Updated:
July 15, 2026
EU Unveils Cybersecurity and AI Action Plan
The European Commission launched the EU Action Plan on Cybersecurity and Artificial Intelligence on July 7, 2026, outlining measures for advanced AI model evaluation, controlled cybersecurity testing, faster vulnerability remediation, and European investment in AI security.
The plan arrives before the Commission begins exercising AI Act enforcement powers for covered general-purpose AI providers on August 2, 2026.
The action plan focuses on 3 objectives: promoting the safe use of advanced AI, strengthening EU cyber resilience, and expanding European AI capabilities for cybersecurity.
Planned measures include an EU model-evaluation capacity, an ENISA access blueprint, a secure testing platform, the Critical Open Source Resilience Campaign, and new funding for AI and cybersecurity projects.
The plan coordinates existing obligations under the AI Act, NIS2, DORA, the Cyber Resilience Act, and the Cyber Solidarity Act rather than creating a separate compliance regime.
This article explains the plan’s objectives, implementation timeline, affected organizations, testing and open-source initiatives, legal connections, funding measures, business actions, and unresolved implementation details.
Organizations can use Bright Defense’s Security Assessments, Continuous Compliance, Penetration Testing, and vendor-risk reviews to address AI-related cybersecurity risks.
What Does The EU Cybersecurity And AI Action Plan Cover?
The EU Cybersecurity and AI Action Plan covers 3 objectives: promoting the safe and responsible use of advanced AI, reinforcing EU cybersecurity and resilience, and expanding European AI capabilities for cybersecurity. Access to advanced models is one action within the first objective rather than the objective itself.
| Action Plan Objective | Planned EU Actions |
| Safe and responsible use of advanced AI | Expand pre-release model evaluation, create access guidance and open a secure testing platform |
| EU cybersecurity and resilience | Apply current cybersecurity rules, accelerate vulnerability remediation and pilot the Critical Open Source Resilience Campaign |
| European AI capabilities for cybersecurity | Launch an EU Grand Challenge, support AI Factories, develop cyber skills and direct investment toward European AI providers |
The Commission said advanced AI can help organizations detect vulnerabilities, prevent attacks and protect critical infrastructure. The same capabilities can give malicious actors faster methods for vulnerability discovery, attack automation and large-scale cyber operations.
The second objective includes a named Critical Open Source Resilience Campaign. ENISA will work with the Commission, member states, open-source communities, EU bodies and industry on a first pilot in the fourth quarter of 2026. The campaign will connect open-source maintainers with organizations that can provide skilled personnel, AI tools or security services.
The plan relies on existing EU funding instruments rather than a dedicated action-plan budget line. The Commission identified €200 million in planned Horizon Europe and Digital Europe spending on advanced AI cybersecurity technologies before the end of the current Multiannual Financial Framework. Three Horizon Europe projects are scheduled to begin at the end of 2026.
The Commission further plans to permit EIC Fund investments in cyber and AI companies as part of €100 million for strategic defense technology startups and scaleups before the end of 2026. Other funding routes include the Internal Security Fund, the Scaleup Europe Fund and the proposed European Competitiveness Fund. The €100 million figure covers the wider strategic defense technology allocation and should not be described as a cyber-only fund.
Executive Vice-President for Tech Sovereignty, Security and Democracy Henna Virkkunen said the EU intended to concentrate its current legal framework, networks and technical capabilities on the cybersecurity risks created by emerging technology.

How Will The EU Evaluate Advanced AI Models Before Market Entry?
The Commission plans to support an EU evaluation capacity for advanced AI models during 2027. The capacity must cover cybersecurity and will conduct independent third-party testing of model capabilities and provider safeguards before or around deployment, including evaluations that can support AI Act compliance work.
The initiative will examine systemic risks associated with highly capable models. Cybersecurity concerns can include vulnerability discovery, offensive automation and model misuse. Other systemic-risk areas may fall within the evaluation program where advanced model capabilities could affect public safety or security.
The Commission plans to propose criteria for third-party evaluators under the General-Purpose AI Code of Practice. The evaluation capacity will provide an EU-based option for independent testing and supply early warning information when evaluators find significant capabilities or ineffective safeguards.
The capacity will not operate as an AI Act conformity-assessment body. Its evaluations can support providers’ risk-management and compliance evidence, while the European AI Office retains its regulatory authority.
The model-evaluation capacity is distinct from the secure testing platform. Evaluation will focus on model risks and mitigation measures. The testing platform will examine whether AI systems are operationally suitable for cybersecurity tasks.
What Will The ENISA Cybersecurity And AI Blueprint Provide?
The Commission and ENISA will complete a European Blueprint for structured access to advanced AI cybersecurity capabilities in the fourth quarter of 2026. ENISA and the Commission’s Joint Research Centre will develop a separate secure testing platform during the same quarter for controlled cybersecurity trials.
The Blueprint will give model providers guidance on granting European organizations safe and timely access to advanced cyber capabilities. It will address eligibility, security criteria, information sharing and access procedures for organizations such as EU bodies, national authorities, critical infrastructure operators, security providers and researchers.
The guidance will not impose new legal obligations on model providers. It will provide a European reference process for structured access and may support safeguards used under the General-Purpose AI Code of Practice.
The Blueprint will include contingency measures for situations in which a provider or foreign authority restricts or withdraws access to an advanced model. The Commission and member states may examine joint procurement or other available funding instruments when European organizations need timely access.
The secure testing platform will support organizations in critical sectors, including energy, transport, health, finance and public administration. These sectors are examples rather than a closed eligibility list.
Participants will use their own model-access keys under shared security and confidentiality rules. Each participant will cover its own costs, use its own testing tools and remain responsible for its methods. ENISA and the Joint Research Centre will control access and aggregate test outcomes.
The platform will use controlled environments and cyber ranges to test functions such as vulnerability scanning, triage, threat intelligence, remediation and incident response. It is scheduled for development in the fourth quarter of 2026, so the launch target is no longer an unresolved issue.
How Does The Critical Open Source Resilience Campaign Work?
The Critical Open Source Resilience Campaign will pilot an EU program for securing open-source components used in critical infrastructure. ENISA will accelerate the mapping of important components and use an initial list to select projects for the first campaign in the fourth quarter of 2026.
The campaign will use a voluntary sponsorship model. Member states, EU bodies, critical infrastructure operators, manufacturers and other organizations may contribute personnel, AI models, technical tools or other forms of support directly to open-source maintainers.
ENISA will create a catalogue of AI-powered services for patching and remediating open-source vulnerabilities. Eligible users may draw on trusted providers in the EU Cybersecurity Reserve for vulnerability scans of open-source dependencies used in critical infrastructure.
The first pilot will inform the EU Open Source Maintenance Instrument. The Commission said it could expand the campaign after the pilot when the initial model proves effective.
How Does The EU Action Plan Connect To Existing Cybersecurity Laws?
The action plan coordinates existing EU requirements rather than creating a separate compliance regime. Organizations remain responsible for determining which laws apply to their AI systems, digital products, operational networks and regulated sectors.
| EU Law | Connection To The Cybersecurity And AI Action Plan |
| AI Act | Regulates systemic risks, cybersecurity and evaluation requirements for covered AI systems and general-purpose AI models |
| NIS2 | Requires covered essential and important entities to manage cyber risk and report significant incidents |
| Cyber Resilience Act | Requires secure product development, lifecycle vulnerability management and regulatory reporting |
| DORA | Requires financial entities to manage ICT risk, test operational resilience and oversee technology providers |
| Cyber Solidarity Act | Supports cross-border threat detection, preparedness testing and emergency response resources |
The European Commission begins using its AI Act supervisory and enforcement powers for general-purpose AI models on August 2, 2026. Those powers include requesting model information, seeking access for evaluations, ordering risk-reduction measures and pursuing penalties where providers fail to meet applicable systemic-risk duties.
NIS2’s cybersecurity risk-management rules reach essential and important entities across 18 critical sectors and require documented incident reporting and control testing.
Member states were required to transpose the directive by October 17, 2024. The Commission referred Ireland, Spain, France and the Netherlands to the Court of Justice on July 8, 2026, over incomplete transposition and requested financial sanctions.
Manufacturers of software and connected products face the Cyber Resilience Act’s 2026 reporting duties, which require notice of actively exploited vulnerabilities and severe product-security incidents from September 11, 2026.
Most of the regulation applies from December 11, 2027. AI-supported vulnerability discovery may increase the number and speed of reports that manufacturers must assess.
DORA has applied to covered financial entities since January 17, 2025. The action plan’s testing work includes finance among the example sectors, placing AI security testing within an industry that already has binding ICT risk, resilience and third-party oversight duties.
How Did The EU Reach The July 7, 2026, Action Plan?
The action plan follows several years of EU laws addressing AI governance, critical-sector security, digital-product security and coordinated incident response. It adds AI-specific actions and delivery dates to that existing structure.
- December 14, 2022: The EU adopted NIS2.
- August 1, 2024: The AI Act entered into force.
- October 17, 2024: The NIS2 national-transposition deadline passed.
- January 17, 2025: DORA became applicable.
- February 4, 2025: The Cyber Solidarity Act entered into force.
- July 7, 2026: The Commission published the Cybersecurity and AI Action Plan, COM(2026) 577 final, and press release IP/26/1544.
- July 8, 2026: The Commission referred 4 member states to the Court of Justice over incomplete NIS2 transposition.
- Third Quarter 2026: ENISA guidance on AI-powered threats and work on vulnerability-management practices are scheduled to begin.
- August 2, 2026: The Commission begins exercising its AI Act enforcement powers for covered general-purpose AI providers.
- September 11, 2026: Cyber Resilience Act vulnerability and severe-incident reporting duties begin.
- Fourth Quarter 2026: The Commission targets completion or launch of the access Blueprint, secure testing platform, open-source campaign pilot, AI remediation Grand Challenge and cyber-AI training modules.
- 2027: The EU model-evaluation capacity is scheduled for establishment.
Which Organizations Are Affected By The EU Cybersecurity And AI Action Plan?
The action plan is most relevant to advanced-model providers, critical infrastructure operators, public authorities, cybersecurity vendors, researchers, open-source maintainers and organizations that plan to use AI for defensive security. The plan calls for cooperation among EU institutions, member states, industry, research groups, open-source communities and international partners.
The plan does not place every organization under a new set of legal duties. Legal exposure continues to depend on the organization’s role under existing laws.
A general-purpose AI provider may face AI Act obligations. A hospital, energy company or managed service provider may fall within NIS2. A financial entity may fall within DORA. A software or hardware manufacturer may face Cyber Resilience Act requirements. One organization may fall within several regimes.
Critical-sector organizations may receive access to the secure testing platform. Open-source maintainers and sponsors may participate in the Critical Open Source Resilience Campaign. Detailed participant-selection procedures have not yet been published.
What Should Companies Do After The EU Cybersecurity And AI Action Plan?
Companies should incorporate AI-specific threats into current cybersecurity and compliance programs. Current legal duties remain the starting point while the Commission, ENISA and the Joint Research Centre develop the new evaluation, access and testing initiatives.
- Create An AI System Inventory. Record models, external APIs, security tools, agents, data sources, integrations and accountable owners.
- Map Applicable EU Laws. Determine whether each system falls under the AI Act, NIS2, DORA, the Cyber Resilience Act or sector rules.
- Assess AI Security Risks. Examine prompt injection, model extraction, data leakage, poisoned inputs, insecure tool access and unauthorized autonomous activity.
- Review AI Suppliers. Obtain evidence concerning model testing, security controls, incident notices, data use, subcontractors and material model changes.
- Control Advanced Model Access. Apply role-based permissions, approval procedures, logging and restrictions for exploit-related or vulnerability-research functions.
- Test AI Integrations. Examine applications, APIs, plugins, cloud environments and data stores connected to AI services.
- Review Open Source Dependencies. Map critical components, monitor vulnerability disclosures and prepare for faster AI-supported discovery and remediation cycles.
- Update Incident Procedures. Define when AI-related events trigger notifications under NIS2, DORA, the Cyber Resilience Act or the AI Act.
- Retain Compliance Evidence. Keep risk assessments, test results, access records, vendor reviews, approvals, remediation records and incident decisions.
- Monitor Fourth Quarter Programs. Track eligibility information for the secure testing platform, access Blueprint and Critical Open Source Resilience Campaign.
What Remains Unclear About The EU Cybersecurity And AI Action Plan?
The plan sets target dates for its principal near-term actions, including a fourth-quarter 2026 target for the secure testing platform and the first Critical Open Source Resilience Campaign pilot. Unresolved matters now concern implementation design rather than the absence of delivery dates.
The plan relies on current funding instruments rather than a dedicated budget line. It identifies funding amounts and programs, but it does not allocate a separate amount to every action, platform or participating organization. Future calls will determine how available funding is divided among evaluations, testing, remediation, skills and commercial development.
The Commission has not yet published full details covering:
- Secure testing platform eligibility
- Participant-selection procedures
- Testing capacity and sector sequencing
- Model-evaluation methodologies
- Confidentiality and liability terms
- Vulnerability-disclosure procedures
- Sponsorship selection under the open-source campaign
- Individual funding allocations for each action
The Commission communication states that platform participants will use their own access keys, tools and funds while retaining responsibility for their testing methods. Formal operating rules will need to clarify how those responsibilities work where testing exposes a serious vulnerability or affects several organizations.
How Bright Defense Helps Organizations Address EU AI Cybersecurity Requirements
Bright Defense helps organizations examine AI-related security and compliance risks through Security Assessments, Continuous Compliance, Penetration Testing, vendor reviews and incident-response preparation.
Security Assessments can document AI systems, data flows, access paths, suppliers and applicable controls. Penetration Testing can examine applications, APIs and cloud infrastructure connected to AI services. Continuous Compliance can track control failures, evidence gaps and remediation work between formal assessments.
Bright Defense’s compliance services include scoping, risk assessments, control design, evidence review, remediation planning, security awareness training, penetration testing, vCISO support and audit preparation.
These services do not replace legal advice, ENISA guidance or participation in an authorized EU testing program. Qualified EU counsel should determine an organization’s formal duties under EU and national law.
Sources Cited In This EU Cybersecurity And AI Action Plan Report
- European Commission, COM(2026) 577 final, “Action Plan on Cybersecurity and Artificial Intelligence,” July 7, 2026.
- European Commission, press release IP/26/1544, “Commission Presents EU Action Plan on Cybersecurity and Artificial Intelligence,” July 7, 2026.
- European Commission, “Factsheet: Action Plan on Cybersecurity and Artificial Intelligence,” July 7, 2026.
- European Commission, “EU Action Plan on Cybersecurity and Artificial Intelligence,” July 7, 2026.
- European Union, Directive (EU) 2022/2555, NIS2 Directive.
- European Union, Regulation (EU) 2024/1689, Artificial Intelligence Act.
- European Union, Regulation (EU) 2024/2847, Cyber Resilience Act.
- European Union, Regulation (EU) 2022/2554, Digital Operational Resilience Act.
- European Commission, “EU Cyber Solidarity Act.”
- European Commission, “Commission Refers Ireland, Spain, France and the Netherlands to the Court of Justice for Failing to Transpose the Rules on Cybersecurity,” July 8, 2026.
Get In Touch



