The European Commission unveiled its Action Plan on Cybersecurity and Artificial Intelligence in Strasbourg on July 7, 2026, and the most consequential thing about it’s what isn’t in it: any new legislation. Executive Vice-President Henna Virkkunen framed the omission as strategy, telling reporters the existing statutes are sufficient and that the gap is in implementation.

Those statutes are already a dense stack, the AI Act, NIS2, the Cyber Resilience Act, DORA, and the Cyber Solidarity Act. Rather than adding to it, Brussels is retooling how the pieces talk to each other. ENISA is tasked with co-developing a European Blueprint for structured access to frontier AI models for cybersecurity purposes. The Joint Research Centre and ENISA will stand up a secure EU AI testing platform by the end of 2026. The AI Office will work with specialised evaluators to assess advanced models before EU market placement, with general-purpose AI obligations under the AI Act entering enforcement on 2 August 2026. An EU Grand Challenge on AI for cybersecurity, per MLex, will fund homegrown security tools.

The Commission’s own framing, as Euronews reported, concedes that advanced models can now “build cyber exploits in minutes or hours at a fraction of the cost of vulnerability discovery by trained humans.” That’s the operational reality forcing the plan.

It’s also where the plan quietly admits its own ceiling. Euronews notes the document “lays bare the EU’s dependency,” with Brussels negotiating access to US models including Anthropic’s Mythos. MEP Aura Salla (EPP, Finland) put the point more sharply: “Our dependency is not primarily about AI models. It is about the infrastructure they rely on.”

Every enforcement instrument Brussels can reach for assumes European authorities can actually inspect what they’re regulating. The Blueprint is an attempt to negotiate that inspection into existence, statute by statute, model by model.

Sources

Sources