The Commission says advanced AI could help attackers find weaknesses and automate cyberattacks, forcing Europe to rethink how it tests and defends critical systems.
The European Commission released a new Action Plan on Cybersecurity and Artificial Intelligence, warning that advanced AI could make cyberattacks faster, larger, and easier to automate.
The plan treats advanced AI as both a cybersecurity tool and a cybersecurity risk. The Commission said AI can help detect vulnerabilities, prevent attacks and protect critical infrastructure. But it also warned that malicious actors can use the same technology to find weaknesses, automate attacks and carry out cyber operations at greater speed and scale.
“AI is transforming the meaning of cybersecurity. And we must keep pace,” said Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy. She said the goal is to turn advanced AI into a tool for stronger cyber defense while limiting its use by attackers.
What the plan does
The plan lays out several steps for managing advanced AI in cybersecurity.
First, the Commission said it will create a process for independent experts to test advanced AI models before they enter the EU market, giving the AI Office outside assessments of what those models can do and what risks they may create.
Second, the Commission said it will work with the European Union Agency for Cybersecurity (ENISA), the EU’s cybersecurity agency, to set rules for giving trusted public agencies, researchers and companies controlled access to advanced AI systems for cybersecurity testing and defense.
Third, ENISA and the Commission’s Joint Research Centre will create a secure testing platform for AI cybersecurity tools. The platform will use simulated environments so organizations can test AI systems safely before using them in sensitive settings.
The Commission said the testing effort will focus on critical sectors, including energy, transport, health, finance, and public administration.
Critical infrastructure
The plan also tells organizations not to treat AI as a substitute for basic cybersecurity. The Commission said companies and public agencies should first strengthen core defenses, including risk management, secure system design, and incident response.
Once those basics are in place, the Commission said organizations should use available AI tools, including open-source models where appropriate, to identify software weaknesses more quickly and improve cyber defense.
The European Union Agency for Cybersecurity (ENISA) will support that work with guidance and best practices. The Commission also said ENISA will work to secure critical open-source software, though it did not provide details on what that will entail.
Europe’s AI cyber capacity
The Commission said it will launch an EU Grand Challenge on AI for cybersecurity, a competition-style program meant to bring companies, researchers and other organizations together to build AI-powered cyber defense tools.
The plan also says Europe will need more computing power, AI infrastructure and investment to build those tools, instead of relying entirely on technology developed elsewhere.
The plan builds on existing EU rules, including the AI Act.

