Europe’s missing compliance layer
Europe is building sovereign payments and sovereign AI. The layer that interprets its regulation still runs on foreign software.
Essays on who gets to interpret European law — and why the infrastructure that reads a regulation is a question of sovereignty, not just software.
Written in Berlin · processed and hosted in the European Union
A US ruling on who controls the FTC has quietly unsettled the legal basis for moving European data across the Atlantic.
A US ruling on who controls the Federal Trade Commission has quietly removed a load-bearing assumption beneath every transfer of European data to the United States.
Checking a draft contract or a live incident against European law by running it through a foreign AI transmits the full text to a provider under foreign jurisdiction. That is a disclosure, and it may be one you never learn about.
The 3 June package targets chips, cloud, and AI. It says almost nothing about the systems that interpret Europe’s own regulation.
A short set of questions that separates genuine digital sovereignty from an EU region with a sovereignty label, applied honestly to ourselves as well.
For most companies, compliance still lives in a spreadsheet held together by one overworked person. It breaks in four predictable places.
The industry standard is to pull a customer’s documents into the vendor’s cloud. For regulated European firms, that convenience is the exposure.
DORA made banks map every critical technology provider. Few have turned that discipline on the software they use to manage compliance itself.
In 2019 three of Europe’s largest economies built a mechanism to trade around US sanctions. Its near-total failure is the clearest lesson in dependency Europe has.
The term is appearing on every European vendor’s website. Most uses describe where data sits, not who controls it.
For fifteen years European data protection has asked where information is stored. Artificial intelligence has changed the question to where regulation is understood.