OpenAI grants EU cyber model access

Cybersecurity models are turning into a regulatory test case for Europe. The basic issue is simple — if a company says its AI can find software flaws or help defenders patch them, regulators do not want to grade that claim from a slide deck. They want to touch the system. That is what changed on May 11: OpenAI said it will let vetted European partners, including the EU AI Office, use its new GPT-5.5-Cyber model directly. ### What is GPT-5.5-Cyber? It is not a totally separate foundation model. It is a specialized version of GPT-5.5 built for authorized security work through OpenAI’s Trusted Access for Cyber program. OpenAI says the point is to let approved defenders do things like secure code review, malware analysis, reverse engineering, vulnerability triage, and patch validation, while still blocking clearly malicious uses like credential theft or malware deployment. (cnbc.com) ### Who in Europe gets access? Not random users, and not a broad public release. OpenAI said access will go to vetted European partners — businesses, governments, cyber authorities, and EU institutions including the AI Office. That matters because the AI Office is the part of the Commission that will help enforce the bloc’s rules for the most capable general-purpose models. ### Why do regulators care about hands-on access? (openai.com) Because frontier-model oversight breaks down fast if the regulator can only read company paperwork. A cyber model can look safe in a policy memo but behave very differently in practice depending on prompts, tools, and user permissions. Hands-on testing lets officials and trusted outside teams probe where the guardrails hold, where they bend, and whether a “defensive” capability could spill into offensive use. That is the whole dispute in miniature. (cnbc.com) ### Why is the EU in a position to ask? The AI Act gives Europe a legal framework for general-purpose AI models, with extra obligations for the ones judged to create systemic risk. Those obligations started applying on August 2, 2025, and the Commission later published guidelines and a voluntary code of practice to show providers how compliance is supposed to work. Basically, Brussels now has a rulebook — but a rulebook is only useful if regulators can inspect what they are regulating. (cnbc.com) ### Why is cyber the hard category? Because the same capability can be defensive or dangerous depending on who is using it and for what. A model that helps a bank discover a flaw before criminals do can also help an attacker map weak points faster. That makes cyber models feel less like ordinary chatbots and more like dual-use tools — closer to lock-picking gear than office software. The oversight problem is not just “is this powerful?” It is “powerful for whom, under what controls?” (digital-strategy.ec.europa.eu) ### Is this really about OpenAI versus Anthropic? Partly. OpenAI’s move stands out because another major lab, Anthropic, had not yet given Brussels equivalent access to its own cyber model, Mythos, as of May 11. That leaves EU officials without an easy side-by-side comparison between two frontier systems in the same category. So OpenAI is not just offering access — it is setting the practical benchmark for what cooperation with European oversight might look like. (openai.com) ### What does this change now? In the short term, it gives European officials and trusted local teams a way to test a live frontier cyber system instead of debating abstractions. In the bigger picture, it raises the pressure on other model makers. If one company can provide controlled regulator access without fully opening the model, the argument that such access is impossible gets weaker. (cnbc.com) ### Bottom line This is really a fight over what AI regulation means in practice. Europe does not just want promises about safety. It wants a badge, a door, and a test environment. OpenAI just agreed to hand over the badge. (cnbc.com)