The EU Action Plan on Cybersecurity & Artificial Intelligence | What It Means for Your Business
The EU Action Plan on Cybersecurity & Artificial Intelligence | What It Means for Your Business
A new chapter in Europe’s digital rulebook
On 7 July 2026, the European Commission presented its Action Plan on Cybersecurity and Artificial Intelligence. It addresses one of the defining tensions of the digital economy: AI is both the most powerful new tool for defending digital infrastructure and the most potent new weapon for attacking it.
- AI as defender: advanced models can detect vulnerabilities, prevent attacks and strengthen the protection of critical infrastructure.
- AI as threat: the same capabilities allow malicious actors to automate attacks and carry out cyber operations at unprecedented speed and scale.
The Action Plan is the EU’s structured answer to this dual reality.
The three objectives of the Action Plan
1. Safe and responsible use of advanced AI
- Strengthened EU capacity to evaluate advanced AI models before they reach the market, in line with the AI Act
- A European Blueprint, developed with ENISA, for secure access to advanced AI systems for cybersecurity purposes
- A secure testing platform so organisations in critical sectors (energy, transport, health, finance, public administration) can safely trial AI solutions before deployment
2. Reinforcing the EU’s cybersecurity and resilience
- No new legislation: the focus is on implementing the existing framework, notably the NIS2 Directive and the Cyber Resilience Act
- Active encouragement for organisations to use AI, including open-source models, to detect and fix vulnerabilities faster and respond to attacks more effectively
3. Scaling up Europe’s AI capabilities for cybersecurity
- An EU Grand Challenge on AI for cybersecurity, bringing together companies, researchers and other stakeholders
- Continued investment in sovereign AI capacity through AI Factories and future Gigafactories, alongside efforts to mobilise private capital
The key point: no new obligations, but real compliance pressure
The Action Plan does not create new legal duties on its own. It is a coordination and implementation instrument sitting on top of an already dense framework:
- The AI Act
- The NIS2 Directive (already transposed into Greek law, with obligations for a much wider range of entities and personal accountability for management)
- The Cyber Resilience Act
- DORA for the financial sector
- The Cyber Solidarity Act
In practice, the pressure businesses will feel from the Action Plan will arrive through intensified enforcement and operationalisation of these existing instruments.
What businesses should be doing now
From our practice advising clients on AI governance and technology regulation, we highlight five priorities:
- NIS2 entities (essential or important): review your risk management measures, supply chain security assessments and incident reporting readiness now, before the first enforcement wave.
- AI developers and deployers: map your exposure under the AI Act. Pre-market evaluation of advanced models will be strengthened, so conformity, documentation and transparency obligations must be in order.
- Manufacturers of connected products: accelerate preparation for the Cyber Resilience Act. Its security-by-design and vulnerability handling requirements align directly with the Action Plan’s agenda.
- Financial entities under DORA: AI-driven threats are now explicitly on the regulatory radar. ICT risk management frameworks will be expected to address AI-enabled attack vectors.
- Critical sector organisations: watch for the ENISA secure testing platform and the European Blueprint. Early engagement may offer a lower-risk pathway to adopting AI security tools and a genuine competitive advantage.
The strategic dimension
The Action Plan is also industrial policy. By pairing regulatory implementation with the Grand Challenge and sovereign AI investment, the EU signals that cybersecurity is no longer a pure compliance matter but a field of technological competition in which Europe intends to lead. For innovative companies in the security and AI space, this opens funding, partnership and procurement opportunities.
How Tsamichas Law Firm can assist
Our firm advises clients across the full spectrum of EU digital regulation:
- AI governance under the AI Act
- NIS2 compliance and incident response readiness
- Cyber Resilience Act preparation
- DORA implementation for financial entities
- Data protection and technology contracting
If your organisation develops, deploys or depends on AI systems, or falls within the scope of the EU cybersecurity framework, we would be pleased to discuss how the Action Plan affects your operations.
Sources: European Commission, EU Action Plan on Cybersecurity and Artificial Intelligence, 7 July 2026.
Μοιραστείτε αυτήν την ανάρτηση
Κλείστε το ραντεβού σας.
Πετυχαίνουμε μαζί αγωνιζόμενοι για Δικαίωμα και Δικαιοσύνη.
Καλέστε μας
+30 210 363 8590
