Published on: May 4, 2025 / update from: May 4, 2025 - Author: Konrad Wolfenstein
Data security and digital sovereignty in Europe: Are Microsoft's investments in Europe data-proof? - Image: Xpert.digital
Why the server location does not guarantee data security
Microsoft recently announced extensive investments in Europe, including securing source code in Switzerland and the expansion of its cloud infrastructure. These measures are interpreted as a response to political uncertainties and growing concerns among European customers. Despite these efforts, there is a fundamental conflict between US law and European data protection regulations, which raises the question of whether a European server location can actually offer sufficient protection. This report analyzes Microsoft's assurances for Europe, explains the legal conflict between the US Cloud Act and the GDPR, and examines why the physical location of data alone provides no guarantee of data security and sovereignty.
Microsoft's new digital assurances for Europe
In view of the trade disputes and abrupt political decisions under the Trump administration, many European customers have lost trust in digital products from the United States. Microsoft is responding with concrete assurances and investments in Europe.
Extensive infrastructure investments
Microsoft has announced that it will expand its data center capacity in Europe by around 40 percent over the next two years and extend it to a total of 16 European countries. For this expansion, the company is planning annual investments in the double-digit billions of dollars. These measures are intended not only to meet the growing demand for cloud services and AI infrastructure, but also to strengthen the trust of European customers.
Brad Smith, Justice and President of Microsoft, emphasizes the close economic connection with Europe in his blog post and assures that Microsoft will not withdraw from the region. The European data centers are to operate independently under the direction of EU citizens, with European laws respected and implemented.
Swiss source code security and operational continuity
A particularly notable assurance is the safeguarding of Microsoft's source code in Switzerland. The company creates backups of its source code in secure data storage in Switzerland and grants legal access rights to European partners. This measure serves as a contingency plan for the “unlikely case” that Microsoft should ever be forced to stop its services in Europe.
Microsoft also plans to name European partners and make contingency arrangements intended to guarantee operational continuity. This is already being implemented through partnerships in France and Germany with the Bleu and Delos data centers.
The EU Data Boundary: Microsoft's answer to data protection concerns
A central component of Microsoft's strategy in Europe is the implementation of the so-called EU Data Boundary for the Microsoft Cloud.
Comprehensive data residency within the EU
Since January 2024, European customers from the commercial and public sectors have been able to store and process all their data and user identifiers within the EU for Microsoft's central cloud services, including Microsoft 365, Dynamics 365, Power Platform and Azure services. The third and last phase of the EU Data Boundary was completed in February 2025, extending the boundary to Microsoft Professional Services data from technical support interactions.
With this offer, Microsoft goes one step further than many other cloud providers: the company enables local storage and processing not only of customer data, but also of all personal data, including data that is created automatically.
Additional security options
Microsoft offers European customers several options for securing and encrypting their data. These include confidential computing in Azure, which prevents third parties, including Microsoft itself, from accessing customer data, as well as “Lockbox” functions for Azure, Dynamics 365 and Microsoft 365, with which customers can review and approve requests before Microsoft accesses their data.
Other security options include Azure Key Vault and Microsoft Purview Customer Key, which enable customers to secure their data with self-controlled encryption technology.
The fundamental conflict: Cloud Act versus GDPR
Despite all efforts and assurances, there is a fundamental legal conflict that raises the question of whether the data of European companies are really safe from US providers.
The extraterritorial reach of the Cloud Act
The Cloud Act (Clarifying Lawful Overseas Use of Data Act), which came into force in 2018, enables US law enforcement authorities to force companies based in the United States to grant access to data, regardless of where the data is physically stored. This also applies to data that is stored in the EU but managed by US companies or their subsidiaries.
The law obliges American Internet companies and IT service providers to grant US authorities access to stored data even when the data is not stored in the USA. The companies concerned have a right to object if the owner of the data is not a US citizen and the company would violate the law of another country. However, this applies only to countries that have concluded an agreement under the Cloud Act, which is currently the case only for the UK.
The contradiction to the GDPR
The European General Data Protection Regulation (GDPR) is in direct contradiction to the Cloud Act. Article 48 of the GDPR prohibits companies from transferring data stored within the EU without a mutual legal assistance agreement. A violation of this provision can be punished with fines of up to 20 million euros or four percent of global annual turnover.
This incompatibility between the US Cloud Act and the EU General Data Protection Regulation places companies that use cloud services in an unsolvable dilemma. They are faced with the choice of violating either the Cloud Act or the GDPR, and both can lead to significant sanctions.
Why the server location does not guarantee data security
Contrary to the widespread assumption, the mere fact that data is stored on servers within Germany or the EU does not offer sufficient protection against foreign access.
The fallacy of data security through choice of location
The conviction that data on servers in Germany is automatically protected against foreign access is called a “dangerous error”. Even if personal data is stored in data centers within the European Union, an American cloud provider can be legally obliged to pass this data on to US authorities in the context of criminal investigations.
A specific risk exists in particular if the cloud provider is headquartered or operates in the United States, if data processing runs via US infrastructure, or if a US company has direct or indirect access to the data. In such cases, US authorities may obtain access to personal data, even without the knowledge or consent of the people concerned in Europe.
Threat to intellectual property and business secrets
The problem goes far beyond the protection of personal data. The Cloud Act poses real risks to the security and confidentiality of all types of sensitive data, including intellectual property, R&D prototypes, customer data and private communication.
Even if data is stored in EU data centers, the Cloud Act can force US companies to hand over this data. This not only undermines the protection of the GDPR and the data sovereignty of the EU, but also exposes critical business information, such as prototypes or strategic plans, to the risk of unauthorized access.
Due to the potential access options of US authorities, “companies in fact lose sovereignty over their information and thus over their intellectual property”, which is particularly critical for trade and business secrets.
Solution approaches for more data sovereignty
In view of the problem described, the question arises as to which measures companies can take to protect their data sovereignty.
Alternative cloud providers and technical measures
Effective protection against access based on the Cloud Act is only guaranteed if all providers and sub-service providers operate outside the reach of US law, an exclusively European infrastructure is used, and end-to-end encryption is implemented with the keys under the exclusive control of the user.
Experts therefore recommend taking the following precautions when choosing a cloud storage or backup provider:
- Choosing an EU-based provider that is not subject to the Cloud Act
- Guarantees on data sovereignty under which both the data and the encryption keys remain completely within the EU
- Involving legal and compliance experts who specialize in GDPR and data protection
Alternative approaches: open source as a strategy
Switzerland is taking an interesting alternative path: in April 2023, the Federal Act on the Use of Electronic Means to Fulfil Official Tasks (EMBAG) was passed, which provides that government software must be open source and that its source code should be disclosed.
Professor Dr. Matthias Stürmer from the Bern University of Applied Sciences, who fought for this law, describes it as “a great opportunity for the state, the IT industry and society”. The approach is intended to reduce vendor lock-in for the public sector, enable companies to expand their digital business solutions, and potentially lead to lower IT costs and better services for taxpayers.
The way to real digital sovereignty
Microsoft's investments in Europe and the implementation of the EU Data Boundary are important steps towards more data sovereignty for European companies and public institutions. However, they do not fully address the fundamental legal conflict between the US Cloud Act and the European GDPR.
The mere storage of data on European servers does not offer sufficient protection against potential access by US authorities if the cloud provider is subject to US laws. This not only calls data protection into question, but also threatens the intellectual property and business secrets of European companies.
Real digital sovereignty therefore requires more extensive approaches that take both legal and technical aspects into account. These include the use of cloud services that operate completely outside the reach of US law, consistent end-to-end encryption with user-side key control, and possibly also increased investment in open source solutions.
Ultimately, Europe needs its own independent cloud infrastructure that is sovereign not only technically but also legally. Until then, companies and public institutions have to consider carefully which data they store where and how, and which providers they can trust.