Sovereign AI: Why European CISOs Are Rejecting US-Cloud DLP
Schrems II, FISA 702, the CLOUD Act and CNIL enforcement have changed the math. A practical guide to deciding when a US-hosted AI DLP vendor is no longer acceptable.
The legal stack stopped favouring US-cloud DLP
Five years ago, a European CISO buying a Data Loss Prevention tool could shortlist Symantec, McAfee, Forcepoint, Microsoft Purview and Zscaler without anyone in legal raising a hand. In 2026 that shortlist is harder to defend. The change is not driven by a single ruling but by a stack of them, each compounding the last. Schrems II in 2020 invalidated Privacy Shield and made transfers to US infrastructure contingent on supplementary measures most vendors cannot truthfully describe. The Data Privacy Framework that followed in 2023 was supposed to fix this; it was challenged again in 2024 and is sitting in the CJEU's docket on familiar grounds. FISA Section 702 remains untouched, which means a US-headquartered provider must respond to a National Security Letter or a FISA directive even when the targeted data sits in Frankfurt. The 2018 CLOUD Act codifies that reach explicitly.
Then 2025 happened. The current US administration's revisions to the Executive Order that underpins the Data Privacy Framework reduced the independence of the Data Protection Review Court, which was the centrepiece concession that got Brussels to sign in the first place. The European Data Protection Board's January 2026 statement was diplomatic. The message to procurement teams was not diplomatic: assume the adequacy decision will be revisited, and price accordingly.
Enforcement caught up with theory
For a long time the regulatory risk was abstract. It is no longer. The CNIL ruled in 2022 that the standard configuration of Google Analytics constituted an illegal transfer; in 2024 it followed up against vendors that had bundled US analytics inside their European SaaS offerings, including two security tools. The BSI has published advisories warning German federal agencies away from US-cloud SaaS for any data processing that touches classified or regulated workloads. AEPD has been consistent in treating US-hosted processors as high-risk for healthcare and financial data. Even the post-Brexit ICO, traditionally more flexible than its continental counterparts, has begun to diverge on AI-specific transfers.
Fines are not yet existential, but the precedents are. A CISO who signs a US-cloud DLP contract in 2026 is now signing into a hostile legal climate, and the burden of proof has shifted to them. If a regulator asks why employee data is flowing through US infrastructure to a US-controlled DLP tool, "the vendor said it was fine" will not be a defence.
What "sovereign" actually means
Vendors have noticed. Every major DLP company now claims some form of sovereignty. The word has been so abused that it requires a definition before any procurement conversation. Sovereignty is a spectrum, not a binary, and pretending otherwise is how you end up with a tool that fails the next audit.
| Level | What it means | Real-world exposure |
|---|---|---|
| 1. EU-hosted, US parent | Data plane in Frankfurt or Dublin, parent company headquartered in the United States | CLOUD Act and FISA 702 reach the parent. Encryption keys held by the vendor are subject to compulsion. |
| 2. EU entity, EU-only data plane | European legal entity is the controller of the infrastructure; no US affiliate touches the data path | Schrems II posture is defensible. Still depends on the vendor's supply chain. |
| 3. Customer-managed keys (BYOK) | Vendor runs the service, customer holds the encryption keys in their own KMS | Even if the vendor is compelled, it cannot decrypt. Practical sovereignty for most workloads. |
| 4. On-premise / air-gapped | The control plane runs entirely inside the customer's network | No external dependency. The only configuration acceptable to certain defence and central-bank clients. |
Level 1 is what most US incumbents are selling when they say "hosted in Europe". It is not enough. Level 2 is the minimum a credible procurement team should accept for AI DLP in 2026. Level 3 should be the default for anyone in financial services, healthcare or critical infrastructure. Level 4 is reserved for the cases where the regulator or the threat model demands it.
If your DLP vendor cannot tell you, in writing, which level they sit at and which subsidiary signs the DPA, you do not have a sovereignty story. You have a marketing claim.
The honest trade-offs of full sovereignty
Sovereignty is not free. Anyone who pitches it as a pure upgrade is selling something. The realistic cost picture, drawn from the last eighteen months of European mid-market deals we have visibility into:
- Roughly 25 to 35 per cent price premium over the equivalent US-cloud offering, driven by smaller infrastructure scale and the cost of running EU-only operations.
- A feature lag of six to twelve months on the bleeding edge, particularly for ML-driven detection. The US giants ship faster because they have more telemetry and more headcount.
- A smaller integration ecosystem. Fewer pre-built connectors to obscure SaaS, fewer marketplace plugins, fewer third-party consultants who can deploy the tool.
- Less name recognition with your board. Some boards still equate "Gartner Magic Quadrant leader" with safety, even when the leader is the source of the regulatory risk.
These trade-offs are real. They are also, for most European enterprises in regulated sectors, manageable. The 30 per cent premium on a DLP tool is rounding error against a single CNIL fine, and the feature lag matters less than vendors imply when the features in question are about catching tomorrow's leak, not yesterday's.
Why this matters specifically for AI DLP
The sovereignty conversation has been running in general DLP and SIEM circles for years. What has changed is the workload. AI prompts are not normal employee output. When a sales engineer pastes a deal memo into ChatGPT to summarise it, that prompt typically contains the customer name, the deal size, the competitive context, the technical objection, and sometimes credentials embedded in a debugging session. When a developer asks Claude Code or Cursor to refactor a function, the prompt frequently includes connection strings, API keys, internal hostnames, and the surrounding business logic. Prompts to Gemini for marketing copy regularly carry unannounced campaigns, M&A code names and pricing strategy.
Per token, a generative-AI prompt is the highest-density carrier of sensitive data inside the modern enterprise. The 2025 ENISA AI threat landscape report flagged AI prompt leakage as the fastest-growing data-exfiltration vector. Sending that traffic through a US-cloud DLP pipeline doubles down on the risk you are trying to mitigate: you have moved the most sensitive content in your company from one regulated channel to a less regulated one, then routed it through a vendor that is legally obliged to disclose under FISA on demand.
This is the part many CISOs have not yet internalised. An AI DLP product is a content-inspection tool by design. It has to see the sensitive data in order to detect it. The architectural question of where that inspection happens and who can compel access to it is therefore not a side concern. It is the entire concern.
The procurement questions that actually filter vendors
Most RFP templates are written for storage tools and miss the points that matter for AI DLP. The following six questions, asked in writing and requiring written answers, will eliminate roughly two-thirds of candidates in a first round.
- Where is the data plane, not just the website? A landing page hosted in Paris means nothing. The customer needs to know the AWS region, the GCP project, the Azure resource group — and whether any control-plane component reaches a US region for telemetry, logging or model inference.
- Which legal entity processes my data? "Acme Inc." and "Acme Europe SAS" are not the same answer. The DPA must be signed by an entity whose data centres and personnel are inside the EU and whose corporate parent does not pull the contract into US jurisdiction.
- Can you guarantee no transit through US-jurisdiction infrastructure? Including the CDN, the WAF, the analytics, the support tooling and the model-inference endpoint. Cloudflare US, Datadog US and OpenAI US are common silent failures here.
- Do you support customer-managed keys? If the answer is "on the roadmap", treat it as a no. BYOK is what makes the vendor unable to decrypt under compulsion. Without it, sovereignty is a posture, not an architecture.
- Show me your transparency report for the last 24 months. Volume and type of government requests received, what was disclosed, what was challenged. Vendors who do not publish one are not necessarily compromised, but they have not earned the benefit of the doubt.
- What happens to my data when the contract ends? Time to deletion, format of the export, audit certificate of destruction. A sovereign vendor will have a written answer; a US incumbent will often need to escalate.
An honest note from a European vendor
Zeuslock is European. We are not neutral on this question. But the point of the framework above is not to push a brand; it is to give you the decision criteria you can use against anyone, including us. If a vendor — Zeuslock or otherwise — cannot answer those six questions cleanly, the answer is not to sign and hope the regulator looks elsewhere.
The CISOs we work with in France, Germany, Spain, Italy and the Nordics did not arrive at sovereignty as an ideology. They arrived at it after their general counsel read the post-2024 Schrems analysis, after their DPO walked through the CLOUD Act's extraterritorial mechanics, and after their board started asking what happens to their AI pipelines the next time the Data Privacy Framework wobbles. The math has changed. The shortlist should change with it.
For a written briefing on Zeuslock's data plane, sub-processor list and BYOK architecture, see our GDPR reference page or contact your account team. The document is signed, dated and versioned.