EU unveils cyber plan to reduce reliance on foreign AI systems
The European Commission published on Tuesday an action plan on cybersecurity and artificial intelligence, committing to nine measures on model evaluation, access to frontier systems and vulnerability management, amid the concern that its access to frontier models depends entirely on foreign powers.
The communication, adopted in Strasbourg on July 7, is built around three pillars: making frontier AI “safe, accessible and deployable” for European cybersecurity, preparing the EU’s cyber ecosystem and scaling European AI capabilities.
Henna Virkkunen, the Commission’s executive for technology, told reporters the plan would not be accompanied by any new legislation, with the focus instead being on enforcing existing rules.
The lack of legislation will mean the action plan carries no legal force, with the document highlighting how existing European laws — particularly NIS2 and the Cyber Resilience Act — must be adopted and implemented by member states “as a matter of urgency.”
Its most significant measure is a “European Blueprint for structured access to advanced AI capabilities for cybersecurity purposes,” which the document says will be drafted by the Commission and the EU Agency for Cybersecurity (ENISA) by the end of this year.
The action plan notes that access to frontier models is increasingly governed by “provider-specific and often non-European decisions,” and that gating that access, while potentially justified on safety grounds, “often lacks transparency regarding the criteria applied.”
It follows the United States introducing export restrictions on Anthropic’s Mythos and Fable models and, later, other restrictions on OpenAI’s GPT-5.6, which were imposed and then withdrawn earlier this year.
During the restriction, access was barred to foreign nationals, including EU customers. The Blueprint intends to set criteria for granting access to these models for EU institutions, member state authorities, critical infrastructure operators, security vendors and researchers.
It will also include “contingency measures in case of restricted or withdrawn access,” which will be actions to be taken at EU level should a provider or third-country authority cut off a model, as the United States did. The Commission separately says it will explore joint procurement to obtain access collectively.
…then Europe is the less
No frontier AI laboratory is headquartered in the EU. The Commission's own figures put EU providers’ share of the European cloud market at around 15%, down from roughly 29% in 2017, with three non-EU hyperscalers now holding more than 70% of market share.
The plan concedes that frontier capabilities similarly “are mainly developed outside of the EU, and their availability is often determined by non-transparent, foreign-led processes.”
Without a significant domestic capability, the EU is set to turn to its market size of around 450 million customers, and regulation, as a way of pursuing its interests.
From August 2, the Commission will begin exercising enforcement powers under the AI Act — the first binding legal framework of its kind — over general-purpose models judged to pose systemic risk, including fines of up to 3% of global annual turnover and the power to require a provider to withdraw a model from the EU market.
The United Kingdom, which has been outside the EU since 2020, has no comparable regulation, but its AI Security Institute (AISI) has become a reference point for state evaluation of frontier systems.
The EU’s plan cites AISI research indicating that the length of cybersecurity tasks advanced models can complete unaided has been doubling over months rather than years, and commits the Commission’s AI Office to participate in an evaluation network that AISI coordinates.
Brussels, meanwhile, says it will support the creation of an EU capacity to evaluate AI models, which “must include cybersecurity,” in 2027 while noting that most third-party evaluators currently sit outside the Union.
The plan states that building frontier capability within the European Union “will entail hundreds of billions of euro investment needs which can only be partly covered by public finances.”
It cites investment pledges of €200 million ($228.1 million) under the Horizon Europe and Digital Europe programs, and €100 million ( $114.1 million) through the European Innovation Council Fund for strategic defence tech, as examples. In comparison, a single American technology company, Meta, is expected to spend around $125 billion on capital expenditure this year.
The plan points instead to a European equity vehicle floated in June’s Tech Sovereignty Package, intended to draw in private capital. Without compute, models and data infrastructure, it says, Europe “is bound to remain a vulnerable user of frontier AI systems made elsewhere that others can suddenly switch off.”
Alexander Martin
is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow at the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal on: AlexanderMartin.79



