Digital sovereignty in Europe is more of a pipe dream than a reality – especially when it comes to sensitive data in the cloud. Microsoft now wants to build trust with its Sovereign Cloud and promises more control, data protection, and transparency. But when it comes to the question of possible U.S. access to European data, it quickly becomes clear that the matter is not entirely sovereign.
What is Microsoft Sovereign Cloud?
With a comprehensive update, Microsoft is significantly expanding its sovereign cloud platform for Europe. The focus is on three new offerings:
- the Sovereign Public Cloud, which will offer stricter access controls and greater transparency in the future;
- the completely new Sovereign Private Cloud, which allows companies and government agencies to operate their data processing under complete control at a location of their choice – whether in local data centers, at partners’ sites, or completely isolated;
- national partner clouds, which complement the offering, such as in cooperation with SAP subsidiary Delos Cloud in Germany.
The group’s goal is to regain trust: The Microsoft Sovereign Cloud is designed to offer European customers more freedom of choice, more control, and greater reliability – especially with regard to data protection and regulatory requirements.
The Sovereign Cloud is Microsoft’s response to growing political and social pressure. In light of ongoing concerns about data protection, transatlantic data transfers, and control over critical IT infrastructures, Europe is looking for ways to become more digitally independent. Microsoft is attempting to address this with a series of technical and organisational measures – albeit within the limits of the existing global cloud architecture. In doing so, the company is taking a different approach from Amazon, for example, which is building a completely new, isolated cloud for sensitive customers in Brandenburg, in eastern Germany.
Sovereignty only up to the U.S. border?
But the promise of digital sovereignty has its limits. Although Microsoft emphasises that data is processed and stored exclusively in Europe, U.S. laws such as the CLOUD Act remain an unresolved problem. Even if access is to be restricted to European employees in the future, access from the U.S. cannot be completely ruled out.
Despite all its assurances about digital sovereignty, Microsoft cannot guarantee that European customer data will never end up in the hands of U.S. authorities. This was confirmed by Anton Carniaux, chief legal officer of Microsoft France, at a hearing in the French Senate on 10 July 2025. The occasion was a request for cooperation with the central procurement agency for the public sector, UGAP, which is responsible for sensitive data from schools, local authorities, and administrations.
When asked directly whether Microsoft would pass on such information without the express consent of the French authorities, Carniaux was unable to give a clear negative answer under oath. The reason is obvious: As long as the U.S. CLOUD Act applies, U.S. companies are obliged to transfer data to the U.S. government in response to legally valid requests – even if this data is physically located in Europe.
Microsoft emphasised that it rigorously reviews such requests and informs customers whenever possible. However, this is also subject to conditions: Notification requires the approval of the U.S. authorities.
Problem: U.S. providers and European data protection
Control therefore lies not with customers, but with U.S. law. This statement has explosive implications beyond France. It raises old questions about the use of U.S. cloud services throughout the EU. Not only Microsoft, but also other hyperscalers such as Amazon and Google are subject to U.S. laws that can effectively undermine European data protection standards.
While Amazon is trying to regain trust with legally isolated subsidiaries, Microsoft is relying on locally installed systems – but still with its own maintenance and support, albeit by staff based in Europe. Whether this is sufficient to ensure sovereignty is doubtful. No wonder, then, that European alternatives such as Nextcloud are enjoying noticeable popularity – especially in the public sector, which is increasingly looking for truly independent solutions.
It remains to be seen whether Microsoft’s approach is sufficient to enable true digital sovereignty. The new features seem well thought out – such as key management by customers themselves or the so-called Data Guardian, which is designed to make data access transparent and controllable. Ultimately, however, the decisive factor will be how much trust European customers place in a U.S. company that continues to be subject to U.S. law.
Conclusion
For companies and public institutions in Europe, Microsoft Sovereign Cloud means above all: more options – but no real independence. The company promises technical measures, greater transparency, and stronger control over data. But as long as U.S. laws such as the CLOUD Act apply, a structural risk remains: The final authority lies not in Brussels or Berlin, but in Washington.
Anyone relying on U.S. cloud services must be aware that sovereignty here is a technical approximation, but not a legally binding status. For the public sector, critical infrastructures, and regulated industries in particular, the question therefore arises as to whether the path taken is sufficient – or whether true digital independence requires European alternatives after all.
Trust alone is not enough. Solutions are needed that also comply with European legal requirements.
