Insights

European AI sovereignty
in defense.

Why training infrastructure matters: the implications of data sovereignty for defense AI development, and what European sovereign compute actually means in practice.

In preparation · 12 min read

Context and significance

Artificial intelligence is becoming a core military capability not because it is novel, but because it is structurally well-suited to the modern operating environment: saturated sensors, dense electromagnetic competition, compressed decision timelines, and an expanding set of machine-to-machine interfaces. AI is already embedded—explicitly or implicitly—in intelligence, surveillance and reconnaissance (ISR), targeting support, electronic warfare analysis, predictive maintenance, logistics optimization, and defensive cyber operations. As autonomy increases in platforms and effects, the limiting factor will not be the availability of a model to run inference, but the ability to sustain an evolving model portfolio under operational security constraints.

This shifts how sovereignty should be understood. Traditional defense procurement is optimized for relatively stable artifacts—airframes, radars, encrypted radios—where capability is largely “delivered” at acceptance and then upgraded on planned cycles. AI does not behave that way. AI capability is a lifecycle: data intake and labeling, training and evaluation, deployment and monitoring, red-teaming and patching, retraining under drift, and continuous integration into mission systems. In practice, the operational value of an AI system depends on how quickly and safely it can be adapted to new theatres, new adversary behaviors, new sensors, and new tactics, techniques, and procedures.

The central claim of this analysis is therefore narrow and testable: AI sovereignty in defense is not achieved by purchasing models. It is achieved by controlling training infrastructure, data governance, compute capacity, and lifecycle maintenance. Model procurement can support capability delivery, but it does not by itself confer strategic autonomy. Inference sovereignty without training sovereignty is incomplete—and in contested conditions, it can become illusory. A state that cannot retrain, validate, and sustain its models on its own terms does not control its future capability trajectory; it only rents a present-tense capability from another actor’s industrial system.

Operational sovereignty, defined
In defense AI, “sovereignty” is meaningful only when expressed as control over specific technical and organizational functions.
  • Training sovereignty: the accredited ability to train and retrain models on sovereign infrastructure using sensitive and classified datasets, including the ability to reproduce builds, audit lineage, and iterate under operational tempo.
  • Data sovereignty: governance and control of collection, labeling, metadata, access, and releasability decisions—so that model behavior reflects national and coalition constraints rather than vendor defaults.
  • Compute sovereignty (as a gradient): assured access to sufficient compute capacity, with known supply-chain risk, to execute training, evaluation, and incident response without external gating.
  • Lifecycle sovereignty: authority and competence to validate, deploy, monitor, red-team, patch, and retire models and their dependencies over multi-year programs.

By contrast, symbolic sovereignty is achieved through labels—“European,” “sovereign cloud,” “on-prem inference”—without control of the lifecycle functions above. It may reduce some risks, but it does not eliminate strategic dependency. Operational sovereignty is measurable: who can retrain, where, under what accreditation, with what data, and at what pace.

The strategic implication is not that Europe should reject foreign technology or isolate itself from allied ecosystems. Interoperability, shared standards, and coalition operations remain central to European security. The issue is rather that procurement of foreign AI systems does not equal capability independence. In defense, the binding constraint is rarely “Can we run a model?”—it is “Can we adapt the model safely on classified data, at speed, without external permission or hidden coupling to a third party’s infrastructure, supply chain, or legal regimes?” Those are infrastructure questions before they are model questions.

Key dimensions

Defense AI sovereignty is best treated as a set of interlocking constraints rather than a single procurement decision. The dimensions below are mutually reinforcing: weak data governance degrades training; inadequate training infrastructure creates outsourcing pressure; supply-chain fragility constrains compute; and talent shortages convert even well-funded programs into brittle dependencies. The objective is not absolute independence—rarely achievable and often unnecessary—but durable autonomy in the capabilities that matter most: training, assurance, and lifecycle control.

Data sovereignty and classification

In defense AI, “data sovereignty” is not primarily a privacy concept. It is a classification and operational control concept. The most valuable datasets—sensor collections, intelligence reports, signatures, patterns of life, mission logs, blue force telemetry, electronic order of battle—are frequently classified, caveated, and compartmented. They are also heterogeneous and time-bound: they reflect specific theatres, platforms, and adversary behaviors that evolve. Any realistic approach to sovereign defense AI therefore begins with the constraints imposed by multi-level security (MLS) and cross-domain separation.

MLS constraints shape more than storage locations; they shape architectures and development workflows. In practice, defense organizations operate across multiple data domains (unclassified, restricted, confidential, secret, top secret, and special compartments) plus coalition releasability regimes (national, NATO, bilateral, mission-specific). Moving data across these boundaries is never a simple “export.” Cross-domain transfers require approved mechanisms, human review, and often purpose-built cross-domain solutions (CDS) that are security-accredited and heavily audited. The friction is structural, and it must be designed into the training pipeline rather than treated as an afterthought.

Three operational realities follow:

  • Labeling pipelines are themselves sensitive systems. Labeled data is often more sensitive than raw data because labels encode judgments, priorities, and derived intelligence. A controlled labeling environment—with audited tools, vetted label taxonomies, and secure workforce processes—becomes part of the classified system boundary.
  • Metadata is operationally revealing. Even when payloads are sanitized, timestamps, geolocation references, sensor parameters, collection methods, and link-analysis structures can expose sources and methods. Effective governance therefore requires metadata classification rules, not just file classification.
  • Releasability is not a technical flag. Coalition training and deployment frequently require parallel model lines: one model trained on national-only data, another trained on releasable subsets, and sometimes mission-specific fine-tunes. This multiplies lifecycle complexity and makes sovereign training capacity more—not less—important.

This is why training on classified data requires sovereign infrastructure. If the training environment is not under national (or explicitly agreed coalition) control, then the state cannot credibly claim control over the data-to-model transformation. “Cloud-region hosting” is not equivalent to sovereignty if the provider retains administrative access paths, if incident response is constrained by vendor processes, or if legal and contractual dependencies limit forensic transparency. In sensitive programs, the practical question is: can the authority responsible for security accreditation fully enumerate, test, and approve the system boundary? If the answer is “not without a third party’s cooperation,” sovereignty is already diluted.

Data governance also shapes retraining cycles and model design choices. If data can only be accessed in a high-side enclave, then model architectures must support segmented training, strict lineage, and controlled export of artifacts. If cross-domain transfer is limited to weights (or to distilled representations), then the program must plan for separate evaluation regimes, leakage testing, and strict controls against inadvertent memorization of sensitive content. These are not abstract compliance requirements; they are operational constraints that determine whether an AI system can be sustained in peacetime and adapted in crisis.

Training infrastructure as strategic asset

The distinction between inference infrastructure and training infrastructure is foundational. Inference can often be distributed, resource-efficient, and embedded: models can run on edge devices, tactical servers, shipboard compute, or hardened datacenters with relatively modest power and cooling. Training is different. Training is an industrial process that demands dense compute, high-bandwidth interconnects, high-throughput storage, disciplined MLOps, and a security posture robust enough to withstand both cyber threats and insider risk. The sovereignty question is therefore not “Can we deploy a model?” but “Can we sustain the capability to produce and evolve models under our own security and operational assumptions?”

A sovereign training environment for defense typically requires some combination of:

  • Secure enclaves with tightly controlled administrative domains, hardened identity and access management, and auditable privileged access—so that the environment can be accredited and its boundary understood.
  • Air-gapped or highly segmented clusters for the most sensitive workloads, where the connectivity model is designed for risk reduction rather than convenience.
  • High-density accelerator capacity and interconnect topology suitable for modern deep learning training, not only classical HPC simulation workloads.
  • End-to-end lineage controls: dataset versioning, model weight provenance, dependency pinning, reproducible builds, and secure artifact repositories.
  • Integrated evaluation and red-team workflows to test for adversarial robustness, data leakage, unsafe behavior under stress, and operational failure modes.

These features are not luxuries; they are what converts “access to compute” into a defensible capability. A model trained on classified data becomes a sensitive artifact in its own right. It can encode operational patterns, intelligence judgments, and potentially even memorized fragments of source material. Sovereign training therefore includes the ability to apply technical controls (differential privacy where feasible, memorization tests, controlled fine-tuning strategies), but also procedural controls: who can trigger retraining, who can approve releases, how updates are distributed, and how incidents are handled.

Outsourcing training introduces strategic dependency in several ways that are often underestimated:

  • Dependency on external update cadence. If a supplier controls the training environment, the state’s ability to respond to drift or adversary adaptation is gated by contractual timelines and vendor priorities.
  • Opacity in assurance. Without full visibility into the build pipeline, evaluation environment, and dependency chain, it becomes difficult to certify behavior under mission conditions—especially when the model interacts with classified systems.
  • Lock-in through tooling and interfaces. Training pipelines tend to accumulate implicit assumptions: data formats, orchestration tools, monitoring semantics, and evaluation harnesses. Over time, the “model” becomes inseparable from the vendor’s infrastructure.
  • Legal and policy coupling. Export controls, licensing restrictions, and changing policy environments can affect service delivery even when intentions are benign.

The strategic point is that training infrastructure determines the future capability trajectory. A ministry of defense that controls accredited training environments can iterate: it can adapt models to new sensors, incorporate operational feedback, and maintain a portfolio of mission-specific models. A ministry that only controls inference is limited to consuming what others can produce and certify. In peacetime, this may appear acceptable. In crisis, it becomes a material constraint.

This reality also intersects directly with procurement and accreditation timelines. Security accreditation for classified systems is deliberately slow because it must be defensible. If AI programs treat training environments as ad hoc or vendor-proprietary, accreditation becomes a recurring bottleneck. Conversely, if defense organizations invest in standardized, reusable training enclaves—with well-understood controls and evidence packages—then iterative AI development becomes operationally feasible. The trade-off is clear: higher upfront investment and discipline in infrastructure yields lower long-term friction and greater operational flexibility. It also supports a practical objective aligned with infrastructure-independent autonomy: architectures and pipelines that can run across accredited sovereign infrastructures without being captive to a single provider’s stack.

European compute capacity

Europe possesses world-class high-performance computing capabilities, including national supercomputing centers and pan-European investments. However, defense AI training is not simply “more HPC.” The requirement is a blend of AI-optimized accelerators, fast interconnect, high-throughput storage, and a software stack tuned for large-scale model training—delivered within security-accredited facilities and operated under governance appropriate for sensitive workloads. The gap is often not raw peak performance, but assured access, AI-appropriate architecture, and the ability to operate at classification.

Several practical constraints shape Europe’s compute sovereignty posture:

  • AI-optimized clusters are structurally different from many traditional HPC procurements. Simulation-heavy systems can be excellent for physics workloads yet poorly aligned to deep learning training if accelerator density, memory hierarchy, and interconnect patterns are not designed for it.
  • Defense workloads are “always-on,” not best-effort. Many academic HPC environments allocate time via calls and batch queues. Defense AI training and evaluation often require persistent capacity for continuous integration, operational patching, and mission tempo.
  • Classification changes the hosting model. Even where national HPC capacity exists, it is rarely engineered, accredited, and governed to host multi-level defense data and controlled model artifacts at scale.

Compute sovereignty is also constrained by semiconductor realities. Europe remains heavily reliant on non-European vendors for high-end AI accelerators and key elements of the networking and system software stack. This is not a moral failing; it is an industrial structure. Advanced semiconductor fabrication is globally concentrated. High-performance accelerators depend on supply chains that span design, packaging, memory, and manufacturing nodes that Europe does not fully control. In addition, AI training ecosystems are currently dominated by vendor-specific software (notably in compilers, drivers, and kernels) that can create implicit dependency even when hardware is purchased outright.

The implication is not that Europe can—or should—aim for total compute independence in the near term. Rather, Europe should aim for assured compute capacity for sensitive defense workloads, with risk-managed procurement and a software strategy that reduces lock-in. In practice, that means investing in:

  • Defense-specific AI training clusters operated under national security governance, sized for iterative training and evaluation rather than showcase peak FLOPS.
  • Portability layers in the software stack: containerized workflows, reproducible environments, and abstraction approaches that allow migration across hardware generations and vendors.
  • Long-term sustainability models that treat compute as a strategic enabler—budgeted for continuous refresh, power and cooling, and skilled operations—rather than as a one-time capital acquisition.

Public-private investment models are often necessary because the economics of modern training infrastructure are difficult for any single ministry to sustain alone, yet too sensitive to outsource completely. Pooling frameworks—where accredited compute is shared across defense, critical national security agencies, and selected industrial partners—can raise utilization, justify refresh cycles, and build a larger ecosystem of cleared operators and engineers. Done correctly, pooling does not dilute sovereignty; it institutionalizes it by making infrastructure a shared national asset rather than a bespoke program risk.

Supply chain independence

Supply chain independence in defense AI cannot be reduced to the nationality of a vendor. It is a spectrum of exposure across hardware, firmware, software, and operational dependencies. For AI systems, the critical supply chain elements include advanced semiconductors, high-bandwidth memory, networking equipment, firmware and microcode, orchestration software, and long-term maintenance contracts. Each layer can introduce constraints that matter more in a crisis than they appear to in steady-state procurement.

Two characteristics of AI supply chains deserve explicit attention:

  • Concentration at the frontier. The leading edge of accelerators and fabrication is concentrated among a small number of firms and jurisdictions. Export controls and licensing constraints can therefore change the availability of certain classes of compute with limited warning.
  • Invisible dependencies. Modern compute platforms include management controllers, firmware stacks, signed driver chains, and remote management tooling. These are often opaque to end users but are part of the real security boundary and the real dependency boundary.

A mature approach treats sovereignty as risk-managed resilience, not purity. Total independence is unrealistic for most states, and in many cases would be cost-ineffective. The objective should be to reduce the probability that external actors can unilaterally degrade capability, and to reduce the blast radius when supply shocks occur. Practical measures include:

  • Trusted procurement and attestation. Require verifiable supply chain documentation, secure boot, hardware attestation where feasible, and explicit firmware update policies. Treat firmware as a controlled dependency, not a vendor convenience.
  • Lifecycle maintenance planning. Defense AI programs should plan for decades-long sustainment: spare parts, obsolescence management, and periodic platform refresh without breaking accredited pipelines or losing reproducibility.
  • Software bill of materials (SBOM) discipline. Model performance depends on libraries and drivers that can change. Without explicit dependency management, supply chain risk becomes operational risk during upgrades and incident response.
  • Architectural diversification. Design systems so that mission-critical inference can degrade gracefully: edge-capable models, distributed inference, and modular components reduce single points of failure.

Architecture choices can meaningfully reduce vulnerability without requiring industrial autarky. Not every mission requires frontier-scale models; many defense tasks benefit from compact, specialized models that can be trained and deployed on smaller, more controllable hardware footprints. Distributed systems can avoid central dependency on a single training cluster for every update. Inference can often be designed to operate on hardened tactical compute or microcontroller accelerators for specific functions, reducing exposure to high-end supply constraints while preserving operational effect.

The goal is not to eliminate dependence—an impossible target—but to ensure that dependence is chosen, transparent, and survivable. Sovereignty increases when a defense organization can explain, in concrete terms, which dependencies it accepts, why, what mitigation exists, and how quickly it can reconstitute capability under disruption.

Talent and knowledge transfer

Defense AI sovereignty is partly epistemic: it depends on what a nation can understand, reproduce, and improve. Even with sovereign compute and data governance, capability will erode if the knowledge to operate and evolve the system is external. This is particularly true for classified AI development, where the most meaningful work must occur inside secure environments and cannot be fully outsourced to open academic ecosystems or commercial service providers.

The talent challenge is not simply “hire more ML researchers.” Sovereign defense AI requires a composite workforce:

  • Data engineers and labeling operations capable of building controlled pipelines for sensitive datasets.
  • ML engineers and researchers who can design architectures suitable for mission constraints and retraining realities.
  • Secure infrastructure engineers who can operate clusters under accreditation and manage identity, logging, and incident response.
  • Test and evaluation specialists who can translate operational requirements into measurable model behavior and run red-team exercises.
  • Domain experts who understand sensors, tactics, and operational contexts well enough to detect when a model is “wrong in the way that matters.”

Security clearance processes become a critical throughput constraint in this ecosystem. When clearance timelines are long or unpredictable, programs compensate by shifting work to uncleared environments—precisely where the most valuable data cannot be used. The result is a two-tier development process: prototypes built on sanitized data, followed by slow and fragile transitions to classified environments. This pattern reliably reduces operational relevance and increases dependence on external vendors who already operate at scale.

There is also a structural knowledge-transfer dynamic tied to infrastructure ownership. Owning infrastructure builds knowledge; renting infrastructure erodes it. When training pipelines are operated internally (or within tightly governed national consortia), engineers learn the failure modes, the performance bottlenecks, and the security trade-offs. When training is consumed as a service, that learning accumulates externally. Over time, the sovereign actor becomes a sophisticated customer rather than a sovereign operator, and the ability to challenge vendor claims or adapt independently declines.

Indigenous algorithm development matters for the same reason, but it should be framed realistically. Europe does not need to invent every technique from first principles to be sovereign. It does need the capacity to implement, evaluate, modify, and assure techniques inside accredited environments, including under constraints that commercial research rarely prioritizes: MLS segmentation, forensic traceability, controlled release, and mission-specific robustness. This is where infrastructure and talent converge: an accredited training environment becomes both a capability platform and a training ground for the people who will sustain the capability.

Policy and strategy recommendations

A credible sovereignty strategy is built around lifecycle control, not one-off acquisition. The following recommendations are structured as implementable categories rather than slogans, and can be adapted to national scale and threat posture.

  1. Define sovereignty in capability terms and measure it. Establish a defense AI sovereignty framework with metrics: time-to-retrain on classified data, time-to-patch after vulnerability discovery, reproducibility of model builds, percentage of lifecycle steps under national control, and assured compute availability under crisis conditions.
  2. Invest in accredited training infrastructure as a strategic asset. Fund secure AI training clusters sized for iterative development, not demonstrations. Prioritize reusable “training enclaves” with standardized controls, evidence packages for accreditation, and integrated logging and provenance so they can support multiple programs and agencies.
  3. Build controlled data pipelines, not just data lakes. Create sovereign data ingestion and labeling capabilities with MLS-aware governance: label taxonomies, metadata classification rules, audit trails, and cross-domain transfer procedures. Treat labeling tools and processes as part of the classified system boundary.
  4. Institutionalize model lifecycle governance. Adopt standards for model lineage, evaluation, red-teaming, and release authority. Require documented retraining triggers (drift, new intelligence, sensor changes), and formalize who can approve updates for operational deployment.
  5. Create compute pooling frameworks under sovereign governance. Where national scale is limited, establish public-private defense AI consortia that pool accredited compute across defense and selected industrial partners with appropriate clearances. This increases utilization, supports refresh cycles, and expands the cleared talent base while retaining sovereign control.
  6. Reform procurement for iterative AI systems. Move from static requirements to iterative contracting models that support continuous delivery, evaluation, and retraining. Contract for measurable outcomes (performance under defined mission conditions, update cadence, assurance evidence) and require portability of pipelines and artifacts to avoid vendor lock-in.
  7. Harden supply chain posture through transparency and diversification. Require firmware governance, SBOM discipline, and attestation where feasible. Plan for obsolescence and spares. Encourage architectural designs that can shift between hardware generations and support compact mission models when frontier compute is constrained.
  8. Accelerate cleared talent development and retention. Treat clearance throughput as a strategic enabler. Build career paths for ML engineers, secure infrastructure operators, and evaluation specialists within defense and national security institutions. Support structured collaboration with academia and industry through controlled environments that allow meaningful work without compromising security.

These measures are mutually reinforcing. Training clusters without data governance become underutilized. Data governance without accredited compute creates outsourcing pressure. Procurement reform without assurance standards accelerates risk. The strategic objective is to create a sustainable loop: sovereign data → sovereign training → sovereign assurance → sovereign deployment → operational feedback → retraining.

Comparative perspectives

Comparative analysis is useful when it focuses on structural realities rather than rhetoric. The question is not which actor “believes” most in sovereignty; it is which institutional arrangements reliably produce lifecycle control: training capacity, assurance regimes, and rapid iteration under security constraints. Three reference cases illustrate different structural solutions.

United States: The U.S. approach is characterized by deep integration between defense primes, advanced research institutions, and hyperscale cloud providers, combined with significant defense-driven R&D funding and platformization. A key strength is scale: the industrial base can sustain large training efforts and attract top technical talent. Another strength is procurement agility in selected programs, enabled by flexible contracting vehicles and a mature ecosystem of defense-adjacent software firms. The main sovereignty lesson for Europe is not to imitate reliance on any particular provider, but to recognize that training infrastructure plus assurance processes are treated as enduring capability platforms, not one-off purchases.

China: China’s model is characterized by state-integrated compute strategy, close coupling between industrial policy and security objectives, and large-scale mobilization of data and infrastructure. The structural advantage is centralized capacity: large compute investments can be aligned rapidly with national priorities, and domestic ecosystems can be directed toward strategic needs. The constraint is that such centralization is embedded in a different governance model than most European states would accept. The lesson for Europe is nonetheless relevant: compute and training capacity are treated as national strategic infrastructure, and this materially affects the ability to iterate quickly and at scale.

Israel: Israel’s defense AI ecosystem is distinguished less by scale and more by integration and tempo. Tight coupling between operational units, intelligence organizations, and a highly capable domestic tech sector supports rapid iteration and direct feedback loops. Programs can move from operational need to prototype to deployment quickly because institutional boundaries are comparatively thin and the ecosystem is practiced at operating under security constraints. The lesson for Europe is that sovereignty is not only a function of capital investment; it is also a function of organizational design: clear authorities for iteration, deployment, and retraining, and mechanisms to move operational feedback into training pipelines without procedural paralysis.

For Europe, the relevant synthesis is pragmatic. Europe’s strength lies in advanced industrial capabilities, strong national security institutions, and an existing framework for coalition operations. The challenge is that AI sovereignty requires bridging gaps between these strengths: aligning procurement with iterative development, aligning classification governance with data pipelines, and aligning compute investment with accredited, mission-driven training environments.

  • Scale can be pooled. Not every nation needs a frontier-scale cluster, but every serious defense AI actor needs assured access to accredited training capacity.
  • Tempo can be institutionalized. Iterative AI delivery is compatible with rigorous security accreditation when reusable enclaves and standardized assurance evidence are developed.
  • Interoperability can coexist with sovereignty. Coalition operations benefit from shared evaluation methods, common interfaces, and releasable model lines—provided the sovereign training capability exists to produce and validate them.

The strategic conclusion is therefore direct: the decisive element of defense AI sovereignty is not where a model is purchased, or what label is attached to it. It is whether the state can control the data-to-model lifecycle under its own security governance, at the pace required by operations, and with supply-chain and talent structures that are resilient under disruption. In a domain where adversaries adapt and environments change, sovereignty is the ability to keep producing relevant capability. That is an infrastructure problem before it is a software problem—and it is best solved by investing in training infrastructure, lifecycle governance, and portable architectures that preserve autonomy even as technologies and vendors evolve.

← Back to Insights