cognitive cybersecurity intelligence

News and Analysis

Search

Exploited before the patch exists: inside the EU’s Cybersecurity and AI Action Plan

Exploited before the patch exists: inside the EU’s Cybersecurity and AI Action Plan

The European Commission has published its Action Plan on Cybersecurity and Artificial Intelligence. It introduces no new law. What it offers instead is a map of instruments, funding and opportunity for organisations that intend to stay ahead of the threat.

Not long ago, defenders had time on their side. The interval between a vulnerability becoming public and its first real-world exploitation was measured in weeks, occasionally in months. That interval has now turned negative. According to analysis highlighted by CERT-EU, the average time to exploitation has moved to minus seven days, which means an attacker weaponises a flaw before the vendor has even shipped a fix. Modern AI can turn a vulnerability description into a working exploit in minutes.

This is the shift the new Action Plan on Cybersecurity and Artificial Intelligence responds to, presented by the European Commission in Strasbourg on 7 July 2026 (reference document COM(2026) 577 final, press release IP/26/1544).

A framework, not a law

One point deserves to be clear from the outset. The plan is not new legislation and imposes no new obligations on companies. It is a coordinating framework that builds on rules already in force across the EU and adds a layer of instruments, funding and market opportunity on top. Executive Vice-President Henna Virkkunen put the rationale plainly: AI is changing what cybersecurity means, and the Union has to keep pace. The plan rests on three pillars.

Why now

The numbers leave little room for doubt. According to the Black Duck 2026 OSSRA report, open source is present in 98 percent of all analysed codebases, and the average number of vulnerabilities per project more than doubled year-on-year, rising 107 percent to 581. In its 2025 threat landscape, ENISA ranks phishing as the leading initial access vector, with vulnerability exploitation close behind, and notes that more than two-thirds of exploited vulnerabilities lead directly to malware deployment.

The deeper problem is not the speed of the attack alone. It is an imbalance. AI has accelerated the discovery of vulnerabilities far more than their remediation. Defenders now find holes faster than they can close them, and that gap works squarely in the attacker’s favour. Closing it is what the plan is built to do.

AI-assisted vulnerability discovery now outpaces AI-assisted remediation. The result is a structural advantage for the attacker.

The three pillars in brief

The first pillar aims to make frontier AI safe and accessible for European cybersecurity. By 2027 the Commission intends to build a dedicated European capacity to evaluate AI models with a cybersecurity focus, to define a European Blueprint for structured access to advanced models together with ENISA, and to launch a secure testing platform, developed by ENISA and the Joint Research Centre (JRC), by the end of 2026.

The second pillar prepares the cyber ecosystem for the age of AI. Alongside its emphasis on full implementation of the existing directives and regulations, it introduces two concrete initiatives. The first is an EU Grand Challenge on AI-assisted vulnerability remediation, run by the Commission with ENISA and the European Cybersecurity Competence Centre (ECCC). The second is a Critical Open Source Resilience Campaign to support the maintainers of key open source projects, with a pilot planned for the fourth quarter of 2026.

The third pillar sets out to scale Europe’s own AI capabilities for cyber. It includes a further Grand Challenge and, above all, investment in sovereign European AI capacity through the AI Factories and the future Gigafactories.

The legal foundation, and what it means on the ground

The legal foundation rests on a familiar set of instruments. The AI Act (Regulation 2024/1689), whose enforcement against providers of the most capable models begins on 2 August 2026. The Cyber Resilience Act (CRA, Regulation 2024/2847), fully applicable from 11 December 2027. The NIS2 Directive, the DORA Regulation and the Cyber Solidarity Act, which established the EU Cybersecurity Reserve.

For companies operating in the region, NIS2 is the instrument that bites first. In Slovakia it has been transposed through an amendment to the Cybersecurity Act (Act No. 366/2024 Coll.), in force since January 2025 and supplemented by Decree No. 227/2025 Coll. of the National Security Authority (NBÚ). Oversight sits with the NBÚ, and the new rules reach more than 3,400 organisations across critical sectors. The transition period for existing entities runs only until the end of 2026, so the window to prepare is narrow.

Where the funding and the opportunities are

This is the part most organisations will care about. The EU Cybersecurity Reserve, operated by ENISA, is backed by 36 million euro and built on the teams of 45 trusted European providers who have passed an ownership control assessment. Since June 2026 the European Innovation Council has also opened to defence and dual-use technology. Its new EIC STEP call carries a budget of 100 million euro, allows direct equity investments of up to 30 million euro, and accepts applications until 28 October 2026. In parallel, an ECCC call under Horizon Europe, worth up to 56.2 million euro with a deadline of 15 September 2026, covers the resilience of AI models and security in software development among other topics.

To these add both Grand Challenges and the open source campaign. For firms focused on cybersecurity and AI, this is an unusually dense set of entry points, and most of them are open right now, in the third and fourth quarters of 2026.

A question of sovereignty

Beneath the technical layer sits a question of geopolitics. Europe depends on non-European providers for its most capable models, and the plan does not disguise it. As Euronews observed, the Union relies on negotiated access to models developed beyond its borders. The fragility of that dependence was on display recently, when US authorities temporarily restricted access to Anthropic’s frontier models for users outside the United States and then lifted the restriction weeks later. Part of the EU’s answer is the EUROPA consortium, which in June 2026 won the competition to build a European open source frontier model across all 24 official languages of the Union.

What to take from it

The plan’s sharpest message is a simple one. AI has accelerated the discovery of vulnerabilities but not their repair, and that gap has to be closed before an adversary exploits it. The Grand Challenge on AI-assisted remediation is aimed precisely there. For European firms, and especially those with a footprint in defence and dual-use, a narrow but real window is opening: the clearances, calls and competitions are available now.

At Decent Cybersecurity we observe this shift at first hand. The post-quantum cryptography and dual-use work that has long been our focus maps almost point by point onto the plan’s priorities. A closing note of caution is warranted. Some of the specific figures and the exact structure of the measures are, for now, available only in the full text of COM(2026) 577 final, so decisions of consequence are best taken after reading it.
The post Exploited before the patch exists: inside the EU’s Cybersecurity and AI Action Plan appeared first on Decent Cybersecurity.

Source: decentcybersecurity.eu –

Subscribe to newsletter

Subscribe to HEAL Security Dispatch for the latest healthcare cybersecurity news and analysis.

More Posts

Summer of Clearinghouses

Summer of Clearinghouses

Everyone seems to have announced a clearinghouse over the past few weeks. We did too. Ours is called Athena, and the main thing that sets