Summary
- The European Commission has set out an AI and cybersecurity action plan covering safe deployment, resilience, and sovereign capability.
- Critical sectors including energy, transport, health, finance, and public administration are expected to test and deploy AI cyber tools more safely.
- The plan connects AI policy with Europe’s wider infrastructure, sovereignty, and cyber resilience agenda.
The European Commission has turned the collision between artificial intelligence and cybersecurity into a formal policy programme, setting out an action plan designed to help Europe use advanced AI for defence while reducing the risk that the same systems accelerate attacks.
Published through the Commission’s digital strategy directorate, the plan has three main objectives: supporting the safe and responsible use of advanced AI, reinforcing Europe’s cybersecurity and resilience, and scaling up European AI capabilities for cybersecurity. Although it sits within the familiar machinery of Brussels policy, the practical focus is sharper than another abstract AI governance note because it treats AI as both an operational security tool and a source of systemic exposure for critical services.
The Commission will work with the European Union Agency for Cybersecurity, ENISA, on a European blueprint for secure access to advanced AI systems for cybersecurity purposes. It also plans a secure testing platform to help organisations in critical sectors, including energy, transport, health, finance, and public administration, test and deploy AI systems safely.
Cyber teams are already under pressure from vulnerability volumes, fragmented telemetry, supply chain dependencies, and talent shortages, while AI promises faster detection, triage, and remediation. However, the same tools also raise difficult questions about explainability, authorisation, operational control, and recovery when defensive systems begin to act rather than merely advise.
The action plan also links AI cyber defence with existing and incoming European rules, including the AI Act, the NIS2 Directive, the Cyber Resilience Act, the Digital Operational Resilience Act, and the Cyber Solidarity Act. Instead of standing alone, the document becomes a bridge between regulatory regimes that businesses and public authorities are already trying to translate into workable controls.
Although compliance mapping will absorb attention, the harder work sits inside technical capability. A bank, hospital, energy operator, transport authority, or government department cannot defend itself with policy language alone. It needs secure data access, reliable tooling, skilled teams, governed automation, and tested response procedures that still work when services are under pressure.
The Commission says AI can help detect vulnerabilities, prevent attacks, and strengthen critical infrastructure protection. At the same time, malicious actors can use AI to automate attacks, identify weaknesses, and carry out cyber operations at greater speed and scale. That dual use character is now central to enterprise and public sector cyber planning, particularly as agentic systems become capable of chaining together reconnaissance, exploitation support, social engineering, and post compromise activity.
Europe’s policy choice is not only about managing model risk. The Commission is also trying to ensure that European organisations can access powerful AI capabilities without deepening dependency on non-European infrastructure and vendors for the most sensitive parts of their security operations. Its proposed EU Grand Challenge on AI for cybersecurity points towards a more active industrial policy role, drawing companies, researchers, and open source communities into the development of AI powered security tools.
Any attempt to build sovereign cyber capability around AI will run into the same constraints visible across Europe’s wider digital strategy. Compute capacity, trusted datasets, skilled specialists, procurement speed, and cross border coordination remain uneven, while critical infrastructure often runs on legacy systems and operational technology that cannot be treated like ordinary cloud software.
The plan is best read as an early attempt to make AI cyber defence governable before adoption runs too far ahead of assurance. It gives Europe a policy structure, but the real test will sit inside security operations centres, procurement teams, regulated industries, and public bodies asked to turn frontier AI into controlled, explainable, and recoverable defensive capability.










