// WHERE_AGENTS_RUN
SOVEREIGN AI
The legal foundations for transatlantic AI data flows are eroding faster than most teams realise. We help you move your AI onto infrastructure you actually control.
“We use their London region” is not a sovereignty strategy. If your AI provider is a US company, the CLOUD Act means US authorities can compel data disclosure regardless of where your servers sit.
// OUR_SERVICE
Sovereign AI Readiness Assessment
A half-day session to audit your AI stack, identify sovereignty risks, and deliver a prioritised action plan. Everything below is the evidence — this is where you start.
// OUR_RESEARCH
From Barnacle Labs
Comprehensive Guide
Sovereign AI — Privacy, Compliance & Sovereignty
Why 'stateless' assumptions are wrong. How the CLOUD Act reaches across borders. What UK GDPR restricted transfers actually mean for AI workloads. And what to do about all of it.
From the blog
"It's in London" Isn't a Privacy Strategy for AI
Why choosing your vendor's UK region doesn't solve the data sovereignty problem.
Last Year's Best AI Model Now Runs on Your Laptop. For Free.
Google's Gemma 4 beats Gemini 2.5 Pro on nearly every benchmark — open-weight, Apache 2.0, runnable on a MacBook.
// THE_FOUR_BIG_QUESTIONS
The Four Big Questions
// CAPABILITY
Can open-source AI models match the performance of frontier APIs like GPT, Gemini and Claude?
Open models today typically match or exceed the frontier performance of 12 months ago. If you need the absolute bleeding edge — the capability that shipped last week — frontier APIs still lead. But the real question is: do you? Most enterprise workloads don't need today's frontier. They need last year's frontier, reliably, on infrastructure you control. That's exactly what open models now deliver.
// JURISDICTION
Does choosing a cloud provider's UK or EU region protect my AI data from US jurisdiction?
No. What matters is where the company is incorporated, not where the server sits. The US CLOUD Act means a US-headquartered provider can be compelled to hand over data regardless of which region you chose. Server location is a networking decision. Corporate jurisdiction is the legal one.
// STABILITY
Are EU-US and UK-US data transfer frameworks at risk of being invalidated?
It's already happening. The executive orders underpinning EU-US and UK-US data transfer frameworks can be amended faster than legislation. PCLOB oversight has been gutted. Autopen-signed EOs — executive orders signed by machine rather than by hand — are being challenged as invalid. Teams relying solely on the current adequacy regime are building on ground that is actively shifting — sovereign infrastructure is the hedge.
// COST
Is running AI on sovereign infrastructure more expensive than using cloud APIs?
The cost equation has flipped. Open models have eliminated licence fees. Neoclouds have driven GPU pricing down 60%+ in two years. The real question is whether you can afford the alternative: a compliance incident, a forced disclosure, or a midnight scramble to migrate when the legal basis you relied on gets invalidated.
// THE_REGULATORY_LANDSCAPE
How We Got Here
The legal and political developments that made sovereign AI an enterprise imperative — not a nice-to-have.
US CLOUD Act Enacted (Clarifying Lawful Overseas Use of Data Act)
US authorities can compel data disclosure from US companies regardless of server location.
Schrems II Invalidates Privacy Shield
EU Court of Justice strikes down the EU-US Privacy Shield, leaving transatlantic data transfers in legal limbo.
EU-US Agree in Principle on New Data Privacy Framework
Von der Leyen and Biden announce a political deal to replace Privacy Shield. The framework is negotiated, not legislated — its durability depends on executive commitments that can be reversed.
Executive Order 14086
Biden signs order creating intelligence safeguards — the legal foundation for new EU-US and UK-US data transfer frameworks.
EU-US Data Privacy Framework Adopted
European Commission adopts adequacy decision for transfers to certified US organisations.
UK-US Data Bridge Comes into Effect
The UK Extension to the EU-US Data Privacy Framework goes live, creating a lawful route for UK-to-US personal data transfers to certified organisations. Built on EO 14086.
PCLOB Members Fired
White House terminates members of the Privacy and Civil Liberties Oversight Board — the independent body that oversees US intelligence safeguards. The EU and UK relied on PCLOB's existence as evidence that EO 14086's protections were real. Without it, the legal basis for transatlantic data transfers is directly threatened.
NYT v. OpenAI: 20M Logs Ordered
Judge orders OpenAI to produce 20 million ChatGPT conversation logs — proving 'stateless' AI isn't stateless at all.
Trump Declares Autopen Executive Orders Invalid
Trump announces he is cancelling all executive orders signed by autopen during the Biden administration — potentially including EO 14086, the legal foundation for EU-US and UK-US data transfer frameworks. Legal experts dispute the constitutional basis.
EU Declaration for European Digital Sovereignty
EU Member States adopt a shared commitment to strengthen Europe's digital sovereignty for economic resilience, competitiveness, and security.
// CURATED_RESOURCES
The Sovereign AI Toolkit
Everything you need to evaluate, plan, and deploy sovereign AI — curated and maintained by our team.
GPU cloud and neocloud providers with sovereign data centres in the UK and Europe.
🇪🇺 Nscale — Sovereign AI Data Centres in Europe
European-first AI infrastructure company building sovereign GPU data centres across Europe.
🇺🇸 CoreWeave — AI Cloud Infrastructure (UK & Europe)
Purpose-built AI cloud with data centres in the UK and Europe. High-performance GPU infrastructure.
🇳🇱 Nebius — European AI Cloud Platform
European AI cloud platform offering GPU instances and managed ML services.
🇬🇧 Civo — UK-Based Cloud Provider
UK-headquartered cloud provider with GPU instances. No US parent company, no CLOUD Act exposure.
🇫🇷 Scaleway — European AI Neocloud
French cloud provider with sovereign GPU compute and managed AI services. Data stays in EU.
🇫🇷 OVHcloud — EU-Native Cloud
French cloud provider with GDPR-compliant AI infrastructure. No US corporate jurisdiction.
🇬🇧 Scan — UK Sovereign AI Cloud
UK-headquartered neocloud providing sovereign GPU-as-a-Service. End-to-end AI infrastructure with data guaranteed to stay within UK legislative borders.
🇱🇺 Gcore — European Sovereign AI Cloud
Luxembourg-headquartered, self-owned sovereign infrastructure across six continents. GPU regions in Portugal, Netherlands, and Wales. Fully compliant with EU data laws.
🇺🇸 Vultr — Sovereign & Private Cloud
Air-gapped sovereign cloud deployments managed by host-country nationals. 32 global regions with dedicated control planes untethered from central infrastructure.
🇬🇧 FluidStack — European AI Supercompute
Oxford-founded GPU cloud powering Mistral, Character.AI, and others. Building a 1GW sovereign AI supercomputer in France. 100K+ GPUs across Europe and Iceland.
Half-Day Assessment
Sovereign AI Readiness Assessment
A half-day session with your AI and data teams to review your current stack — models, infrastructure, data flows, and vendor agreements. The output is a clear picture of your sovereignty exposure and a prioritised action plan to close the gaps.
Audit your current AI stack
Which providers, what data flows through them, where it lands, and under whose jurisdiction.
Identify sovereignty risks
CLOUD Act exposure, restricted transfers, data retention gaps, and single-vendor dependencies.
Deliver a prioritised action plan
What to fix now, what to migrate, and what you can leave. Practical steps ranked by risk and effort.
What you get
- Half-day on-site or remote session with your AI and data teams
- Full sovereignty risk report covering every AI vendor and data flow
- Prioritised migration roadmap with effort estimates
- Model-by-model recommendations for sovereign alternatives
- Infrastructure options mapped to your compliance requirements