Mythos AI and Banking: Where DORA, NIS2 and the AI Act Fall Short
Disclaimer
This analysis is for educational purposes only and does not constitute legal advice. The information provided is general in nature and may not apply to your specific situation. Laws and regulations change frequently; verify current requirements with qualified legal counsel in your jurisdiction.
Last Updated: June 9, 2026
The arrival of Claude Mythos Preview has unsettled the assumptions on which Europe's financial cybersecurity framework rests. Not because it is the first AI model with offensive capabilities, but because it is the first one distributed at institutional scale, under a structured access programme, with the explicit argument that only those who understand the weapon can defend against it. That logic is sound within the doctrine of offensive security. Applied to the legal architecture of the European Union, it fractures three pillars on which the bloc has built its digital resilience regime: DORA, NIS2 and the AI Act. The European Central Bank has responded with the tools at its disposal: meetings with supervised banks and an upcoming letter to their chief executives. The relevant legal question is not whether that response is proportionate. It is whether current law allows anything more.
Offensive AI as a Category Without Precise Regulatory Fit
Anthropic has distributed Claude Mythos Preview through Project Glasswing to one hundred and fifty organisations across fifteen countries, including major Spanish financial institutions. The model can discover vulnerabilities in complex systems at a speed and scale qualitatively beyond anything seen before, and, according to available reporting, can transform security patches into exploitable attack vectors. That last capability has no precedent in the threat frameworks the EU legislator used as reference when drafting the regulations currently in force.
The problem is not that Mythos is illegal. It is that it does not fit cleanly into any of the categories European law has constructed to manage high-risk AI or cybersecurity systems. The AI Act (Regulation (EU) 2024/1689) classifies AI systems by their declared function and deployment context, not by their potential for misuse. A system a bank uses to audit its own infrastructure is not, under the Regulation's criteria, a "high-risk AI system" within the meaning of Annex III. Nor does it constitute a prohibited AI practice under Article 5, whose catalogue targets manipulation of individuals, social scoring and biometric identification, not vulnerability analysis tools. Mythos, as distributed within Project Glasswing to organisations using it in a defensive mode, does not trigger any of those prohibitions.
What European law lacks is a category for what might be termed dual-use offensive AI systems: models whose primary function is legitimate and whose destructive potential lies not in the provider's intention or the recipient's declared use, but in the transferability of the knowledge they generate. That absence is not a drafting oversight. It reflects the fact that the AI Act was designed to manage the risk of deployed systems, not the emergent risk of the capabilities those systems produce when they act as analysers of critical infrastructure.
DORA and NIS2: A Resilience Regime Facing a Risk It Did Not Anticipate
The DORA Regulation (Regulation (EU) 2022/2554) entered into application in January 2025 with the aim of unifying digital operational resilience requirements across the financial sector. Its regulatory architecture rests on three pillars: ICT risk management (Articles 5–16), operational resilience testing (Articles 24–27) and incident notification (Articles 17–23). The flagship instrument of the testing pillar is the TIBER-EU framework, which allows simulating advanced persistent threat attacks on financial infrastructure using accredited red teams.
The structural problem DORA faces against Mythos is its temporal assumption. Penetration tests and TIBER-EU exercises are conducted in periodic cycles, with specialist human teams, against identified attack vectors. Mythos breaks that assumption: an attacker with access to the model can run continuous analysis of an entity's attack surface, identify vulnerabilities in near real time and adapt the attack vector to whatever mitigations have been implemented. DORA provides no response mechanism for a risk operating on that timescale. Articles 13 and 14, which govern third-party ICT risk management, impose due diligence obligations on critical providers but include no specific regime for AI-assisted vulnerability analysis tools that the provider itself distributes to the supervised entity's competitors.
NIS2 (Directive (EU) 2022/2555) adds a further layer but does not resolve the underlying issue. The Directive classifies essential and important operators by sector and requires proportionate cybersecurity risk management measures. Significant banks under ECB supervision are essential operators in the banking sector. NIS2 requires them to have network and systems security policies, incident management, business continuity and supply chain security measures. However, Article 21, which lists risk management measures, operates on an inventory logic: it identifies categories of measures entities must implement, not criteria for continuous adaptation at the pace of threat evolution. A bank that fully complies with NIS2 may simultaneously have an attack surface that Mythos has already analysed, and no current security measure capable of covering the exposure.
The fracture is not one of non-compliance. It is a structural gap between the regulatory update cycle—operating on the order of years—and the cycle at which the offensive capability of a model like Mythos evolves once distributed, which operates on the order of weeks.
The AI Act and the Dual-Use Paradox
The current version of the AI Act contains no specific provisions on AI systems designed for cybersecurity analysis. Recital 49 notes that cybersecurity systems "should not be considered high-risk if they are not intended for use in relation to critical infrastructure", a deliberate exclusion from intensive regulation. The EU legislator chose not to enter that territory, presumably to avoid impeding the development of legitimate defence tools.
That exclusion was reasonable when the reference framework was vulnerability scanners and patch management platforms. It is insufficient when the system under analysis can discover attack vectors no human analysis would have identified, at a marginal cost approaching zero for the attacker. The dual-use paradox of Mythos can be stated precisely: Anthropic distributes it so that banks understand their actual exposure and reduce it before malicious actors reach the same conclusions. That argument is coherent with the logic of offensive red-teaming. But the systemic effect of the programme is that one hundred and fifty organisations across fifteen countries now have access to a depth of vulnerability analysis without precedent, and none of the EU regulatory frameworks addresses what happens when that knowledge migrates, voluntarily or otherwise, beyond the perimeter of controlled access.
The AI Act, under Article 57, provides controlled testing environments (regulatory sandboxes) allowing providers to develop and validate innovative AI systems under specific regulatory oversight. Anthropic does not appear to have sought any European sandbox for the distribution of Mythos within Project Glasswing. The question the Regulation does not answer is whether a provider distributing a model with advanced offensive capabilities to supervised financial institutions should be subject to additional oversight beyond that applicable to ICT providers under DORA.
There is an argument that it should. Article 28 of the AI Act, on distributor obligations, provides that any person making an AI system available on the Union market must ensure that the system meets applicable requirements. If Mythos is not a high-risk system under Annex III, its compliance obligations are minimal. But the model's capacity to identify and potentially facilitate the exploitation of vulnerabilities in critical financial infrastructure does not fit comfortably within the "minimal risk" category the Regulation associates with unclassified systems. The AI Act's architecture was designed for a world in which AI represents a risk at the point of final deployment, not a risk in the capability it generates during the analysis process.
The ECB's Supervisory Response: Legal Architecture and Real Reach
The ECB has reacted with the instruments its legal framework provides. In April 2026 it convened a meeting with SSM banks to analyse cybersecurity contingency plans. Weeks later it held a second meeting on resilience against cyberattacks. It is now preparing a Dear CEO letter to the chief executives of supervised institutions, including the ten Spanish banks under direct supervision, requesting that they adopt proactive measures.
The Dear CEO letter is a form of soft supervisory guidance with a specific history within the SSM. It does not constitute an individual supervisory decision, a binding recommendation, or a formal instruction with a compliance deadline and automatic legal consequences for non-compliance. Its legal effect is, in principle, that of a formalised supervisory expectation: the bank receiving it knows the ECB will use it as a due-diligence benchmark in future SREP reviews. If a bank ignores the measures requested and then suffers an incident related to the vulnerabilities the ECB had flagged, that inaction will carry weight in the governance risk assessment and potentially in additional capital requirements.
That indirect mechanism is not negligible. The ECB can convert the letter's expectations into formal SREP evaluation criteria without requiring additional legislation. The SSM Regulation (Regulation (EU) No 1024/2013) grants the ECB prudential supervision powers over significant institutions that include assessing internal governance frameworks and risk management, and cybersecurity risk has been explicitly incorporated into the SREP as an evaluation dimension since the revised EBA guidelines of 2023. What the ECB can do, in practical terms, is elevate the cybersecurity expectations in the letter to compliance criteria that affect capital ratios.
What the ECB cannot do with that instrument is considerably more significant. It cannot instruct banks to adopt any specific technology. It cannot prohibit supervised entities from using Mythos or comparable tools. It cannot establish binding technical cybersecurity standards with general legal effect: that competence belongs to ENISA under the Cybersecurity Act (Regulation (EU) 2019/881) and to the EBA in coordination with NIS2. And, perhaps most significantly, it cannot regulate the model's supply chain: it does not supervise Anthropic and cannot impose direct obligations on Project Glasswing as a distribution scheme for offensive capabilities to entities in the European financial sector.
Frank Elderson's statement at the Goldman Sachs conference is legally precise in its formulation: banks must act "before these technologies are used more widely by cybercriminals." The ECB implicitly acknowledges that its window for action is the time difference between the controlled distribution within Project Glasswing and the eventual democratisation of equivalent capabilities. That window exists but cannot be quantified, and the compliance mechanism of the Dear CEO letter does not guarantee that banks will exploit it at the necessary pace.
The Structural Inadequacy of the Reactive Model and a Reform Proposal
The argument Anthropic has used to justify Project Glasswing is analogous to the argument that underlies vaccination as a public health policy: exposing institutions to knowledge of the risk before that risk materialises in an uncontrolled way. It is an argument with strong backing in offensive security doctrine, but it transfers to the legal domain a premise EU law has not explicitly validated: that the controlled distribution of advanced offensive capabilities to private actors is, in itself, a systemic risk-reduction measure.
That premise deserves doctrinal scrutiny. European law has dealt with analogous dilemmas elsewhere: disclosure of pharmaceutical vulnerabilities, reporting of security flaws in critical infrastructure under the coordinated vulnerability disclosure regime of NIS2 (Article 12), and knowledge management in computer security incident response teams. In each of those contexts, EU law has opted for controlled-access regimes with notification obligations, not open distribution to trusted actors.
What the current regulatory framework lacks is a specific regime for AI providers that distribute models with critical infrastructure analysis capabilities. Three reforms merit doctrinal consideration.
The first is extending the critical third-party ICT provider regime under DORA to providers of AI models with cybersecurity analysis capabilities. Article 31 of DORA provides for the designation of critical third-party ICT providers subject to direct oversight by the European Supervisory Authorities. That regime was designed for cloud service providers and processing infrastructure. Extending it to providers of AI models with advanced offensive capabilities is legally achievable without legislative reform, through regulatory development of Article 31(3), which grants the ESAs authority to determine designation criteria. Anthropic would not be the only entity affected: any provider of a model with equivalent capabilities would be subject to analogous oversight.
The second reform concerns DORA's threat intelligence sharing regime. Article 45 provides for voluntary sharing of cyber threat information among financial entities. The voluntary nature of that regime is consistent with the principle of business autonomy, but it generates an information asymmetry: entities with greater resources for threat analysis accumulate informational advantage over smaller entities sharing the same exposure perimeter. A mandatory information-sharing regime covering vulnerabilities identified by AI—triggered when the analysis has been produced by tools distributed under institutional controlled access—would reduce that asymmetry and increase the sector's systemic resilience without imposing disproportionate costs on individual entities.
The third and most structural proposal is the incorporation, in the AI Act's next revision, of a category of AI systems with high dual-use potential in critical infrastructure. That category would not necessarily imply prohibiting the affected models, but would subject their distribution to a supervised sandbox regime, with transparency obligations towards competent authorities regarding identified vulnerabilities, and with ENISA participating as a recipient of the exposure analyses produced when those tools are used against entities classified as essential operators under NIS2. The administrative burden of that regime would be significant but not greater than what DORA already imposes on financial entities for their TIBER-EU testing obligations.
The ECB Letter as a Symptom
The Dear CEO letter the ECB is preparing is not an inadequate response. It is the maximum response that current law permits to a supervisory authority that has correctly identified the problem and lacks the instruments to address it at the necessary scale. Elderson is right when he says that banks must act before Mythos or its equivalents reach the hands of malicious actors. The question is whether a letter, however well constructed, can impose the response velocity that objective requires.
The European financial sector has, with DORA, the most articulate digital operational resilience regime in the world. It also has, with the SSM, the most concentrated supranational direct banking supervision available. Neither of those strengths resolves the underlying problem: no compliance system built around annual evaluation cycles can respond to a threat that evolves at the pace of a well-tuned AI model. KPMG describes that shift as the move from a reactive model to one based on anticipation, automation and operational resilience. That description is correct as a risk management diagnosis. What no consultancy can provide is the normative framework that converts anticipation into a legally enforceable obligation, with concrete supervisory consequences for those who fail to implement it.
That framework does not yet exist. The ECB's Dear CEO letter is the implicit acknowledgment of that gap. It may also be the starting point for a reform that European law, as a whole, has not yet begun with the urgency the Mythos phenomenon—and those that will follow—demands.