Microsoft met Europe digital pledges; sovereignty doubts persist

Microsoft published a one-year progress review of the digital commitments it made to Europe, reporting investments, new data protections and expanded cybersecurity support while noting remaining questions about data sovereignty and the U.S. Cloud Act.

The company reported multi-billion euro investments in Portugal, Norway and the United Kingdom to expand cloud and AI infrastructure and place capacity closer to European customers.

Microsoft outlined partnership agreements designed to maintain operational continuity and provide sovereign cloud services. Those include a European resiliency partnership with Delos Cloud, a strategic deal with Capgemini to offer managed sovereign cloud services, and work with Accenture to design and implement sovereign cloud and AI solutions.

On developer access, Microsoft said about 25 million European developers are active on GitHub and that Microsoft Foundry expansions provide access to roughly 11,000 AI models on its platforms.

The company described several data protection initiatives. Microsoft launched the Defending Your Data Initiative and said it follows an EU Data Boundary that covers storage and processing of European customer data. The Data Guardian program requires remote access by Microsoft engineers to European customer data to be approved and monitored by personnel based in Europe. Microsoft also wrote that it has added contractual assurances, closer partnerships with European providers, and expanded customer support.

Microsoft described expanded cybersecurity support under a free European Security Program available to governments across the UK, the EU, EFTA countries and EU accession states. The company reported providing threat intelligence, election protection and efforts to disrupt attacks targeting European governments, companies and citizens, and helping move critical data and services to secure data centers since the start of Russia’s full-scale invasion of Ukraine.

The review also addressed unresolved questions about data sovereignty. Microsoft acknowledged in a past court hearing that it “cannot guarantee” data sovereignty for French customers if the U.S. government demands access under the Cloud Act. Regulators and industry groups have debated continued reliance on U.S. cloud providers. The European Commission included non-European cloud providers in some digital sovereignty contracts, and an industry group introduced a framework for enterprises to validate whether services meet sovereign requirements.

Samer Abu-Ltaif, president of Microsoft EMEA, and Jeff Bullwinkel, vice president and deputy general counsel for Microsoft EMEA, wrote that the commitments are intended to let Europe use global technology at scale under European rules and that Microsoft will continue consulting policymakers, regulators, customers and partners and adapt where its offerings do not meet European requirements.