The 85% Lie: Nordic Firms Want EU-Tech But Won't Fund It

85% Want Sovereignty. 0% Want to Pay For It.

Proton just dropped their 2026 survey. 85% of Nordic companies now say they want EU alternatives to US tech platforms. I read that number sitting in Jönköping, Sweden, where I run an AI development company, and I almost laughed. Not because the number is wrong. It is probably accurate. I laughed because I know what those same companies are actually doing with their money.

They are routing their AI workloads through Azure. They are training on AWS. They are signing multi-year contracts with American hyperscalers while telling pollsters they want digital sovereignty. And the EU AI Act, the regulation that was supposed to protect European tech independence, is the very mechanism that made this behavior rational.

This is not a rant about hypocrisy. This is a structural analysis. Something is deeply broken in how Europe is approaching AI, and if you are a founder, CTO, or CEO in the Nordics, you need to understand it before it eats your business.

What the Survey Actually Tells Us

The Proton survey results are clear in their sentiment. Nordic executives are anxious about US data access, post-CLOUD Act risks, and the general trajectory of American tech policy. They want European options. They say so loudly.

But sentiment is not strategy. McKinsey's latest report on Nordic software exports tells the other half of the story. The Nordic software sector is surging, yes. But almost entirely in SaaS layers built on top of American infrastructure. We are building the furniture. Americans own the house.

Think about that. Sweden is a world-class software development hub. We produce incredible engineers. Spotify, Klarna, King, iZettle. The talent is real. But when it comes to foundational AI, the compute, the base models, the training infrastructure, we are tenants. Not owners.

85% want sovereignty. But sovereignty does not come from survey answers. It comes from procurement decisions, R&D budgets, and the willingness to accept that European-built AI might not match GPT-5 on benchmarks today but could matter more in five years.

The EU AI Act: A Liability Transfer Machine

Here is where it gets ugly. Politico reports that AI is "a nightmare for the EU" right now. Compliance paralysis is setting in. The Carnegie Endowment frames the EU AI Act as a "power play between deregulation and innovation." From Washington, maybe it looks that way. From Jönköping, it looks like something else entirely.

It looks like a liability transfer mechanism.

Here is how it works in practice. If you are a Nordic company and you want to build your own AI system, you are the provider under the AI Act. You bear the full classification burden. You need conformity assessments. You need risk management systems. You need technical documentation that would make a pharmaceutical company wince. The compliance cost for a mid-size Swedish company to deploy a custom high-risk AI system is enormous.

Or. You can buy Microsoft's Copilot. Use OpenAI through Azure. Let the American hyperscaler be the "provider" and you become the "deployer." Your compliance burden drops dramatically. Your legal team relaxes. Your board signs off.

The EU AI Act, in effect, made it cheaper and legally safer to outsource your intelligence to America than to build it yourself in Europe.

That is not sovereignty. That is surrender with extra steps.

Sweden vs. The World: We Have the Talent, Not the Will

Let me put this in context. As a tech company in Jönköping, I see the Swedish ecosystem up close. We have some of the best engineers on the planet. Stockholm, Gothenburg, Malmö, and yes, Jönköping, are full of people who can build real things. If you want to hire AI developers in Sweden, you will find world-class talent.

But compare our situation to what is happening elsewhere.

The US has effectively deregulated AI development at the federal level. CHIPS Act money is flowing. The hyperscalers are investing $100B+ annually in compute. OpenAI, Anthropic, Google, Meta. They are building the foundation.

China is building its own stack. DeepSeek showed the world that you can do frontier-level work with different economics. The Chinese government does not ask its AI companies to fill out conformity assessments before deploying internally. They have their own problems, but speed is not one of them.

And Europe? We wrote the world's most comprehensive AI regulation before we built the AI. We put the seatbelt on before we built the car. And now we wonder why we are not driving.

Sweden specifically has some advantages that are being wasted. We have clean energy for compute. We have cold climate for data center cooling. We have a deep engineering culture. We have high trust institutions that could enable responsible AI development without suffocating it. Northvolt showed that Sweden can build physical infrastructure at scale (even if that story got complicated). The question is whether we can do the same for digital infrastructure.

Right now, the answer is no. Not because we cannot. Because we will not.

The Real Cost of the Compliance Moat

Let me be concrete about what the compliance reality looks like for builders in Europe right now.

If you are a Swedish founder building an AI product that touches hiring, credit, healthcare, or education, you are likely in "high-risk" territory under the AI Act. That means:

• Mandatory risk management systems
• Data governance and documentation requirements
• Human oversight mechanisms
• Accuracy, robustness, and cybersecurity standards
• Conformity assessments before market placement
• Post-market monitoring

Each of these is reasonable in isolation. Together, for a 20-person startup in Gothenburg or a scale-up in Jönköping, they represent a compliance overhead that can consume 15-25% of your engineering capacity. I have talked to founders who are spending more on AI Act compliance preparation than on actual model development.

Meanwhile, their American competitor just ships. And then sells the compliant API back to Europe.

This is the moat. Not a technology moat. A compliance moat. And it protects the incumbents, who are overwhelmingly American.

Where This Goes: 2027-2030

Let me tell you what I think happens next, and it is not optimistic unless something changes.

Short term (2026-2027): More Nordic companies sign up for "EU sovereign cloud" offerings from... Microsoft, Google, and AWS. These are US companies running EU-located data centers with EU-resident staff and contractual guarantees. It is sovereignty theater. The code, the models, the update pipelines, still flow from Redmond and Mountain View. Swedish companies will check the compliance box and feel good about it.

Medium term (2027-2029): As AI moves toward more autonomous agents and systems that make real decisions, the dependency becomes existential. If your supply chain optimization, your customer interactions, your financial modeling all run on American AI, you do not have a European company. You have a European wrapper around American intelligence. When the US changes its export policy, or its data access rules, or its pricing, you have no fallback.

The AGI question: If anything resembling AGI arrives in the 2028-2031 window that many researchers are now discussing seriously, the regions that control the foundational models will have an advantage that dwarfs anything we have seen in tech history. Europe is not even in the race. We are regulating the race. That is a different thing.

What needs to happen is a fundamental shift in European industrial policy around AI. Not more regulation. Not more surveys. Actual capital deployment into European compute, European model training, European AI infrastructure. France is trying with Mistral and government-backed compute initiatives. Germany has some movements. Sweden is mostly quiet.

For Swedish policymakers reading this: the AI Act needs a builder's exemption. Small and mid-size European AI companies developing foundational technology should have a materially different compliance pathway than companies deploying American AI at scale. The current framework punishes builders and rewards buyers. Invert it.

What to Actually Do About It

If you are a Nordic CTO or founder, here is what I think you should be doing right now, beyond waiting for policy to catch up.

1. Audit your AI dependency chain. How much of your intelligence layer is American? If the answer is "all of it," you have a single point of geopolitical failure. Start identifying where open-source or European alternatives can slot in, even if they are not as polished.

2. Build compliance infrastructure as code. Do not treat AI Act compliance as a legal exercise. Treat it as an engineering problem. At HEIMLANDR, we build AI solutions that bake compliance into the architecture from day one, because retrofitting it later is three times more expensive and ten times more painful.

3. Invest in your own AI capabilities. Even if you use external models, build the team and the infrastructure to fine-tune, evaluate, and eventually replace them. The companies that will win in 2030 are the ones investing in internal AI competency now, not the ones outsourcing everything to an API.

4. Push your industry associations and political representatives. The 85% who say they want EU alternatives need to start demanding that EU policy actually enables EU builders instead of punishing them.

What to Look At

If you are thinking about compliance, sovereignty, and security in a practical way, a few open-source tools are worth your attention right now:

CISO Assistant is trending on GitHub and for good reason. It is a GRC platform that supports 130+ frameworks including NIS2, DORA, GDPR, and ISO 27001 with automatic control mapping. If you are trying to manage the compliance sprawl that comes with operating in Europe, this is a serious tool. Open source, self-hostable.

Prowler is the most widely used open-source cloud security platform, and it works across multi-cloud environments. If you are running workloads on US hyperscalers (and let us be honest, you are), at least audit them properly.

Baserow is an open-source, GDPR-compliant alternative to Airtable that now includes AI agent and automation capabilities. It is self-hostable. It is European. It is the kind of tool that should be in your stack if you actually mean it when you say you want EU alternatives.

These are not silver bullets. But they are building blocks for a stack you actually control. And control is what sovereignty actually means.

The Bottom Line

I run a software development company in Sweden. I build AI systems, SaaS platforms, and blockchain solutions from Jönköping. I am not a policy wonk. I am a builder. And what I see from where I sit is a continent that talks about digital sovereignty the way it talks about the weather. Everyone has an opinion. Nobody is actually doing anything about it.

85% is a big number. It should mean something. Right now it means nothing, because the same structures that produce the demand for European tech actively prevent its creation. The EU AI Act needs to be fixed, not scrapped, but genuinely restructured so that European builders are not punished for trying to build what European companies say they want.

Until then, the 85% is a lie. A well-intentioned, survey-friendly, beautifully expressed lie. But a lie.

Stop answering surveys. Start signing purchase orders for European AI. That is how sovereignty actually works.

Fredrik Brunnberg is the CEO of HEIMLANDR.IO, building AI and software solutions from Jönköping, Sweden. This is the daily HEIMLANDR briefing. If you found this valuable, share it with someone who builds things.