EU AI regulation / digital sovereignty

Brussels Chooses Enforcement Over New Law, but Its AI Access Blueprint Risks Becoming a Rationing Regime

The EU's July 7 AI cybersecurity plan skips new legislation, but its year-end 'structured access' blueprint could ration frontier AI by government criteria.

Europe's AI Dependency, By the Numbers People of Internet Research · EU ~70% Non-EU hyperscaler cloud share AWS, Azure and Google Cloud domina… 30% EU cloud share target by 2035 Up from roughly 15% today, under t… 9 Concrete measures in the plan Spanning model evaluation, frontie… Q4 2026 Access blueprint deadline Commission and ENISA to publish th… peopleofinternet.com
Europe's AI Dependency, By the Numbers People of Internet Research · EU ~70% Non-EU hyperscaler clou… 30% EU cloud share target by 2035 9 Concrete measures in the plan Q4 2026 Access blueprint deadline peopleofinternet.com

Key Takeaways

On July 7, 2026, the European Commission adopted an Action Plan on Cybersecurity and Artificial Intelligence in Strasbourg, and the most notable thing about it is what's missing: a bill. Technology commissioner Henna Virkkunen told reporters the plan would not be accompanied by any new legislation. Instead, its nine measures rest almost entirely on getting member states to actually implement two laws already on the books — the NIS2 Directive and the Cyber Resilience Act — which Brussels itself says national capitals must adopt "as a matter of urgency."

The plan is organized around three pillars:

That restraint — enforce what exists rather than legislate something new — deserves credit before anything else. But the plan's one genuinely new deliverable, a Commission-drafted access framework due by year-end, is where the analysis gets more complicated.

The case Brussels is making

The anxiety underneath the document is specific, and on the facts, fair. No frontier AI laboratory is headquartered in the EU — every state-of-the-art model available to European banks, hospitals, and power grids for cyber-defense purposes originates outside the bloc. And three non-EU hyperscalers — AWS, Microsoft Azure, and Google Cloud — hold roughly 70% of the European cloud services market, according to Synergy Research Group analyst John Dinsdale. When both the infrastructure layer and the intelligence layer of cybersecurity are foreign-controlled, it's not paranoid to worry that one company's compliance decision or one government's export-control designation could leave a member state's grid operator without the AI tooling it relies on for defense, with zero European input into that outcome. The plan says as much, noting that gating access to frontier models

"often lacks transparency regarding the criteria applied."

That fear had a recent, concrete trigger. Months before the July 7 announcement, Washington imposed export restrictions on Anthropic's Mythos and Fable models after Mythos was used to identify vulnerabilities in US government systems. Those controls have since been lifted, restoring global access — but they briefly demonstrated exactly the chokepoint Brussels is describing: a foreign government's decision, taken for its own reasons, can sever European access to safety-critical AI tools overnight.

What "structured access" actually builds

Here is where the plan's restraint runs out. Its single biggest deliverable isn't oversight of existing law — it's a new allocation mechanism. By the fourth quarter of 2026, the Commission and the EU Agency for Cybersecurity (ENISA) are due to publish a "European Blueprint for structured access to advanced AI capabilities for cybersecurity purposes," specifying who gets access to frontier models and on what terms, with separate criteria for EU institutions, national authorities, critical-infrastructure operators, cybersecurity vendors, and research bodies.

That is a rationing framework, and rationing frameworks have a track record. Once Brussels writes formal criteria for who "deserves" priority access to frontier AI, those criteria become a lobbying target, a compliance cost for smaller players who can't navigate them, and eventually a template for extending the same logic beyond cybersecurity. A document that opens by lamenting that no frontier lab operates in the EU and closes by building a government-mediated access queue is hard to read as pure risk management. It reads, at least in part, as industrial policy wearing a cybersecurity badge.

The fix already underway is the better one

The Commission has a more honest answer to its own dependency problem sitting right next to this plan: the Cloud and AI Development Act, which aims to lift European cloud providers' share of their home market from roughly 15% today to 30% by 2035. Building European compute — and, eventually, European frontier labs — addresses the root cause of dependency. An access blueprint, by contrast, only exists because Europe currently has no domestic alternative to manage access to; it treats the symptom.

The parts of the plan built on enforcement are genuinely sound. Patchy transposition of NIS2 and the Cyber Resilience Act across 27 member states is a real gap, and closing it doesn't require picking winners. An ENISA-run testing platform so hospitals and utilities can validate AI tools before deployment adds assurance without gatekeeping who may build or sell.

The Blueprint is the piece worth watching closely as it's drafted. If it stays a transparency and continuity mechanism — providers disclosing objective criteria, guaranteed notice before access terms change — it will do real good without distorting the market. If it hardens into a permissioning regime where Brussels decides which European organizations may use which foreign models for which purposes, the EU will have recreated, through its own 2026 policy, the exact brittleness in access that this document says it fears from foreign export controls. European cybersecurity would then depend not on one company's discretion, but on one Brussels committee's — a trade that looks like sovereignty but functions like a single point of failure with better branding.

Sources & Citations

  1. European Commission — Action Plan press release (July 7, 2026)
  2. European Commission — Cloud and AI Development Act
  3. The Record — EU unveils cyber plan to reduce reliance on foreign AI
  4. Euronews — Brussels pitches AI cybersecurity plan amid dependence on US models
  5. The Register — CISPE warns EU against 'sovereignty washing' by hyperscalers