Data sovereignty in 2026: why on-prem and isolated AI moved from preference to plan

The EU AI Act clock, a rewritten KVKK transfer regime and the CLOUD Act gap have turned “where your AI runs” into a legal question, not just an architectural one.

For a long time, “where does the AI run” was an engineering detail. In 2026 it is a compliance question with dates attached.

The regulatory clock is real

The EU AI Act entered into force on 1 August 2024 and applies in phases: prohibited practices since 2 February 2025, general-purpose-AI obligations since 2 August 2025, and most high-risk obligations from 2 August 2026. Whatever you deploy now will live inside that timeline.

In Türkiye, KVKK Article 9 was rewritten by Law No. 7499 and took effect on 1 June 2024. The old “just get explicit consent” route for cross-border transfers closed on 1 September 2024 and was replaced by a three-tier regime — an adequacy decision, appropriate safeguards (standard contractual clauses, binding corporate rules, or an undertaking), or narrow exceptions — with the implementing regulation in force since 10 July 2024 and a five-business-day duty to notify the Authority after signing.

Why in-country is the path of least resistance

Here is the practical part: as of 2026 the KVKK Board has issued no adequacy decisions for any country. There is no “safe list”. So almost every cross-border transfer of Turkish personal data has to ride on a standard contract or another safeguard — paperwork, notification and ongoing risk. Keeping the data in-country, processed on infrastructure you control, removes that surface entirely.

GDPR works differently — it does not require you to store personal data inside the EU; it governs how data leaves the EEA through adequacy or safeguards. But the direction is the same: the cleaner your data-flow story, the less you have to defend.

The gap a contract cannot close

There is also the part no clause fixes. Under the US CLOUD Act and FISA Section 702, a US-owned provider can face lawful requests for data even when it sits in an “EU region” — a point Microsoft conceded under oath to the French Senate in June 2025. A foreign-owned cloud’s “sovereign” label reduces exposure; it does not remove the legal vector. On-prem and isolated deployment does.

Say what you mean by “isolated”

One honesty note. “Isolated” usually means a segregated network with controlled egress; “air-gapped” means no route off the box at all. They are different risk profiles, and conflating them is a credibility error. Be precise about which one you are buying.

Arpanet is built so the answer can be “inside your perimeter”: on-prem, fully isolated, or in the cloud — your call. The platform is engineered for the KVKK from the first line of code, and sovereignty is a setting, not an upsell.