OpenAI Offered the EU Its Cyber Model. Anthropic Hasn't.
The European Commission confirmed on May 11 that it's in formal strategic dialogue with both OpenAI and Anthropic ahead of August 2, 2026, when the EU AI Office's full enforcement powers over general-purpose AI model providers activate. The two conversations are,not going the same way.
OpenAI agreed to grant EU access to GPT-5.5-Cyber, its new cyber AI model. European Commission spokesperson Thomas Regnier said that while the Commission had held "four or five" meetings with Anthropic, those discussions were "not yet at the same stage as the solution we have on the table from OpenAI."
That's a named EU official drawing a public contrast between two labs in the same regulatory proceeding. The gap it describes isn't just a product availability question. It's a pre-enforcement positioning problem for Anthropic, and August 2 is a fixed date.
What OpenAI is actually offering
OpenAI said it will grant European partners access to GPT-5.5-Cyber in a limited preview. The model will be accessible to selected cybersecurity teams in governments, enterprises, cyber agencies, and EU institutions, including the EU AI Office itself.
George Osborne, OpenAI's head of OpenAI for Countries, framed the offer in terms of shared responsibility: "AI labs like ours shouldn't be the sole arbiters of cyber safety as resilience depends on trusted partners working together.
The latest cyber AI capabilities should be available for Europe's many defenders, not just the few." Osborne sent an explanatory letter to the Commission and to EU member states outlining the EU Cyber Action Plan, which positions the model access as a structured partnership rather than a one-off provision.
The framing is worth reading carefully. "Defenders, not just the few" is a direct reference to Anthropic's Glasswing deployment structure, in which Mythos access was initially restricted to roughly 40 curated organizations, including AWS, Apple, and Microsoft. OpenAI is explicitly positioning its access model as more open, and it's doing so to EU regulators who are currently deciding which lab is the more cooperative counterpart.
What the AI Office has said publicly about Anthropic
AI Office Director Lucilla Sioli told the European Parliament's Committee on the Internal Market and Consumer Protection that when the AI Act's enforcement provisions enter into force on August 2, Anthropic will be subject to her office's jurisdiction in order to operate in the EU. She confirmed the AI Office has held discussions with Anthropic, but that those talks haven't yielded access to Mythos.
"In our analysis of the model," Sioli said, "we have seen it presents significant capabilities."
Commission spokesperson Regnier separately put a sharper point on the access question: "Once the enforcement powers of the AI Office start in August 2026, we will ensure to receive, if needed, (Mythos) access."
That's not a threat exactly, but it's as close as EU regulatory language gets to one. The implication is clear: if Anthropic doesn't provide access voluntarily before August 2, the Commission is prepared to compel it. Under the AI Act, labs that refuse access to systemic-risk models face fines of up to 3% of global revenue or €15 million, whichever is higher.
The safety framing has a second interpretation now
Anthropic's position on Mythos access has been framed consistently as a safety-motivated decision. The model is powerful enough at finding and exploiting vulnerabilities that releasing it broadly, without controls, creates a genuine dual-use risk.
That framing is substantively defensible. Benchmark testing by the UK's AI Security Institute placed Mythos slightly ahead of GPT-5.5-Cyber in one relevant evaluation: Mythos completed a 32-step simulated corporate cyberattack in 3 out of 10 runs, while GPT-5.5-Cyber succeeded in 2 out of 10. Before Mythos launched, no AI model had passed that test at all.
The capability gap is real, and Anthropic's caution about broad access to a model at that level is coherent. But that framing is now operating inside a regulatory proceeding with a hard deadline, and the two things interact in ways Anthropic may not have fully accounted for when it set its access policy.
Anthropic skipped a European Parliament hearing on Mythos's cybersecurity implications, a move one Dutch lawmaker called "extremely worrying." The UK's AI Security Institute got hands-on evaluation access to Mythos. No EU government or institution has, as of the time of this reporting. That's not a neutral fact inside a regulatory dialogue that concludes when enforcement powers activate.
Anthropic has committed to the EU's voluntary General-Purpose AI Code of Practice, and discussions include the Mythos cybersecurity model. But no access provision has been agreed. Signing a voluntary code while withholding the specific model the regulator has flagged as a significant capability isn't a non-compliance position yet. It will become a much more complicated one on August 2 if nothing has changed.
What both labs are actually negotiating
The strategic dynamic here isn't only about regulatory compliance. It's about who gets to set the terms of how frontier AI cybersecurity models are deployed in the EU's single market.
OpenAI has made an access offer that frames regulators and EU institutions as partners and defenders, not overseers. That framing buys goodwill that's worth something in proceedings where discretion matters. Anthropic's position, whatever its internal rationale, reads externally as a lab that is still negotiating what it's willing to disclose to the only regulatory body with authority to compel disclosure.
The outcome of the next 12 weeks will depend on how Anthropic characterizes the Mythos restriction directly to the AI Office. A safety-framed delay with a defined resolution pathway looks different to a regulator than an indefinite hold with no public timeline. Anthropic hasn't put a public timeline on Mythos access for EU regulators, and that absence is now carrying regulatory weight.
