ECB Summons Banks to Fix AI-Exposed Cyber Flaws

ECB Calls Emergency Meeting as Anthropic's Mythos AI Exposes Critical Cybersecurity Flaws in European Banking

The European Central Bank summoned eurozone banks to a hastily arranged meeting on May 24, 2026, urging them to urgently address cybersecurity vulnerabilities exposed by the latest generation of AI models — most notably Anthropic's Claude Mythos Preview. The ECB's supervisor made clear it would use the meeting to stress the seriousness of risks to the financial system, a move that underscores how rapidly artificial intelligence has shifted from a productivity opportunity to a systemic threat concern for European financial regulators.

The emergency summons arrives weeks after Anthropic unveiled Project Glasswing, a controlled-access program for its Claude Mythos Preview model — a general-purpose frontier AI that Anthropic itself describes as having "reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities." In controlled testing, Mythos Preview has already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser. Among its documented discoveries: a 27-year-old bug in OpenBSD and a 17-year-old remote code execution flaw in FreeBSD.

The problem for European banks is stark: they do not have access to Mythos. And regulators are not letting that fact be an excuse for inaction.

The Access Gap That Is Forcing Europe's Hand

Anthropic restricted Mythos Preview to a consortium of approximately 40 technology and critical infrastructure companies under Project Glasswing, committing up to $100 million in usage credits for the model alongside $4 million in direct donations to open-source security organizations. JPMorgan Chase was the only bank included in the initial group. Since then, executives at Morgan Stanley, Goldman Sachs, and Bank of New York Mellon confirmed on their latest earnings calls that they have gained access to the model — but that access has remained concentrated among U.S.-based institutions.

Eurozone banks, by contrast, have been left working from secondhand intelligence. As of May 8, 2026, eurozone banks still did not have access to Mythos, according to a source with knowledge of the matter cited by S&P Global Market Intelligence. The World Economic Forum reported in May 2026 that smaller banks globally were being warned through shared findings from larger peers — an information chain that places European institutions several steps removed from the original source.

ECB Executive Board member and Vice Chair of ECB Banking Supervision Frank Elderson addressed the access gap directly in the ECB's Supervision Newsletter, making clear that being locked out of the model is not a valid reason for delay. "Lack of access is not an excuse for inaction. On the contrary, it makes it even more critical that banks step up and act now," Elderson stated. He also warned that banks must update their planning for serious disruptions: "Banks therefore need to update their operational resilience plans to cater for the higher probability of severe disruptions."

ECB President Christine Lagarde separately acknowledged the geopolitical dimension of the situation, stating that the ECB is studying defenses against cyberattacks powered by Mythos, but conceding that Europe is at a disadvantage because it has no access to it.

What Mythos Revealed — and Why Regulators Are Alarmed

To understand the urgency behind the ECB's emergency meeting, it helps to understand what Mythos Preview actually demonstrated. Anthropic's own Project Glasswing announcement described the model's implications in direct terms: "Claude Mythos Preview is a general-purpose, unreleased frontier model that reveals a stark fact: AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities."

The company did not soften the downstream consequences either. In a corporate statement accompanying the Project Glasswing announcement, Anthropic warned: "The fallout — for economies, public safety, and national security — could be severe."

Anthropic CEO Dario Amodei put the threat in concrete terms in comments to CNBC: "The danger is just some enormous increase in the amount of vulnerabilities, in the amount of breaches, in the financial damage that's done from ransomware on schools, hospitals, not to mention banks."

The UK's AI Security Institute added a quantitative dimension to the escalation, estimating that frontier models' 80%-reliability cyber time horizon had doubled every 4.7 months since reasoning models emerged in late 2024 — a compounding acceleration that regulators are struggling to match with supervisory frameworks designed for slower-moving risks.

The ECB's response was not limited to the May 2026 emergency meeting. Frank Elderson also stated in the ECB's Supervision Newsletter that banks and their contractors need to quickly fix even minor vulnerabilities that have typically been patched only in longer software update cycles — a direct challenge to the update cadences that most financial institutions have historically considered acceptable.

Europe's Regulatory Response in a Global Context

The ECB's emergency summons is part of a wider scramble among financial regulators worldwide. In the United States, Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened an urgent meeting with bank chief executives to warn them about the risks posed by Mythos. In Canada, Mythos was discussed at a meeting attended by representatives of the Finance Ministry, the Bank of Canada, and bank executives. Bank of England Governor Andrew Bailey stated that central banks and financial regulators must quickly understand the implications of the new model.

For Europe, the response carries an additional layer of complexity: sovereignty. Mistral, the French AI company, was reportedly developing its own rival to Mythos and had been in talks with large European banks, according to BankInfoSecurity reporting in May 2026. Mistral CEO Arthur Mensch articulated the underlying concern in remarks to a French parliamentary inquiry: "You can't have the French military's source code scanned by Mythos. That creates such an irreparable dependency that we absolutely must find solutions."

Separately, OpenAI stated it would allow the European Commission and several European companies to use its GPT-5.5-Cyber model — a cybersecurity-focused offering that represents a partial, if incomplete, answer to the access gap European institutions face with Mythos.

The ECB Had Already Flagged AI as a Top Risk — But the Threat Moved Faster

The ECB's emergency response did not emerge from a standing start. Tech risk had already been elevated as one of the ECB's top supervisory priorities for the 2026–2028 period, specifically under Supervisory Priority 2 on operational resilience and ICT capabilities, according to an ECB supervisory speech from February 24, 2026. ECB Banking Supervision had also conducted workshops with a sample of 13 supervised banks — headquartered across nine European countries — as part of its 2025 AI supervisory priorities.

The scale of AI adoption within the European banking sector makes the urgency even more acute. According to the ECB's own March 2026 speech on AI and the euro area economy, nearly 90% of significant euro area banks already use AI technologies. Realized digital technology investments in 2025 amounted to more than €4 billion in aggregate across the euro area banking system — equivalent to around 1.3% of total tangible assets. More than 85% of large banks under European supervision were already using AI in some form as of early 2026, according to ECB Banking Supervision board member Pedro Machado, speaking at a RiskTech Conference in Frankfurt in February 2026.

Machado's warning at that conference now reads as prescient: "AI does not dilute responsibility. If anything, it raises the bar."

Despite the rapid adoption figures, the ECB's supervisory workshops found that governance and accountability frameworks were lagging behind the pace of deployment — precisely the gap that Mythos's capabilities have now turned from a compliance concern into an active risk.

What Comes Next for Eurozone Banks

The ECB has been explicit about what it expects from supervised institutions in the near term. Frank Elderson's statements in the Supervision Newsletter point to two immediate priorities: accelerating the patching of known vulnerabilities — including minor ones that would previously have waited for longer software update cycles — and updating operational resilience plans to account for a materially higher probability of severe disruptions.

The broader question of access to frontier AI models for defensive purposes remains unresolved. The World Economic Forum reported in May 2026 that banks in the US, EU, and Japan are all scrambling to fix cyber vulnerabilities surfaced by Mythos, with smaller institutions relying on filtered information from larger peers. Whether European regulators will secure access to Mythos — or whether European AI development through companies like Mistral can close the capability gap — remains an open question as of late May 2026.

What is clear is that the ECB views the current moment as one requiring extraordinary speed. The hastily arranged nature of the May 2026 meeting — rather than routing urgency through the ECB's standard supervisory calendar — is itself a signal of how seriously the regulator is treating this inflection point.

For more tech news, visit our news section.

Why This Matters Beyond Banking

The ECB's emergency response to AI-exposed cybersecurity vulnerabilities is a signal that the operational resilience conversation is no longer abstract. For anyone whose finances, data, or digital infrastructure touch the European banking system — which is to say, nearly everyone in the eurozone — the pace at which institutions patch their systems in the coming months will have real consequences. The intersection of AI capability and critical infrastructure security is no longer a future risk scenario. According to the evidence available as of May 2026, it is a present one.

At Moccet, we believe that staying informed is the first step toward staying protected — whether you're managing personal finances, running a business, or simply trying to make better decisions in an increasingly complex digital environment. Understanding how systemic risks like AI-driven cybersecurity threats evolve helps you make smarter choices about where you keep your data, how you evaluate the platforms you use, and how you protect your own productivity and financial wellbeing. Join the Moccet waitlist to stay ahead of the curve.