The European Commission on Tuesday presented its Action Plan on Cybersecurity and Artificial Intelligence to the European Parliament, and pointedly declined to attach any new legal obligations to it. Tech chief Henna Virkkunen framed the plan as an implementation exercise, resting on the AI Act’s general-purpose model provisions taking effect August 2, 2026 and the Cyber Resilience Act applying by end-2027.
The plan sets three objectives: promoting safe and responsible use of advanced AI, strengthening EU cybersecurity with AI, and securing the bloc’s AI ecosystem. Underneath that vocabulary sits a more revealing project. The Commission will launch a dedicated call to stand up an EU evaluation capacity for frontier models, meant to be operational in 2027 and to feed the AI Office rather than outsource judgment to third-party evaluators. ENISA and the Joint Research Centre will build a secure platform to test AI for cybersecurity in simulated environments. ENISA and the Commission will also draft a European blueprint for structured access to advanced AI systems, non-binding by design.
The subtext is dependency. Euronews reports that European authorities and ENISA already secured restricted access to Anthropic’s Mythos model through Project Glasswing, after direct lobbying by Brussels. U.S. security agencies said last month that Mythos identified exploitable vulnerabilities in sensitive government systems within hours, prompting export controls from the U.S. Department of Commerce that were subsequently lifted.
That’s the frame the plan is quietly built around. Europe is negotiating structured access to American capabilities it can’t yet reproduce, while the AI Office assembles the domestic evaluation muscle to eventually assess them on its own terms. It’s the familiar Brussels choreography: no new statute, existing instruments repurposed as scaffolding, and a two-year runway to build the institutional capacity the legislation already assumes exists.
Sources
- https://commission.europa.eu/news-and-media/news/new-eu-plan-address-risks-and-opportunities-advanced-ai-cybersecurity-2026-07-07_en
- https://digital-strategy.ec.europa.eu/en/library/eu-action-plan-cybersecurity-and-artificial-intelligence
- https://www.euronews.com/my-europe/2026/07/07/brussels-pitches-ai-cybersecurity-plan-amid-dependence-on-us-models
- https://www.govinfosecurity.com/eu-pushes-for-domestic-ai-momentum-a-32171
- https://www.mlex.com/mlex/artificial-intelligence/articles/2498071/eu-cybersecurity-ai-action-plan-focuses-on-implementation-not-new-legislation