The European Central Bank is taking urgent action to address the cybersecurity risks posed by advanced artificial intelligence models, convening a meeting with major banks on Tuesday. The gathering follows growing concern across the European financial sector about Anthropic's Claude Mythos Preview, a frontier AI model that has already identified thousands of zero-day vulnerabilities in widely used operating systems and browsers. These flaws, previously unknown to developers, represent a critical threat to financial institutions that rely on software from companies like Microsoft, Google, and Apple.
Background of the AI cybersecurity threat
Mythos, developed by San Francisco-based Anthropic, is part of a new generation of AI models that can autonomously search for software vulnerabilities and create working exploits. In controlled testing, the model produced successful exploits on its first attempt more than 83% of the time, often outperforming human cybersecurity specialists. This capability has alarmed regulators worldwide, as the speed and scale of AI-driven vulnerability discovery far exceed traditional methods. The model operates by reverse-engineering software patches and identifying security holes that human teams might overlook.
The ECB's intervention comes after months of internal discussions within the European Union about how to respond to the rapid advancement of AI in cybersecurity. The meeting will involve senior executives from major European banks, including Deutsche Bank, BNP Paribas, Santander, and others. ECB Executive Board member Frank Elderson stated that while the central bank has been working with lenders on cybersecurity for years, the progress in AI demands faster action. “There is a whole range of issues on cyber security that we have been engaging on with the banks for years which are all still valid, but given the progress in AI, they need to be dealt with faster,” he told the Financial Times.
Access imbalance and information asymmetry
One of the central challenges discussed at the meeting is the unequal access to Mythos. Only about 40 to 50 organizations have been granted permission to use the model through Anthropic's controlled distribution program called Project Glasswing. These include major US technology companies like Amazon, Microsoft, Google, and Nvidia, as well as cybersecurity firms CrowdStrike and Palo Alto Networks, and financial giant JPMorgan Chase. No European bank is currently on the list, creating a significant information gap. European lenders cannot directly use the most powerful tool for finding vulnerabilities in their systems, while their US counterparts can.
Anthropic has briefed the Financial Stability Board on the findings of Mythos at the request of Bank of England Governor Andrew Bailey, who chairs the board. The Federal Reserve and the US Treasury have also convened meetings with bank CEOs to discuss the risks. Real-world data from Palo Alto Networks indicates that advanced AI models are discovering vulnerabilities at seven times the usual rate, and the firm has warned that the industry may have only three to five months of defensive buffer remaining before the gap becomes unmanageable.
Call for faster patching
Elderson's message to banks is blunt: patch faster. AI models can now reverse-engineer software fixes within minutes of their release, meaning the window between a vulnerability being patched and being exploited has collapsed. Banks and their IT contractors can no longer afford to leave even minor vulnerabilities for longer update cycles. European banks cannot use their lack of access to Mythos as an excuse for inaction, because malicious actors could soon gain access to equivalent technology. This urgency is underscored by Anthropic's own warning that adversaries could replicate the capability within six to twelve months.
The ECB is pushing banks to comply with the Digital Operational Resilience Act (DORA), the EU's cybersecurity law for financial services that requires institutions to manage IT risk, test resilience, and report incidents. The question is whether DORA's framework can keep pace with AI models that are finding decades-old vulnerabilities faster than the institutions responsible for fixing them. Banks are being asked to adopt continuous vulnerability assessment processes, automate patch deployment, and invest in AI-driven defensive tools.
European regulatory scramble and political pressure
The ECB's action follows a broader regulatory scramble across Europe. Euro-area finance ministers have demanded access to Mythos, and European Commissioner Valdis Dombrovskis confirmed on 4 May that the EU is in talks with Anthropic about having companies and banks tested for vulnerabilities the model uncovers. However, those talks have made little progress. Reports from Spanish officials in mid-May indicated the negotiations had effectively stalled, leaving European institutions in a precarious position.
The impasse has created an opening for rivals. French AI startup Mistral AI is in discussions with European banks about deploying its own cybersecurity model, designed to identify vulnerabilities in the same way Mythos does. CEO Arthur Mensch has framed the effort as a question of technological sovereignty, leveraging existing banking clients including HSBC and BNP Paribas. The model is still under development and has no confirmed release date, but it represents a potential European alternative.
Broader implications for the financial sector
The stakes are not theoretical. Banks today rely on a vast ecosystem of software from hundreds of vendors, each with its own update cycle. A single zero-day vulnerability in one widely used component, Apache Log4j, caused chaos in 2021, affecting countless organizations. With AI models like Mythos, the scale and speed of such attacks could multiply dramatically. The ECB expects banks not only to patch faster but also to re-evaluate their entire software supply chain security. This includes third-party vendors, cloud providers, and internal development teams.
For European banks, the situation is uncomfortable. The most powerful tool for finding the flaws in their systems exists, they are not allowed to use it, and the regulator is telling them to fix the problems it reveals anyway. The political pressure to resolve the access question is mounting, but until it is, European lenders are being asked to defend against threats they cannot fully see. The ECB's meeting on Tuesday is a step toward bridging this gap, but the path forward remains uncertain.