BNP Paribas, the largest bank in the eurozone by assets, is working with French artificial intelligence startup Mistral AI to develop a cybersecurity model intended as a European counterpart to Anthropic's Mythos tool. This collaboration, reported by Bloomberg on Tuesday, underscores a growing divergence between the United States and Europe in access to advanced AI capabilities for critical infrastructure protection.
Mythos is an AI system designed to identify and exploit software vulnerabilities at machine speed. In controlled testing, it produced working exploits on its first attempt more than 83 percent of the time, often outperforming human red-teamers. Anthropic launched the tool earlier this year but deliberately restricted access to roughly 40 to 50 organizations, primarily large US technology firms, US national-security partners, and a handful of US banks like JPMorgan Chase. No European bank currently has access, despite the European Commission initiating talks with Anthropic in April, which have since stalled. Spanish officials have publicly described those negotiations as deadlocked, while the European Central Bank has warned that such tools fundamentally alter the threat landscape for all banks, regardless of who possesses them.
The Bundesbank has formally backed Brussels in pressing Anthropic for access, but Anthropic has resisted, arguing that wider distribution could turn the model itself into a weapon. This standoff has created a gap that Mistral is now trying to fill. Since at least mid-May, the French firm has been pitching a sovereign European alternative to banks and regulators across the continent. BNP Paribas's involvement represents the most concrete sign that the European banking sector is willing to commit financial resources to the project rather than waiting for a resolution between Brussels and Anthropic.
Background on Mythos and Its Implications
Anthropic's Mythos is not a generic large language model. It was trained specifically to combine vulnerability discovery with exploit generation in a single automated workflow. This dual capability means it can scan codebases, detect zero-day flaws, and generate code to exploit them, all without human intervention. In controlled internal tests, Mythos succeeded in producing working exploits on the first attempt 83 percent of the time, which is significantly faster than traditional manual penetration testing. Such speed could allow defenders to patch vulnerabilities before attackers exploit them, but it also poses a risk if the model falls into malicious hands.
The European Central Bank has publicly stated that as tools like Mythos become available, the defensive side must have equivalent capabilities to maintain balance. ECB Executive Board Member Frank Elderson recently told banks that if attackers obtain a comparable model, defenders without one will be structurally behind. This assessment has accelerated the search for alternatives, particularly among European financial institutions that handle critical payments infrastructure and sensitive customer data.
Mistral AI's Role and Capabilities
Mistral AI has emerged as Europe's best-funded foundation-model company, having raised hundreds of millions of euros from investors including Andreessen Horowitz, Lightspeed Venture Partners, and Salesforce. The company was founded by former Google DeepMind and Meta researchers Arthur Mensch, Timothée Lacroix, and Guillaume Lample. Its models have been praised for their efficiency and performance, often rivaling larger US competitors while using fewer computational resources. Mistral already has a three-year commercial agreement with BNP Paribas signed in February for its broader product lineup, which includes general-purpose language models for tasks such as customer service automation, document analysis, and risk assessment.
The cyber-focused model now under development is a specialized addition to that lineup. However, on current public reporting, its specific capabilities have not been independently demonstrated. Mimicking Mythos's ability to combine vulnerability discovery with exploit generation is a significant engineering challenge. Anthropic has accumulated vast amounts of red-team data and security incident reports to train its system, and Mistral may not have equivalent access. Nevertheless, the pitch to BNP Paribas and other European bank prospects is that a sovereign model with even somewhat lower capability is preferable to having no model at all on the defensive side. It also serves as a hedge against the possibility that Brussels-Anthropic talks collapse permanently.
European Tech Sovereignty in Practice
The broader pattern here is familiar from the past year of European technology policy. When a US firm builds a frontier capability and restricts access—whether on safety, national security, or commercial grounds—European institutions often respond by attempting to build a domestic equivalent. This logic has driven recent pushes on cloud sovereignty, where companies like OVHcloud and Deutsche Telekom have sought to offer alternatives to Amazon Web Services and Microsoft Azure. It also applies to payments rails, where the European Payments Initiative aims to create a pan-European card scheme to compete with Visa and Mastercard. Most loudly, it has driven semiconductor manufacturing initiatives under the European Chips Act, which aims to double Europe's share of global chip production by 2030.
Banking cybersecurity AI now joins this list as a critical area where European self-reliance is considered essential. The BNP Paribas-Mistral pairing is its highest-profile concrete project to date, but it is likely not the last. Other European banks, including Deutsche Bank and Santander, are reportedly observing the development closely, and similar partnerships may emerge if Mistral's model proves viable.
Technical and Regulatory Challenges
Building a model that can effectively find and exploit vulnerabilities requires not only advanced machine learning architecture but also access to high-quality data sets of security flaws and exploit chains. Mythos benefited from Anthropic's own red-team operations and partnerships with organizations like the US Defense Advanced Research Projects Agency (DARPA). Mistral will need to replicate that data pipeline, possibly by collaborating with European cybersecurity firms, national CERTs, or military agencies. The European Union's newly proposed Cyber Resilience Act and the Digital Operational Resilience Act (DORA) for financial services could provide regulatory incentives for banks to adopt such models, but they also impose strict requirements on testing and validation.
There is also a geopolitical dimension. The United States has generally been more willing to allow frontier AI models to be used for offensive cybersecurity purposes by approved entities, while European regulators tend to emphasize risk minimization and human oversight. This philosophical difference makes it harder for European institutions to simply import US-developed tools like Mythos. An EU-made alternative could be designed from the ground up to comply with European ethics guidelines and liability frameworks, potentially giving it a regulatory advantage in the long run.
Market Reactions and Future Outlook
Neither BNP Paribas nor Mistral commented on the specific Bloomberg report, but the stock prices of both companies have remained stable, suggesting investors view the partnership as a logical step rather than a risky bet. The European cybersecurity market is expected to grow from €50 billion in 2024 to over €80 billion by 2030, driven by increasing digitization of financial services and rising threats from state-sponsored hackers. A specialized AI tool could give European banks a competitive edge if it reduces the time to patch vulnerabilities from weeks to hours.
Independent security researchers have noted that while Mythos has not been demonstrated in the wild on a European bank to date, the theoretical possibility is concerning. Several large European financial institutions reported an uptick in attempted breaches using AI-generated malware in the first half of 2025. The momentum behind the Mistral project may accelerate if such incidents continue to rise, as banks may prefer a domestic solution that is not subject to US export controls or licensing restrictions.
The collaboration between BNP Paribas and Mistral AI represents a microcosm of Europe's broader struggle for technological sovereignty in an era of rapid AI advancement. By pairing the continent's largest bank with its most promising AI startup, the project aims to demonstrate that Europe can produce advanced cybersecurity tools without relying on US tech giants. Whether it succeeds will depend on technical execution and the willingness of regulators to accept a homegrown solution with potentially lower performance than its American counterpart. Mythos has not been demonstrated in the wild on a European bank to date, but the pressure to build a defensive equivalent is now higher than ever.