Daily Shaarli
October 27, 2025
How do we implement Cross-Region Inference (CRIS) while complying with data protection laws?
Before I answer that question, let me quickly explain how CRIS works and why customers use it.
When you use Bedrock's CRIS, you call a model from a source region (e.g., eu-central-1 aka Frankfurt). Bedrock then routes that request to an optimal destination region - often within the same geography (EU, US, APAC) - based on real-time capacity. Your request travels from source to destination, gets processed, and the result comes back to you. This approach gives you 2x default throughput, resilience against outages, and better availability during traffic spikes.
Here's where the concern kicks in: Many customers hear "your request goes to another region" and immediately think "our data gets distributed across multiple locations." That's the misconception that leads to the compliance question. Let me be direct about what actually happens:
Your prompts and outputs are processed in the destination region, yes. But they're not stored there. They exist in memory only during processing. The moment processing completes, they're gone from that region. Meanwhile, all logs (CloudTrail, Model Invocation Logs, etc.) are persisted only in your source region. Your audit trail stays home. The transit between regions is encrypted across AWS's backbone network.
Suppose you call an EU inference profile in Frankfurt. Bedrock might route it to Paris for processing with single to double-digit milliseconds of network overhead. Negligible compared to LLM processing measured in seconds. That request gets processed in Paris, but nothing persists there. All logs including CloudTrail logs show the request originated from Frankfurt. Your Model Invocation Logs (if enabled) are captured in Frankfurt only. The data story is: processed elsewhere, but stored only at home.
One more compliance detail: geo-tied CRIS profiles are immutable. AWS won't add new regions to the profile next year. The destination region set is fixed, you can document exactly which regions handle your data, and that answer never changes.
How does this get implemented? In a nutshell, all you do is replace your model IDs with the inference profile ID in your code. To implement compliance checks in your AWS landing zone, there is an awesome post by my colleague Arlind Nocaj that gives a detailed walk-through of how to adapt your security policies. And if you are a Swiss customer, there is a great blog post by Christoph Schnidrig, Margo Cronin and Valentin Fluor that lays out the compliance & security details for Swiss customers. For Swiss and EU organizations, the compliance frameworks are established. Switzerland recognizes EU jurisdictions as having adequate data protection.
Sources in the comments.
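A pre-deployment check for the model-ID swap described in the post, as an added example that is not code from the post or from AWS: it flags any configured model reference that is not a geo-tied profile for the allowed geography, and any source region (where the logs persist) outside it. The `<geo>.<model id>` profile ID layout, the region-to-geography mapping, the function names and the sample references are assumptions or constructed values.

```python
import re

# Assumption: a geo-tied profile ID is "<geo>.<model id>"; the prefixes below are
# the geographies the post names (EU, US, APAC). Anything else is not geo-tied.
GEO_PREFIXES = {"eu", "us", "apac"}
# Assumption: geography is inferred from the first token of the region name.
REGION_GEO = {"eu": "eu", "us": "us", "ap": "apac"}
ARN_RE = re.compile(
    r"^arn:aws:bedrock:([a-z0-9-]+):\d*:(inference-profile|foundation-model)/(.+)$")


def profile_geo(model_ref):
    """Return (geo, arn_region); geo is None unless model_ref is a geo-tied profile."""
    match = ARN_RE.match(model_ref)
    region, kind, ident = match.groups() if match else (None, None, model_ref)
    prefix = ident.split(".", 1)[0]
    geo = prefix if prefix in GEO_PREFIXES and kind != "foundation-model" else None
    return geo, region


def check_model_ref(model_ref, source_region, allowed_geo):
    """Return a list of findings; an empty list means the reference passes."""
    findings = []
    geo, arn_region = profile_geo(model_ref)
    if geo is None:
        findings.append("not a geo-tied inference profile")
    elif geo != allowed_geo:
        findings.append(f"profile geography '{geo}' is outside '{allowed_geo}'")
    # Logs persist in the source region, so it must sit in the allowed geography too.
    if REGION_GEO.get(source_region.split("-")[0]) != allowed_geo:
        findings.append(f"source region '{source_region}' is outside '{allowed_geo}'")
    if arn_region and arn_region != source_region:
        findings.append(f"ARN region '{arn_region}' differs from source region")
    return findings


# Constructed sample references (placeholder provider and model names).
SAMPLES = [
    "eu.example-provider.example-model-v1:0",
    "example-provider.example-model-v1:0",
    "us.example-provider.example-model-v1:0",
    "arn:aws:bedrock:eu-west-3:111122223333:inference-profile/eu.example-provider.example-model-v1:0",
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(ref, "->", check_model_ref(ref, "eu-central-1", "eu") or "ok")
```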
When you dive deep on weather forecasting and this xkcd comes up and bridges from pilot training to IT!