Brussels has begun to flex its regulatory muscle in a new direction. No longer content to set rules from afar, the European Commission now seeks direct hands-on experience with the most advanced AI systems coming out of American labs. Talks with OpenAI and Anthropic have accelerated in recent weeks. The stakes involve not just compliance but the ability to understand and counter risks that could reshape cybersecurity across the continent.
OpenAI moved first. On Monday the company offered the EU preview access to its new GPT-5.5-Cyber model, a specialized variant focused on offensive and defensive cyber capabilities. European Commission spokesperson Thomas Regnier welcomed the move at a press briefing. “We welcome OpenAI’s transparency and intent to give commission access to new model,” he said, according to a Reuters report. Further discussions are scheduled this week. The arrangement would extend to the EU AI Office, national cyber authorities, and vetted businesses.
OpenAI framed the decision as pragmatic partnership. George Osborne, head of OpenAI for Countries, issued a statement. “AI labs like ours shouldn’t be the sole arbiters of cyber safety as resilience depends on trusted partners working together.” He added that the latest cyber AI capabilities should be available for Europe’s many defenders, not just the few. The company also outlined an “OpenAI EU Cyber Action Plan” to collaborate with policymakers and institutions. Such openness stands in contrast to the more guarded posture taken by its rival.
Anthropic has held multiple meetings with Commission officials. Four or five sessions have taken place so far. Yet conversations have not advanced to the point of granting access to its models. “With one (OpenAI), you have a company proactively offering to give access to the company. With the other one (Anthropic), we have good exchanges though we’re not at a stage where we can speculate on potential access or not,” Regnier explained in the same briefing. The difference in approach highlights how individual corporate strategies can shape regulatory outcomes.
At the center of tension sits Mythos. Anthropic released the model in early April. It demonstrates exceptional skill at identifying and chaining exploits. In tests it uncovered thousands of high-severity vulnerabilities in days. One example involved a 27-year-old bug in OpenBSD. Another exposed a 16-year-old remote code execution flaw in FreeBSD along with 271 issues in Firefox. These feats worry officials on both sides of the Atlantic. A single capable adversary armed with such a tool could threaten critical infrastructure.
The EU AI Office, tasked with overseeing systemic-risk models under the AI Act, finds itself without access. “The Commission is currently not one of the 40 unnamed organizations that have access,” Regnier confirmed in mid-April, as reported by Politico. That limited circle includes select tech firms and government partners, reportedly with heavy U.S. involvement. The UK’s AI Security Institute gained entry quickly. It produced a detailed technical analysis within a week that regulators praised. Europe has not matched that pace.
Staffing and expertise gaps compound the problem. The AI Office employs roughly 140 people overall. Its dedicated safety unit numbers 36. A coalition of eight AI safety organizations sent a letter urging expansion to 160 specialists by 2030. Italian lawmaker Brando Benifei called for more staff, deeper technical expertise, and a budget that matches the speed of frontier development. Without these resources, the office struggles to evaluate models at the edge of capability. Stanislav Fort, chief scientific officer at European AI security firm Aisle, observed that the kind of frontier evaluation performed by the UK “is not present right now at the EU AI Office.”
Finance ministers took notice. The Eurogroup met on May 4 to discuss operational resilience and the implications of Mythos for banking systems. No European government holds access. A White House decision reportedly blocked Anthropic’s plan to expand availability to about 70 additional entities. ECB President Christine Lagarde described Anthropic as a responsible operator yet warned that the model in the wrong hands “could be really bad.” The Bundesbank had earlier pressed for EU-level demands. European Central Bank officials convened calls with chief risk officers at eurozone lenders to gauge preparedness.
These conversations occur against the backdrop of the EU AI Act. Rules for general-purpose models took effect last August. High-risk systems face stricter requirements starting in August 2026. The legislation demands technical documentation, risk assessments, and mitigation steps for the most powerful systems. Yet enforcement hinges on real understanding. Regulators cannot assess what they cannot examine. Access to frontier models therefore becomes a prerequisite for credible oversight.
And the clock ticks. Hostile actors will likely obtain the technology eventually. Defenders left in the dark operate at a permanent disadvantage. Without equivalent tools, banks and infrastructure operators cannot simulate the attacks they may face. A structural imbalance emerges. Some officials now speak of the need for European investment in comparable domestic models to reduce reliance on foreign providers.
OpenAI’s offer changes the dynamic. Granting access to GPT-5.5-Cyber, rolled out in limited preview to cybersecurity teams last week, signals willingness to treat the EU as a serious partner. It also allows the Commission to monitor deployment closely and address concerns in real time. Whether this sets a precedent for Anthropic remains uncertain. The company has not commented publicly on next steps.
Broader questions linger. How much transparency should frontier labs provide to regulators? Can governments build sufficient in-house expertise to evaluate models without becoming dependent on the companies they oversee? The EU positioned itself as the world’s leading tech regulator. That claim now faces a practical test. Success depends on bridging the gap between ambitious rules and operational capacity.
Recent reporting underscores the urgency. A CNBC article published hours ago detailed OpenAI’s concrete commitment and the continued distance with Anthropic. Coverage from The Next Web earlier in the month highlighted the Eurogroup’s frustration and the defensive gap created by zero-day capabilities. These accounts paint a picture of regulators racing to catch up with technology that advances faster than bureaucratic processes.
So the negotiations continue. OpenAI appears ready to open the door. Anthropic proceeds with caution. For Brussels the goal stays clear. Understand the models. Assess the risks. Equip Europe to defend itself in an era when code can hunt its own vulnerabilities. The outcome of these talks may influence not only AI governance in Europe but the balance of technological power between governments and the private labs that build the future.


WebProNews is an iEntry Publication