"On the contrary, it makes it even more critical that banks step up and act now," Frank Elderson, vice‑chair of the ECB supervisory board, wrote in a regulatory newsletter — a blunt opening to a call for European banks to accelerate cyber defenses against rapidly advancing AI-enabled attack tools.
Frank Elderson and the ECB's urgent prescription
In a Wednesday regulatory newsletter, Elderson told banks that lack of access to Anthropic's Mythos "was not an excuse for inaction." He urged "bank‑specific, risk‑based" measures in line with the Digital Operational Resilience Act, and said banks must "redouble their efforts to identify vulnerabilities, even minor ones, using existing AI tools." Critically, he recommended changing patching practices so that flaws "once thought minor" are treated as urgent and fixed "right away."
Elderson also warned that other critical infrastructure relied upon by banks could now be exposed, and urged institutions to update operational resilience plans for a "higher probability of severe disruptions" and to monitor communications from EU and national authorities — and the behavior of banks that do have access to Mythos.
Anthropic's Mythos and Project Glasswing
The newsletter singled out Anthropic's Mythos as a catalyst for recent concerns about AI that can swiftly discover and exploit vulnerabilities. For reasons the ECB described as unclear, Anthropic has included European authorities and companies in Project Glasswing — a selected early‑access program for Mythos. The ECB framed access disparities as no justification for inaction, not as a security remedy.
OpenAI's GPT‑5.5‑Cyber and selective European access
On Monday, OpenAI said it would allow the European Commission and several regional firms, including Deutsche Telekom and the Spanish bank BBVA, to use its GPT‑5.5‑Cyber model for similar purposes. The ECB's note placed that development alongside Anthropic's Project Glasswing as part of a broader shift in which frontier models are being funneled, selectively, to European authorities and commercial partners.
Mistral, digital sovereignty, and secretive talks
France's Mistral, identified in the newsletter as the EU's only rival to OpenAI, Anthropic and Google DeepSeek, appears to be escalating efforts. Bloomberg, cited in the ECB piece, reported that Mistral was developing a rival to Mythos and GPT‑5.5‑Cyber and had engaged in confidential discussions with large European banks. Mistral CEO Arthur Mensch told a French parliamentary inquiry that a local alternative is essential: "You can't have the French military's source code scanned by Mythos," he argued, saying that dependency would be "irreparable" and that Europe "absolutely must find solutions."
The U.K. AI Security Institute, METR, and accelerating capability
The U.K.'s AI Security Institute (AISI), which had early access to a Mythos Preview model and validated its capabilities a month earlier, said a newer checkpoint demonstrated a "stronger" leap in cyber performance. AISI reported that the newer variant delivered "stronger cyber results than the previous version, including the first completion of both our cyber ranges."
AISI quantified recent model progress: in February 2026 it estimated that frontier models' 80%‑reliability cyber time horizon had been doubling every 4.7 months since late 2024, with earlier November 2025 estimates at around eight months. AISI said Claude Mythos Preview and GPT‑5.5 have "significantly outperformed this trend," and that it was unclear whether those models marked an isolated break or a new, faster trend. The institute cited time‑estimate work by METR, which sees a consistent 4.2‑month doubling time on software tasks.
AISI concluded: "Frontier AI's autonomous cyber and software capability is advancing quickly: the length of cyber tasks that frontier models can complete autonomously has doubled on the order of months, not years," and warned that while the evidence does not predict exact thresholds, "the time to invest in strong security baselines is now."
What this means for European banks, regulators, and critical‑infrastructure operators
- Banks: Per the ECB, banks must reassess vulnerability‑management and patching cycles, treat previously minor flaws as urgent, and update operational resilience plans to reflect a higher probability of severe disruptions tied to automated hacking.
- Regulators and national authorities: The ECB urged attention to communications from EU and national bodies and monitoring of firms with access to frontier models; that reflects a regulatory push to align controls with the Digital Operational Resilience Act.
- Critical‑infrastructure operators: The ECB specifically flagged other critical services on which banks depend as potential attack surfaces that now merit reassessment given more powerful and prevalent automated hacking tools.
The recent cluster of warnings — from the ECB, the International Monetary Fund and Germany's financial regulator Bafin — and the selective release of frontier cyber models to European actors frame a fast‑moving problem: powerful AI tools are being developed and parceled out even as their demonstrated cyber capabilities accelerate. The ECB's message is straightforward and immediate: limited access to those tools cannot serve as an excuse for delay, and defensive practices must change now.




