INDUSTRY
Sovereign AI for regulated industries: when on-prem stops being optional
Finance, healthcare and the public sector increasingly face hard data-residency rules. Here is how on-prem and isolated AI maps to DORA, KVKK, banking localisation and the EU AI Act.
In regulated sectors, “where the AI runs” is rarely a preference. It is written into supervision.
Finance: residency by regulation
In the EU, DORA — the Digital Operational Resilience Act — has applied since 17 January 2025, with strict ICT third-party risk management and a register of providers; Dutch supervisors DNB and AFM have flagged concentration risk from leaning on a few non-EU IT providers. In Türkiye, banking rules go further — the BDDK requires banks to keep primary systems and original data inside the country, now layered with national duties under the 2025 Cybersecurity Law. For a bank, “send the data to someone else’s cloud” is often simply not allowed.
Healthcare and the public sector
Health data is moving the same way: the European Health Data Space regulation entered into force on 26 March 2025, putting secondary use of patient data behind permit regimes run by national health data access bodies, with processing confined to secure environments. Public-sector procurement, too, is tilting toward sovereign and on-prem options. The common thread is that the data is too sensitive, or too regulated, to leave the building.
The AI Act sits on top
Over all of this runs the EU AI Act, whose obligations for high-risk systems apply from 2 August 2026 and bring duties around data governance, record-keeping and traceability. A controlled, on-prem deployment makes those duties easier to audit, because the whole data flow sits inside one boundary you can inspect; you still have to log it, but at least every hop is yours to instrument.
Be honest about the cost
On-prem is the safe default here, but it is not free. Running models yourself means real compute, the full local retrieval-and-inference stack, and the operational discipline of patching systems that don’t phone home: isolated hosts get no automatic updates, so model and dependency upgrades become a manual, auditable process you own. The point is not that on-prem is cheap; it is that for regulated workloads it is often the only option that passes review.
For regulated workloads, sovereignty isn’t a feature you add at the end — it’s the shape of the architecture.
Arpanet is built for that shape: our own models, our own gateway, and deployment on-prem, isolated or in the cloud — engineered for the KVKK and the GDPR by design, so the compliance story is the architecture, not a bolt-on.