Anthropic Opens Claude Mythos to the EU

Anthropic has offered the European Union access to Claude Mythos, its premier model previously restricted to a select group of partners. On June 1, Bloomberg reported that Anthropic proposed granting Mythos access to the EU Agency for Cybersecurity (ENISA), making it the first EU body poised to receive the model.

This expansion extends beyond European regulators. On May 28, Anthropic announced plans to deploy Mythos-class models to all customers "in the coming weeks" alongside the launch of Opus 4.8. The moves mark the easing of access restrictions that had remained in place for nearly two months.

However, the two initiatives represent distinct tracks. The ENISA agreement provides controlled access tailored for regulatory and defensive operations, whereas the upcoming release is a separate commercial rollout. Understanding the boundaries between these tracks is crucial to analyzing the development.

ENISA as the First EU Gateway

The European regulatory track operates under Glasswing, Anthropic's defensive cybersecurity initiative. ENISA is set to become the first EU institution to participate in the program following weeks of negotiations with the European Commission.

The arrangement has not yet been finalized. Politico reported that while the offer has been made, the formal terms remain under negotiation. The precise scope of use, safety protocols, and the deployment schedule are still being resolved.

Crucially, this partnership does not constitute a public launch. Access is restricted to an EU cybersecurity authority solely for defensive purposes, specifically to identify and remediate vulnerabilities in critical software and infrastructure. The agreement does not permit immediate commercial use by European enterprises or consumers.

Why Anthropic Restricted Mythos

The decision to restrict access to defensive applications stems from the model's offensive capabilities. When Anthropic introduced the preview of Claude Mythos on April 7, it deferred a general release, citing concerns over the system's ability to autonomously identify software vulnerabilities and exploit zero-day flaws.

The New York Times characterized the preview as a pivotal moment for cybersecurity, reflecting deep concerns that misuse of the model could facilitate systemic cyberattacks.

Consequently, Anthropic established the Glasswing initiative to control distribution. It provided the preview to only about 50 select entities—including Apple, Microsoft, Google, AWS, Nvidia, CrowdStrike, and JPMorgan—the vast majority of which are U.S. corporations. Rather than pursuing a broad release, the strategy aimed to equip defensive teams first.

Europe Excluded as OpenAI Advances

However, European entities were noticeably absent from the initial Glasswing roster. Throughout April and May, neither ENISA nor the European Commission was granted access to Mythos. While the UK AI Safety Institute and select German agencies secured early access, the core EU institutions remained excluded.

This exclusion created an opportunity for OpenAI. According to CNBC, the EU secured access to OpenAI's 'GPT-5.5-Cyber' cybersecurity model in May, allowing a key competitor to establish a foothold while Anthropic kept its gates closed.

Geopolitical friction also slowed Anthropic's deployment. The company informed the Commission that sharing the technology required U.S. government authorization, but Washington, aiming to preserve domestic AI advantages, resisted sharing the model with foreign administrations. The June 1 offer to ENISA represents a breakthrough that followed direct diplomatic engagement between EU officials and the U.S. administration.

The Dual Tracks and the EU AI Act

Consequently, the upcoming broader release serves a different market. Independent of the ENISA track, the commercial expansion announced on May 28 will target general API and Claude subscribers. However, Anthropic noted that deploying a model of this caliber demands advanced safety protocols, making the final release timeline dependent on the completion of these safeguards.

Regulatory compliance presents another hurdle. The EU AI Act mandates strict requirements for general-purpose AI models that pose systemic risks. Claude Mythos, given its autonomous offensive capabilities, will likely fall under these rules. The core provisions of the EU AI Act take effect in August. As a result, the model's deployment serves as a major test case for the EU AI Act.

Ultimately, the agreement with ENISA is an incremental step rather than a full market launch. While rumors of a public release have intensified, as detailed in our prior report, Anthropic has prioritized regulatory alignment in Europe. The restrictions are beginning to ease, but the ultimate pace and scope of the rollout will hinge on both safety benchmarks and EU AI Act compliance.