Anthropic Mythos: why Europe is pushing for controlled access

Germany has been the loudest public voice. Michael Theurer, a member of the executive board of the Bundesbank — Germany’s central bank — told Reuters that European banks needed access to Mythos to prepare for cyberattacks that could be powered by this new generation of AI tools . Bundesbank President Joachim Nagel also called for broad access, arguing that it would help preserve a level playing field and reduce the risk of misuse .

That is still political pressure, not a finished policy. The public record shows contacts, briefings, monitoring and demands for access. It does not show an announced EU decision or a completed access mechanism .

Why banks care

For banks, vulnerability discovery is not an abstract technical issue. Financial institutions run complex software estates, legacy systems and customer-facing digital services. A tool that can help find weaknesses in code could, in a defensive setting, help institutions test their own systems, rank fixes and close holes before attackers find them.

Handelsblatt reported, citing insiders, that Anthropic planned to give European banks access soon so they could test their computer systems for possible vulnerabilities and close security gaps . The reported timing was not precise: the insiders’ estimates ranged from a few days to several weeks .

The access debate also reflects a possible information gap. Reuters reported that Mythos had so far been made available only to some U.S. banks . The Next Web also reported that no EU government had access to the model . If European supervisors are expected to judge a security-relevant AI system only through briefings and second-hand reporting, their push for controlled testing is easy to understand.

The dual-use problem

The reason Mythos is controversial is the same reason it is attractive: vulnerability-finding is dual-use. Reuters reported that cybersecurity experts view Mythos as a potential accelerator for attacks on banks’ technology systems . Nagel described Mythos as a model that appears able to quickly identify and exploit security vulnerabilities in financial institutions’ software, while also noting that it could improve digital defence as well as be misused .

German authorities are watching closely. The BSI, Germany’s federal cyber-security agency, said a model capable of finding hidden software vulnerabilities could have significant effects on the cyber threat landscape, according to ZDF . BaFin, Germany’s financial regulator, is also examining risks from Mythos and similar AI models because such systems can find security gaps independently and at scale, Handelsblatt reported .

The Next Web reported that Mythos can find zero-day vulnerabilities in major operating systems and browsers . That should be read as part of the current reporting picture rather than as an official EU finding. What is publicly established is that the Commission has received technical information from Anthropic and is assessing the implications .

Where the AI Act fits in

Mythos is also a test case for Europe’s broader AI rulebook. Bloomberg reported that the Commission’s AI Office is in dialogue with Anthropic on implementing the EU’s Code of Practice for general-purpose AI systems under the AI Act . Investing.com likewise reported, citing a Commission spokesperson, that Anthropic had committed to comply with that EU Code of Practice .

That matters because Mythos is not merely a bank cyber tool in the European debate. It sits at the intersection of financial supervision, cybersecurity and general-purpose AI governance: how should a powerful AI system with cyber capabilities be evaluated, limited and deployed under oversight ?

Access is the real policy question

The choice is not a clean yes or no. Too little access could leave European banks and regulators trying to assess a potentially important cyber tool from the outside. Too much access, or access handed to the wrong actors, could spread precisely the capabilities supervisors are worried about .

Several controlled routes are conceivable: supervised testing by selected banks, vulnerability assessments run by Anthropic, a joint process with regulators, or the sharing of verified flaws with affected institutions. None of those mechanisms has been publicly confirmed. The reporting so far points to talks, possible testing and an access path still being negotiated .

The bottom line

Europe is pushing for controlled ways to test or benefit from Anthropic’s Mythos, not for a public release. The appeal is clear: if Mythos can surface software weaknesses earlier, banks may be able to fix them sooner. The risk is just as clear: the same capability could help attackers move faster .

That is why the mechanism matters more than the slogan. Europe does not want to stay blind to a powerful cyber-AI system. But a defensive tool that finds hidden flaws can itself become a new source of danger if access is not tightly designed.