The European Commission has laid out a cybersecurity and AI action plan aimed at reducing Europe’s exposure to foreign decisions over access to frontier models, a dependency Brussels now sees as a security problem as well as an industrial one.
The plan, adopted in Strasbourg on July 7 and published Tuesday, commits the Commission to nine measures covering model evaluation, access to advanced systems and vulnerability management. Henna Virkkunen, the Commission executive responsible for technology, told reporters the package will not come with new legislation. Brussels is instead leaning on existing rules, including the NIS2 directive and the Cyber Resilience Act, which the Commission says member states need to adopt and implement urgently.
That choice matters: without new law, the action plan is a policy program rather than a binding legal instrument. Its weight will come from procurement, enforcement of existing statutes and the Commission’s ability to coordinate member states, agencies and critical sectors.
A blueprint for access to frontier models
The central proposal is a European blueprint for structured access to advanced AI capabilities for cybersecurity. The Commission and the EU Agency for Cybersecurity, known as ENISA, are expected to draft it by the end of 2025.
According to the Commission, access to frontier AI is increasingly controlled by provider-by-provider decisions, many of them made outside Europe. The document says safety-based restrictions can be justified, but also says the criteria are often opaque.
The blueprint is supposed to define how EU institutions, national authorities, critical infrastructure operators, cybersecurity companies and researchers can get access to advanced models for defensive work. It will also include contingency measures for cases where a provider or a third-country government restricts or withdraws access. The Commission says it will also examine joint procurement, which would let European buyers seek access collectively instead of knocking on the same doors one by one.
The concern is not hypothetical in Brussels. Earlier this year, the United States imposed and then withdrew export controls affecting Anthropic’s Mythos and Fable models, and later restrictions on OpenAI’s GPT-5.6. During the restrictions, foreign nationals, including EU customers, were barred from access.
Europe has little leverage without its own stack
The Commission’s plan states plainly that frontier AI capabilities are mostly built outside the EU and that their availability is often shaped by foreign, non-transparent processes. No frontier AI lab is headquartered in the bloc.
The same dependency shows up in cloud computing. Commission figures put EU providers at about 15% of the European cloud market, down from roughly 29% in 2017. Three non-EU hyperscalers now account for more than 70% of the market, according to the Commission.
Brussels plans to use what leverage it has: a market of around 450 million people and regulation. From August 2, the Commission will begin using enforcement powers under the AI Act for general-purpose models judged to pose systemic risk. Those powers include fines of up to 3% of global annual turnover and the ability to require a provider to withdraw a model from the EU market.
The plan also points to outside technical work. It cites research from the United Kingdom’s AI Security Institute saying the length of cybersecurity tasks that advanced models can complete without help has been doubling over months, rather than years. The Commission’s AI Office will join an evaluation network coordinated by the UK institute.
Brussels says it will support an EU capacity to evaluate AI models in 2027, and that this work must include cybersecurity. The plan notes that most third-party evaluators currently sit outside the Union.
The money question remains awkward. The Commission says building frontier capability in Europe will require hundreds of billions of euros, only part of which can come from public budgets. It cites €200 million in pledges under Horizon Europe and Digital Europe, plus €100 million through the European Innovation Council Fund for strategic defence technology. By comparison, the plan notes that Meta alone is expected to spend about $125 billion on capital expenditure this year.
The Commission points instead to a European equity vehicle proposed in June’s Tech Sovereignty Package as a way to pull in private capital. Its blunt assessment: without compute, models and data infrastructure, Europe remains stuck using frontier AI systems built elsewhere, under terms someone else can change.
This story draws on original reporting from The Record.