Compliance meets geopolitics

A security outlet is flagging that compliance programs now have to account for competing national rules on AI, data sovereignty, and cross‑border controls. (x.com) The write-up emphasizes that legal and technical teams are being pushed to coordinate around layered regulatory demands rather than single global standards. (x.com)

Corporate compliance teams are no longer working from one global rulebook; they are mapping country-by-country limits on AI, data storage, and who can move information across borders. (ec.europa.eu)

In the European Union, the Artificial Intelligence Act entered into force on August 1, 2024 and rolls out in stages through August 2, 2027, with major duties for high-risk systems due in 2026. The bloc’s Data Act has applied since September 12, 2025, adding rules on access to connected-device data and cloud switching. (europa.eu) (ec.europa.eu)

In the United States, the Justice Department’s final rule under Executive Order 14117 took effect on April 8, 2025 and restricts or bars some data transactions involving bulk sensitive personal data and government-related data with “countries of concern.” The rule turned cross-border data transfers into a national-security issue as well as a privacy issue. (federalregister.gov)

China has moved in the other direction on some transfers, easing parts of its outbound-data regime in March 2024 and then publishing official question-and-answer guidance in April 2025. The Cyberspace Administration of China said ordinary data that is not personal information or “important data” can generally move abroad, while sensitive categories still trigger compliance duties. (cliffordchance.com) (privacymatters.dlapiper.com)

That patchwork means a company can face three different questions about the same system: whether the model is allowed, where the training or user data may sit, and whether engineers or vendors in another country may touch it. A cloud architecture that passes one jurisdiction’s test can fail another’s if keys, support access, or onward transfers cross the wrong border. (nvlpubs.nist.gov) (dataprivacyframework.gov)

The older idea of a single baseline has not disappeared, but it no longer settles the hardest questions. The Organisation for Economic Co-operation and Development updated its AI Principles in May 2024, and the National Institute of Standards and Technology still describes its AI Risk Management Framework as a voluntary tool rather than a binding law. (oecd.ai) (nist.gov)

Even the main transatlantic privacy bridge is narrower than a universal standard. The European Commission adopted the European Union-United States Data Privacy Framework on July 10, 2023 for certified U.S. companies, but it covers one transfer route under privacy law, not export controls, sector rules, or national-security restrictions. (edpb.europa.eu) (ftc.gov)

The operational effect is that lawyers, security teams, procurement officers, and engineers are being pulled into the same room earlier. Companies now have to decide where models run, where logs stay, which affiliates can review incidents, and whether a vendor’s remote access creates a regulated transfer. (nist.gov) (therecord.media)

Governments are also tying these rules to industrial policy and strategic autonomy. European policy documents link data and artificial-intelligence sovereignty to reducing dependence on non-European technology stacks, while U.S. policy has increasingly treated advanced technology and sensitive data as strategic assets. (lawfaremedia.org) (justice.gov)

The result is a compliance function that looks more like geopolitical risk management than checklist auditing. For multinational firms in 2026, the central question is no longer whether they comply everywhere in the same way, but whether they can prove why each system is built differently in each market. (vucense.com)
