Digital Sovereignty in the Microsoft Azure Cloud: Why It Matters More Than Ever
With President Trump back in the White House, the topic of digital sovereignty has returned to the center of political and business discussions in Europe. Recent events have shown how dependent we are on non-European hyperscalers like Microsoft and how quickly foreign political decisions can impact European organizations. But what exactly is digital sovereignty, why is it such a hot topic now, and how is Microsoft addressing these concerns in its Azure cloud?
What Is Digital Sovereignty?
Digital sovereignty refers to a country’s or region’s ability to control and protect its data, infrastructure, and digital systems under its own laws. In practical terms, it means that:
- Data generated within a country’s borders should be stored and processed under that nation’s jurisdiction.
- Foreign governments should not have the power to access or manipulate it through their own legal systems.
This concept has gained enormous importance with the rise of cloud computing, where data is often stored across multiple regions and managed by international providers.
Why Is Digital Sovereignty a Hot Topic Now?
In recent years, several high-profile incidents have highlighted how dependent European organizations are on foreign cloud providers—and how vulnerable they are to decisions made outside of Europe. These events have transformed digital sovereignty from a theoretical concept into a pressing issue for businesses, governments, and regulators. The combination of legal obligations imposed by foreign governments and the political climate in the United States has only increased the urgency of this debate.
1. The Amsterdam Trade Bank (ATB) Case – The “Kill Switch” Fear
In March 2025, Amsterdam Trade Bank (ATB) lost access to its cloud services when Microsoft and AWS were ordered by a U.S. court to suspend its services [1]. ATB became effectively cut off from its IT infrastructure overnight.
This incident sparked alarm in Europe, as it highlighted a “kill switch” risk: U.S. authorities could effectively turn off critical European infrastructure with a single court order.
2. Political Volatility Under Trump
With Donald Trump back in power, European regulators fear a more aggressive use of U.S. legal instruments to influence or pressure companies. Microsoft President Brad Smith has publicly pledged to legally challenge any government order compelling Microsoft to cease European operations [2].
3. The ICC Email Shutdown
In another example, Microsoft blocked the email account of the International Criminal Court (ICC) Chief Prosecutor in The Hague to comply with a Trump-era executive order. This showed how even international institutions are not immune to U.S. political influence over global cloud providers.
These cases have turned digital sovereignty from a theoretical discussion into a business-critical concern for European companies and governments [2].
Which Regulations Enable This and What Protects Europe?
Before diving into technical and organizational safeguards, it’s essential to understand why the U.S. government can exert such influence over European cloud data and what Europe is doing in response. The legal landscape is at the heart of the digital sovereignty debate: while American regulations like the Cloud Act give U.S. authorities broad extraterritorial powers, Europe has its own set of privacy and data protection laws that aim to shield organizations and citizens. However, these protections are not always sufficient, making it crucial to combine legal, technical, and contractual measures.
The U.S. Cloud Act
The Clarifying Lawful Overseas Use of Data Act (Cloud Act) is the main U.S. regulation that enables this reach. It allows U.S.-based cloud providers (such as Microsoft, AWS, and Google) to hand over data, even if it is stored abroad, if ordered by U.S. authorities.
While the Cloud Act is the most direct regulation enabling U.S. authorities to request data stored abroad, it is not the only legal framework. Other U.S. laws, such as the Patriot Act and the Foreign Intelligence Surveillance Act (FISA), also play a significant role in giving American agencies access to data—even if that data belongs to non-U.S. citizens or is stored outside the United States.
- The USA Patriot Act (2001): Originally introduced to combat terrorism after 9/11, the Patriot Act allows U.S. authorities to issue National Security Letters (NSLs) and other subpoenas that compel companies to hand over information relevant to national security investigations. Importantly, U.S.-based companies must comply regardless of where the data is physically stored.
- FISA (Foreign Intelligence Surveillance Act, amended by FISA Section 702): FISA, and especially Section 702, allows U.S. intelligence agencies to collect foreign intelligence information from non-U.S. persons located outside the United States. This law obliges electronic communication service providers (which includes cloud providers like Microsoft, AWS, and Google) to give access to stored communications and data streams.
Together with the Cloud Act, these laws create a legal environment in which U.S. agencies can legally request or intercept data stored on servers anywhere in the world, as long as the provider is subject to U.S. jurisdiction.
European Counterweights
While U.S. laws create broad extraterritorial powers, Europe has developed its own regulatory framework to protect the privacy and sovereignty of its citizens’ data. These counterweights aim to ensure that sensitive information remains under European control, although they cannot always fully prevent U.S. legal demands. Understanding these European safeguards is essential for organizations that need to remain compliant and reduce risk.
- GDPR – General Data Protection Regulation: The GDPR sets strict rules for processing personal data and imposes heavy penalties for unauthorized data transfers outside the EU. Any transfer of personal data to third countries must meet specific adequacy and safeguard requirements. Although GDPR does not directly block U.S. government requests, it significantly increases the legal risk for companies that comply with such demands without proper justification.
- E‑Evidence Regulation: The E‑Evidence Regulation standardizes how law enforcement agencies across the EU can request digital evidence from service providers. Importantly, it includes procedural safeguards to ensure that any data request respects EU privacy principles and prevents foreign overreach. This is Europe’s attempt to create a more controlled and transparent mechanism for cross-border data access.
- National Regulations: Several EU member states, such as the Netherlands, have their own data access laws, including the Intelligence and Security Services Act 2017 (Sleepwet) and Computer Crime Act III. These laws regulate when and how national authorities can access digital data. While they don’t block U.S. demands directly, they set strict standards for lawful access within Europe, reinforcing the principle that European data should first and foremost remain under European legal control.
However, none of these European rules can fully stop U.S. legal demands directed at American cloud providers. This gap is why technical and organizational safeguards, like those introduced by Microsoft, are becoming increasingly important.
What Is Microsoft Doing to Make Azure Safe for European Data?
The legal safeguards provided by European regulations are not always enough to fully protect against extraterritorial U.S. laws like the Cloud Act. To address these concerns and to reassure European governments, businesses, and regulators, Microsoft has introduced a series of legal, operational, and technical measures to strengthen data sovereignty in Europe. These initiatives are designed to ensure that European data remains under European legal control, even when hosted by a U.S.-based company.
1. European Digital Commitments
In April 2025, Microsoft unveiled its European Digital Commitments [3], a set of five promises aimed at building trust and meeting Europe’s sovereignty requirements. Together, they form the foundation of Microsoft’s strategy to align Azure with European regulations and sovereignty expectations:
- European Datacenter Expansion: Microsoft committed to expanding its datacenter capacity in Europe by 40% across 16 countries to meet growing demand and reduce reliance on non-EU regions.
- European Oversight Board: A European Governance Board, staffed exclusively by EU citizens, now oversees the operation of Microsoft’s European datacenters to ensure compliance with EU laws and regulations.
- Data Residency Guarantee: Microsoft guarantees that all customer data of EU public sector and regulated industries stays within EU/EFTA datacenters, unless explicitly requested otherwise by the customer.
- Digital Resilience Commitment: Microsoft pledged to legally challenge any third-country (e.g., U.S.) government orders that could force a shutdown or unauthorized access to European services. Additionally, disaster recovery and source code backup plans have been set up in neutral European jurisdictions (e.g., Switzerland) to ensure service continuity.
- Transparency & Auditability: Microsoft introduced independent audits and transparency reports specifically for its European operations. These reports disclose all third-country data requests, strengthening accountability and regulatory trust.
These five commitments together aim to address the political, legal, and operational concerns raised by European governments and enterprises.
2. The Sovereign Cloud Family
To provide technical and operational safeguards, Microsoft launched its Sovereign Cloud portfolio in mid‑2025 [4]. This is not a single product but a family of solutions designed for varying levels of sovereignty:
- Sovereign Public Cloud: Data and metadata are kept strictly within EU/EFTA borders, operated by EU-based staff only. Customers have full control over encryption keys, ensuring that even Microsoft cannot access the data without explicit permission.
- Sovereign Private Cloud & Azure Local: Designed for highly regulated sectors (e.g., defense, healthcare), this model allows hybrid or fully air‑gapped deployments, operated locally by governments or certified national partners.
- National Partner Clouds: Partnerships with local companies, such as Bleu (France) and Delos (Germany), ensure that some regions operate under national ownership and meet specific certifications like SecNumCloud.
3. Data Guardian Feature
Microsoft also introduced the Data Guardian feature, which provides an additional operational safeguard:
- EU Control of Remote Access: Any remote administrative access by non-European Microsoft personnel must be approved in advance by EU staff.
- Tamper-Evident Logging: All access is logged in a tamper-evident ledger, which can be independently audited by European regulators or customers.
This feature gives European organizations greater transparency and confidence that no unauthorized access occurs behind the scenes.
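What an independent audit of such a ledger involves, as an added example that is not Microsoft's code or ledger format: a hash-chained log is checked for integrity and for the rule that every non-EU access has a prior EU approval. The record fields, region labels and sample entries are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used for the first entry

def entry_hash(prev_hash, record):
    """SHA-256 over the previous entry's hash plus the canonical JSON of this record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(ledger, record):
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})

def audit_ledger(ledger, trusted_head=None):
    """Return findings; an empty list means the chain is intact and every
    non-EU access was preceded by an EU approval for the same request."""
    findings, prev, approved = [], GENESIS, set()
    for i, entry in enumerate(ledger):
        rec = entry["record"]
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, rec):
            findings.append(f"entry {i}: hash chain broken")
        prev = entry["hash"]
        if rec["type"] == "approval" and rec["approver_region"] == "EU":
            approved.add(rec["request_id"])
        elif rec["type"] == "access" and rec["operator_region"] != "EU":
            if rec["request_id"] not in approved:
                findings.append(f"entry {i}: access {rec['request_id']} without prior EU approval")
    # The chain only proves internal consistency. Truncation or a full rewrite is
    # caught only if the auditor holds the latest head hash independently.
    if trusted_head is not None and prev != trusted_head:
        findings.append("ledger head does not match the independently held value")
    return findings

def sample_ledger():
    """Constructed records: one approved access, one unapproved, one by EU staff."""
    ledger = []
    for rec in [
        {"type": "approval", "request_id": "REQ-1", "approver_region": "EU"},
        {"type": "access", "request_id": "REQ-1", "operator_region": "US"},
        {"type": "access", "request_id": "REQ-2", "operator_region": "US"},
        {"type": "access", "request_id": "REQ-3", "operator_region": "EU"},
    ]:
        append(ledger, rec)
    return ledger

if __name__ == "__main__":
    for finding in audit_ledger(sample_ledger()):
        print(finding)
```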
How Azure Services Like Confidential Compute & Azure Local Help
Legal and organizational measures alone cannot fully guarantee digital sovereignty. Technical safeguards are crucial to ensure that data remains protected, even if external legal pressures are applied to cloud providers. Microsoft offers several Azure services designed specifically with sovereignty in mind. Among the most important are Confidential Computing, which secures data even during processing, and Azure Local, which enables air‑gapped or locally operated deployments for maximum control.
Azure Confidential Computing
Confidential Computing encrypts data not just at rest and in transit, but also in use, inside a Trusted Execution Environment (TEE). This means:
- Even Microsoft operators cannot access the data while it’s being processed.
- Customers can use their own keys (via HSMs) to maintain full control.
This is a crucial safeguard against extraterritorial data access requests, because the data is protected even during computation.
However, there are important limitations to consider when adopting Confidential Computing:
- Limited Service Availability: Only a subset of Azure services currently supports Confidential Computing, such as Confidential VMs (based on AMD SEV-SNP or Intel TDX) and certain Azure Kubernetes Service (AKS) workloads. Many PaaS services, databases, and analytics platforms are not yet supported.
- Performance Overhead: Running workloads in a TEE can result in slightly reduced performance due to encryption and isolation overheads, which may not be suitable for high-throughput or latency-sensitive applications.
- Complex Integration: Migrating existing applications to a Confidential Compute model may require code changes or container adjustments to be compatible with TEE-enabled hardware.
Despite these downsides, for workloads that require the highest level of data protection, Confidential Computing provides a unique layer of sovereignty-focused security.
The Role of Hardware Security Modules (HSMs)
To further strengthen sovereignty controls, Azure supports the use of customer-managed Hardware Security Modules (HSMs). HSMs are dedicated, tamper-resistant devices used to securely generate, store, and manage cryptographic keys. By using Customer Managed Keys (CMKs) stored in HSMs, organizations can:
- Ensure that encryption keys never leave European jurisdiction and are not accessible to Microsoft or U.S. authorities.
- Rotate, revoke, or audit key usage independently, giving organizations full lifecycle control.
- Combine HSMs with Confidential Computing to create an end-to-end encryption chain where data remains protected at rest, in transit, and in use.
This approach aligns perfectly with digital sovereignty goals because control over the keys ultimately equals control over the data.
However, there are limitations and considerations when using HSMs for sovereignty purposes:
- Complex Key Management: Managing your own HSMs requires specialized expertise and strict operational processes to avoid accidental key loss or misconfiguration.
- Limited Integration: Not all Azure services fully support Customer Managed Keys (CMKs), which may reduce flexibility in multi-service architectures.
- Cost Overhead: Dedicated HSMs and secure key lifecycle management can be significantly more expensive than relying on Microsoft-managed keys.
- Operational Responsibility: Full sovereignty means the customer, not Microsoft, is responsible for compliance, audits, and key recovery procedures.
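The Data Residency Guarantee and the Customer Managed Keys described above only help if they are actually configured, so this added example (not Microsoft tooling) audits an exported inventory for both. It assumes JSON shaped like the output of `az storage account list` and `az disk list`; the region allow-list is partial and the sample records are constructed.

```python
import json

# Assumption: a partial allow-list of EU/EFTA Azure region names; extend it to your policy.
EU_EFTA_REGIONS = {
    "westeurope", "northeurope", "francecentral", "germanywestcentral",
    "swedencentral", "italynorth", "switzerlandnorth", "norwayeast",
}

# Per resource type: where the key source sits in the CLI JSON, and which
# values mean the key is customer-managed.
CMK_RULES = {
    "microsoft.storage/storageaccounts": (("encryption", "keySource"), {"microsoft.keyvault"}),
    "microsoft.compute/disks": (("encryption", "type"), {
        "encryptionatrestwithcustomerkey", "encryptionatrestwithplatformandcustomerkeys"}),
}

def dig(obj, path):
    """Follow nested keys, returning None if any level is missing."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj

def audit_inventory(resources):
    """Return (name, kind, detail) findings for residency and key ownership."""
    findings = []
    for res in resources:
        name = res.get("name", "?")
        location = str(res.get("location", "")).lower()
        if location not in EU_EFTA_REGIONS:
            findings.append((name, "residency", f"location '{location}' not in allow-list"))
        rule = CMK_RULES.get(str(res.get("type", "")).lower())
        if rule is None:
            # Report rather than pass silently: not every service supports CMK.
            findings.append((name, "unchecked", f"no CMK rule for {res.get('type')}"))
            continue
        path, customer_values = rule
        value = dig(res, path)
        if str(value).lower() not in customer_values:
            findings.append((name, "keys", f"{'.'.join(path)} = {value!r}"))
    return findings

# Constructed sample records, not taken from a real subscription.
SAMPLE = json.loads("""[
 {"name": "stlogsweu", "type": "Microsoft.Storage/storageAccounts", "location": "westeurope",
  "encryption": {"keySource": "Microsoft.Keyvault"}},
 {"name": "stbackupus", "type": "Microsoft.Storage/storageAccounts", "location": "eastus",
  "encryption": {"keySource": "Microsoft.Storage"}},
 {"name": "disk-db01", "type": "Microsoft.Compute/disks", "location": "germanywestcentral",
  "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
 {"name": "app-portal", "type": "Microsoft.Web/sites", "location": "swedencentral"}
]""")

if __name__ == "__main__":
    for name, kind, detail in audit_inventory(SAMPLE):
        print(f"{name:12} {kind:10} {detail}")
```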
Azure Local & Sovereign Private Cloud
Azure Local enables air-gapped or hybrid local clouds hosted in Europe, even fully operated by government or local partner staff. This makes it ideal for state-critical or defense-related workloads that cannot risk foreign interference.
Microsoft positions Azure Local and Sovereign Private Cloud as the highest level of control within its sovereignty offerings. Key characteristics include:
- Local Operations and Staffing: The infrastructure can be fully operated by certified local or national partners, ensuring compliance with strict national sovereignty rules. Microsoft staff have no default access and any support access is controlled through mechanisms like the Data Guardian feature.
- Air-Gapped Deployments: For ultra-secure scenarios, such as military or intelligence use cases, Azure Local can run in disconnected or semi-disconnected modes, allowing organizations to keep sensitive workloads physically isolated from the public internet.
- Support for National Standards: Sovereign Private Clouds are designed to meet specific national certifications and compliance frameworks (e.g., SecNumCloud in France or BSI C5 in Germany).
- Hybrid Flexibility: Organizations can extend existing Azure regions with locally hosted infrastructure, combining cloud scalability with on-premises sovereignty control.
These capabilities make Azure Local and Sovereign Private Cloud particularly suitable for governments, healthcare, finance, and defense sectors where data residency, operational control, and regulatory compliance are non-negotiable.
However, there are also limitations and downsides to consider:
- Higher Costs: Operating local or air-gapped infrastructure often requires significant upfront investment in hardware, facilities, and skilled personnel compared to standard Azure services.
- Limited Service Availability: Not all Azure services are available in air-gapped or local configurations, which may restrict the ability to run complex, multi-service workloads.
- Operational Overhead: With local control comes greater responsibility; organizations or partners must manage updates, patching, and compliance audits themselves.
- Slower Innovation Cycles: Air-gapped and sovereign private clouds may lag behind public cloud regions in receiving new Azure features and updates due to stricter validation and certification processes.
Conclusion
The question at the heart of the digital sovereignty debate is clear: can European organizations safely use Microsoft’s Azure cloud, or should they abandon U.S.-based hyperscalers entirely?
The answer is nuanced. Legal risks remain—U.S. laws such as the Cloud Act, the Patriot Act, and FISA Section 702 continue to give American authorities extraterritorial power over data held by U.S.-based companies, even if it is physically stored in Europe. Incidents such as the Amsterdam Trade Bank (ATB) shutdown and the ICC email block demonstrate that political decisions in Washington can have immediate and severe consequences for European institutions.
However, abandoning Azure altogether is not the only option—and for most organizations, it is neither practical nor necessary. Microsoft has responded to European concerns with a multi-layered sovereignty strategy that combines legal, operational, and technical safeguards:
- Legal & Organizational Commitments: The European Digital Commitments and the pledge to legally challenge third-country orders show Microsoft’s willingness to protect European operations.
- Sovereign Cloud Options: Azure Local and Sovereign Private Cloud allow fully local or air-gapped operations for the most sensitive workloads, meeting national standards like SecNumCloud.
- Technical Controls: Confidential Computing and customer-managed HSMs give customers full control over their encryption keys, making it technically impossible for Microsoft—or U.S. authorities—to access protected data without cooperation from the customer.
Yet, these safeguards come with trade-offs. Sovereign cloud options are more expensive, introduce operational overhead, and are limited in service availability. Confidential Computing, while powerful, is still restricted to specific VM and containerized workloads. Organizations must therefore carefully balance sovereignty requirements, cost, and flexibility.
So, is your data safe in the Microsoft cloud in Europe?
For most commercial and public-sector workloads, yes—if you properly implement the available sovereignty features. Microsoft’s current approach significantly reduces the risk of foreign interference, especially when you control your own keys and choose EU-only data residency. However, for the most sensitive, mission-critical, or national-security workloads, a sovereign private or fully air-gapped solution remains the only way to achieve true digital sovereignty.
In short: Europe does not need to abandon Azure, but it must use it wisely, and sovereignty comes at a price.
[1] Lucas Jellema, “Sovereign cloud: fear of the kill switch” (Medium, 2025)
[2] Atlantic Council, “Microsoft President Brad Smith says the company is committed to safeguarding its operations in Europe…” (2025)
[3] Microsoft, “Microsoft announces new European digital commitments” (April 30, 2025)
[4] Microsoft, “Introducing the Sovereign Cloud family” (June 15, 2025)