🔴 ⚖️ Regulation Published: · 5 min read ·

EU Action Plan on Cybersecurity and AI: Commission Coordinates Defense Without New Laws

Editorial illustration: European Commission action plan on cybersecurity and AI

The European Commission today presented a joint Action Plan on Cybersecurity and Artificial Intelligence that builds on the existing EU legal framework, coordinates member states and industry, and addresses AI simultaneously as an attack vector and a defensive tool.

🤖

This article was generated using artificial intelligence from primary sources.

The European Commission today, July 7, 2026, published the Action Plan on Cybersecurity and Artificial Intelligence — a document that for the first time addresses the dual role of AI in digital security under a single strategic umbrella: as an attack vector and as a defensive tool. Alongside the full text of the Action Plan, an accompanying Factsheet summarizing the key measures was also published.

The Dual Challenge: AI as a Weapon and as a Defensive Tool

The central premise of the Action Plan is that the same advanced AI models capable of strengthening cyber defense simultaneously alter the nature of the threats that defense must counter.

Specifically, the Plan addresses three ways in which AI can be weaponized as an offensive tool:

Automated vulnerability discovery — AI can scan software systems and network infrastructure far faster than manual methods, identifying exploitable weaknesses at a scale that was not feasible without automation.

Attack scaling — with AI assistance, attackers can simultaneously target a far greater number of victims with the same resources, shifting the economics of cybercrime in favor of attackers.

Accelerated incident response on the attacker’s side — the window between the discovery of a vulnerability and its exploitation is shrinking, leaving defensive teams less time to react.

On the other side, AI also opens up significant defensive opportunities: automatic network anomaly detection, predictive identification of vulnerabilities before exploitation, and faster orchestration of incident response. The Action Plan aims to harness the defensive potential while simultaneously limiting the offensive one.

Why Is This Plan Needed Right Now?

Executive Vice-President of the European Commission Henna Virkkunen, responsible for Tech Sovereignty, Security and Democracy, directly underscored the urgency: “AI is changing what cybersecurity means. And we need to keep pace.”

Virkkunen has, in her brief tenure, launched several initiatives aimed at reducing the EU’s technological dependence on non-European suppliers. Her direct involvement in this plan signals that the Commission does not treat AI cybersecurity as merely a regulatory matter but also as a strategic priority for Europe’s digital sovereignty.

Context matters: in 2025 and 2026, a series of cyberattacks on European critical infrastructure were recorded in which attackers used AI tools to accelerate the reconnaissance phase and develop tailored exploits. The Plan is therefore not a response to theoretical scenarios but to concrete threats that have already materialized.

The key strategic choice the Plan makes is that the Commission does not introduce new legislative mechanisms but rather builds on the EU regulation it has developed over the past several years:

AI Act — regulates high-risk AI systems, including those deployed in critical infrastructure; the Plan clarifies the application of existing requirements to cybersecurity scenarios.

NIS2 Directive — extends cybersecurity obligations to a broader range of operators of essential and important services; the Plan coordinates implementation with AI-specific threats in mind.

Cyber Solidarity Act — strengthens detection capabilities and coordinated responses to cyberattacks at the EU level; the Plan uses it as the operational foundation for rapid responses to AI-driven incidents.

This approach is a deliberate choice: new legislation requires years of legislative procedure and national transposition, while the urgency of AI cyber threats demands faster action within already established mechanisms.

Three Pillars of Coordination: States, Industry, and EU Agencies

The Plan identifies three groups of stakeholders whose coordination must be achieved under a unified strategic framework:

Member states — all 27 EU countries are developing their own cybersecurity capacities, but the maturity level and resources vary greatly. The Plan provides mechanisms for structured sharing of intelligence on AI-related threats and verified defensive practices between national authorities.

Industry — technology companies, especially AI model developers and critical infrastructure operators, are key partners because they have the fastest visibility into new AI attack techniques and the most direct stake in defensive solutions.

EU agencies — ENISA (the EU Agency for Cybersecurity) plays a central role in threat analysis and response coordination; the Plan provides for an enhanced operational role for ENISA on AI-specific cyber risks.

Documents and Next Steps

Together with the press release on July 7, the Commission published two documents: the full text of the Action Plan and a Factsheet summarizing the measures for a broader audience. Both are available at digital-strategy.ec.europa.eu.

Unlike directives and regulations that go through a complex legislative process, the Action Plan is a policy instrument that the Commission can implement directly — through fund distribution, coordination mechanisms, and operational guidance to EU agencies. This makes it an instrument with a short lead time from adoption to application.

With this plan, the EU has taken a step that many governments worldwide are still deliberating: explicitly placing AI and cybersecurity under the same strategic umbrella, with a clear acknowledgment that in the AI era threat and defense are inextricably intertwined, and that neither can be addressed without simultaneously engaging with the other.

Frequently Asked Questions

What legal framework does the EU Action Plan on Cybersecurity and AI rely on?
The Plan builds on existing EU regulation covering both AI and cybersecurity — including the AI Act, the NIS2 Directive, and the Cyber Solidarity Act — rather than introducing new legislative mechanisms.
Who coordinates the implementation of the Action Plan?
The Plan coordinates all **27** EU member states together with industry and EU agencies such as ENISA under a unified strategic framework led by the European Commission.
Why is AI simultaneously a threat and a defensive tool according to this plan?
The same AI models that assist defense — through automatic anomaly detection and faster incident response — can also be used to automate attacks, locate vulnerabilities, and scale threats. The Plan addresses both sides within a single strategic document.