OpenAI grants European Commission access to new model as EU considers frontier AI cybersecurity risks

With uncertainty surrounding whether EU regulators will gain access to frontier AI systems, competitors are moving to position themselves as alternatives. 

On 11 May, Politico reported the European Commission is engaging in talks with OpenAI to obtain access to a new AI model capable of identifying cyber vulnerabilities and exploiting gaps in cyber defenses. 

OpenAI's lead executive in the discussions, former U.K. Chancellor of the Exchequer George Osborne, wrote to the Commission earlier this week to offer access and said the company started the "process of contacting member states" regarding the model. 

"The idea is … to work with them to make sure that they are properly defended … the institutions, the utilities, the important infrastructure components of Europe," Osborne said. 

OpenAI's overture to the EU comes as the Anthropic faces continued pressure to grant EU institutions access to its Claude Mythos model. 

Last week, Anthropic declined the opportunity to meet with members of the European Parliament and representatives from the EU's cyber agency, ENISA, to discuss Mythos' cyber risks due to reportedly receiving the invitation "at short notice."

The Commission is also dialing up the pressure on Anthropic. European Commission spokesperson Thomas Regnier said, "once the enforcement powers of the AI Office start in August 2026, we will ensure to receive, if needed, (Mythos) access."

Despite reports of growing frustration in the EU toward Anthropic, officials from the Commission, the EU AI Office and ENISA struck a more measured tone regarding the Mythos issue when addressing European Parliament's Committee on the Internal Market and Consumer Protection during the 6 May hearing.

AI Office Director Lucilla Sioli reiterated to lawmakers that when the AI Act's enforcement provisions enter into force 2 Aug., Anthropic will be subject to her office's jurisdiction in order to operate in the EU. She said because Anthropic signed the voluntary General-Purpose AI Code of Practice, it is her hope that if and when Mythos is released to the general public that Anthropic has taken all precautions to adhere to its commitments in the code. 

Sioli confirmed the AI Office has held some discussions with Anthropic, but the talks have not yielded access to Mythos. Last month, Politico reported officials within the AI Office believe the agency is understaffed and lacks proper authority within the EU regulatory hierarchy to respond to a major crisis, which coincided with the global buzz surrounding the release of Mythos. 

"In our analysis of the model, we have seen it presents significant capabilities," Sioli said. "These leaping capabilities in cyber are actually linked to the fact other capabilities of the model have increased significantly. This is a concern because it is not only this model that may have these capabilities, but soon, other models will have increased capabilities and that will put pressure on our capacity to defend."

Former ENISA Management Board member Hans de Vries downplayed the lack of current access to Mythos becoming an immediate cybersecurity "doomsday" for the EU, despite its potential to exploit vulnerabilities in the hands of bad actors. He discussed existing AI models on the market in use by companies are being leveraged to patch their own vulnerabilities and they have been successful at doing so, despite being "less sophisticated" than Mythos or ChatGPT 5.5, which has also been released to a limited number of entities. 

"While the security industry has utilized AI-assisted security tools for several years, frontier AI models introduce a new level of precision, and this is great for technology, but also challenges the service security community and tests our policy frameworks," de Vries said. "However, we feel (frontier AI) is not security's doomsday. There's going to be a pain situation for a few years, but in the end, it will definitely help us all."

European Commission Directorate-General for Communications Networks, Content and Technology Despina Spanou said as the Commission continues to push for access to Mythos, for the time being, the EU will further layer its cyber defense posture through implementing cyber regulations already on the books. 

She highlighted that "very few" EU member states have yet to transpose the NIS2 directive into national law. According to the European Cyber Security Organisation, 21 of 27 EU member states have passed a domestic NIS2 regulation. Both NIS2 and the Cyber Resiliency Act, which requires all connected devices to be built with security-by-design standards and enters into force December 2027, will help buttress the EU's cybersecurity posture as novel threats from frontier AI emerge. 

"We need to de-mystify the myth that this discussion is all about Mythos," Spanou said. "This discussion is about all these models that will bring change to the way we do our (cyber) preparedness. It is fundamental we ensure that while we're looking at new models that come on the market that indeed bring new solutions and some new challenges, we also need to not forget to do the basics that can already shield our systems from vulnerabilities, attacks and incidents."