Executive Vice-President Henna Virkkunen, in a written answer on 19 June 2026, outlined the European Commission's strategy to counter cybersecurity risks posed by advanced AI models such as Anthropic's Claude Mythos, which can detect and exploit software vulnerabilities at unprecedented scale. The answer, responding to a parliamentary question from MEPs including Leila Chaibi (The Left) and Kim Van Sparrentak (Verts/ALE), signals a shift from existing regulation toward operational capacity-building, with implications for EU businesses, critical infrastructure operators, and cybersecurity agencies.
The question, submitted on 16 April 2026, warned that Claude Mythos—withheld from public release by Anthropic on 7 April—could identify hundreds of critical flaws in tested software and that open-source competitors might catch up within six to twelve months, leaving the EU's digital ecosystem exposed. Virkkunen acknowledged the urgency, noting that while the existing EU legal framework—including the AI Act, NIS 2 Directive, and Cyber Resilience Act—provides a robust baseline, it must now be translated into operational capacity.
Virkkunen pointed to a dedicated Action Plan on AI and Cybersecurity announced by the Commission on 19 May 2026, which aims to step up EU preparedness by pooling expertise, supporting Member States and critical infrastructure operators, and strengthening Europe's advanced AI cybersecurity capabilities. The plan builds on existing rules: under the AI Act, providers of advanced AI models must notify the Commission and mitigate systemic risks, including cyber misuse. Since 2025, the AI Office has engaged with providers on compliance.
Looking ahead, Virkkunen highlighted the proposed revision of the Cybersecurity Act, which would nearly double the resources of the EU Agency for Cybersecurity (ENISA), and the European Competitiveness Fund under the next Multiannual Financial Framework, which would bolster AI cybersecurity capabilities. The answer did not set specific numerical targets or deadlines for the action plan, but it framed the response as a matter of urgency, with concrete steps to be taken in cooperation with like-minded partners.
The Commission's approach balances regulatory enforcement with investment in sovereign capabilities, aiming to protect EU businesses and public infrastructure from a predicted surge in AI-driven cyberattacks, while also leveraging AI for defensive purposes.