Europe’s banks have a problem they can’t hack their way out of. Anthropic’s Claude Mythos Preview, the AI model capable of identifying and exploiting zero-day software vulnerabilities, remains available only to a handful of US partners. The EU has been trying to change that, and it’s not going well.

Talks between the European Union and Anthropic over testing arrangements for European financial institutions and companies have effectively stalled, according to reports from Spanish officials in mid-May 2026. That means the continent’s critical financial infrastructure still can’t stress-test itself against one of the most powerful cybersecurity tools ever built.

What Mythos does and who gets to use it

Anthropic released Claude Mythos Preview on April 7-8, 2026. The model demonstrated something that made cybersecurity professionals both excited and uneasy: advanced capabilities in finding and exploiting zero-day vulnerabilities, the kind of software flaws that exist before anyone knows about them, making them extraordinarily dangerous.

In English: Mythos can probe systems the way a sophisticated attacker would, but at a speed and scale that no human red team can match. For a bank or tech company, running Mythos against your own systems is like hiring the world’s best burglar to test your locks.

Here’s the thing. That burglar currently only works for Americans.

Access to Mythos Preview has been restricted to a select group of mainly US companies and government agencies. Amazon and JPMorgan Chase are among the firms that have been granted access. European banks and firms? Not on the list.

The asymmetry is stark. US financial institutions can probe their own defenses using an AI that thinks like a next-generation attacker. European institutions cannot. In a world where cyber threats don’t respect borders, that gap matters.

Where the talks stand

EU Economy Commissioner Valdis Dombrovskis confirmed on May 4, 2026, that discussions with Anthropic were ongoing regarding the policy implications for the EU. The framing was diplomatic, the kind of language officials use when they want to signal engagement without overpromising results.

Two weeks later, the diplomatic veneer cracked. Spanish officials reported that negotiations had made minimal progress, a polite way of saying things were stuck.

The EU has raised the issue in multiple forums. Eurogroup meetings, where finance ministers from eurozone countries coordinate policy, have addressed the restricted access. The European Parliament has also weighed in. The consensus across these bodies is clear: Europe needs a plan.

But consensus and results are different things. Anthropic, a private American company, has no obligation to extend access to foreign governments or their regulated institutions. The EU’s leverage here is limited to persuasion, potential regulatory pressure, and the slow machinery of transatlantic diplomacy.

Look, this isn’t the first time Europe has found itself on the wrong side of a US tech company’s access decisions. But the stakes here are different from arguing about data privacy or app store rules. This is about whether European banks can defend themselves against threats that Mythos itself has helped define.

The cybersecurity gap and what it means

The core concern is straightforward. If Mythos can find zero-day vulnerabilities in complex software systems, then the systems it hasn’t tested remain blind to whatever it would have found. European financial infrastructure, already under escalating cyber threat, is flying without one of the most advanced radar systems available.

This isn’t hypothetical risk. Financial institutions across Europe have faced increasingly sophisticated cyberattacks in recent years. The ability to proactively identify vulnerabilities before attackers do is the difference between patching a hole and explaining a breach to regulators and customers.

The exclusivity problem also creates a competitive dynamic. US banks that can test against Mythos gain a measurable security advantage. Their European counterparts, competing in the same global markets, do not. Over time, that translates into different risk profiles, different insurance costs, and potentially different levels of customer and investor confidence.

Discussions within EU institutions have started to focus on mitigation. If Anthropic won’t, or can’t, extend access, Europe may need to invest in alternative capabilities. That could mean funding homegrown AI cybersecurity tools, partnering with other AI labs, or creating regulatory frameworks that require equivalent testing standards regardless of which tool performs them.

For investors in the financial technology and cybersecurity space, the stalled talks create a clear signal. European demand for advanced AI-driven security testing is real and currently unmet. Companies offering competitive solutions to Mythos, whether through proprietary AI models or novel approaches to vulnerability detection, could find themselves in an increasingly favorable position.

The regulatory dimension adds another layer. If the EU moves toward requiring banks and critical infrastructure operators to undergo AI-powered penetration testing as part of compliance, that mandate would need tools to fulfill it. A compliance-driven market for cybersecurity AI in Europe could emerge faster than anyone expected, not because of innovation, but because of frustration.

The broader geopolitical picture is hard to ignore. AI capabilities are increasingly becoming a dimension of national and bloc-level security. The EU’s difficulty in securing access to a single company’s product illustrates a deeper dependency that European policymakers have been warning about for years. Whether this particular impasse becomes the catalyst for a more aggressive European AI sovereignty push remains to be seen, but the political pressure is building in that direction.