Guide · Local & sovereign AI

Running AI on your own servers isn't compliance.

A powerful instinct in European AI right now: run the model yourself — on-device, on-premise, on sovereign EU infrastructure — and you've handled the regulation. It's half-right. Keeping a model local can be a genuine win for data control. But it answers a different question from the one the EU AI Act asks. Where a model runs tells you about residency. It says nothing about conformity.

Start here

Two different questions, quietly merged into one.

"Where does the data go?" and "does this system meet the law's requirements?" feel like the same question. They aren't. Running a model on your own hardware is a strong answer to the first — and no answer at all to the second. The Act doesn't ask where you assembled the system; it asks whether the system is fit for what you use it for.

A residency & control question

What running it yourself settles

  • Where your data is physically processed
  • How exposed you are to foreign lawful-access demands
  • Whether you depend on a single vendor
  • How much of your stack you can keep in-house and audit

A conformity question the Act still asks

What it leaves wide open

  • Which risk tier your use falls in
  • Whether a conformity assessment and technical file are owed
  • Transparency, human-oversight and logging duties
  • Post-market monitoring and AI-literacy obligations

The everyday version: building a car in your own garage doesn't exempt it from road-safety law. Where you put it together is not whether it's road-legal — and only one of those is what the regulator checks.

What the Act actually regulates

The use, not the topology.

The EU AI Act regulates an AI system and how it's used — not where the maths happens. The duties travel with the use, whether inference runs on your laptop, in your server room, on a sovereign EU cloud, or through a hosted API. For a system caught by the Act, all of this stays in force regardless of location:

  • Which risk tier the use falls in — Annex III, or not
  • A conformity assessment and technical documentation, if it is high-risk
  • Data governance, logging and record-keeping
  • Transparency — telling people when they are dealing with AI (Art. 50)
  • A competent human kept genuinely in oversight
  • Post-market monitoring, and AI literacy for the staff who use it (Art. 4)

Deployment topology is not a compliance strategy. Where it runs answers residency. It says nothing about conformity.

New to the risk tiers and who owes what? The EU AI Act guide lays out the shape, and if you've adapted or rebranded a model, the "Deployer or provider?" guide checks whether you've crossed from user to maker.

Watch for these

Three traps hiding inside "we run it ourselves".

Each is a true statement about the plumbing, quietly doing duty as a false statement about the law.

“Open, so we’re exempt”

Open-weight and European models are a sovereignty and data-control advantage — not a compliance carve-out. The Act's open-source relief trims a few documentation duties for a model's original makers; it never reaches a high-risk or transparency-risk use. Self-host an open model to screen CVs and you carry the full high-risk duties — and if you fine-tune or repurpose it, you may even become its provider.

“Federated, so data never leaves”

On-device and federated set-ups share model updates, not raw files — but those updates can still carry personal data, and the use they serve is regulated either way. Local processing narrows some exposure; it does not remove the obligation.

“It’s hallucination-free”

No general model is, and no retrieval system makes it so. An absolute-accuracy or "hallucination-free" claim isn't a feature — under the Act it's a transparency and marketing-law liability waiting to be tested.

The line worth getting right

Residency is not sovereignty.

Even on the data-control question, the easy version misleads. "EU-hosted" is not the same as "EU-governed". A provider that's subject to a foreign legal order can face lawful-access demands for the data it holds — even when that data sits on European soil. A locked room inside a building someone else owns is not a building you own.

This is where local and European models genuinely pay off: an open-weight model you can self-host changes who can reach the data, not just where it rests. That's a real, defensible advantage — and it's a data-control argument, never a compliance one. It's exactly the ground the Mistral track works through: the introduction to open, self-hostable models and keeping data in your control, and the full hands-on day on deployment options and data control — without ever pretending that choosing your own infrastructure has discharged the AI Act.

How Kramer Consulting helps

Get both stories right — separately.

Sovereign, local and open AI is often the right choice — for data control, for independence, for keeping foreign law at arm's length. We're firmly for it. The only mistake is letting it stand in for the compliance work. We place your system on the risk map wherever it runs and build the evidence the role requires — through the AI Act Compliance Accelerator — and we get the data-control and sovereignty story straight through the training, so the two are never confused for one another.

Running your own model? Bring it.

We'll separate the residency win from the compliance work. An honest read, no pitch.

Book a discovery call