Skip to Content
OPINION

A view from Brussels: EU tackles AI and cyber

The EU Action Plan on Cybersecurity and Artificial Intelligence responds to the growing cyber risks posed by advanced AI, calling for safer AI models, stronger enforcement of existing rules and faster vulnerability detection.

Published
Subscribe to IAPP Newsletters

Contributors:

Isabelle Roccia

CIPP/E

Managing Director, Europe

IAPP

Editor's note

The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains. 

"(Artificial intelligence) is transforming the meaning of cybersecurity. And we must keep pace," Executive Vice-President of the European Commission for Technological Sovereignty, Security and Democracy Henna Virkkunen said as she presented the commission's EU Action Plan on Cybersecurity and Artificial Intelligence Tuesday. 

The action plan is a direct response to unprecedented cybersecurity capabilities of the latest AI models, that also change the "economics of malicious actors," she explained. It follows suit with recent declaration from the G7 Cybersecurity Working Group to strengthen global digital resilience. It also builds on a call to action from the Five Eyes cybersecurity agencies: AI undeniably accelerates the sophistication of cyber threats at unpresented scale and speed. 

The AI cyber action plan therefore reflects a growing reality for digital governance teams: AI-enabled cyber shock is already prompting them to use AI automation to triage and remediate against cyberthreats, to list cyberattacks and third-party vendors management among top digital risks, and to improve efficiencies between trust, governance and security across the business. 

The IAPP's Navigate: Digital Risk Index 2026 attests to the significance of risks related to nation-state or sponsored cyberattacks, espionage and warfare on one hand, and AI technologies as accelerating or compounding risks on the other. 

The European Commission is accelerating three priorities. 

First, AI models with high cyber capability deployed in Europe must be safe. AI Act enforcement will play a role to ensure providers establish appropriate safeguards against misuse including in the cyber domains. Brussels will also launch a call to step up evaluation capacity of AI models by 2027 and strengthen know-how to deploy advanced AI models for Europe's own cybersecurity. 

Second, the Commission wants to identify and fix critical vulnerabilities faster. That means full implementation of the NIS2 Directive, Digital Operational Resilience Act and the Cybersecurity Resilience Act "now," insisted Virkkunen.  

Third, Virkkunen wants to build Europe's own AI-powered cyber capabilities. In addition to talent, infrastructure and financing remain a huge challenge but a crucial one to Europe's sovereignty strategy. 

During the parliamentary debate following Virkkunen's presentation, members of Parliament from across the political spectrum largely supported the action plan. They showed that cyber and AI require a whole-of-EU approach, across rules, capability building, innovation policy, public procurement and even diplomacy.

Several interventions reflected clearly how this issue plays into the broader, hotter political debate agitating Brussels. There is broad adherence to the need to solidify Europe's digital sovereignty, including by creating demand domestically via public procurement rules. But whether that then demands deregulation or to double down on efficiently implementing and enforcing existing rules seems to still divide MEPs. 

This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.

Contributors:

Isabelle Roccia

CIPP/E

Managing Director, Europe

IAPP

Tags:

AI and machine learningAI governance

Related Stories