Anthropic will allow ENISA, the European Union’s cybersecurity agency, to join Project Glasswing and gain access to Claude Mythos Preview, Bloomberg reported on June 1 citing people familiar with the matter — making ENISA the first EU institution to access the model. Anthropic communicated the decision to the European Commission over the weekend, with a trip by Commission officials to San Francisco the prior Thursday believed to be the decisive catalyst after four to five rounds of prior talks since April. ENISA spokesperson Laura Heuvinck confirmed the offer to the Financial Times, saying “it’s been offered but the conditions are still being agreed”; European Commission spokesperson Thomas Regnier stated the Commission had “several productive meetings with Anthropic” and welcomed “the latest developments on potential future access.” The terms governing data sovereignty, the scope of systems ENISA may test, and restrictions on sharing findings with EU member states have not been publicly disclosed and remain under negotiation.
The agreement ends a weeks-long standoff that had become a focal point of transatlantic AI tensions. Euro-area finance ministers, the European Central Bank, and multiple EU member states had demanded access after learning Mythos had identified vulnerabilities in systems European banks, governments, and critical infrastructure operators rely on — findings no European institution could see. Launched in April 2026, Claude Mythos Preview can autonomously identify security flaws across complex codebases and generates working exploits on the first attempt in over 83% of cases, a capability that simultaneously attracted and alarmed European regulators. Project Glasswing currently counts over 40 member organizations including Amazon, Apple, Microsoft, Google, and the Linux Foundation; the Pentagon has separately been using Mythos to patch vulnerabilities in U.S. government systems; and the UK’s AI Security Institute received access earlier. BNP Paribas and Mistral have nonetheless been developing a European alternative and will continue that effort regardless of the ENISA deal. The EU AI Act, which enters full enforcement in August 2026, contains no mechanism to compel a non-European company to share its most capable AI models with EU regulators — a structural gap the episode has laid bare.