
Secure cloud and digital sovereignty in Europe: Are Microsoft's investments in Europe data-secure?


Why server location offers no guarantee for data security

Microsoft recently announced significant investments in Europe, including storing backup copies of its source code in Switzerland and expanding its cloud infrastructure. These actions are interpreted as a response to political uncertainties and growing concerns among European customers. Despite these efforts, a fundamental conflict remains between US law and European data protection regulations, raising the question of whether a European server location can truly provide sufficient protection. This report analyzes Microsoft's assurances for Europe, explains the legal conflict between the US CLOUD Act and the GDPR, and examines why the physical location of data alone guarantees neither data security nor sovereignty.


Update July 21, 2025:

Microsoft's new digital assurances for Europe

In light of the trade wars waged under the Trump administration and sudden political decisions, many European customers have lost confidence in digital products from the US. Microsoft is responding with concrete commitments and investments in Europe.

Extensive infrastructure investments

Microsoft has announced plans to expand its data center capacity in Europe by approximately 40 percent over the next two years, extending it to a total of 16 European countries. The company plans to invest tens of billions of dollars annually in this expansion. These measures are intended not only to meet the growing demand for cloud services and AI infrastructure, but also to strengthen the trust of European customers.

Brad Smith, Vice Chair and President of Microsoft, emphasizes in his blog post the company's close economic ties to Europe and assures readers that Microsoft will not withdraw from the region. The European data center operations are to be overseen by a European board of directors made up of European nationals and operating under European law.

Swiss source code backup and business continuity

One particularly noteworthy assurance is the backup of Microsoft's source code in Switzerland. The company stores backup copies of its source code in a secure repository in Switzerland and grants European partners legally binding rights to access it. This serves as a contingency plan for the "unlikely event" that Microsoft should ever be forced to discontinue its services in Europe.

Microsoft also plans to designate European partners and put contingency plans in place to guarantee business continuity. This is already being implemented through the sovereign cloud partnerships in France (Bleu, a joint venture of Orange and Capgemini) and Germany (Delos Cloud, a subsidiary of SAP).

The EU Data Boundary: Microsoft's answer to privacy concerns

A key component of Microsoft's strategy in Europe is the implementation of the so-called "EU Data Boundary" for the Microsoft Cloud.

Comprehensive data residency within the EU

Since January 2024, European customers in the commercial and public sectors have been able to store and process their customer data and pseudonymized personal data for Microsoft's core cloud services (Microsoft 365, Dynamics 365, Power Platform, and Azure services) within the EU and the EFTA region. In February 2025, the third and final phase of the EU Data Boundary was completed, extending the boundary to professional services data from technical support interactions.

With this offering, Microsoft goes a step further than many other cloud providers: The company enables not only the local storage and processing of customer data, but also of all personal data, including data from automatically generated system logs.

Additional security options

Microsoft offers European customers several options for securing and encrypting their data. These include Azure Confidential Computing, which runs workloads inside hardware-based trusted execution environments so that data stays encrypted while in use and neither other tenants nor Microsoft operators can read it (this covers only the workloads deployed onto those enclave-capable instances, and the guarantee rests on the CPU vendor's attestation), and Customer Lockbox for Azure, Dynamics 365, and Microsoft 365, which lets customers review and approve each request by a Microsoft support engineer to access their content. Lockbox is a control over operational support access, not over legally compelled disclosure, which Microsoft handles through a separate law-enforcement request process.

Other options are Azure Key Vault and Microsoft Purview Customer Key, which let customers hold and manage the keys that encrypt their data at rest. These are service-side controls: Microsoft's services still use those keys to decrypt content in order to process it, so a customer-managed key lets a customer revoke access (making the stored data unreadable to the service) but does not keep plaintext out of the provider's hands while the data is being processed. Only client-side encryption, where data is encrypted before it reaches the cloud and at least one key never leaves the customer's control (for Microsoft 365, Double Key Encryption is the offering built on that principle), removes the provider from the trust path.

The fundamental conflict: CLOUD Act versus GDPR

Despite all efforts and assurances, a fundamental legal conflict remains, raising the question of whether the data of European companies is truly secure with US providers.

The extraterritorial scope of the CLOUD Act

The CLOUD Act (Clarifying Lawful Overseas Use of Data Act), enacted in 2018, amended the US Stored Communications Act so that US law enforcement can compel providers subject to US jurisdiction to produce data in their possession, custody, or control regardless of where that data is physically stored. This covers data held in EU data centers by US companies and by their EU subsidiaries.

The law thus obliges American internet companies and IT service providers to give US authorities access to stored data even when it is not stored in the US. A provider may file a motion to quash an order if the customer is not a US person and does not reside in the US, and disclosure would create a material risk of violating the laws of a "qualifying foreign government"; that statutory route is open only to countries that have concluded a CLOUD Act executive agreement with the US, which at present are the United Kingdom and Australia. No EU member state has such an agreement.

The objection to the GDPR

The European General Data Protection Regulation (GDPR) stands in direct tension with the CLOUD Act. Under Article 48 GDPR, a judgment or administrative decision of a third country requiring a controller or processor to transfer or disclose personal data is recognised or enforceable only if it is based on an international agreement, such as a mutual legal assistance treaty, in force between that country and the EU or a Member State. Complying with a CLOUD Act order outside such an agreement is an unlawful transfer, punishable by fines of up to €20 million or four percent of the company's global annual turnover, whichever is higher.

This incompatibility between the US CLOUD Act and the EU General Data Protection Regulation (GDPR) puts companies using cloud services in an impossible dilemma. They are faced with the choice of either violating the CLOUD Act or the GDPR, both of which can lead to significant penalties.


Why server location offers no guarantee for data security

Contrary to popular belief, the mere fact that data is stored on servers within Germany or the EU does not provide sufficient protection against foreign access.

The misconception of data security through location choice

The belief that data on servers in Germany is automatically protected from foreign access is considered a "dangerous misconception." Even if personal data is stored within data centers in the European Union, a US cloud provider may be legally obligated to disclose this data to US authorities as part of criminal investigations.

A specific risk exists particularly if the cloud provider is headquartered or operates in the USA, data processing takes place via US infrastructure, or a US corporation has direct or indirect access to the data. In such cases, there is a possibility that US authorities could gain access to personal data, even without the knowledge or consent of the data subjects in Europe.

Threat to intellectual property and trade secrets

The issue goes far beyond the protection of personal data. The CLOUD Act poses real risks that also jeopardize the security and confidentiality of all types of sensitive data, including intellectual property, R&D prototypes, customer data, and private communications.

Even if data is stored in EU data centers, the CLOUD Act can compel US companies to hand over this data to US authorities. This not only undermines the protections of the GDPR and the EU's data sovereignty, but also exposes critical business information, such as prototypes or strategic plans, to the risk of unauthorized access.

Due to the potential access possibilities of US authorities, “companies de facto lose control over their data and thus over their intellectual property”, which is particularly critical for trade and business secrets.

Solutions for greater data sovereignty

In light of the problems described, the question arises as to what measures companies can take to maintain their data sovereignty.

Alternative cloud providers and technical measures

Effective protection against CLOUD Act access exists only when all providers and sub-processors operate outside US jurisdiction, an exclusively European infrastructure is used, and end-to-end encryption with key control solely on the customer's side is implemented. The last point matters even with a US provider: a provider that holds only ciphertext, and never the keys, can comply with an order only by handing over data that is unreadable without the customer's cooperation, which in turn makes the key material the critical asset to keep inside the EU.

Experts therefore recommend taking the following precautions when choosing a cloud storage or backup provider:

  • Choosing an EU-based provider that is not subject to the CLOUD Act
  • Guarantees of data sovereignty, where both the data and the encryption keys remain entirely within the EU
  • Consulting legal and compliance experts specializing in GDPR and data protection
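The client-side key control that this list (and the caveat about service-side customer keys under "Additional security options") calls for, shown as an added example that is not Microsoft's or the page's own code: a key-encryption key (KEK) held by the customer wraps a fresh per-object data-encryption key, and only the wrapped key plus the ciphertext is handed to the provider. The envelope layout, the object name and the sample document are assumptions constructed for the example; it uses the Go standard library's AES-256-GCM and leaves where the KEK lives (an on-premises HSM or an EU-only key service) to the caller.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the only thing that leaves the customer's environment and is
// handed to the storage provider. Without the key-encryption key (KEK), which
// stays with the customer, nothing in it yields plaintext. (Layout is assumed.)
type Envelope struct {
	ObjectName string // stored in clear, but bound into both AEAD tags as AAD
	WrapNonce  []byte // nonce used when wrapping the DEK under the KEK
	WrappedDEK []byte // per-object data-encryption key, AES-256-GCM under the KEK
	Nonce      []byte // nonce used for the object ciphertext
	Ciphertext []byte // AES-256-GCM ciphertext of the object, tag appended
}

// newGCM builds an AES-256-GCM AEAD; anything but a 32-byte key is rejected.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic("crypto/rand unavailable: " + err.Error()) // no safe fallback exists
	}
	return b
}

// Seal encrypts an object on the client before upload. A fresh DEK per object
// means a GCM nonce is never reused under the same key, and the object name as
// AAD stops a stored envelope from being silently served under another name.
func Seal(kek []byte, objectName string, plaintext []byte) (*Envelope, error) {
	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, fmt.Errorf("kek: %w", err)
	}
	dek := mustRandom(32)
	dekAEAD, _ := newGCM(dek) // cannot fail: dek is exactly 32 bytes
	aad := []byte(objectName)
	env := &Envelope{
		ObjectName: objectName,
		WrapNonce:  mustRandom(kekAEAD.NonceSize()),
		Nonce:      mustRandom(dekAEAD.NonceSize()),
	}
	env.WrappedDEK = kekAEAD.Seal(nil, env.WrapNonce, dek, aad)
	env.Ciphertext = dekAEAD.Seal(nil, env.Nonce, plaintext, aad)
	return env, nil
}

// Open reverses Seal. Anyone holding the envelope but not the KEK, whether the
// provider or an authority compelling the provider, fails at the unwrap step.
func Open(kek []byte, env *Envelope) ([]byte, error) {
	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, fmt.Errorf("kek: %w", err)
	}
	aad := []byte(env.ObjectName)
	dek, err := kekAEAD.Open(nil, env.WrapNonce, env.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	dekAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	pt, err := dekAEAD.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return nil, fmt.Errorf("decrypt object: %w", err)
	}
	return pt, nil
}

func main() {
	// Constructed sample: a customer KEK and a made-up R&D document.
	kek := mustRandom(32)
	env, err := Seal(kek, "rd/prototype-v3.pdf", []byte("constructed sample: prototype drawings"))
	if err != nil {
		panic(err)
	}
	pt, _ := Open(kek, env)
	fmt.Printf("customer with KEK: %q\n", pt)
	// The provider, or an authority it is compelled to answer, holds only env.
	_, err = Open(mustRandom(32), env)
	fmt.Println("provider without KEK:", err)
}
```

Running the file prints the round-tripped sample for the customer and an authentication-failure error for the party that holds only the envelope. What the example deliberately does not solve is key management: the KEK has to be generated and kept on infrastructure outside US jurisdiction, and every client that needs the data must be able to reach it, which is exactly the operational burden that service-side customer keys take away at the price of provider access to plaintext.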

Alternative approaches: Open-source as a strategy

Switzerland is taking an interesting alternative approach: the Federal Act on the Use of Electronic Means for the Performance of Government Tasks (EMBAG), passed in 2023 and in force since January 2024, requires the federal administration to release the source code of software it develops or has developed for it as open source, unless third-party rights or security considerations prevent it.

Professor Dr. Matthias Stürmer of Bern University of Applied Sciences, who championed this law, describes it as “a great opportunity for the state, the IT industry, and society.” The approach aims to reduce vendor lock-in for the public sector, enable companies to expand their digital business solutions, and potentially lead to lower IT costs and better services for taxpayers.

The path to true digital sovereignty

Microsoft's investments in Europe and the implementation of the EU Data Boundary are important steps towards greater data sovereignty for European companies and public institutions. However, they do not fully address the fundamental legal conflict between the US CLOUD Act and the European GDPR.

Simply storing data on European servers does not provide sufficient protection against potential access by US authorities if the cloud provider is subject to US law. This situation not only calls data protection into question but also threatens the intellectual property and trade secrets of European companies.

True digital sovereignty therefore requires more comprehensive approaches that consider both legal and technical aspects. These include the use of cloud services that operate entirely outside the scope of US law, consistent end-to-end encryption with user-side key control, and potentially increased investment in open-source solutions.

Ultimately, Europe needs its own independent cloud infrastructure that is not only technically but also legally sovereign. Until then, companies and public institutions must carefully consider what data they store, where and how – and which providers they can trust.


Konrad Wolfenstein

I and my team are happy to be available to you as your personal advisor.

You can contact me by filling out the contact form here or simply call me at +49 7348 4088 965. My email address is wolfenstein@xpert.digital.

I'm looking forward to our joint project.
