The European Commission dropped its Action Plan on Cybersecurity and Artificial Intelligence on July 7, a strategic framework designed to help member states and companies deal with AI-powered cyber threats. There’s just one problem: the plan is heavy on recommendations and light on mandates, arriving at a moment when Europe’s dependence on US-built AI systems has never been more visible.
At the center of that dependency sits Anthropic’s Mythos model, which the EU secured negotiated access to after months of back-and-forth. Mythos has earned a reputation for strong vulnerability detection capabilities, but it’s also attracted US export restrictions and cybersecurity red flags in the AI community.
A plan with no teeth
The action plan was unveiled during European Parliament discussions, positioning it as a companion piece to the EU AI Act. That legislation became enforceable on August 1, 2024, and entered its full applicability phase on August 2, 2026, just days before the cybersecurity plan’s announcement.
The cybersecurity action plan contains no binding enforcement timelines. No disclosed funding figures. No hard mandates that member states must follow.








