AI sovereignty: the three legs and the CLOUD Act argument
“Sovereign” has become a sales argument. It gets stuck on offers that amount to little more than European hosting. That’s not enough, and sometimes misleading. AI sovereignty rests on three legs. If one is missing, the structure collapses.
1. The data
Where does your data live, who can access it, and under which jurisdiction? Physical location isn’t enough: what matters is the real access chain and the law that applies to it. Well-guarded data that a third party can reach through a contractual gap isn’t sovereign.
2. The models
Do you depend on a single vendor, with no way out? Independence means a reasoned choice between open and proprietary models, and above all reversibility: being able to switch without rebuilding everything. Lock-in is the silent enemy of sovereignty.
3. The operation
Who operates the system day to day, under which contract, under which law? Sovereignty doesn’t stop at deployment: it plays out in operation, supervision and accountability, maintained and locatable over time.
The blind spot: the CLOUD Act
The US CLOUD Act lets authorities demand access to data held by companies subject to US law — even if that data is hosted in Europe. GDPR doesn’t neutralise that possibility. Ignoring this leaves a hole in the first leg. We address it explicitly, by design and by contract, not by omission.
Want to test how solid your three legs are? See our approach or discuss it.