What does this offer really reveal about American tech strategy and European vulnerabilities?

The European Union is in active negotiations with Anthropic to gain access to Mythos, the AI-powered cybersecurity model that the California-based startup had itself deemed too powerful to make publicly available. Delegations from the European Commission and ENISA — the EU’s dedicated cybersecurity agency — have engaged in talks with the company, both in San Francisco and remotely. The conditions of any potential access remain unresolved. The file is open. And it is far from straightforward.

At a Glance

• Anthropic has invited the EU to join “Glasswing,” a tightly restricted program — composed almost entirely of American organizations — granted early access to Mythos.

• ENISA has confirmed that negotiations are underway; the European Commission dispatched a delegation to San Francisco to discuss terms.

• Mistral AI, Europe’s leading AI company, is sounding the alarm: granting a U.S. tool access to European state systems would create a dependency that may prove irreversible.

This image is used for illustrative purposes only.

Mythos: a tool that frightens its own creators

Mythos is not a chatbot. It is a system capable of identifying and patching software vulnerabilities at a speed no existing tool can match. Its power is also its liability: in the wrong hands, it could be used to design cyberattacks as easily as it could be used to prevent them.

That is precisely why Anthropic initially chose not to release it publicly. The model is currently restricted to a select group of large American companies deemed to face “critical” cybersecurity risk — Apple, Amazon, Google, JP Morgan, among others — brought together under the Glasswing program. Within the same framework, Washington is currently testing and deploying Mythos across several federal government agencies for internal protection purposes.

The invitation extended to the EU would mark a first: outside the United States, only the United Kingdom has so far been granted access to Mythos, through an evaluation conducted by the country’s AI Safety Institute.

What Brussels has said — and what it has yet to decide

European Commission spokesperson Thomas Regnier described the prospect of accessing Mythos on June 2, 2026, as a development “of the utmost importance” for gaining a clearer picture of the model’s potential risks. ENISA confirmed that discussions are active, while noting that the conditions are still being negotiated.

Two nuances are worth underscoring. First, no agreement has been reached. Second, the concerns raised internally are substantial: sources close to the file have raised questions about what level of access Anthropic would obtain to the IT systems of EU member states under any such arrangement. This is not a peripheral worry — it is the core of the negotiation.

The Amodei strategy: selling fear to sell the cure

Anthropic’s approach follows a well-rehearsed logic. In April 2026, CEO Dario Amodei publicly expressed his intention to share Mythos with U.S.-allied governments, citing the defense of Ukraine, Taiwan, and what he called “threatened democracies.” The messaging is consistent with Anthropic’s long-standing posture — a company that has made catastrophism a corporate philosophy as much as a commercial argument.

This pattern deserves to be named clearly. Offering a cybersecurity technology while simultaneously publicizing its dangers is a proven market strategy. Anthropic’s own confirmation of an “unauthorized access” incident — whose origin remains unidentified — reinforces the mechanism: the more threatening Mythos appears, the more indispensable its acquisition seems. The EU is being invited to join a protection program against a risk that its very sponsor is helping to amplify.

The real European dilemma: efficiency versus sovereignty

Beneath the technical debate lies a political choice. Arthur Mensch, CEO of Mistral AI — France’s leading AI company and Europe’s most credible challenger to U.S. dominance in the sector — made the stakes explicit during a May 12, 2026, hearing before France’s National Assembly:

“We cannot allow the source code of the French military to be analyzed by Mythos. This creates a dependency so irreversible that we absolutely must find solutions.” [translated from French]

Mistral is now working to develop its own comparable tool.

The underlying tension is structural. Mythos is likely more capable than anything Europe could produce in the near term for detecting software vulnerabilities. But the effectiveness of a tool cannot be assessed in isolation from the question of who controls its data and access. Every line of code analyzed by Mythos within a European government system would, by definition, pass through American infrastructure governed by American law.

This tension is not new — it has shaped years of debate over the role of U.S. tech giants in European digital sovereignty. What is new is the intensity: this is no longer about cloud storage or messaging apps. It is about the offensive and defensive security of critical infrastructure.

The bottom line

Europe is confronting a question it has faced before, but never with such urgency: can it delegate the protection of its most sensitive systems to a foreign operator — however trustworthy — without surrendering an irreducible degree of strategic control? And if the answer is no, as Mistral argues, is Europe prepared to fund and wait the years it would take to build a credible alternative, while remaining exposed in the interim?

Sources: L’Express · France’s National Assembly