measures for AI-related cyber risk. It also points to parallel legislative work on two proposals described as “Cybersecurity Act 2”, including an update to the NIS2 Directive and a proposal to reinforce the European Union Agency for Cybersecurity, the EU cybersecurity certification framework, and the ICT supply chain.

The debate is broader than AI model safety or software assurance. AI systems are being embedded into regulated services, public administration, cloud platforms, development workflows, fraud detection, operational decision-making, and customer-facing financial tools. That makes AI cyber risk difficult to contain inside one regulatory category. It crosses identity, software development, vulnerability discovery, incident response, data governance, outsourcing, and supplier assurance.

The Commission has also welcomed the G7 cybersecurity declaration intended to strengthen global digital resilience, giving the Parliament’s scrutiny session a wider diplomatic backdrop. European institutions are increasingly trying to align internal legislation with external commitments, particularly around critical infrastructure, supply chains, and technology dependency.

The NIS2 element will be watched closely because many member states are still transposing or operationalising the existing directive. Parliament is already discussing an update while regulated organisations are still interpreting the current wave of obligations. Operators in energy, transport, health, finance, digital infrastructure, public administration, and managed services face a rolling compliance burden in which legal, technical, procurement, and governance teams must track current duties alongside the likely direction of EU policy.

ENISA’s potential reinforcement could affect certification, cross border incident coordination, risk methodology, and supplier assurance. A more active European cyber agency may reduce fragmentation across member states, while also creating more structured expectations for evidence, controls, and reporting. Vendors selling into European regulated sectors, cloud and ICT providers, and organisations dependent on certified products or services would all be affected by stronger central coordination.

The ICT supply chain component is central to the policy direction. Recent European cyber policy has moved away from treating cybersecurity as an internal IT matter and towards treating suppliers, software, platforms, and outsourced infrastructure as part of the regulated risk surface. AI accelerates that shift because models, training data, inference services, APIs, chips, cloud capacity, and application layers may be provided by different organisations in different jurisdictions.

The Parliament item is a scrutiny session rather than a full legislative package, and the final shape of the Commission’s plan will determine the strongest editorial line. The policy direction is still clear. Brussels is bringing together subjects that are often handled separately: AI security, NIS2, ENISA, certification, and technology dependency.

Any final EU approach will need to give organisations clear expectations on supervision, evidence, certification, procurement, and cross border incident handling. Regulated entities and suppliers will need to understand who oversees AI-related cyber risk, how certification maps to contracts, and how incidents involving AI enabled systems will be coordinated when they affect more than one member state. Without that operational clarity, Europe’s regulatory framework may expand faster than organisations can turn it into measurable resilience.

×