GPT-5.5-Cyber EU Access vs Mythos EU Withheld (May 2026)
On May 11, 2026, OpenAI confirmed it would grant European Union partners access to GPT-5.5-Cyber. The same day, regulators confirmed Anthropic is still withholding Claude Mythos from the EU. Here is what changed, why the two vendors landed in different places, and what it means for cyber-defense buyers in Europe.
Last verified: May 12, 2026
The May 11 split, in one paragraph
OpenAI’s announcement is a negotiated access program for GPT-5.5-Cyber, its specialized cyber-defense model. The EU is the first major jurisdiction granted formal access. Anthropic’s position is unchanged: Mythos remains in the closed Project Glasswing research preview with roughly 50 vetted industry partners — almost entirely large US technology companies. The European Commission has been in discussions with Anthropic about Mythos under DORA and the AI Act framework, but those talks are at an earlier stage and no EU partner has received access. Germany alone has reportedly initiated a direct dialogue with Anthropic.
Side-by-side
| Property | GPT-5.5-Cyber (OpenAI) | Mythos (Anthropic) |
|---|---|---|
| Announced | Late April 2026 | March 2026 |
| EU access | ✅ Granted May 11, 2026 | ❌ Withheld; talks ongoing |
| Access program | OpenAI EU partner pathway | Project Glasswing (~50 partners) |
| Known partners | EU sovereign/security partners (TBD) | Apple, Microsoft, Amazon and others |
| SWE-Bench Verified Cyber | Strong; below Mythos | 93% (industry-leading) |
| Vendor risk framing | Controlled-access defensive tool | “Cyber moment of danger” |
| EU data residency | OpenAI offers EU regions for some products | ❌ All processing in the US |
| DORA fit (EU finance) | Negotiable | Difficult without residency |
| Public availability | Closed; partner-only | Closed; partner-only |
What changed on May 11
Per CNBC and Politico reporting on May 11, OpenAI told EU officials it would extend access to GPT-5.5-Cyber to bloc partners under negotiated usage terms. The same coverage flagged that Anthropic was “not there yet” on EU access for Mythos. Bloomberg Law confirmed the European Commission is actively monitoring Mythos’s security implications but has not been granted access. Politico also reported the same day that Google disclosed AI was used to discover a major real-world security flaw, adding pressure to the regulatory conversation.
The net: as of Tuesday, May 12, 2026, European cyber-defense buyers have one open lane (GPT-5.5-Cyber) and one closed lane (Mythos).
Why the two vendors landed in different places
OpenAI’s logic. GPT-5.5-Cyber is a tuned variant of the GPT-5.5 family. OpenAI’s positioning is that controlled-access deployment to vetted partners — including sovereign EU partners — strengthens defensive capacity faster than withholding does. The model is below Mythos on raw vulnerability-discovery capability, which makes the dual-use risk easier to argue down. OpenAI also has a stronger EU operational footprint and an active interest in being the policy-cooperative US vendor as the AI Act omnibus takes effect.
Anthropic’s logic. Mythos sits at the frontier on cyber capability (93% SWE-Bench Verified Cyber, the figure that triggered the company’s “cyber moment of danger” framing in April). Anthropic’s stance is that broader release — including release to additional jurisdictions before they have established controls — increases offensive risk faster than defensive benefit. Project Glasswing is the company’s bet: a small partner cohort that can absorb the capability defensively without the model leaking laterally.
Both positions are defensible. Neither amounts to a safety verdict.
Capability vs access — a useful distinction
Buyers tend to conflate “more capable” with “more dangerous to release.” The clean way to read this:
- Capability: Mythos > GPT-5.5-Cyber on most cyber benchmarks.
- Access: GPT-5.5-Cyber > Mythos in the EU as of May 12.
- Defensive utility for an EU bank in Q2 2026: GPT-5.5-Cyber wins on availability today; Mythos wins on raw capability if and when Glasswing or a successor opens.
If your threat model assumes nation-state-grade adversaries with their own equivalent capability, the “withhold Mythos” stance offers less protection than it appears to. If your threat model is opportunistic and commodity, GPT-5.5-Cyber under EU terms is materially useful right now.
Practical implications for European buyers
Financial services (DORA-scoped). GPT-5.5-Cyber under EU partner terms is the only currently negotiable path at frontier-cyber capability. DORA mandates ICT third-party risk diligence; OpenAI’s EU pathway is being structured to fit. Mythos is effectively unavailable.
Public sector and defense. Same access asymmetry, sharper sovereignty concerns. Expect bilateral deals (Germany–Anthropic dialogue is the template). Some EU member states are exploring fine-tuned local equivalents on open-weights cyber models in parallel.
Critical infrastructure (energy, telecom, healthcare). Glasswing-tier access via a US parent or partner is the realistic Mythos route. Otherwise GPT-5.5-Cyber is the option. Pilot both where possible.
Cloud-native SaaS companies based in the EU. GPT-5.5-Cyber on a contracted EU pathway is the obvious near-term play. Watch the Anthropic–Commission talks; if a Glasswing-EU lane opens, revisit.
What to watch next
- The terms of OpenAI’s EU GPT-5.5-Cyber program. Data residency, logging retention, allowed use cases, red-team obligations.
- Whether Anthropic opens a Glasswing-EU cohort. Germany’s dialogue is the canary.
- AI Act omnibus implementation. The May 7, 2026 omnibus deal changes some general-purpose-AI obligations; cyber-specific provisions are still being interpreted.
- Capability parity from open-weights. GLM, DeepSeek and Qwen cyber-tuned variants are closing in; jurisdictional access matters less when local models reach Mythos-class capability.
- Any actual incident traced to misuse of either model. This conversation reshapes within hours if it happens.
Sources
- CNBC, “OpenAI to give EU access to new cyber model; Anthropic still holding out on Mythos” (May 11, 2026)
- Politico, “Google says hackers used AI to develop a major security flaw” (May 11, 2026)
- techresearchonline.com, “OpenAI Grants EU Access to GPT-5.5 Cyber AI Model” (May 11, 2026)
- CSO Online, “European authorities without access to Anthropic’s AI for hacking”
- Schneier on Security, “On Anthropic’s Mythos preview and Project Glasswing” (April 2026)
- Bloomberg Law, “EU monitoring Anthropic’s Mythos security implications”
- Just Security, “Too Dangerous: Anthropic Mythos”
- Stibbe, “Mythos and the rise of AI-driven cyber threats under DORA”
- PYMNTS, “OpenAI offers EU access to new cyber model as Anthropic talks continue”
- Economic Times, “EU says OpenAI offers to open access to cybersecurity model, Anthropic not there yet”