Sovereignty is a data path, not a data center

The US CLOUD Act obliges US companies to produce data on lawful request, regardless of where in the world that data physically sits. What binds is the jurisdiction of the operator, not the location of the server. A data center in Frankfurt run by a US corporation is still within reach — the EU region is the box that reassures without protecting.

So sovereignty is not a property of a storage location. It is a property of the entire data path. You have to follow the route a query takes and, at each stop, ask one question: who operates this, and what law are they subject to? A RAG system is only as sovereign as its most exposed layer.

Walk the path a query takes. The embedding model turns each chunk into a vector, and it sees every piece of content — once at indexing time, and again on every query. The vector database holds a searchable copy of the whole corpus, often including the source text as metadata. And the language model receives the retrieved context together with the question on every single call.

That last one is the sharpest. Generation is where the sensitive context lands continuously, in normal operation — not once during setup. A managed language model from a US provider therefore sees the protected content every time the system is used. The region the servers sit in doesn't enter into it.

Here is the point that trips people up: what matters is not who trained the model, but who runs it. An open-weight model whose weights you download and run on your own European infrastructure sends nothing back to its maker. Whether those weights originated in the US or anywhere else is irrelevant to the CLOUD Act question once the model runs under your control.

The exposure comes from the managed API, not from the provenance of the weights. That is what makes a sovereign stack practical: you don't need a European-made model, you need a European-operated one.

Every layer has a mature, European-operable option today. For sensitive data the rule is the same at each one: self-host it, or use a provider under European jurisdiction — never a managed US service.

It is not free, and pretending otherwise is dishonest. You take on operational load — running GPU servers, scaling, updates — that a managed provider would otherwise absorb. The best open-weight models are very good and more than enough for most retrieval work, but the very frontier is still held by the large US models, and that gap is closing rather than closed. GPU infrastructure can also cost more than a usage-based API at low volume.

The calculus flips with the data. For public content, a sovereign stack is over-engineering. For personal, public-sector, or health data — exactly where the GDPR and the EU AI Act already require you to control the flow — it is less a cost question than a condition of being allowed to run the system at all.

Here is an exercise shorter than any compliance audit. Take one sensitive request and trace it through your stack — query, embedding, retrieval, generation — and mark every stop a US company controls. Each mark is a point the CLOUD Act can reach, whatever the region dropdown says.

And a concrete starting point that is production-ready today: GPU infrastructure at a German provider; bge-m3 for embeddings via Text Embeddings Inference; Qdrant for the vector store; a Mistral model via vLLM for generation, or Mistral and Aleph Alpha managed if you skip self-hosting; orchestration in your own code on EU infrastructure. Put all five layers under European control and you haven't built a sovereignty-adjacent system. You've built a sovereign one.