The European Commission is actively investigating the implications of Anthropic’s deployment of Claude Mythos, an advanced AI model specialized in detecting software vulnerabilities. This review marks a significant assertion of Brussels' regulatory authority over US-based AI firms operating under Europe’s emerging governance framework.
Anthropic previously committed to the EU’s General-Purpose AI Code of Practice in July 2025, positioning itself as a cooperative partner ahead of the AI Act’s August 2025 enforcement. However, regulators are now stress-testing that goodwill. The core issue lies in Mythos’s ability to systematically uncover flaws in critical software infrastructure, a capability that surpasses most human analysts as of April 2026.
By May 2026, the Commission had held multiple meetings with Anthropic. Discussions focus on risk mitigation and potential access for EU entities, including the European Union Agency for Cybersecurity (ENISA). As of June 2026, negotiations remain ongoing with no public resolution.
This situation highlights a growing tension regarding technological dependency on American AI companies. The EU’s AI Act aims to prevent European institutions from being subject to unilateral technology decisions by foreign headquarters. While Anthropic’s voluntary commitments were a positive step, regulators distinguish sharply between voluntary cooperation and enforceable obligations.
For investors, this precedent is critical. If Brussels mandates special access agreements or operational restrictions for AI models with cybersecurity applications, the template will apply to all frontier model developers, including OpenAI, Google, and Meta. The EU intends to be an active negotiating partner in AI deployment, not a passive consumer of Silicon Valley products.