Skip to main content
Cybersecurity

Europe Bolsters Defenses Against AI-Powered Cyberattacks

European Commission Vice President speaks at a podium in a formal Parliament setting.

"We have not waited for these models to appear to anticipate future cybersecurity capabilities," Commission Vice President Henna Virkkunen told the European Parliament on Tuesday.

Henna Virkkunen's parliamentary commitments

In a session convened two weeks after dozens of lawmakers demanded urgent action on hacking-capable AI models, Virkkunen defended the European Commission's posture and set out a short list of concrete moves. She said the commission will investigate activating the EU Cybersecurity Reserve — a pool of cybersecurity service providers that can be deployed during a crisis — and promised to "present a list of actions in the coming weeks, bringing together the best EU expertise in AI and cybersecurity" to "ramp up our preparedness in the face of emerging AI threats." She also urged rapid adoption by public and private European organizations of "already-available advanced cyber tools" to harden defenses.

EU Cybersecurity Reserve, ENISA, and the Cybersecurity Act revisions

Virkkunen argued the commission already has tools to handle the new threat picture and called on Parliament to approve the commission's existing proposal for revisions to the Cybersecurity Act. She said those revisions would "equip ENISA and the commission with the resources, powers and clarity of mandate that this new threat picture is requiring." Separately, she urged member states to accelerate transposition of the Network and Information Security 2 Directive (NIS2) into national law, which places cybersecurity obligations on critical infrastructure providers.

Tech Sovereignty Package and pressure on open‑source infrastructure

The commission's top tech official said the upcoming Tech Sovereignty Package — expected later this month — will include language aimed at "ensuring the maintenance, security and integrity of our open-source digital infrastructures, that are coming under increased cybersecurity pressure resulting from the weaponization of AI." Marilena Raouna, a Cypriot deputy minister speaking on behalf of EU member states while Cyprus holds the Council presidency, reinforced the sovereignty framing. She warned that "today Europe remains highly dependent on external actors for critical cloud infrastructure, semiconductor supply chains, advanced computing resources, or cybersecurity tools" and said the Tech Sovereignty Package "will be an integral part of our overall strategic autonomy."

Access to hacking-capable models: Mythos, GPT-5.5-Cyber, and Mistral

Lawmakers had demanded urgent access to Anthropic's Mythos model, described in the parliamentary debate as a hacking-capable AI, but Virkkunen did not provide an update on why Anthropic refuses to allow European access. She acknowledged that providers of such advanced AI models are "essential to safeguarding our critical infrastructure" in the current geopolitical context, without offering a change in the access picture. By contrast, OpenAI "stepped in" last week to let some European authorities — including the commission — and companies gain access to its new GPT-5.5-Cyber model, which the commission said is roughly in the same class of capability as Mythos. France's Mistral has reportedly developed a hacking-capable model it may give to big European banks, and the report noted a "distinct panic in the European financial sector ... regarding the danger that is likely looming."

What this means for European banks, the Commission, and AI model providers

  • European banks: The parliamentary record cites acute alarm in the financial sector; Mistral's reported willingness to supply a hacking-capable model to "big European banks" signals private-sector moves to shore up defenses even as demand for vetted, controlled access grows.
  • The Commission and member states: The commission has signaled immediate preparatory steps — investigating the EU Cybersecurity Reserve and promising a public set of actions in the coming weeks — while pressing for institutional upgrades (Cybersecurity Act revisions, NIS2 transposition) and a Tech Sovereignty Package later this month.
  • AI model providers: Providers are framed as both essential partners and gatekeepers. Anthropic's refusal to allow access was noted without resolution; OpenAI's decision to grant some European access to GPT-5.5-Cyber was highlighted as a partial response to European needs.

Some members of the European Parliament pushed for still-firmer measures — mandatory red-teaming, a certification scheme for AI cyber tools, and activation of the EU's integrated political crisis response mechanism — but commission representatives did not respond to those specific suggestions during the session.

The immediate, verifiable next steps named on the record are procedural and institution-focused: the commission will investigate the EU Cybersecurity Reserve and will "present a list of actions in the coming weeks," and the Tech Sovereignty Package is expected later this month. Whether those measures will alter access dynamics to frontier AI models such as Mythos, or calm the financial sector's alarm, remains the operational question European policymakers and security teams now face.

Original story at GovInfoSecurity