GDPR for US SaaS in 2026: What Actually Changed
Picture a US SaaS team in 2026. Series B, twelve engineers, an AI feature that summarises customer documents, EU customers worth roughly a third of ARR. A large German enterprise prospect is in the final round of an RFP. The procurement team sends a four-page security questionnaire. Question 17: “Describe how your processing of our personal data is insulated from access by US authorities, including under the CLOUD Act, FISA Section 702, and Executive Order 12333. Reference the specific legal entity in possession of the data and its jurisdiction.”
The team’s GDPR posture was put together in 2022. The DPA is generic. The infrastructure is AWS us-east-1 with an EU customer-data region in eu-central-1. The AI feature calls OpenAI’s API directly. The legal answer was “DPF + SCCs + supplementary measures.” It worked when nobody asked.
By 2026, somebody is asking. The list of what actually changed since 2022 is longer than most teams realise, and the changes do not generally make the old answer hold up better. This post is the audit.
Why 2026 is a different year for GDPR-AI compliance
Four shifts have stacked up since the standard “DPF plus SCCs” playbook was written:
- The EU-US Data Privacy Framework has survived its first court challenge but is under appeal at the CJEU. The legal foundation is no longer “settled”; it is “currently in force pending review.”
- The EU AI Act stacked a second regulatory regime on top of GDPR for any AI feature that touches EU users. It uses a different vocabulary (provider vs. deployer, high-risk vs. limited-risk), it has its own penalties, and as of the May 2026 political agreement, it has a revised timeline.
- European data protection authorities, particularly the Italian Garante and the French CNIL, have produced concrete enforcement actions and guidance against US AI vendors. The risk is no longer abstract.
- Sovereign cloud options have actually arrived in 2025-2026, changing the architectural conversation from “we have no choice” to “we chose this.”
Each of these is doing real work in EU procurement reviews right now. Let me take them in turn.
What actually changed (the six things that matter)
1. The DPF is in force, but under appeal at the CJEU
The European Commission adopted the EU-US Data Privacy Framework adequacy decision in July 2023, replacing the Privacy Shield invalidated in Schrems II (Case C-311/18, judgment of 16 July 2020).
On 3 September 2025, the EU General Court dismissed the challenge brought by French MP Philippe Latombe, upholding the adequacy decision. Latombe filed an appeal at the CJEU on 31 October 2025, and that appeal remains pending as of May 2026.
What this means for US SaaS: the DPF is the legal basis for transfers to certified US recipients. It is currently valid. It may not be valid in 2027 or 2028. Safe Harbor lasted fifteen years. Privacy Shield lasted four. A working assumption that the third framework holds longer than the second is just an assumption. Every architecture decision in 2026 should have an answer to “what do we do if the DPF is invalidated.”
2. The EU AI Act is now stacked on top of GDPR
Regulation (EU) 2024/1689 entered into force on 1 August 2024. The relevant dates for US SaaS:
- 2 February 2025: prohibited practices under Article 5 banned. Includes social scoring, manipulative subliminal techniques, untargeted facial-recognition scraping, emotion recognition in workplaces and schools. If any US SaaS product sold into the EU still does these, stop now.
- 2 August 2025: obligations on providers of general-purpose AI models take effect. If you use foundation models in your product, you are a deployer with obligations.
- 2 August 2026: transparency obligations under Article 50 apply. Chatbots must disclose they are AI. Synthetic content must carry machine-readable marking. Deepfakes must be disclosed.
- 2 December 2027: this is the new headline date. On 7 May 2026, the Council and Parliament reached political agreement on the Digital Omnibus on AI, deferring the high-risk obligations under Annex III from 2 August 2026 to 2 December 2027. Annex III covers AI in employment, education, essential services (including credit scoring and insurance), law enforcement, migration, and access to critical infrastructure.
The deferral is a planning gift, not a free pass. The Article 50 transparency rules apply in August 2026 regardless. Buyers are asking about AI Act readiness now. And procurement timelines for late-2027 contracts are being written in late 2026.
Penalties under Article 99: up to €35 million or 7% of worldwide annual turnover for prohibited-practice violations; €15 million or 3% for most provider and deployer breaches; €7.5 million or 1% for supplying misleading information. SMEs get the lower of the two figures rather than the higher.
3. DPAs have started enforcing on US AI vendors
The Italian Garante fined OpenAI €15 million on 20 December 2024 for using personal data to train ChatGPT without an adequate legal basis. A Rome administrative court annulled that fine on 19 March 2026. The court has not yet published its reasoning.
The annulment is real but does not undo the precedent of enforcement. More importantly, it is not the only one. In May 2025, the Garante fined Luka Inc., the US developer of the Replika chatbot, €5 million for operating without a legitimate legal basis for processing user data and failing to implement age verification. That fine stands.
The EDPB’s Opinion 28/2024 on AI models, published 18 December 2024, clarified the conditions under which legitimate interest can support AI training and the implications of training on unlawfully processed data. It is the closest thing to a Europe-wide standard on AI-and-GDPR that exists right now, and DPAs are using it.
The French CNIL has published a series of practical recommendations for AI systems covering legal basis, information of data subjects, exercise of rights, anonymity of models, and security. The most recent updates landed in July 2025 and form the working playbook for any EU-facing AI deployment.
For US SaaS, the practical takeaway: enforcement risk against US AI vendors is no longer hypothetical, the EDPB framework gives DPAs a shared reference, and the CNIL playbook is what EU procurement teams cite when they push back on your security questionnaire.
4. The CLOUD Act has not changed, but it now matters more
The CLOUD Act of 2018, codified at 18 U.S.C. § 2713, requires US-headquartered electronic communication and remote computing service providers to disclose data in their “possession, custody, or control” regardless of where the data is physically stored. The narrow exception that lets a provider move to quash on grounds of foreign-law conflict only applies where the target is a non-US person located outside the US and the conflict is with a “qualifying foreign government.”
For US SaaS holding EU customer data: in practice, your US infrastructure provider can be compelled to produce data, even if the data sits in Frankfurt. Encryption with provider-managed keys does not change this. The 2018 statute is the same; the difference in 2026 is that EU procurement teams are now writing CLOUD Act questions directly into security questionnaires.
5. Sovereign cloud has shipped
AWS launched the European Sovereign Cloud on 15 January 2026, with the first region in Brandenburg, Germany. The ESC runs through four newly incorporated German GmbHs with EU-resident personnel and a separation from the commercial AWS regions. Roughly 90 services at launch versus 240+ in commercial EU regions, with notable gaps (CloudFront, GPU instances, most Bedrock models).
The hard caveat: all four German GmbHs are 100% subsidiaries of Amazon.com Inc., the Seattle-headquartered parent. The CLOUD Act question is whether US courts can compel the parent to produce data held by foreign subsidiaries under the “possession, custody, or control” standard. AWS’s contractual commitments (no non-EU personnel access, government-request redirection to the customer) narrow operational risk meaningfully but do not extinguish legal exposure to a determined US warrant against the parent.
Microsoft completed the EU Data Boundary on 26 February 2025, the third phase covering professional services data used in technical support. The Data Boundary covers Microsoft 365, Dynamics 365, Power Platform, and most Azure services. Same structural caveat as AWS: Microsoft Corp. is the parent, and the EU Data Boundary is a data-residency control, not a jurisdictional change.
Net effect: in 2026, “we use a US hyperscaler’s EU region” and “we use a US hyperscaler’s sovereign offering” are real and meaningful improvements over commercial US regions, but neither is the same answer as “we use an EU-headquartered provider with no US parent.” Buyers know the difference. Your security questionnaire response should as well.
6. EU buyers ask different questions than they did in 2022
The cumulative effect of points 1-5 is that the procurement conversation has changed. In 2022, the typical question was “are you GDPR-compliant?” and a generic DPA satisfied it. In 2026, the typical questions are:
- “Name the legal entity that contracts with us and the entity that ultimately controls the infrastructure.”
- “What happens to our data if the DPF is invalidated? What is your transition plan?”
- “Are any of your AI features in scope for Annex III of the EU AI Act, and what is your conformity posture?”
- “If a US authority issues a warrant under the CLOUD Act, what is your operational response? Have you tested it?”
- “Who are your sub-processors for AI inference? What is their jurisdiction?”
The pattern: more specific, more entity-aware, more focused on what happens in the bad case. Vague answers lose deals. Specific honest answers, even when they admit residual risk, do not.
The three architectural patterns US SaaS uses in 2026
Map your current setup to one of these. Most US SaaS shops are in the first or a hybrid of the first two.
Pattern A: US-hosted everything, EU customers served through the same stack.
Your application sits on AWS us-east-1 or equivalent. EU customer data lives in eu-central-1 or eu-west-1, same hyperscaler. The AI feature calls OpenAI, Anthropic, or another US-hosted API directly. The legal answer is DPF + SCCs + a generic DPA.
2026 verdict: defensible today for non-sensitive personal data and acceptable categories. Increasingly hard to defend in RFPs from regulated EU industries (finance, healthcare, legal, public sector). Exposed to DPF invalidation risk. Exposed to CLOUD Act regardless of region selection.
Pattern B: Hyperscaler EU region, possibly with sovereign-cloud or EU Data Boundary additions.
You moved EU customer data to AWS European Sovereign Cloud or Azure with the EU Data Boundary turned on. You may still call US AI APIs for the inference layer.
2026 verdict: materially better operational posture. Most procurement teams will accept this for non-sensitive personal data and many will accept it for sensitive data with additional controls. CLOUD Act exposure shrinks but does not disappear because of the US parent. If the AI inference path still goes through a US API, that becomes the weak link.
Pattern C: EU-resident sovereign stack, no US parent in the chain.
Application, data, and AI inference all run on European infrastructure operated by an EU-headquartered legal entity with no US parent. Typical providers: Hetzner, IONOS, OVHcloud, Open Telekom Cloud, Scaleway. AI models are open-source (Mistral, Llama, Qwen) hosted on EU GPU infrastructure or accessed through EU-resident inference providers.
2026 verdict: cleanest answer to the CLOUD Act question and the only one that is genuinely robust to a future DPF invalidation. Cost is comparable for steady-state AI workloads above moderate volume, sometimes lower. Operational complexity is higher than turning a key on a hyperscaler. The selling point in RFPs is that the question stops being “how do you mitigate US exposure” and starts being “describe your EU operational maturity.”
Most US SaaS does not need to be fully Pattern C. The defensible mid-2020s posture is: keep the application stack where it is, move the AI processing layer (the part that handles sensitive personal data, runs inference on EU-customer prompts, and falls within Annex III) to a Pattern C arrangement. Bound the work, isolate the exposure.
A six-step audit checklist for this quarter
This is the order I use with US SaaS clients. It is deliberately short. None of the steps require new fundraising.
- List every AI feature in your product. Include features built on third-party APIs and features your CRM or analytics vendor injected for you. For each, document the data inputs, the legal entity processing them, the geographic path of the data, and whether outputs are stored.
- Classify each feature against Annex III of the EU AI Act. Most consumer-facing SaaS will not hit Annex III. HR-tech, fintech, edtech, legal-tech, and anything touching essential services likely will. Document which features are in scope and which are not. The presumption of high-risk for Annex III matches places the burden on you to write down why a system that looks Annex-III-ish is not in fact high-risk under Article 6(3).
- Audit the DPA on every sub-processor in your AI chain. Inference provider, model hoster, vector database, observability tooling. For each, confirm: legal entity, jurisdiction, sub-processor cascade, DPF certification status, data retention policy. Update your sub-processor list. EU procurement teams now read this list line by line.
- Run a DPIA on every customer-facing AI feature that touches personal data. If you are a deployer of a high-risk AI system under the AI Act, also run a Fundamental Rights Impact Assessment under Article 27. The two assessments share evidence; build them as one workflow.
- Decide your DPF-failure plan. Write down the steps you would take if the CJEU invalidates the DPF. How long would the migration take? What contracts would need amending? Which sub-processors would change? Keep this document where your CISO and General Counsel can find it. Procurement teams have started asking for it.
- Update your security questionnaire response library. Pre-write the answers to the six questions in the buyer-conversation section above. Specifics, entities named, mitigations honest. Distribute internally so sales and CS engineering give the same answer.
The whole exercise is two to four engineering-and-legal weeks for a Series B shop. The output is defensible RFP responses and a documented posture you can hand to a third-party assessor.
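Added illustration, not code from the post: the feature inventory, sub-processor audit and pattern mapping from the checklist above can be encoded so that every AI feature is checked the same way. The Pattern A/B/C rules, the CLOUD Act and DPF flags, and the DPIA/FRIA checks follow the post's own criteria; the inventory at the bottom is constructed for the intro scenario, with placeholder processor names rather than real vendors.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Processor:
    name: str
    role: str                  # "hosting", "inference", "vector_db", "observability"
    jurisdiction: str          # country of the contracting legal entity
    parent_jurisdiction: str   # country of the ultimate parent (same value if none)
    data_region: str           # "EU" or "US": where this processor handles the data
    dpf_certified: bool = False

@dataclass(frozen=True)
class AIFeature:
    name: str
    chain: tuple               # Processor objects, in data-path order
    annex_iii: bool            # falls in an Annex III area (employment, credit, ...)
    personal_data: bool = True
    dpia_done: bool = False
    fria_done: bool = False

def us_controlled(p: Processor) -> bool:
    # "possession, custody, or control" reaches a US parent's EU subsidiaries too
    return "US" in (p.jurisdiction, p.parent_jurisdiction)

def classify_pattern(chain: tuple) -> str:
    if not any(us_controlled(p) for p in chain):
        return "C"  # EU-resident stack, no US parent anywhere in the chain
    hosting = [p for p in chain if p.role == "hosting"]
    if hosting and all(p.data_region == "EU" for p in hosting):
        return "B"  # US hyperscaler, but application and data stay in an EU region
    return "A"      # application tier processes EU data on US infrastructure

def audit(f: AIFeature) -> list[str]:
    # Findings an EU procurement reviewer would raise for one feature
    pattern = classify_pattern(f.chain)
    findings = [f"pattern {pattern}"]
    for p in f.chain:
        if us_controlled(p):
            findings.append(f"{p.name}: CLOUD Act exposure via {p.parent_jurisdiction} parent")
        if p.data_region == "US":
            basis = "DPF, needs invalidation fallback" if p.dpf_certified else "SCCs only"
            findings.append(f"{p.name}: EU-to-US transfer on {basis}")
            if pattern == "B" and p.role == "inference":
                findings.append(f"{p.name}: US inference API is the weak link")
    if f.personal_data and not f.dpia_done:
        findings.append("no DPIA on a feature that touches personal data")
    if f.annex_iii and not f.fria_done:
        findings.append("Annex III feature without an Article 27 FRIA")
    return findings

# Constructed inventory for the intro scenario: app tier in us-east-1, EU region for
# storage, direct call to a US-hosted inference API, flagged as an Annex III HR use.
SUMMARISER = AIFeature("document summariser", annex_iii=True, dpia_done=True, chain=(
    Processor("us-hyperscaler", "hosting", "US", "US", "US"),
    Processor("us-inference-api", "inference", "US", "US", "US", dpf_certified=True)))
```

Running `audit(SUMMARISER)` yields the Pattern A verdict, two CLOUD Act exposures, the DPF dependency on the inference path and the missing FRIA, which is the list a Question 17 answer has to address.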
What to put in your next EU enterprise RFP response
The pattern that wins in 2026 EU procurement: name the entities, name the controls, name the residual risk, and name the mitigation. A workable paragraph looks like this:
Customer personal data processed by the [Service Name] AI feature is handled by [EU subsidiary legal entity, jurisdiction], operating on infrastructure provided by [EU-headquartered or sovereign-cloud provider, jurisdiction]. The model inference layer runs on open-source models hosted within the EU and does not transmit prompts or completions to non-EU sub-processors. Where US-hosted services are involved in supporting parts of the platform, transfers occur under [DPF / SCCs / supplementary measures], and we maintain a documented transition plan in the event of adequacy decision invalidation. Sub-processors are listed in [link]. A DPA aligned with the EU SCCs is available under [link], including the AI Act provider/deployer split for the AI features in scope.
The shape matters more than the specifics. Three entities named, the data path traced, the residual risk acknowledged, the mitigation specific. Buyers tune out marketing language and tune in to the kind of paragraph that they can paste into an internal compliance memo.
The bottom line
The 2022 GDPR posture for US SaaS was: keep DPF certified, sign SCCs, generic DPA, do not think about it again. The 2026 posture is: know which entity holds the data at each step, know which features are in scope for Annex III, isolate the AI processing layer to an EU-resident provider where it is defensible to do so, and write down what you would do if the DPF falls.
None of these changes are catastrophic. All of them are work. The companies that quietly do the work in 2026 are the ones that will not be unwinding bad architecture in 2027 when an EU procurement team starts asking for specifics.
If you are doing this audit and want a second set of eyes, particularly on the AI processing layer where Pattern C migration is the typical sticking point, get in touch. For the broader regulatory background, see our EU AI Act guide for US companies and the GDPR-compliant AI guide.
Sources
- Regulation (EU) 2024/1689 (EU AI Act, official text)
- EU AI Act Article 27 (FRIA), Article 50 (transparency), Article 99 (penalties)
- GDPR Article 83 administrative fines
- CJEU Schrems II (Case C-311/18, 16 July 2020)
- European Commission EU-US Data Privacy Framework adequacy decision (10 July 2023)
- General Court Latombe judgment (3 September 2025) — IAPP summary
- Latombe appeal at CJEU (31 October 2025) — WilmerHale summary
- EDPB Opinion 28/2024 on AI models (18 December 2024)
- Garante OpenAI €15M fine decision (20 December 2024)
- Reuters: Rome court annuls Garante OpenAI fine (19 March 2026)
- EDPB: Garante fines Luka Inc. / Replika €5M (May 2025)
- CNIL AI recommendations
- AWS European Sovereign Cloud launch (15 January 2026)
- AWS ESC sovereignty assessment — EU Cloud Patterns
- Microsoft EU Data Boundary completion (26 February 2025)
- Digital Omnibus AI Act political agreement (7 May 2026)
- CLOUD Act (H.R. 4943, 2018), 18 U.S.C. § 2713