preloader

· aws ai cloud gdpr europe devops

OpenAI’s GPT-5.5 and Codex Land on Amazon Bedrock – But European Teams Face a Data Residency Gap

Source: AWS News Blog

Amazon Bedrock added OpenAI’s three most capable models to its catalogue on June 1, 2026: GPT-5.5, GPT-5.4, and Codex. The launch follows an expanded partnership between Amazon and OpenAI and makes these models accessible through a single AWS interface alongside Anthropic, Meta, Mistral, Cohere, and Amazon’s own Nova series. For engineering teams that already run their infrastructure on AWS, having OpenAI frontier models accessible through Bedrock’s unified API, governance controls, and billing is genuinely convenient.

For European teams, though, the picture is more complicated – and the complication matters from a compliance standpoint.

What is now available on Bedrock

GPT-5.5 is OpenAI’s current flagship model, positioned for the most demanding workloads: complex multi-step reasoning, long-context document analysis, and agentic tasks that require sustained coherent reasoning across many steps. GPT-5.4 offers a better price-to-performance ratio for most production use cases and is the more practical choice for high-volume inference workloads. Codex is OpenAI’s coding-focused agent, available through the Codex App, Codex CLI, and IDE integrations for Visual Studio Code, JetBrains, and Xcode – with all inference routed through Bedrock when accessed through the AWS integration.

Pricing matches OpenAI’s direct first-party rates, and crucially, usage counts toward AWS spend commitments. For organisations with large enterprise discount agreements with AWS, this means they can access the most capable OpenAI models at negotiated rates rather than paying full price directly through the OpenAI API.

AWS confirms that prompts and responses are not used to train models and are not shared with OpenAI. This is significant: it means the confidentiality guarantees of Bedrock’s standard data processing agreement apply to OpenAI model inference, the same as they do for Anthropic or Meta models on the platform.

The European region availability problem

GPT-5.5 is currently only available in the US East (Ohio) region. GPT-5.4 is available in US East (Ohio) and US West (Oregon). Neither model has European region availability at launch.

For European organisations, this creates a concrete legal problem. Under GDPR, transferring personal data to a third country – including to US-based infrastructure – requires one of the lawful transfer mechanisms defined in Chapter V of the regulation. The EU-US Data Privacy Framework (DPF), renewed in 2023, provides a basis for transfers to certified US organisations, and Amazon is certified under it. However, the practical question for each organisation is whether their internal data governance and data processing agreements with AWS explicitly cover transfers of specific data categories to specific regions.

For teams whose AI prompts contain only non-personal data – proprietary code, anonymised documents, internal knowledge base content – the US region limitation is operationally inconvenient but legally straightforward: there is no personal data to protect.

For teams who are sending prompts containing personal data – customer records, HR information, patient data, financial transactions – routing those prompts to a US region creates a transfer that needs to be explicitly covered by your DPA with AWS, verified against your GDPR records of processing activities, and potentially subject to a data transfer impact assessment under Schrems II case law.

For organisations subject to sector-specific data localisation requirements under DORA (financial services) or national implementations of NIS2 (critical infrastructure), the restriction to US regions may make these models operationally unusable for regulated workloads until EU region support arrives.

What AWS Bedrock’s architecture does – and does not – solve

Bedrock’s standard controls – IAM-based access management, AWS PrivateLink for private network routing, CloudTrail audit logging, and model invocation logging to S3 – all apply to OpenAI model calls made through the platform. This is meaningfully better than calling the OpenAI API directly from a European environment without equivalent controls.

However, none of these controls change the fundamental fact that inference compute is occurring in Ohio or Oregon. PrivateLink keeps your traffic off the public internet between your VPC and the Bedrock service endpoint, but the request still terminates in a US AWS region. For the purpose of GDPR data transfer analysis, what matters is where the data is processed, not how it travels there.

AWS has not announced a timeline for making GPT-5.5 or GPT-5.4 available in European Bedrock regions. Given that this is a managed service dependent on OpenAI’s infrastructure agreements with Amazon, the timeline is not entirely within AWS’s control.

The practical decision for European teams right now

There are three realistic positions for European engineering teams considering these models:

If your use case involves only non-personal data, the US region limitation is a practical inconvenience rather than a compliance barrier. You can begin evaluating GPT-5.5 and GPT-5.4 through Bedrock now. The unified governance and billing consolidation are genuine advantages for teams already in the AWS ecosystem.

If your use case involves personal data but you have strong GDPR transfer mechanisms in place, review your AWS DPA to confirm it covers transfers to the Ohio and Oregon regions for AI inference workloads, and document the transfer in your records of processing activities before going to production. This is not an insurmountable barrier, but it is work that needs to happen before production use, not after.

If your organisation has hard data localisation requirements or operates in a sector where regulators have taken a strict position on non-EU processing, defer production use of these specific models until EU region support is available, or consider Mistral AI models on Azure – which do carry EU data residency and are available in European regions today.

What this means for AI model strategy

The launch does clarify one important strategic point: AWS is now a credible single platform for managing a diverse AI model portfolio. The ability to switch between Anthropic Claude, Meta Llama, Mistral, and now OpenAI GPT-5.5 through a single API, with unified logging, access controls, and billing, reduces the integration overhead of using multiple frontier models and gives engineering teams a realistic path to multi-model architectures.

For European organisations, the gap in EU regional coverage for the newest and most capable models remains a recurring pattern. Mistral has EU coverage on Azure. Anthropic Claude models have partial EU coverage on Bedrock. The newest OpenAI models do not yet. This is a live variable in AI model selection decisions that needs to be tracked and revisited as regional availability expands.

If you want help evaluating which AI models are compliant with your GDPR and sectoral obligations, assessing how Bedrock compares to Azure AI Foundry or direct API access for your specific workloads, or documenting AI inference workflows in your records of processing activities, contact Excello Digital. We help European engineering teams build AI architectures that work under both technical and regulatory constraints.

Back to news

We’ll help you resolve your infrastructure challenges

Our team of experts is ready to help you with your infrastructure challenges. We’ll give you honest and personal treatment. Get in touch to learn more.

Get in touch!