New EU plan links advanced model scrutiny with protection for energy, health, finance and public services
The European Commission has launched a new action plan to confront the cybersecurity risks created by advanced artificial intelligence, warning that the same systems able to strengthen digital defences can also help attackers find vulnerabilities, automate intrusions and accelerate cyber incidents. The move, published on 7 July, pushes the EU from broad AI rulemaking toward practical preparedness for critical sectors.
The plan arrives at a sensitive moment for Europe’s digital policy. The EU has already built a dense legal framework around artificial intelligence, cyber resilience and platform responsibility. The new question is whether institutions, companies and public authorities can make those rules operational quickly enough as powerful models become more capable and more widely available.
Advanced models move up the risk agenda
At the centre of the Commission’s AI cybersecurity action plan is a three-part approach: promote safe and responsible use of advanced AI, reinforce the EU’s wider cybersecurity resilience, and scale up European AI capabilities for cyber defence.
That reflects a dual reality. AI systems can help defenders detect weaknesses, analyse malicious code and respond faster to attacks. But they can also lower the barrier for hostile actors, allowing cyber operations to be carried out at greater speed and scale. For hospitals, transport networks, energy operators and public administrations, that shift is not theoretical. It affects services that people rely on daily.
The Commission says it will strengthen Europe’s ability to evaluate advanced AI models before they are placed on the EU market. That capacity is expected to support the regulatory work of the European AI Office and contribute to third-party assessment of model capabilities and risks.
ENISA role and critical-sector safeguards
The Commission will work with the European Union Agency for Cybersecurity, ENISA, on a blueprint for secure access to advanced AI systems for cybersecurity purposes. It also plans a secure testing platform to help organisations in critical sectors, including energy, transport, health, finance and public administration, examine and deploy AI tools more safely.
The initiative is designed to sit alongside existing EU laws, including the AI Act, the NIS2 Directive, the Cyber Resilience Act, the Digital Operational Resilience Act and the Cyber Solidarity Act. The Commission’s own AI Act implementation guidance says the cybersecurity plan will support model evaluation capacity and secure deployment in high-risk environments.
Brussels is also promising an EU Grand Challenge on AI for cybersecurity, intended to bring together companies, researchers and other stakeholders to develop AI-powered defensive tools. That strand points to a broader industrial goal: Europe wants to reduce dependence on foreign technologies while avoiding a regulatory system that slows responsible innovation.
Security and rights remain linked
The action plan is framed as a cybersecurity measure, but its implications reach into civil liberties and public trust. AI-enabled security tools can protect infrastructure and users. They can also raise difficult questions about access to private systems, oversight, data handling and proportionality.
Those tensions are already visible in Europe’s wider digital agenda. Recent European Times coverage of the child-safety scanning debate showed how EU lawmakers are trying to reconcile protection from severe online harm with the privacy of private communications. AI cybersecurity will require a similar discipline: strong defensive capacity without creating vague or excessive surveillance powers.
The Commission’s announcement does not create a single new obligation overnight. Its significance lies in the infrastructure it tries to build around existing law: evaluation capacity, secure access rules, sector-specific deployment support and cooperation between EU bodies, national authorities, industry and researchers.
For Europe, the coming test will be execution. If the plan produces credible safeguards, shared expertise and usable tools for vulnerable sectors, it could strengthen public confidence in both AI and cybersecurity policy. If implementation is slow or uneven, the gap between fast-moving AI risks and institutional readiness will remain exposed.
