AI adoption in German SMEs doubled in 2025: 36 percent of companies with 20 or more employees now actively use AI (previous year: 20 percent). At the same time, almost every second company (48 percent) names data protection as one of the biggest hurdles to AI adoption (Bitkom, September 15, 2025). On top of that comes the works council, which — by the next quarterly meeting at the latest — will ask for an AI agreement under Section 87 of the German Works Constitution Act (§87 BetrVG).
Fail to sort this out now and you'll be building shadow IT instead of AI infrastructure — employees will use their private AI licenses regardless of whether a company ChatGPT already exists or AI is banned outright. In the DACH market, a category term is establishing itself for exactly this gap: the Corporate LLM — an LLM platform combining a compliance stack, an adoption program, and SME-friendly pricing in one.
At a glance: There are four routes to setting up AI in a mid-sized company: AI built into the office suite, a company-owned ChatGPT (API plus your own frontend), self-hosted open source on your own hardware, and a platform like Corporate LLM. Entry costs range from 6,700 EUR per year (office suite) to six-figure TCO (self-hosted).
What is an LLM platform? A definition for the mid-market
An LLM platform bundles four layers into one stack: the language model (inference), the frontend (chat interface, model picker, file upload), a knowledge connection to your own documents (RAG), and a governance layer with a DPA, audit logs, and role-based permissions. The difference from raw LLM API access: the platform is built as a finished product for end users inside the company, not as a toolkit for developers.
In an SME context, that means in practice: employees log in, pick a model, upload documents, and get an answer. Nobody writes Python code first or stuffs an API key into an environment variable. Compliance, scaling, and adoption are built into the platform from day one — not into a separate in-house build.
Which LLM platform for the mid-market? The 4 routes compared
In the DACH market of 2026, all realistic LLM setups fall into exactly four categories. The category determines entry cost, compliance risk, and time to value — and with that, whether the route fits your company at all.
1. Built into the office suite: Microsoft Copilot as an AI license add-on
The AI sits directly in Word, Excel, Outlook, Teams, or Google Docs. No second license island, no new login, no separate training for a standalone tool. Microsoft 365 Copilot is the DACH market standard in this category.
- When it makes sense: Microsoft 365 E3 or E5 is fully licensed, use cases stay within Office documents and email, and nobody in the company insists on multi-provider routing.
- Strengths: deep Office integration, an existing license pipeline, the lowest in-house adoption hurdle (employees already know Word and Outlook).
- Weaknesses: no multi-provider routing (always the same model, regardless of use case), RAG only against SharePoint or OneDrive, and the DPA runs through Microsoft Ireland — often requiring explanation in a compliance audit. Industry-specific agents or custom knowledge hubs are not possible.
2. Company-owned ChatGPT: API plus your own frontend
Direct model access via the provider API (OpenAI, Anthropic, Mistral), combined with a self-operated frontend (LibreChat, OpenWebUI, custom build). You buy inference; the tool is built in-house.
- When it makes sense: a technical team in-house, an appetite for DIY, full control over system prompts and logging desired, and a clearly scoped pilot use case.
- Strengths: token-based pricing (you only pay for active use), maximum flexibility, multi-provider technically possible, no vendor lock-in layer above the model.
- Weaknesses: no onboarding, no compliance bundle, no out-of-the-box RAG, no audit trail. You run the tool and the rollout entirely yourself.
3. Self-hosted / on-premise: open source on your own hardware
Open-weight models (Llama, Mistral, Qwen) run on your own GPU stack with a self-operated inference server. No data leaves the building.
- When it makes sense: defense, pharma, core banking — an absolute air-gap requirement as a regulatory obligation.
- Strengths: no outbound data transfers, full control over models, logs, and updates, no variable costs in the long run (no per-seat fees).
- Weaknesses: six-figure TCO (GPU hardware from 80,000 EUR plus an ML-ops team), model quality on frontier tasks typically one generation behind the proprietary top models (though now comparable for specific tasks, e.g. with DeepSeek V4 Pro), six months of setup time.
4. Corporate LLM: SME platform with a compliance stack and multi-model routing
Corporate LLM is the answer to the gap that categories 1 through 3 leave open: an SME platform with multi-provider routing, RAG, custom agents, a German DPA including a §203 clause, EU hosting as the default for most models, plus structured implementation support as a contractual standard service from 15 seats.
- When it makes sense: for an SME with 30 or more employees and no in-house AI development team.
- Strengths:
  - Adoption as a default service: an onboarding workshop plus adoption coaching for multipliers is available as part of the platform program.
  - Compliance stack out of the box: a German DPA with a §203 clause, EU hosting as the default for most models (non-EU models are permanently flagged in the chat header).
  - Multi-provider routing: the use case determines the model, not the vendor.
  - Custom agents with a skill library: role-specific AI assistants per use case draw on reusable skills, prompts, and knowledge in the team workspace.
- Weaknesses: implementation support only from 15 seats; smaller companies get self-service training videos only.
What does an LLM platform cost for 20 employees? (DACH range, 2026)
The table below compares annual costs for a 20-seat account per category. All figures in EUR.
| Category | Price range, 20 seats / year | EU hosting | German DPA | Multi-provider | Onboarding included |
|---|---|---|---|---|---|
| 1. Built into office suite | 6,700 to 13,000 EUR | Yes (Azure) | Conditional | No | Via Microsoft partner |
| 2. Company-owned ChatGPT | 10,000 to 50,000 EUR based on token use | Conditional | No | Conditional | Your own effort |
| 3. Self-hosted / on-premise | from 80,000 EUR TCO | Yes (internal) | n/a | Conditional | Your own effort |
| 4. Corporate LLM | 5,800 to 9,800 EUR | Yes | Yes (§203) | Yes | Yes |
Recorded May 25, 2026 (as of this article) · Office suite figures are based on Microsoft list prices, the other ranges on Corporate LLM project experience · No guarantee · Pricing subject to change
Four things stand out:
- Price is not the deciding criterion. Categories 1 and 4 overlap at the same level. The question isn't "cheap or expensive" but "Office add-on or standalone AI infrastructure".
- The build effort in category 2 is invisible. Token costs are only the recurring side. Frontend, RAG integration, authentication, and maintenance must be budgeted as separate development effort (50,000 to 100,000 EUR, one-off).
- Compliance costs are invisible too. Category 1 has a "conditional" DPA because it runs through Microsoft Ireland. Category 2 has no DPA at all — you have to negotiate one separately. Both cost lawyer or data protection officer hours that don't appear in the table.
- So are adoption costs. Buying multiplier workshops and adoption coaching externally adds 4,000 to 30,000 EUR on top.
A GDPR-compliant LLM platform: 3 compliance anchors for the mid-market
Whichever category you choose, three compliance anchors must be in place before the first employee logs in.
- A data processing agreement in German. Not US boilerplate with a German translation, but a contract your data protection officer can actually work against. German contracting party, German jurisdiction, sub-processors fully disclosed (every model, every hosting provider, every logging service).
- EU hosting as the default, not an add-on. All prompt, output, and embedding data in the EU.
- A works council agreement on AI use. The works council has a co-determination right under Section 87 of the German Works Constitution Act (§87 BetrVG). Skip this and you risk a preliminary injunction at the first rollout.
For professions bound by confidentiality, a fourth anchor applies: Section 203 of the German Criminal Code (§203 StGB). Professionals subject to statutory secrecy (including tax advisors, lawyers, auditors, physicians, psychotherapists, pharmacists, and notaries) may only run client or patient data through an LLM if the provider has countersigned a confidentiality commitment.
Conclusion: choosing the right LLM platform for the mid-market
The obligation is here. The four routes are clear. What decides 2026 is the choice of a suitable AI infrastructure.
A company-owned ChatGPT works if in-house AI experts shoulder the build themselves. Self-hosted is the hardest route and should only be chosen when compliance strictly requires it.
For SMEs that need GDPR-compliant operations, multi-model routing, and structured adoption support in one platform, we built Corporate LLM.
LLM platform for the mid-market: launch a pilot in 4 weeks
If you're looking for a GDPR-compliant LLM platform and want compliance, workflow, and adoption set up in 4 weeks, the direct route is: create a free account and try Corporate LLM right away.
Frequently asked questions
Which LLM platform fits the German mid-market?
There are four ways to set up an LLM in a mid-sized company: AI inside your existing office suite (e.g., Microsoft Copilot), a company-owned ChatGPT (your own API integration plus your own frontend), self-hosted open source on your own hardware, or an SME platform with built-in expert support like Corporate LLM. Which route fits comes down to three questions: How deeply is Microsoft 365 already embedded, do you have your own change management team, and does Section 203 of the German Criminal Code (§203 StGB) apply? For companies with 30 to 500 employees without a dedicated adoption team and with professional confidentiality requirements, the fourth route is usually the fastest and safest.
Which LLM is GDPR-compliant for German SMEs?
In the B2B mid-market, GDPR-compliant means three things: EU hosting, a data processing agreement (DPA) in German with German jurisdiction, and a works council agreement under Section 87 of the German Works Constitution Act (§87 BetrVG). Whether these three anchors are properly addressed differs markedly by LLM route. Office suite solutions often run through Microsoft Ireland or Google Ireland, company-owned ChatGPT setups need a separately negotiated DPA, self-hosted keeps the contract in-house, and platforms like Corporate LLM deliver it as standard, including a §203 clause.
What does an LLM platform cost per year for 20 employees?
The 2026 DACH range for 20 seats depends on the chosen route. AI built into the office suite runs between 6,700 and 13,000 EUR per year (depending on the Microsoft 365 edition). A company-owned ChatGPT runs 10,000 to 50,000 EUR in ongoing token costs, plus 30,000 to 100,000 EUR in one-off build effort for frontend, RAG, and maintenance. Self-hosted on-premise means six-figure TCO (from 80,000 EUR including GPU hardware and ML ops). Corporate LLM positions itself between 5,800 and 9,800 EUR per year (Business Starter to Business Pro, 20 seats) and includes an onboarding workshop plus adoption coaching. It is the only route where the adoption gap doesn't have to be paid for on top.
Microsoft Copilot or your own LLM platform: what fits the mid-market?
Microsoft Copilot fits if Microsoft 365 E3 or E5 is fully licensed and use cases are limited to Word, Excel, Outlook, Teams, and SharePoint. Your own LLM platform fits if you need multi-provider routing, your own RAG sources, or industry-specific use cases, and if your works council or data protection officer expects a separate German DPA. In SMEs with 30 to 500 employees, a dedicated platform is the more common fit, because M365 is rarely licensed as E3 and Copilot doesn't allow multi-provider routing.
What must a DPA for an LLM contain?
A data processing agreement for an LLM system must cover four points: contracting party and jurisdiction in Germany, a complete sub-processor list (every downstream model, every hosting provider, every logging service), a clear statement on whether inputs are used for training (the industry standard is no training on customer data), and — in professional confidentiality contexts — an explicit §203 StGB secrecy clause. US boilerplate with a German translation will not hold up in an audit.



