The rapid commercial adoption of large language models has created a new sovereignty problem at scale. Every prompt routed to a US-based model provider is a personal data transfer if the prompt contains identifiable information, and the volume and sensitivity of these transfers in most enterprise deployments are significant.
The EU AI Act, fully applicable from 2026, introduces additional requirements on how AI systems are evaluated, documented, and audited. Combined with GDPR’s existing rules on automated decision-making and personal data processing, the regulatory load on AI procurement is now substantial.
European LLM providers such as Mistral AI in France, Aleph Alpha in Germany, and Pleias address this through EU jurisdiction, EU infrastructure, and explicit guarantees about training data and model behavior. Some provide open-weight models that can be deployed inside an organization’s own EU infrastructure, removing the vendor data path entirely.
For procurement teams evaluating this category, the questions to ask include: where is the model hosted, where is inference processed, are prompts used for training, what is the contractual position on input/output data, and what AI Act risk category does the system fall under.