The Council of the European Union on 9 July 2026 published a Commission Communication outlining an Action Plan on Cybersecurity and Artificial Intelligence, setting out measures to support Member States and EU organisations in addressing cybersecurity opportunities and risks from frontier AI. The plan builds on existing EU laws including the AI Act, Cyber Resilience Act, NIS2 Directive, and Cyber Solidarity Act, and includes the establishment of an EU evaluation capacity for AI models, a structured access framework for advanced AI cyber tools, and secure testing environments, all to be operational by 2027.
The Action Plan, presented as a cover note from the Commission to the Council, comes as the Commission prepares to exercise its AI Act supervisory powers from 2 August 2026, including enforcement against providers of general-purpose AI models with systemic cyber risks, with fines of up to 3% of global annual turnover. Key Action 1 commits the Commission to support the establishment of an EU evaluation capacity for AI models that must include cybersecurity, with a target date of 2027. Key Action 2 tasks the Commission, in coordination with ENISA, with defining a European Blueprint for structured access to advanced AI capabilities for cybersecurity purposes by Q4 2026. The Blueprint will include contingency measures if a provider or third-country authority restricts or withdraws access. Key Action 3 directs ENISA and the Joint Research Centre to develop a secure testing platform for AI with advanced cyber capabilities for cybersecurity use cases, also by Q4 2026. The testing platform will not evaluate general-purpose AI models for AI Act compliance.
The plan aims to reduce strategic dependencies on non-EU AI providers and prepare for AI-powered cyber threats. For EU regulatory bodies, the plan expands their role in AI oversight and cybersecurity coordination, requiring new technical capacities and inter-agency cooperation. National authorities of EU countries will benefit from shared evaluation and testing infrastructure but may face pressure to align national cybersecurity strategies with EU-level frameworks. EU producers of AI systems and cybersecurity tools face new compliance requirements and potential liability under the AI Act's enforcement regime, but also gain access to EU-backed testing and evaluation resources. EU consumers and businesses stand to benefit from improved cybersecurity resilience and reduced exposure to AI-related cyber risks, though the effectiveness of the measures will depend on timely implementation and international cooperation.
The Commission's Action Plan now awaits consideration by the European Parliament and the Council, with further legislative or implementing measures expected to follow the completion of the Blueprint and testing platform in late 2026.