the ai reality map · course 01 · chapter 06/10
// 06 · sovereignty vs the us cloud

What does sovereign AI mean versus the US cloud?

Short answer: an "EU region" on a US cloud is not sovereignty, because the US CLOUD Act follows the provider, not the server. Real sovereignty means European operator, hardware and jurisdiction at the same time.

The CLOUD Act (2018) compels US providers to hand over data they control wherever it sits. Schrems II struck down Privacy Shield; the 2023 Data Privacy Framework is upheld for now but under appeal at the EU Court of Justice (Latombe, 2025).

"EU region" on a US cloud isn't sovereignty. The US CLOUD Act can reach the data anyway.

// who can reach your data

US cloud (incl. "EU region")

Data reachable. The US parent can be compelled to produce it, wherever the servers sit.

Sovereign (EU-operated)

Out of reach. There is no US legal hook to pull. The order has nothing to attach to.

| | US cloud (incl. "EU region") | Sovereign (EU-operated) |
|---|---|---|
| Who operates the platform | A US-headquartered company | A European operator, on hardware we run |
| Reachable under US law (CLOUD Act, FISA 702) | Yes, even for an "EU region" | No US legal hook exists |
| Data physically in the EU | Maybe, if you pick an EU region | Yes, always |
| Can be compelled without telling you | Yes, gag orders exist | Only via EU courts, under EU law |
| Your data can train a third-party model | Sometimes, by default | Never |

Mechanism: the US CLOUD Act (2018) compels US providers to produce data regardless of where it is stored; FISA 702 enables surveillance of non-US persons. Schrems II (CJEU, 2020) invalidated Privacy Shield, and the 2023 EU-US Data Privacy Framework remains under legal challenge.

// the short version

  • An "EU region" on a US cloud is not sovereignty.
  • The US CLOUD Act can reach the data anyway, wherever the server sits.
  • Real sovereignty means the operator, the hardware and the jurisdiction are all European.
  • Run the free, interactive course at heimlandr.io/ai-reality-map.

// the deep dive

A US-headquartered provider can be compelled to produce data regardless of where the server physically sits, under the CLOUD Act (2018, 18 U.S.C. 2713), so a datacenter in Frankfurt owned by a US company is not actually sovereign. US foreign-intelligence law (FISA Section 702 and Executive Order 12333) can reach non-US persons' data held by US providers with limited redress; Section 702's authority lapsed in mid-2026 but collection continues under court certifications into 2027. The legal ground keeps shifting: Schrems II (2020) invalidated Privacy Shield, and the 2023 EU-US Data Privacy Framework was upheld by the EU General Court in 2025 but is now under appeal at the Court of Justice. Real sovereignty means the operator, the hardware and the jurisdiction are all European. We run our own infrastructure on EU soil with no US middlemen in the data path. If your data is regulated, privileged, or a genuine trade secret, this is the difference your legal team flagged.


// chapter faq

Does an EU datacenter protect data from the CLOUD Act?

No. The CLOUD Act (18 U.S.C. 2713) compels US providers to produce data they control regardless of where the server sits, so a Frankfurt datacenter owned by a US company remains within reach of US law.

What is sovereign AI?

AI where the operator, the hardware and the jurisdiction are all European at once, so no foreign law can compel access to the data. Private LLMs and agents on EU infrastructure, with the keys held by you or an EU operator.

Who actually needs sovereign AI?

Anyone whose data is regulated, privileged or a genuine trade secret: public sector, healthcare, legal, finance, defence-adjacent industry, and any company whose lawyers flagged Schrems II or the CLOUD Act. For everyone else it is a risk decision, not a requirement.

Every figure in this chapter is sourced. The full source list lives on the main map.

This is one chapter of ten. The whole course is free.

The full map has the interactive tools, the 8 minute audio edition, the live layer and every source. And if you want it run against your own reality, that call is free too.
