Enterprise DNA

Omni by Enterprise DNA

Enterprise DNA Resources

Latest AI and industry news. Practical AI operating-system thinking for owners, operators, and teams doing real work.

220k+

Data professionals

Omni

AI agents and apps

Audit

Map the manual work

News Trending Regulation

EU AI Cybersecurity Plan Targets Critical Enterprise Sectors

The European Commission unveiled an AI cybersecurity action plan covering energy, health, finance, and public admin — no new legislation, just enforcement.

Enterprise DNA | | via European Commission
EU AI Cybersecurity Plan Targets Critical Enterprise Sectors

On July 7, 2026, the European Commission presented its Action Plan on Cybersecurity and Artificial Intelligence — the most concrete step the EU has taken to govern how AI is used in sensitive industries. If your business operates in Europe, or if you sell AI products or services to European clients, the implications are worth understanding now.

The plan does not introduce new legislation. Instead, it focuses on making the existing AI Act work properly, closing the implementation gap that has left many businesses uncertain about what “compliance” actually means in practice.

What the Commission Actually Announced

The action plan rests on three pillars.

First: independent model evaluation. The AI Act already requires advanced AI models to be assessed before they reach the EU market. The problem is that third-party evaluation capacity barely exists. The Commission will help build that infrastructure — a European-level assessment capability designed to give regulators and buyers a clearer picture of what a model can and cannot do. For businesses buying AI tools, this eventually means more reliable certifications. For providers selling into Europe, it means independent scrutiny is coming whether or not you’re ready.

Second: a secure testing platform for critical sectors. Working with ENISA (the EU’s cybersecurity agency), the Commission will develop a European Blueprint for secure AI access and stand up a testing environment specifically designed for energy, transport, health, finance, and public administration. These sectors deal with infrastructure that cannot afford AI failures. The testing platform gives them a place to validate solutions before deploying them at scale — something most organisations in these sectors are currently doing informally, or not at all.

Third: an EU Grand Challenge on AI for cybersecurity. The Commission will bring together companies, researchers, and other stakeholders to develop AI-powered security tools. The subtext here is notable: Euronews reported that Brussels is pitching this plan explicitly against a backdrop of dependence on US AI models. The Grand Challenge is partly about building European alternatives and capability — an industrial policy objective dressed as a security initiative.

What This Means for Business

If you run a business that processes data under EU law or sells software to regulated European clients, three things are relevant here.

Compliance is moving from theory to practice. The AI Act’s rules exist. The evaluation and testing infrastructure is now being built to enforce them. The businesses that treat AI Act compliance as a checkbox exercise will be caught out as actual assessments begin. The ones preparing now — documenting model risk, maintaining governance records, testing their AI tools properly — will have a clear advantage.

Sectors matter. Health, finance, energy, transport, and public administration are explicitly named. If you operate in any of these sectors and use AI for anything that touches operations, decision-making, or customer interaction, you are in scope for the testing requirements being built. The guidance coming from ENISA will likely define what “secure AI use” looks like in each of these industries.

The dependence on US models is becoming a policy issue. The Commission’s language about building EU capability is not just talk. Procurement preferences, funding priorities, and regulatory interpretation can all be shaped by this framing. Businesses relying entirely on US-based AI providers for EU operations should be paying attention.

What It Means for AI Strategy

The bigger picture here is that the EU is moving from passing laws to actually implementing them. That shift changes the risk calculation for any business with European exposure.

For years, organisations could reasonably treat AI Act compliance as a future problem. The infrastructure to actually enforce the rules was not there. That infrastructure is now being built deliberately — evaluation capacity, testing platforms, sector-specific guidance from ENISA.

The businesses that will benefit most are the ones that treat this as a prompt to get their AI governance in order rather than a constraint to minimise. Independent model evaluation is less threatening if you have already done that work internally. A secure testing mandate is less disruptive if testing is already part of your AI deployment process.

The EU is not trying to stop AI adoption in these sectors. The plan explicitly acknowledges that AI improves security. The goal is to make sure that the AI being used is actually trustworthy — that organisations can verify what they are deploying, not just take a vendor’s word for it.

For anyone building or deploying AI in European markets, that is the practical question to be asking right now: can you demonstrate that your AI tools meet the standard that regulators are now building the capacity to verify?


The practical next step is the free Working With Claude field guide. Thirty-two pages covering the ecosystem, Claude Code, and how to govern a rollout properly. Get your copy.