Sovereign AI for regulated industries: when on-prem stops being optional
Finance, healthcare and the public sector increasingly face hard data-residency rules. Here is how on-prem and isolated AI maps to DORA, the EU AI Act and the European Health Data Space.
In regulated sectors, “where the AI runs” is rarely a preference. It is written into supervision.
Finance: residency by regulation
In the EU, DORA — the Digital Operational Resilience Act — has applied since 17 January 2025, with strict ICT third-party risk management and a register of providers. Dutch supervisors DNB and AFM have flagged concentration risk from leaning on a few non-EU IT providers, nudging firms toward sovereign and on-prem hosting. Other jurisdictions go further still — Türkiye’s banking regulator requires banks to keep original data in-country — but the EU direction is already clear: for a regulated firm, “send the data to someone else’s cloud” is getting harder to defend.
Healthcare and the public sector
Health data is moving the same way: the European Health Data Space regulation entered into force on 26 March 2025, keeping patient data inside national healthcare infrastructure under access-permit regimes. Public-sector procurement, too, is tilting toward sovereign and on-prem options. The common thread is that the data is too sensitive — or too regulated — to leave the building.
The AI Act sits on top
Over all of this runs the EU AI Act, whose high-risk obligations phase in through 2 August 2026 and bring duties around data governance, logging and traceability. A controlled, on-prem deployment makes those duties easier to audit, because the whole data flow is inside one boundary you can inspect.
Be honest about the cost
On-prem is the safe default here, but it is not free. Running models yourself means real compute, the full local retrieval-and-inference stack, and the operational discipline of patching systems that don’t phone home. The point is not that on-prem is cheap; it is that for regulated workloads it is often the only option that passes review.
For regulated workloads, sovereignty isn’t a feature you add at the end — it’s the shape of the architecture.
Arpanet is built for that shape: our own models, our own gateway, and deployment on-prem, isolated or in the cloud — engineered for the GDPR by design, so the compliance story is the architecture, not a bolt-on.