12 min read · 22 Jun 2026

ChatGPT Enterprise vs Microsoft 365 Copilot vs Custom RAG: Which Should a DACH Company Buy?

Short version for a company in Austria, Germany, or Switzerland: buy Microsoft 365 Copilot if you already live in Microsoft 365 and the value is in your Exchange, SharePoint, and Teams data. Buy ChatGPT Enterprise if you want the strongest general assistant and your data is spread across many tools, not just Microsoft. Build a custom RAG system only when you need control none of them give you: residency on your terms, permission-aware retrieval over a proprietary corpus, or model portability, and you have the engineering to maintain it. None of the three is "GDPR compliant" on its own. You stay the controller, and the contract, not the marketing page, decides whether you are covered.

This is a procurement and engineering view, not a vendor pitch. We build and roll out all three for clients, so the comparison below is about fit and trade-offs, not about which logo we like. Prices and data terms are current as of mid-2026 and move often; verify the linked vendor pages before you sign.

Want a neutral read on which of these fits your company?

Book Free Consultation

The comparison at a glance

The dimensions that actually decide this, side by side. Treat every figure as mid-2026 and re-check it.

Dimension	ChatGPT Enterprise	Microsoft 365 Copilot	Custom RAG
Pricing	Negotiated, no public list price	30 USD per seat per month (Enterprise add-on, annual); Business tier lower with a 300-seat cap; Copilot Chat free with eligible M365	No per-seat fee; build and run cost instead
Prerequisites	None, it is standalone	A qualifying Microsoft 365 base license, plus Graph, Exchange, and OneDrive	An engineering team and cloud infrastructure
Trains on your data by default	No	No	No, you control it
What it is grounded in	General knowledge plus opt-in connectors	Your Microsoft 365 data, permission-trimmed	Your own corpus, any source
EU data residency	Europe region (at rest since Feb 2025, in-region inference since Jan 2026); "Europe" granularity	EU Data Boundary (EU and EFTA, including Switzerland); in-country processing rolling out 2026	Whatever you build (Azure EU Data Zone, AWS EU, or self-host)
Governance and admin	SSO, SCIM, IP allowlists, connector gating, compliance logs	Purview, DLP, sensitivity labels, restricted SharePoint search	Whatever you build
Lock-in	Medium	High (Microsoft ecosystem)	Low (model-portable)
Time to value	Days to weeks	Fast if your M365 is mature	Weeks to months

One caveat that matters for a DACH audience and is easy to miss: Microsoft now uses some Anthropic models inside Copilot, and those are out of scope for the EU Data Boundary and in-country processing commitments. If a strict data-location story is the reason you chose Copilot, confirm which features route to which models.

ChatGPT Enterprise

The strongest general-purpose assistant of the three, and the most flexible about where your data lives across tools. OpenAI does not train on business data by default, you own your inputs and outputs, and retention is admin-controlled. It carries SOC 2 Type 2, ISO 27001, a data processing agreement for GDPR, and a BAA for health data. EU data residency arrived for storage at rest in February 2025 and expanded to in-region inference in Europe in January 2026, though the granularity is "Europe," not a named Austrian or Swiss data center. The honest gap: OpenAI does not publish ChatGPT Enterprise pricing. The figures you will see quoted around 60 dollars per seat with a 150-seat minimum are third-party estimates, not official, so treat them as a starting point for a sales conversation rather than a fact.

Microsoft 365 Copilot

If your work already happens in Microsoft 365, this is the path of least resistance, because the value is grounding answers in your own Exchange, SharePoint, and Teams data, trimmed to what each user is already allowed to see. The Enterprise add-on is 30 dollars per user per month paid yearly and requires a qualifying base license such as E3 or E5; the Business tier is cheaper but capped at 300 users; and Copilot Chat is included at no extra cost with eligible subscriptions. Prompts, responses, and the data Copilot reaches through Microsoft Graph are not used to train foundation models and stay within the Microsoft 365 service boundary, which runs on Azure OpenAI rather than the public ChatGPT service. The real risk here is not the model, it is oversharing: Copilot will happily surface anything a user technically has access to, so if your SharePoint permissions are a mess, Copilot makes that visible fast. Clean up permissions and sensitivity labels before rollout, not after.

Custom RAG

Building your own retrieval system is the right call when none of the products give you the control you need: full residency on your terms, permission-aware retrieval over a corpus that is not in Microsoft 365, or the freedom to swap models and avoid lock-in. It is also the most work. As a rough guide from real projects, a proof of concept lands somewhere around 6,000 to 25,000 euros, a production MVP around 17,000 to 80,000, and a self-hosted enterprise setup with SSO and compliance from 80,000 upward; treat these as directional, not quotes. The cost driver is almost never the model. It is data cleaning, access control, and integration, which routinely eat 30 to 50 percent of the budget. The single hardest part is permissions: enforce them at the retrieval layer with metadata filters before the search runs, not bolted on in the app afterwards. We go deep on that in our RAG production-readiness checklist for the EU.

There is also a middle ground worth naming: tools like Microsoft Copilot Studio and Azure AI Foundry, or OpenAI's agent tooling, let you customize and ground a managed product without building retrieval from scratch. That is often the pragmatic answer when "buy" is too rigid and "build" is too much.

How to choose

Pick by the constraint that actually binds you, not by which demo was shiniest.

Choose Microsoft 365 Copilot when you are already on M365 E3 or E5, the value is grounding in Exchange, SharePoint, and Teams, and EU Data Boundary plus Purview governance covers your data-protection bar. Accept the Multi-Geo, web-query, and Anthropic-model exclusions, and clean your permissions first.
Choose ChatGPT Enterprise when you want the strongest general assistant and frontier models, your data lives across many SaaS tools rather than just Microsoft, and "Europe region" residency plus a signed DPA satisfies your requirements.
Build custom RAG when you need residency or sovereignty on your own terms, permission-aware retrieval over a proprietary corpus, or model portability, and you have or will hire the engineering and MLOps to carry the maintenance.
Start smaller than you think. For most teams the right first move is Copilot or ChatGPT Enterprise plus a focused enablement push, and a custom build only once a specific high-volume workflow clearly justifies it. We describe that order in how to roll out AI internally in 2026.

"None of these tools is GDPR compliant by itself. You are the controller. The product gives you the building blocks, a DPA, a data boundary, admin controls, and your job is to assemble them into something defensible. The buying decision is the easy half."

The DACH data-protection part you cannot skip

Whichever you pick, you remain the data controller, and that means a few things are not optional. You need a lawful basis under Article 6, a signed data processing agreement under Article 28 (an AVV) before any personal data flows, a valid transfer mechanism, and a data protection impact assessment for higher-risk uses. The EU-US Data Privacy Framework has provided adequacy since 2023, but a challenge is working through the EU courts, so treat it as provisional and keep standard contractual clauses as a fallback. Switzerland needs a framework-certified recipient, SCCs, consent, or EU and Swiss hosting. And a hard line for staff: the free and Plus consumer tiers of ChatGPT have no DPA and are not suitable for company personal data. If people are pasting customer data into a personal account, that is the first thing to fix, before any of this comparison matters. Residency itself is a deep topic we cover in EU data residency for AI apps in 2026.

Frequently Asked Questions

Does ChatGPT Enterprise train on our data?

No. OpenAI does not train on business data by default across Team, Enterprise, and the API. You own your inputs and outputs and you control retention through the admin console.

Does Microsoft 365 Copilot train on our data?

No. Prompts, responses, and the data Copilot reaches through Microsoft Graph are not used to train foundation models and stay within the Microsoft 365 service boundary, which runs on Azure OpenAI.

Is Microsoft 365 Copilot GDPR compliant?

Microsoft provides the building blocks: a processor DPA, the EU Data Boundary, Purview governance, and certifications. Whether you are compliant still depends on you as controller, meaning a lawful basis, an AVV, a DPIA where needed, and clean permissions.

ChatGPT Enterprise in Austria, is it allowed under data protection law?

Yes, with an OpenAI DPA, Europe data residency, and your own legal basis and DPIA. The Austrian DSB treats you as the controller, so the real questions are whether personal data needs to be sent at all and which transfer mechanism you rely on.

Where is our data stored and processed in the EU?

Copilot keeps data within the EU Data Boundary covering the EU and EFTA including Switzerland, with in-country processing for some countries rolling out in 2026. ChatGPT Enterprise uses a Europe region, at rest since February 2025 and in-region inference since January 2026, with no country-specific data center named.

What about Schrems II and US data transfers?

The EU-US Data Privacy Framework currently provides adequacy, but a court challenge is pending, so treat it as provisional and keep standard contractual clauses as a fallback. Switzerland needs a framework-certified recipient, SCCs, consent, or local hosting.

Do we need an AVV or DPA?

Yes, under GDPR Article 28, before any personal data is processed. Both Microsoft and OpenAI offer one for their business tiers. Consumer ChatGPT tiers do not include a DPA and are unsuitable for business personal data.

When should we build a custom RAG instead of buying?

When you need full residency or sovereignty control, permission-aware retrieval over a proprietary corpus, or model portability to avoid lock-in, and the per-seat economics stop making sense at your scale, and you can sustain the engineering and maintenance burden.

Can our team keep using free or Plus ChatGPT for work?

Not for personal or confidential data. Consumer tiers have no DPA. Use ChatGPT Enterprise or Team, or Copilot with enterprise data protection, for anything involving company or customer data.

What does Copilot cost and what do we need first?

30 USD per user per month for the Enterprise add-on paid yearly, or a lower Business tier capped at 300 users, and both require a qualifying Microsoft 365 base license. Copilot Chat is free with eligible subscriptions.

Final thoughts

The buying decision is mostly determined by where your data and your work already are. Deep in Microsoft 365, Copilot is the obvious start. Spread across many tools, ChatGPT Enterprise fits better. Needing control that neither gives you, you build.

What does not change with the logo is your responsibility. None of these is compliant out of the box, you remain the controller, and the contract and your permissions hygiene decide whether you are covered. Pick the tool in an afternoon. Spend the real effort on the AVV, the residency story, the permissions, and a small, well-scoped first use case that proves value before you roll it out to everyone.

Want help running a clean pilot before you commit budget?