commission.europa.eu web signal

EU unveils AI cybersecurity plan with pre-market model testing

TL;DR

  • The Commission's five-action plan builds on the AI Act, Cyber Resilience Act, and NIS2 rather than proposing new legislation.
  • Executive VP Henna Virkkunen said advanced AI models can build cyber exploits in minutes or hours at a fraction of human cost.
  • Deliverables include an EU evaluation capacity, a structured access blueprint, a JRC testing platform, and an EU Grand Challenge.

The European Commission's new Action Plan on Cybersecurity and AI, published on 7 July 2026, starts from a premise that would have read as paranoid two years ago and now reads as basic threat modelling: the same frontier models can be defensive tools and offensive weapons in the same afternoon. Executive Vice-President for Tech Sovereignty, Security and Democracy Henna Virkkunen put it plainly, saying "AI is transforming the meaning of cybersecurity. And we must keep pace," and warning that advanced models "can now build cyber exploits in minutes or hours at a fraction of the cost of vulnerability discovery by trained humans."

What the Commission is proposing is not new legislation but implementation scaffolding on top of the AI Act, the Cyber Resilience Act, the Cyber Solidarity Act, and NIS2. Five actions structure the plan: build an EU evaluation capacity so the AI Office can assess advanced models before they are placed on the EU market; design, with the EU Agency for Cybersecurity, a "European blueprint for structured access to advanced AI capabilities" so public and private defenders can probe the same models attackers might use; stand up a secure platform with the Joint Research Centre to test AI for cybersecurity in simulated environments; push organisations toward better cyber hygiene and security-by-design; and invest in sovereign compute through AI Factories and future Gigafactories, plus an EU Grand Challenge on AI for cybersecurity.

The structured access pillar is the one worth staring at. Europe has spent the last few years watching frontier models get built mostly inside US labs, and the plan is an attempt to change the terms on which European regulators and defenders can touch them. Finnish MEP Aura Salla told Euronews that "our dependency is not primarily about AI models. It is about the infrastructure they rely on." A blueprint that lets European agencies actually inspect the models they are supposed to regulate is the difference between a regulator and a rubber stamp.

The honest caveat is that this is a plan, not a rulebook. The announcement I can point to does not attach funding figures, does not give a hard timeline for when the evaluation capacity or JRC testing platform will be operational, and does not name which model providers will accept structured access on European terms rather than their own. Dutch MEP Bart Groothuis's warning that "your software and IT systems will be tested by hackers, aided by the latest AI models" is the pressure the Commission is racing against.

For anyone building or defending critical infrastructure in Europe, the useful takeaway is that the AI Office is about to become a real customer for evaluations, red-team simulations, and structured access tooling. That is a market that did not exist a year ago.