The European Commission has set out an EU Action Plan on cybersecurity and artificial intelligence, warning that advanced AI models can be misused to find vulnerabilities, automate attacks and increase the scale and speed of cyber incidents.
The plan proposes a “structured response” bringing together EU member states, industry and EU bodies to address risks linked to advanced AI while supporting its use in cybersecurity, the Commission announced in a release on Tuesday.
Under the EU’s AI Act, advanced AI models must be evaluated and mitigation measures assessed before they are placed on the EU market.
A dedicated call will be launched to establish an EU capacity to evaluate advanced AI models for cybersecurity, which is expected to be operational in 2027, the Commission said.
It added that this would support the work of the EU’s AI Office by strengthening third-party assessments of AI capabilities and risks.
The Commission will also work with the EU Agency for Cybersecurity, known as ENISA, to define a “European blueprint” setting conditions for structured access to advanced AI capabilities for cybersecurity by relevant public and private organisations.
Testing and fixing vulnerabilities
ENISA and the Commission’s Joint Research Centre will create a secure platform to test AI for cybersecurity, including in simulated environments, according to the Commission.
It said the platform would share know-how on the safe use of AI with operators in sectors including finance, energy, health, transport and public administration.
Organisations in the EU should intensify “cyber hygiene” practices, risk management and “security by design” principles to protect critical infrastructure from vulnerabilities linked to the potential misuse of advanced AI, the Commission said.
It added that organisations should start using already available AI capabilities, including open-source models, to identify and fix vulnerabilities faster and to prevent and respond to cyberattacks.
ENISA will support partnerships between public authorities, businesses and open-source communities, including guidance and a campaign to secure critical open-source software, the Commission said.
To encourage new tools, the Commission said it will launch an “EU Grand Challenge on AI for cybersecurity”, described as a competition bringing together companies, researchers and organisations to develop AI solutions for cyber defence.
Rules under the AI Act and the EU’s General-Purpose AI Code of Practice will start to be enforced on 2 August 2026, while the Cyber Resilience Act — requiring security by design for hardware and software products — will apply by the end of 2027, the Commission said.
“AI is transforming the meaning of cybersecurity. And we must keep pace,” said Henna Virkkunen, the Commission Executive Vice-President for Tech Sovereignty, Security and Democracy.

