EU action plan: advanced AI cybersecurity
European Commission unveils an action plan to evaluate advanced AI for cybersecurity; HR must prepare secure procurement, testing and training.

On 7 July the European Commission published an action plan aimed at addressing the risks and opportunities that advanced AI systems pose for cybersecurity across the EU. The plan sets out steps to evaluate advanced models, develop EU capacity for independent model evaluation and testing, and strengthen cooperative measures between EU actors to detect and mitigate AI-related cyber threats.
What happened
The Commission's 7 July communication outlines a coordinated EU approach to ensure advanced AI does not become a vector for significant cyber risk. Key elements highlighted include model evaluation and testing, building EU evaluation capacity, and closer cooperation among EU institutions and Member States to identify vulnerabilities and share mitigation techniques. The package frames these activities as both risk-management and resilience-building measures to protect critical infrastructure, public services and private-sector systems that increasingly incorporate advanced AI.
Why this matters for HR leaders
Although the plan is framed as a cybersecurity initiative, its measures will intersect directly with employer responsibilities for secure AI deployment. HR and people leaders should note three immediate implications:
- Procurement and vendor management: Employers that procure advanced AI — from large language models to custom tools — will face increasing pressure to demand stronger security guarantees, evidence of independent evaluation, and contractual commitments around vulnerability disclosure and patching. The Commission's emphasis on independent evaluation capacity means suppliers may be asked to submit models or artifacts to testing regimes or to comply with new EU evaluation practices.
- Operational security and incident readiness: The action plan's focus on detecting and mitigating AI-enabled threats implies more rigorous internal processes for monitoring AI outputs, managing access to models, and integrating AI risk scenarios into incident response playbooks. HR teams will need to collaborate with IT, security and legal to update roles, responsibilities and training for employees who design, operate or supervise AI systems.
- Training, skills and oversight: Building resilience against AI-driven cyber incidents requires staff with a mix of security, AI and governance skills. HR should plan for targeted reskilling and recruitment — cyber-savvy AI specialists, red-teamers who can test model behaviour, and compliance officers who can manage vendor evaluation workflows.
The Commission frames its measures as EU-level capacity-building rather than immediate employer mandates. Still, practical consequences will reach employers through procurement expectations, recommended best practices, and evolving norms around model testing and disclosure.
What to watch next
- EU evaluation capacity and guidance: The Commission says it will build EU capacity to evaluate advanced models. HR and procurement teams should track what form that capacity takes — publicly available testing frameworks, accredited labs, or certification schemes — because these will feed into vendor selection and contractual requirements.
- Standards and evidence employers will be asked to collect: Watch for guidance or voluntary standards describing what evidence of security testing is acceptable (e.g., red-team reports, adversarial robustness tests, third-party evaluations). That evidence will become part of due diligence for AI deployments.
- Supplier contracts and SLAs: As evaluation regimes develop, organizations should be ready to renegotiate supplier contracts to include obligations around independent testing, vulnerability disclosure timelines, and breach notification specific to AI-related incidents.
- Internal roles and governance: Expect growing pressure to formalize who within an organisation signs off on AI deployments. HR should prepare role descriptions and training paths for staff who will operate at the intersection of AI, security and compliance.
- Cross-functional coordination: The plan underscores cooperation among EU actors; similarly, employers must coordinate HR, security, legal and procurement to implement changes efficiently. Begin mapping stakeholders, decision authorities and escalation channels now.
For HR leaders, the Commission's July action plan is a signal to move from pilot-stage curiosity to disciplined operational practices around AI security. It does not prescribe employer law in itself, but it is likely to shape the technical expectations, procurement standards and risk assessments that organisations must meet to deploy advanced AI safely in the workplace.