## 1 What “Agent mode” actually does

GitHub Copilot’s Agent mode lets developers type a high-level goal; the LLM then plans, edits code, invokes tools and loops until tests pass⁴ (learn.microsoft.com). Behind the scenes, Visual Studio, VS Code and Copilot Chat call the same Azure OpenAI endpoint used by Copilot Chat and Copilot for Azure⁵ (learn.microsoft.com).

## 2 Where that inference runs

### 2.1 EU-only datacentre path

On 26 Feb 2025 Microsoft announced the completion of its EU Data Boundary (EUDB) phase 3, adding dedicated GPU clusters in Dublin, Amsterdam, Frankfurt, Berlin, Stockholm and Marseille⁶ (blogs.microsoft.com). GitHub enabled Enterprise Cloud data residency on 29 Oct 2024; repository blobs, pull-request metadata and Actions artefacts now stay in-region⁷ (github.com).

Power Platform guidance makes the rule explicit: _“If your environment is hosted in the EU Data Boundary, we use an Azure OpenAI endpoint in the same boundary.”_⁸ (learn.microsoft.com)

Thus, when your Copilot subscription sits in an EUDB tenant, Agent mode’s prompts, context and inference traffic never cross EU borders.

### 2.2 Cross-region capacity & rare spill-over

Admins can opt in to _Move data across regions_ for burst capacity; doing so lets Copilot route requests to the nearest global GPU farm for latency relief⁹ (learn.microsoft.com). Leave this disabled to preserve EU-only processing.

Microsoft’s EUDB change-log notes that certain pseudonymised identifiers (e.g., Entra ID hashes for abuse monitoring) may replicate to global SOC systems even when data-sharing is off¹⁰ (learn.microsoft.com).

### 2.3 Verifying your tenant

```bash
# confirm GitHub org region
gh org view YOUR-ORG --json location,dataResidency

# check Azure OpenAI region binding
# (publicNetworkAccess sits directly under properties; location is a top-level field)
az cognitiveservices account show -n YOUR-AOAI -g YOUR-RG \
  --query "{location:location, publicNetworkAccess:properties.publicNetworkAccess}"
```

Both commands must show an EU location (e.g. “westeurope”) and Enabled for private network mode.
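The following is an added example, not code from the original article or from Microsoft or GitHub: a Python check run over JSON exported with `az cognitiveservices account list` and `az cognitiveservices account deployment list`. It goes slightly beyond the commands above by also flagging Global deployment SKUs, which can run inference outside the resource's own region; the region allowlist and every resource name in the sample are constructed assumptions.

```python
import json

# Assumption: regions your policy treats as in-boundary. Adjust to your own list.
EU_REGIONS = {"westeurope", "northeurope", "francecentral",
              "germanywestcentral", "swedencentral"}

# Constructed sample, shaped like `az cognitiveservices account list -o json`.
ACCOUNTS = json.loads("""[
 {"name": "aoai-dev",  "kind": "OpenAI", "location": "West Europe"},
 {"name": "aoai-prod", "kind": "OpenAI", "location": "swedencentral"},
 {"name": "aoai-lab",  "kind": "OpenAI", "location": "eastus2"},
 {"name": "vision-1",  "kind": "ComputerVision", "location": "eastus"}
]""")

# Constructed sample: per-account output of
# `az cognitiveservices account deployment list -o json`.
DEPLOYMENTS = {
    "aoai-dev":  [{"name": "chat", "sku": {"name": "Standard"}}],
    "aoai-prod": [{"name": "chat", "sku": {"name": "GlobalStandard"}},
                  {"name": "embed", "sku": {"name": "DataZoneStandard"}}],
    "aoai-lab":  [],
}


def normalise(location):
    """Map 'West Europe' and 'westeurope' to the same key; None becomes ''."""
    return (location or "").replace(" ", "").lower()


def audit(accounts, deployments, allowed=EU_REGIONS):
    """Return sorted (account, finding) pairs for Azure OpenAI resources."""
    findings = []
    for acct in accounts:
        if acct.get("kind") != "OpenAI":
            continue  # other Cognitive Services kinds are out of scope
        name = acct.get("name", "<unnamed>")
        region = normalise(acct.get("location"))
        if region not in allowed:
            findings.append((name, f"region {region or 'missing'} not in allowlist"))
        for dep in deployments.get(name, []):
            sku = (dep.get("sku") or {}).get("name", "")
            # Global* deployment types can run inference outside the resource region.
            if sku.lower().startswith("global"):
                findings.append((name, f"deployment {dep.get('name')} uses {sku}"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit(ACCOUNTS, DEPLOYMENTS):
        print(f"FAIL {name}: {finding}")
```

An empty result means every Azure OpenAI account in the export sits in an allowlisted region with no Global deployment; run it on a schedule and keep the output with your audit evidence.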
## 3 Copilot Agent & the EU AI Act

### 3.1 Regulatory classification

The European Commission classifies Copilot as a GPAI model provider—not a high-risk vertical system. GPAI obligations (articles 52a–52d) start 2 Aug 2025³ (digital-strategy.ec.europa.eu). Brussels reaffirmed last week that there will be no delay to these dates¹¹ (reuters.com).

### 3.2 What Microsoft/GitHub must do

| AI Act article | Obligation | Evidence of fulfilment |
|---|---|---|
| 8 Risk Mgmt | Ongoing red-teaming, bias tests | Microsoft Responsible AI Standard & governance site¹² (microsoft.com) |
| 10 Data & governance | Training-data provenance | Azure OpenAI data-privacy doc¹³ (learn.microsoft.com) |
| 13 Tech docs | System cards & transparency notes | Copilot Transparency Note (June 2025)¹⁴ (support.microsoft.com) |
| 14 Logging | Tamper-proof logs for 30 yrs | EUDB retention policy¹⁰ (learn.microsoft.com) |
| 15 Transparency | User-facing “AI-generated” badges | Copilot UI & docs⁴ (learn.microsoft.com) |
| 16 Human oversight | Accept/undo, diff view | Agent mode tool-approval flow⁴ (learn.microsoft.com) |

### 3.3 What you must do

- DPIA—map personal-data flows for prompts, repo metadata and logs.
- Usage policy—ban Agent mode from generating code for regulated high-risk modules (medical, biometric, etc.).
- Audit & log retention—store Copilot interaction logs in EU for ≥ 10 years (Act Art. 14).
- Human review—enforce pull-request approval and diffs.
- Annual red-team—test Copilot output for security & bias.

## 4 Five-step hardening checklist

| Step | Action | Where |
|---|---|---|
| 1 | Create GitHub Enterprise org in EU region | Admin Center → _Settings ▸ Data Residency_⁷ (github.com) |
| 2 | Disable “Move data across regions” | Azure Portal / Power Platform⁹ (learn.microsoft.com) |
| 3 | Lock Azure OpenAI resource to EU region | `az resource update` with `location="northeurope"` |
| 4 | Enforce branch protection so Agent PRs need review | GitHub → Branch Rules |
| 5 | Document Copilot as GPAI tool in AI register | Include transparency note & system card¹⁴ (support.microsoft.com) |

## 5 Frequently-asked questions

**Does telemetry still leave the EU?**
Only limited, pseudonymised signals (e.g. hashed tenant telemetry) may copy to Microsoft’s global SOC; no code or prompts are included¹⁰ (learn.microsoft.com).

**What about Business Central or Power Platform copilots?**

They follow the same EUDB rule set: if your tenant is in the EU, your prompts stay in EU endpoints¹⁵ (learn.microsoft.com).

**Can I prove the LLM stayed in Europe?**

Azure OpenAI exposes a `callerIpAddress` & region in its activity log that you can export to Sentinel for audit.

## 6 Key takeaways

- Agent mode uses fully EU-resident inference when configured correctly.
- GPAI obligations land 2 Aug 2025—start your policy work now.
- Your most critical levers: tenant location, cross-region switch, branch protection and log retention.

Lock those down today and you’ll ship with Copilot’s productivity boost and a defensible compliance story for regulators and customers alike.