How sovereign is Microsoft Sovereign Cloud really?

Microsoft CEO Satya Nadella this week attempted to address European customers’ concerns about data protection while on Microsoft’s AI ​​Tour in Amsterdam. At the same time, he announced additional features to increase digital sovereignty for companies across Europe. “Microsoft is committed to a model of digital sovereignty that empowers individuals and institutions to work independently, securely, and autonomously,” the US software giant said in a statement.

According to Microsoft, the new features extend sovereignty to all European organizations that use the public cloud while opening up new options for running Microsoft services in sovereign private cloud environments. The Microsoft Sovereign Cloud combines productivity, security, and cloud solutions to give European companies more control.

With the following offers, Microsoft aims to provide its European customers with more sovereignty and control:

• The Sovereign Public Cloud will be offered to all European customers in all of Microsoft’s existing European data center regions. The package includes enterprise services such as Microsoft Azure, Microsoft 365, Microsoft Security, and the Power Platform. In the Sovereign Public Cloud, customer data will remain in Europe and subject to European law, the software giant promises. Operation of and access to the cloud will be solely in the hands of personnel residing in Europe. Furthermore, the Data Guardian feature ensures that only Microsoft employees residing in Europe control remote access to these systems. Customers also have full control over the encryption of their data in the Microsoft Cloud.
• With the Sovereign Private Cloud, Microsoft is going a step further. Customers can run critical collaboration and communications workloads on Azure Local. This combines solutions such as Microsoft 365 Local and Microsoft’s productivity server software into an environment that can run entirely in the customer’s own data center.
• Microsoft is also focusing on partnerships. The US provider plans to cooperate with national partner clouds such as Bleu in France and the Delos Cloud in Germany. There, customers will be able to access features from Microsoft 365 and Microsoft Azure in a standalone and independently operated environment.

For external key management, Microsoft is working with Aachen-based company Utimaco, among others. The joint solution includes Azure Managed HSM (Hardware Security Module) encryption. According to Microsoft, this allows customers to store their data in the cloud encrypted and generate, manage, and securely store the required keys yourself or through local partners.

With the help of an external key manager, such as the Utimaco Enterprise Secure Key Manager (ESKM), European Microsoft customers can also generate keys according to the highest FIPS standards, the company promises. These are secured by an integrated hardware security module that can be obtained as an on-premises appliance or as-a-service.

Microsoft must comply with Trump’s decree

Just a few weeks ago, Microsoft came under fire after the US company allegedly blocked the email account of Karim Khan, chief prosecutor at the International Criminal Court. The reason for this was an executive order sanctions decree by US President Donald Trump, who threatened penalties for anyone who supported Khan financially, materially, or technically. (Microsoft President Brad Smith has since denied that Microsoft cancelled Khan’s account, though a Microsoft representative did admit the account was disconnected.)

This measure further fueled debate on digital sovereignty in Germany. More and more user companies in Germany and Europe are asking themselves to what extent their systems and data in US hyperscaler clouds, such as AWS, Google Cloud Platform, and Microsoft Azure, are still safe.

Such questions are providing reason enough for US cloud providers to be anxious about their business interests in Europe. To counteract this, they are building independent and, in their view, sovereign infrastructures that are technically and organizationally separate from the rest of their public clouds. For example, AWS established a supposedly independent European governance structure for the AWS European Sovereign Cloud at the beginning of June 2025. This includes a dedicated Security Operations Center and the establishment of a new parent company. This will be managed by citizens of European Union (EU) member states and will be subject to local legal requirements, it was stated.

Digital sovereignty: All eyewash?

Axel Oppermann, an analyst at Avispador, is critical of the US vendors’ efforts and describes Microsoft’s promise of sovereignty as an illusion. In a post on LinkedIn, Oppermann argues that sovereignty is being replaced by the appearance of sovereignty — wrapped up in a set of rules that Microsoft itself helps define. “Microsoft continues to control the code base, update cycles, and key mechanisms — even if the server location changes.”

“Sovereignty is simulated, not guaranteed,” the analyst complains. The real shift concerns the frame of meaning. With its infrastructure power and legal precision, Microsoft is transforming “sovereignty” into an operational compliance product. The real effect, from Oppermann’s perspective: “Customer loyalty through complexity reduction — technological dependence is reinterpreted as supposed freedom of choice.”

With its strategy, Microsoft is cementing its maximum market power despite minimal structural concessions, the analyst states. “Europe’s debate about digital sovereignty is not being ignored — it is being absorbed, transformed, and translated into architecture that delegitimizes alternatives before they even emerge.” The result, according to Oppermann, is that those who rely on Microsoft are not just choosing technology — but are choosing against autonomous infrastructures.