Data sovereignty in 2026: why on-prem and isolated AI moved from preference to plan
The EU AI Act clock, the GDPR transfer rules and the CLOUD Act gap have turned “where your AI runs” into a legal question, not just an architectural one.
For a long time, “where does the AI run” was an engineering detail. In 2026 it is a compliance question with dates attached.
The regulatory clock is real
The EU AI Act entered into force on 1 August 2024 and applies in phases: prohibited practices since 2 February 2025, general-purpose-AI obligations since 2 August 2025, and most high-risk obligations from 2 August 2026. Whatever you deploy now will live inside that timeline.
What the GDPR actually requires
It helps to be precise about the baseline. The GDPR does not require personal data to be stored physically inside the EU. What it regulates is how data leaves the EEA: you need a legal basis such as an adequacy decision or appropriate safeguards (standard contractual clauses), plus a transfer impact assessment. The catch, after the CJEU’s Schrems II ruling, is that safeguards on paper cannot cure a conflict with a foreign surveillance law — which is exactly where the next point bites.
The gap a contract cannot close
Under the US CLOUD Act and FISA Section 702, a US-owned provider can face lawful requests for data even when it sits in an “EU region” — a point Microsoft conceded under oath to the French Senate in June 2025. A foreign-owned cloud’s “sovereign” label reduces exposure; it does not remove the legal vector. On-prem and isolated deployment does, because the data never enters a foreign-controlled system in the first place.
Say what you mean by “isolated”
One honesty note. “Isolated” usually means a segregated network with controlled egress; “air-gapped” means no route off the box at all. They are different risk profiles, and conflating them is a credibility error. Be precise about which one you are buying.
Arpanet is built so the answer can be “inside your perimeter”: on-prem, fully isolated, or in the cloud — your call. The platform is engineered for the GDPR from the first line of code, and sovereignty is a setting, not an upsell.