The concentration is the exposure.
More than 85 percent of the world's AI compute capacity is controlled by U.S. hyperscalers. For a consumer app, that is a procurement detail. For a bank, an insurer, a hospital group, or a public administration, it is something else: the physical substrate of their most consequential systems sits inside corporate and legal structures that answer to a foreign jurisdiction first.
The exposure is not hypothetical. The U.S. CLOUD Act reaches data held by U.S. providers regardless of where the server stands. “EU regions” and sovereign-cloud marketing soften the optics, but the controlling entity, the escalation path, and the ultimate legal obligation remain outside European control. Regulators have noticed: FINMA's outsourcing circulars, the EBA guidelines on outsourcing arrangements, and DORA all converge on the same questions — who actually controls the infrastructure, and what happens under stress?
Renting fails at exactly the wrong moments.
The rental model has three failure modes, and all of them activate in moments of scarcity or conflict:
- Allocation risk. When compute is scarce — and frontier-scale GPU capacity is structurally scarce — rented capacity is allocated by the provider's priorities, not the tenant's obligations. No European institution is at the front of that queue.
- Jurisdictional conflict. A workload that cannot legally travel does not care how good the SLA is. If the legal regime of the operator conflicts with the legal regime of the data, the institution — not the provider — carries the regulatory consequence.
- Pricing power. A tenant who cannot credibly leave pays what the market's most concentrated layer decides. Compute rent is set by five companies; everything downstream is a price-taker.
Data sovereignty is not a slogan. It is the question of who controls the physical layer when interests diverge.
What sovereign-aligned actually means.
Sovereignty in AI infrastructure is not about painting a flag on a data centre. It is a stack of controls, from the bottom up: land and power held under a jurisdiction the tenant's regulator recognises; an operator whose governance, courts, and insolvency regime sit in that same jurisdiction; contracts — long-tenor, triple-net — that give the tenant durable, enforceable control over capacity; and only then the familiar upper layers of certification and encryption.
Most “sovereign cloud” offerings start at the top of that stack and never reach the bottom. The building, the power contracts, and the operating entity remain where they always were.
The neutral-ground position.
This is the gap Castellan is built to close: sovereign-grade AI campuses developed and operated by a Swiss company under Swiss and European jurisdiction, leased to demanding tenants on triple-net terms, with the scarcest input — interconnected power — secured before the first tenant conversation. Switzerland's neutrality is not decoration here; it is a governance feature for institutions whose regulators ask hard questions about control.
European institutions will keep renting some compute — elasticity has real value. But the base load of regulated, strategic AI belongs on infrastructure whose physical and legal layers answer to the same rules the institution does. That is not nostalgia for on-premise. It is the same logic institutions already apply to custody, clearing, and critical facilities — arriving, at last, at the compute layer.