The specific AI model at the center of this regulatory storm is Anthropic's Claude Mythos Preview. The model was not released to the public. Instead, Anthropic restricted it to a vetted partner program called Project Glasswing, comprising around 40 "critical" technology and finance companies, including major Wall Street banks, for defensive cybersecurity testing only. Despite these restrictions, the model's demonstrated capabilities have had a profound and immediate impact on global financial regulators.
Claude Mythos Preview is not a narrow vulnerability scanner. It represents a step-change in offensive AI capability, with the practical skills to act as an autonomous cyber operator.
Autonomously executes multi-stage attacks. In controlled evaluations by the UK AI Security Institute (AISI), Mythos Preview was given a target and network access. It was able to autonomously execute multi-stage attacks on vulnerable networks, including discovering and exploiting security flaws—tasks that would take human professionals days of work. Incredibly, it became the first model to solve a 32-step simulated corporate network attack from start to finish, achieving a complete compromise in 3 out of 10 attempts.
Finds thousands of critical vulnerabilities at machine speed. Anthropic's own testing revealed the model found "thousands of high-severity vulnerabilities, including some in every major operating system and web browser". The model can identify and then exploit zero-day vulnerabilities—flaws that are unknown to a software vendor and for which no patch exists—before human defenders are even aware they exist. This fundamentally collapses the traditional window between vulnerability disclosure and real-world exploitation, pressuring banks that rely on fragmented, decades-old IT systems.
Poses a systemic risk to the entire financial system. The International Monetary Fund (IMF) issued an early warning, stating that fast-moving, AI-driven cyber risks of this kind could "destabilise the financial system if not managed carefully," urging authorities to move beyond treating these developments as purely technical or operational issues. The concern is that Mythos, or a comparable model, could be weaponised to launch large-scale, simultaneous attacks on the interconnected financial infrastructure, turning a cyber incident into a financial stability crisis.
The urgent action on Mythos is not an isolated panic. It is the most aggressive early enforcement strike within the ECB's newly streamlined 2026–2028 supervisory priorities, which for the first time in five years narrow the focus to two core pillars.
The directive sits squarely under Priority 2: strengthening banks' operational resilience and fostering robust ICT capabilities. This priority is a broad mandate that expects banks to do the following:
The Mythos-driven meeting and directive represent the ECB shifting from "AI risk as a tech topic" to "AI risk as a prudential supervision topic," with an implied expectation of concrete, funded remediation plans, not pilots and principles. The underlying message is that within this three-year cycle, a bank's ability to survive and maintain critical services through a severe, AI-enabled cyber disruption is no longer a technical nicety—it is a core measure of its safety and soundness.