Brief № 049 · Strategy
The EU cyber-AI plan needs an SME asset list
Brussels' new cyber-AI plan is not a buying list. EU SMEs should first map the systems, data and privileges an AI-assisted attack can reach.
On this page
The European Commission’s new cyber-AI action plan is easy to misread as a catalogue of clever new defences. It is more useful to a small business as a warning: an AI-assisted attack travels through the systems, data and permissions the business already has.
Published on 7 July, the plan sets three connected objectives: safer use of advanced AI, stronger European cyber resilience and more European AI capability for security. Its practical measures include model evaluation, structured access to advanced systems and a secure testing platform for critical sectors. The Commission’s plan is a coordination programme, not a new product catalogue.
Start with the reachable surface
An asset register sounds dull beside a model evaluation lab. It is nevertheless where an SME can act this week. The useful version is not a list of laptops. It is a short map of the workflows an attacker could redirect with an AI-written email, a convincing voice note or a poisoned document.
For each workflow that moves customer data, money, staff records or production decisions, record four things:
- the business owner who can halt it;
- the system of record and its recovery route;
- the external AI model, automation or supplier connected to it;
- the accounts, API keys and shared inboxes with the power to approve or change it.
That is the missing join between an AI conversation and a real operational consequence. A finance mailbox with a payment workflow, for example, is not just an email service. It is a chain of identity, approval and bank-detail change.
The plan reinforces old disciplines
The Commission says the action plan builds on the AI Act, the Cyber Resilience Act and NIS2. Its proposed secure testing platform is aimed at organisations in critical sectors including energy, transport, health, finance and public administration; it is not a substitute for a company’s own access control or incident process.
NIS2 is also a useful boundary. The directive generally places medium-sized and large entities in covered critical sectors under risk-management and significant-incident reporting duties. It does not make every small company a regulated operator. But its underlying disciplines—asset management, access control, incident handling and security training—are the same ones that stop an AI-enabled mistake from becoming an incident. ENISA’s NIS2 guidance sets those areas out plainly.
| Question | Evidence to keep | Owner |
|---|---|---|
| What can this workflow change? | System, data class and business consequence | Process owner |
| Who can trigger it? | Named accounts, service accounts and approval path | System owner |
| Where does AI touch it? | Model, plug-in, automation and supplier | Technical owner |
| How is it stopped and restored? | Kill switch, fallback and incident contact | Operations lead |
Source: European Commission action plan and NIS2 material. Last verified 2026-07-11.
Test one plausible failure
The Commission plans to develop testing capacity with ENISA and the Joint Research Centre. An SME does not need to wait for that platform to test a smaller question: could a persuasive AI-generated request get a person or automation to use a privilege it should not use?
Choose one high-consequence workflow from the register. Simulate a request to change a supplier bank account, export a customer file or grant a new integration access. Do it without live data and stop at the approval point. The result should be a concrete fix: remove a shared credential, add a second check, reduce an API permission or document an escalation route.
The plan is right to connect advanced models with faster vulnerability discovery and faster attacks. The practical response is not to chase every new security tool. It is to know which ordinary systems an AI-assisted request can reach, then make that path shorter, named and reversible.
Frequently asked questions
Does the EU cyber-AI plan create a new obligation for every SME?
No. The Commission describes it as an action plan built on existing EU AI and cybersecurity rules. NIS2 generally targets medium-sized and large entities in covered critical sectors; a small SME should still use the plan as a prompt to improve basic cyber hygiene.
What is the smallest useful first step?
List the systems that handle customers, money, staff or production; record their owners, privileged accounts, AI connections and recovery route. Use that list for one short incident exercise before choosing another tool.
Sources
- Official EU Action Plan on Cybersecurity and Artificial Intelligence European Commission accessed
- Official New EU plan to address the risks and opportunities of advanced AI for cybersecurity European Commission accessed
- Official NIS2 Directive: securing network and information systems European Commission accessed
- Official Supporting NIS2 implementation through actionable guidance ENISA accessed
- Primary Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence EUR-Lex accessed
Image credit: Photo: Modern data server room with network racks and cables — Brett Sayles, Pexels License (Pexels)
Iris Van Loon covers SME operational reality and advisors for Flint Brief.
Spotted an error or want a right of reply? hello@flintbrief.com (subject [Right of reply]).