Digital Sovereignty in the Microsoft Azure Cloud: Why It Matters More Than Ever
Erwin Staal & Achille Tuglo

With President Trump back in the White House, the topic of digital sovereignty has returned to the center of political and business debates in Europe. Recent events have shown how dependent Europe remains on non-European hyperscalers such as Microsoft, and how quickly foreign political decisions can affect European institutions. This raises important questions: what does digital sovereignty mean, why is it so urgent today, and how is Microsoft trying to address it in its Azure cloud?
What Is Digital Sovereignty?
Digital sovereignty refers to the ability of a country or region to control and protect its data, infrastructure, and digital systems under its own laws. In practice, this means that data generated within a country’s borders should remain subject to that nation’s legal framework, and foreign governments should not be able to access or manipulate it through their own legal systems.
This idea has gained enormous weight with the rise of cloud computing. Because data is often stored in multiple regions and managed by global providers, questions about who controls it and under what laws have become central to Europe’s digital future (Ryan, 2024).
Why Is Digital Sovereignty a Hot Topic Now?
In recent years, several high-profile incidents have highlighted how dependent European organizations are on foreign cloud providers—and how vulnerable they are to decisions made outside of Europe. These events have transformed digital sovereignty from a theoretical concept into a pressing issue for businesses, governments, and regulators. The combination of legal obligations imposed by foreign governments and the political climate in the United States has only increased the urgency of this debate.
This reveals three kinds of vulnerability: sudden service suspension, political interference, and exposure of even international institutions to U.S. law.
- The Amsterdam Trade Bank (ATB) Case – The “Kill Switch” Fear
In March 2025, Amsterdam Trade Bank (ATB) lost access to its cloud services when Microsoft and AWS were ordered by a U.S. court to suspend operations. The bank was effectively cut off from its IT infrastructure overnight. This created what many in Europe described as a “kill switch” scenario, where U.S. authorities can shut down European services with a single legal order.
- Political Volatility Under Trump
With Donald Trump back in office, European regulators worry about more aggressive use of U.S. legal tools to pressure companies. In response, Microsoft President Brad Smith pledged to challenge in court any order that would force Microsoft to suspend European services. This shows that political changes in Washington can directly shape the risk profile for European users of U.S. clouds.
- The ICC Email Shutdown
A further example came when Microsoft blocked the email account of the International Criminal Court (ICC) Chief Prosecutor in The Hague. This was done to comply with a U.S. executive order. The incident demonstrated that even global institutions are vulnerable to the reach of U.S. law when they depend on American cloud infrastructure.
Taken together, these incidents turned digital sovereignty from an abstract concern into a pressing issue for European regulators and companies. They illustrate that the risks are not theoretical but already affecting critical institutions in practice.
Which Regulations Enable This and What Protects Europe?
To understand the debate on digital sovereignty, we need to look at the legal frameworks that make U.S. authorities powerful abroad and the European rules that try to limit this reach. On one side, U.S. laws give agencies broad extraterritorial rights over cloud providers. On the other side, Europe has created strong privacy and data protection laws, but they cannot always block foreign demands. This legal imbalance is at the heart of Europe’s sovereignty concerns (Blancato, 2024).
U.S. Regulations with Extraterritorial Reach
The Cloud Act is the most direct instrument. It allows U.S. authorities to demand data from American cloud providers, even if the data is stored in Europe. Alongside it, the Patriot Act and FISA Section 702 also allow U.S. agencies to request or intercept data belonging to non-U.S. citizens outside the United States. Together, these laws make sure that any company under U.S. jurisdiction can be forced to hand over information, no matter where it is located.
European Counterweights
Europe has developed its own regulations to protect privacy and reinforce sovereignty. The GDPR places strict conditions on data transfers outside the EU, creating high legal risks for companies that hand over personal data to foreign governments. The E-Evidence Regulation gives EU law enforcement a standardized way to request digital evidence, with safeguards against foreign overreach. In addition, several countries, such as the Netherlands, have passed national security and computer crime laws that control how their own authorities can access data.
The Legal Gap
Despite these protections, none of the European measures can fully block a U.S. request directed at Microsoft, AWS, or Google. The European Data Protection Board (2024) has explicitly stated that transfers of personal data to third-country authorities outside the GDPR framework are unlawful, yet this leaves providers caught between conflicting legal obligations. This gap explains why legal safeguards alone are not enough (ENISA, 2017). As a result, European institutions and companies are increasingly turning toward technical and operational measures to reinforce sovereignty.
What Is Microsoft Doing to Make Azure Safe for European Data?
Since European laws cannot fully block U.S. legal demands, Microsoft has tried to reassure European customers with a set of commitments and technical safeguards. These measures are designed to show that data hosted in Azure can remain under European legal control, even though Microsoft is an American company. The strategy combines three layers: legal promises, operational oversight, and technical controls.
1. European Digital Commitments
In April 2025, Microsoft announced its European Digital Commitments, a package of promises meant to align Azure more closely with European expectations. The commitments include expanding data center capacity across the EU, creating a European oversight board made up only of EU citizens, and guaranteeing that sensitive public-sector and regulated data stays within EU or EFTA borders. Microsoft also pledged to legally challenge any third-country order that threatens European operations and to publish transparency reports about such requests. Together, these steps aim to build trust that European rules, not U.S. demands, will guide Microsoft’s activities in the region.
2. The Sovereign Cloud Family
To match different levels of sovereignty requirements, Microsoft built a family of sovereign options on top of Azure. A Sovereign Public Cloud setup keeps data and most metadata inside the EU and lets customers hold and manage their own encryption keys. For higher-risk cases, a Sovereign Private Cloud approach—often called Azure Local—runs Azure services in a country under local operational control and can even work in disconnected, “air-gapped” mode. In some countries Microsoft also supports partner-operated national clouds, such as Bleu in France with Orange and Capgemini and Delos in Germany with Deutsche Telekom’s T-Systems, which aim at national certifications like SecNumCloud and BSI C5 while still using Azure technology. These options trade some speed and breadth of services for more local control and clearer compliance pathways (Capgemini, 2024; T-Systems, 2022; Michels, 2025).
3. Data Guardian Feature
Operational control also needs verifiable guardrails. Data Guardian is a process and tooling layer that records and governs remote access to European environments. Access by non-EU staff requires advance approval by EU personnel, and all actions are written to tamper-evident logs that customers and regulators can audit. This does not replace encryption or key control, but it gives a clear trail and an approval step when support is needed across borders.
- EU Control of Remote Access
Any remote administrative access by non-European Microsoft personnel must be approved in advance by EU staff.
- Tamper-Evident Logging
All access is logged in a tamper-evident ledger, which can be independently audited by European regulators or customers.
This feature gives European organizations greater transparency and confidence that no unauthorized access occurs behind the scenes.
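To show what an auditor can and cannot verify in a tamper-evident access log of the kind described above, here is an added example; it is not Microsoft's implementation of Data Guardian. The record fields, identities and the hash-chain layout are assumptions made for illustration, and the sample records are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64                 # constructed start value for the chain
EU_APPROVERS = {"eu-approver-a"}   # constructed identity

def _digest(prev_hash, record):
    # Canonical JSON so that a record always hashes to the same value.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(ledger, record):
    """Append a record bound to the previous entry; return the new head hash."""
    prev_hash = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"record": record, "prev": prev_hash,
                   "hash": _digest(prev_hash, record)})
    return ledger[-1]["hash"]

def audit(ledger, eu_approvers, expected_head=None):
    """Return (index, finding) tuples; an empty list means the ledger passed."""
    findings = []
    prev_hash = GENESIS
    for i, entry in enumerate(ledger):
        rec = entry["record"]
        if entry["prev"] != prev_hash or entry["hash"] != _digest(prev_hash, rec):
            findings.append((i, "chain broken"))
        # Policy from the text: access by non-EU staff needs prior EU approval.
        if not rec["operator_in_eu"] and rec.get("approved_by") not in eu_approvers:
            findings.append((i, "non-EU access without EU approval"))
        prev_hash = entry["hash"]
    # A ledger rewritten from some point onward is internally consistent; only
    # a head hash the auditor holds independently exposes it.
    if expected_head is not None and prev_hash != expected_head:
        findings.append((len(ledger) - 1, "head differs from anchored value"))
    return findings

def sample_ledger():
    """Constructed sample records; all field names are hypothetical."""
    ledger, head = [], GENESIS
    for rec in (
        {"operator": "eu-ops-1", "operator_in_eu": True, "action": "restart-vm"},
        {"operator": "support-7", "operator_in_eu": False,
         "approved_by": "eu-approver-a", "action": "read-diagnostics"},
        {"operator": "eu-ops-2", "operator_in_eu": True, "action": "rotate-cert"},
    ):
        head = append(ledger, rec)
    return ledger, head

def rebuilt_with_edit(ledger, index, new_action):
    """Test helper: same records with one action changed and all hashes recomputed."""
    rebuilt = []
    for i, entry in enumerate(ledger):
        rec = dict(entry["record"], action=new_action) if i == index else dict(entry["record"])
        append(rebuilt, rec)
    return rebuilt

if __name__ == "__main__":
    ledger, head = sample_ledger()
    print("clean:", audit(ledger, EU_APPROVERS, head))
    rebuilt = rebuilt_with_edit(ledger, 1, "export-data")
    print("rebuilt, no anchor:", audit(rebuilt, EU_APPROVERS))
    print("rebuilt, anchored:", audit(rebuilt, EU_APPROVERS, head))
```

The rebuilt ledger passes when checked only against itself, which is why the customer or regulator needs to hold the head hash outside the log operator's control.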
Credibility of Microsoft’s Legal Challenges
Microsoft has pledged to legally challenge any foreign government order that could threaten its European operations. This is a strong political signal, but its credibility depends on history. In the Ireland warrant case, Microsoft did contest a U.S. demand for data stored in Dublin all the way to the Supreme Court. The case, however, was overtaken by the passage of the CLOUD Act, which expanded U.S. extraterritorial powers and vacated the earlier ruling. In another instance, Microsoft filed suit against secrecy (gag) orders but dropped the case after the Department of Justice adjusted its policy. These examples show that Microsoft has sometimes fought back, but outcomes often depend on legislative or policy changes outside its control. The pledge is therefore credible as intent but limited as a stable guarantee.
How Azure Services Like Confidential Compute & Azure Local Help
Legal and organizational commitments are important, but they cannot fully guarantee digital sovereignty. To address European concerns more directly, Microsoft has developed a portfolio of technical and operational services that aim to give customers stronger control over their data. These services are grouped under the umbrella of Microsoft Cloud for Sovereignty, launched in 2022, and include Confidential Computing, Hardware Security Modules, and Sovereign Cloud models such as Azure Local, Bleu, and Delos. Together, they demonstrate how technical and operational safeguards complement legal measures in creating a layered sovereignty framework.
Azure Confidential Computing
European regulators recognize that even strong privacy laws cannot fully prevent U.S. extraterritorial claims under the Cloud Act or FISA. This gap highlights the need for technical safeguards that protect data independently of jurisdictional conflicts. Confidential Computing, which shields data during processing through Trusted Execution Environments (TEEs), is one such measure.
Microsoft has rolled out Confidential VMs based on AMD SEV-SNP and Intel TDX in several European regions. As of May 2023, the DCasv5 and ECasv5 VM families were available in West Europe (Netherlands) and North Europe (Ireland), with expansion to Germany West Central and Sweden Central during 2024 (Microsoft, 2024a). In March 2024, Azure Kubernetes Service (AKS) introduced preview support for Confidential Containers in EU regions (Microsoft, 2024b).
Adoption is growing in sensitive sectors. In 2023, a German health-tech consortium tested Confidential VMs for genomic data analysis, while financial institutions in France piloted SEV-SNP workloads to comply with EBA guidelines. Critical infrastructure operators in the Netherlands have explored confidential containers for SCADA telemetry, protecting operational data from insider threats (Akram et al., 2022; ENISA, 2023). Benchmarks, however, show mixed performance: one 2025 study measured 45–70% throughput loss and 20–30% latency increase for GPU inference under confidential mode (Anonymous, 2025).
Compared with competitors, Azure emphasizes VM and container protections. Google Cloud Confidential VMs also rely on AMD SEV-SNP but report lower overhead (<7% in Google tests). AWS Nitro Enclaves isolate applications at the process level, but have memory constraints and require more developer effort. Azure’s differentiator is Kubernetes integration, while Google stresses performance and AWS focuses on enclave isolation.
TEEs, however, do not address metadata sovereignty. Usage and billing data, service logs, and resource descriptors remain outside the enclave, exposing contextual information to providers. For regulators, this is a sovereignty concern, since metadata can reveal patterns as sensitive as the data itself (EDPB, 2024). Mitigations include EU-only logging, customer-managed keys, Private Link to confine telemetry within Europe, and strict access controls such as Microsoft’s Data Guardian.
Confidential Computing is therefore a useful but incomplete safeguard. It protects sensitive data in use, yet must be paired with metadata protections and organizational commitments to deliver sovereignty.
The Role of Hardware Security Modules (HSMs)
Cryptographic key management is another cornerstone of sovereignty. The rule is simple: whoever controls the keys controls the data. Microsoft offers two main HSM-based services in Azure, reflecting different sovereignty models.
Azure Key Vault Managed HSM is a fully managed, multi-tenant service validated at FIPS 140-2 Level 3. It integrates seamlessly with other Azure services, reducing operational complexity but leaving customers partly dependent on Microsoft’s infrastructure.
Azure Dedicated HSM provides physically isolated Thales Luna 7 appliances, where customers hold administrative control and Microsoft operators cannot access devices. As of 2024, this service was available in West Europe, North Europe, and Germany West Central (Microsoft, 2024c). Dedicated HSM offers stronger sovereignty assurances but has limited service integration and higher costs.
Despite their strengths, HSMs are not perfect. Sovereignty depends on where the HSM is physically hosted and how backups are managed. If replication occurs outside the EU, protections weaken. Operational risk is another factor: Dedicated HSM places full responsibility for lifecycle management and key recovery on the customer, and mistakes can cause irreversible data loss (ENISA, 2017; NIST, 2020).
European policy bodies emphasize the importance of key control. ENISA (2023) identifies HSM-backed cryptographic governance as a baseline for sovereign cloud, while ISO/IEC 19790 defines international security requirements for HSMs. Best practices include EU-only deployment, residency guarantees in contracts, and advanced techniques like threshold cryptography, splitting keys across multiple jurisdictions.
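The idea of splitting a key across jurisdictions can be illustrated with Shamir's secret sharing, shown here as an added example that is not taken from any Azure or HSM product. Shamir sharing is the basic building block; full threshold cryptography goes further and performs key operations without ever reassembling the key. The 3-of-5 policy, the jurisdiction labels and the key value are constructed assumptions.

```python
import secrets

P = 2**521 - 1  # Mersenne prime; the field must be larger than the key

def split(secret, threshold, holders):
    """Return {holder: (x, y)} where any `threshold` shares recover `secret`."""
    if not 0 <= secret < P:
        raise ValueError("secret must fit in the field")
    if not 2 <= threshold <= len(holders):
        raise ValueError("need 2 <= threshold <= number of holders")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    shares = {}
    for x, holder in enumerate(holders, start=1):
        y = 0
        for c in reversed(coeffs):      # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        shares[holder] = (x, y)
    return shares

def combine(shares):
    """Lagrange-interpolate f(0) from a list of (x, y) shares."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share")
    secret = 0
    for xj, yj in shares:
        num = den = 1
        for xm, _ in shares:
            if xm != xj:
                num = (num * -xm) % P
                den = (den * (xj - xm)) % P
        secret = (secret + yj * num * pow(den, -1, P)) % P
    return secret

# Constructed example: a 256-bit key and five custodians, one per jurisdiction.
KEY = int.from_bytes(bytes(range(32)), "big")
HOLDERS = ["NL", "DE", "FR", "SE", "IE"]

def recover(shares, cooperating):
    """Combine the shares of the custodians that take part."""
    return combine([shares[h] for h in cooperating])

if __name__ == "__main__":
    shares = split(KEY, 3, HOLDERS)
    print("3 of 5:", recover(shares, ["NL", "FR", "IE"]) == KEY)
    print("2 of 5:", recover(shares, ["DE", "SE"]) == KEY)
```

With fewer shares than the threshold, interpolation returns an unrelated value, so custodians in one or two jurisdictions cannot produce the key on their own.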
HSMs thus strengthen sovereignty by shifting control to customers, but they cannot fully remove extraterritorial exposure. Their effectiveness depends on physical hosting, careful governance, and alignment with European regulatory frameworks.
Azure Local & Sovereign Private Cloud
For Europe’s most sovereignty-sensitive sectors, Microsoft has developed sovereign partnerships and localized deployment models. These go beyond technical assurances by embedding operational control in national hands.
In France, the joint venture Bleu, launched in partnership with Orange and Capgemini, aims to provide Microsoft cloud services fully isolated from global Azure operations and aligned with SecNumCloud certification (Capgemini, 2024).
In Germany, Microsoft and Deutsche Telekom’s T-Systems launched Delos Cloud in 2022. It targets compliance with BSI C5 and alignment with the upcoming EUCS scheme, with a focus on serving the German public sector (T-Systems, 2022; Bertelsmann, 2024).
These models come with trade-offs. Certification slows innovation, meaning sovereign clouds may lag years behind public Azure in new features. Service availability is narrower, often excluding advanced PaaS or AI tools. Costs are higher, with analyst estimates suggesting a 20–40% premium compared to hyperscale regions (Michels, 2025). There is also a risk of fragmentation: multiple national models may overlap with EU initiatives like GAIA-X, complicating Europe’s sovereignty landscape.

Sovereign partnerships such as Bleu and Delos are pragmatic responses to national sovereignty demands. They deliver compliance and operational independence but with costs in flexibility and innovation speed.
Combining Legal, Technical, and Operational Layers
Sovereignty in the cloud cannot be achieved by legal, technical, or operational measures alone. Each plays a role, but only when combined do they provide credible protection.
Microsoft’s legal safeguards—European Digital Commitments, governance boards, and pledges to challenge foreign orders—provide external accountability but risk being symbolic if unsupported. Technical measures, including Confidential Computing and customer-managed HSMs, shield data from unauthorized access but cannot address all metadata or jurisdictional risks. Operational models such as Azure Local, Bleu, and Delos give the strongest assurances but are costly, limited, and slower to innovate.
If one layer is missing, sovereignty weakens: legal safeguards without technical enforcement are symbolic, technical tools without governance are narrow, and operational sovereignty without integration risks fragmentation. The path forward for Europe is therefore not binary but layered, where legal, technical, and operational measures reinforce each other. Only in combination can European institutions claim genuine control over their cloud environments (Blancato, 2024; ENISA, 2023; Michels, 2025).
Conclusion
The debate on digital sovereignty is no longer abstract. Recent incidents, from the Amsterdam Trade Bank shutdown to the suspension of ICC email accounts, show how quickly U.S. legal decisions can disrupt European institutions. At the same time, U.S. laws such as the Cloud Act and FISA continue to give American authorities broad extraterritorial reach. European regulations like the GDPR and E-Evidence Regulation have strengthened privacy and accountability, but they cannot fully prevent foreign demands on U.S. cloud providers.
Faced with this tension, Microsoft has built a multi-layered response. At the legal and organizational level, it has introduced European Digital Commitments and pledged to challenge foreign government orders. At the operational level, it has launched Sovereign Cloud partnerships and oversight mechanisms that place more control in European hands. At the technical level, it offers tools such as Confidential Computing, Hardware Security Modules, and Microsoft Cloud for Sovereignty, all designed to ensure that sensitive data remains protected even when processed in the cloud.
This layered model shows that sovereignty in the cloud is not achieved by a single measure but by combining legal, operational, and technical safeguards. The approach reduces the risks of foreign interference, but it also comes with trade-offs: higher costs, reduced service availability, and slower innovation cycles. For most commercial and public-sector workloads, these safeguards may be sufficient if they are implemented carefully. For mission-critical or national-security workloads, however, only fully sovereign or air-gapped solutions can meet the strictest sovereignty requirements.
Digital sovereignty in Europe therefore depends on balance. Abandoning U.S. hyperscalers entirely is neither practical nor necessary, but relying on them without adaptation is risky. The real path forward lies in using the cloud wisely, with clear attention to sovereignty features and an acceptance that sovereignty comes at a price (Blancato, 2024; Ryan, 2024).
References
Akram, A., Peisert, S., et al. (2022). SoK: Limitations of Confidential Computing via TEEs for High-Performance Compute Systems. University of California, Davis. https://www.cs.ucdavis.edu/~peisert/research/2022-SEED-TEE-SOK.pdf
Anonymous. (2025). Performance of Confidential Computing GPUs: inference workloads under confidential mode. arXiv preprint. https://arxiv.org/html/2505.16501v1
Baldoni, R., & Di Luna, G. (2025). Sovereignty in the digital era: The quest for continuous access to dependable technological capabilities. arXiv preprint. https://arxiv.org/abs/2503.10140
Bertelsmann. (2024, September 24). First sovereign cloud platform for the German administration on the home straight. https://www.bertelsmann.com/news-and-media/news/first-sovereign-cloud-platform-for-the-german-administration-on-the-home-straight.jsp
Blancato, F. G. (2024). The cloud sovereignty nexus: How the European Union may need to choose vendors outside U.S. jurisdiction. Policy & Internet. https://doi.org/10.1002/poi3.358
Capgemini. (2024, January 15). Capgemini and Orange are pleased to announce the launch of commercial activities of Bleu, their future cloud de confiance platform. https://www.capgemini.com/news/press-releases/capgemini-and-orange-are-pleased-to-announce-the-launch-of-commercial-activities-of-bleu-their-future-cloud-de-confiance-platform
Dautov, R., et al. (2019). Federated cloud security architecture for managed key storage. Future Generation Computer Systems, 96, 580–594. https://doi.org/10.1016/j.future.2019.02.007
ENISA. (2023). Cloud cybersecurity market analysis. European Union Agency for Cybersecurity. https://www.enisa.europa.eu/publications/cloud-cybersecurity-market-analysis
European Parliament & Council. (2023). Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data (Data Act). Official Journal of the European Union. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R2854
Feng, Y., et al. (2024). Survey of research on confidential computing. IET Communications. https://doi.org/10.1049/cmu2.12759
Li, L., Lee, R., Zhong, Y., et al. (2024). Blindfold: Confidential memory management by untrusted operating system. arXiv preprint. https://arxiv.org/abs/2412.01059
Michels, J. D. (2025). Sovereign cloud for Europe: Independent research report. Centre for Commercial Law Studies, Queen Mary University of London. SSRN. https://doi.org/10.2139/ssrn.5146122
Microsoft. (2024b). Confidential Containers on AKS (preview). https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-containers
Microsoft. (2024c). Azure Key Vault Managed HSM technical details. https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/managed-hsm-technical-details
Microsoft. (2024d). Azure Local overview. https://learn.microsoft.com/en-us/azure/azure-local
NIST. (2020). Recommendation for Key Management, Part 1 – General (SP 800-57 Rev. 5). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-57pt1r5
Orange & Capgemini. (2022, June 21). Bleu will start engaging with customers by the end of 2022. Orange Newsroom. https://newsroom.orange.com/capgemini-and-orange-announce-that-bleu-will-start-engaging-with-customers-by-the-end-of-2022
Ryan, M. (2024). Will the real data sovereign please stand up? An EU policy perspective. International Journal of Law and Information Technology. https://doi.org/10.1093/ijlit/eaae006
T-Systems. (2022, November 10). Sovereign cloud for Germany: Delos Cloud launched. https://www.t-systems.com/de/en/insights/newsroom/news/t-cloud-cloud-solutions-that-make-europe-more-independent-1090566