Nur zwei Slots frei, aktuell nur kurze Beratung und Fractional-Rollen. Schreiben Sie mir für die Warteliste

Zurück zu allen Beiträgen

Warum ich immer wieder zur Souveränität komme: ein Memo nach der Fable-5-Abschaltung

Ein persönliches Memo. Rund drei Wochen lang hat diesen Sommer eine US-Exportkontrolle Claude Fable 5 weltweit offline genommen. Was mir das über den CLOUD Act, FISA 702, die EU-KI-Verordnung und darüber gelehrt hat, warum europäische Teams digitale Souveränität als Resilienz behandeln sollten, nicht als Bürokratie.

Published 2026-07-07·Updated 2026-07-07·7 Min. Lesezeit
Sovereign AIEU AI ActDigital sovereigntyClaude

I have spent a good part of the last few years telling European founders the same thing, and watching most of them file it under later. Sovereignty. Data residency. Not putting your whole company on top of a model that lives in someone else’s jurisdiction. It always sounded a little abstract, a little paranoid, a little like the thing a Paris-based consultant would say to justify the invoice. I understood the polite nods. Abstract risks are easy to defer.

Then Fable 5 happened, and the abstract turned into a date on a calendar.

Anthropic launched its strongest model on the 9th of June. On the 12th, at twenty-one minutes past five in the evening Washington time, the US government handed the company an export-control directive: suspend access for every foreign national, inside the United States or out. You cannot check someone’s nationality through an API in real time, so the only way to comply was to pull the model for everyone. Not throttle it. Pull it. A team in Lyon or Lisbon or Tallinn woke up to find that a capability they had been designing around had simply gone, and there was nothing in their power to do about it. It came back on the 1st of July, roughly three weeks later, once the Commerce Secretary put out a letter withdrawing the order.

I want to sit with that, because I think a lot of people read it as a headline and moved on. A decision taken by a government that no European founder votes for, about a company no European founder owns, removed a piece of live infrastructure from under European products for three weeks. There was no European process, no notice, no appeal. That is not a story about one model. It is a description of where the ground actually is.

The outage was the system working as designed

Here is the part that should worry you more than the outage itself: it was not a glitch. US export controls run through the Export Administration Regulations and the Commerce Department’s Bureau of Industry and Security, and over the last three years they have walked steadily from chips toward the models themselves. The 2022 and 2023 rules were about semiconductors. By January 2025, a new framework put the weights of the most advanced closed models into their own export-control category, trained-compute threshold and all. Translation: a frontier American model is now, legally, a controllable export. Fable 5 was simply the first time we all watched that fact leave the page and touch a production system.

Two laws sit under every US cloud contract

Export control is only the loud risk. Two quieter ones sit under every contract with a US provider, and they were there long before Fable 5. The CLOUD Act, on the books since 2018, lets US authorities compel an American-headquartered company to hand over data in its control no matter which country the servers sit in. FISA Section 702, reauthorized and quietly broadened in April 2024, lets US agencies run surveillance of non-US persons through those same providers. And European law sees the conflict plainly: Article 48 of the GDPR says a foreign authority’s demand for your data only counts if there is a treaty behind it. So a European company on an American stack is not being paranoid when it worries about a conflict of laws. It is sitting on one.

The usual reassurance is the Data Privacy Framework, the arrangement that currently makes EU to US data transfers legal. I would not build a ten-year company on it. It rests on a US executive order a president can rewrite without asking Congress. The American oversight board meant to police it lost its quorum after three members were dismissed in early 2025. And it is already being challenged in the European courts, heading toward the same judges who struck down its two predecessors, Safe Harbour and Privacy Shield, within the last decade. Two frameworks gone in ten years is not a foundation. It is a lease that keeps getting renewed at someone else’s discretion.

Sovereignty is optionality, not a flag

This is the part I find hard to say without sounding like I am selling something, so let me just say it plainly. I am not anti-American. I use these models every day. Some of the best engineering I have seen this year came out of American labs, and Fable 5 itself is genuinely remarkable. This is not about which country to root for. It is about not building your house on a plot of land where someone else holds the keys and can change the locks on a Tuesday.

Sovereignty, the way I actually mean it, is not a flag. It is optionality. It is being able to say: if this provider disappears, or gets regulated out of my reach, or triples its price, I have somewhere else to go by Friday, not by next quarter. In practice that means a few unglamorous things. Keeping the model behind an interface so it is a swappable part and not load-bearing. Having a real fallback ready, an Opus, a Mistral, an open-weight model you can host in Frankfurt or Paris. Keeping the data that actually matters inside the EU, under a law you can reason about. None of it is exciting. All of it is the difference between an inconvenience and an incident.

Europe is finally building the exit

The good news, and I do mean good news, is that the ground under the European side is firming up, so this is getting easier rather than harder. The Draghi report in 2024 put a hard number on the dependence and the investment needed to close it. The EuroStack analysis reckons Europe imports more than four fifths of its digital technology, and that seven in ten of the foundational AI models it uses are American. The Commission’s answer is arriving in pieces you can actually use: a couple of hundred billion euros mobilised for AI and compute, a Cloud and AI Development Act that finally writes sovereignty tiers into law, and the one I point clients to first, the Data Act, which from January 2027 bans the switching fees that used to make leaving a cloud provider quietly expensive. The exit door is being built and paid for. Fewer excuses to hard-wire yourself in.

The AI Act hands you the other half

There is a flip side founders keep missing. The same European legal order that protects your optionality also hands you obligations. The AI Act is now partly live: general-purpose model rules since August 2025, most of the high-risk regime landing across 2026 and 2027, with a recent omnibus pushing some deadlines out. If you build or deploy AI in Europe you carry real duties, documentation, risk management, transparency, with fines that reach into tens of millions of euros or a slice of global turnover. And a US model’s internal safety routing does not discharge a single line of that for you. The provider’s safety layer protects the provider. Your compliance is still yours to build. For the seed-stage version of that work, see EU AI Act readiness for seed-stage startups.

What I tell clients now

So what do I actually do with clients now? I stopped framing sovereignty as a compliance chore and started framing it as resilience, because that is what it is. I ask a simpler question than I used to. If your most important model went dark tomorrow, what happens to your product, your customers, your week? If the answer is that you would be fine, that you would fail over, good. If the answer is a long pause, that pause is your risk, and as of this summer it has a name.

I do not think everyone should rip out their American models and go fully sovereign tomorrow. That would be its own kind of foolishness. What I think is that the era of treating a single foreign frontier model as permanent, neutral infrastructure is over, and Fable 5 is the moment it ended out loud. Build for the world where your best tool might be gone on a Thursday and back the following month, because that is demonstrably the world we are in. If you want to work out where that leaves your own stack, that is what a scoping consultation is for, and the fuller argument lives on Sovereign AI.

That is the whole memo, really. Not a doctrine. Just a conviction that got a great deal sharper on the 12th of June, and a quiet suggestion that European teams start taking their own autonomy as seriously as the people writing the export controls take theirs.

References

Redaktioneller Inhalt. Nur zu Informationszwecken — keine Rechts-, Finanz- oder Fachberatung.

Hol dir das Playbook

Kurze, praktische KI-Essays für Gründer, CTOs und Heads of AI. Eine E-Mail pro Monat. Jederzeit abbestellbar.

Möchten Sie ein ähnliches Gespräch über Ihren Stack?

Die meisten Engagements beginnen mit einem 60-minütigen Scoping-Call.

Weiterlesen

Aru Bhardwaj

Fractional CTO architecting sovereign AI systems for startups and scale-ups across Europe. Custom ML, agentic RAG, and secure LLM infrastructure. 7+ years turning complex data into production intelligence.

Malt
Upwork

Contact

Services

  • Fractional CTO & AI Strategy
  • MVP Development & Rapid Prototyping
  • Sovereign LLM Deployment (OVHcloud, Scaleway)
  • Multi-Cloud AI (AWS Bedrock, Vertex AI, Azure)
  • RAG Pipelines & Autonomous Agents
  • GDPR & EU AI Act Compliance
  • Generative AI & Prompt Engineering
  • Machine Learning & Predictive Analytics

Monthly playbook

Practical AI essays for founders and tech leaders. One email a month.

Taktische KI-Essays, monatlich.

© 2026 Insightrix SASU. All rights reserved.Aru Bhardwaj, Fractional CTO & AI Strategist

60 Rue François Ier, 75008 Paris, France · SIRET 989 236 856 00013 · TVA FR42989236856