The cyber sovereignty gap, measured

Mistral AI is in discussions with European banks about deploying a cybersecurity-focused model that would function as a continental alternative to Anthropic's Mythos, according to a Bloomberg report published Wednesday afternoon by Claudia Cohen and Benoit Berthelot. Sources cited in the report — speaking anonymously because discussions are private — said the Paris-based lab had been working with banking clients on AI-assisted vulnerability identification before Mythos was unveiled in April, and is now building an off-the-shelf product suitable for wider deployment.

The strategic context is sharp. Anthropic's Project Glasswing, the gated-access programme through which Mythos is distributed, has admitted twelve partners and roughly forty vetted users. No European government holds access. European banks, sitting under tightening AI-cyber risk expectations from national regulators and the NCSC, are by report under pressure to find and remediate vulnerabilities that adversaries equipped with similar tools could exploit at speed.

The same week brought the announcement of OpenAI's Daybreak, a tool the company has framed as continuously securing software, and a Google disclosure of what it described as the first observed AI-developed zero-day exploit linked to a planned mass exploitation campaign. The defensive-offensive race is no longer a forecast.

Why it matters. For most of Volume I, the Mythos story has been about absence — what European institutions cannot access. Today it became a story about presence: a Paris lab is building the thing. Whether Mistral can ship at the capability level required is a separate question, and the public reporting offers no model card, no benchmarks, no release date. But the structural point is established. The capability gap has produced a commercial response. Sovereignty is being built, not negotiated.

The UK AI Security Institute on Wednesday published a fresh assessment of how quickly frontier models are gaining autonomous cyber capability. The blog post, titled How fast is autonomous AI cyber capability advancing?, reports that the length of cyber tasks that frontier models can complete unassisted on AISI's narrow cyber suite has been doubling on the order of months, not years — and that the doubling rate has itself been accelerating across successive estimates.

In November 2025, AISI estimated the 80%-reliability cyber time horizon was doubling every eight months. By February 2026, the internal estimate had compressed to 4.7 months. Two newly evaluated systems — Claude Mythos Preview and OpenAI's GPT-5.5 — have since exceeded both of those trend lines. AISI notes that it is unclear whether this represents an isolated jump or the start of a faster regime.

On AISI's two cyber-range simulations, Mythos Preview became the first model to complete both. It solved The Last Ones, a thirty-two-step simulated corporate network attack, in six of ten attempts, and the previously unsolved Cooling Tower in three of ten. GPT-5.5 solved The Last Ones in three of ten attempts. AISI noted earlier this year that Anthropic's Opus 4.6 had reached twenty-two of The Last Ones' thirty-two steps in its February evaluation, without completing the range. METR's independent measurement of software-engineering task horizons points to a parallel doubling time of roughly 4.2 months since late 2024.

Why it matters. Story 01 is not a strategic forecast. It is a response to Story 02. The doubling rate AISI just measured is the commercial pressure forcing European banks to seek a Mythos alternative. The two stories are the same story, told from opposite ends of the chain — measurement at one end, market response at the other.

The European Commission's consultation period on draft measures under Case DMA.100220 — the proceeding that would require Google to give rival AI assistants effective interoperability with Android — closed on Wednesday. Apple, although not the direct subject of the case, submitted comments echoing Google's opposition to the proposals, according to Reuters reporting carried widely in the trade press through the day.

In its filing, Apple wrote that the draft measures, if confirmed, would create what it called profound risks for user privacy, security, safety and device integrity. The framing matters: Apple is itself subject to a parallel set of Article 6(7) obligations under the DMA, and its intervention positions both major mobile gatekeepers in formal opposition to the Commission's preferred remedy before the final binding decision, currently expected by 27 July.

The case was opened on 27 January 2026 by Henna Virkkunen, Executive Vice-President for Tech Sovereignty. Preliminary findings landed on 27 April; the consultation period ran from 27 April to 13 May. The four themes under examination are wake words, system-wide access points, effective app interaction, and access to hardware and software resources. The substantive effect of any final remedy would land directly on Le Chat, ChatGPT and Claude in the European mobile market.

Why it matters. The DMA's AI provisions are the only short-horizon European tool for prying open access to assistant capability on the device. Apple's intervention raises the political cost of issuing the remedy as drafted. The Commission has now received the full opposition case in writing, on the record, before drafting its final decision. Watch 27 July.

A Crunchbase News analysis published Tuesday by Gené Teare reports that, for the first time, AI-related companies accounted for roughly half of all European venture funding in 2026 to date. Europe's Q1 2026 total reached $17.6 billion, up nearly 30% year-on-year, marking the second consecutive quarter of growth for the region.

The country split for Q1: the United Kingdom raised $7.4 billion, France $2.9 billion, and Germany $1.9 billion, flat year-on-year. Three new frontier labs — Ineffable Intelligence and Recursive Superintelligence in London, and Advanced Machine Intelligence Labs in Paris — together raised $2.6 billion in 2026 alone. AMI Labs' $1 billion round was the largest European seed round on record. A separate Notion Capital report cited in the analysis found that 81% of European 100 cloud challenger companies (largely pre-Series A) are now AI-native, up from 50% a year earlier.

Deal volume tells the complementary story: down 40% year-on-year overall, with seed down 44% and early-stage down 30%. Late-stage funding to European startups nearly doubled, reaching $9.2 billion across 83 deals. Capital is concentrating, not broadening.

Why it matters. Stories 01–03 describe the cyber sovereignty gap from three angles: capability, commercial response, regulatory leverage. Story 04 is the fourth side — the capital pivot. The structural reframing is that the European AI story is no longer about whether capital is available. It is about which gaps the capital now identifies as commercially worth closing. Cybersecurity, frontier modelling, and application-layer infrastructure are the answers visible from Q1 2026.

Co-founded in 2023 in Stockholm by Anton Osika and Fabian Hedin, out of the open-source GPT Engineer project that hit over 50,000 GitHub stars. The browser-based product was relaunched as Lovable in November 2024, generating full-stack Next.js + Tailwind + Supabase web applications from natural-language prompts, with GitHub sync so the code remains portable. Lovable reached $75 million in ARR within seven months of launch. A $200 million Series A at a $1.8 billion valuation closed in July 2025 (Accel-led, with Klarna founder Sebastian Siemiatkowski, ElevenLabs founder Mati Staniszewski and Synthesia founder Victor Riparbelli among angel participants), and a Series B in December 2025 valued the company at $6.6 billion with Accel reported among continuing backers.

The free tier offers five daily credits (capped at thirty monthly) and public projects on a lovable.app subdomain. Pro at $25/month adds private projects, custom domains, full Supabase integration and credit rollovers. Business at $50/month adds SSO, design templates, data opt-out and team controls. Reported user base in 2026 is around eight million.

Editorial rationale. Today's issue is about European responses to a capability gap. Mistral is the response at the model layer. Lovable is the response at the application layer — the tool with which a generation of European founders is shipping product without permission. The honest critique from heavy users is that Lovable covers the first 80% of an MVP elegantly and the final 20% pushes you toward Cursor or Claude Code. That is the gap that holds the rating short of a 9. Everything else is best-in-class for what it does.