OpenAI and Anthropic represent the two named frontier-model labs the European Commission is now in formal access talks with, with OpenAI granting EU institutions direct use of GPT-5.5-Cyber.
The European Commission confirmed the talks on 11 May 2026. OpenAI's offer puts GPT-5.5-Cyber into the hands of EU institutions, businesses, governments, the EU AI Office and member-state cyber authorities. Anthropic, after four or five Commission meetings, has not yet matched that posture on its Mythos model. Both sets of talks are unfolding against the AI Act's high-risk obligations, which begin coming into force in August 2026 and August 2027.
What the Commission Confirmed
💡EU frontier-access talks — facts at a glance
• OpenAI will grant EU institutions direct access to GPT-5.5-Cyber
• Eligible parties: EU AI Office, member states, businesses, governments, cyber authorities
• Anthropic remains in talks on Mythos but "not yet at the same stage" as OpenAI
• Commission has held "four or five" meetings with Anthropic
• AI Act high-risk obligations: phased in August 2026 and August 2027
• Both labs are headquartered in California; access is being negotiated bilaterally with Brussels
The structure of the EU offer is unusual. The deal is direct lab-to-government access, not a regulatory licensing scheme. The Commission is acquiring the right to inspect and use the model, in exchange for what amounts to a soft regulatory dividend — the labs that play along are likely to find their AI Act compliance smoother, even before the August deadlines bind.
Two Stages of Negotiation
The OpenAI deal is the more advanced. According to Commission officials cited by CNBC, OpenAI's offer covers a specific model — GPT-5.5-Cyber — and a specific set of parties — EU institutions plus member-state cyber authorities. The Anthropic conversation, by contrast, has been described as "four or five meetings" with no equivalent commitment yet on Mythos.
Source: https://www.cnbc.com/2026/05/11/openai-eu-cyber-model-anthropic-mythos-gpt.html
Research on Mythos suggests the model is the more capable of the two on cyber tasks, which makes Anthropic's hesitation politically loaded. Analysis from EU-watchers shows that the Commission's leverage rises sharply once high-risk obligations bind, but until then, labs retain real bargaining power on access terms.
Why GPT-5.5-Cyber Is First
The model name signals the framing. GPT-5.5-Cyber is positioned as a cyber-defence asset — a capability that fits cleanly into existing EU cyber infrastructure (ENISA, national CSIRTs, sector regulators). Granting access to a cyber-themed model is easier to justify domestically than granting access to a generalist frontier model whose risk profile spans every sector.
For OpenAI, the offer also pre-empts pressure. Once high-risk AI Act obligations bind, conformity assessments and regulator-access provisions will apply regardless. Offering access now — on OpenAI's terms — beats having access compelled later on the Commission's terms.
Mythos and the Anthropic Standoff
Anthropic's Mythos sits in a more uncomfortable space. The White House is grappling with the implications of Mythos in parallel, according to Reuters reporting on a US advocacy push tying federal AI contracts to safety review. Releasing Mythos to EU institutions would simultaneously affect the company's US security-policy positioning, which may explain the slower cadence in Brussels.
The substance is the same on both sides of the Atlantic — a powerful model, capability-flagged for cyber and potentially for biological-weapon adjacent work, and a regulator who wants in. The difference is that the EU has named obligations on a calendar, while the US has voluntary review and procurement leverage. Anthropic is bargaining with both clocks at once.
The August 2026 Trigger
The Commission's leverage rises in August 2026, when the first wave of high-risk obligations under the AI Act bind. Data from regulatory trackers reveals a phased rollout: foundation-model obligations earlier, full high-risk system obligations from August 2027. Lab cooperation in May 2026 buys credit against those calendars.
This is why the talks matter beyond their specific outcomes. The Commission is establishing precedent. Future model releases will be expected to come with EU-access provisions baked in. The default behaviour for frontier labs operating in or around Europe will shift from "release globally, negotiate access if asked" to "negotiate EU access concurrent with launch."
The EI Lens — Asymmetric Sovereignty
Europe is doing what every jurisdiction will eventually have to do — bargain access in exchange for inspection. The asymmetry of two California-headquartered labs negotiating with an entire continent reveals how thin frontier-model sovereignty has become for everyone else.
The dignity-first reading is harder. When the centre of gravity for frontier intelligence sits in a handful of private labs, every jurisdiction outside California is in a similar position to a colonial-era trading post — negotiating access to a technology whose roadmap and ethics are being decided elsewhere. The next decade of AI governance will be shaped less by treaties than by quiet bilateral model-access agreements between named labs and named bureaucracies.
This is the structural fact the AI Act cannot fully address. Brussels can require inspection. Brussels cannot require co-design.
Europe is doing what every jurisdiction will eventually have to do — bargain access in exchange for inspection. The deeper question is whether bargaining counts as governance when only one side gets to set the agenda.
What Follows — Other Jurisdictions Watch
Japan, the United Kingdom, Singapore, Canada, and Australia are all in some stage of frontier-AI policy work. None has yet announced a structurally similar access bargain. The EU's deal, if it holds at the GPT-5.5-Cyber phase and extends to Mythos, is the template each will study.
Research on regulatory diffusion shows that early adopters of novel governance structures tend to set the global default within roughly 18 months. The Commission is moving early on purpose. Evidence from the GDPR rollout demonstrates that the first mover writes the standard — and that the standard becomes a de facto global floor whether or not other regulators formally adopt it.
Frequently Asked Questions
These are the questions analysts and dignity-first observers have been asking since the Commission confirmed the talks. Short answers follow, drawn from CNBC's reporting, EU Commission announcements, and parallel coverage on Yahoo News and MarketScreener.
What is the European Commission's deal with OpenAI?
In short, the deal is direct access to GPT-5.5-Cyber for EU institutions, member states, businesses, governments, and cyber authorities. The answer, simply put, is that OpenAI is granting the Commission inspection and use rights on a specific cyber-themed model, in advance of the AI Act's August 2026 high-risk obligations. The key is that the access is being negotiated bilaterally with the lab, not licensed under a generic regulatory regime.
How does the Anthropic conversation differ?
Data from CNBC reveals that the Commission has held "four or five" meetings with Anthropic on Mythos but is "not yet at the same stage" as the OpenAI offer. Analysis suggests Mythos is the more capable model on cyber and potentially adjacent biological-weapon-relevant tasks, which raises the political cost of granting EU access while US safety-policy debates are ongoing. According to people familiar with the talks, no near-term Mythos access announcement is expected.
Why is access being negotiated now rather than after August 2026?
Research on regulatory pre-emption demonstrates that labs prefer to negotiate access on their own terms before binding obligations come into force. According to the Commission's stated timeline, AI Act high-risk obligations begin biting in August 2026 and August 2027. Pre-binding deals give labs control over scope, parties, and conditions; post-binding deals expose them to whatever the Commission decides conformity assessments require.
Who is the GPT-5.5-Cyber access for?
The access is for the EU AI Office, member-state governments, member-state cyber authorities, EU institutions, and qualifying businesses. In other words, the deal extends the user base of a frontier cyber-defence model from OpenAI's commercial customers to the public-sector defence and regulatory apparatus across the bloc. That extension is novel — no prior frontier model has been distributed to a regulator base of this size.
What are the real risks of bilateral access bargains?
Analysis of regulator-vendor bargains demonstrates three durable risks: capture, where the regulator becomes dependent on the lab and reluctant to enforce against it; asymmetry, where smaller jurisdictions cannot replicate the EU's leverage and are left with worse terms; and lock-in, where specific models become so embedded in regulatory workflow that switching costs make replacement prohibitive. Evidence from EU experience with vendor dependencies in cybersecurity reveals all three risks have materialised in adjacent procurement decisions.
Sources
Primary reporting from [CNBC — OpenAI to give EU access to new cyber model but Anthropic still holding out on Mythos](https://www.cnbc.com/2026/05/11/openai-eu-cyber-model-anthropic-mythos-gpt.html), 11 May 2026. Parallel coverage from [Yahoo News — EU Commission in talks with OpenAI and Anthropic over AI models](https://www.yahoo.com/news/articles/eu-commission-talks-openai-anthropic-104846609.html) and [MarketScreener](https://www.marketscreener.com/news/eu-commission-in-talks-with-openai-and-anthropic-over-ai-models-ce7f5bd8d18af626). Regulatory context from the [European Commission's AI Act framework page](https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai).
