From the journal

European Commission Presents Cybersecurity and AI Action Plan on 7 July 2026

On 7 July 2026, the European Commission presented an Action Plan on Cybersecurity and Artificial Intelligence. The plan directs the Commission and ENISA to evaluate advanced AI models before they reach the EU market, establish a secure testing platform for critical-sector organisations, and launch an EU Grand Challenge on AI-powered cybersecurity solutions. It operates alongside the AI Act, NIS2 Directive, DORA, Cyber Resilience Act, and Cyber Solidarity Act, and introduces no new directly binding obligations.

2 min read

The European Commission adopted the Action Plan on Cybersecurity and Artificial Intelligence on 7 July 2026. The Action Plan is a non-legislative initiative setting Commission and ENISA policy priorities; it does not create new directly binding obligations but directs the Commission to act under existing mandates in the AI Act and EU cybersecurity legislation.

The Action Plan operates under Regulation (EU) 2024/1689 (AI Act), Directive (EU) 2022/2555 (NIS2), Regulation (EU) 2022/2554 (DORA), the Cyber Resilience Act, and the Cyber Solidarity Act. The Commission will strengthen capacity to evaluate AI models prior to EU market placement under Article 43 of the AI Act and will work with the European Union Agency for Cybersecurity (ENISA) to develop a European Blueprint for secure access to advanced AI systems for cybersecurity purposes.

AI model providers, critical infrastructure operators in energy, finance, and health, and AI deployers in high-risk sectors face increased scrutiny of pre-market conformity assessments under the AI Act. ENISA will operate a secure testing platform to help organisations in those sectors safely test and deploy AI solutions. The Commission will also launch an EU Grand Challenge on AI for cybersecurity to fund joint research and development across industry and research institutions.

The Action Plan does not introduce delegated acts or implementing measures; those will follow through ENISA rulemaking and subsequent Commission decisions under the AI Act. Funding timelines and eligibility criteria for the EU Grand Challenge have not been published. ENISA coordination will determine how the Action Plan intersects with national cybersecurity strategies under Article 7 of NIS2.

Licentium advises AI developers, critical infrastructure operators, and regulated financial institutions on EU AI Act compliance, NIS2 cybersecurity obligations, and DORA operational resilience requirements. If you are assessing how the Action Plan affects your AI systems or cybersecurity programme, our team and partner network can assist. Work we undertake includes AI Act conformity assessments, cybersecurity regulatory gap analysis, NIS2 incident-response frameworks, and DORA third-party risk advisory.

Source: European Commission, Press Release IP/26/1544, Action Plan on Cybersecurity and Artificial Intelligence, 7 July 2026

AI Regulatory

More from the journal

See all
Illia Prokopiev

From Cloud Concentration to AI Dependence: The UK’s Critical Third Parties Regime

The United Kingdom now directly oversees designated technology suppliers whose service failures could threaten financial stability. The question is whether the first cloud designations show a legal expansion toward AI-model providers, and what the present regime requires. This analysis assumes the quoted statement concerns the UK financial-services Critical Third Parties regime and assesses the law through 14 July 2026.

Alberta Regulated iGaming Market Launched on 13 July 2026 with 22 Operators

Alberta's regulated private iGaming market launched on 13 July 2026, making Alberta the second Canadian province to permit private online gambling operators after Ontario. The Alberta Gaming, Liquor and Cannabis Commission serves as market regulator and the Alberta iGaming Corporation oversees commercial operations and operator contracts. Twenty-two operator sites went live on day one, including FanDuel, DraftKings, BetMGM, and BetRivers. Operators must fully launch or exit the Alberta market by 13 October 2026.

Hong Kong Gazetted Crypto-Asset Reporting Framework Bill on 22 May 2026

The Inland Revenue (Amendment) (Crypto-Asset Reporting Framework and Amended Common Reporting Standard) Bill 2026 was gazetted in Hong Kong on 22 May 2026 and had its first reading in the Legislative Council on 3 June 2026. The bill implements the OECD Crypto-Asset Reporting Framework and 2023 CRS amendments. Crypto-asset service providers with a Hong Kong reporting nexus must register with the Inland Revenue Department, conduct client due diligence, file annual returns, and maintain records from 1 January 2027.