OpenAI grants EU access to GPT-5.5-Cyber as Anthropic keeps Mythos restricted

OpenAI said on Monday it would grant the European Union access to GPT-5.5-Cyber, the cybersecurity-tuned variant of its latest flagship model, in a deal that puts the US lab at least one practical step ahead of its closest rival on a fault line that has become political over the past month. The Sam Altman-led company will share the model with vetted EU member-state agencies, businesses and EU institutions, on the same limited-preview terms it announced for US cybersecurity teams last week.

Anthropic, whose comparable Mythos Preview model is currently shared with roughly 40 organisations under direct contract, said its conversations with the European Commission were "at a different stage" than OpenAI's. A Commission spokesperson, briefed reporters on Monday morning, confirmed four or five meetings with Anthropic but said "we are not at the same point" as the OpenAI agreement.

The split traces a deeper disagreement on how to release frontier cyber-capable models. Anthropic has framed Mythos as a model with capabilities — including a documented ability to complete a 32-step simulated corporate cyberattack in three out of ten attempts — that warrant unusually tight access controls. OpenAI, in a Monday blog post, said GPT-5.5-Cyber's "slightly behind" capabilities (two of ten on the same UK AI Security Institute test) were already widely matched in the open-source ecosystem and that broader defensive deployment was the right answer.

Mythos has been at the centre of a four-week political conversation in Brussels. The Commission's AI Office released a draft "responsible-disclosure framework" last Tuesday that would require commercial labs to share both capability benchmarks and limited-access copies of frontier security-relevant models with at least three EU member-state cybersecurity agencies before broader rollout. The framework is non-binding for now, but is widely understood as the template for binding rules under the AI Act's general-purpose-model code of practice.

Anthropic, whose only public Mythos rollout in Europe has been to two French cybersecurity firms, said in a Monday statement that its broader Europe plans were "active but careful", citing a separate $200 billion five-year cloud-and-chips commitment to Google announced last week as evidence of the lab's "long European horizon". The company has previously said Mythos will not be released to states or organisations under sanctions.

The Microsoft, Google DeepMind and xAI agreements with the US Center for AI Standards and Innovation — also announced last week — point in the same direction: pre-release government testing, structured carve-outs for defensive cybersecurity, and an emerging two-tier global access map in which the rest of the world will see frontier cyber-capable models on a delay.