Microsoft Races To Reassure Anxious Tech Execs In Europe
Increasing geopolitical volatility has characterized the last three years in Europe and has now reached new heights, with ongoing disputes on US tariffs and possible EU retaliation measures hitting US big tech – including hyperscalers. European technology leaders worry about the potential consequences of these actions, from higher costs to service availability and other disruptive effects. The latest blog from Microsoft’s Vice Chair & President Brad Smith tries to reassure these tech executives of Microsoft’s commitment to supporting its European customers, promising digital sovereignty, respect for privacy and local laws, and its contribution to strengthening cybersecurity in the region. But in doing so, it also highlights how vulnerable the IT backbone of many European organizations is to shifting political winds. Here is what Microsoft is committing to do and what tech executives should watch out for.
Expanding Data Center And Sovereign Cloud Capacity
According to Brad Smith’s blog, Microsoft is committing to: 1) increase its European datacenter capacity by 40% over the next two years, 2) complete its sovereign cloud offering in Germany (France already being available), and 3) offer support to European cloud providers to host Microsoft applications and services on their local cloud infrastructure.
Each of these measures has its own caveats for European tech executives: 1) increasing data center capacity expands Microsoft’s footprint but does not make European organizations less vulnerable to ongoing geopolitical volatility, 2) Microsoft’s sovereign cloud offerings in France and Germany are well architected but leave organizations in other European countries short of similar sovereign options, and 3) making Microsoft’s applications and services available on European vendors’ local cloud infrastructure solves a competition problem in the infrastructure space but does not help reduce European dependence on non-sovereign solutions.
Pursuing Litigation To Protect Customers’ and Other Stakeholders’ Rights
The blog also considers the unlikely scenario that a government asks Microsoft to suspend or cease cloud operations in Europe. Microsoft stated its determination to stand by its customers and use all legal avenues available, including by pursuing litigation in court. It’s not just words, but a new European Digital Resilience Commitment. In fact, the hyperscaler will include new clauses in all of its contracts with European national governments and the European Commission to make this promise binding.
Despite the unlikelihood of this scenario, it’s one that many European technology executives and their risk leaders are considering. Microsoft’s decision to talk about it explicitly and to make resisting it a binding commitment helps to partially reassure these customers. But it also inevitably confirms that the risk, albeit remote, exists.
Protecting The Personal Data Of Europeans
Microsoft has long committed to protecting the personal data of Europeans through different measures, including: 1) giving customers control over where their data is stored and processed, how it is secured, and making it clear when Microsoft can access it, 2) implementing the EU Data Boundary project, which effectively extends the scope of data residency safeguards, and 3) limiting the ability of third parties—including Microsoft—to access customer data by ensuring data is processed within a trusted environment, through a Confidential Compute offering in Azure.
Preventing unauthorized access and ensuring compliance with data residency requirements are points of tension for all US organizations operating in Europe. Ultimately these US organizations, like their Chinese counterparts, could be forced to grant their government access under their local laws, such as:
- Stored Communications Act and Cloud Act. The Stored Communications Act (‘SCA’) governs law enforcement access and grants American courts and regulators the power to issue production orders to cloud providers targeting customer data. The US CLOUD Act amends the SCA by clarifying that such orders apply to any data held by a US cloud provider, regardless of data location. This has been a major point of concern for European organizations for years, and now gains new resonance from ongoing US-EU disputes.
- Foreign Intelligence Surveillance Act. The Foreign Intelligence Surveillance Act (‘FISA’) governs access for intelligence purposes. Section 702 grants the National Security Agency (NSA) the power to issue production orders to cloud providers targeting customer data. FISA directives also apply to data that a US cloud provider stores in Europe. US law prohibits cloud providers from publishing details of directives in their transparency reports. This makes it much harder to assess the frequency of such access – and therefore to even assess the risk FISA directives pose to European data.
Microsoft’s initiatives for protecting European customers’ privacy are a step in the right direction. But they do not solve the tension between the demand of European customers to ensure that their data is protected at all times against any form of unauthorized access and the obligation of US hyperscalers to obey their national laws. European technology leaders worried about unauthorized access to their data by a foreign government should take note that these measures help mitigate – not remove – the risk.
Appointing A New Deputy CISO For Europe
Microsoft announced a new Deputy CISO for Europe as part of the Microsoft Cybersecurity Governance Council, dedicated to Microsoft’s security responsibilities in Europe. The Deputy CISO for Europe will be accountable for compliance with current and emerging cybersecurity regulations in Europe, including the Digital Operational Resilience Act (DORA), the NIS 2 Directive, and the Cyber Resilience Act (CRA). Having a dedicated Deputy CISO for Europe is a further signal of Microsoft’s attention to European organizations’ unique requirements. It also highlights how compliance with local norms needs more and more local context and local resources. For governments, banks, telcos, and utilities in Europe, having a person in the region with accountability shows intent and that Microsoft is taking these mandates seriously. Yet this is not a silver bullet. Unless this Deputy CISO has real authority over Microsoft’s security architecture and incident response in Europe, it might be a layer of PR and not power. There is skepticism that the appointment might be more about optics and public relations than substantive change.
Providing A Variety Of Models For AI And Public APIs
No technology blog in 2025 can ignore the importance of AI, and Brad Smith’s is no exception: it reinforces the point that the Azure AI platform and infrastructure is open to a variety of models, both proprietary and open-source, such as those from European-based AI developers Mistral and Hugging Face. Furthermore, thanks to public APIs, European customers can choose which models to use and where to build their AI-powered solutions, be it on Azure, in another public cloud, or their own datacenter.
Today’s leading tech companies began by targeting specific niches but have grown to dominate the global digital economy. The variety of models to choose from and the availability of multiple deployment options for AI-powered solutions strengthen Microsoft’s AI value proposition for its European customers and underline the importance of having sovereign and open-source options to reduce dependence and vendor lock-in.
Reach out to Forrester to schedule an inquiry to help guide your sovereign cloud infrastructure initiatives or to dig into Microsoft’s initiatives for Europe.