On July 7, 2026, the European Commission presented an EU Action Plan on Cybersecurity and Artificial Intelligence, a non-binding Communication (IP/26/1544) that aligns the AI Act, the Cyber Resilience Act, NIS2 and RED cybersecurity rules into a single operational roadmap for connected-product compliance teams. The plan lands 26 days before the AI Act's general-purpose AI (GPAI) obligations and most high-risk provisions become enforceable on August 2, 2026, and it signals where ENISA, the AI Office and the Joint Research Centre will concentrate supervisory and testing capacity through 2027.
For manufacturers of radio, telecom and electrical equipment already adjusting to RED Article 3.3(d)-(f) cybersecurity under Delegated Regulation (EU) 2022/30 and the EN 18031 harmonised standard, the Action Plan is a forward signal, not a new legal obligation. It tells conformity-assessment teams which AI-adjacent controls, evaluation channels and secure-testing infrastructure will be referenced by enforcement from 2026 into 2027, and where the Commission expects industry to invest now.
What the Action Plan actually changes for connected-product compliance
The Communication introduces no new binding rule. Its weight is operational: it commits the Commission, ENISA and the JRC to deliver four concrete artefacts that compliance teams for connected products should track and, where relevant, plug into their AI Act and CRA readiness programs.
- An EU evaluation capacity for AI cybersecurity, established via a dedicated call, expected operational in 2027. It will feed the AI Office's third-party assessment of advanced model capabilities and risks, complementing the GPAI Code of Practice that starts binding on August 2, 2026.
- An ENISA European Blueprint for structured access to advanced AI capabilities, giving public and private European organisations transparent conditions for reaching the most capable models for cybersecurity use cases.
- A secure JRC-ENISA testing platform for AI cybersecurity, including simulated environments, aimed at operators in critical sectors (finance, energy, health, transport, public administration).
- An EU Grand Challenge on AI for cybersecurity, plus ENISA-facilitated partnerships between authorities, businesses and open-source communities, including a campaign to secure critical open-source software.
None of these replaces a CE-marking conformity assessment under RED or the CRA. They are the public-sector capacity that supervisory authorities will lean on when assessing AI-enabled features inside connected products, and that vendors can engage with voluntarily before obligations bite.
Who is impacted, and by when
Compliance leads and product cybersecurity managers at EU manufacturers of radio, telecom and connected electrical equipment are the primary industrial audience, alongside essential and important entities under NIS2. The binding deadlines the Action Plan orbits are unchanged but tightly clustered:
| Date | Obligation in force | Instrument |
|---|---|---|
| August 2, 2026 | GPAI obligations and most high-risk AI Act provisions enforceable; GPAI Code of Practice compliance expected | Regulation (EU) 2024/1689 (AI Act) |
| August 2, 2026 | RED Article 3.3(d)-(f) cybersecurity already applicable since August 1, 2025; presumptions of conformity via EN 18031 | RED Delegated Regulation (EU) 2022/30 |
| End of 2027 | Cyber Resilience Act fully applicable: security-by-design, vulnerability and incident reporting, CE-marked conformity for products with digital elements | Regulation (EU) 2024/2847 (CRA) |
| 2027 | EU evaluation capacity for AI cybersecurity operational | Action Plan commitment (non-binding) |
For a radio or connected-device vendor placing an AI-enabled feature on the EU market, the practical sequence is: AI Act conformity for the high-risk component from August 2, 2026, RED cybersecurity conformity for the radio interface already in force, and CRA conformity for the product's digital elements by end of 2027. The Action Plan does not move those dates; it tells you which EU bodies will be available to support each layer.
What compliance teams should do now
First, map every AI-enabled feature in your radio, telecom or electrical product portfolio against the AI Act risk tiers and the RED 3.3(d)-(f) cybersecurity essential requirements. Where a feature qualifies as high-risk, the conformity assessment and risk-management documentation must be ready before August 2, 2026, not after. Second, prepare your CRA readiness file early: vulnerability and incident reporting processes, software bill of materials discipline and security-by-design evidence will all be examined under the CRA's December 2027 applicability, and the AI Office and ENISA testing platform are positioned to query that evidence for AI-bearing components. Third, track the ENISA Blueprint and the EU evaluation capacity call as they move from commitment to deliverable, and consider engaging your testing laboratory or notified body early, since capacity will be scarce in the run-up to 2027.
Obsidian's continuous per-jurisdiction monitoring surfaces Commission Communications, ENISA guidance and harmonised-standard updates the moment they publish, so a connected-product compliance team can fold each new artefact into its readiness file without re-running the same daily checks manually.
Take advantage of this real-time watch
Next steps for compliance leads: confirm your August 2, 2026 AI Act conformity posture for every high-risk feature, brief your notified body and cybersecurity testing partner on the Action Plan's four deliverables, and lock the CRA December 2027 milestone into your product roadmap reviews now rather than after the summer break.


