11 min read · 21 Jun 2026

EU Data Residency for AI Apps in 2026: OpenAI, Azure OpenAI, Mistral, Hetzner, or Self-Hosted?

If you are building an AI app in Europe and need to keep data in the EU, your realistic options in 2026 are: OpenAI API with EU data residency (sales-gated, storage at rest in the EEA), Azure OpenAI with an EU Data Zone deployment (the best-documented in-region processing guarantee from a hyperscaler), Mistral (EU-headquartered, EU by default), AWS Bedrock with EU cross-region inference profiles, or self-hosting open-weight models on Hetzner GPUs in Germany or Finland. Only Mistral and Hetzner avoid US jurisdiction entirely. The trap that catches almost everyone: "EU data residency" usually means storage at rest in the EU, not that the model runs in the EU. Those are separate guarantees. Ask for both, explicitly.

This is an engineering view, not a vendor pitch, and it has a short shelf life. Residency offerings moved a lot across 2025 and 2026. Every claim below is dated mid-2026; re-check the linked vendor page before you sign anything or commit an architecture.

Need help picking and wiring up an EU-compliant AI stack?

Book Free Consultation

First, get the words straight

Most confusion in EU AI procurement comes from mixing up terms that mean different things. Pin these down before you compare anything.

Data residency is a location claim: where data physically sits. It is a convention, not a term defined in the GDPR.
Data sovereignty is a jurisdiction claim: whose laws govern the data. EU data on a US-owned cloud can be EU-resident and still reachable under the US CLOUD Act. The legal anchor here is GDPR Chapter V on transfers, not the word "residency."
Storage at rest is where your data is persisted. Processing or inference is where the GPU actually runs the call. Under GDPR Article 4(2), "processing" explicitly includes both storing and using data, so an inference call in a non-EU region is itself a processing event even if storage stays in the EU.
Zero data retention (ZDR) means the provider does not persist your request or response at all. "No training on your data" only means they will not train on it; it says nothing about whether it is logged or stored. These are independent. A provider can refuse to train on your data while still keeping it 30 days for abuse monitoring.

The one sentence to remember: EU data residency almost always means storage at rest in the EU. In-region processing is a separate, narrower, and often newer guarantee. Never assume residency equals EU-only inference.

The comparison at a glance

How the main options stack up across the dimensions that actually decide a procurement. All entries are mid-2026 and should be re-verified per provider.

Dimension	OpenAI API	Azure OpenAI	Mistral	AWS Bedrock	Hetzner (self-host)
EU storage at rest	Yes (per-project, sales-gated)	Yes (customer geography)	Yes, by default	Yes (region you call)	Yes (you control)
EU in-region processing	Separate add-on; confirm scope	Yes, via EU Data Zone	EU default; some transfers possible	Yes, via EU inference profiles	Yes, fully
No training by default	Yes (since 2023)	Yes	Paid: yes. Free: no	Yes	N/A (you own it)
Zero data retention	Approval-gated	Via modified abuse monitoring	Scale plan, request-gated	Yes (mode: none), often gated	Inherent
Self-serve signup	No (sales)	Yes	Yes	Yes	Yes
US CLOUD Act exposure	Yes (US company)	Yes (US company)	No (EU company)	Yes (US company)	No (DE/FI company)
Ops burden	Low	Low to medium	Low	Medium	High
Frontier model quality	Highest	Highest	Strong (EU)	Broad catalog	Open-weight ceiling

Only Mistral and Hetzner are EU-headquartered, so they sit outside the reach of the US CLOUD Act that applies to the hyperscalers even for EU-resident data. For the US providers, customer-managed encryption keys are the usual supplementary measure, not a cure.

OpenAI API

OpenAI offers data residency configured per project, with Europe (EEA and Switzerland) among the regions, spanning both the API platform and ChatGPT Enterprise. It is sales-gated, not self-serve, and typically set on new projects. The important nuance: the default guarantee is storage at rest in the selected region. In-region inference is a separate matter, so if you need the model itself to run in the EU for the raw API, confirm that explicitly with their sales team rather than assuming it. Data sent to the API has not been used to train OpenAI models since March 2023 unless you opt in, and ZDR is available but approval-gated, removing the roughly 30-day abuse-monitoring retention. Note a 2026 pricing uplift on data-residency endpoints for newer models.

Azure OpenAI

Azure gives the clearest in-region processing story of the hyperscalers, because the deployment type decides where inference runs. Global deployments may process in any Azure region worldwide. Data Zone deployments process only within a specified zone, and the EU Data Zone confines processing to the EU Data Boundary. Regional deployments stay in the deployment region. Storage at rest stays in your chosen geography across all of them. Two traps worth flagging: Batch jobs default to Global processing unless you pick the Data Zone batch variant, and the EU Data Zone (a processing scope of several regions) is not the same as the broader EU Data Boundary residency commitment. Human reviewers for EEA deployments are EEA-located, which is a genuine selling point. Azure OpenAI does not call OpenAI's own services and does not share your data with the model provider.

Mistral

Mistral is EU-headquartered and states that, by default, your data is hosted in the European Union; using the US endpoint is an explicit opt-in. Two things to get right. First, the official wording says "European Union," not a specific country, so do not write that it is "hosted in Sweden" because the Swedish facility is a future inference center, not where La Plateforme data sits today. Second, training defaults differ by plan: paid and Scale plans are opted out of training by default, while the free tier is opted in unless you change it. ZDR exists on the Scale plan for stateless calls and is request-gated. For maximum control, Mistral also offers self-hosted and dedicated-VPC deployments, and its open-weight models can be self-deployed. One caveat: on cloud marketplaces such as Bedrock or Azure, residency follows the cloud region you pick, not Mistral's EU default.

Hetzner and self-hosting

Hetzner is general-purpose hosting, not a managed LLM API, so you bring your own model and inference stack. What you get is full control of both storage and processing, all inside the EU, under an Article 28 data processing agreement, with no third-party model provider in the loop. Its owned EU data centers are in Germany (Nuremberg, Falkenstein) and Finland (Helsinki), and it offers single-GPU dedicated servers: roughly a 20 GB card for inference of smaller models, and a 96 GB card for training or running a quantized 70B model. The parks are ISO 27001 certified. The cost of this control is real: you now own capacity planning, quantization choices, batching, autoscaling, uptime, patching, and monitoring.

If you go fully self-hosted on open weights, watch the licenses. Most Mistral open models are Apache 2.0 and the least encumbered. Llama is not OSI open source; its community license carries a large monthly-active-user clause and an attribution requirement, and EU teams should check the current acceptable-use policy carefully before relying on multimodal variants. Qwen licensing is mixed by model. Self-hosting wins on control, not on cost or quality at low volume, where a dedicated GPU sits idle.

The decision tree

Pick the first branch that matches your hard constraint, not your preference.

No US entity may ever be able to access the data. Self-host open weights on Hetzner, or run Mistral self-hosted or on-prem. These are the only EU-jurisdiction options.
You need EU residency, low ops, and frontier quality, and US-company processing is acceptable with a DPA and standard contractual clauses. Azure OpenAI with an EU Data Zone deployment, or OpenAI API EU residency once you confirm the inference-residency scope with sales.
You want an EU-headquartered managed API with minimal effort. Mistral on a paid or Scale plan, training off by default, ZDR added if needed.
You already live in AWS and want EU-contained inference. Bedrock with EU cross-region inference profiles, plus zero data retention if you need it.
You have high sustained volume and in-house MLOps and want to own everything. Self-host open weights on Hetzner, sized to the model, with the license caveats above.

"EU data residency on the contract usually means your data is stored in the EU. It does not mean the model runs in the EU. Those are two different promises, and most teams only ask for the first one."

Where residency fits the bigger picture

Residency is one input into a defensible EU AI system, not the whole answer. The harder problems tend to be retrieval quality, per-user permissions, evals, and cost, which we cover in our RAG production-readiness checklist for the EU. And residency sits inside a wider compliance stack of RAG data flows, GDPR, and the AI Act, which we untangle in how GDPR and the AI Act stack for a DACH SaaS. Get the residency model right early, because retrofitting data location after launch is one of the more expensive things you can do.

Frequently Asked Questions

Does EU data residency mean my prompts are processed in the EU?

Not necessarily. It usually guarantees storage at rest in the EU. In-region processing is a separate guarantee, named differently by each provider, so confirm the processing location on its own rather than assuming residency covers it.

Is "no training on my data" the same as zero data retention?

No. "No training" means your data will not be used to improve models. Zero data retention means it is not stored at all. A provider can do the first while still keeping your data for roughly 30 days for abuse monitoring.

Which provider is safe from the US CLOUD Act?

Only EU-headquartered ones, in practice Mistral and Hetzner. US providers such as OpenAI, Azure, and Bedrock remain reachable under US law even for EU-resident data. Customer-managed encryption keys reduce but do not remove that exposure.

What is the EU Data Zone in Azure?

A deployment type that confines inference to the EU Data Boundary. It is distinct from the broader EU Data Boundary residency commitment, and the exact list of in-zone regions changes over time, so check the current Microsoft documentation.

Does Azure Batch stay in the EU?

Only if you use the Data Zone batch variant. Plain Batch defaults to Global processing, which may run in any Azure region worldwide.

Is Mistral hosted in Sweden?

No. The official wording is "European Union" by default, today primarily France and EU subprocessors. The Swedish site is a future inference data center, not where current La Plateforme data lives.

Can I get OpenAI EU residency on a self-serve plan?

No. It is sales-gated and configured per project, typically on new projects. There is also a 2026 pricing uplift on data-residency endpoints for newer models.

When is self-hosting on Hetzner actually worth it?

When you need full EU control of both storage and processing with no third-party provider, or you have high sustained volume and in-house MLOps. It wins on control, not on cost or quality at low volume, where the GPU sits idle.

Which open-weight model is cleanest for EU commercial self-hosting?

Apache-2.0 Mistral models are the least encumbered. Llama carries a large monthly-active-user clause plus attribution and an EU acceptable-use caveat to check, and Qwen licensing is mixed. Read each model card before you commit.

How often does this change?

Often. Residency offerings shifted across 2025 and 2026. Treat every claim here as mid-2026 and re-verify the vendor page before a contractual or architectural commitment.

Final thoughts

EU data residency is not one switch. It is a set of separate promises: storage location, processing location, retention, training, and jurisdiction. The mistake that costs the most is treating "EU data residency" on a contract as if it meant the whole set, when it usually means only storage at rest.

Decide which of those promises you actually need, in order of how hard the constraint is. If no US entity can ever touch the data, you are choosing between Mistral and self-hosting on EU infrastructure. If contractual safeguards are acceptable, Azure's EU Data Zone and OpenAI's EU residency are the low-ops frontier options. Then write the date next to every claim, because this will have moved again by the time you read it.

Want a second opinion on your EU AI architecture before you sign?