The EU Commission reaches out to Anthropic Mythos: Dombrovskis confirms EU involvement in a confidential AI model

The European Commission confirmed on May 4 that it has contacted Anthropic for a technical briefing on its weapons-grade cybersecurity AI model Mythos, and to assess the potential impact on EU policies and laws. Reuters reported that Valdis Dombrovskis, the European Commission’s executive vice president for economic affairs, told reporters that Commission representatives had met with Anthropic, heard technical details from Mythos regarding “cyberattack capabilities” and “research preview risks,” and are currently “assessing the possible impact in the context of EU policies and legislation.” Dombrovskis also revealed that Mythos has not been made available to any European bank so far.

What is Mythos: an AI model that automatically hunts for zero-day vulnerabilities

Mythos is Anthropic’s flagship model designed for cybersecurity research, able to autonomously identify and exploit zero-day vulnerabilities (zero-day) in major operating systems and browsers. The model is currently only available in the form of a research preview to about 40 vetted U.S. companies and national security entities, including intelligence organizations such as the U.S. National Security Agency (NSA)—this limited list has been a central topic in multiple previous abmedia reports.

For the banking industry, Mythos’s capabilities are a double-edged sword: (1) if used by defenders, it can greatly accelerate vulnerability scanning and strengthen cybersecurity; (2) if it falls into the hands of attackers, it could accelerate attacks on banks’ core systems in a short time. Anthropic’s “tiered access” design aims to give Mythos only to defenders, but the execution details and vetting mechanisms continue to trigger controversy.

Why the EU is stepping in: anxiety among banks about U.S.-exclusive cybersecurity AI

The trigger for the European Commission’s contact was that the euro zone finance ministers collectively demanded access to Mythos at a meeting in Brussels earlier. Bloomberg reported that the euro zone finance ministers said Mythos can automatically find and exploit zero-day vulnerabilities in major operating systems and browsers, but this capability is currently limited to the “Project Glasswing” program led by U.S. tech companies and the NSA, and European governments and banks do not have access.

The euro zone finance ministers’ core concern is an asymmetric cybersecurity gap:

U.S. banks can do defensive testing of their own systems with Mythos under the Project Glasswing program

European banks lack equivalent resources, so their defensive capabilities may fall behind

If similar capabilities flow to attackers outside the U.S., Europe’s financial infrastructure will be hit first

This demand effectively lifts Anthropic from a “private U.S. AI company” onto the EU-level regulatory agenda—not just a “commercial choice by Anthropic,” but a geopolitical issue about the distribution of transatlantic cybersecurity capabilities.

EU toolbox: the AI Act, foreign subsidies rules, and data security requirements

Dombrovskis said that in “assessing EU policies and legislative context,” the toolbox the Commission can use includes:

AI Act (AI Act)—If Mythos is defined as a “high-risk AI system,” Anthropic providing services in the EU would need to meet requirements such as transparency, risk management, and human oversight

Foreign Subsidies Regulation (Foreign Subsidies Regulation)—If Mythos has a material link to a U.S. government plan (Project Glasswing), it may trigger reviews

Critical infrastructure protection directive (NIS2, DORA)—cybersecurity requirements faced by European banks and financial institutions, which could potentially work in reverse to require Anthropic to provide “European equivalent access”

In practice, the EU is most likely not to impose a direct ban, but to adopt “conditional access”—requiring that if Anthropic wants to provide Claude commercial services in the EU, it must open Mythos to equivalent access for European banks, or provide authorized test results.

What to watch next: Anthropic’s response, the EU’s specific policy, and Project Glasswing’s increased transparency

Key observation points for the next phase:

Whether Anthropic publicly responds to the EU’s outreach, especially Dario Amodei’s personal position—abmedia reported on 4/19 that Amodei went to the White House to negotiate over Mythos issues; if he also personally intervenes at the EU level this time, it would be a signal that Anthropic takes the matter seriously

Specific policies the European Commission may take—whether it will propose conditional access requirements for Mythos before Q3

Transparency around Project Glasswing—whether the U.S. government discloses the plan’s scope, participating companies, and whether there could be cooperation with Europe

Alignment of other cybersecurity-grade AI models—whether the EU also reviews OpenAI’s GPT-5.5-Cyber released on 4/30

For Taiwan’s financial and cybersecurity industries, the observation focus of this case is a template of “asymmetric AI cybersecurity capabilities”—Taiwanese financial institutions’ access to U.S. cybersecurity-grade AI models is also currently restricted by U.S. national security controls. If the EU manages to secure equivalent access, whether Taiwan can raise the same demands under similar logic will be an important topic in the coming months.

This article EU Commission contacts Anthropic Mythos: Dombrovskis confirms EU involvement in a confidential AI model first appeared on Chain News ABMedia.