What the Commission actually announced

On 7 July 2026 the European Commission presented its Action Plan on Cybersecurity and Artificial Intelligence, and Executive Vice-President Henna Virkkunen framed it plainly, that AI is transforming the meaning of cybersecurity and the Union must keep pace. The striking choice is what the plan does not contain, no new legislation. Instead it promotes the implementation of laws already on the books, the NIS2 Directive, the Cyber Resilience Act and the AI Act. Three concrete moves sit inside it, an EU evaluation capacity to assess the capabilities and risks of advanced AI models, a European Blueprint and a secure testing platform built with the EU cyber agency ENISA so critical sectors can trial AI safely, and an EU Grand Challenge that funds researchers and companies to build AI-powered defence. It reads less like a rulebook and more like a decision about where Europe puts its own hands.

Why the plan builds its own testing capacity

The centre of gravity is the EU evaluation capacity. The AI Act already requires advanced models to be assessed for risk before they reach the market, and the plan says Europe will strengthen third-party assessment rather than accept a provider grading its own homework. That is a sovereignty statement as much as a security one, since most frontier models are American and Europe does not want to depend on the labs that build them to certify that they are safe. The secure testing platform extends the same logic to operators, giving banks, hospitals and grid operators a controlled place to try advanced AI without exposing production systems. And the timing carries weight, because from 2 August 2026 the Commission gains its enforcement powers over general-purpose AI, including the ability to demand information and measures from providers. The plan is the scaffolding that goes up just before that date.

What an operator takes from it

Nothing new lands on your compliance desk this week, and that is the point worth internalising. Your obligations under NIS2 and the Cyber Resilience Act do not change, but they now sit inside an explicit AI-threat frame, because the same models that draft your reports can also automate reconnaissance, write exploit code and escalate an intrusion faster than a human team can. If you run a critical-sector service, expect the secure testing platform to become the sanctioned route for proving an AI deployment before it touches regulated workloads, and expect your national authority, the NCSC in the United Kingdom, to translate the Blueprint into guidance you will be measured against. The action to take is not filing, it is pace, since a defence tuned to human attackers is now facing machine ones.