OpenAI Unlocks Cybersecurity Model for Europe

Artificial Intelligence & Machine Learning , Geo-Specific , Next-Generation Technologies & Secure Development OpenAI Unlocks Cybersecurity Model for Europe German Financial Regulator Warns Sector to Step Up Defenses David Meyer • May 12, 2026     Share Post Share Credit Eligible Get Permission Image: Shutterstock OpenAI is stepping up to do what arch-rival Anthropic still won't. The artificial intelligence firm will give European authorities and companies access to its new vulnerability-finding AI model, so they can beef up their cybersecurity. See Also: Context Drives Security in Agentic AI Era On Monday, the European commission said OpenAI had agreed to let it poke around GPT-5.5-Cyber, which is the company's answer to Anthropic's Mythos Preview. At a press briefing, spokesman Thomas Regnier welcomed OpenAI's "transparency" and said the development would allow the EU executive body to "follow the deployment of this model very closely, but also to potentially address certain security concerns in a closer way." There are still many details to be established, in talks that Regnier said will continue this week. One big question is who at the commission will get access to the model. The contenders are the commission's new AI Office, its directorate-general for technology - which has a cybersecurity director - and cybersecurity agency ENISA. "One step at a time," said the spokesman. Regnier wouldn't be drawn on the implications for Anthropic's recalcitrance, saying: "With one [AI firm] you have a company proactively offering to give access… with the other one we have good exchanges [and] we're not at a stage where we can speculate on potential access or not." OpenAI said Tuesday that it will allow dozens of European companies into its Trusted Access for Cyber program, which, like Anthropic's Project Glasswing, lets organizations play with restricted access models that have serious prowess in finding and exploiting vulnerabilities. Participants in OpenAI's program will include telecommunications giants Deutsche Telekom and Telefonica, the Spanish bank BBVA - which is also becoming a founding partner in the new OpenAI Deployment Company - and German digital investment platform Scalable Capital. "We need to block dangerous activity, while making sure trusted defenders have tools that are genuinely useful in protecting systems, finding vulnerabilities and responding to threats quickly," said OpenAI EMEA managing director Emmanuel Marill, who was poached from Airbnb just a couple weeks ago, in a statement. U.K.-based Sophos is also joining the program. Its chief technology officer, John Peterson, said in the statement that the cybersecurity firm would be "leveraging these capabilities" in Sophos MDR, its agentic security operations center. OpenAI said the head of its OpenAI for Countries initiative, former U.K. chancellor George Osborne, presented the commission and EU member states with an action plan that included access to the latest models and briefings with OpenAI's safety and security teams. OpenAI did not respond to a request for comment on why it is happy to let European organizations into the fold, while Anthropic refuses to do so (see: European MEPs Push for Stronger Post-Mythos Cybersecurity). German financial regulator Bafin warned Tuesday that new frontier AI models will put new pressure on cybersecurity, stating that measures that are "good today will be far from sufficient tomorrow." "Companies must prepare themselves for the fact that they will have to patch these vulnerabilities far more quickly. In the past, patch management cycles could be measured in months," said Bafin president Mark Branson in a speech marking the release of the authority's latest annual report. "In the future, they will have to be completed within a few days, if not hours. This will be very challenging, especially for small and medium-sized enterprises. But it will be essential that they rise to this challenge." Branson acknowledged that speeding up the process could cause issues of its own, noting darkly that "we all remember CrowdStrike, the mother of all patching problems" (see: Microsoft Sees 8.5M Systems Hit by Faulty CrowdStrike Update). He also announced the creation of a new division within the regulator's ever-expanding Directorate for Cyber Risks and Technology in the Financial Sector, which will focus on carrying out speedy and targeted "IT spotlight" inspections. "If we conduct inspections, we always find issues - particularly with patch management," Branson said. "The best way we can contribute to cybersecurity is therefore to conduct an even greater number of more targeted inspections. The information gathered in the process will help us and the companies to better assess risks and to further strengthen the resilience of the financial sector." Bafin took on the role of the German financial sector's central reporting hub for serious ICT incidents at the start of last year, when the EU's Digital Operational Resilience Act - DORA, a regulation that focuses on the financial sector - entered into force. According to its new annual report, Bafin took in 733 incident reports over 2025, of which around a tenth related to cybersecurity incidents, mostly cyberattacks. Per Bafin, 31.1% of those attacks were phishing, 28.3% involved malware and hacking, 15% were denial-of-service attacks and 13.3% were ransomware incidents. Two-fifths of the attacks affected service providers rather than the financial entities themselves. The regulator warned of financial companies' increasing dependency on outsourced service providers, which are often headquartered outside the EU, creating risks around cybersecurity and data protection compliance. "In some cases, there are also doubts about data security because it cannot be ruled out that foreign authorities may demand access to the data of European companies," it said.