The European Commission adopted the Action Plan on Cybersecurity and Artificial Intelligence on 7 July 2026. The Action Plan is a non-legislative initiative setting Commission and ENISA policy priorities; it does not create new directly binding obligations but directs the Commission to act under existing mandates in the AI Act and EU cybersecurity legislation.
The Action Plan operates under Regulation (EU) 2024/1689 (AI Act), Directive (EU) 2022/2555 (NIS2), Regulation (EU) 2022/2554 (DORA), the Cyber Resilience Act, and the Cyber Solidarity Act. The Commission will strengthen capacity to evaluate AI models prior to EU market placement under Article 43 of the AI Act and will work with the European Union Agency for Cybersecurity (ENISA) to develop a European Blueprint for secure access to advanced AI systems for cybersecurity purposes.
AI model providers, critical infrastructure operators in energy, finance, and health, and AI deployers in high-risk sectors face increased scrutiny of pre-market conformity assessments under the AI Act. ENISA will operate a secure testing platform to help organisations in those sectors safely test and deploy AI solutions. The Commission will also launch an EU Grand Challenge on AI for cybersecurity to fund joint research and development across industry and research institutions.
The Action Plan does not introduce delegated acts or implementing measures; those will follow through ENISA rulemaking and subsequent Commission decisions under the AI Act. Funding timelines and eligibility criteria for the EU Grand Challenge have not been published. ENISA coordination will determine how the Action Plan intersects with national cybersecurity strategies under Article 7 of NIS2.
Licentium advises AI developers, critical infrastructure operators, and regulated financial institutions on EU AI Act compliance, NIS2 cybersecurity obligations, and DORA operational resilience requirements. If you are assessing how the Action Plan affects your AI systems or cybersecurity programme, our team and partner network can assist. Work we undertake includes AI Act conformity assessments, cybersecurity regulatory gap analysis, NIS2 incident-response frameworks, and DORA third-party risk advisory.