EU AI Cybersecurity Debate: Parliament Weighs Mandatory Risk Assessments for Advanced Models

Members of the European Parliament engaged in heated debate on 21 May over the cybersecurity risks posed by advanced artificial intelligence systems, with lawmakers divided over whether to impose mandatory security testing requirements on developers of frontier AI models or maintain a more flexible, risk-based approach.

The plenary session saw MEPs grapple with how to balance innovation against emerging threats, as concerns mount over the potential for sophisticated AI systems to be exploited for malicious purposes. The debate comes as Parliament continues its work on implementing the EU’s landmark AI Act, with cybersecurity provisions emerging as a key battleground between different political groups.

Push for Mandatory Red-Team Testing

At the centre of the debate were proposals to require developers of frontier AI models to conduct mandatory red-team testing—a practice where systems are deliberately probed for vulnerabilities—before deployment. Rapporteur Brando Benifei, representing the Socialists and Democrats group, made a forceful case for binding obligations on AI developers, arguing that voluntary measures would prove insufficient given the scale of potential risks.

„We cannot leave the security of critical AI systems to voluntary commitments alone,” Benifei told fellow MEPs, emphasising the need for enforceable standards. The S&D rapporteur’s position reflects growing concerns within progressive political groups that market-led approaches may not adequately protect European citizens from cyber threats emanating from AI systems.

EPP Advocates Risk-Proportionate Approach

However, shadow rapporteurs from the European People’s Party pushed back against what they characterised as overly prescriptive requirements, advocating instead for a risk-proportionate framework that would calibrate regulatory burdens according to the actual threats posed by different AI applications. The EPP position suggests concern that blanket mandatory testing could stifle innovation and place European developers at a competitive disadvantage.

The centre-right MEPs argued that smaller developers and start-ups could struggle with the costs and technical demands of comprehensive red-team testing, potentially concentrating the AI market in the hands of large technology firms with greater resources. This tension between security imperatives and competitiveness concerns has become a recurring theme in Parliament’s approach to AI regulation.

Stricter Incident Reporting Requirements

Beyond testing requirements, the debate also addressed proposals for enhanced incident reporting obligations when AI systems suffer security breaches or are exploited for harmful purposes. MEPs discussed how such reporting mechanisms might integrate with existing cybersecurity frameworks, including the Network and Information Security Directive, to create a coherent oversight system.

The incident reporting proposals would require developers to notify authorities when their AI systems are compromised or used in ways that pose risks to users or critical infrastructure. However, questions remain about the threshold for mandatory reporting and whether such obligations should apply uniformly across all advanced AI systems or be limited to those deemed highest risk.

Commission Action on ‘AI Nudifier’ Tools

The parliamentary debate also touched on a separate but related concern: the Commission’s preparation of a delegated act to ban so-called ‘AI nudifier’ applications. These tools use artificial intelligence to generate non-consensual intimate images by digitally removing clothing from photographs of individuals, raising serious concerns about privacy violations and image-based abuse.

The Commission’s move to address this issue through delegated legislation—which allows for faster implementation than ordinary legislative procedures—signals the urgency with which EU institutions view certain harmful AI applications. MEPs across the political spectrum have expressed support for swift action on such tools, though the debate continues over whether the ban should be implemented through delegated acts or incorporated into primary legislation.

Broader Implications for AI Governance

The cybersecurity debate reflects broader tensions within Parliament over how to operationalise the AI Act’s provisions for high-risk systems. With the legislation now adopted, attention has shifted to implementing measures and technical standards that will determine how requirements apply in practice. The outcome of these discussions will significantly shape Europe’s AI landscape for years to come.

As Parliament and Commission officials work to finalise the technical details of AI cybersecurity requirements, industry stakeholders are watching closely. The coming months will prove critical in determining whether the EU can strike an effective balance between fostering innovation and ensuring robust protection against the cybersecurity risks that advanced AI systems increasingly pose. Further debates on these implementation measures are expected before the summer recess, with final decisions likely to emerge following consultation with technical experts and member state representatives.