Europe's New AI Cybersecurity Plan Reveals a Deeper Problem: How to Avoid Becoming Dependent on America
The European Commission has launched a coordinated action plan to address how advanced artificial intelligence can both strengthen and threaten Europe's cybersecurity, but the strategy reveals a fundamental vulnerability: the EU lacks homegrown frontier AI models and risks becoming more dependent on American technology in pursuit of safety oversight.
On July 7, 2026, EU tech chief Henna Virkkunen unveiled the EU Action Plan on Cybersecurity and Artificial Intelligence, a response to urgent questions about how Europe can access cutting-edge AI systems like Anthropic's Mythos, which the U.S. company unveiled in April to a restricted group of American entities. The plan attempts to balance two competing needs: gaining early access to frontier models for safety testing while building Europe's own advanced AI capabilities.
Why Does Europe Need a Cybersecurity AI Plan Right Now?
Artificial intelligence presents a paradox for cybersecurity. On one hand, AI can detect vulnerabilities, prevent cyberattacks, and strengthen protection of critical infrastructure. On the other hand, malicious actors can exploit AI to automate attacks, identify weaknesses, and carry out cyber operations at unprecedented speed and scale. The new plan aims to help EU member states, businesses, and public authorities benefit from AI's defensive capabilities while managing the risks it creates.
The timing is not accidental. When Anthropic first invited organizations to test Mythos for cybersecurity risks, no Europeans were on the original list of approved testers. Then, last month, the U.S. government blocked Anthropic from exporting its latest AI models, though that ban was later partially lifted. These moves exposed a vulnerability in Europe's approach to AI governance: the bloc has strong regulatory frameworks but lacks the technological leverage to ensure it has a seat at the table when frontier models are developed.
What Does the EU's New Action Plan Actually Do?
The Commission's plan focuses on three complementary objectives to address the AI-cybersecurity challenge:
- Evaluating AI Models Before Market Entry: The EU will establish an evaluation capacity to strengthen third-party assessment of AI capabilities and risks globally, supporting the regulatory function of the AI Office and ensuring advanced models meet safety standards before release in Europe.
- Securing Access to Advanced AI Systems: The Commission will work with the EU Agency for Cybersecurity to define a European blueprint for structured access to advanced AI capabilities, helping public and private organizations in critical sectors access frontier models safely.
- Creating a Secure Testing Platform: The EU Agency for Cybersecurity and the Commission's Joint Research Centre will establish a secure platform where organizations in critical sectors like energy, transport, health, finance, and public administration can test AI solutions in simulated environments.
- Reinforcing European AI Development: The EU will invest in sovereign AI capabilities through AI Factories and future Gigafactories infrastructure, and launch an EU Grand Challenge on AI for cybersecurity to bring together companies, researchers, and organizations to develop homegrown solutions.
The plan builds on existing EU rules, including the AI Act, the Cyber Resilience Act, the Network and Information Systems Directive (NIS2), and the Cyber Solidarity Act.
What's the Hidden Risk in Europe's Strategy?
While the action plan addresses immediate safety concerns, it may inadvertently deepen Europe's technological dependence on the United States. To properly test how models like Mythos work, European regulators would need to share crucial source code with American companies, essentially handing over what experts describe as the digital "crown jewels" of the bloc. Anthropic's data retention policies require even more sensitive assets to be shared, raising questions about whether Europe is trading long-term sovereignty for short-term access.
"The Commission must avoid falling into a trap where pushing for access to the top-tier U.S. models could just deepen our dependency on American cloud infrastructure," said Aura Salla, a Finnish lawmaker with the center-right European People's Party.
Aura Salla, Finnish Lawmaker, European People's Party
European policymakers have worried for years about U.S. tech dominance and the possibility that President Donald Trump might restrict access to essential digital platforms. Mythos became a symbol of those anxieties in the AI era. The concern is not hypothetical: the U.S. government's recent export controls on Anthropic's models demonstrated how quickly American policy can shift, leaving European organizations vulnerable.
"Why would we willingly give this away? This seems to me that we are creating again the very type of dependency that we would want to not have," explained Jaya Baloo, co-founder of European AI security firm Aisle.
Jaya Baloo, Co-founder, Aisle
The fundamental challenge is structural. The United States has Mythos and other frontier models. China has DeepSeek. The European Union, by contrast, is responding with an action plan. While the plan is well-intentioned, it addresses the symptoms of Europe's AI gap rather than the root cause: the bloc is dramatically behind the U.S. and China in developing frontier models and accessing the computing infrastructure that underpins them.
How Can Europe Build Real Sovereignty in AI?
The action plan does include provisions for scaling European AI capabilities. The Commission will continue investing in sovereign AI infrastructure through AI Factories and future Gigafactories, and will launch the EU Grand Challenge on AI for cybersecurity to stimulate innovation among European companies and researchers. However, no new funding has been announced to support these initiatives, raising questions about whether Europe's ambitions match its financial commitment.
The EU's approach reflects a broader strategic dilemma. By focusing on safety testing and regulatory oversight of U.S. models, Europe positions itself as a rule-maker but not a rule-breaker in AI development. This may provide short-term influence over how frontier models are deployed, but it does not address the long-term challenge of building homegrown alternatives that could reduce dependence on American technology.
For now, the action plan represents the EU's best available tool for managing the immediate risks posed by advanced AI in cybersecurity. But as one observer noted, when the United States has Mythos and China has DeepSeek, an action plan may be the only thing Europe has to offer. Whether that is enough to protect European interests in the long run remains an open question.