The EU cybersecurity and AI action plan and the UK’s different route

EU cybersecurity and AI action plan, European Commission, 7 July 2026, Bratby Law

In short: the EU cybersecurity and AI action plan, published by the European Commission on 7 July 2026 (COM(2026) 577 final), sets nine actions to make frontier AI safe for cyber defence, harden critical infrastructure under NIS2 and the Cyber Resilience Act, and build sovereign AI capacity. The UK pursues the same goals without a single horizontal AI law.

By Rob Bratby, Managing Partner, Bratby Law. Chambers UK Band 2 (Telecommunications). Legal 500 Leading UK Telecoms Partner. 30+ years in telecoms regulation, including Oftel and senior operator roles.

A business that runs critical systems in both the UK and the EU must now read two cyber-and-AI rulebooks, not one. On 7 July 2026 the European Commission published its EU cybersecurity and AI action plan (COM(2026) 577 final), a coordinated programme of nine actions layered on the binding law the EU already has in force. The UK is pursuing the same outcome, securing critical infrastructure against faster, AI-assisted attacks, but through a different route: sector rules and institutional capability, backed by public investment, rather than one horizontal statute.

What the EU cybersecurity and AI action plan does

The EU cybersecurity and AI action plan sets nine actions across three objectives: making frontier AI safe and available for cyber defence, hardening the EU’s critical infrastructure, and scaling Europe’s own AI capacity for cybersecurity. It is a communication, not a regulation, so it creates no new binding duties. It directs the Commission, the European Union Agency for Cybersecurity (ENISA) and the Member States to act on the law already in force.

That law is now substantial, though not settled. The AI Act (Regulation (EU) 2024/1689) already governs general-purpose AI. From 2 August 2026 the Commission can enforce against providers of general-purpose AI models with systemic risk, including the risk of cyber misuse, with fines of up to 3% of worldwide annual turnover or 15 million euros. The Act’s separate duties for high-risk AI systems have just been pushed back: the Digital Omnibus on AI, which the European Parliament and Council adopted in June 2026 and which awaits publication in the Official Journal, defers the standalone high-risk obligations to 2 December 2027 and the product-embedded ones to 2 August 2028. The Cyber Resilience Act (Regulation (EU) 2024/2847) requires security by design and vulnerability management for products with digital elements, and becomes fully applicable on 11 December 2027. The NIS2 Directive (Directive (EU) 2022/2555) sets the cybersecurity baseline for essential and important entities across eighteen sectors, and the Digital Operational Resilience Act (Regulation (EU) 2022/2554) has applied the same discipline to the financial sector since 17 January 2025. The Cyber Solidarity Act (Regulation (EU) 2025/38) adds an EU Cybersecurity Reserve and a cross-border alert system.

Operationally, the plan sets up new bodies and programmes: a European Blueprint, prepared with ENISA, to give European operators structured access to frontier AI for cyber defence (Q4 2026); a secure ENISA and Joint Research Centre testing platform with cyber ranges, so critical infrastructure operators can test AI before deploying it (Q4 2026); an EU evaluation capacity for AI models, including cybersecurity (2027); a Critical Open Source Resilience Campaign to patch the open-source components embedded in most critical systems; and an EU Grand Challenge on AI-assisted vulnerability remediation. On sovereignty, the Commission points to its AI Factories and future Gigafactories and to the European equity capacity floated in the Tech Sovereignty Package of 3 June 2026.

Key actions in the European Commission plan

  • A European Blueprint for structured access to advanced AI capabilities for cybersecurity, prepared with ENISA, due Q4 2026. Source: European Commission, 7 July 2026.
  • A secure ENISA and Joint Research Centre testing platform for AI in cybersecurity, including cyber ranges, due Q4 2026. Source: European Commission, 7 July 2026.
  • An EU evaluation capacity for AI models that must include cybersecurity, due 2027. Source: European Commission, 7 July 2026.
  • A Critical Open Source Resilience Campaign, first pilot in 2026, to accelerate patching of critical open-source software. Source: European Commission, 7 July 2026.
  • An EU Grand Challenge on AI-assisted vulnerability remediation, and a Cyber Skills Academy training action, due Q4 2026. Source: European Commission, 7 July 2026.

How the UK approaches cybersecurity and AI

The UK has no horizontal AI statute. It relies on the pro-innovation, regulator-led model set out in the 2023 White Paper, A pro-innovation approach to AI regulation, under which the Information Commissioner’s Office, Ofcom, the Financial Conduct Authority and other regulators apply five cross-sector principles within their existing remits. There is no UK conformity assessment for AI, no prohibited-use list, and no general-purpose AI regime of the kind the AI Act creates.

On cyber resilience, by contrast, the UK does legislate. The Cyber Security and Resilience (Network and Information Systems) Bill, brought from the Commons to the House of Lords on 17 June 2026, amends the Network and Information Systems Regulations 2018. It brings managed service providers and large data centres into scope and strengthens incident reporting. Public electronic communications network and service providers stay outside that regime: they remain regulated under the Telecommunications (Security) Act 2021, and the carve-out in regulation 8(1A) is preserved. A Communications Provider’s security duties therefore come from the 2021 Act, not the amended NIS regime.

The UK relies on institutions it already has rather than building new ones by regulation. The AI Security Institute evaluates frontier models, including their offensive-cyber uplift, and the action plan itself names the UK institute as coordinator of the international Network for Advanced AI Measurement, Evaluation and Science. The National Cyber Security Centre sets the threat picture: its assessment Impact of AI on cyber threat from now to 2027 (7 May 2025) judged that AI will almost certainly increase the volume and impact of attacks, and the Five Eyes agencies restated the point in their joint statement of 22 June 2026. On sovereign capacity, the UK routes investment through the AI Opportunities Action Plan of January 2025 and the public compute of the AI Research Resource rather than through a cyber-specific instrument.

IssueWhat the EU is doingWhat the UK is doing
Overarching AI lawBinding AI Act (Regulation (EU) 2024/1689): GPAI enforcement from 2 August 2026, high-risk duties deferred to 2027 and 2028 by the Digital OmnibusNo horizontal AI statute; pro-innovation, regulator-led principles from the 2023 White Paper
Cyber baseline for critical infrastructureNIS2 Directive and DORA, backed by the Cyber Solidarity ActNIS Regulations 2018, expanded by the Cyber Security and Resilience Bill (in the Lords, 17 June 2026)
Telecoms and network securityTelecoms operators fall within the NIS2 digital-infrastructure sectorCommunications Providers regulated under the Telecommunications (Security) Act 2021, outside the NIS regime
Frontier AI evaluationNew EU evaluation capacity and secure testing platform (2026 to 2027)Existing AI Security Institute and National Cyber Security Centre
Sovereign AI capacityAI Factories, Gigafactories and a proposed European equity capacityAI Opportunities Action Plan and the AI Research Resource

What this means for UK-facing regulated businesses

For a UK business with EU operations, the EU instruments apply regardless of where that business is based. The AI Act’s rules for general-purpose AI models with systemic risk become enforceable from 2 August 2026; the Cyber Resilience Act applies to products with digital elements from 11 December 2027; and NIS2 and DORA already apply to entities that operate in the EU. The action plan does not change any of these dates, but it signals that the Commission and ENISA will press Member States and operators to use the powers they have.

The exposure differs by sector. A Communications Provider with EU networks takes its UK security duties from the Telecommunications (Security) Act 2021 and its EU duties from NIS2; a financial entity falls under DORA; a maker of connected products falls under the Cyber Resilience Act. Firms that straddle both regimes carry two sets of obligations and, in an incident, two questions about which regulator to notify and when. Bratby Law’s telecoms security and UK and EU divergence pages set out where the two frameworks meet. If you are assessing how AI and cyber rules apply to a regulated product or service, Bratby Law’s AI and data governance guide covers the direct-advice route.

Viewpoint

I read the plan as a shift of effort from writing rules to defending networks. The EU spent five years passing the AI Act, NIS2, the Cyber Resilience Act, DORA and the Cyber Solidarity Act; the harder problem now is operational, getting frontier AI to defenders and patching critical open-source software faster than attackers can exploit it. The National Cyber Security Centre has said as much since its 7 May 2025 assessment. The EU plan relies on the UK’s own AI Security Institute to coordinate international model evaluation. Through the Digital Omnibus, the EU has also deferred the AI Act’s high-risk duties before they take effect. That is a recalibration, and it narrows the gap between the two approaches. In our experience advising telecoms operators and payments firms on security compliance, the constraint is the speed of patching and knowing which regulator to notify when an incident crosses both regimes, not the headline rule.

Frequently asked questions

What is the EU cybersecurity and AI action plan?

It is a European Commission communication (COM(2026) 577 final) published on 7 July 2026, setting nine actions across three objectives: making frontier AI safe for cyber defence, hardening EU critical infrastructure, and scaling Europe’s AI capacity for cybersecurity. It creates no new binding duties; it directs the Commission, ENISA and Member States to act on existing law.

Does the action plan create new legal obligations?

No. The binding obligations come from the AI Act, the Cyber Resilience Act, the NIS2 Directive, DORA and the Cyber Solidarity Act. The action plan coordinates how the Commission, ENISA, the Joint Research Centre and the Member States use those instruments, and adds programmes such as the European Blueprint and the secure testing platform.

How does the UK regulate AI and cybersecurity?

The UK has no horizontal AI law. It uses a pro-innovation, regulator-led model under which sector regulators apply five cross-sector principles. On cyber resilience it legislates: the Cyber Security and Resilience Bill, in the House of Lords since 17 June 2026, expands the NIS Regulations 2018, while telecoms operators remain regulated under the Telecommunications (Security) Act 2021.

Does the EU action plan affect UK businesses?

Indirectly, yes. UK firms with EU operations are already subject to the AI Act, the Cyber Resilience Act, NIS2 and DORA. The action plan does not change those obligations, but it sets the operational benchmark against which the EU expects critical infrastructure to defend itself, and UK-facing firms will be measured against the same expectations by counterparties and regulators.

For advice on how the EU cybersecurity and AI action plan and the UK’s cyber and AI rules apply to your operations, contact Rob Bratby at Bratby Law.

Select topics of interest

Similar Posts