On 7 July 2026, European Commission Executive Vice-President Henna Virkkunen outlined an action plan on cybersecurity and artificial intelligence, warning that advanced AI can create cyber exploits in minutes at a fraction of the cost of human experts. Speaking on the Action plan on Cybersecurity and Artificial Intelligence, she said the EU must turn its existing legal foundations into action, capability, and resilience along three priorities: ensuring high-capability AI models are safe, protecting against malicious AI misuse, and building Europe's own AI-powered cyber capabilities.
Virkkunen stressed that the EU is not starting from scratch, citing the AI Act as the world's strongest framework for managing advanced AI risks. She noted that the AI Office is already working with AI companies to implement the rules, and that in less than a month the office will have enforcement powers. Under the AI Act, advanced models must be evaluated and mitigation measures assessed before market placement. To build expertise, the Commission will launch a call to boost AI evaluation capacity, especially in cybersecurity, aiming to be operational by 2027. Together with ENISA, the Commission will develop a European Blueprint for structured access to advanced AI models, focusing on cybersecurity, to support AI providers and European organisations. Additionally, a secure platform to test AI for cybersecurity will be set up by the end of 2026, allowing assessment of models for safe use in critical sectors such as finance, energy, health, transport, and public administration.
On protection against malicious attacks, Virkkunen called for full and effective implementation of existing cybersecurity legislation, including the NIS2 Directive, DORA, and the Cyber Resilience Act, highlighting the urgency of implementing NIS2. She also announced a Critical Open Source Resilience Campaign to support maintainers in fixing the most critical vulnerabilities in key open-source projects. For building Europe's own AI-powered cyber capabilities, Virkkunen argued that relying solely on non-European solutions is not an option. She said frontier AI requires very large-scale investment beyond public funding, and that the new European tech equity capacity announced in the Tech Sovereignty Package could be a game changer. She pointed to Europe's talent, solid cybersecurity and AI ecosystem, and AI Factories and future AI Gigafactories as components of a sovereign European infrastructure for AI and cybersecurity.
a call for AI evaluation capacity by 2027, a secure testing platform by end of 2026, a Blueprint for structured access, and a Critical Open Source Resilience Campaign. It did not provide specific budget figures or deadlines for the Blueprint or the resilience campaign beyond the 2027 operational target for evaluation capacity. The policy orientation shifts the EU toward a more assertive, self-reliant stance in cybersecurity, emphasising sovereign capabilities and mobilising private capital, while maintaining regulatory oversight through the AI Act.
AI providers will face mandatory pre-market evaluations and structured access requirements, increasing compliance costs but potentially gaining a clearer regulatory pathway. Critical infrastructure operators in finance, energy, health, transport, and public administration will benefit from improved AI-driven threat detection and incident response, though they may need to invest in new tools and training. EU cybersecurity agencies and member state authorities will gain enhanced evaluation and testing capabilities, but face pressure to implement NIS2 fully and quickly. European open-source projects will receive targeted support to fix critical vulnerabilities, reducing risk for downstream users, though maintainers may need to coordinate with the Commission's campaign.