Digital sovereignty is high on the agenda of European organizations, but the discussion is more complex than it seems. Microsoft implements sovereignty at four levels, but does that offer a full guarantee?
Geopolitical tensions, new legislation such as NIS2, and the rapid rise of AI are causing companies and governments in Europe to think increasingly critically about whom they entrust with their data. Questions about where data is located, who has access, and who has control are no longer reserved for the public sector, but are also heard more frequently among private companies.
This reality has not escaped Microsoft either. “The trend towards sovereignty can no longer be denied,” says Frank Callewaert, regional CTO for Microsoft in the Benelux, when he receives us at Microsoft’s Innovation Hub, located in the heart of the European quarter in Brussels. “We see geopolitical conflicts all over the world. Companies are wondering how they should deal with them.”
The friction in the relationship between the European Union and the United States is also putting pressure on Microsoft’s position as a public cloud provider. As an American company, can it guarantee sovereignty in Europe? On behalf of Microsoft, Callewaert does not shy away from any question.
Four dimensions
According to Callewaert, there is no simple answer to the question ‘what is sovereignty’. “It is a broad concept: everyone uses their own definition and emphases. Companies must first determine what it means to them. We base ourselves on Gartner’s three categories: data, operational, and technical, and add a fourth dimension to that: cybersecurity.”
“Data sovereignty in itself is not new: the public sector has been asking questions about where data resides since the introduction of the GDPR. The GDPR is still the ‘North Star’ in this discussion. Operational sovereignty means that the customer retains control over their data; technological sovereignty must guarantee that the customer’s data is and remains theirs. Microsoft is merely the ‘processor’ of customer data.”
“We are adding a fourth component ourselves: cyber sovereignty. State actors are particularly active. That is why, for example, we share our security information with the CCB,” says Callewaert.
Legal, technological, and operational
To fulfill those four promises, Microsoft has legal, technological, and operational measures in place. Callewaert: “Every local data center region is organized as a building that is subject to national and European law and falls under the responsibility of a European board of directors. Since September 2025, explicit resilience commitments have been included in our contracts. This is how we are expanding the capacity to ‘Europeanize’ our cloud in Europe end-to-end.”
On a technological level, Microsoft is investing in encryption and access restriction. “The Data Boundary stipulates that data from European customers remains within the EU,” Callewaert continues. “Data is double-encrypted by default, both in storage and in transit. Customers who wish to do so can add extra encryption or manage their own keys. Microsoft administrators then have no access to the keys: the customer bears the responsibility. For many organizations, that will be sufficient, but starting this summer, we are also offering the possibility to store keys on their own hardware.”
Finally, Callewaert points out the operational layer. In data centers, a strict separation between physical and software access to servers is maintained. “Those who see servers physically do not know what is running on them, and vice versa. Every intervention is given a specific task and time limit. When using the so-called ‘lockbox’, customers get access to logs and have an ’emergency button’ to block interventions.”
“A new addition is Data Guardian. Our cloud services are developed globally. We organize support from Europe as much as possible, but it is impossible to have all the knowledge here. Mutual questions between engineering teams are documented and shared with the customer. With international support, someone in Europe is always looking over their shoulder.”
The power of the cloud
According to Callewaert, Microsoft already covers many sovereignty needs with this method. “But there are organizations that seek the ‘extremes’. That is why we are investing again in local alternatives, evolved from hyperconvergence.” An example is Azure Local, which Callewaert describes as a ‘mini-set for Azure on certified hardware’.
“This principle is not new. We were already working on it before sovereignty came to the surface. It offers a good answer for organizations that want to fall back on on-prem. Azure Local offers the possibility to theoretically set up a cloud environment and then cut the connectivity. The worlds of on-prem and cloud are being brought closer together.”
Microsoft is also extending that possibility to its cloud and AI services. It recently introduced the ability to run Microsoft 365 applications locally. Callewaert: “In the past, you lost productivity apps if you moved away from the cloud. We offer an answer to that by making SharePoint, email, and chat available locally. AI Foundry allows customers to use AI models on their own hardware in an identical way to the public cloud. This way, the customer is in control of where their AI models run.”
Callewaert acknowledges that misconceptions about sovereignty are still widespread. “Many companies think they can just move their existing environment. But if you want to run large AI models yourself, you need a lot of hardware. The power of the public cloud is still often underestimated, both for computing power and for security. Many attacks take place on locally hosted environments.”
Cloud Act
Despite all the measures, Microsoft is increasingly facing negative perception. As an American company, it falls under the American Cloud Act: legislation stating that the government can request access to company data, even if it is outside the United States. Callewaert’s French colleagues recently admitted themselves that Microsoft cannot promise ‘full sovereignty’.
Callewaert immediately nuances the impact of the legislation. “The Cloud Act is an instrument with which the government can request access to data outside the US in very limited circumstances, for example, in investigations into serious criminal activities such as terrorism, arms trafficking, or drug trafficking. It is not a wildcard for the government: every request must contain sufficient justification, evidence, proportionality, and specificity for a particular person.”
Microsoft also promises to resist such requests as far as possible. “Our principle is that we do not provide access to customer environments, but as a company, we are not above the law. Every request regarding a European company will be assessed by a team of European lawyers. We then refer the request to the customer. If that is not enough to refuse the request, we look at technical and operational means. In any case, we cannot comply with the request if the customer has their own keys.”
Never in our history have we handed over public sector data to any government.
Frank Callewaert, CTO Microsoft BeLux
“We report on this every six months. In the last six months, out of 168 requests regarding corporate data, 95 were immediately refused. Moreover, only a fraction comes from the US government: we also receive many questions from European countries such as France and Germany. Never in our history have we handed over public sector data to any government,” Callewaert reassures.
A lasting theme
Callewaert expects that sovereignty will not die down anytime soon. He points out three developments that are putting pressure on companies’ data strategies. “Driven by generative AI, the pace of innovation has never been so fast. This applies to both the consumer market and the business world. Organizations don’t want to miss the boat, but those applications need a lot of data. Secondly, there is the legal framework with associated compliance requirements, which can sometimes slow down adoption.”
The third and perhaps most profound evolution is the current geopolitical uncertainty. “The current situation creates questions that might not have been asked before. It is good that companies and governments are concerned with it and dare to question things. Microsoft has not remained deaf to those concerns,” Callewaert concludes.