The European Commission has presented its strategy for addressing cybersecurity risks from advanced artificial intelligence, but the plan largely consists of recommendations and efforts to secure early access to US-developed AI models. The initiative underscores the bloc's technological reliance on the United States, where most frontier AI innovation occurs.
Artificial intelligence is transforming the cyber threat landscape, enabling malicious actors to conduct cheaper, faster, and more sophisticated attacks. The Commission's action plan, unveiled by EU digital chief Henna Virkkunen, aims to coordinate a response across member states.
"These advanced AI models can now build cyber exploits in minutes or hours at a fraction of the cost of vulnerability discovery by trained humans," Virkkunen told the European Parliament on Tuesday. "Once weaponised, these vulnerabilities endanger the security of our infrastructure and society."
Dependence on US Models
The plan's centerpiece is a European blueprint for structured access to advanced AI capabilities for cybersecurity, intended to help public authorities and private companies obtain these models. However, the initiative reveals the EU's limited leverage: Brussels must negotiate access with US companies, as most cutting-edge AI development happens across the Atlantic.
Anthropic's most powerful AI model, Mythos, recently demonstrated its ability to identify vulnerabilities in highly sensitive US government computer systems within hours, according to American security agencies. The US initially imposed export controls on Anthropic's advanced models, later lifted by the Department of Commerce, restoring global access.
European authorities and the EU's cybersecurity agency, ENISA, gained restricted access to Mythos through Anthropic's Project Glasswing, following intense lobbying by Brussels. The Commission acknowledges that the process for granting initial testing access often lacks transparency, hence the blueprint to clarify how European players can acquire AI with advanced cyber capabilities.
"Our dependency is not primarily about AI models. It is about the infrastructure they rely on," said MEP Aura Salla (Finland/EPP) during the parliamentary debate. "Europe has strong AI research, but too few companies operating at this frontier."
The Commission says its AI Office will work with specialized model evaluators to assess and mitigate risks posed by advanced AI models before they reach the EU market, under the bloc's AI Act. However, whether these rules apply before market launch remains contested by tech companies. So far, leading AI labs including OpenAI and Anthropic have favored model evaluations with the UK AI Security Institute, which holds no regulatory power.
The plan also includes guidance on defending against AI-powered cyber threats, speeding up patching of vulnerabilities, and assessing critical infrastructure preparedness. Critics view the action plan as a typical EU reflex to generate paperwork rather than solve complex problems, stitching together existing regulatory tools and new initiatives.
This dependency on US models mirrors broader European challenges in technology sovereignty, as seen in other sectors. The EU's push for digital autonomy continues, but the AI cybersecurity plan highlights the gap between ambition and capability.

