The DIHK Digitalisierungsumfrage 2026, published by the Deutsche Industrie- und Handelskammer and based on responses from nearly 5,000 companies across all industries, contains a number that deserves to be on every CTO's desk and every procurement officer's screen: 53 percent of German companies distrust non-European AI providers. That is not a fringe position. It is a majority — and, the DIHK notes, the highest distrust figure recorded anywhere in the EU.

This is not general technophobia, and the same survey makes that plain. Generative AI is in everyday use: 78 percent of companies already use it to produce text, images, or code, and among active users 41 percent rate its impact on their own productivity as high. German enterprises are not sceptical about AI itself. They are sceptical about who controls the infrastructure their AI runs on, where the data goes when it leaves their premises, and what happens when a foreign government issues a lawful demand for information that German law considers protected. The Bitkom strategy-gap analysis describes the same population from the adoption side; the DIHK adds the sovereignty side.

That scepticism is about to become a procurement filter — but the regulatory clock is more complicated than it looked a year ago. The EU AI Act's obligations for providers of general-purpose AI models have been in force since 2 August 2025, and they are not going away. The deployer and high-risk obligations once pencilled in for 2 August 2026, however, have moved. Under the Digital Omnibus agreed in May 2026, the use-based high-risk obligations of Annex III were deferred to 2 December 2027. The pressure has not disappeared; it has been rescheduled. Companies that read the delay as a reprieve and stop work will find the deadline arriving exactly when they have lost the habit of preparing for it.

The trust gap is a data sovereignty signal

The 53 percent figure does not exist in isolation. The DIHK survey reveals a layered picture of how German companies perceive digital dependency. Fifty percent name data security as a central concern — the second-highest rate in Europe, behind Italy. Roughly half report complete dependence on non-EU countries for core technology such as hardware and operating systems. And legal uncertainty around data use remains, in the DIHK's own framing, the single biggest obstacle to getting value from data at all.

Read those figures together and the pattern is clear. German enterprises are not expressing vague discomfort. They are identifying a specific structural problem: the AI tools they need to stay competitive are overwhelmingly supplied by companies headquartered in jurisdictions whose legal frameworks conflict with European data protection law. The US CLOUD Act, enacted in 2018, allows American authorities to compel any US-headquartered company to produce data it controls, wherever in the world that data is stored. When a Mittelstand manufacturer puts its production-optimisation data, customer records, or proprietary engineering specifications on a platform operated by a US parent, that data is one lawful government order away from disclosure — regardless of which data-centre region was selected at provisioning time.

The sovereign AI analysis examines this jurisdictional conflict in architectural detail. What the DIHK data adds is the demand side of that equation: the majority of German companies already understand the problem. They distrust non-European providers not out of nationalist sentiment but because they have read the legal landscape correctly. The question is what they do about it.

From distrust to decision criteria

Distrust without a decision framework is just anxiety. The DIHK numbers tell us that 53 percent of companies feel the problem. They do not tell us that 53 percent have solved it — and the survey's own finding that only around one in five companies has a defined AI strategy suggests most have not. The gap between recognising a sovereignty risk and acting on it is where most enterprises stall, and where the most consequential platform decisions of 2026 and 2027 will be made.

A practical platform selection framework for the trust gap era rests on four decision criteria that extend the vendor evaluation framework with sovereignty-specific requirements.

Jurisdictional transparency means knowing, for every component in your AI stack, which country's courts have authority over the data. This is not answered by checking the data centre location. It is answered by tracing the corporate ownership chain of every provider in your technology stack. If any entity in that chain is headquartered in, or is a subsidiary of a company headquartered in, a jurisdiction with extraterritorial data access powers — the United States under the CLOUD Act, China under the National Intelligence Law — the data is jurisdictionally exposed. This applies to the model provider, the cloud infrastructure, the orchestration layer, and any third-party service that touches the data in transit. A single non-sovereign link breaks the chain.

Data residency with teeth means contractual commitments backed by technical enforcement. Many cloud providers offer EU data residency as a configuration option. Fewer offer it as a binding contractual obligation with financial penalties for breach. Fewer still implement technical controls — encryption with customer-managed keys, hardware security modules under customer control, jurisdictional access logging — that make the commitment verifiable rather than declarative. When evaluating providers, the question is not whether they offer an EU region. The question is what happens, technically and contractually, when a foreign government issues a data production order.

Operational escape velocity means the ability to migrate away from any provider within a defined timeframe. The self-hosting decision framework introduces this concept as one of three sovereignty properties. In the context of the DIHK trust gap, escape velocity is the insurance policy against regulatory change. If the legal landscape shifts — a new adequacy decision, a new transatlantic data framework, a new enforcement action — enterprises that have built portable architectures can respond. Enterprises locked into a single provider's proprietary tooling cannot. The practical test is simple: could your team migrate the core AI workload to a different provider in 90 days or less without rebuilding the application logic?

Compliance readiness means that every component in the stack can satisfy the documentation, risk classification, and monitoring obligations that the EU AI Act imposes. The EU AI Act compliance guide details these obligations comprehensively. For platform selection, the critical question is whether the provider's architecture supports the compliance workflows you need — audit trails, model versioning, data lineage tracking, human oversight mechanisms — or whether you must build that compliance infrastructure yourself on top of a platform that was not designed for it.

The DIHK's finding that legal uncertainty around data use remains the biggest obstacle to data value deserves closer examination, because legal uncertainty does not just slow adoption — it changes which platforms companies adopt and how they architect their deployments.

When the legal framework is uncertain, risk-averse enterprises — and DACH enterprises are, by global standards, risk-averse — default to the most conservative interpretation. If it is unclear whether a specific data-processing arrangement satisfies DSGVO requirements once a US provider is involved, the conservative response is to avoid the US provider entirely. If it is unclear how the EU AI Act will classify a specific application, the conservative response is to assume the heavier obligations and build accordingly.

That conservatism is rational, because the penalty asymmetry is real. The EU AI Act's top fine tier — up to 35 million euros or 7 percent of global annual turnover, whichever is higher — is reserved for breaches of the prohibited-practice rules under Article 5; other infringements sit at 15 million euros or 3 percent. The DSGVO ceiling is 20 million euros or 4 percent. For a Mittelstand company turning over 100 million euros, a worst-case DSGVO fine is 4 million euros, and the upper AI Act tier reaches 7 million euros. Against numbers like those, the cost of over-compliance — a more expensive but jurisdictionally clean provider, documentation infrastructure that might prove unnecessary, a European model in place of a marginally more capable US one — is trivially small.

Combine that penalty asymmetry with the 53 percent trust deficit and a specific market behaviour becomes predictable: German enterprises will keep favouring European and sovereignty-compliant AI providers, even where the non-European alternative offers better headline performance or a lower price. The trust gap is not irrational. It is the market pricing in regulatory risk.

The capacity problem behind the sovereignty problem

There is a quieter constraint underneath the trust gap, and the survey points straight at it: only around one company in five reports having a defined AI strategy, and the DIHK names the shortage of skilled people as one of the central brakes on progress. Wanting sovereign infrastructure and being able to build it are different things.

For sovereignty-conscious enterprises, the engineering challenge is compounded. Sovereign AI infrastructure — on-premise, on European cloud providers, or in hybrid form — rarely matches the depth of managed services hyperscalers provide. AWS, Azure, and Google Cloud ship integrated toolchains where model hosting, data pipelines, monitoring, and deployment automation are pre-connected. Sovereign alternatives demand more integration engineering, more operational expertise, and more deliberate architectural planning.

This is not an argument against sovereign infrastructure. It is an argument for realistic scoping. The companies that distrust non-European providers and the companies that lack the in-house engineering capacity to replace them are, in many cases, the same companies. The trap is obvious in hindsight: an organisation that cannot build the sovereign alternative defaults to the hyperscaler it already knows, and the sovereignty requirement quietly evaporates under delivery pressure. The way out is not to drop the requirement for convenience. It is to scope deployments to match operational capacity, starting with the workloads where the sovereignty requirement is clearest and the technical complexity is most manageable.

The pattern that works for most DACH enterprises in 2026 is workload-based segmentation. Sensitive workloads — anything involving personal data, regulated data, or proprietary intellectual property — run on sovereign infrastructure. Non-sensitive workloads — development environments, public-facing analytics, anonymised data processing — can run on hyperscaler infrastructure where the managed services genuinely accelerate delivery. The boundary between the two tiers is a data classification decision, not a technology decision. Enterprises that have not completed rigorous data classification are guessing at where the boundary should be — and the DIHK data suggests that a majority of German companies are still guessing.

The deadline moved — the obligation did not

The single most important thing for a procurement officer to understand about the EU AI Act in mid-2026 is that the timeline shifted, and shifted in a way that rewards the disciplined and punishes the complacent. The obligations for providers of general-purpose AI models took effect on 2 August 2025 and remain in force. The use-based high-risk and deployer obligations under Annex III, once due on 2 August 2026, were deferred under the Digital Omnibus agreed in May 2026 to 2 December 2027. The Digital Omnibus changes are worth reading in full, but the headline for platform strategy is simple: you have more runway, not less work.

The GPAI obligations that are already live shape vendor selection today. Providers of general-purpose models must publish sufficiently detailed summaries of their training data, comply with EU copyright law, and maintain technical documentation; providers of models judged to carry systemic risk face additional duties around evaluation, adversarial testing, incident reporting, and cybersecurity. None of that is hypothetical or postponed. For a German enterprise choosing a model today, the question is concrete: can your current or planned provider actually demonstrate compliance with the obligations already in effect? If the model provider cannot produce adequate training-data documentation, the enterprise deploying that model inherits the gap.

This is where the DIHK trust gap meets regulatory reality. The 53 percent who distrust non-European providers now have a framework that validates their scepticism and converts it into documented procurement criteria. "We prefer European providers" is a preference. "Our compliance framework requires documented training-data provenance, EU-jurisdiction processing, and verifiable model evaluation — and Provider X cannot demonstrate these" is a criterion that audit can verify and legal can defend. The sixteen-month deferral to December 2027 is the window in which to build exactly that framework, calmly, before the high-risk obligations land. Enterprises that use the extra time to map their stack against documented criteria will be ready. Those that treat the delay as permission to wait will meet the same deadline with less rehearsal.

What the trust gap means for platform strategy in 2026-2027

The DIHK Digitalisierungsumfrage 2026 is, in part, a sentiment survey. It does not prescribe architecture. But sentiment at this scale — nearly 5,000 companies, majority distrust, the highest reading in the EU — is a leading indicator of procurement behaviour. Here is what the data predicts and how enterprises should position.

European AI model providers will gain share out of proportion to their benchmark numbers. European-origin model providers such as Mistral and Aleph Alpha benefit from the trust gap regardless of where they land on a leaderboard. When a majority of potential customers distrust non-European alternatives, the sales cycle for a European provider shortens and the willingness to accept a performance trade-off rises. Enterprises evaluating models should test European alternatives rigorously rather than dismissing them on general benchmark comparisons — domain-specific performance on German-language, industry-specific tasks often diverges meaningfully from headline scores, and that is precisely where Mittelstand workloads live.

Hybrid architectures will become the default, not the exception. The DIHK data does not suggest German companies will abandon non-European technology wholesale. It suggests they will segment. A majority distrust the provider, yet 78 percent already use generative AI day to day and a sizeable share rate its productivity impact as high. Both things are true at once. The architecture that reconciles them is a tiered model: sovereign infrastructure for sensitive workloads, hyperscaler infrastructure for non-sensitive workloads, and a portable orchestration layer that lets workloads move between tiers as classification or regulatory requirements change.

Vendor evaluation will become a compliance function, not just a procurement function. Vendor selection for AI platforms will increasingly require compliance sign-off alongside technical and commercial evaluation. Procurement teams that judge AI vendors with the frameworks they use for ordinary software licences will miss exactly the jurisdictional, sovereignty, and regulatory risks the DIHK data shows enterprises already worry about. The vendor evaluation framework gives the structure; the compliance dimension now demands equal weight inside it. And because the binding skills shortage the survey records is the very mechanism by which sovereignty requirements get quietly dropped under delivery pressure, closing the trust gap and closing the capacity gap are the same project — pursued through internal capability building or through an operating partnership that brings the sovereign-infrastructure expertise in-house.

Turning distrust into architecture

The DIHK Digitalisierungsumfrage 2026 gives German enterprises something they have lacked in the sovereignty debate: hard numbers. Not consultant projections, not policy aspirations — survey data from nearly 5,000 companies confirming that majority distrust of non-European AI providers is the market reality, not a fringe position.

The enterprises that will navigate this landscape best are not the ones that distrust most loudly. They are the ones that convert distrust into documented decision criteria, apply those criteria consistently across their AI technology stack, and build architectures that maintain optionality as the regulatory and competitive landscape evolves.

The practical next step is a platform sovereignty audit: map every component in your current or planned AI stack against the four criteria — jurisdictional transparency, data residency with teeth, operational escape velocity, and compliance readiness. Identify the gaps. Prioritise the gaps that carry regulatory exposure. And build a migration path for the components that fail the test, starting with the workloads where the sovereignty requirement is clearest.
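As an added illustration of the ownership-chain rule from the jurisdictional transparency criterion and of the audit step described here (example code, not the DIHK's or any vendor's tooling), the following Python script walks each provider's ownership chain, applies the single-non-sovereign-link test, and flags sensitive workloads running on an exposed stack as the gaps that carry regulatory exposure. The provider names, ownership links, workloads and the jurisdiction table are all constructed assumptions.

```python
"""Stack sovereignty audit: walks provider ownership chains and flags sensitive
workloads on jurisdictionally exposed stacks. All data below is constructed."""
from dataclasses import dataclass

# Assumption: jurisdictions named above as having extraterritorial data access
# powers over companies headquartered there.
EXTRATERRITORIAL = {"US": "CLOUD Act", "CN": "National Intelligence Law"}

# Constructed ownership graph: entity -> (headquarters country, parent entity).
ENTITIES = {
    "eu-model-gmbh":   ("DE", None),
    "eu-cloud-sas":    ("FR", None),
    "orchestrate-bv":  ("NL", "orchestrate-inc"),  # EU subsidiary, US parent
    "orchestrate-inc": ("US", None),
    "hyper-eu-region": ("IE", "hyper-llc"),        # EU region of a US hyperscaler
    "hyper-llc":       ("US", None),
}

def ownership_chain(entity):
    """Walk from the contracting entity up to its ultimate parent."""
    chain, seen = [], set()
    while entity is not None and entity not in seen:
        seen.add(entity)
        chain.append(entity)
        entity = ENTITIES[entity][1]
    return chain

def exposure(entity):
    """Single-link rule: the first link in an extraterritorial-access jurisdiction exposes the component."""
    for link in ownership_chain(entity):
        country = ENTITIES[link][0]
        if country in EXTRATERRITORIAL:
            return f"{link} ({country}: {EXTRATERRITORIAL[country]})"
    return None

@dataclass
class Workload:
    name: str
    sensitive: bool   # result of the data classification exercise
    stack: list       # model, cloud, orchestration and other providers

def audit(workloads):
    """A sensitive workload with any exposed component is a priority gap; a non-sensitive one is permitted on that tier."""
    findings = {}
    for w in workloads:
        exposed = [r for r in map(exposure, w.stack) if r]
        findings[w.name] = {"exposed_by": exposed,
                            "priority_gap": w.sensitive and bool(exposed)}
    return findings

SAMPLE = [  # constructed workloads and stacks
    Workload("production-optimisation", True, ["eu-model-gmbh", "eu-cloud-sas", "orchestrate-bv"]),
    Workload("dev-sandbox", False, ["eu-model-gmbh", "hyper-eu-region"]),
    Workload("contract-review", True, ["eu-model-gmbh", "eu-cloud-sas"]),
]
```

Running `audit(SAMPLE)` flags only the production-optimisation workload, because its orchestration layer is an EU-registered subsidiary of a US parent, while the sandbox on a hyperscaler EU region is exposed but not a priority gap.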

The trust gap is real. The GPAI obligations are already live, the high-risk deadline is now December 2027, and the architecture decisions are yours. The runway is the opportunity.

A Fit Call maps your current provider landscape against the four decision criteria — jurisdictional transparency, data residency with teeth, operational escape velocity, and compliance readiness — and pinpoints the gaps that carry regulatory exposure, so you use the runway to December 2027 to prepare rather than to procrastinate.

References: DIHK Digitalisierungsumfrage 2026, Deutsche Industrie- und Handelskammer, 2026 (nearly 5,000 company responses); EU AI Act, Regulation (EU) 2024/1689; EU AI Act Article 99 (penalties); Digital Omnibus on AI — postponed high-risk deadlines, May 2026.