The European Commission’s Action Plan on Cybersecurity and Artificial Intelligence, published July 7, 2026, does something the EU AI Act alone doesn’t: it builds the testing infrastructure to back up the law.
The plan establishes a dedicated EU evaluation capacity to conduct third-party assessments of advanced AI models before they can be placed on the EU market. This isn’t a future aspiration, the Commission aims to have it operational by 2027, working in direct support of the EU AI Office’s enforcement function. The plan also directs the Commission to work with the European Union Agency for Cybersecurity (ENISA) to develop a “European Blueprint” establishing secure access conditions for frontier AI systems, and to create a secure testing platform for organizations in critical sectors including energy, transport, health, finance, and public administration.
Why it matters
The EU AI Act created obligations. This Action Plan creates the capacity to enforce them at the frontier. Without an independent evaluation body, even well-drafted rules about advanced AI models depend on vendors’ own documentation and self-assessment. The 2027 evaluation capacity changes that calculus for any provider seeking EU market access, third-party assessment becomes the path to market, not an optional audit.
The real question is what “advanced AI model” means in practice. That threshold will determine which providers must submit to pre-market evaluation and which can proceed under lighter-touch compliance regimes. Companies with EU exposure should monitor how the EU AI Office defines this scope ahead of the 2027 launch.
Who This Affects
Context
The Action Plan builds on the EU AI Act’s existing framework for general-purpose AI models and frontier systems. It doesn’t create new law, it operationalizes what the Act requires. The EU AI Office, established under the Act, already holds enforcement authority over general-purpose AI providers. What it has lacked is independent technical capacity to evaluate the most capable models. This plan fills that gap.
Euractiv reports the plan also includes a “European Blueprint,” developed with ENISA, to establish secure access conditions for advanced models, a measure Euractiv reports was prompted in part by access concerns around Anthropic’s Mythos model. These claims are based on Euractiv’s reporting and have not been independently confirmed from the Commission’s published document.
What to watch
Don’t expect the 2027 target to arrive quietly. The EU evaluation capacity will need to define its technical methodology, staffing, and legal basis for compelling model access before it can function. Watch for EU AI Office guidance on which model categories trigger pre-market evaluation requirements, that guidance, not the Action Plan itself, will set compliance timelines for providers.
Euractiv also reports that EU contingency measures could include direct purchase of frontier model access by EU institutions or member states, though this remains unconfirmed from primary sources. If accurate, it signals that Brussels is treating AI sovereignty as a structural policy problem, not just a procurement question.
What to Watch
TJS synthesis
Two things are happening simultaneously in Brussels. The first is architectural: the EU is building the independent technical infrastructure needed to make frontier AI regulation credible. The second, if Euractiv’s reporting holds, is strategic: the contingency purchase provision isn’t about procurement efficiency, it’s about leverage. A regulator that can buy its own access to a model it might otherwise be locked out of is a regulator that can’t be held hostage by a vendor’s access policy. Whether that provision survives in final implementation, the signal it sends to frontier AI providers about EU market access dependency is already meaningful.
Sources: European Commission.
Sources: Whitehouse, European Commission.