Confidential Computing – A Way Out of Europe's AI Dilemma?

Almost everyone uses AI by now – ChatGPT, Gemini or Copilot have long been part of daily life for many. The question rarely asked along the way is: where do our inputs actually end up – and who could, in theory, read them?

How real that question is shows up in an everyday observation: many organisations are hesitant to give their staff the truly powerful tools – a Claude Code, say – precisely because of this open data question. Yet that is only one slice of a larger dilemma that affects Germany and the EU in particular.

The dilemma

The most capable AI models today almost all come from the US (OpenAI, Anthropic, Google). Three US providers together account for roughly three-quarters of the enterprise market for language models; the dependency is also large in cloud (~70 %) and AI chips (Nvidia and AMD combined over 80 %). Europe’s only front-runner of its own is Mistral (France) – strong in areas such as document/OCR processing, but not yet on par when it comes to “vibe coding” (AI-assisted programming) à la Claude Code or OpenAI Codex.

At the same time, the server location is no guarantee: the US CLOUD Act obliges US companies to hand data to US authorities on the basis of a valid US legal instrument (e.g. a court order) – explicitly regardless of whether the data sits in the US or in an EU data centre. So a “Frankfurt hosting” from Microsoft, AWS or Google does not automatically resolve the legal tension with Art. 48 GDPR (transfers to third countries). That this is not merely theoretical was shown in 2025 by the case of ICC chief prosecutor Karim Khan, who – according to media reports – switched from his Microsoft account to a Swiss provider following US sanctions (Microsoft disputed the depiction of an active shutdown).

And the obvious idea – “then we’ll just host open models ourselves” – has its own catches: leading Chinese models (DeepSeek, Qwen) carry documented censorship directly in the model weights, which persists even when run locally. Meta’s Llama 4 is, in licensing terms, partly off-limits for EU companies. And Western models aren’t inherently neutral either: xAI’s Grok produced extreme, well-documented failures several times in 2025.

Where Confidential Computing comes in

Classic encryption protects data at rest and in transit – but the moment a computer processes it, it sits in plaintext in memory. Confidential Computing closes exactly this gap: the processing runs inside a hardware-isolated, encrypted area (an “enclave”) that not even the cloud operator or an administrator can inspect. Through “attestation”, the hardware also proves cryptographically that the expected, unaltered code is really running.

For AI, that means: you could send sensitive data through a strong model without the operator seeing it in plaintext.
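
To make the attestation step concrete, here is an added sketch (not code from this post or from any vendor) of the check a client runs before releasing sensitive data to an enclave. Assumptions: the report format, the field names and the functions `make_report` and `verify_report` are hypothetical, and an HMAC key stands in for the vendor-rooted hardware signature a real enclave would use.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: a real enclave signs its report with a hardware-held asymmetric
# key chained to the CPU vendor. An HMAC key stands in for that root of trust.
HW_KEY = b"constructed-demo-hardware-key"

# Constructed sample: the inference image the client has reviewed and trusts.
TRUSTED_IMAGE = b"inference-server v1 (constructed image)"
EXPECTED = hashlib.sha384(TRUSTED_IMAGE).hexdigest()


def make_report(image: bytes, nonce: str, debug: bool = False) -> dict:
    """Enclave side (simulated): measure the loaded code and sign the report."""
    body = {"measurement": hashlib.sha384(image).hexdigest(),
            "nonce": nonce, "debug": debug}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body,
            "sig": hmac.new(HW_KEY, payload, hashlib.sha384).hexdigest()}


def verify_report(report: dict, nonce: str) -> str:
    """Client side: return 'ok' or the reason the enclave is not trusted."""
    payload = json.dumps(report["body"], sort_keys=True).encode()
    good_sig = hmac.new(HW_KEY, payload, hashlib.sha384).hexdigest()
    # 1. The report must be signed by the root of trust and be unmodified.
    if not hmac.compare_digest(good_sig, report["sig"]):
        return "bad signature"
    body = report["body"]
    # 2. The report must answer this session's challenge (no replay).
    if not hmac.compare_digest(body["nonce"], nonce):
        return "stale nonce"
    # 3. A debug-enabled enclave can be inspected by the operator.
    if body["debug"]:
        return "debug mode enabled"
    # 4. The measured code must be exactly the image the client expects.
    if not hmac.compare_digest(body["measurement"], EXPECTED):
        return "unexpected code measurement"
    return "ok"


if __name__ == "__main__":
    nonce = secrets.token_hex(16)  # fresh challenge per session
    print(verify_report(make_report(TRUSTED_IMAGE, nonce), nonce))
    print(verify_report(make_report(b"patched server", nonce), nonce))
```

Only when the result is `ok` would the client open an encrypted channel to the enclave and send its data.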

The honest question

Is this the way out of the dilemma? Partly. It genuinely protects the confidentiality of the data – but it does not automatically make a US model “sovereign”: the roots of trust (processors from Intel, AMD, NVIDIA and the associated attestation services) are themselves US-controlled, and the CLOUD Act attaches to the organisation anyway, not to the server location. Against a model’s bias or censorship the technology does nothing at all – it protects data, not content.

The honest formula is therefore: Confidential Computing makes strong (US) AI more GDPR-compliant and lower-risk – not automatically GDPR-compliant, and not sovereign. Real sovereignty only emerges with European-controlled infrastructure (Gaia-X, EuroHPC) – which, at the frontier level, isn’t there yet. The two are complementary, not interchangeable.

It is precisely these opportunities and limits that I want to explore step by step in the coming posts: why an EU data centre alone doesn’t mean sovereignty, which model is suitable for self-hosting, what Confidential AI actually delivers in practice today – and how to do the sovereignty maths honestly.


If this piece helped you, feel free to share it – and let me know how you see the data question in your own environment.


Sources (selection):