As advanced artificial intelligence models redefine the technological landscape, the dual-use nature of these systems presents both unprecedented opportunities and critical risks. Advanced AI can now identify software vulnerabilities and craft weaponised cyber exploits in mere minutes, achieving for a fraction of the cost what once required highly paid human specialists and substantial resources.
To address these shifting dynamics, the European Commission has presented its new Action Plan on Cybersecurity and Artificial Intelligence. Delivering on remarks by Executive Vice-President Henna Virkkunen, the plan coordinates Member States, industry and EU-level organisations to secure the digital landscape and build sovereign, resilient AI capabilities.
The initiative moves the EU from establishing robust legal foundations—including the AI Act, NIS2, the Cyber Resilience Act (CRA) and the Digital Operational Resilience Act (DORA)—to direct operational action.
Core Pillars of the Action Plan
| Core Pillars of the Action Plan | Key Initiatives |
|---|---|
| 1. MODEL SAFETY & ACCESS | • Pre-market evaluations (AI Act) • EU testing platform by end of 2026 • European access blueprint (ENISA) |
| 2. REINFORCED DEFENCE | • Rapid vulnerability patching • NIS2 & DORA implementation • Critical Open Source Campaign |
| 3. SOVEREIGN CAPABILITIES | • Mobilising private equity • AI Factories & Gigafactories • EU Grand Challenge on Cyber-AI |
Looking Ahead
The next eighteen months will serve as the critical launchpad for this strategy.
By August 2026, the AI Act's rules on General-Purpose AI (GPAI) will be actively enforced. By the end of 2026, the secure testing platform will go live, giving critical infrastructure operators their first hands-on environment to benchmark AI safety. Looking further out, 2027 will mark both the full operational launch of the EU's independent AI evaluation capacity and the final compliance deadline for the Cyber Resilience Act.
Impact on ERTICO Partners
The intersection of AI and cybersecurity is highly relevant across the ERTICO partnership network:
- Automotive and Mobility OEMs: With vehicles increasingly becoming software-defined, the Cyber Resilience Act and NIS2 place strict security-by-design obligations on manufacturers. The upcoming guidelines, testing platforms and open-source campaigns will provide valuable resources for securing vehicle architectures and OTA update pipelines.
- Public Authorities and Road Operators: As transport systems digitize, traffic management centres and road infrastructure are highly exposed targets. Operators should actively utilize the defensive AI toolkits promoted by this Action Plan to automate threat detection across transport networks.
- Technology, Telecoms and Connectivity Providers: The demand for low-latency, secure V2X communication will grow as autonomous fleets deploy. Telecom partners will play a vital role in securing the edge-computing and cloud pipelines that feed data into these advanced AI systems.
- Research and Academia: The EU Grand Challenge on AI for Cybersecurity and the upcoming call for the 2027 EU evaluation capacity present direct, funded opportunities for ERTICO’s research partners to lead development in AI risk assessment and defensive cyber models.
Sources
Virkkunen, H. (2026, July 6). Remarks by Executive Vice-President Virkkunen on the Action plan on Cybersecurity and Artificial Intelligence [Speech]. European Commission. https://ec.europa.eu/commission/presscorner/detail/en/speech_26_1546
European Commission. (2026, July 6). Commission presents EU Action Plan on Cybersecurity and Artificial Intelligence [Press release]. https://ec.europa.eu/commission/presscorner/detail/en/ip_26_1544