Your legal team approved the vendor. Your IT department enabled the integration. Your employees are already using it. But when your company started sending business data to ChatGPT, Azure OpenAI, or Google Gemini — did anyone ask _who else might be able to read it?_
For European companies, especially those in Sweden, Norway, Finland, and Denmark, the answer is more complicated than a terms-of-service checkbox. It involves US federal law, a European privacy framework that may not survive its next court challenge, and a regulatory environment that is tightening on multiple fronts simultaneously.
This is not a theoretical risk. It is a documented, accelerating problem — and the frameworks to address it are either already in force or arriving fast.
The CLOUD Act Problem Nobody Talks About Openly
The US Clarifying Lawful Overseas Use of Data Act (CLOUD Act, 2018) allows US federal law enforcement to compel any US-headquartered technology company — Microsoft, Google, Amazon, OpenAI — to hand over data stored on servers _anywhere in the world_, regardless of whether that data belongs to non-US persons or is physically stored in Frankfurt, Stockholm, or Amsterdam.
> "No, I cannot guarantee that — but, again, it has never happened before." — Anton Carniaux, Microsoft France Director of Public and Legal Affairs, under oath before the French Senate, June 2025, when asked whether he could guarantee French citizen data would not be transmitted to the US government without French government consent
That testimony — from one of the world's largest technology companies, under oath, in a legislative chamber — is the clearest on-record confirmation that data residency in Europe does not equal data sovereignty. The EU data centre tag on your Azure subscription is a geography, not a legal protection.
The CMS Law white paper published in February 2026 described the gap between legal reality and vendor marketing on this point as requiring active demystification. The EU itself raised the bar further in October 2025 with a Cloud Sovereignty Framework specifying eight concrete requirements for genuinely sovereign cloud services — requirements that most commercial US AI providers do not meet.
The Legal Safety Net Is Fraying: Schrems III Is Coming
The current legal basis for most EU-US data transfers is the EU-US Data Privacy Framework (DPF), an adequacy decision adopted in July 2023 following the invalidation of both the Safe Harbor framework (Schrems I, 2015) and Privacy Shield (Schrems II, 2020) by the Court of Justice of the EU.
The DPF survived its first judicial challenge in September 2025. That case is now on appeal to the very court that invalidated its two predecessors.
> 🔴 The Schrems III clock is running. On January 27, 2025, the Trump administration removed Democratic members from the Privacy and Civil Liberties Oversight Board (PCLOB), leaving it without a quorum. PCLOB oversight of US surveillance practices was a central safeguard in the DPF adequacy decision. MEPs formally asked the European Commission whether to suspend the DPF pending reinstatement. If the CJEU invalidates the DPF, the legal basis for most EU-US AI data transfers disappears overnight — for the third time.
Beyond PCLOB, the picture grew more complex through 2025: DOGE gained effective access to databases at seven major US federal agencies; a Trump executive order directed agencies to eliminate "information silos" and promote inter-agency data sharing; and analysis of Big Tech transparency reports revealed that Google, Apple, and Meta shared 3.1 million user accounts with US law enforcement over the decade 2014–2024 — a 600%+ increase, according to Euronews reporting in March 2025.
The Timeline: How the Risk Has Escalated
July 2020: Schrems II — Privacy Shield invalidated
CJEU rules US surveillance law incompatible with EU fundamental rights. SCCs survive but require Transfer Impact Assessments. EU-US data transfers enter legal uncertainty.

July 2023: EU-US Data Privacy Framework adopted
Third attempt at EU-US data transfer adequacy. Relies on PCLOB oversight and US executive commitments. Challenged immediately by privacy advocates.

January 2025: PCLOB dismantled — key DPF safeguard removed
Trump administration removes board members. PCLOB loses quorum. MEPs ask European Commission to suspend DPF adequacy decision. Legal basis for EU-US transfers enters renewed uncertainty.

June 2025: Microsoft confirms data sovereignty cannot be guaranteed
French Senate testimony makes explicit what legal scholars had argued: CLOUD Act exposure is real regardless of data centre location.

August 2025: EU AI Act GPAI obligations take effect
Training data disclosure requirements live for providers (OpenAI, Google, Mistral). Deployer obligations under Article 26 in force. Data governance obligations under Article 10 apply to high-risk AI.

Late 2025: DPF survives legal challenge — but CJEU appeal filed
EU General Court dismisses Latombe challenge. Max Schrems files appeal to CJEU — the same court that killed Safe Harbor and Privacy Shield. IAPP analysts: "All roads lead to Schrems III."

August 2026: Full EU AI Act enforcement begins
Commission enforcement powers active. Non-compliant deployers of high-risk AI face penalties up to €30M or 6% of global turnover. Data governance obligations fully enforceable.
Nordic Companies: High Adoption, High Exposure
Nordic markets lead Europe in cloud and digital adoption — which means they also lead in exposure.
US hyperscalers have held approximately 70–85% of European cloud infrastructure spending for nine consecutive years, with European providers unable to close the gap. For most Nordic companies, every AI workload — every document sent to Copilot, every customer interaction logged in a ChatGPT-powered support tool, every strategic document analysed by an AI assistant — flows through infrastructure subject to US legal process.
Shadow AI: The Risk You Already Have
Corporate policy does not determine what data leaves the building. Employee behaviour does.
This is not a future risk. The average Nordic organisation using US-based SaaS tools is almost certainly already experiencing shadow AI usage — employees uploading contracts, meeting notes, client data, and internal strategy documents to consumer AI tools without IT oversight, security review, or legal basis assessment.
> ⚠️ 46% of employees say they would continue using banned AI tools even if explicitly prohibited. The enforcement problem is not technical — it is cultural and architectural. Without local or controlled AI alternatives, prohibition creates shadow usage, not security.
What the Regulations Actually Require
The compliance landscape is converging. Multiple frameworks — some already in force, some arriving — create overlapping obligations that collectively demand a coherent AI and data governance strategy.
ISO 27001 (Insufficient alone)
Gold standard for information security management. But it predates generative AI entirely. Contains no controls for model integrity, hallucination risk, training data provenance, or AI-specific bias — meaning a fully certified ISO 27001 organisation can still have zero AI governance. A necessary baseline, not a complete solution.

SOC 2 (Insufficient alone)
Validates security controls for cloud providers. Assumes deterministic software. Provides no framework for probabilistic AI output validation, model governance, or vendor model changes. Your AI vendor's SOC 2 report tells you their access controls are in order — not whether your data is protected from US government requests, or whether their model has drifted since the audit.

NIS2 Directive (In force)
Transposition deadline October 2024. Supply chain security is explicitly mandated under Article 21 — requiring documented risk assessment of all direct suppliers and service providers, including US-based AI/cloud vendors. Essential entity violations: up to €10M or 2% of global turnover. Personal management liability applies.

ISO 42001 (Rapidly emerging)
Published December 2023, the world's first AI Management System standard. Covers data governance, bias testing, training data provenance, human oversight, and AI vendor risk. Explicitly aligned with EU AI Act compliance pathways. Increasingly embedded in procurement requirements and the EU's GPAI Code of Practice. The emerging standard for AI-specific governance.
The EU AI Act's Data Obligations: What Deployers Must Do
The EU AI Act (Regulation 2024/1689) entered into force August 2024. Full enforcement begins August 2026. For European organisations deploying AI tools — which now means virtually every business using Microsoft Copilot, Salesforce Einstein, or any AI-assisted product — the deployer obligations under Article 26 are binding:
> Article 26: Key Deployer Obligations (High-Risk AI Systems)
> • Human oversight: Assign oversight to persons with documented competence, training, and authority.
> • Input data relevance: Where you control input data, ensure it is relevant and sufficiently representative.
> • Log retention: Retain automatically generated AI logs for a minimum of six months.
> • Incident reporting: Immediately notify providers and market surveillance authorities upon discovering risks.
> • Worker notification: Inform employees before deploying AI systems that affect their work.
> • DPIA linkage: Use AI system information to conduct GDPR Data Protection Impact Assessments under Article 35.
For data governance specifically, Article 10 establishes binding requirements on training data quality, bias detection, and provenance documentation for high-risk AI systems. If your AI provider cannot tell you where their training data came from, how biases were assessed, or what data governance practices were applied — and many cannot — your use of that system in high-risk contexts may itself be non-compliant.
The Governance Gap: Where Most Organisations Stand
How the Frameworks Compare

| Framework | Covers AI-specific risks? | Data sovereignty? | Mandatory? | Penalties |
|---|---|---|---|---|
| ISO 27001 | No | Partial | Industry/Procurement | Certification loss |
| SOC 2 | No | No | Customer-driven | Audit failure |
| GDPR | Partial | Yes | Yes — EU Law | 4% global turnover or €20M |
| NIS2 | Via supply chain | Partial | Yes — EU Law | 2% global turnover or €10M |
| EU AI Act | Yes | Yes (Art. 10, 26) | Yes — EU Law | 6% global turnover or €30M |
| ISO 42001 (AI-native) | Yes — by design | Yes | Voluntary + procurement | Certification loss |
The Path Forward: What Sovereignty-Aware AI Looks Like
The answer is not to stop using AI. It is to use it with architecture that matches your legal obligations and risk appetite. That means knowing exactly what data goes where — and having alternatives when the answer is "not to a US server under CLOUD Act jurisdiction."
> Practical Measures for European Organisations
> • Data classification before AI deployment: Map which data categories exist in your organisation. Personal data, trade secrets, and regulated information require different controls before they touch any AI system.
> • Transfer Impact Assessments for AI vendors: Required under Schrems II for SCCs. Document the surveillance law landscape of each AI provider's jurisdiction — including CLOUD Act exposure — and implement supplementary technical measures where needed.
> • NIS2 supply chain assessment: Formally assess your AI and cloud vendors under Article 21(2)(d). This is now legally required for essential and important entities, not optional best practice.
> • Local and private AI deployment: For sensitive workloads, consider on-premises or sovereign cloud AI — models that run within your infrastructure, under your control, with no outbound data transmission. Fine-tuned open-weight models (Llama, Mistral, Qwen) can match commercial model performance for specific use cases while eliminating third-party data exposure.
> • ISO 42001 roadmap: Begin the AI Management System gap assessment. Even pre-certification readiness significantly improves AI governance posture and demonstrates diligence to regulators and clients.
> • Shadow AI programme: The technical solution to shadow AI is not blocking — it is providing governed alternatives. Employees using personal ChatGPT accounts are a symptom of insufficient internal AI tooling, not a policy problem alone.
> "Data residency in Europe does not equal data sovereignty. A Frankfurt data centre tag on your Azure subscription is a geography, not a legal protection." — The gap that the EU Cloud Sovereignty Framework (October 2025) was designed to address
The Regulatory Pressure Is Not Easing
In December 2025, EU Council ministers approved a negotiating mandate for a US-EU agreement on US access to EU citizens' biometric data — a development that privacy advocates described as adding a new exposure vector rather than closing existing ones.
The Register, reporting in December 2025, described Europe as "getting serious about cutting the US digital umbilical cord" — but institutional seriousness takes time to translate into market alternatives at scale. Until it does, European organisations operating on US AI infrastructure carry risks that ISO 27001 and SOC 2 alone were never designed to address.
The EU AI Act, NIS2, ISO 42001, and the looming Schrems III decision are not separate problems. They are the same problem viewed from different angles: European organisations need to know where their data goes, who can access it, under what law, and what they would do if the answer changed overnight.
Is Your AI Usage Aligned With Your Compliance Obligations?
SimpleTech helps European organisations map AI data flows, assess sovereignty risks, and implement governance frameworks — including ISO 42001 readiness, NIS2 supply chain assessments, and local AI deployment for sensitive workloads.
Sources & References:
• US CLOUD Act (2018) — Wikipedia overview
• CMS Law White Paper: CLOUD Act vs European Data Sovereignty (Feb 2026)
• The Register: Microsoft admits it cannot guarantee EU data sovereignty (July 2025)
• EU AI Act — EUR-Lex Official Text (Regulation 2024/1689)
• Article 10: Data and Data Governance — EU AI Act Service Desk
• Article 26: Deployer Obligations — EU AI Act Service Desk
• Euronews: Big Tech shares 3.1M user accounts with US authorities (March 2025)
• CNBC: Europe's reliance on US digital infrastructure — four charts (Feb 2026)
• Holori: Cloud Market Share 2026
• Mordor Intelligence: Nordics Cloud Computing Market
• noyb.eu: EU-US data transfers heading to CJEU for third time
• WilmerHale: CJEU to review EU-US DPF challenge (Dec 2025)
• Clifford Chance: EU raises concerns over US oversight changes (March 2025)
• ISO/IEC 42001:2023 — AI Management Systems Standard
• Knostic AI: The 20 Biggest AI Governance Statistics (2025)
• Dataguard: NIS2 Requirements Complete Guide
• The Register: Europe gets serious about cutting US digital umbilical cord (Dec 2025)
• EDPB Opinion 28/2024: Data protection aspects of AI models