← Thought Leadership

Architecture

Who interprets European law?

For fifteen years European data protection has asked where information is stored. Artificial intelligence has changed the question to where regulation is understood.

Jan Jensen
Co-founder
· 4 min read

New to the topic? Start with What sovereign compliance actually means.

A grand circular library reading room lined with books

Photo: Lilian Do Khac / Unsplash

Consider a mid-sized European bank preparing for a DORA examination. Its analysts no longer read the regulation unaided; increasingly, they ask an AI system to summarise the requirements, map them to internal controls, and draft the supporting documentation. The work is faster and, in many respects, better, yet it is worth pausing on a question the efficiency tends to obscure: when that system explains what DORA requires, who is actually performing the interpretation?

The answer is not the bank

The answer is not the institution, and it is not a European authority. It is a model built, trained, and operated by a company established under United States law, and therefore reachable by US courts and executive power. The institution has not merely stored its data abroad; it has delegated an act of legal reasoning about European law to an entity outside European jurisdiction.

For most of the past two decades, Europe’s debate about digital sovereignty has concerned itself with location. The Schrems judgments, the standard contractual clauses, and the successive adequacy decisions all turn on a single axis: where European personal data physically resides, and who might reach it there. That axis mattered, and still does, though it was framed for an era in which software largely moved and stored information rather than reasoned over it.

Definition
Data residency and interpretive sovereignty are not the same thing.
Data residency concerns where information is stored and which jurisdiction can compel access to it. Interpretive sovereignty concerns something later in the chain: where the reasoning about that information is performed, and under whose authority the systems performing it operate. A dataset can sit in Frankfurt while the model that interprets it answers to Washington.

Compliance is a judgment, not a database

The distinction is not academic, because compliance is a matter of judgment rather than storage. Every material compliance decision is an act of interpretation: reading a provision, weighing its application to a particular institution, and determining what it demands. When that interpretation is produced by a model whose development and operation fall under a foreign legal system, the institution has accepted a dependency it would refuse from any human adviser. No European bank would appoint, as its sole authority on European financial regulation, a counsel who could be silenced or redirected by a foreign government, yet that is the arrangement many are drifting into, one convenient query at a time.

The exposure is not hypothetical. A model’s provider can be compelled to alter it, restrict it, or disclose what it has processed, on the authority of a legal system in which European institutions have no standing. Even a unilateral change to commercial terms can shift how the system reasons about a regulation on which a bank’s licence depends. In each case, the institution learns of the change after the fact, if at all, and has no recourse inside its own jurisdiction. Under the United States CLOUD Act, American authorities can compel a US provider to surrender data wherever in the world it is stored. In June 2025, Microsoft’s own French legal counsel, asked under oath before the Senate whether he could guarantee that French data would never reach the US government, answered simply: “No, I cannot guarantee that.”

Where the reasoning should run

This is not an argument against artificial intelligence in compliance. The productivity gains are real, and the institutions that ignore them will fall behind. It is an argument about where the reasoning should run. A model that interprets European law on behalf of European institutions should itself sit within European jurisdiction: developed, hosted, and governed under European control, and answerable to European authorities rather than exposed to foreign ones. That is not protectionism; it is the principle that already governs where data may reside, extended to the more consequential question of where judgment is formed.

Reaching that point will take time, because European models are still maturing towards the scale their American counterparts command, and candour about the gap belongs in the argument rather than beneath it. Two disciplines hold in the meantime: keep the processing within the EU, and design so that an institution’s own source documents never reach the interpreting model at all, whatever that model is and wherever it runs. The first keeps the data in European hands; the second means the most confidential material is never exposed to the model.

Data residency is now table stakes, written into contracts and adequacy decisions. Interpretive sovereignty is barely discussed, even as the systems that make it urgent are adopted across the sector. The institutions that recognise the distinction early will be the ones spared from unwinding a dependency later, when removing it has become far more costly. The question every board should be able to answer is a simple one, even when the answer is uncomfortable: when our systems tell us what European law requires, whose judgment are we actually relying on?

Sources