You chose the model carefully.

You read the documentation. You checked the provider had an EU representative. You logged it in your AI inventory, mapped it to the right obligations, maybe ran a DPIA.

You did the diligence. Then you built it in: the model now sits inside a product, or a workflow, or a process a few hundred people rely on without thinking about it.

On Friday evening it stopped existing.

On June 12, at 5:21pm Eastern time, the US government ordered Anthropic to cut off access to its two most capable models, Fable 5 and Mythos 5, for any foreign national. Inside the US or outside it. Including Anthropic’s own foreign-national staff. Anthropic couldn’t separate the foreign users from everyone else fast enough to comply selectively, so it did the only thing that guaranteed compliance: it switched both models off for every customer on earth. Fable 5 had been publicly available for three days.

Somewhere in the EU, a company that built on Fable woke up to a product that no longer worked, and a question its compliance file did not answer.

What the EU AI Act Promised You

The EU AI Act has a great deal to say about a general-purpose AI provider, and almost all of it is reassuring.

Chapter V is the part that governs models like Fable and Mythos. Under Article 53, the provider has to write and maintain technical documentation, and hand downstream users a package covering what the model is, what it can do, and how to integrate it.

Ask for more than that, and the picture gets softer. You will often hear that the provider has fourteen days to answer. The number is real, but it isn’t in Article 53. It comes from the General-Purpose AI Code of Practice, which is voluntary. The Code binds only the providers who signed it, and even then the promise is only to respond “within a reasonable timeframe, and no later than 14 days”, save for exceptional circumstances. Article 53 obliges the provider to make the information available. It sets no deadline at all.

Under Article 54, a provider based outside the EU has to appoint an authorised representative inside it. And because a frontier model of this size crosses the systemic-risk threshold in Article 51 (training compute above 10^25 floating-point operations creates a presumption of systemic risk), Article 55 piles on more: adversarial testing, systemic-risk assessment, serious-incident reporting to the AI Office, cybersecurity for the model and its infrastructure.

It is a serious set of obligations. Read them as a group and a pattern shows up.

Document. Disclose. Evaluate. Mitigate. Report. Secure. Appoint a representative.

Every one of them is about the provider’s conduct. Each answers a version of the same question:

Is the provider behaving responsibly toward the people downstream and toward the regulator?

It is a regime built to make the provider accountable, and on its own terms it does that well.

None of it answers the question the EU company actually had on Friday.

Will the model still be there tomorrow.

The Obligation That Isn’t There

There is no continuity duty in Chapter V.

No obligation to keep the model available. No notice period before withdrawal. No requirement to warn downstream users that access is about to disappear, and certainly nothing about what happens when a government orders the lights off.

The EU AI Act built an elaborate structure of accountability around the provider and assumed, without ever saying so, that the provider would stay a stable, willing counterparty. Availability was never in question.

That assumption is the soft spot, and Fable walked straight into it.

The regulation spent its effort making the provider answerable to you and to the AI Office.

Last week’s events answered a question the regulation never asked:

Who is the provider answerable to first?

Within hours of a government letter, a commercial model serving hundreds of millions of people went dark, worldwide, and not one line of Chapter V slowed it down. The documentation package didn’t help. The fourteen-day response window didn’t help. The authorised representative had nothing to represent. The incident-reporting channel to the AI Office runs the wrong way for this: it tells Brussels what happened, after it happened.

The provider answers to its own government first. Everything the EU AI Act guarantees sits downstream of that fact.

Switching Is the Easy Part

The obvious response is to move to another model, and often that’s genuinely easy.

Fable 5 and Opus 4.8 are both Anthropic. Same API, same SDK. You change the model name and you’re running again, possibly the same afternoon. The directive named specific models and left every other Anthropic model untouched, so Opus stayed up the whole time. For a lot of companies, the fallback was a one-line change.

Notice why it was available, though. Opus stayed up because Washington drew the line at Fable and Mythos, not because you arranged it that way. The scope of the order was the government’s choice, not yours. A one-line fallback works right up until the next letter names the provider instead of two models, and then the model you’d switch to is dark as well.

The easy path also narrows fast once the deployment is real. Move to a different company’s model and the prompts, the behaviour, and the evaluation results all have to be redone. Fine-tune a model and the tuning doesn’t travel. You retrain. Run the model somewhere regulated or safety-relevant, and the code change is the smallest part of the job. You tested, documented, and signed off on a specific model. Swapping it can mean re-running evaluations and rewriting documentation before the replacement is allowed to ship.

The model string changes in a minute. The revalidation doesn’t.

So it isn’t that you’re stranded. It’s that switching is often trivial and still doesn’t cover you, because the part you don’t control is the part that matters: not how hard the swap is, but how wide the next order reaches.

“Switch to Opus 4.8” answers what happened on Friday. It says nothing about the day the order doesn’t stop at one model.

DORA Saw This Coming

There is one corner of EU law that treats the availability of a third-party service as a regulated risk rather than an operational detail. It’s DORA, the Digital Operational Resilience Act, which is in force since January 2025.

DORA makes financial firms keep documented exit plans (Article 28(8)) and assess concentration risk, including whether a realistic substitute for a critical provider actually exists (Article 29). If you are a bank or an insurer, you already have the muscle to ask the Fable question, because the law made you build it.

If you are anything else, you don’t.

DORA covers roughly twenty categories of financial entities. A hospital running a triage tool on a frontier model is not covered. Nor is a manufacturer, a software company, a university, a public authority. They get the EU AI Act’s safety and transparency guarantees but no continuity guarantee at all. The one EU rule that would have made them plan for a sudden provider shutdown simply doesn’t apply to them.

Even DORA is a smaller shield than it looks. The risks it imagines are outages, cyberattacks, insolvency: the ordinary ways a vendor fails. A foreign government switching the product off on a Friday isn’t in that taxonomy, and no standard force-majeure clause contemplates it either.

Worse, DORA’s designated critical providers are the big clouds: AWS, Google Cloud, Microsoft. Most EU firms reach Anthropic’s models through exactly those clouds. The cloud is on the register. But last week none of the clouds went down. The model did, pulled clean off the top of infrastructure that kept humming the whole time.

The dependency that actually failed sits one floor below where even the careful firms were looking.

What to Take From This

A few things worth doing before this stops being news.

1. Put the model on your register as its own dependency, separate from the cloud it runs on. If your third-party inventory stops at AWS, it does not describe what you’re actually exposed to.

2. Ask the DORA question whether or not DORA applies to you. If this specific model went dark tomorrow with no notice, what runs in its place, and how long until it does? Name a second model. Cost out the switch honestly. That number is your real exposure.

3. Know your own role, because it sets your own obligations. If you build the model into a system you put on the market, you’re a downstream provider with duties of your own and a right to the provider’s Annex XII documentation. If you only use it, you’re probably a deployer. The distinction matters a lot.

4. And read the EU AI Act for what it is. It makes your provider document, disclose, test, and report. It is a real set of protections and it is worth understanding. It just never promised the one thing you needed last week, and it is better to know that up front.

The compliance file you built was honest work. It described a provider doing everything the law requires: documented, transparent, tested, supervised. All of it true, and none of it load-bearing, because the model's availability wasn’t the provider's promise to give. It belonged to a government you have no standing in front of, under an authority no one disclosed, exercised in one afternoon.

You can hold a provider to account for how a model behaves. You cannot hold one to account for being switched off by someone else.