Go to search
Cybersecurity

EU Action Plan on Cybersecurity and AI: Insurers welcome the initiative but warn against regulatory duplication

The German Insurance Association (GDV) welcomes the European Commission's EU Action Plan on Cybersecurity and AI as an important step toward strengthening Europe's digital sovereignty. At the same time, the industry stresses that any future cybersecurity requirements should build on existing regulations rather than create parallel frameworks.

Reading time
© Tai Bui - unsplash

The European Commission has presented its EU Action Plan on Cybersecurity and Artificial Intelligence in response to a development that has long since extended beyond IT departments. Artificial intelligence is fundamentally changing the way cyberattacks are conducted, challenging established cybersecurity strategies across industries.

With the Action Plan, the Commission aims to strengthen cooperation between Member States, businesses, and EU institutions while providing structured access to advanced AI models for cybersecurity applications. As part of this initiative, the EU Agency for Cybersecurity (ENISA), together with the Commission's Joint Research Centre (JRC), will establish a secure platform where AI models can be tested in cybersecurity simulations.

From the insurance industry's perspective, this is a welcome initiative. Insurers are among Europe's most highly digitalized service providers and process particularly sensitive personal and financial data. Protecting these assets increasingly depends on effective collaboration between governments, businesses, and cybersecurity authorities as new technologies emerge.

AI is reshaping the cyber threat landscape

What does this mean in practice? Cybercriminals are already using artificial intelligence for far more than generating convincing phishing emails. Advanced AI models significantly increase both the speed and scalability of cyberattacks. They can help identify vulnerabilities, conduct reconnaissance on potential targets, and even develop exploits; that is, malicious code designed to take advantage of security weaknesses.

As a result, sophisticated attack techniques that once required specialized expertise are becoming widely accessible. Even attackers with limited technical knowledge can now use AI to carry out complex cyberattacks that previously demanded advanced skills.

However, this is only one side of the story. Over the medium to long term, artificial intelligence also has the potential to strengthen cybersecurity. AI can help developers build more secure software from the outset and identify vulnerabilities more quickly, before attackers have an opportunity to exploit them.

Rather than representing a sudden disruption, AI marks the beginning of a challenging transition period in which attackers and defenders are engaged in a race to harness its capabilities more effectively.

Regulatory consistency instead of parallel requirements

From the insurance sector's perspective, the success of the Action Plan will depend largely on how the proposed cooperation between Member States, businesses, and EU institutions is implemented in practice.

Insurers are already subject to extensive cybersecurity requirements under the Digital Operational Resilience Act (DORA) and have invested considerable resources in recent years to establish the necessary resilience and security frameworks.

Should the Action Plan ultimately lead to additional regulatory requirements, these should build on the existing framework rather than introduce separate and overlapping obligations.

Equally important are clearly defined responsibilities. In the event of an AI-enabled cyberattack affecting multiple countries or sectors simultaneously, it must be clear who is responsible for coordinating the response. Close cooperation between public authorities, cybersecurity agencies, and technology providers will be essential to ensure that cross-border incidents can be managed quickly and effectively.

Digital sovereignty and access to AI tools

A second key pillar of the Action Plan is ensuring structured access to advanced AI models for cybersecurity purposes.

Since many of these models are currently developed and operated by providers outside Europe, maintaining reliable access to them will remain essential in the short term. European companies and institutions must be able to use state-of-the-art AI tools if they are to defend themselves effectively against increasingly AI-driven cyber threats.

At the same time, the insurance industry continues to support the long-term objective of strengthening Europe's technological sovereignty. Investing in European AI capabilities and software technologies will gradually reduce dependence on individual non-European providers and enhance Europe's strategic resilience.

These two objectives are not mutually exclusive; rather, they complement one another over time. In the short term, Europe needs secure access to existing AI technologies. In the long term, it should develop stronger domestic capabilities of its own.

Back to top