№189|04:05 PM ET
Independent reporting on technology, markets & policy
TechEchelon
№01 / Anchor·ARTIFICIAL INTELLIGENCE

EU Publishes AI Cybersecurity Action Plan Amid Growing Dependence on Foreign Models

The European Commission adopted a nine-measure cybersecurity and AI action plan on July 7, aiming to reduce the bloc's dependence on foreign frontier AI systems after U.S. export restrictions temporarily cut off EU customers from models including OpenAI's GPT-5.6.

TE
TechEchelon Staff
JUL 8, 2026 · 03:06 PM ET · 3 MIN READ
via Wikipedia (European Commission)

The European Commission on Tuesday published a cybersecurity and artificial intelligence action plan committing to nine measures designed to reduce the bloc's reliance on foreign frontier AI systems — a dependence that officials say leaves Europe exposed to decisions made by non-European providers and governments.

The communication, adopted in Strasbourg on July 7, is organized around three pillars: making frontier AI safe, accessible, and deployable for European cybersecurity purposes; preparing the EU's cyber ecosystem; and scaling domestic AI capabilities.

Its most significant measure is a "European Blueprint for structured access to advanced AI capabilities for cybersecurity purposes," to be drafted jointly by the Commission and the EU Agency for Cybersecurity, known as ENISA, before the end of 2026. The Blueprint will establish criteria for granting access to frontier models for EU institutions, member state authorities, critical infrastructure operators, security vendors, and researchers.

It will also include contingency measures should a provider or third-country government cut off access to a model — a scenario that already materialized this year. The United States imposed export restrictions on Anthropic's Mythos and Fable models and, later, on OpenAI's GPT-5.6, temporarily barring access to foreign nationals including EU customers before those restrictions were withdrawn.

The action plan acknowledges the structural problem directly. No frontier AI laboratory is headquartered within the EU, and the Commission's own figures show EU providers hold roughly 15% of the European cloud market, down from approximately 29% in 2017, with three non-European hyperscalers now controlling more than 70% of market share.

Henna Virkkunen, the Commission's executive for technology, told reporters the plan would not be accompanied by any new legislation, with enforcement of existing rules — particularly NIS2 and the Cyber Resilience Act — to be the immediate priority.

The absence of new legislation means the action plan carries no binding legal force on its own. The Commission instead pointed to the AI Act, under which it will begin exercising enforcement powers over general-purpose models judged to pose systemic risk from August 2, including fines of up to 3% of global annual turnover and the authority to require a provider to withdraw a model from the EU market.

The plan cites research from the United Kingdom's AI Security Institute indicating that the length of cybersecurity tasks advanced models can complete unaided has been doubling over months rather than years. The Commission's AI Office will participate in an evaluation network coordinated by the UK body, while Brussels separately commits to building its own EU model evaluation capacity — one that "must include cybersecurity" — by 2027.

The Commission also said it would explore joint procurement as a mechanism for member states to collectively obtain access to frontier models.

On financing, the plan concedes that building frontier AI capability within the EU "will entail hundreds of billions of euro investment needs which can only be partly covered by public finances." It cites investment pledges of €200 million under the Horizon Europe and Digital Europe programs and €100 million through the European Innovation Council Fund for strategic defense technology. For context, the document notes that a single American technology company, Meta, is expected to spend around $125 billion on capital expenditure this year alone.

The plan points to a European equity vehicle proposed in June's Tech Sovereignty Package as a means of drawing in private capital to close that gap.

Without domestic compute, models, and data infrastructure, the Commission warned, Europe "is bound to remain a vulnerable user of frontier AI systems made elsewhere that others can suddenly switch off" — language that signals the bloc intends to treat AI access as a strategic security issue, not merely a regulatory or commercial one. How quickly member states move to implement existing directives will determine whether the plan carries any practical weight in the near term.

Disclaimer

TE
━ ABOUT THE BYLINE
TechEchelon Staff

TechEchelon Staff bylines are produced collectively by the newsroom for short, breaking, and wire-style coverage. Longer-form reporting is published under the responsible reporter's name.

More from the Staff
● THE BRIEF · DAILY NEWSLETTER

Five stories every morning. Before the opening bell.

Written for readers who already know the basics — markets, AI, and the policy decisions that shape both.

Mon — Fri · 06:30 ET · Free

No spam · Unsubscribe anytime