The flagship essay

American intelligence, European rules.

Europe runs on artificial intelligence it did not build. The official answer is to build its own — one day. The real question, the one companies have today, is different: how do you use American AI here, lawfully, now? Almost no one is answering it.

The dependence

Europe thinks with a borrowed mind

The most capable AI models in the world are American. GPT from OpenAI, Gemini from Google, Claude from Anthropic. Almost no European company builds its own — they build products and workflows on top of an American model. The intelligence is imported; only the application is local.

This is not a marginal fact. It is the structural condition of European technology right now.

70%+ of the world's foundational AI models originate in the US
70%+ of Europe's cloud infrastructure is controlled by US firms
80%+ of Europe's digital technology is imported

Scholars have a name for the position this creates. One calls it meta-sovereignty — authority performed through declarations and investments that project control without securing it. An older phrase fits the moment: cuius regio, eius machina — whose realm, their machine. Europe sets the rules. Someone else builds the engine.

The official answer

Sovereignty, eventually

Europe's response is serious, well-funded, and entirely about the future. The Commission's AI Continent Action Plan mobilises up to €200 billion, including €20 billion for AI "gigafactories." In November 2025, all 27 member states signed a Declaration for European Digital Sovereignty, naming technological dependency as a strategic risk. The framing is construction: we can only cash these checks if we hold the pen.

As a ten-year industrial strategy, this may be right. As an answer to the question a company has this quarter, it is no answer at all. It addresses how Europe escapes the dependence. It says nothing about how to live with it well in the years before the escape arrives — if it arrives.

The sovereignty debate plans the exit. Companies need to operate today. The work is in the gap between the two.

And the gap is wide. Even sympathetic analysts concede Europe has no complete, production-ready supply chain for AI that avoids American providers. The one credible European frontier lab, Mistral, is strong but small — there is no realistic path by which it powers a continent of 450 million people in the near term. Switching to it does not even solve the core legal problem, because European data law applies to a French model exactly as it applies to an American one. The dependence is not a phase. For the relevant horizon, it is the terrain.

The collision

Why importing intelligence is hard here

The difficulty is not that American models are bad. It is that they were built for a market that thinks about data differently. The United States asks: is the data secure? Europe asks a prior question: do you have the right to process it at all? One is a security question. The other is a question of rights — rooted in a European history that treats personal data as part of human dignity, not as an asset.

Two opposing forces meet in every AI product sold in Europe. European law, since 2016, rewards using less personal data. Large language models, since 2023, get more useful with more context. Data minimisation versus context richness — the same technology pulling in two directions at once. This is the engineering-invisible problem at the heart of it all, and no model maker solves it for you, because it is not their problem to solve. It lands on the company that ships the product.

It is also why so much of Europe simply waits. Survey after survey finds the same brake: companies cite privacy and legal uncertainty as a leading reason they have not adopted AI. The hesitation is not technophobia. It is a rational response to an unanswered question.

The legal uncertainty is not a side effect of slow adoption. It is the cause of it.

The myth

"Just host it in Europe" is not the answer

The comfortable belief is that European data residency solves this: keep the data on EU servers and you are compliant. It is wrong, and the people who understand the law are blunt about why.

Storing data in Frankfurt is a necessary condition, not a sufficient one. A US-headquartered provider with European data centres can still be reached by US authorities under laws like the CLOUD Act — and a transfer can occur not only by moving data, but through remote access, support activity, or log aggregation, even when the main dataset never leaves the region. Location is the wrong variable. The real variables are control and access: whose law can compel disclosure, and who holds the keys.

Said under oath

Microsoft's own chief legal officer in France told the French Senate, under oath, that the company cannot guarantee European data is safe from US government requests — and that no US hyperscaler can offer absolute protection simply by localising data in Europe.

That single admission dissolves the residency myth. If hosting in Europe were the answer, the largest provider in the market would say so. It cannot. Which means the answer has to be built somewhere other than the map.

The real answer

It is a stack, not a trick

There is no single switch that makes American AI lawful in Europe. There is a set of measures that, combined, move a use case from "shadow AI on a private account" to "defensible business use." The pieces exist. They are scattered across vendor documentation, law-firm notes and research papers, each describing one corner. No one has assembled them into a single picture for the person who actually has to ship. Here is the picture.

1. Send less — data minimisation at the edge

A privacy proxy sits between your application and the model, detecting and masking personal data before the prompt ever leaves your network — and restoring it in the response. Open tools now exist for exactly this. It directly attacks the minimisation-versus-context tension: send the model what it needs to be useful, not the identities it does not.

2. Keep control — lawful processing, not just location

Where the law's standard is real protection, the answer is architectural: EU-region deployment combined with customer-held encryption keys, so that even a lawful foreign order cannot produce readable data. Control of the keys, not the postcode of the server, is what holds.

3. Sign the right paper — the contractual layer

A data processing agreement, zero-retention mode, the correct transfer mechanism. Necessary, unglamorous, and routinely misconfigured — the default logging window is what trips most reviews.

4. Keep a human in the loop — design as a trust posture

A model that suggests and drafts while a person reviews and approves is not only more trusted in Europe — it is easier to explain, audit and defend. Collaborative AI rather than autonomous agents is a compliance posture as much as a design choice.
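The mask-and-restore step of layer 1, the privacy proxy, as an added example that is not code from this essay or from any of the tools it alludes to. The regex detectors, the `[[KIND_n]]` placeholder format, the `MaskingSession` and `ask` names and the `fake_model` stand-in are all assumptions made for illustration.

```python
import re

# Constructed detectors for three identifier kinds. Regexes miss names and
# free-text identifiers, so masking reduces exposure rather than removing it.
PATTERNS = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("IBAN", re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){3,7}(?: ?[A-Z0-9]{1,3})?\b")),
    ("PHONE", re.compile(r"\+\d{1,3}(?:[ -]?\d{2,4}){2,4}")),
]
TOKEN = re.compile(r"\[\[(?:EMAIL|IBAN|PHONE)_\d+\]\]")


class MaskingSession:
    """Per-request placeholder map. The vault stays inside your network."""

    def __init__(self):
        self.vault = {}    # placeholder -> original value
        self.seen = {}     # original value -> placeholder (same value, same token)

    def _token(self, kind, value):
        if value not in self.seen:
            token = f"[[{kind}_{len(self.vault) + 1}]]"
            self.vault[token], self.seen[value] = value, token
        return self.seen[value]

    def mask(self, prompt):
        for kind, pattern in PATTERNS:
            prompt = pattern.sub(lambda m, k=kind: self._token(k, m.group()), prompt)
        return prompt

    def restore(self, response):
        # A placeholder the session never issued is left untouched, not guessed.
        return TOKEN.sub(lambda m: self.vault.get(m.group(), m.group()), response)


def fake_model(masked_prompt):
    """Constructed stand-in for the remote model API; it sees placeholders only."""
    return "Refund confirmed. Referenced: " + ", ".join(sorted(set(TOKEN.findall(masked_prompt))))


def ask(prompt, model=fake_model):
    session = MaskingSession()
    masked = session.mask(prompt)          # this is all that leaves the network
    return masked, session.restore(model(masked))


# Constructed sample prompt.
SAMPLE = ("Customer anna.keller@example.org (phone +49 30 1234567) asks for a refund "
          "to DE89 3704 0044 0532 0130 00. Write to anna.keller@example.org.")

if __name__ == "__main__":
    for line in ask(SAMPLE):
        print(line)
```

Repeated values map to the same placeholder, so the model can still tell that two mentions refer to the same person, which keeps part of the context the minimisation rule would otherwise cost.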

The honest version

No layer is a magic wand, and I am not a lawyer. Masking reduces exposure; it does not erase every obligation. The stack does not make GDPR disappear — it makes American AI usable within it. The tools are mostly American too, which is precisely why an independent European perspective is needed to assemble and judge them. Your data protection officer signs off on the specifics. My work is the map: which layers your case needs, where each genuinely helps, and where it only looks like it does.

The position

The question no one owns

Three groups talk past the company that needs to act. The sovereignty movement explains how Europe should one day stop depending on American AI. The model vendors document their own product and tell you to trust them. The privacy-tool makers sell one layer of the stack. None of them answers the whole, practical, cross-vendor question a company actually has:

Given that I must use American AI now — how do I run it in Europe correctly? This model, this configuration, this contract, today.

That question stays open because the dependence stays real. It is not the Commission's job, and not the vendors' job. It is the work of mediation — translating between an imported intelligence and a continent's rules, culture and trust. That is European Context Engineering, and it is what I do.

The specifics will keep moving — tools improve, rules shift, configurations date. The thesis will not: as long as Europe runs on a borrowed mind, someone has to make the borrowing work. If you want to see where your own product or company stands on these questions, the readiness check is the place to start.

Bringing AI to Europe?

Start with ten questions worth sitting with before you invest — or write me, and we'll think it through together.
