Jadey Insight

July 3, 2026Jörg Hubacher

Borrowed Intelligence

Why American and Chinese AI models are critical dependencies for European companies, and why the right answer during the transition phase is controlled dependency, not decoupling.

Jörg Hubacher is founder of Corevision GmbH and developed Jadey. This article is a personal contribution to the debate on corporate digital sovereignty, not an original empirical study.

Note: This article formulates a testable thesis on how European companies should handle non-European frontier models. It is not legal advice and not product copy. Documented findings, plausible mechanisms and normative conclusions are deliberately kept separate. A separate note on Jadey's transition strategy follows at the end, outside the actual insight.

Abstract

The debate on digital sovereignty swings between two mistakes. The first mistake is naive integration: companies build their value creation on American or Chinese AI models without treating the resulting dependency for what it is: a critical, externally controllable dependency in legal jurisdictions whose access logic European companies do not control. The second mistake is premature decoupling: giving up frontier capabilities for sovereignty reasons at a time when European alternatives do not yet reach frontier-level performance, so the waiver creates a measurable competitive disadvantage.

This article argues for a third position: European companies must deliberately expose themselves to these dependencies during a transition phase, but in a controlled, classified and reversible way. In this phase, sovereignty is not a property of model origin, but a property of operating architecture. A company that classifies its data, builds model-agnostic orchestration, defines exit paths and keeps operational control can use frontier capabilities without strategically handing itself over. The transition phase ends when European or openly available models reach the frontier level required for the respective workload. The evidence suggests that point is moving closer, but has not yet been reached.

Keywords: digital sovereignty; critical dependency; frontier models; agentic AI; CLOUD Act; open-weight models; EuroStack; transition strategy; operating architecture

Problem statement: sovereignty as operating risk, not attitude

Digital sovereignty is often discussed in Europe as a political or cultural topic: as a question of values, identity and independence from Big Tech. For companies, that framing is unproductive. It leads either to symbolic decisions without business substance or to a shrug, because value rhetoric rarely wins against productivity gains.

The business-relevant question is different: What happens to a company whose core processes run on a resource it neither controls nor can replace at short notice, and whose availability, price, behaviour and legal exposure are decided in Washington or Beijing?

That question is not hypothetical. Within three years, generative AI has moved from an experimental field to a production resource; according to the Stanford AI Index 2026, 70 percent of organisations use generative AI in at least one business function (Stanford HAI, 2026). With agentic systems, use moves from text assistance into process execution: models access tools, data and approval mechanisms, prepare decisions and complete cases. The deeper these systems are built into workflows, the more their dependency resembles dependency on an energy source rather than dependency on software. It is continuous, volume-based and hard to substitute during live operations.

In academic literature, digital sovereignty is therefore increasingly understood not as autarky, but as agency and control capability under conditions of interdependence (Pohle and Thiel, 2020; Floridi, 2020). That is the meaning used here: a company is not sovereign because it avoids foreign technology, but because it can always make a reasoned decision about which data it entrusts to which system, and because it could change provider without its operations collapsing.

Conceptual clarification: when does a dependency become critical?

Not every dependency is a problem. Companies depend on semiconductors, payment networks and operating systems without that automatically creating acute strategic vulnerability. Based on the criteria the European Commission uses to assess strategic dependencies in supply chains, a dependency can be called critical when three conditions come together (European Commission, 2021):

First, concentration: the resource is controlled by a small number of providers, which also sit in one or two jurisdictions. Second, low substitutability: a short-term switch is technically, contractually or qualitatively impossible without losing material performance. Third, depth of intervention: the resource touches core processes, sensitive data or decisions, not only peripheral functions.

For many companies, frontier models now meet all three conditions at once. That distinguishes them from classic standard software. Replacing a word processor is annoying; replacing a model whose specific behaviour has calibrated the prompts, agent workflows, evaluations and quality assurance of an entire company is a reengineering project. And unlike standard software, model use continuously moves data: context, documents, customer information, process knowledge.

One distinction matters: critical does not mean malicious. The thesis of this article does not assume hostile intent by American or Chinese providers. It only assumes that those providers are subject to the law and strategic interests of their home states, which the evidence shows they are, and that geopolitical conditions can change faster than enterprise architectures.

Evidence I: the frontier is American-Chinese

The finding behind this article is uncontested and well measured. For 2025, the Stanford AI Index 2026 counts 59 notable models from the United States and 35 from China; all other countries together play a marginal role in that statistic, with France and the United Kingdom each accounting for one notable model in the evaluated data (Stanford HAI, 2026). In March 2026, the performance gap between the best American and the best Chinese model had shrunk to 2.7 percent; since early 2025, American and Chinese models have traded the leading position several times. The frontier race is a two-country race, and Europe is currently not taking part in it.

The investment data explains why. Private AI investment in the United States reached USD 285.9 billion in 2025; China reached USD 12.4 billion, while state-guided funds likely understate actual Chinese expenditure considerably (Stanford HAI, 2026). Europe does not appear at that scale. The Draghi report on European competitiveness classified this gap structurally in 2024: Europe's productivity gap versus the United States is substantially a technology gap, only four of the world's 50 most valuable technology companies are European, and without massive additional investment Europe risks becoming a technology taker (Draghi, 2024).

For the dependency question, the EuroStack analyses are even more telling: more than 80 percent of the digital technologies and infrastructures used in Europe come from non-European providers, around 70 percent of the AI foundation models used globally come from the United States, and European companies account for only 7 percent of global research spending in software and internet (Bria, Timmers and Gernone, 2025; Bertelsmann Stiftung, 2025).

Two additional bottlenecks sharpen the picture below the model layer. More than 60 percent of global AI compute capacity runs on chips from a single manufacturer, and almost every leading AI chip is produced by one foundry in Taiwan (Stanford HAI, 2026). Anyone talking about dependency on models is implicitly also talking about dependency on a highly concentrated compute and fabrication infrastructure that Europe does not control either.

Evidence II: the anatomy of dependency

Dependency on non-European models is not a diffuse concern. It can be broken down into four concrete mechanisms that are documented to different degrees.

US jurisdiction: extraterritorial data access

The US CLOUD Act of 2018 can require companies under US jurisdiction to hand over data on lawful order, even if that data is physically stored outside the United States (U.S. Department of Justice, 2019). There is also broader US intelligence law: Section 702 of the Foreign Intelligence Surveillance Act targeted surveillance of non-US persons outside the United States; after authorisation expired in June 2026, the operational situation remains legally complex until 2027 because of existing FISC certifications (Brennan Center, 2026). The practical reality of this legal position became visible in June 2025, when Anton Carniaux, chief legal officer of Microsoft France, was asked under oath in a French Senate hearing whether he could guarantee that data of French citizens would never be transmitted to the US government without the consent of French authorities. His answer was no, he could not guarantee it, while noting that such a case had not occurred so far (Sénat, 2025; heise online, 2025). The statement is not only about Microsoft as an individual case. It points to the basic problem of providers under US jurisdiction: EU data centres and contractual assurances reduce risks, but do not automatically remove the legal exposure of the parent company.

Chinese jurisdiction: cooperation duties and content control

On the Chinese side, the legal position is even clearer. Article 7 of China's 2017 National Intelligence Law requires organisations and citizens to support and cooperate with state intelligence work (National People's Congress, 2017). The 2023 Interim Measures for generative AI services also require generated content to comply with socialist core values, a content-control requirement relevant for providers of generative AI services in the Chinese regulatory sphere (Cyberspace Administration of China, 2023). Practical relevance became visible in January 2025, when the Italian data protection authority Garante immediately prohibited the processing of Italian user data by DeepSeek after the company rejected questions on data collection, storage location and legal basis as inapplicable from its point of view; regulators in Ireland and France opened their own reviews (Garante, 2025; Euronews, 2025). For Chinese services, storage or processing in China can additionally matter; for locally operated Chinese open-weight models, live data outflow may disappear, but the provenance and alignment question of the model weights remains.

Business dependency: pricing, deprecation and behavioural drift

The third mechanism is less dramatic, but most effective in daily operations. Model providers unilaterally change prices, terms of use, rate limits and model versions. Models are deprecated, their behaviour shifts between versions, and prompts, agents and evaluations calibrated to specific model behaviour have to be adjusted. For a company operating agentic processes in production, model deprecation is not a software update. It is an intervention in live operations, scheduled by the provider, not the user. This mechanism is not a geopolitical scenario, but documented market routine.

Escalation risk: technology as leverage

The fourth mechanism long seemed the least likely and is the most consequential: unilateral withdrawal or state steering of access to frontier models. Export controls for AI chips have been an established US policy tool toward China since 2022; since 2025, the possibility that the same logic, access as bargaining leverage, could in principle also be used toward Europe has become a serious political debate rather than a marginal scenario (Bria, Timmers and Gernone, 2025). Fairness is required here: until recently, this point meant no documented case, only a scenario. That changed in June 2026. On June 12, 2026, the US government issued an export-control directive, citing national security, that prohibited all access to Anthropic's new top models Fable 5 and Mythos 5 by foreign nationals, inside and outside the United States and including the provider's own foreign employees. Because nationality cannot be checked in real time at API level, Anthropic had to disable both models globally for all customers at short notice; the company publicly objected to the reasoning but had to comply with the order (Anthropic, 2026a; Al Jazeera, 2026). Two weeks later, on June 26, 2026, OpenAI released its new top model GPT-5.6 initially only in a limited way to individually vetted US-based partner organisations at the request of the US government, not a ban, but a politically influenced access gate at launch (Forbes, 2026; Reuters, 2026). On June 30, 2026, the US Department of Commerce lifted the export controls again; Fable 5 was made available globally again from July 1 (Anthropic, 2026b; Euronews, 2026).

The episode lasted less than three weeks, and, to be precise, it was not a targeted move against Europe. According to public explanation, the reason was a security assessment of the models' cyber capabilities, not geopolitics. That is exactly why it is revealing: it proves the mechanism independently of motive. Three things are now documented: access to frontier models can be withdrawn by state order within hours and without lead time; the providers themselves do not control that process; and non-US customers or non-US nationals can be directly excluded through nationality or location clauses, regardless of whether a measure is aimed at Europe. What is not documented is the use of this lever as targeted pressure against Europe; that remains a scenario. But the question of whether the lever exists and can be pulled at short notice has been answered since June 2026. In a repeat case, the size of the damage is then decided not by the order, but by the reversibility of the company's own architecture. That is why this mechanism belongs in every architecture decision, not in the category of alarmism.

Core thesis: controlled dependency during the transition phase

Two temptations follow from the evidence, and both are wrong.

The first temptation is premature decoupling: refusing American and Chinese frontier models until European alternatives are ready. That position underestimates the cost of abstention. For complex tasks, multi-step reasoning, agentic tool use and demanding code generation, the performance gap between frontier models and today's available European alternatives is real and commercially relevant. In a competitive environment where 70 percent of organisations use generative AI productively, a company that systematically rejects the highest-performing model class chooses a structural productivity disadvantage versus every competitor that does not. Sovereignty bought through competitive loss does not create sovereignty; it merely shifts dependency from the technology provider to the superior competitor.

The second temptation is naive integration: deeply embedding frontier models in core processes, sending sensitive data unfiltered into foreign jurisdictions and coupling the architecture so tightly to one provider that a switch is effectively excluded. That position underestimates the cost of irreversibility. It treats a critical dependency as an ordinary supplier relationship.

The core thesis of this article is therefore: during the transition phase, until European or openly available models reach the frontier level relevant for the respective workload, European companies must deliberately accept dependency on American and Chinese models. But they must treat it for what it is: a critical dependency that is classified, limited and kept reversible. In this phase, sovereignty is not a property of model origin, but a property of operating architecture.

What controlled dependency concretely requires

Controlled dependency is not a feeling, but a verifiable architectural property. It can be measured through five questions.

First, data classification: which data may reach a frontier model in a foreign jurisdiction, which data may only reach a model under the company's own control, and which data may reach no model at all? A company that cannot answer this question per process has not a controlled dependency, but an uncontrolled one. Second, model agnosticism: is the orchestration layer, prompts, tool integration, evaluations and approval logic, built so that a model change is a configuration and testing effort rather than a reengineering project? Third, exit paths: is there a named, tested fallback option for every productive use case, a second provider or an open-weight model on own or European infrastructure, and has the switch been rehearsed rather than merely asserted? Fourth, operational control: are process knowledge, context stores, protocols and audit data under the company's own access and in European infrastructure, so that the company still knows what its systems did and why after a provider change? Fifth, supervision capability: can the company prove to customers, regulators and itself at any time which model prepared which decision with which data?

These five properties are useful regardless of how geopolitics develops. They require discipline, but little performance sacrifice. None requires giving up frontier capabilities. What they require is that the dependency could be terminated at any time, because a dependency that can be terminated loses much of its strategic force.

The transition phase: how long, and what suggests that it ends?

The thesis of a transition phase assumes that an end is foreseeable. Three developments support that view without guaranteeing it.

First, the gap between open and closed models is measurably shrinking. According to Epoch's ECI estimate, the best open-weight models were still about one year behind the closed frontier at the end of 2024; since early 2026, the average gap has been about four months (Cottier et al., 2024; Edwards and Emberson, 2026). For companies, this is one of the most important indicators in the debate: it suggests that capabilities available today only through American APIs may arrive, with a delay of a few months, in models that can be operated under own control and in European infrastructure. One caveat applies: the leading open models currently come predominantly from China. Local operation solves the data outflow problem, not the provenance problem of the weights, which is one reason why European open models matter strategically.

Second, European compute and model capacity is emerging at a scale that did not previously exist. The European Commission's InvestAI initiative is intended to mobilise around EUR 200 billion for AI, including a EUR 20 billion facility for up to five AI gigafactories with more than 100,000 AI processors each; 13 smaller AI Factories were selected in 2024 and 2025, and the formal call for gigafactories is expected for summer 2026 (European Commission, 2026a; European Commission, 2026b). Projects such as OpenEuroLLM are working on open European foundation models, and Mistral provides at least one European provider credibly close to the frontier. The announced Cloud and AI Development Act also addresses strategic dependencies from the regulatory side (European Commission, 2026c).

Third, and this is the honest qualification, the time horizon is long and the outcome open. Years lie between tendering, construction and productive operation of gigafactories; the formal call has already been postponed several times. A transition phase of several years is realistic, not a matter of quarters. And there is no law of nature that says Europe will catch up. The investment gap versus the United States is twentyfold, and the Draghi report describes structural rather than cyclical causes (Draghi, 2024). The transition strategy must therefore hold even if the transition phase lasts longer than hoped, which it does, because reversibility becomes more valuable in every scenario the longer the dependency persists.

Objections and alternative positions

The most obvious objection is that the dependency is overstated. The frontier-model market is competitive, several providers compete, and multi-vendor strategies reduce risk. That is correct, and insufficient. Three American providers are not full diversification of jurisdiction risk; they are primarily diversification of supplier risk. CLOUD Act, broader US intelligence law and the political steerability of access structurally affect providers under US jurisdiction; switching within the same legal space changes that situation only in a limited way. Diversification counts only once at least one rehearsed fallback option outside the two dominant jurisdictions exists.

A second objection comes from the opposite direction: the position taken here is too lenient. If the dependency is critical, the consequence must be immediate exit, not management of that dependency. This objection deserves a serious answer, because it is consistent. It fails on the empirical status of alternatives: for many demanding workloads, there is currently no European substitute at frontier level, and abstention would not be symbolic, but productive. A sovereignty policy that lets European companies fall behind during the decisive productivity surge of a foundational technology damages the economic substance from which European alternatives would have to be funded. Decoupling may be debatable as an end state; as an immediate measure, it is self-weakening.

Third: sovereignty rhetoric as disguised protectionism. This objection also has a true core; not every European product deserves preference merely because it is European. The thesis argued here does not require that. It requires reversibility, not preference. A company working according to the five criteria can always use the best model available; it simply never loses the ability to decide differently.

Fourth: European models may never reach the frontier, making the transition phase permanent. That is possible. But the thesis depends on this less than it might seem. If the catch-up fails, reversibility does not become worthless, but more important, because the bargaining power of the remaining providers grows and the open-weight route becomes the only control layer. Controlled dependency is the dominant strategy in both scenarios; only premature decoupling and naive integration each bet on exactly one outcome.

Fifth, the legal objection: the transition strategy could be shortened from outside, for example if the transatlantic adequacy decision, like its two predecessors, falls in court and data transfers to the United States again rest on uncertain foundations. That is not an argument against the thesis, but its strongest practical argument. A company that builds data classification, model agnosticism and exit paths only when a court ruling forces it will build them under time pressure and in a damage case.

Conclusion

European companies' dependency on American and Chinese AI models is real, measurable and critical under the usual criteria: it is highly concentrated, hard to substitute at short notice and reaches deeply into core processes and data stores. At the same time, immediately giving up these models would be the most expensive answer of all, a self-chosen productivity disadvantage in the early phase of a foundational technology that no sovereignty rhetoric can offset.

The rational position for the transition phase is uncomfortable because it asks something of both camps in the debate: sovereignty advocates must admit that Europe has to import the frontier for now; pragmatists must admit that this import is a critical dependency that must not be entered unless it can be ended at any time. In this phase, sovereignty emerges not from where the model comes from, but from the architecture of operation: classified data, model-agnostic orchestration, rehearsed exit paths, operational control over knowledge and protocols, supervision capability.

The thesis is testable. If it is wrong, it should become visible that abstaining from frontier models creates no measurable competitive disadvantage, that providers' price, condition and version changes do not place companies without fallback options in a worse position than companies with such options, and that European or open models are already equivalent for the relevant workloads. If it is right, the coming years will show three things: a further shift of productive workloads to open-weight models on own or European infrastructure, growing regulatory requirements for evidence and exit capability, and a growing valuation difference between companies that could terminate their AI dependency and those that cannot.

Europe has only limited control over the pace of its own models. The decision whether the dependency of the transition phase is controlled or uncontrolled, however, lies entirely with companies themselves. That is where the discussion should begin.

In our own case: how Jadey handles the transition phase

The following section is a separate product note and not part of the insight itself. The insight documents theses and source positions; this section describes the consequence we draw at Jadey.

We have translated the third position described in the insight into an operating principle: Sovereignty by Default. Frontier by Choice.

Sovereignty by Default means: the default state is sovereign, not the exception. We follow the sovereignty concept used in this insight: no autarky, no question of model origin, but the ability to decide at any time, with reasons, which data may reach which system, and to change provider without operations collapsing. That ability is resilient only when it does not require continuous effort. Sovereignty that has to be actively chosen each time in daily operations erodes; under time pressure, the easiest path wins. We therefore reverse the burden of proof. Regular operation runs by default on digitally sovereign models in own or European infrastructure; operational control is the starting state, case knowledge and audit logs remain as operational IP with the customer; every deviation from the default is an explicit, documented decision. The five criteria of controlled dependency from the insight, data classification, model agnosticism, exit paths, operational control and supervision capability, are therefore not a checklist that a company has to satisfy afterwards, but the state in which the system starts.

Frontier by Choice means: the frontier is not the foundation everything rests on, but a choice the customer makes per use case, data class, cost profile and governance requirement, inside its own operating frame. It is chosen where the performance difference determines the result; in practice, this concentrates on the most demanding work, opening up, shaping and transferring operational responsibility spaces into agentic execution, complex reasoning and demanding exception handling. Model routing implements the principle technically: sovereign models wherever they are sufficient; frontier models only where the customer has approved them, bound to contracts, keys, data classes and review rules, and therefore revocable at any time.

That principle is what makes the third position of the insight operable, and it is especially valuable during the transition phase. As long as sovereign models have not yet reached frontier level, the share of tasks that truly require frontier capabilities is real, but shrinking. With every advance in open and European models, workloads move through routing decisions onto the sovereign default: without reengineering, without a migration project, during live operations. The transition phase is therefore built into the architecture rather than imposed on it. We are convinced that this path allows European companies to work with digital sovereignty without building a capability disadvantage against competitors in the United States and China. Full frontier dependency sacrifices sovereignty, full frontier abstention sacrifices competitiveness. Sovereignty by Default, Frontier by Choice does not have to sacrifice either.

Concrete information on the technical implementation is available under Governance and Trust & Security.

Source review for this version

For this version, the central statements were checked against primary sources, official publications or established analyses. The sources do different things and are therefore used separately: measurements and analyses (Stanford AI Index, Epoch AI) carry the empirical basis on the model and investment landscape; official and institutional publications (European Commission, Draghi report, Senate hearing, supervisory decisions, legal texts) carry the legal and political classification; the EuroStack publications by the Bertelsmann Stiftung are used as a conceptual and industrial-policy contribution, not as neutral statistics. Press reports are used only to document public events, not as standalone evidence. The description of the export-control episode in June 2026 relies on public statements by the affected provider and on independent reporting; documented events (order, global shutdown, staged release, lifting) and undocumented interpretations (targeted pressure on Europe) are explicitly kept separate in the text. Legal statements on US jurisdiction, Section 702 and transatlantic data access are framed as risk classification, not as a guarantee for every individual case.

Literature and sources

Al Jazeera (2026): US Orders Anthropic to Disable AI Models for All Foreign Nationals. June 13, 2026. Online: aljazeera.com (accessed July 3, 2026).

Anthropic (2026a): Statement on the US Government Directive to Suspend Access to Fable 5 and Mythos 5. June 2026. Online: anthropic.com (accessed July 3, 2026).

Anthropic (2026b): Redeploying Claude Fable 5. July 2026. Online: anthropic.com (accessed July 3, 2026).

Bertelsmann Stiftung (2025): EuroStack: Sicherstellung der digitalen Souveränität Europas. Policy Brief, April 2025. Online: bertelsmann-stiftung.de (accessed July 3, 2026).

Brennan Center (2026): Section 702 of the Foreign Intelligence Surveillance Act (FISA): 2026 Resource Page. Online: brennancenter.org (accessed July 3, 2026).

Bria, F., Timmers, P. and Gernone, F. (2025): EuroStack - A European Alternative for Digital Sovereignty. Gütersloh: Bertelsmann Stiftung. Online: bertelsmann-stiftung.de (accessed July 3, 2026).

Cottier, B., You, J., Martemianova, N. and Owen, D. (2024): How Far Behind Are Open Models? Epoch AI. Online: epoch.ai/blog/open-models-report (accessed July 3, 2026).

Cyberspace Administration of China (2023): Interim Measures for the Management of Generative Artificial Intelligence Services. In force since August 15, 2023.

Draghi, M. (2024): The Future of European Competitiveness. Report to the European Commission, September 2024. Online: commission.europa.eu (accessed July 3, 2026).

Edwards, J. and Emberson, L. (2026): Open Models Lag State-of-the-Art Closed Models by 4 Months. Epoch AI, Data Insight. Online: epoch.ai/data-insights/open-closed-eci-gap (accessed July 3, 2026).

Euronews (2025): DeepSeek in Italien gesperrt, Datenschutzbeauftragter leitet Verfahren gegen chinesische KI-App ein. January 31, 2025. Online: de.euronews.com (accessed July 3, 2026).

Euronews (2026): US Lifts Export Controls on Powerful AI Models, Anthropic Says. July 1, 2026. Online: euronews.com (accessed July 3, 2026).

European Commission (2021): Strategic Dependencies and Capacities. Commission Staff Working Document SWD(2021) 352 final.

European Commission (2026a): AI Gigafactories. Online: commission.europa.eu (accessed July 3, 2026).

European Commission (2026b): AI Factories. Online: digital-strategy.ec.europa.eu (accessed July 3, 2026).

European Commission (2026c): European Approach to Artificial Intelligence (AI Continent Action Plan, Cloud and AI Development Act, Apply AI Strategy). Online: digital-strategy.ec.europa.eu (accessed July 3, 2026).

Floridi, L. (2020): The Fight for Digital Sovereignty: What It Is, and Why It Matters, Especially for the EU. Philosophy & Technology, 33, 369-378. DOI: 10.1007/s13347-020-00423-6.

Forbes (2026): OpenAI Rolls Out Powerful New GPT-5.6 Models - But Limits Users After Government Request. June 26, 2026. Online: forbes.com (accessed July 3, 2026).

Garante per la protezione dei dati personali (2025): Intelligenza artificiale: il Garante privacy blocca DeepSeek. Press release of January 30, 2025. Online: garanteprivacy.it (accessed July 3, 2026).

heise online (2025): Keine Garantien: Microsoft muss EU-Daten an USA übermitteln. July 21, 2025. Online: heise.de (accessed July 3, 2026).

National People's Congress of the People's Republic of China (2017): National Intelligence Law of the People's Republic of China (国家情报法), Article 7. In force since June 28, 2017.

Pohle, J. and Thiel, T. (2020): Digital Sovereignty. Internet Policy Review, 9(4). DOI: 10.14763/2020.4.1532.

Reuters (2026): OpenAI defers public rollout of GPT-5.6 as US seeks early access to frontier AI models. June 26, 2026. Online: reuters.com (accessed July 3, 2026).

Sénat (2025): Audition de représentants de Microsoft France devant la commission d'enquête sur la commande publique. Hearing of June 10, 2025. Online: senat.fr (accessed July 3, 2026).

Stanford HAI (2026): Artificial Intelligence Index Report 2026. Stanford Institute for Human-Centered Artificial Intelligence. Online: hai.stanford.edu/ai-index/2026-ai-index-report (accessed July 3, 2026).

U.S. Congress (2018): Clarifying Lawful Overseas Use of Data Act (CLOUD Act), H.R. 4943. In force since March 23, 2018.

U.S. Department of Justice (2019): Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act. White Paper. Online: justice.gov (accessed July 3, 2026).