The European Commission on Tuesday unveiled an Action Plan on Cybersecurity and Artificial Intelligence that promises pre-market evaluation of advanced AI models, a shared testing platform for critical infrastructure operators, and a Grand Challenge to fund European AI-for-cyber solutions — the bloc's first structured attempt to treat frontier models as dual-use cyber assets.
What the Plan Actually Does
Under the plan, the Commission will build an EU evaluation capacity that strengthens third-party assessment of AI capabilities and risks, backstopping the AI Office's regulatory role under the AI Act. It will also work with the EU Agency for Cybersecurity (ENISA) to write a European blueprint for structured access to advanced AI systems for cybersecurity teams in energy, transport, health, finance and public administration.
ENISA and the Commission's Joint Research Centre will jointly stand up a secure testbed — including simulated environments — so operators of essential services can trial AI defenses before deploying them on live networks. The Commission will also launch an EU Grand Challenge on AI for cybersecurity, aimed at pulling companies, researchers and public bodies into shared innovation projects.

Framing: AI as Both Weapon and Shield
"AI is transforming the meaning of cybersecurity. And we must keep pace," Executive Vice-President for Tech Sovereignty, Security and Democracy Henna Virkkunen said. The plan explicitly recognizes that advanced models can be misused to identify vulnerabilities, automate attacks and multiply the speed and scale of incidents — while also being the most promising defensive tool available to European critical-infrastructure operators.
Sovereignty and Scale
The plan explicitly ties EU cybersecurity ambitions to continued investment in sovereign AI via the AI Factories and future Gigafactories network, plus the European Tech equity capacity announced in the Tech Sovereignty Package. It layers on top of the AI Act, the Cyber Resilience Act, the NIS2 Directive and the Cyber Solidarity Act. Related themes appear in Ukraine's parallel move to on-premise AI and the broader wave of recent critical CVE activity that CISA and European agencies are tracking together.
What Comes Next
The Commission did not attach a firm budget line to the plan but pointed to existing funding streams — Horizon Europe, the Digital Europe Programme and the European Cybersecurity Competence Centre — as the immediate sources of Grand Challenge and testbed money. ENISA is expected to publish operational guidance within months, with a stated goal of a running secure testing platform before the end of 2026.
Reporting based on coverage from the European Commission press corner and Shaping Europe's Digital Future.
