DEV Community

Cover image for The EU Data Act and Sovereign AI
Micky Irons
Micky Irons

Posted on • Originally published at mickai.co.uk

The EU Data Act and Sovereign AI

The EU Data Act and Sovereign AI

By Micky Irons, founder and CEO of Mickai.

The European Union built the Data Act to break open the vaults. From 12 September 2025 its core obligations apply in full, and the message to every connected-device maker, cloud provider and data holder is blunt: the person or business who generates data has a right to reach it, to move it, and to hand it to someone else. Portability stops being a courtesy and becomes a legal duty. Territory stops being an afterthought and becomes a design constraint.

That is a welcome shift, and it exposes a quiet contradiction. You cannot honour a data right if the intelligence that reads, ranks and reasons over that data lives on somebody else's estate, under somebody else's keys, in a jurisdiction you do not control. The Data Act frees the data. It says nothing about who owns the mind that uses it. We built Mickai, our Sovereign Intelligence Operating System, to answer exactly that gap: own the intelligence, and the data rights follow it home.

What the Data Act actually demands

The Regulation (EU) 2023/2854, to give the Data Act its formal name, does three things that matter for anyone running artificial intelligence. It grants users of connected products a right of access to the data those products generate. It compels data holders to share that data with third parties the user nominates. And it forces cloud and edge providers to make switching and interoperability real, stripping out the contractual and technical lock-in that has kept customers captive for a decade.

Alongside the General Data Protection Regulation (GDPR) and the EU Artificial Intelligence Act (EU AI Act), the Data Act completes a picture. GDPR governs personal data. The EU AI Act governs how models behave. The Data Act governs who may move the raw material between them. Read together, they describe a world where data is portable by law, decisions must be explainable, and the customer holds the reins. The uncomfortable question is whether your intelligence stack was built for that world or against it.

A colossal marble figure of Mnemosyne holding an open vessel from which golden light streams, standing against a black void in storm light.

Mnemosyne kept memory whole so nothing was lost; portability only matters when the whole mind moves with the record.

Portability is meaningless if the mind is rented

Consider what portability means in practice. A regulated firm exports its data from one provider and imports it into another. Clean, tidy, compliant. But the value was never in the raw data. It was in the model weights tuned to that data, the embeddings, the retrieval indexes, the learned behaviour that turned records into decisions. When the intelligence is rented from a hyperscaler, none of that travels with you. You port the ore and leave the refinery behind.

Mickai inverts the arrangement. The intelligence, our sovereign brains, the retrieval subsystems, the studios that act on the data, all run on hardware the customer owns. Air-gapped or on-premise, with zero data egress. Move estates, change suppliers, satisfy a portability request, and the mind moves with the matter because both sit inside your own perimeter. Portability becomes trivial when nothing was ever outside to reclaim.

Territory is a property of the substrate, not a promise in a contract

Data sovereignty is usually sold as a contractual assurance: a region setting, a data-residency clause, a page in a compliance pack. Those are promises. The Data Act, and its siblings the Digital Operational Resilience Act (DORA) and the Network and Information Security Directive (NIS2), increasingly want proof. Where did this data sit at the moment of processing? Which brain touched it? Under whose keys? A clause cannot answer that. A substrate can.

A colossal marble figure of Hestia standing guard within a circular hearth of golden fire against a black void.

Hestia never left the hearth; territory is a fact of where the fire sits, not a promise written elsewhere.

Because Mickai runs on the customer's own iron, territory is not asserted, it is a physical fact. The intelligence never crosses a border it was not permitted to cross, because it never leaves the room. For firms bound by DORA in finance, or by NIS2 across critical sectors, that difference is the difference between an auditable claim and an aspirational one. The room is the boundary, and the boundary is the proof.

Every action signed before it happens

A data right you cannot prove you honoured is a liability waiting for an auditor. So we made proof structural. Every action Mickai takes is wrapped in an Operation Attestation Record (OAR) that is signed before the action executes, not logged afterwards. The signatures use post-quantum cryptography, the FIPS 204 ML-DSA-65 standard, and the records chain together with SHA-3-512 hash-linking into a tamper-evident ledger.

A colossal marble figure of Themis holding upright balanced scales of gold, blindfolded, against a black void in storm light.

Themis weighed the deed before the verdict; attestation signs each action before it runs, not after.

The practical upshot: when a portability request arrives, or a regulator asks who accessed a dataset and why, the answer is a cryptographically signed, offline-verifiable record that predates the event it describes. Brains are revocable. High-stakes actions require multi-brain plus voice-biometric approval before they proceed. The ledger does not depend on our servers, our goodwill, or our continued existence to be checked. That is what data governance looks like when it is engineered rather than promised.

The capability is filed, not merely claimed

We hold 104 filed United Kingdom patent applications, covering about 2,340 claims, owned by Mickai LTD. They read on the machinery that makes this possible: attestation before execution, hash-linked sovereign audit chains, revocable multi-brain approval, offline verification of signed operations. We frame our patents by the capability they contain, not as trophies, because the capability is the point. The Data Act asks for control and evidence. These filings describe the mechanisms that deliver both.

None of this positions us against the public cloud. OpenAI, Microsoft, Amazon Web Services, Google and Oracle are allies, and they occupy a different layer. They serve the vast, elastic, general workloads magnificently. Mickai serves the regulated boundary the public cloud cannot cross on the customer's own terms: the air-gapped floor, the classified network, the jurisdiction that will not let intelligence leave its soil. Two layers, one stack, no conflict.

A colossal marble figure of Atlas bearing a sphere of interlinked golden chains on his shoulders against a black void.

Atlas held the weight in one fixed place; sovereign intelligence carries the load on ground the customer owns.

The bottom line

The EU Data Act answers half the sovereignty question. It gives users the right to reach and move their data, and it dismantles the lock-in that made those rights theoretical. The other half, who owns the intelligence that reads the data, it leaves open. Rent your mind from a hyperscaler and you will forever port the ore while leaving the refinery on someone else's land.

Mickai closes the gap by making the intelligence sovereign: on the customer's hardware, under the customer's keys, every action signed before it runs and provable offline forever. Data rights, portability and territory stop being clauses you hope hold up and become properties of the ground you stand on. Own the intelligence, and the data comes home with it.


Written by Micky Irons. Originally published at https://mickai.co.uk/articles/eu-data-act-and-sovereign-ai. More from Micky Irons and Mickai at mickai.co.uk.

Top comments (0)