Anthropic shuts the EU out of its most advanced cyber AI model

Without preview access to Anthropic’s Mythos, Europe could be left exposed to a new generation of AI-powered cyberattacks.
Claude by Anthropic and ChatGPT by OpenAI, May 2024. (Koshiro K)

By Peder Schaefer

Peder Schaefer is a Brussels-based journalist.

12 May 2026

California-based artificial intelligence company Anthropic has restricted the European Union's access to Claude Mythos, its most advanced cybersecurity model, a move that could heighten cybersecurity risks for Europe and deepen the region’s dependence on American technology providers.

By limiting Mythos to a select group of primarily U.S. companies — including Amazon, Apple and JPMorganChase — and government agencies to evaluate its hacking capabilities, Anthropic has left European banks, software companies and governments unable to test their defenses against one of the most sophisticated AI cyber tools.

The decision comes amid White House concerns about sharing the Mythos model more broadly and mere days after OpenAI shared its most advanced ChatGPT 5.5-Cyber with EU authorities.

The standoff also underscores a growing divide in global AI access, as frontier systems become available to key actors in the U.S. before their European counterparts that operate within a narrower regulatory framework.

“There’s a risk of weaponization of software vulnerabilities,” said Paul Timmers, a professor at KU Leuven and former European Commission official at the DG CONNECT unit. “By selective distribution of these models you also create a bottleneck for access to this power, and that can have quite an impact on technology sovereignty in Europe.”

Anthropic blocks Europe from Mythos

In April, Anthropic announced that its latest AI model Claude Mythos had far-reaching hacking capabilities that posed a global cybersecurity threat. Instead of launching the model publicly, the company released a preview version to a small group of mainly U.S. companies to plug software vulnerabilities before wide-scale deployment.

The Commission has tried for weeks to gain access to Mythos but to no avail, said Commission Spokesperson Thomas Regnier at a press briefing on Monday. Meanwhile, OpenAI is sharing ChatGPT 5.5-Cyber with the Commission’s AI Office, businesses and governments through an EU Cyber Action Plan that will also include security briefings with OpenAI engineers.

“AI labs like ours shouldn’t be the sole arbiters of cyber safety as resilience depends on trusted partners working together,” said George Osborne, the Head of OpenAI for Countries and former British Chancellor of the Exchequer.

“We welcome the engagement of OpenAI,” said Regnier on Monday. “When it comes to Mythos, there is also a level of engagement. We have already had like four or five meetings with the company. But these two discussions are at different stages.”

While the EU’s AI Act gives it the power to deem certain models systemic risks, the AI Office and the Commission have yet to pull that lever.

Anthropic’s failure to give the EU or other European institutions access to Mythos follows a major clash with the U.S. federal government over military uses of AI, after the company resisted allowing its models to be deployed in certain warfare applications. Now, the company has been left out of a deal to use AI tools in U.S. classified networks.

After the release of Mythos, the White House applied a more hands-on approach to controlling the launch — even weighing an executive order that would require the government to vet models before their release. So far, Washington has opposed Anthropic expanding access to the model due to security concerns.

"Anthropic’s approach... may represent an attempt to ensure that only the highest quality external testers have access to the model while minimizing leak risk and bureaucratic drag," said Harry Law, a researcher at the University of Cambridge. "Right now, the EU AI Office is an unknown quantity while the UK AISI has a proven track record."

Cybersecurity and tech sovereignty risks

The lack of access has infuriated lawmakers in the European Parliament, who argue that it is yet another signal that the EU needs to develop its own cutting-edge tech capabilities. Last week, a Parliament committee held a meeting on AI safety and cybersecurity that officials from Anthropic were unable to attend at short notice.

“Europe must not be excluded from access to strategic technologies that are becoming essential for cybersecurity,” said MEP Sandro Gozi (Renew, FR). “But this should also be a lesson. Europe cannot depend on private companies or decisions taken outside Europe to understand and protect its own critical vulnerabilities.”

European banks are among the most alarmed by Mythos because of the speed at which it could expose software vulnerabilities — raising the risk of cascading failures across a highly connected finance sector still reliant on aging software infrastructure, according to Timmers. Top U.S. banks have already received access.

The EU has cybersecurity and AI platforms of its own, such as the French company Mistral AI, but these lag far behind U.S. firms in terms of model development and the capital needed to build new data centers.
