EU unveils AI cybersecurity Action Plan

The European Commission has published an Action Plan to address the cybersecurity risks and opportunities created by advanced AI models. Released on 7 July 2026, the initiative sets out a coordinated approach to strengthening Europe’s cyber resilience as AI capabilities continue to advance.

The Action Plan brings together member states, industry and EU institutions to coordinate responses to AI-related cybersecurity challenges. Rather than introducing new legislation, it builds on the EU’s existing regulatory framework while adapting it to risks posed by increasingly capable AI systems.

The Commission says the plan will strengthen defences against vulnerabilities that AI systems may introduce or exploit. It also promotes closer cooperation between public and private stakeholders, reflecting the view that AI governance and cybersecurity must increasingly be treated as interconnected policy areas.

The Action Plan forms part of the EU’s broader strategy to strengthen digital resilience while maintaining technological competitiveness. Its implementation will depend on cooperation between governments, regulators, businesses and cybersecurity organisations across the Union.

Why does it matter?

The Action Plan reflects growing recognition that advanced AI models are changing the cybersecurity landscape by strengthening defensive capabilities while also creating new opportunities for attackers. As AI systems become more capable and autonomous, policymakers are increasingly treating AI safety and cybersecurity as part of the same strategic challenge.

The initiative also reinforces the EU’s broader digital sovereignty agenda. Rather than creating separate policies for AI and cybersecurity, the Commission is integrating the two into a common governance framework. That approach could influence how organisations deploy AI in critical sectors and provide a model for other jurisdictions developing AI cybersecurity strategies.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

UK Treasury highlights economic value of cyber resilience

HM Treasury has published a report arguing that cyber resilience in financial services should be treated as a strategic capability rather than simply a compliance requirement or technical cost.

The report, The Value of Resilience: Cyber Resilience in Financial Services, brings together evidence on the economic and operational value of resilience, focusing on the growing impact of cyber disruption across the financial sector.

The report argues that cyber risk has intensified as financial institutions become more dependent on digital infrastructure, third-party providers, cloud services and shared technologies. It cites the Bank of England’s 2026 H1 Systemic Risk Survey, in which 82% of UK banks, insurers and asset managers identified cyberattacks as one of the financial system’s a top five risks.

HM Treasury also cites National Cyber Security Centre data showing a sharp rise in nationally significant cyber incidents during 2024–25. Highly significant incidents increased by 50% year on year, while nearly half of all incidents handled by the NCSC met the threshold for national significance.

The financial impact can be considerable. KPMG Cyber Risk Insights modelling cited in the report estimates plausible worst-case annual ransomware losses of more than £230 million for mid-sized financial firms and around £466 million for large institutions, illustrating how average loss estimates can underestimate severe but plausible cyber events.

Beyond direct financial losses, the report links major cyber incidents to operational disruption, reputational damage, lost revenue and reduced investor confidence, noting that affected firms may underperform the market for a year or longer.

At the same time, HM Treasury argues that stronger cyber resilience can reduce both the likelihood and impact of disruption through earlier detection, faster containment, more effective escalation procedures, recovery planning, service prioritisation and fallback arrangements.

The report also presents resilience as a driver of growth rather than simply a defensive measure. Citing Accenture research, it argues that highly resilient organisations generate faster revenue growth, achieve stronger profit margins and are better positioned to modernise systems, adopt AI and pursue digital transformation without disruption undermining progress.

Why does it matter?

The report reframes cyber resilience as a source of competitive advantage rather than simply a risk management function. For financial institutions, stronger resilience is presented not only as a way to protect customers and market confidence, but also as an enabler of AI adoption, digital transformation and long-term business performance.

The findings also reflect a broader shift in cyber policy. As financial services become increasingly dependent on cloud infrastructure, AI and interconnected digital ecosystems, regulators are treating operational resilience as a strategic capability that underpins both financial stability and economic growth.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

European Parliament updates Digital Agenda for Europe factsheet

The European Parliament has updated its factsheet on the Digital Agenda for Europe, outlining how the EU’s digital policy has shifted from setting strategic goals to implementing rules on platforms, data, digital identity, AI and cybersecurity.

The factsheet says digital platforms and emerging technologies continue to reshape how Europeans work, communicate, shop and learn. Since 2024, the EU has focused on implementing legislation designed to strengthen digital security, promote fair competition and support digital sovereignty alongside the green transition.

The updated overview of the Digital Agenda for Europe situates current policy within a longer trajectory, from the 2010 Digital Agenda and the 2015 Digital Single Market strategy to the 2030 Digital Compass and the Digital Decade framework. Together, these initiatives set targets for digital skills, public services, business transformation and resilient digital infrastructure.

The document highlights several core policy areas. On data, it points to the EU’s framework built around the GDPR, the Data Governance Act and the Data Act. On AI, it notes that the AI Act has been in force since August 2024, with its provisions applying in stages under the oversight of the EU AI Office.

The factsheet also identified the Digital Services Act (DSA) and Digital Markets Act (DMA) as key pillars of the EU’s digital single market. It notes that the DSA has applied in full since February 2024, while DMA enforcement intensified in 2025 with the first fines imposed on designated gatekeepers.

Cybersecurity is another major focus. The document highlights the expanded scope of the NIS2 Directive, the Cyber Resilience Act, which entered into force in December 2024, and the Cyber Solidarity Act, aimed at strengthening EU-wide cyber detection and incident response.

The update also highlights digital identity, interoperability, platform work, media freedom, digital education and infrastructure resilience as continuing priorities within the EU’s broader digital policy agenda.

Why does it matter?

The update illustrates how the EU’s digital strategy has entered a new phase focused on implementation rather than legislation. With most of its major digital laws now in force, attention is shifting from adopting new rules to enforcing them consistently across member states and ensuring they deliver tangible results.

That shift is significant because the success of the EU’s digital agenda will increasingly be judged by its practical impact on competition, cybersecurity, AI governance, digital sovereignty and the functioning of the single market, rather than by the number of new regulatory initiatives.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

European Commission takes four countries to EU court over NIS2 delays

The European Commission has referred Ireland, Spain, France and the Netherlands to the Court of Justice of the European Union for failing to transpose the NIS2 Directive fully into national law.

The Directive strengthens the EU cybersecurity rules and sets common requirements for organisations operating in critical sectors.

Member states were required to transpose NIS2 by 17 October 2024, but the four countries have not notified the Commission of full implementation.

The referrals follow earlier infringement steps. The Commission sent letters of formal notice on 28 November 2024 and reasoned opinions on 7 May 2025.

The Commission is asking the Court to impose financial sanctions, including a lump sum and daily penalties until the countries notify complete transposition.

NIS2 applies to entities in 18 critical sectors, including health, energy, transport and public administration.

The Directive aims to improve national and EU-wide cyber resilience by strengthening risk management, incident response and security obligations for public and private entities.

The Commission said full implementation is essential for improving the EU’s overall resilience and the incident response capacity of organisations operating in critical sectors.

Why does it matter?

The referral shows that the Commission is prepared to enforce cybersecurity law against member states that fail to meet implementation deadlines. NIS2 is designed to create a more consistent baseline of cyber resilience across the EU, but delays in national transposition can leave organisations facing fragmented obligations and uneven enforcement. For critical sectors, consistent implementation is central to risk management, incident response and cross-border resilience.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

ECB urges banks to prepare for AI cyber threats

The European Central Bank has called on major euro area banks to prepare action plans to address AI-enabled cybersecurity threats.

In a letter to bank CEOs, ECB Banking Supervision said emerging AI models can identify software vulnerabilities and generate functioning exploits at unprecedented speed.

The ECB warned that AI is compressing the time between vulnerability discovery and exploitation, with potentially serious implications for the confidentiality, integrity and resilience of banks’ ICT systems.

The central bank said the change is a long-term shift in the threat landscape, not a temporary risk linked to a single tool.

Banks have been asked to submit action plans to their Joint Supervisory Teams by 31 October 2026.

The plans should set out concrete measures, resources, roles, responsibilities and implementation timelines for strengthening cyber resilience.

Short-term priorities include faster vulnerability and patch management, stronger monitoring and detection, AI-enabled defensive capabilities and updated third-party risk management.

The ECB also called for structural measures such as defence-in-depth, improved cyber hygiene, infrastructure modernisation, crisis management, recovery arrangements and information-sharing.

The letter follows a European Systemic Risk Board warning about systemic cyber risks posed by frontier AI models.

ECB Banking Supervision also said it will address cybersecurity risks linked to quantum computing in a separate letter.

Why does it matter?

The ECB letter turns AI-enabled cyber risk into a concrete supervisory issue for major euro area banks. If AI accelerates vulnerability discovery and exploit generation, banks will face shorter windows for patching, detection and response. The focus on third-party providers and supply chains is also important because financial institutions depend heavily on external ICT services. The ECB’s approach links AI cyber threats with DORA-style operational resilience, showing that advanced AI is now part of mainstream financial supervision.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!

ESRB urges EU action on frontier AI cyber risks in finance

The European Systemic Risk Board has warned that frontier AI models could strain cyber resilience in the EU financial system by increasing the speed, scale and sophistication of cyberattacks.

The warning follows the ESRB General Board’s assessment that systemic cyber risk has risen to ‘severe’, up from ‘elevated’ earlier this year.

The ESRB defines frontier AI models as advanced AI models capable of materially affecting offensive or defensive cyber operations.

According to the Board, these models may eventually strengthen cyber resilience, but in the short to medium term, they are likely to give threat actors an advantage.

The ESRB said frontier AI can help attackers discover vulnerabilities and execute cyberattacks more quickly and at greater scale.

It also warned that the concentration of leading AI providers outside the EU creates strategic dependency and geopolitical risks.

The Board called on the EU to scale up capacity, expertise and strategic autonomy in frontier AI and cybersecurity.

It said the response should involve AI providers, software providers, security firms, open-source maintainers, financial institutions and authorities at the national and the EU level.

The ESRB said it will continue monitoring the development and use of frontier AI models with cyber capabilities and their impact on the financial sector from a systemic risk perspective.

Why does it matter?

The ESRB warning puts frontier AI into the financial stability debate. If advanced AI models help attackers identify vulnerabilities and launch cyberattacks more quickly, financial institutions could face shorter response windows and greater systemic risk. The warning also links cybersecurity to the EU strategic autonomy, because dependence on non-EU AI providers could affect the resilience of Europe’s financial infrastructure during crises.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

X expands creator tools to reduce AI slop and recycled content

X has introduced new video editing and recording tools to encourage users to create original content directly on the platform.

The update includes multilingual caption overlays, customisable subtitles, trimming tools, and green-screen features that let creators to combine videos with photos from their devices or existing X posts.

X head of product Nikita Bier said the company wants to make it easier for users to create videos natively rather than relying on content first published elsewhere.

The update comes as X faces growing pressure over recycled posts, stolen videos and low-quality content that can be amplified through engagement and monetisation systems.

Bier said many high-performing accounts continue to repost videos that went viral years earlier, reducing incentives for original creators to publish directly on X.

Video now accounts for almost half of all impressions on the platform, making content quality and attribution increasingly important for X’s creator strategy.

The company has also taken steps to reduce rewards for accounts that reupload material from smaller creators to game its revenue-sharing programme.

The new tools are therefore part of a wider push to make original video creation easier while discouraging recycled and unattributed content.

Why does it matter?

X’s update shows how platform design and creator incentives are becoming part of the response to low-quality, recycled and synthetic content. Native editing tools can help users produce original material, but the harder governance problem is attribution and monetisation. As AI makes it cheaper to generate or repackage text, images and video at scale, platforms will need stronger systems to distinguish original human creativity, authorised reuse and automated content farming.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Digital investment gains momentum in South Africa

South Africa is strengthening its position as a digital investment destination, with growing commitments from global technology companies, according to the Presidency of the Republic of South Africa. The government says new investments in cloud infrastructure, AI and digital skills will support economic growth, job creation and innovation.

Recent announcements include Google’s plans for a Digital Exchange Port in the Eastern Cape, a digital innovation centre in Soweto and AI support for local start-ups. The government also highlighted previous investments by Amazon Web Services, Microsoft and Mastercard to expand cloud infrastructure and cybersecurity capabilities.

The Presidency says cloud computing and AI can improve productivity, support small businesses and enhance public services, while helping address challenges in education, healthcare and climate change. It also believes stronger digital infrastructure will reinforce South Africa’s role as Africa’s largest cloud market.

The government says digital expansion must be matched by safeguards that protect privacy, sovereignty and security. It adds that investment in domestic cloud infrastructure and collaboration between government, business and civil society will help build a secure and inclusive digital future.

Why does it matter?

The statement highlights the growing importance of digital infrastructure as a driver of economic development. The Presidency argues that cloud computing, AI and digital skills can improve business competitiveness, public services and employment while attracting further private investment.

It also reflects a broader focus on digital sovereignty. Alongside expanding AI and cloud adoption, the government emphasises the need to protect data, strengthen cybersecurity and develop domestic digital capabilities to reduce long-term dependence on external providers.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Global Dialogue highlights need for interoperable AI governance

Building safe, secure and trustworthy AI requires countries to align their governance frameworks rather than adopt a single global regulatory model, participants heard on the second day of the UN Global Dialogue on AI Governance. Speakers from governments, international organisations, industry and civil society argued that interoperability, backed by common standards, scientific evidence and inclusive participation, is essential to address AI risks that increasingly cross national borders.

The discussion also highlighted a growing imbalance in global AI development, with participants warning that governance should not be shaped solely by the countries and companies leading frontier AI. Instead, they called for developing countries to become co-creators of international AI governance through stronger capacity development, shared standards and multilateral cooperation.

AI concentration risks becoming governance concentration

Opening the session, co-chair Paula Bogantes Zamora, Costa Rica’s Minister of Science, Innovation, Technology and Telecommunications, argued that the world has reached a point where agreeing on AI principles is no longer enough.

‘The world does not need more AI principles, it needs a common way to prove they’re being implemented.’

Bogantes Zamora warned that AI development remains heavily concentrated. She noted that institutions in the United States produced 59 notable AI models in 2025 and China another 35, while the rest of the world produced just 13. She argued that this concentration of infrastructure also creates a concentration of evidence, allowing a small number of actors to determine which risks are measured, which benchmarks are accepted and how AI safety is evaluated.

She also pointed to findings showing that 118 countries, primarily in the Global South, remain largely absent from major international AI governance discussions.

Rather than pursuing regulatory uniformity, Bogantes Zamora proposed what she called ‘minimal viable interoperability’ by 2027, including shared terminology, comparable risk classifications, interoperable incident reporting and multilingual evaluation methods that allow different governance systems to function together.

Interoperability should connect governance systems, not replace them

Co-chair Rebecca Finlay, CEO of the Partnership on AI, argued that governance efforts must be grounded in stronger scientific evidence and greater transparency.

She outlined three priorities: strengthening independent scientific research, improving public access to evidence through greater disclosure by AI developers, and creating shared baselines for measuring progress in the public interest.

‘The panel provides the evidence and the dialogue provides the direction,’ Finlay said, describing the UN scientific panel and the Global Dialogue as complementary processes.

UN Under-Secretary-General and Special Envoy for Digital and Emerging Technologies Amandeep Singh Gill echoed that message, warning that fragmented AI governance creates regulatory arbitrage, accountability gaps and unnecessary compliance burdens, particularly for smaller companies and developing countries.

Rather than harmonising all AI rules into a single global framework, Singh Gill argued that countries should focus on building practical bridges between different governance approaches.

He also highlighted the emergence of increasingly autonomous agentic AI systems as a new governance challenge requiring adaptive oversight mechanisms, including cross-border regulatory sandboxes and continuously updated risk assessment frameworks.

Existing frameworks provide building blocks

During the first panel, speakers pointed to several initiatives that could serve as foundations for greater interoperability.

Yoichi Iida, adviser at Japan’s Ministry of Economy, Trade and Industry, highlighted the OECD AI Principles and the Hiroshima AI Process as examples of frameworks already helping countries align governance approaches despite different legal systems.

Syed Ahmed of Infosys said that translating broad principles into practical implementation remains technically challenging.

Using transparency as an example, he explained that the concept carries different technical requirements across governance frameworks, requiring detailed mapping of individual controls rather than simply aligning high-level principles.

Nouf Al Hameli of the UAE Ministry of Foreign Affairs similarly argued that countries define concepts such as ‘high-risk AI’ in different ways, making common incident reporting and mutual recognition of governance practices increasingly important.

Leonardo Cervera Navas, Secretary-General of the European Data Protection Supervisor, compared AI governance to aviation safety, arguing that while countries operate different legal systems, they nevertheless follow common international safety rules.

‘The higher the risk, the higher the care and supervision required,’ he said, referring to the EU AI Act’s risk-based approach.

Inclusive evaluation and trustworthy evidence remain critical

Several speakers argued that trustworthy AI depends not only on technical standards but also on ensuring that governance reflects linguistic, cultural and demographic diversity.

Dr Joy Buolamwini, founder of the Algorithmic Justice League, warned that widely used AI benchmarks often fail to represent the global majority, noting that some have historically included less than 5% of the world’s population.

She called for harm reporting systems that record not only technical failures but also who was affected, creating stronger foundations for accountability and redress.

Celeste Saulo, Secretary-General of the World Meteorological Organization, drew lessons from more than 150 years of international weather cooperation, arguing that trust cannot simply be declared.

‘Trust must be built through verification,’ she said, pointing to the organisation’s longstanding use of shared standards and independent validation across 193 countries.

Qinghua Lu of Australia’s CSIRO proposed greater collaboration through shared evaluation methods, common risk management principles and international testing exercises that include multiple languages and national contexts.

Global South calls for a stronger role in shaping AI governance

Interventions from member states and stakeholders repeatedly stressed that interoperability should not become another mechanism for exporting governance models developed elsewhere.

Pakistan argued that AI safety standards are currently shaped by a small group of countries and companies, calling instead for genuinely multilateral governance under the UN.

Brazil similarly stressed that interoperability must not undermine digital sovereignty, while South Africa argued that governance frameworks should reflect the realities of developing countries and support technology transfer and capacity development.

Other speakers highlighted practical priorities, including multilingual benchmarks, common standards for documenting AI training data, cross-border incident reporting systems and greater participation from local governments, academia and civil society.

Concluding the discussion, both co-chairs argued that trustworthy AI depends not on identical regulations but on governance systems that can communicate, exchange evidence and recognise one another’s safeguards.

They identified shared technical standards, independent evaluation, multilingual benchmarks, human rights protections and continuous multistakeholder cooperation as the foundations for AI governance capable of working across borders, while warning that progress will depend on maintaining momentum between international meetings rather than restarting discussions each year.

Track all key moments from the Global Dialogue on AI Governance inaugural meeting on our dedicated page.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

European Commission launches AI cyber defence strategy

The European Commission has presented an Action Plan on Cybersecurity and Artificial Intelligence to strengthen Europe’s response to AI-related cyber risks.

The plan aims to help member states, businesses and public authorities use AI safely while addressing the cybersecurity risks created by advanced AI models.

The Commission said AI can help detect vulnerabilities, prevent cyberattacks and protect critical infrastructure. However, it warned that malicious actors can also use AI to automate attacks, identify weaknesses and carry out cyber operations at greater speed and scale.

The Action Plan focuses on three objectives: promoting the safe and responsible use of advanced AI, reinforcing EU cybersecurity and resilience, and scaling up Europe’s AI capabilities for cybersecurity.

The Commission said it will strengthen Europe’s capacity to evaluate AI models before they are placed on the EU market, in line with the AI Act.

It will also work with ENISA to develop a European Blueprint for secure access to advanced AI systems for cybersecurity purposes.

A secure testing platform will support organisations in critical sectors, including energy, transport, health, finance and public administration, in testing and deploying AI solutions safely.

The plan also encourages the use of AI, including open-source models where appropriate, to detect vulnerabilities faster and improve prevention and response to cyberattacks.

The Commission said it will launch an EU Grand Challenge on AI for cybersecurity to support the development of new AI-powered security solutions.

Why does it matter?

AI is becoming central to both cyber defence and cybercrime. The EU Action Plan recognises that advanced models can help defenders detect vulnerabilities and respond faster, but can also help attackers automate operations and scale incidents. By linking AI model evaluation, critical-sector testing, ENISA cooperation, existing cybersecurity laws and investment in sovereign AI capabilities, the Commission is trying to turn AI cybersecurity into a coordinated EU policy area rather than leaving it to fragmented national or private-sector responses.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!