In brief
- Three laws stack up on your business AI in Luxembourg: GDPR (data), AI Act (AI system), Cloud Act (US provider).
- AI Act: general applicability on 2 August 2026 (EU Regulation 2024/1689). Article 4 (AI literacy) has been enforceable since 2 February 2025.
- The Cloud Act follows the provider's nationality, not the data centre: hosting in Dublin or Frankfurt does not neutralise a US request.
- A 3-question matrix to qualify your exposure and choose between a DPF-certified US provider, a European actor, or a sovereign private LLM.
Introduction
You run a Luxembourg SME, you have deployed an AI assistant, and three legal texts apply to the same tool: the GDPR since 2018, the AI Act in full application on 2 August 2026, and the US Cloud Act whenever your provider is a US-incorporated company.
This article lays out the three laws side by side and offers a decision matrix. For the definition of each law, see our complete AI legal glossary. No panic, no pitch: facts and four operational decisions.
1. Three laws, one AI tool: the puzzle faced by a Luxembourg executive
A Luxembourg accounting firm equips its junior accountants with an AI assistant such as ChatGPT Enterprise, Microsoft Copilot, or Google Gemini Workspace. The tool handles client documents (therefore personal data) and is presented as hosted in a European data centre. The director believes the firm is GDPR-compliant: EU servers, signed data processing agreement.
Reality is more layered. The same tool is governed by three frameworks: GDPR for the data, AI Act for the AI system, Cloud Act for any access request a US authority might serve on the provider. The Cloud Act follows the provider's legal nationality, not the server's geography.
This stacking is the rule for any SME using an AI assistant based on a US LLM. Unmanaged shadow use (an employee opening consumer ChatGPT) adds another layer, described in our guide on unmanaged consumer AI in the workplace.
2. What each law does, in one sentence per text
GDPR (2018): protects personal data, everywhere
The GDPR (EU Regulation 2016/679) has framed the processing of EU residents' personal data since 25 May 2018. It applies as soon as personal data is processed, regardless of the tool. The CNPD (Luxembourg data protection authority) is the national supervisor.
AI Act (2024): governs the AI system according to its risk
The AI Act (EU Regulation 2024/1689) entered into force on 1 August 2024. Article 4 (AI literacy) and the prohibited practices have been enforceable since 2 February 2025, and the obligations on general-purpose AI models since 2 August 2025. The bulk of the text, including the high-risk regime for Annex III systems, applies from 2 August 2026; high-risk systems that are safety components of products covered by Annex I legislation have until 2 August 2027. The text classifies systems into 4 risk categories (official timeline).
Cloud Act (2018): grants jurisdiction to US authorities
The Cloud Act (H.R.4943), signed on 23 March 2018, allows US authorities to compel a provider subject to US jurisdiction to disclose data in its possession, custody or control, regardless of where that data physically resides (Paperjam analysis, in French). US incorporation is the simplest test, not the only one: a non-US provider with a substantial US presence can also fall within reach.
💡 Good to know: none of the three laws overrides the others. They stack up as soon as an AI tool processes personal data via a US provider.
3. The conflict of laws that catches SMEs: GDPR vs Cloud Act
A US provider ordered by a US authority to hand over data is caught in a vice: the Cloud Act compels disclosure, while the GDPR prohibits transferring the data to the United States without appropriate safeguards, and Article 48 GDPR only recognises a foreign court order or administrative decision if it rests on an international agreement such as a mutual legal assistance treaty. LexisNexis describes this case as a structural conflict of laws (in French).
The answer runs through the Data Privacy Framework (DPF), the EU adequacy decision of 10 July 2023 that authorises transfers to certified US companies (CNPD file, in French). The DPF legalises the transfer on the EU side; it does not protect against a US request served on the provider.
A US AI provider can therefore be GDPR-compliant (via the DPF) and exposed to a Cloud Act request. For ordinary processing, this stacking is acceptable. For sensitive processing (health, legal, financial, parapublic), it warrants specific analysis, detailed in our article on the real location of AI data.
Simon Dumontel, a Luxembourg lawyer quoted in Paperjam in April 2026, recalls that "the Cloud Act does not give US authorities a blank cheque to access data without any condition" (translated from French). The jurisdiction is extraterritorial but framed, not an open door; the exposure is nonetheless real.
4. Where the AI Act adds to the equation
The AI Act does not erase the GDPR or the Cloud Act. It adds a third set of obligations, focused on the AI system itself: documentation, transparency, human oversight, traceability, AI literacy. These obligations stack up on the GDPR, they do not replace it.
Article 4 of the AI Act has been enforceable since 2 February 2025 (source). The high-risk regime for Annex III systems applies from 2 August 2026. For the operational checklist, see our AI Act SME Luxembourg 100-day guide. In Luxembourg, draft law n° 8476 designates the CNPD as the reference authority for the AI Act, on top of its GDPR role (K&L Gates analysis, Luxembourg government position, in French).
Key point: an AI system can be fully GDPR and DPF compliant while being AI Act non-compliant if documentation, transparency, and staff training are not organised.
[Figure: concentric rings diagram of a business AI tool surrounded by GDPR, AI Act and Cloud Act obligations, with the three key dates 2018, 2024 and 2026.] Three frameworks apply simultaneously: GDPR (data), AI Act (AI system), Cloud Act (US provider).
5. The 3-question decision matrix
To qualify an AI tool's exposure, three questions are enough. The answers stack up.
[Figure: vertical 3-question decision tree (EU personal data, AI Act risk category, US provider) to qualify a business AI tool's exposure in Luxembourg.]

| Question | If yes | If no | Action |
|---|---|---|---|
| Q1. Personal data of EU residents? | GDPR in scope: record of processing (Art. 30), DPIA where required (Art. 35), provider DPA (Art. 28). | Out of GDPR scope (rare). | Map inbound and outbound data. |
| Q2. AI Act risk category? | AI Act in scope: documentation, transparency, AI literacy, CE marking if high risk. | Minimal risk (light regime, AI literacy still applies). | Classify each use into one of the 4 categories. |
| Q3. Provider subject to US jurisdiction (US-incorporated or US parent)? | Cloud Act applicable: a Chapter V transfer tool is required (DPF certification, or SCCs plus a transfer impact assessment), and sovereignty must be arbitrated. | Cloud Act out of scope. | Verify DPF coverage or arbitrate based on sensitivity. |
Yes to all three (the common case for ChatGPT Enterprise, Copilot, Gemini Workspace): the three frameworks apply. Yes to Q1-Q2, no to Q3: you step out of the Cloud Act scope, typical of a European provider or a private LLM hosted by a non-US actor.
For a law firm or a notary office, this qualification is a priority: see our lawyers and notaries and accountants and fiduciaries pages.
6. Why a sovereign private LLM simplifies all 3 frameworks
A private LLM hosted in Europe by a non-US actor does not remove the GDPR or the AI Act, it simplifies them by removing the Cloud Act variable. Three structural factors.
- Control of the path: with model and data on European infrastructure operated by a European entity, the GDPR audit becomes direct, with no cascading subcontracting (the CNPD documents its obligations on international transfers, in French).
- Logging: the AI Act requires traceability; a private LLM allows logs to be stored on the client's own infrastructure without depending on a third party.
- Legal jurisdiction: a European actor is outside the Cloud Act scope, so the structural exposure disappears.
Detailed reasoning in our use case on protecting your data with private AI.
7. The 4 decisions to take this week
Four decisions to take right now, in order.
- Map the AI tools in use. Official, unofficial, browser extensions, AI embedded in Microsoft 365 or Google Workspace.
- Identify each provider's legal nationality. For EU subsidiaries of US groups, analyse the parent company for Cloud Act purposes: the subsidiary's EU incorporation does not remove the parent's exposure to a US request.
- Verify DPF certification for critical US providers in the public registry of the US Department of Commerce, and check that the certification covers the entity you contract with and the data you entrust. Plan an exit path in case of suspension or invalidation.
- Plan the sovereignty arbitrage before 2 August 2026. For each sensitive tool: keep the DPF US provider, switch to a European one, or move to a sovereign private LLM.
For public and parapublic entities, add a fifth decision: check whether the NIS2 perimeter is engaged, in which case cyber obligations stack on top.
Conclusion: sovereignty is a calculation, not a speech
AI Act, Cloud Act, GDPR: three laws, one AI tool. The three frameworks are independent, they stack up, they do not substitute for each other. To stay compliant before 2 August 2026, qualifying your exposure to all three is the only serious approach.
For some uses, a DPF-certified US provider is enough. For others, infrastructure sovereignty is the only clean exit. See why LetzAgents supports Luxembourg SMEs and mid-caps with a free AI audit.
Before 2 August 2026, a structural audit prevents unpleasant surprises.
FAQ: your questions on AI Act, Cloud Act and GDPR
1. Does the Cloud Act apply to a Luxembourg SME?
Not directly: it applies to its providers that are subject to US jurisdiction. As soon as your AI assistant relies on a US vendor, the data entrusted is potentially accessible to US authorities via a Cloud Act request, even with a European data centre. The arbitrage happens at provider level, not at territory level.
2. What is the difference between the AI Act and the GDPR?
The GDPR (EU Regulation 2016/679, applicable since 2018) governs personal data. The AI Act (EU Regulation 2024/1689, general applicability on 2 August 2026) governs AI systems by 4 risk categories. The two stack up. The CNPD is the Luxembourg national authority for both under draft law n° 8476.
3. My US AI provider has a data centre in Europe, is it subject to the Cloud Act?
Yes. The Cloud Act (H.R.4943, 23 March 2018) follows the provider's legal nationality, not the server location. A US-incorporated provider with a data centre in Dublin or Frankfurt remains bound to execute a valid US request. Simon Dumontel, quoted in Paperjam (April 2026), reminds: framed extraterritorial jurisdiction, not immunity.
4. Who supervises AI compliance in Luxembourg?
The CNPD has been the national authority for the GDPR since 2018 and is designated as the reference authority for the AI Act under draft law n° 8476. For regulated financial entities, the CSSF adds DORA supervision. For the Cloud Act, no Luxembourg authority supervises: verification goes through provider mapping.
5. Is the Data Privacy Framework certification enough on sensitive data?
The DPF (EU adequacy decision of 10 July 2023) authorises EU transfers to a certified US provider, for the entities and data categories listed in its certification. It does not neutralise the Cloud Act. For ordinary processing, the DPF is enough. For legal, medical, financial, or parapublic processing, a private LLM hosted by a non-US actor is often the clean exit. The DPF remains under European judicial scrutiny.