Even in Frankfurt, your cloud AI data answers to US law
A quiet legal fact is reshaping enterprise AI. The US CLOUD Act lets American authorities compel US-headquartered providers to hand over data — including data sitting on servers in Frankfurt or Zurich. So “data residency,” where the bytes physically live, turns out to be the wrong question. The real one is technical sovereignty: who controls the stack. If your AI provider is American, your prompts live under US jurisdiction no matter where the data center is.
Europe is making this explicit. The EU AI Act is landing, with penalties reaching 7% of global turnover; the European Commission has published a Cloud Sovereignty Framework; and certifications like Germany’s BSI C5 and GAIA-X are becoming procurement requirements. The analysts’ takeaway is blunt: open models like Llama or Mistral can be hosted on infrastructure you control and stay sovereign, while routing prompts to a US cloud API can quietly break compliance.
- Sovereignty isn’t where the server is — it’s who can be compelled to open it. Own the stack and the question disappears.
- A model running air-gapped on your own hardware has no foreign jurisdiction, no provider to subpoena, and no prompt leaving your walls.
Background: Orrick on the EU sovereign cloud; the US CLOUD Act and the EU AI Act.
