AI-ready sovereignty playbook 2026: how to run gen-AI workloads (ethically) in the EU

Sovereignty is a concept that can have shown nuances in the way it is currently used by states and industry to describe some services.

The term “strategic autonomy” has also been used, as to describe the need for governments to ensure that they have a hand on the full value chain (or at least know the gaps and accept the risks) and can apply their rules while it seats in its jurisdiction (autonomy derives from the greek autos (self) nomos (rule).

Companies could apply the same principles at their level, talking about “organizational autonomy” or more commonly, ensuring service continuity in case of a supplier default (i.e. resilience).

That said, developers have a great role to play as some technological choices can be “future proof” regarding upcoming regulations that might come. Part of the answer is leveraging open source to build your solution and using suppliers supporting portability and interoperability to minimize switching efforts. 

This applies for any kind of workload, AI included. As this field progresses very fast, there is a redoubled need to be vigilant on the services used to avoid vendor lock-in when building tech services on top of it. 

AI sovereignty: how pieces are moving

“A primary tenet of “sovereign AI” is a nation-state’s desire to control its development, modeling and use of AI systems and techniques, with less dependence on other countries’ innovation and talent and less reliance on global vendors.” – Gartner

In some cases, the ambition could be shared by several member states within the same economical space, such as what is currently happening in the European Union, with a renewed ambition described on November 18th by German and French officials during the European digital sovereignty summit in Berlin.

Governments are increasingly looking into it, as market is shifting towards intensive use of AI in a very near future: Gartner predicts that “by 2027, 50% of business decisions will have been augmented or automated by AI agents for decision intelligence” but such adoption would be done in a highly regulated manner as “by 2027, 35% of countries will be locked into region-specific AI platforms”.

Europe has been on the forefront of regulations regarding data protection, and is augmenting it as AI usage brings more intensity through training and leveraging user data. 

Main aspects to consider while implementing AI in products in Europe:

• Transparency: documenting which data, model and how decisions are being made;
• Jurisdiction: ensuring residency and control over data without it flowing outside EU boundaries.
• Risk management: depending on target usage, the AI can be considered as high risk and would need extra measures (fines up to €20 million or 4% of global revenue).

Those pieces are still moving, as the EU Commission released recently the draft Digital Omnibus, which seeks to simplify the interaction between the different legislations that had been drafted in the last years. 

Even if some AI dispositions are being postponed, the spirit of the law will remain and software architecture decisions will still need to be made accordingly to avoid future irregularities.

Building one step at a time in a moving environment

Working with multiple models to benchmark performance has become the norm, as it seats at a higher level of abstraction. 

However, working with multiple cloud service providers in different regions to ensure resilience is something that is still time consuming.

→ Allowing businesses to choose where to run workloads, with different underlying cloud providers, creates new international development opportunities without compromising on security – from a jurisdictional standpoint – or compliance – as some requirements can be tied to geographies. 

Using AI to augment the capabilities of in-house developers to create new applications exposes IT departments who need, more than ever, to handle existing applications that can also be exposed as legacy and can also face deprecation when using older technologies. Leveraging a cloud application platform with integrated observability tools can also support strategies such as lift and shift then optimize, or directly go into an application modernization process seeking to switch only the required components to run it as state of the art.

Wrapping up – leveraging a modern platforms like Upsun let you:

• Create region-specific environments with one configuration file (.upsun/config.yaml) using approved local providers like OVHcloud for the EU.
• Test sovereignty compliance in isolated preview environments.
• Generate compliance documentation automatically based on available audit trails and activity logs.
• Switch between regions without rebuilding depending on the end client's needs.
• Accelerate application modernization, as there is no sovereignty without control on an up to date application portfolio.