The rapid rise of advanced AI systems sparks fears in Brussels that Europe’s cybersecurity rules may not be keeping pace. The concerns are growing over powerful new models developed by US companies, including Anthropic’s Claude Mythos and OpenAI’s GPT-5.5-Cyber. So far, the European Commission is counting on its current legislation but plans additional measures soon.
The Mythos system reportedly identified critical flaws in software that had been through extensive testing, raising questions about whether EU rules are ready for AI models with highly sophisticated offensive cyber capabilities. Concerns about these risks resurfaced during a European Parliament debate on EU cybersecurity preparedness in view of advanced AI systems. While OpenAI has offered EU institutions and partners access to GPT-5.5-Cyber, Anthropic has not.
Cypriot Deputy Minister for European Affairs Marilena Raouna warned MEPs that while advanced AI systems can help Europe strengthen its cyber defences, in the wrong hands “they can also endanger our systems”. “The European Union needs to be prepared and anticipate such threats,” she added. To address the issue, the Council is planning a dedicated discussion on 1 June.
Raouna also pointed to the AI Act as one of the EU’s main tools. “With the AI Act, we already have a solid legislative framework. From August this year, we will be able to enforce transparency, documentation, and risk mitigation requirements.”
You might be interested
But the deputy minister warned that regulation alone will not be enough. “We must also strengthen our technological autonomy. Today, Europe remains highly dependent on external actors for critical cloud infrastructure, semiconductor supply chains, advanced computing resources, or cybersecurity tools.”
Is the EU ready?
Commission Executive Vice-President Henna Virkkunen said further actions will be presented in the coming weeks, bringing together EU expertise in AI and cybersecurity. Still, to her, Brussels’ priority must be to apply the one it already has faster. She pointed to the AI Act, NIS2, and the Cyber Resilience Act for responding to cyber risks.
But she also acknowledged that the technology is moving quickly. “In recent weeks, we have had the launch of such models for cybersecurity by two of the most advanced AI players from the US. We will see more and more of that kind of model entering the markets,” Virkkunen told MEPs.
That, she argued, makes implementation urgent. “The emergence of frontier AI models makes the swift transposition and implementation of this legal framework a key priority.” The Commissioner argued that advanced models can operate at a speed that “outpaces traditional defensive cycles”.
So far, Brussels’ response puts ENISA, the EU cybersecurity agency, at the centre of the debate. “Our proposal for a revised Cybersecurity Act is designed precisely to equip ENISA and the Commission with the resources, powers, and clarity of mandate that this new threat picture is requiring,” Virkkunen said. She added that ENISA remains “a very small agency” compared with national cybersecurity authorities and other EU bodies.
Critical infrastructure at risk
MEPs repeatedly pointed to risks for critical infrastructure. This includes hospitals, transport, banks, cloud services, water treatment facilities and energy networks. The EPP pointed out concrete threats, a “cyberattack today can stop production lines, paralyse transport, disrupt hospitals, expose personal data, and weaken citizens’ trust in public institutions”.
Also, MEP Stefano Cavedagna (ERC/ITA) recalled a real case of an attack. Servers in the Italian region of Emilia-Romagna were targeted, which exposed health data and compromised the regional system.
Renew pushed for more immediate operational measures. MEP Bart Groothuis called for ENISA to be turned into “a dedicated AI cybersecurity task force” and urged the Commission to introduce mandatory AI red-teaming, develop and host AI-powered defences, and establish a certification scheme for AI cybersecurity tools so businesses know which systems to trust. “We stand on the brink of a potential cyber bloodbath,” he warned. “AI models can now hack any system on a large scale and with the speed of light.”
Dependence is a soft spot
The debate also brought Europe’s digital sovereignty back into focus. Europe remains highly dependent on external actors for critical cloud infrastructure, semiconductor supply chains, advanced computing resources, and cybersecurity tools.
Commissioner Virkkunen acknowledged that Europe needs to invest in its own frontier of capabilities. “There is no reason to wait” she said, arguing that public and private European organisations should rapidly adopt advanced cyber tools for their own defence.
In the same line, MEP Markéta Gregorová (Greens/CZE), warned that Europe may learn about vulnerabilities too late and on terms set by others. Socialist MEP Ana Catarina Mendes (PRT) linked the issue to Europe sovereignty. “Any strategy we develop should invest in European resources, in cybersecurity, in high-level cloud computing, and protection of critical infrastructures,” she said.
Besides, she framed it as a broader political project: “A digital industrial strategy for Europe, combining regulation, protection of fundamental rights, protection of data and fostering alliances.”
