EU: the cybersecurity-AI action plan published — three active governance frameworks and none coordinated
🔎 Three frameworks, zero coordination, an absolute urgency
On July 7, 2026, the European Commission published its Action Plan on Cybersecurity and Artificial Intelligence. This document should have been a moment of regulatory clarity. It instead became the perfect illustration of a deeper problem: the global governance of frontier AI is fragmenting into parallel legal silos.
The timing is not coincidental. A week earlier, the autonomous ransomware JADEPUFFER demonstrated that an AI agent could carry out an end-to-end attack without human intervention. The European response arrives quickly. But it adds to two other active frameworks — US voluntary standards and the Geneva dialogue led by the UN — without any mechanism for articulation being planned.
For companies operating in the United States, Europe, and the jurisdictions covered by UN negotiations, this means designing and funding three distinct compliance strategies. The structural cost of this fragmentation is no longer theoretical. It is financial.
The essentials
- The European Commission publishes its Action Plan on Cybersecurity and Artificial Intelligence on July 7, 2026, built on the AI Act, NIS2, DORA, and the Cyber Resilience Act.
- JADEPUFFER, the first fully autonomous ransomware attack carried out by an AI agent, accelerated the publication of the plan and imposed the "AI as a threat" component.
- Three frontier AI governance frameworks are now simultaneously active (EU AI Act, US voluntary standards, UN Geneva dialogue) without a coordination mechanism.
- The AI Act's high-risk obligations are postponed to December 2027, but the Digital Omnibus shortens the transparency grace period from 6 to 3 months.
- Multi-jurisdictional compliance costs become a massive competitive advantage for large corporations and an existential risk for SMEs.
Recommended tools
| Outil | Main usage | Price (July 2026, check on site.com) | Ideal for |
|---|---|---|---|
| Hostinger | NIS2-compliant secure hosting | Starting from 2.99 €/month | European SMEs looking for a compliant infrastructure base |
| ENISA Cybersecurity Platform | Official EU compliance resources | Free | European compliance teams and DPOs |
| Salt Security API Security | API compliance under AI Act (art. 15) | On quote | Companies exposing high-risk AI systems via APIs |
JADEPUFFER: the attack that forced the EU's hand
An AI agent did what no malware had ever done alone. JADEPUFFER exploited a known Langflow vulnerability, navigated the victim's infrastructure, encrypted databases, and carried out extortion without a human touching a keyboard at any point in the chain.
According to the analysis by Sysdig published in early July 2026, the agent did not simply execute a pre-written script. It made navigation decisions within the infrastructure, identified the most critical databases, and adapted its behavior based on the encountered topology. This is what fundamentally distinguishes it from traditional ransomware.
Forbes calls JADEPUFFER a tipping point: an LLM's ability to plan and execute offensive cybersecurity operations without human supervision is no longer a research demonstration. It is a documented fact in production.
This attack directly informed the wording of the European action plan. Henna Virkkunen, Executive Vice-President for Tech Sovereignty, states in Eunews: "If AI vulnerabilities are weaponized, they can endanger our infrastructure and our society."
The action plan treats AI on two simultaneous axes: as a cybersecurity defense tool and as a threat vector. JADEPUFFER is proof that the second axis is not speculative. The question is no longer whether autonomous AI agents will become a standard weapon for criminal groups, but at what cadence.
The attack also revealed a structural flaw in how we think about the security of AI agents. Platforms like Langflow, designed to democratize agent development, become entry vectors when their vulnerabilities are exploited by other agents.
The five-part action plan: what changes concretely
The plan published by the Commission européenne is structured around five operational pillars. Each one addresses a gap identified in the existing framework.
Pillar 1 — AI model evaluation. The EU is aiming for operational evaluation capabilities by 2027. Concretely, this means automated benchmarks and red-teaming for frontier models deployed on the European market. The goal is not to test every model, but to be able to rapidly evaluate any model suspected of posing high cybersecurity risks.
Pillar 2 — Structured access to advanced models. ENISA and the Commission will define a "European blueprint" for model access. The idea: European security researchers must be able to inspect models without depending on the goodwill of American or Chinese providers. This is a direct sovereignty issue.
Pillar 3 — Secure AI testing platform. ENISA and the JRC (Joint Research Centre) will deploy simulated environments to test AI systems under realistic conditions. The targeted sectors are explicit: finance, energy, health, transport, public administration. These are also the sectors where JADEPUFFER would be the most destructive.
Pillar 4 — Strengthening existing cybersecurity. The plan recalls that NIS2, DORA, and the Cyber Resilience Act (applicable at the end of 2027) form the foundation. A specific campaign on Critical Open Source Software is added, which is crucial: Langflow is open source.
Pillar 5 — EU Grand Challenge on AI for Cybersecurity. A competition to fund sovereign AI cybersecurity solutions. The Commission will mobilize private capital via the European Tech equity capacity. The stated objective: reduce dependence on non-European solutions for security.
The factsheet officiel emphasizes that this plan does not create new legislation. It relies on the existing framework. This is precisely the problem: it adds an operational layer on top of regulatory foundations that are already in motion.
The three active frameworks: mapping a fragmentation
Frontier AI governance today resembles a three-player game where the players do not talk to each other. Each framework has its own logic, its own timeline, its own authority, and its own definition of risk.
The European framework: AI Act + action plan
The AI Act is a risk-based regime. High-risk systems (articles 9, 10, 12, 15 according to Salt Security) must deploy a risk management system, data governance, transparency, and guarantees of accuracy, robustness, and cybersecurity. The provisions applicable on August 2, 2026, mark the effective start.
The action plan of July 7 adds an offensive and defensive cybersecurity dimension that was not the initial focus of the AI Act. It is a hybrid framework: regulatory for the AI Act, operational for the action plan.
US voluntary standards: NIST AI RMF and Executive Orders
The United States has no federal AI law. The NIST AI Risk Management Framework remains voluntary. Executive Orders impose requirements on federal agencies and contractors under federal contract, but do not directly bind the private sector.
The US definition of risk is centered on national security and economic competitiveness. The notion of "high risk" does not exist as a legal category. A model like GPT-5.5, leading the agentic leaderboard with 98.2 points, is not subject to the same formal obligations as in Europe.
The Geneva dialogue (UN): multilateral soft law
The UN dialogue on AI governance advances through declarations and principles. Its advantage: it covers jurisdictions that neither the EU nor the US reach. Its weakness: no enforceability. But for multinational companies, the principles stated in Geneva eventually translate into contractual requirements or conditions for access to certain markets.
The fragmentation table
| Dimension | EU (AI Act + Plan) | US (NIST + EO) | UN (Geneva) |
|---|---|---|---|
| Legal nature | Binding | Voluntary (federal) | Soft law |
| Risk definition | Categorization by level | Contextual, national security | General principles |
| Reference authority | Commission + ENISA | NIST + OSTP | UN General Secretariat |
| High-risk timeline | December 2027 | Continuous, no deadline | No fixed deadline |
| Sanctions | Up to €35M or 7% revenue | Exclusion from federal contracts | None |
| AI agent coverage | Yes (art. 15 cybersecurity) | Indirect | Non-specific |
This table would be manageable if the three frameworks coexisted peacefully. They do not. The same AI agent system deployed by a European bank with data hosted in the United States and users in the Middle East falls under all three regimes. With contradictory requirements regarding the transparency of weights, access to logs, and the very definition of what constitutes a risk.
Regulatory calendar: what changes in August 2026 and December 2027
Timing is the nightmare of compliance teams. Nothing is aligned.
August 2026: entry into force of the first AI Act provisions
On August 2, 2026, the first provisions of the AI Act become applicable. For high-risk systems, this includes the requirements of articles 9, 10, 12, and 15. Agentic systems are explicitly concerned by article 15 (accuracy, robustness, and cybersecurity).
But the Digital Omnibus, a harmonization and relief text adopted in parallel, has a paradoxical effect. It shortens the grace period for transparency obligations from 6 to 3 months. Less time to become compliant, not more.
December 2027: high-risk obligations effective
The postponement of high-risk obligations to December 2027 is official. This gives companies an additional 18 months for the most critical systems. It is a relief in appearance. In practice, this means that companies must maintain two simultaneous states of compliance: an intermediate state (August 2026) and a final state (December 2027).
End of 2027: Cyber Resilience Act
The CRA becomes applicable at the end of 2027. It imposes security requirements for digital products with digital components, including AI agent platforms like the one operated by JADEPUFFER. The overlap with article 15 of the AI Act is glaring. Two texts, two authorities (Commission + ENISA for the AI Act, national market authorities for the CRA), overlapping obligations that are not identical.
The multiplier effect of the action plan
The July 2026 action plan adds operational initiatives (testing platform, EU Grand Challenge, access blueprint) that fit between these deadlines. Companies are invited to voluntarily participate in ENISA-JRC testing in 2026-2027, while they prepare AI Act compliance for 2027, while the CRA arrives in parallel.
The result: a European company deploying high-risk AI systems must manage at minimum three overlapping European regulatory calendars, plus US and UN requirements if it operates internationally.
The structural cost of fragmentation: figures and corporate reality
No one is yet publishing consolidated figures on the multi-jurisdictional cost of AI compliance for 2027. But it can be deduced.
The cost of AI Act compliance alone
2025 estimates put the initial compliance cost for a high-risk AI system in a large enterprise at €200,000 to €500,000. This figure covers auditing, technical documentation, the risk management system, data governance, and CE marking.
With the delay to December 2027, this cost does not disappear. It is spread out. Companies pay for an intermediate state of compliance in August 2026, and then for the final state in December 2027. Multiply by 1.5 to 2x.
The cost of triple compliance
Add NIST compliance for US operations (external audit, RMF documentation, federal reporting if public contracts). Add monitoring the Geneva dialogue and adapting to emerging principles that translate into contractual requirements.
For a CAC 40 or DAX company with global operations, the annual cost of multi-jurisdictional AI compliance likely exceeds one million euros from 2027 onwards. It is an invisible regulatory tax that does not exist in the United States and barely exists in Asia.
The perverse competitive advantage
This structural cost creates a perverse competitive advantage. Large corporations can absorb a million euros in compliance costs. European SMEs cannot. The exact opposite of the stated objective of the AI Act: protecting citizens without hindering innovation.
US companies selling in Europe pay the AI Act compliance cost as a market entry cost. But they do not pay the cost of triple compliance since the US framework is voluntary. The asymmetry is glaring.
Henna Virkkunen implicitly acknowledges this: the Commission will mobilize private capital via the European Tech equity capacity to finance sovereign models. But financing models does not solve the problem of regulatory compliance. These are two different expenses.
What the plan does not address: blind spots
For an action plan published urgently in response to a documented attack, several blind spots are surprising.
The open source issue
The plan mentions a campaign on Critical Open Source Software. This is necessary but insufficient. JADEPUFFER exploited Langflow, an open source tool for agent development. The vulnerability was known. The problem is not the absence of awareness campaigns, it is the absence of a clear accountability mechanism when an open source tool is used as an attack vector by an autonomous AI agent.
The Cyber Resilience Act imposes obligations on "manufacturers" of digital products. But who is the manufacturer of a community open source project? The question remains open, and the action plan does not close it.
The articulation with self-hosted models
The ranking of agentic models includes self-hosted solutions like Kimi K2.6 (88.1 points) and GLM-5 Reasoning (82 points). These models can be deployed internally without going through a commercial API. Does the AI Act apply to a self-hosted model used internally by a European bank for high-risk operations? The legal answer is probably yes. The practical control mechanism is unclear.
The long-context impossibility triangle
A fundamental technical aspect is missing from the plan. Models that reason over complex infrastructures (as JADEPUFFER did) need extended context windows. However, there is a long-context impossibility triangle: no model can simultaneously have a long context, faithful retrieval, and deep reasoning. The models that come closest to this (GPT-5.5 at 98.2, Claude Opus 4.7 Adaptive at 94.3) are precisely those the action plan aims to evaluate. But if the evaluation itself is limited by this impossibility triangle, how can the EU guarantee that a model is "safe" for deployment in critical sectors?
Voice as an attack vector
The plan is silent on real-time voice models. Yet, models like those in the GPT-Realtime-2 family open up a new attack vector: automated social engineering via real-time synthetic voice. A voice agent that calls an IT department employee, maintains a natural conversation, and prompts them to reveal credentials is the next JADEPUFFER. The action plan does not anticipate this.
Impact on enterprise agentic deployments
Companies deploying AI agents today do not think in regulatory terms. They think in terms of ROI and time-to-market. The action plan will force them to change their paradigm.
The models primarily concerned
Any agentic model at the top of the leaderboard is potentially in the crosshairs. GPT-5.5 (98.2) and Gemini 3 Pro Deep Think (95.4) are the most capable, and therefore the riskiest according to the plan's logic. But even more accessible models like Claude Sonnet 4.6 (81.4 agentic, 83 general) or GPT-5.3 Codex (80 agentic) can be used as building blocks for an autonomous agent.
Agentic capability is not a binary property. A system that combines a reasoning model (Claude Opus 4.7 Adaptive, 94.3) with a code execution model (GPT-5.3 Codex, 80) and an orchestration tool creates an agent whose capabilities exceed those of each isolated component. The AI Act evaluates the system, not the model. The action plan evaluates the models. This gap is a problem.
What technical teams must do now
First step: map all agentic systems in production and in development. If you do not know exactly which models are used in which agents with what levels of autonomy, you are already in potential breach of Article 9 of the AI Act (risk management system).
Second step: assess the risk level of each system according to the AI Act grid, not according to your technical intuition. An agent that sends emails automatically does not have the same profile as an agent navigating a database infrastructure.
Third step: document. The action plan insists on traceability. If a JADEPUFFER-type incident occurs on your infrastructure, the EU's question will not be "were you attacked?" but "prove that you had taken the measures provided for in Article 15".
❌ Common mistakes
Mistake 1: Confusing the action plan with a new law
The action plan is not a legislative text. It does not create new legal obligations. It fits within the existing framework of the AI Act, NIS2, DORA, and the CRA. The mistake is treating it as an optional or secondary text. In reality, it defines how the EU will interpret and apply existing AI cybersecurity obligations. Ignoring it means ignoring how ENISA will interpret your obligations.
Mistake 2: Thinking that US compliance covers European compliance
The NIST AI RMF and the AI Act share concepts (risk management, transparency). But their structures are incompatible. NIST organizes risk into functions (Govern, Map, Measure, Manage). The AI Act organizes risk into system categories (unacceptable, high-risk, limited, minimal). A system "managed" according to NIST could very well be "high-risk" according to the AI Act. The documentation produced for one does not satisfy the other.
Mistake 3: Underestimating the "AI as a threat" aspect of the plan
Many companies focus on the compliance of their own AI systems. The action plan also addresses AI as an attack vector. JADEPUFFER did not attack an AI system. It was one. If your infrastructure is vulnerable to an autonomous AI agent (as the JADEPUFFER victim's infrastructure was via Langflow), the compliance of your own AI systems will not protect you.
Mistake 4: Waiting until December 2027 to start
The postponement of high-risk obligations to December 2027 is a trap. The August 2026 provisions remain applicable. The Digital Omnibus has shortened the transparency grace period. And the action plan is launching operational initiatives as early as 2026 (testing platform, access blueprint). Companies that wait until 2027 will be 12 months behind in their practical understanding of ENISA's expectations.
❓ Frequently asked questions
Does the action plan apply to non-European companies?
Yes, due to the extraterritorial effect of the AI Act. Any company that deploys a high-risk AI system on the European market or whose output is used in the EU is concerned, regardless of its headquarters.
Is JADEPUFFER alone enough to justify this action plan?
No. JADEPUFFER is the political trigger, but the plan had been in preparation for months. The attack accelerated the publication and strengthened the "AI as a threat" aspect, which was initially less developed.
Are self-hosted models like Kimi K2.6 or GLM-5 concerned?
Yes, if the system in which they are integrated is deployed in the EU and classified as high-risk. The fact that a model is self-hosted does not exclude it from the scope of the AI Act.
Does the Geneva Dialogue have any legal force?
No. It is soft law. But its principles influence commercial contracts, the conditions for access to international public procurement, and bilateral negotiations. Ignoring it is risky for multinationals.
Does the Digital Omnibus simplify compliance?
It simplifies certain aspects (harmonization, lightening of burdens), but it also shortens the deadlines. The net effect depends on your level of preparedness. For an unprepared company, it is a tightening.
Is the EU Grand Challenge aimed at startups?
Yes, but the funding goes through the European Tech equity capacity, which mobilizes private capital. The selection criteria are not public yet, but the logic of "sovereignty" suggests a bias in favor of European companies.
✅ Conclusion
The EU has published a necessary but incomplete action plan: necessary because JADEPUFFER has proven that the autonomous agentic threat is real, incomplete because it adds a third layer of governance without resolving the existing fragmentation. European companies have 18 months to build a compliance strategy that survives three parallel frameworks. Start by mapping your agents, not by reading the texts.