EU Unveils Cybersecurity & AI Action Plan Amid Foreign Dependency Concerns
The European Commission has launched a new action plan for cybersecurity and artificial intelligence, outlining nine key measures aimed at bolstering EU's strategic autonomy in frontier AI. The initiative addresses growing concerns over the bloc's reliance on non-European powers for access to advanced AI models and seeks to fortify its cyber ecosystem.
# EU Unveils Cybersecurity & AI Action Plan Amid Foreign Dependency Concerns
The **European Commission** has published an action plan on cybersecurity and artificial intelligence, committing to nine measures focused on model evaluation, access to frontier systems, and vulnerability management. This move comes amidst anxieties that the EU's access to cutting-edge AI models is entirely dependent on foreign powers.
Adopted in Strasbourg, the communication revolves around three core pillars: making frontier AI "safe, accessible and deployable" for European cybersecurity, preparing the EUβs cyber ecosystem, and scaling European AI capabilities.
**Henna Virkkunen**, the Commissionβs executive for technology, clarified that the plan would not introduce new legislation. Instead, the emphasis will be on enforcing existing rules. This means the action plan itself carries no legal force, highlighting the urgent need for member states to adopt and implement existing European laws, particularly **NIS2** and the **Cyber Resilience Act**.
## A Blueprint for AI Access
The most significant measure is a "European Blueprint for structured access to advanced AI capabilities for cybersecurity purposes." This document, to be drafted by the Commission and the **EU Agency for Cybersecurity (ENISA)** by year-end, aims to set clear criteria for granting access to these models for EU institutions, member state authorities, critical infrastructure operators, security vendors, and researchers.
The action plan acknowledges that access to frontier models is increasingly dictated by "provider-specific and often non-European decisions." It notes that while restrictions might be justified on safety grounds, they "often lack transparency regarding the criteria applied." This follows instances like the **United States** introducing and later withdrawing export restrictions on **Anthropic's Mythos** and **Fable** models, and **OpenAI's GPT-5.6**, which temporarily barred access to foreign nationals, including EU customers.
The Blueprint will also include "contingency measures in case of restricted or withdrawn access," outlining actions at the EU level should a provider or third-country authority cut off a model. The Commission will also explore joint procurement to collectively secure access.
## Europe's AI Dependency
Currently, no frontier AI laboratory is headquartered in the EU. Commission figures show that EU providers' share of the European cloud market has dwindled to approximately 15%, down from 29% in 2017, with three non-EU hyperscalers now commanding over 70% of the market. The plan concedes that frontier capabilities are predominantly developed outside the EU, with their availability often determined by non-transparent, foreign-led processes.
Without significant domestic capabilities, the EU plans to leverage its substantial market size of around 450 million customers and its regulatory power to advance its interests.
From August 2, the Commission will begin exercising enforcement powers under the **AI Act**, the world's first binding legal framework of its kind. This framework will apply to general-purpose models deemed to pose systemic risk, with potential fines reaching up to 3% of global annual turnover and the power to demand a model's withdrawal from the EU market.
While the **United Kingdom**, now outside the EU, lacks comparable regulation, its **AI Security Institute (AISI)** has become a benchmark for state-led evaluation of frontier systems. The EUβs plan cites AISI research indicating that the length of cybersecurity tasks advanced models can complete unaided has been doubling rapidly. The Commissionβs **AI Office** will participate in an evaluation network coordinated by AISI.
Brussels also intends to support the creation of an EU capacity to evaluate AI models, explicitly stating this "must include cybersecurity," by 2027, acknowledging that most third-party evaluators are currently based outside the Union.
## Bridging the Investment Gap
The plan highlights that building frontier AI capabilities within the EU will necessitate hundreds of billions of euros in investment, which public finances can only partially cover. It points to existing pledges of β¬200 million under the **Horizon Europe** and **Digital Europe** programs, and β¬100 million through the **European Innovation Council Fund** for strategic defense tech. In stark contrast, a single American technology company like **Meta** is projected to spend around $125 billion on capital expenditure this year alone.
The plan suggests a European equity vehicle, floated in Juneβs **Tech Sovereignty Package**, to attract private capital. Without robust compute, models, and data infrastructure, the document warns that Europe risks remaining "a vulnerable user of frontier AI systems made elsewhere that others can suddenly switch off."
