"A race against time has begun, and Europe is not prepared," European lawmakers warned in a letter to the European Commission, framing an urgent push for new defensive measures after the arrival of advanced artificial intelligence models with demonstrated cyberoffensive capabilities.
MEPs press Henna Virkkunen with concrete demands
Dozens of members of the European Parliament — cross-party except for the far right — sent a missive to Henna Virkkunen, the European Commission executive vice‑president responsible for tech sovereignty and security, pressing for rapid action. The letter singles out Anthropic's Mythos as an inflection point and warns that reports of unauthorized parties gaining access to Mythos "underscore that this threat is no longer hypothetical."
The lawmakers call for several specific measures: that Europe be included in Anthropic's Project Glasswing; that the Commission accelerate adoption of zero trust architectures, assume‑breach principles and AI‑assisted defensive tools with concrete guidance for public institutions and private enterprises; that vulnerability disclosure policies and patching frameworks be reformed to "reflect compressed AI‑driven timescales"; and that member states promote immediate reductions of attack surface, further network segmentation and prioritization of protection for "crown jewels." The letter also makes clear it is not seeking restrictions on AI‑powered defensive measures, saying such tools "are equally indispensable to our defense."
Project Glasswing, Anthropic, and EU access
Anthropic is restricting access to Mythos through a selective testing program dubbed Project Glasswing. According to the Commission's spokesman Thomas Regnier, the EU institution had not gained access to Project Glasswing at the time of publication. "There are clearly some cybersecurity concerns that have to be addressed, and I can tell you that the company is engaging in good faith with the commission, but I will not speculate about potential future access or not," Regnier said at a Monday press briefing.
Anthropic declined to respond to a request for comment on why the EU is not yet participating in Project Glasswing, and the European Commission had not replied to a request for comment at the time the article was published.
Mythos' reported capabilities and international reactions
The U.K.'s AI Security Institute received early access to Mythos Preview and in mid‑April reported the model was "at least capable of autonomously attacking small, weakly defended and vulnerable enterprise systems where access to a network has been gained," while noting uncertainty about the model's ability to attack well‑defended systems. Those findings helped prompt tangible operational changes: England's National Health Service instructed tech managers to set GitHub repositories to private by the start of next week, saying, "We are temporarily restricting access to some NHS England source code to further strengthen cybersecurity while we assess the impact of rapid developments in AI models," a spokesperson told ISMG.
Responses outside Europe are also in motion. A Bloomberg report quoted Kyriakos Pierrakakis, president of the Eurogroup, warning that frontier AI models "may soon present challenges of a potentially systemic nature." In the U.S., where the second Trump administration had so far chosen an entirely hands‑off approach to AI regulation, The New York Times reported the president is now considering reintroducing government oversight, including "potential plans" for a formal government review process for new AI models. Separately, the administration announced that Google DeepMind, Microsoft and xAI agreed to give the Center for AI Standards and Innovation — part of the Department of Commerce's National Institute of Standards and Technology — access to models before public release for "pre‑deployment evaluations and targeted research to better assess frontier AI capabilities and advance the state of AI security."
What this means for ENISA, security teams, and open‑source maintainers
- ENISA and European cybersecurity planners: The letter explicitly asks the Commission to "bring together our companies, institutions and the European cybersecurity agency ENISA" to develop defensive solutions — signaling a push for centralized coordination and new mandates to manage compressed response timelines.
- Security teams and public IT operators (e.g., NHS tech managers): Expect pressure to accelerate deployment of zero trust architectures, assume‑breach postures, network segmentation and targeted reductions in attack surface. The NHS example demonstrates immediate operational steps — privatizing repositories — that other public services may emulate.
- Open‑source maintainers and private enterprises: The call to reform vulnerability disclosure and patching frameworks to mirror "compressed AI‑driven timescales" will require process, resource and policy changes for projects that historically rely on more protracted disclosure cycles.
Next steps and the open operational question
The MEPs ask Henna Virkkunen to secure European participation in Project Glasswing and to deliver accelerated, concrete guidance on architectures and tools. The Commission's spokesman confirmed engagement with Anthropic but declined to predict future access, and Anthropic has not offered a public explanation for the EU's exclusion from Project Glasswing. Meanwhile, other jurisdictions and bodies are taking steps of their own: the U.K.'s AI Security Institute performed early evaluations, the NHS has tightened repository access, and select U.S. companies agreed to pre‑deployment model access with a U.S. standards body.
The operational questions now are specific and immediate: will the Commission gain access to Project Glasswing; how quickly will ENISA and national agencies convert the letter's prescriptions into enforceable guidance; and can patching and disclosure processes be adapted fast enough to match the pace of models like Mythos and open‑source equivalents such as Kimi K2.6 combined with agentic systems? The MEPs' appeal underscores a clear European demand for answers — and fast.
Source: European MEPs Push for Stronger Post-Mythos Cybersecurity (GovInfoSecurity)
