You Shall Not Pass! The US Firms Barred from the EU

Thundering “You Shall Not Pass!” seems to be the way to stop a force that does not belong. At least it worked for Gandalf: when he thundered it on the Bridge of Khazad-dûm, he stopped a force that simply didn’t belong. I’m not writing this out of malice. I have nothing against the US, which is one of our biggest political allies and undoubtedly a formidable force to be reckoned with when talking about European security.

Unfortunately, today that same thundering message greets US tech companies seeking access to Europe’s high-security data markets – not because of a lack of innovation, but because of the law. Let me explain why.

The Legal Wall: Why US Jurisdiction Trumps Everything

If you’re a US company, it doesn’t matter where your servers are. What matters is where your headquarters – and your legal obligations – are based. US surveillance laws, most notably the CLOUD Act and FISA Section 702, give US authorities the right to access data held by any US-owned entity, even if that data physically resides within the European Union.

  • The CLOUD Act (2018) explicitly compels US companies to turn over data stored overseas if requested by US law enforcement. (Source: TechRadar)

  • FISA Section 702 allows US intelligence agencies to collect data on non-US persons outside the US, even if that data never leaves European soil. (Source: LinkedIn)


This means that no amount of EU server hosting or privacy policies can shield your data if the ultimate parent is American.

GDPR and the EU AI Act: Not Optional

Europe’s data laws have teeth. GDPR applies to any company handling the data of EU citizens, regardless of where it’s based (GDPR Article 3). The new EU AI Act ups the ante further for any AI-powered service – especially for “high-risk” applications.

But here’s the kicker: GDPR Article 48 forbids data transfers to countries outside the EU unless strictly regulated, and the CLOUD Act is not considered such a lawful mechanism (Source: Wire). Complying with a US warrant would directly violate GDPR.

  • GDPR: covers all businesses and all personal data.

  • EU AI Act: only matters for providers and users of AI systems.

The Trust Gap: Why It's a Dead End for US Vendors

For sectors handling sensitive, regulated or strategic data – government, healthcare, defence, critical infrastructure – European clients and regulators now routinely require not just local servers, but local legal ownership and control.

EU procurement rules, especially in critical and high-security sectors, increasingly exclude US-controlled vendors from even bidding for contracts. The legal “hall pass” that US law grants its own authorities is seen as a risk that cannot be closed, not a theoretical one. And rightfully so.

Technical workarounds (ring-fencing, “data trust” entities, contractual promises) aren’t enough. Jurisdiction always trumps geography.

Why This Isn't Just About Compliance

  • Penalties: Fines for GDPR breaches can reach 4% of global annual turnover.

  • Lost Business: Payment processors, ad networks and institutional clients often pre-emptively reject vendors who can’t demonstrate real data independence.

  • Reputation: One compliance-related incident can kill access to the European market for years.

European high-security entities can’t take the risk of breaking the law, no matter how appealing the solutions or offers are. Even the best US AI is barred if it puts a European enterprise at risk of non-compliance.

Is There a Way for US Firms to Truly "Pass"?

For non-sensitive sectors – think ordinary ecommerce, basic SaaS, or marketing tech – US companies can still operate in Europe if they’re meticulous with their compliance measures (GDPR representatives, Standard Contractual Clauses (SCCs), robust documentation).

Outside of high-risk sectors and AI applications, a US business can often access the EU market simply by strictly following GDPR and documenting robust compliance. However, for high-security sectors governed by the EU AI Act, only a genuinely independent EU entity – free from US law – can truly comply.

For high-security, high-stakes sectors, especially when talking about AI, US jurisdiction is the wall you cannot climb. The only real alternative is to create a genuinely independent, locally-governed European company with true legal and operational autonomy, not a subsidiary. Anything less, and you’re right back at the bridge – entry denied.

Conclusion: Europe's Message is Clear

You can build the world’s best AI, hire the brightest minds, and run servers in a Paris bunker, but if you answer to Washington, you shall not pass into Europe’s most sensitive data markets. That is the new normal for digital sovereignty in 2025.

For those that can pass – European-owned, independent and built for the continent’s strict legal regime – the bridge is open. For everyone else: Gandalf’s thundering stands.

North Atlantic was built for this new world – European, independent and unbound by overseas law. That’s why, for us and for our clients, we shall pass.

North Atlantic

Victor A. Lausas
Chief Executive Officer
Want to dive deeper?
Subscribe to North Atlantic’s email newsletter and get your free copy of my eBook,
Artificial Intelligence Made Unlocked. 👉 https://www.northatlantic.fi/contact/
Hungry for knowledge?
Discover Europe’s best free AI education platform, NORAI Connect, start learning AI or level up your skills with free AI courses and future-proof your AI knowledge. 👉 https://www.norai.fi/