Hat tip to Torkel Thune for lifting this into my feed.

I am 36. That makes me old enough to remember when "the cloud" was just a polite word for someone else's computer, and when most of us still ran our own — the rack, the stack, the whole thing, sitting in a room you could physically walk into. Over time the pendulum swung hard the other way. We handed infrastructure to a handful of global providers because it was cheaper, faster and someone else's responsibility to keep operational. For a long time, that trade made sense.

It is swinging back now.

And this time the reason is not cost. It is security.

This week made that concrete for me. Reports emerged that Anthropic has not provided the European Union with access to Mythos, its most advanced cyber-focused AI model, while a select group of mainly US companies and government agencies already have it. The European Commission has reportedly been asking for access for weeks. Around the same time, OpenAI shared its own advanced cyber model with EU authorities.

That contrast is the entire story.

This is not a disagreement about chatbot features or image generation. Mythos is tied to advanced cyber capability — discovering software vulnerabilities, modelling attack paths and analysing infrastructure risk at a scale and speed humans cannot realistically match. That is not a productivity tool anymore. It is closer to strategic infrastructure.

And right now, access to it is being decided outside Europe.

The problem is dependency, not nationality

I want to be careful here, because the lazy version of this argument is wrong. This is not about Anthropic being malicious, and it is not anti-American. American companies are not the problem.

The problem is structural dependency.

Dependency works perfectly — right up until priorities diverge. Access you do not control can be delayed, narrowed, reprioritised or withdrawn entirely by actors operating under different political, commercial or national interests than your own. That is not some hypothetical future risk. It is the default condition of the arrangement itself.

And this week, that condition became visible.

The banking sector illustrates the problem clearly. US financial institutions reportedly already have access to Mythos. European institutions do not. The reason this matters is the shape of the infrastructure underneath modern banking systems: deeply interconnected software, legacy dependencies and operational complexity where vulnerabilities rarely remain isolated.

A weakness discovered and patched in one part of the ecosystem changes the security posture of the entire system around it.

If one side gains earlier access to advanced vulnerability discovery tooling while the other waits, that is not simply a delayed rollout schedule. It becomes an asymmetry in operational readiness, in real time.

Europe regulated the conversation, not the capability

There is an uncomfortable thing Europe needs to say out loud.

For years, Europe focused heavily on building regulatory frameworks for AI — work that absolutely has value — while much of the actual capability continued consolidating elsewhere:

  • the models,
  • the compute,
  • the cyber tooling,
  • the infrastructure,
  • the hyperscale capacity.

We became very good at discussing the governance layer of technologies we increasingly do not control.

And for most of the last decade, "digital sovereignty" in Europe mostly meant:

  • data residency,
  • procurement frameworks,
  • privacy regulation,
  • and compliance requirements.

All important.

But this story exposes another layer entirely: operational capability.

Because sovereignty is not only about where data is stored. It is about whether Europe can independently access the infrastructure, compute, tooling and competence required to operate critical systems on its own terms.

And increasingly, frontier cyber AI belongs on that list.

Healthcare, finance, energy, telecommunications, government and industrial systems do not experience this discussion as abstract policy language. They experience it operationally:

Can we secure the systems we depend on? Can we see threats fast enough? Can we respond independently when priorities shift?

That is what this debate is really about.

What we are actually building — and why

At WAYSCloud we have spent the last few years building infrastructure specifically around reducing this type of dependency. Not through isolationism, but through optionality:

  • European infrastructure,
  • open-source foundations,
  • interoperability,
  • local operational competence,
  • and architectures designed to avoid hard vendor lock-in.

Concretely, that includes our threat intelligence work. Our systems already ingest and correlate hundreds of millions of abuse reports, malware indicators, IP reputation events and security observations across multiple sources and networks. The value is not just the raw data itself, but the intelligence layer built on top of it: identifying patterns, correlating activity across infrastructures, prioritising risk and helping organisations detect threats earlier.

That is where AI increasingly matters.

Not as a chatbot feature, but as an operational capability layer sitting directly on top of infrastructure and security analysis.

We are also moving more of our service layers fully into Europe, including local AI processing connected to this intelligence work. The longer you operate at this layer, the harder it becomes to ignore how strategically important both infrastructure control and AI capability are becoming.

Cyber resilience used to mean firewalls and endpoint protection.

It increasingly means something more fundamental: who controls the intelligence layer itself — the systems deciding what counts as a threat, how quickly it is identified and who gets access to the capability required to analyse it.

Open source is not ideology here. It is the exit strategy.

When people hear "open source," they often interpret it as an ideological preference.

In reality, it is operational pragmatism.

Open source is what allows organisations to:

  • audit systems,
  • self-host infrastructure,
  • fork projects,
  • maintain operational continuity,
  • and avoid becoming completely dependent on a single vendor's future decisions.

It is, quite literally, the optionality this entire situation is about.

Because if access can be granted, access can also be revoked.

And the only real defence against that is maintaining the ability to continue operating regardless.

Europe is not starting from zero. There are serious efforts emerging here, including companies like Mistral and a growing ecosystem around sovereign infrastructure and regional AI capability.

But it is worth being honest: Europe still trails US firms significantly in frontier model development, hyperscale compute capacity and investment scale. Pretending otherwise helps nobody.

Closing that gap is not a branding exercise.

It requires:

  • sustained long-term investment,
  • regional infrastructure,
  • stronger open-source collaboration,
  • interoperability,
  • operational competence,
  • and organisations willing to build local alternatives before dependency becomes a crisis.

The point

The answer is not protectionism. Europe should absolutely continue cooperating internationally on technology, AI and cybersecurity. Open ecosystems and international collaboration matter enormously.

But cooperation and dependency are not the same thing.

Resilience means retaining the ability to continue operating when access, priorities or geopolitics inevitably shift.

And they will shift.

This week simply made that reality visible.

Resilience cannot be outsourced indefinitely.

That is not ideology anymore. It is increasingly becoming a basic infrastructure requirement for Europe itself.
