The European Union has launched a comprehensive action plan to address the changing intersection of cybersecurity and artificial intelligence (AI). Released on Tuesday, the strategy acknowledges that recent developments in AI represent a shift in cybersecurity, in which capabilities enable “faster and more scalable cyber operations.”
While the EU warns these tools can be exploited by malicious actors, it maintains they are “crucial in addressing emerging threats more effectively.” In a LinkedIn post, legal expert Ian Gauci, Managing Partner at GTG Legal, said that the proposed Cloud and AI Development Act (CADA) serves as the “spine of this action plan,” providing the “sovereign compute” necessary to run these systems.
EU seeks independence from foreign AI providers through strategic blueprints
A primary objective of the initiative is to “understand
advanced AI and related risks before market release.” To achieve this, the EU intends to gain specific “know-how in using advanced AI models for cybersecurity.”
The plan outlines a “Blueprint” to be developed with the European Union Agency for Cybersecurity (ENISA) to determine who in the region gets structured access to advanced AI cyber capabilities.
Gauci highlights that the Commission is “openly preparing” for a scenario in which foreign providers might suddenly withdraw that access. Looking further ahead to 2027, the EU will nurture homegrown expertise by launching a call to establish a dedicated evaluation capacity for AI models.
Comprehensive enforcement via the AI Act ecosystem
The plan strengthens the enforcement of the AI Act without introducing new obligations. It establishes a third-party evaluator ecosystem designed to make work regarding systemic risk on cyber misuse more concrete. By the fourth quarter of 2026, the Commission intends to develop secure testing environments specifically for cybersecurity AI models.
This framework allows the EU to understand advanced AI and related risks through rigorous testing before any market release. This involves deep cooperation between EU organisations, Member States, businesses, open-source communities, and international partners to ensure a robust safety standard.
Shift in expectations for the financial sector
For financial services, the strategy changes regulatory expectations rather than the rules themselves. Gauci notes that regulators will now “assume attackers use AI,” meaning “attacks come faster, at scale, and exploit vulnerabilities within days, not months.”
In
the plan, the EU says it aims to “accelerate vulnerability management and patching to match AI-speed.” Starting in the third quarter of 2026, ENISA will issue guidance, best practices and advisories to protect against AI-enabled threats. Also, a “Critical Open Source Resilience Campaign” will pilot joint efforts to accelerate patching of the most critical software in late 2026.
Scaling industrial power and the digital workforce
The final phase focuses on stimulating the European market for AI-enabled
cyber solutions and building frontier AI capabilities. A central feature is the “EU Grand Challenge,” intended to help scale European AI-powered cybersecurity solutions across the continent. To support the human element, the “Cybersecurity Skills Academy” will begin developing training for professionals in late 2026 to ensure the workforce can effectively use AI across all sectors.
Furthermore, the EU will facilitate access to AI Factories as they become operational, enabling organisations to test, train, and deploy advanced AI models to enhance cyber resilience.