The European Commission has presented an Action Plan to provide a structured response to address the risks and capitalise on the opportunities presented by advanced artificial intelligence (AI) models in the field of cybersecurity.
New advanced AI models are redefining cybersecurity. AI can be misused to identify vulnerabilities, automate attacks and increase the scale and speed of cyber incidents at an unprecedented rate.
Building on the EU’s single legal framework for AI and cybersecurity, the Action Plan will bring together Member States, industry and organisations at EU level to strengthen the cybersecurity of our digital environment in the face of the vulnerabilities posed by advanced AI.
Assessment of AI models
To achieve effective security, it is essential to have a thorough understanding of how new technologies can be used, misused and exploited. Under the AI Act, advanced artificial intelligence models must be assessed and mitigation measures carefully analysed before they are placed on the market in the EU.
To foster the development of specialist expertise at national level, the Commission will launch a specific call for proposals to establish an EU cybersecurity assessment capacity, which is expected to be operational by 2027. This new capacity will support the AI Office’s regulatory role by strengthening third-party assessment of AI capabilities and risks at a global level.
Access to advanced AI models
Europe also needs clear and transparent conditions for accessing the most advanced AI systems.
The Commission will work with the European Cybersecurity Agency (ENISA) to define an European model that facilitates structured access to advanced AI capabilities for cybersecurity. This guidance will help relevant European public and private organisations to access advanced AI models.
AI testing for cybersecurity
ENISA and the Commission’s Joint Research Centre will create a secure platform for testing AI in cybersecurity, including the use of simulated environments. This will provide insights into the secure use of AI for operators in critical sectors, such as finance, energy, healthcare, transport and public administration.
Strengthening the EU’s cybersecurity and addressing vulnerabilities.
The EU must protect its critical infrastructure against vulnerabilities arising from the potential misuse of these technologies.
As set out in EU cybersecurity rules, organisations must step up their cyber hygiene practices, risk management measures and the principles of security by design.
Organisations should start using the AI capabilities already available, including through open-source models, to identify and fix vulnerabilities more quickly, as well as to prevent and respond to cyberattacks.
To assist organisations in this transition, ENISA will support and facilitate collaboration between public authorities, businesses and open-source communities within the cyber ecosystem. This will include guidance, recommendations and best practices, as well as a campaign to protect critical open-source software.
Expanding European AI capabilities for cybersecurity
To drive growth in the European market, the Commission will launch the EU Grand Challenge on AI for cybersecurity. This competition will bring together businesses, researchers and organisations to develop AI solutions in this field.
The EU must continue to invest in developing its own sovereign advanced AI capabilities, drawing on the infrastructure providedby AI Factories and future Gigafactories. In this context, the forthcoming European capital initiative for the technology sector, announced inthe Technological Sovereignty Package, could attract private investment to expand internally developed AI capabilities.
Background
The EU has an appropriate legal framework to address cybersecurity in the era of emerging technologies, such as AI. The AI Act requires the risks arising from AI models to be assessed and mitigated, whilst the Code of Good Practice on General-Purpose AI further specifies these requirements and facilitates compliance by providers of advanced models. These provisions will come into force on 2 August 2026.
The Cyber Resilience Act, which will come into force at the end of 2027, requires security by design for hardware and software products. In addition, the Network and Information Systems Directive(NIS2) aims to strengthen security in critical sectors such as transport and energy, alongsidethe Digital Operational Resilience Act (DORA) for the financial sector. The Cyber Solidarity Act strengthens the EU’s capabilities to detect, prepare for and respond to significant, large-scale cyber threats and attacks.
More information: European Commission






Leave a Reply