Data residency is a major challenge for AI development in Europe—but is it sufficient for secure AI?

Summary of Data Residency

Information that goes into AI systems and other digital solutions is sent back and forth between servers of the solution providers, third-party actors, and LLM providers for storage and processing. Some of these servers may be located in Europe, while others may be in the U.S., China, or elsewhere.

So What’s the Problem?

When personal data and/or sensitive internal company information are processed through these solutions, the risks associated with this data exchange increase significantly.

GDPR must be taken into account, and although this legislation allows for data to be sent to U.S. servers for storage and processing, there is still inherent risk—both in legal gray areas and in reputational damage, especially as more Europeans have grown skeptical of the U.S.'s relationship with Europe since the beginning of the year.

This is in addition to the natural security concerns of transferring sensitive corporate data outside the country or continent.

What Can Be Done?

There are ways to tackle the challenge, though not without cost or risk.

More technical AI solutions that rely on established language models typically use direct API connections to American providers. In these cases, it is usually not possible to choose for the data to be stored or processed on European servers.

A common workaround is to set up the AI connection through a cloud platform, such as Microsoft’s Azure. There, one can specify whether data processing should occur in Norway, Sweden, Western Europe in general, or another region.

Amazon (AWS) and Google (Google Cloud) are alternative providers offering similar cloud platforms with their own AI solutions.

What’s the Challenge With That?

First, it is more technically complex to establish solutions via this method. It is typically much more complicated, and with larger datasets, it can be expensive—making it a feasible option mostly for well-established companies that have the capacity to secure their AI operations.

Additionally, it still isn’t 100% secure. U.S. law allows authorities to access data from American providers even if the data residency is set to Europe—even if they are European companies owned by American stakeholders. This is enabled by laws like the U.S. Cloud Act and Foreign Intelligence Surveillance Act (FISA).

How Can This Be Solved?

It’s not straightforward, but there are two possible paths forward—toward what I call “data sovereignty” as the next step beyond data residency.

1. Partner with companies structured to avoid exposure to the U.S. Cloud Act and FISA, specializing in cloud-based AI development resources. However, this still requires investing in their cloud services and developing AI models based on open-source models.
2. Purchase and operate your own servers, build the models, and host them locally. This is probably the most secure in the long term but requires significantly more up-front investment and is more complex in terms of establishing environments and training models to produce useful results.

As an AI startup that takes security and compliance seriously, we actively work with partners to explore how we can evolve our solutions toward data residency and data sovereignty. However, there is still a long way to go in Norway—and in Europe more generally.

Signs of Progress in Europe

AI development and the availability of scalable, cost-effective cloud infrastructure in Norway and Europe still seem to lag far behind the U.S.—but this is not set in stone:

• European companies like Nebul specialize in European infrastructure that safeguards against risks from the U.S. Cloud Act and FISA.
• In AI development, the France-based LLM provider Mistral AI has shown results in specific use cases that rival leading models like ChatGPT, Claude, and Gemini.
• Several established IT companies are considering investments in local servers to train open-source models locally, instead of relying on existing closed-source models or cloud solutions.

So, there are signs that Europe may be moving toward more data residency—and potentially even sovereignty—especially following recent geopolitical tensions with the U.S.

Time will tell, but we are aligning ourselves in that direction—in our work and the communities we engage in—and striving for a more Europe-centric focus in AI development.

‍