EU unveils an AI cybersecurity action plan, but offers mostly recommendations as Brussels leans on negotiated access to US AI models like Anthropic's Mythos, exposing its tech dependency.
The European Commission has presented its plan for tackling the cybersecurity risks posed by cutting-edge AI, but Brussels has little to offer beyond recommendations and an attempt to negotiate early access with US AI companies.
Artificial intelligence is redefining the cyber threat landscape, letting malicious actors run cheaper, more scalable and more sophisticated operations.
In what critics see as a typical EU reflex to generate paperwork rather than solve complicated problems, the Commission has produced an action plan — a patchwork of existing regulatory tools and new initiatives stitched together into a supposedly coherent response.
"These advanced AI models can now build cyber exploits in minutes or hours at a fraction of the cost of vulnerability discovery by trained humans. Once weaponised, these vulnerabilities endanger the security of our infrastructure and society," EU digital chief Henna Virkkunen told the European Parliament on Tuesday, presenting the initiative.
Anthropic's most powerful AI model, Mythos, was able to identify vulnerabilities exploitable for hacking in highly sensitive US government computer systems within a few hours, American security agencies said last month.
These unprecedented capabilities, and the potentially catastrophic consequences should they fall into the wrong hands, prompted Washington to impose export controls on Anthropic's advanced models. Those controls have since been lifted by the US Department of Commerce, restoring global access to the models.
European authorities and the EU's cybersecurity agency, ENISA, gained restricted access to Mythos through Anthropic's Project Glasswing, following intense lobbying by Brussels.
The plan promises a European blueprint for structured access to advanced AI capabilities for cybersecurity, helping public authorities and private companies obtain access to these models.
For the Commission, the process for granting a restricted number of organisations initial testing access often lacks transparency — hence the blueprint, meant to clarify how European players can get hold of AI with advanced cyber capabilities.
At the same time, the initiative lays bare the EU's dependency in this space: Brussels is reduced to negotiating access with the US, where most of the innovation happens.
"Our dependency is not primarily about AI models. It is about the infrastructure they rely on. Europe has strong AI research, but too few companies operating at this frontier," MEP Aura Salla (Finland/EPP) said during the plenary debate.
The Commission says its AI Office will work with specialised model evaluators to assess and mitigate the risks posed by the most advanced AI models before they reach the EU market, under the bloc's flagship AI Act.
Whether the rules apply before market launch, however, remains contested by tech companies. So far, leading AI labs including OpenAI and Anthropic have favoured model evaluations with the UK AI Security Institute, since it holds no regulatory power.
The plan also sets out guidance on how companies can defend against AI-powered cyberthreats, speeding up the patching of hackable vulnerabilities, and includes an assessment of how prepared critical infrastructure is for potential cyberattacks.
"It's not business as usual anymore. Your software and IT systems will be tested by hackers, aided by the latest AI models. Hackers will operate at the speed of light and will try to put you out of business," said Bart Groothuis (the Netherlands/Renew).