The promise of cloud sovereignty
Within the Cloud for Sovereignty program, Microsoft introduced two types of cloud solutions: the Sovereign Public Cloud and the Sovereign Private Cloud. These are designed to keep data entirely within European data centers, operationally managed by European employees, and encrypted using External Key Management (EKM).
For sectors with strict compliance requirements, such as government and healthcare, there are also national initiatives, such as Bleu in France and Delos Cloud in Germany. In these models, regulation is not seen as a limitation, but as a foundation for responsible innovation.
In the second half of 2025, there was a clear acceleration in this trend:
- Microsoft 365 Local became generally available, enabling core productivity services such as Exchange and SharePoint to run locally in an Azure environment.
- Azure Local grew from small-scale clusters to environments with hundreds of servers, including support for SAN storage and advanced AI hardware such as NVIDIA GPUs.
- National cloud initiatives strengthened their collaboration to ensure continuity, even in scenarios with geopolitical pressure on international cloud services.
These developments show that sovereignty within the Microsoft cloud is no longer an abstract ambition, but is being actively realized and reinforced in practice by local partners.
The reality check: French Senate
However, there is also a downside to this story. During a hearing on June 18, 2025, Microsoft France was asked whether the company could guarantee that European data would never be requested by US authorities. The answer was clear and confrontational: no, that guarantee cannot be given.
The reason for this lies in the US CLOUD Act, which can oblige US companies to provide data under certain circumstances, even if that data is physically stored in Europe. Microsoft indicated that it would legally challenge such requests, limit them to what is strictly necessary, and inform customers where possible. To date, there have been no requests for EU data, but legally the possibility remains.
Why this matters to your organization
This statement has reignited the debate on digital sovereignty in Europe. It emphasizes that sovereignty is not only about the physical location of data, but above all about which jurisdiction has access to it.
For public organizations, healthcare institutions, and parties involved in critical infrastructure, this is not a minor detail, but a strategic issue. It explains:
- why European countries are investing in national cloud partners;
- why encryption, governance, and key management are crucial;
- and why contractual and operational safeguards are becoming increasingly important.
In 2026, the legal reality remains unchanged: there is still no law that repeals the extraterritorial effect of the US CLOUD Act, which means that Microsoft cannot give an absolute guarantee that EU data will never be requested by US authorities. At the same time, additional measures have been introduced, such as a European administrative body that supervises all data center operations within the EU, consisting exclusively of EU citizens, and explicit agreements on digital resilience in government contracts.
The European Union also raised the bar with its Cloud Sovereignty Framework (October 2025), which sets out eight specific requirements for sovereign cloud services. It uses a sovereignty score to assess the extent to which services governed by EU law are exposed to foreign legislation such as the CLOUD Act and remain operational in the event of foreign sanctions. This benchmark forces cloud providers, including Microsoft, to demonstrate compliance with European sovereignty requirements in order to continue serving government customers.

Why Microsoft Cloud remains a logical choice
Despite these legal complexities, Microsoft Cloud, and Microsoft 365 in particular, remains a strategic choice for many organizations. Not only because of compliance, but also because of scale, innovation, and security.
- Productivity and integration
Microsoft 365 offers a deeply integrated ecosystem for collaboration, modern workplaces, and AI-driven productivity. - Security and compliance by design
Microsoft invests structurally in security and compliance, with solutions such as Purview, Advanced Threat Protection, and encryption options such as Customer Key, Double Key Encryption, and External Key Management.
The alternative, everything on-premises or in a niche cloud, often leads to higher costs, less innovation, and more complex management.
Which data belongs where? The hybrid strategy
| Category | Features | Recommeded location |
|---|---|---|
| General business data | Low to medium sensitivity, high collaboration requirements | Microsoft 365 in EU regions with EKM, Azure |
| Critical IP or state-sensitive data | High sensitivity, strict jurisdiction requirements | Azure Local or Public Cloud |
| Regulated workloads (health, justice) | Legal obligation for national hosting | National Partner Cloud (e.g. Bleu, Delos) |
Azure Local: bridging the gap between cloud and control
Azure Local offers organizations the ability to combine cloud functionality with local control. The platform provides physical isolation by running workloads in a local environment managed by a trusted partner. At the same time, feature parity is maintained: organizations gain access to Azure services without data leaving the country.
This makes Azure Local particularly suitable for sectors where national legislation requires sovereignty. In combination with Microsoft 365 Local, this creates a hybrid model in which collaboration tools and core applications run in the cloud, while sensitive workloads remain local.
By the end of 2025, Azure Local will have evolved into a more mature platform. It now supports large-scale deployments with clusters of several hundred servers, and organizations can integrate their existing storage solutions via SAN connections and leverage GPU acceleration for AI workloads. Azure Local thus offers not only control and compliance with national regulations, but also the scalability and performance that larger organizations expect.
The practice of sovereign cloud choices
The Microsoft Cloud remains a powerful foundation for most of your digital landscape. By consciously choosing hybrid architectures, with cloud where possible and local control where necessary, you can create a future-proof balance between innovation, compliance, and control.
It is essential to pay attention to risks and the security of your data. Within Azure, you can encrypt all data and manage the encryption keys yourself via Azure Key Vault Premium Hardware Security Modules (HSMs). This allows you to maintain control over your own data and makes it virtually impossible to decrypt it, even when requested externally. This ensures maximum security, compliance, and control without compromising flexibility and innovation.
Architecture as the foundation for data sovereignty
Although Microsoft Cloud is an important building block for many organizations, data sovereignty is ultimately determined by architectural choices, governance, and contractual arrangements, not by a single platform alone.
With in-depth expertise in data sovereignty and the management of business-critical systems and infrastructures, we help organizations design and implement IT landscapes that balance control, continuity, and innovation. The focus is not on the platform, but on the architectural choice that fits your organization’s risk profile and strategic objectives.



