How AI can help fulfil the promises of Europe’s Cyber Resilience Act

To deliver on Europe's Cyber Resilience Act, policymakers must work to unlock AI's potential to reduce vulnerabilities and create a more secure software ecosystem
Visual created by Martin Rästa

Every day, defenders across Europe race to secure their networks. They must update vulnerable code in thousands of products or face ransomware attacks and network breaches. This reactive paradigm, which burdens countless organisations, from multinational corporations to small businesses, is not sustainable. The EU’s Cyber Resilience Act and artificial intelligence’s rapid progress present an opportunity to transform cybersecurity – shifting focus from racing against threats to securing code before deployment.

The burden of vulnerabilities  

Software vulnerabilities, like cracks in armour, are small faults in code that malicious cyber actors exploit to launch disruptive cyberattacks. Research shows that one-third of ransomware attacks start with an unpatched vulnerability. Vulnerabilities are so commonly exploited that the US Cybersecurity and Infrastructure Security Agency created a Known Exploited Vulnerability Catalog in 2021. Today it has over 1,200 entries.

Developers bear primary responsibility for introducing software vulnerabilities, through coding errors or design flaws. Once developers identify and remediate these errors, downstream software customers must patch these vulnerabilities or face the consequences of exploitation. This leaves the customers, many with limited resources, constantly needing to update systems. 

In one survey of over 3,000 IT security professionals across Europe, the US, and Asia, 77% of respondents reported lacking the resources to keep up with the volume of patches. Worse, if a software manufacturer is unaware of a vulnerability, there will be no patch. These are the infamous ‘zero-day’ vulnerabilities that hackers are increasingly exploiting to compromise networks.

Aside from endangering individual organisations, these vulnerabilities create systemic risk. Widespread dependency on a single vulnerable software product or component could lead to mass disruptions across sectors and continents.

The devastating 2017 NotPetya attack combined the exploitation of a single known Windows vulnerability with a well-known post-exploitation tool, Mimikatz, causing €9.2 billion ($9.53 billion) in damages across 60 countries. In Europe, victims included the shipping giant Maersk and construction company Saint-Gobain, each losing hundreds of millions. In 2021, a vulnerability in Log4j, an open-source logging library used in thousands of other software products, again put worldwide networks at risk. The library was so widely used that over two years later, this vulnerability still haunts the security community.

Shifting to a proactive paradigm

The current paradigm is risky and reactive. It burdens customers, requiring every downstream deployer to patch or pray. Compare this with how the EU prevents foodborne illness through proactive upstream interventions at farms and food processing facilities. We don’t expect consumers to test for bacteria or accept emergency rooms filled with patients. Good policy focuses on prevention and addressing root causes.

This preventive approach is needed for software vulnerabilities. By proactively addressing vulnerabilities during design and development, we could reduce the downstream burdens, consequences, and costs. Society must adopt a public health approach to aggressively and systematically eradicate the most common and egregious vulnerabilities, treating them with the same urgency we bring to eliminating diseases. 

Fortunately, the EU has taken an important first step. In October 2024, the EU passed the Cyber Resilience Act, with specific provisions addressing software vulnerabilities and driving secure-by-design practices. This includes requirements for software manufacturers to proactively reduce vulnerabilities and quickly deploy patches. 

Artificial intelligence’s potential   

This is where AI could be transformative. By providing scalable solutions, AI could revolutionise how we develop software, identify vulnerabilities, and deploy patches. Researchers are already using AI to detect and patch vulnerabilities. Recently, Google’s Project Zero team employed an AI agent to uncover a previously unknown vulnerability. AI-cyber competition teams have created systems that can autonomously identify and patch real software bugs.

More foundational coding and software engineering capabilities continue to progress as well. AI coding assistants like GitHub Copilot and Cursor demonstrate potential in generating secure code, while new models continually improve their ability to solve real-world software engineering tasks.

Next generation models and AI agents will unlock new possibilities. In late 2024, OpenAI’s newest system, o3, obtained a record high score on an infamously difficult abstract reasoning problem-solving test. Models like this could power future AI agents to think and act more like humans. 

These agentic systems can work independently, reason through complex problems, use tools and applications, and collaborate with both people and other systems. Multi-agent AI systems could revolutionise secure software development through specialised agents that collaborate to create code, detect vulnerabilities, and simulate real-world attacks before release.

Though attackers will have access to similar AI tools, finding and fixing vulnerabilities during development gives defenders a critical advantage: attackers will have fewer flaws to exploit, and downstream defenders, with fewer vulnerabilities to patch, can redirect their limited resources to other security efforts. Consider the impact of eliminating common and ‘unforgivable’ vulnerabilities like memory safety issues, which accounted for 70% of Microsoft’s vulnerabilities between 2006 and 2018. With these AI-powered tools democratised, even small and open-source developers could eliminate vulnerabilities without requiring the resources of larger companies.

A path forward for policymakers 

AI coding and vulnerability capabilities, like any technology, need to mature and be adopted. The first light bulb was invented in 1879, but it took decades for artificial light to change the world. Innovation always comes with setbacks and adoption takes time. However, investments now could pay off long term. On the heels of the Cyber Resilience Act, European policymakers should make a dedicated effort to drive research, push adoption, and set goals. 

First, policymakers should fund research to mature AI capabilities for secure software development and vulnerability remediation. We need accessible tools that can scale across industry, governments, and open-source developers. 

While the US has begun investing in AI-enhanced secure development, Europe must take the lead by offering training resources and research funding through programmes like Horizon Europe. Secure software products and vulnerability discovery already fall within the scope of Horizon’s Civil Security for Society funding cluster.

Second, as these AI capabilities mature, the EU and its member states should drive adoption. The Cyber Resilience Act already creates incentives for large developers. However, policymakers should support developers, both big and small, by providing publicly funded tools and services. For example, the EU could provide no-cost tools, similar to how the US government shares cybersecurity tools today. The EU could also leverage AI systems to detect and remediate vulnerabilities in widely-used open-source code, helping prevent incidents like Log4j. This could be a no-cost service offered by the public sector or provided through grants to civil society, security researchers, academia, and open-source developers.

Finally, European leaders, working closely with all stakeholders, should embrace a public health approach to vulnerabilities by setting long-term strategic goals. A European goal could be to systematically eliminate pervasive flaws like cross-site scripting and SQL injection through a multi-pronged effort of research grants, industry engagement, and publicly available open-source tools.
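As an added illustration of what "systematically eliminating" a flaw class like SQL injection means in practice (example code written for this page, not part of the essay or of any EU tool), the block below places the defective query pattern beside its parameterised replacement and adds a small static check of the kind a publicly funded, open-source scanner could run over a code base. It assumes only Python's standard sqlite3 and re modules; the users table, the name `o'brien` and the three-line SAMPLE_SOURCE are constructed for the demonstration. Note that the concatenated query breaks on a perfectly legitimate name containing an apostrophe, which is why the pattern itself, not any particular input, is the defect to eradicate.

```python
"""Vulnerable-versus-hardened SQL query, plus a minimal concatenation linter."""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Defective pattern: untrusted input is spliced into the SQL text, so the
    # database parses the caller's data as part of the statement.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened pattern: the driver binds the value; it is never parsed as SQL.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def lookup_outcome(fn, conn: sqlite3.Connection, name: str):
    """Return the rows, or the error class name if the statement failed to parse."""
    try:
        return fn(conn, name)
    except sqlite3.Error as exc:
        return type(exc).__name__


# A string literal that contains an SQL verb ...
SQL_VERB = re.compile(r"""["'][^"']*\b(SELECT|INSERT|UPDATE|DELETE)\b""", re.I)
# ... combined with evidence that the string is being built dynamically
# (f-string prefix, "+" concatenation, %-formatting or .format()).
DYNAMIC = re.compile(
    r"""(\bf["'])|(["']\s*\+)|(\+\s*["'])|(["']\s*%\s*[\(\w])|(\.format\()"""
)


def flag_sql_concatenation(source: str) -> list:
    """Return 1-based line numbers where SQL appears to be built from string operations.

    This is a deliberately simple heuristic of the kind a no-cost scanning
    service could offer; real tools resolve data flow rather than regexes.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if SQL_VERB.search(line) and DYNAMIC.search(line):
            findings.append(lineno)
    return findings


# Constructed source lines: two defective query constructions and one correct one.
SAMPLE_SOURCE = """\
rows = conn.execute(f"SELECT * FROM users WHERE name = '{name}'")
rows = conn.execute("SELECT * FROM users WHERE name = '" + name + "'")
rows = conn.execute("SELECT * FROM users WHERE name = ?", (name,))
"""


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_outcome(find_user_vulnerable, db, "o'brien"))
    print("safe:      ", lookup_outcome(find_user_safe, db, "o'brien"))
    print("flagged lines:", flag_sql_concatenation(SAMPLE_SOURCE))
```

Run stand-alone, the concatenated query fails with an OperationalError on the legitimate name `o'brien`, the parameterised query returns that user's row, and the linter flags lines 1 and 2 of the sample while leaving the parameterised line 3 alone. The same shape of check (defective idiom beside its replacement, plus a scanner that recognises the idiom) is what makes a vulnerability class eradicable at scale rather than patchable one product at a time.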

The convergence of the Cyber Resilience Act and the rapid progress of AI presents a pivotal moment. By harnessing AI’s potential to transform software development, Europe can lead a shift from reactive security to proactive prevention. Success will require sustained commitment to research, widespread adoption, and forward-thinking policy – but the potential reward is a fundamentally more secure digital foundation for Europe and the world.

This essay was awarded 4th place in the AI-Cybersecurity Essay Prize Competition 2024-2025, organised in partnership between Binding Hook and the Munich Security Conference (MSC), and sponsored by Google.

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by Virtual Routes (“Virtual Routes”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 CET, through the official submission portal provided by Virtual Routes.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend the Munich Security Conference.

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants Virtual Routes exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

Virtual Routes, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify Virtual Routes, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

Virtual Routes reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond Virtual Routes’ reasonable control impairs the integrity or proper functioning of the Competition, as determined by Virtual Routes in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, Virtual Routes reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.