"In a time of geopolitical volatility, we are committed to providing digital stability."
We’ve committed to a number of changes to our European cloud operations, strengthening the nexus between Microsoft and Europe and helping European countries better manage risk. Going forward, Microsoft’s European datacenter operations and boards will be overseen by a European board of directors that consists exclusively of European nationals and operates under European law. We’ll also include a “Digital Resilience Promise” in all our contracts with European national governments and the European Commission to contest any order to cease providing cloud services in Europe. In the unlikely event that such an order were ever issued, we commit to working with European partners to ensure the continuity of cloud operations in Europe.
We’ve announced plans to increase our European datacenter capacity by 40% over the next two years, doubling our European capacity between 2023 and 2027.
To strengthen Europe’s cybersecurity, we’ve appointed a dedicated Deputy Chief Information Security Officer (Deputy CISO) for the region, accountable for compliance with critical regulations such as DORA, NIS2, and the Cyber Resilience Act (CRA).
To empower customer choice, drive innovation, and nurture a vibrant technology ecosystem across Europe, we’ve prioritized open-source interoperability. Microsoft supports more than 1,800 AI models, including prominent European open-source models, such as those from Hugging Face and Mistral. These open platforms enable your European business or startup to innovate rapidly, efficiently adopt emerging technologies, and remain globally competitive in an increasingly AI-driven economy.
We have the most comprehensive cloud footprint in Europe, with datacenter regions across the continent to support local data residency and resiliency. This includes multiple regions in EU member states and EFTA countries, such as France, Germany, Norway, Switzerland, Ireland, the Netherlands, and Poland (among others). Azure is organized into regions that consist of multiple datacenters and Availability Zones.
Store and process your customer data within EU/EFTA regions with our EU Data Boundary. This is a formal commitment covering Azure, Microsoft 365, Dynamics 365, and Microsoft Power Platform services to keep customer content, personal identifiers, and even support data inside datacenters in Europe. By bolstering data protection and user trust, this initiative aligns with European digital values and gives you greater control and transparency over where your data resides, minimizing unnecessary data flows outside Europe.
You have additional options if you have comprehensive data residency requirements and wish to keep your Microsoft 365 data within national boundaries. For local regions launched prior to 2022, including France, Germany, Norway, Sweden, Switzerland, and the United Kingdom, core data residency commitments for Exchange Online, OneDrive for Business, SharePoint Online, Microsoft 365 Copilot, and Microsoft Teams are provided through the Microsoft 365 product terms. For local regions launched after 2022—and for earlier regions where additional workload coverage is desired—the Microsoft 365 Advanced Data Residency add-on offers committed data residency to a specific local datacenter region and expanded coverage of Microsoft 365 workloads and customer data, as well as prioritized tenant migration services.
Protect your data not only at rest and in transit, but also while in use in the cloud. Azure Confidential Computing uses hardware-based trusted execution environments (TEEs) to create encrypted enclaves for workloads. Data in memory is encrypted and isolated to prevent Microsoft or any third party from accessing it during processing. Azure confidential VMs and containers use specialized chips, including Intel SGX, Intel TDX and AMD SEV-SNP), to enforce this “lockbox” around data. This means sensitive workloads—such as personal data and proprietary algorithms—can run in Azure without being accessible to the cloud provider. When you encrypt data in use, you are better able to meet stringent privacy requirements and help mitigate insider or outsider threats, enabling cloud adoption for highly sensitive or regulated data.
Increase your cloud innovation and agility in Europe with additional sovereign controls, governance tools, and guidance for government and regulated customers. Built on the Azure public cloud, Cloud for Sovereignty is a configuration approach that helps clients deploy workloads on Azure while meeting country-specific compliance, security, and policy requirements. It offers a “sovereign landing zone” with Azure policies, blueprints, and guardrails that keep data within chosen regions, enforce encryption, and increase operational transparency. This allows public sector organizations to access hyperscale services in Azure—including broad developer tools, AI, and analytics—while maintaining greater control over data location, administrative access, and auditing.
A joint venture between Orange and Capgemini, Bleu is a “cloud de confiance” operated under French law and oversight. It will offer a broad range of Microsoft Azure and Microsoft 365 cloud services, run exclusively by a French company and personnel from datacenter regions located in France. Bleu will provide modern cloud capabilities that meet the unique security, resiliency and sovereignty needs of the French government and critical infrastructure customers. Bleu will obtain SecNumCloud certification (the French government’s security standard) to validate its controls.
A sovereign cloud for Germany under an agreement between Microsoft and Delos Cloud (an SAP subsidiary) will offer a broad range of Microsoft Azure and Microsoft 365 cloud services, run exclusively by a German company and personnel from datacenter regions in Germany. Like Bleu, it is independent from Microsoft’s global cloud while using Azure technical architecture, thereby combining trusted local operation with state-of-the-art cloud functionality. Delos aims to help German federal, state, and local agencies move to the cloud in a way that fully complies with Germany’s strict data sovereignty and IT security requirements.
We want to demonstrate to our European customers that we are committed to providing digital stability even at times of geopolitical uncertainty. By offering additional digital commitments, we further ground our customer relationship in trust and show our steadfast support and leadership by building on our robust portfolio of sovereignty offerings.
Microsoft customers in Europe don’t need to take any action—and can take advantage of the comprehensive set of capabilities available now from our European hosted cloud regions. Microsoft’s Digital Resilience Commitment is being incorporated in contracts with European national governments and the European Commission to make this commitment legally binding on Microsoft Corporation and all its subsidiaries.
There are many sovereignty capabilities already available in Europe. Microsoft Cloud for Sovereignty is currently available in all Azure regions to help government and regulated customers in Europe, and worldwide, deploy Azure with sovereignty features enabled. In addition, the EU Data Boundary for the Microsoft Cloud was fully implemented in February 2025 and Microsoft 365 Advanced Data Residency is currently available in France, Germany, Italy, Norway, Poland, Spain, Switzerland, Sweden, and the UK, with future local region geographies coming for Austria, Denmark, and Greece. We will continue to expand our cloud services and notify customers when available.
Microsoft believes that most customers' sovereignty requirements can be met through our public cloud offerings as we’ve built a robust set of sovereignty capabilities in Azure, including the European Data Boundary, the Microsoft Cloud for Sovereignty, and Confidential Computing. That list now includes our commitment to provide a set of European partners with the rights to use our code if ever needed to ensure operational continuity. Bleu and Delos Cloud, on the other hand, are separate instances of Microsoft cloud services that run in sovereign cloud datacenters that are operated by independent local partners in France and Germany, outside of the public cloud. They are intended for certain customers who meet eligibility criteria and need to satisfy specialized national requirements, such as operating under the local partners' control and meeting France's SecNumCloud requirements and Germany's cloud platform requirements.
We announced last year that ensure open access to our AI and cloud platform for a variety of business models, both open source and proprietary, and will continue to expand on these commitments in the coming months.
We provide extensive third-party assurances through compliance certifications and independent audits. Our commercial cloud offerings have one of the broadest compliance portfolios in the industry—more than 100 compliance offerings globally, audited by independent third parties. Microsoft undergoes regular assessments for standards like ISO/IEC 27001 (information security management), ISO/IEC 27017 (cloud security), ISO/IEC 27018 (cloud privacy), as well as SOC 1, SOC 2, SOC 3 attestations by independent auditors. In Europe, Azure has been certified for schemes such as the Cloud Computing Compliance Controls Catalogue (C5) in Germany and is compliant with EU regulations, such as GDPR, with audit reports available on the Microsoft Trust Center. Microsoft publishes audit reports and compliance documentation on its Service Trust Portal for customers to review. These third-party audits verify that Azure controls operate effectively and that you inherit a secure, compliant cloud platform.
Our end-to-end resilience strategy—spanning an unparalleled global infrastructure, fault-tolerant service architecture, and robust disaster recovery planning—allows customers to architect for high availability. Organizations with mission-critical workloads benefit from reliability safeguards, such as Availability Zones, geography-redundant regions, and rigorously tested continuity plans, which reduce risk of technical issues.
In addition, to address risk of service disruption due to geopolitical issues, Microsoft is putting in place designated European partners with contingency arrangements for operational continuity in the unlikely event Microsoft were ever required by a court to suspend services.
This digital commitment is focused on our investments in Europe. We will continue to invest in meeting the needs of our global customers and make region- and country-specific investments, as appropriate. Microsoft is committed to complying with all applicable laws and regulations in the markets that we operate.
At all times. Microsoft accesses your content only to provide the services you choose, following your agreements. We do not mine data for marketing or advertising, nor share it with third-party advertisers. Microsoft Generative AI Services will not use Customer Data to train any generative AI foundation model, except pursuant to a customer’s documented instructions. You control storage, access, classification, and deletion of your content. These principles are supported by Microsoft's contracts and compliance with privacy standards like ISO/IEC 27018.
You decide where your customer content is stored by selecting the geographic region for your services. Azure has a global infrastructure with more regions than any other provider—more than 60 worldwide, including many in Europe—which gives you flexibility in choosing data location. You specify without your authorization. Customer content remains within the chosen Azure region unless you explicitly enable replication to other locations for resilience or unless needed to comply with the law. For example, if you choose an Azure region in the European Union, Microsoft will keep your data in that specific region. For Microsoft 365, eligible customers have options to choose where their data is located via the Microsoft 365 Advanced Data Residency add-on.
Microsoft Azure uses industry-standard strong cryptographic algorithms. For data at rest, Azure employs 256-bit AES encryption for all customer data stored in the cloud. AES-256, one of the strongest block ciphers, is used in services like Azure Storage, SQL Database, and Azure Key Vault, and meets FIPS 140-2 encryption standards. For data in transit, Microsoft uses the latest Transport Layer Security (TLS) protocols. Azure Front Door supports TLS 1.2 and TLS 1.3 for communications, using robust cipher suites, ensuring encryption of data in transit with at least 256-bit symmetric encryption and modern key exchange.
Microsoft offers robust options for managing and protecting encryption keys in Azure. By default, all Azure services use strong encryption and Microsoft-managed keys to protect customer data at rest. However, customers who require more control have multiple choices. Customer-managed keys stored in Azure Key Vault for services like Azure Storage, Azure SQL, and Azure Cosmos DB, allow you to control rotation and access policies for your keys. You can also use Azure Key Vault Managed HSM, which gives you dedicated Hardware Security Modules (FIPS 140-2 Level 3 validated) for storing keys that you solely control. Additionally, Azure supports bring-your-own-key and customer-provided keys scenarios, enabling you to generate keys on-premises or in a third-party HSM and use them in the cloud.
No. The Microsoft Cloud is designed to prevent access to customer content by Microsoft personnel without customer permission. By default, Microsoft engineers have “Zero Standing Access” (ZSA) to customer data—they do not have standing administrative privileges to view your content. If Microsoft personnel ever needs to access customer content to resolve an issue, they must go through a rigorous just-in-time access request process that requires customer approval, for certain services via Customer Lockbox, or managerial approval. All access is time-limited and fully logged and audited. These controls are regularly audited, for example, as part of SOC 2, to ensure Microsoft compliance.
For information about requests for customer data and Microsoft’s principles for defending customer data, including additional FAQs, go to: Government Requests for Customer Data Report.
With a secure-by-design cloud infrastructure and extensive built-in security services, you’ll meet your data protection requirements. The datacenters and network architecture in Azure are engineered to satisfy the needs of the most security-sensitive organizations. We employ multilayered security controls and Zero Trust principles while offering Azure Confidential Computing to protect data in use, so cloud operators cannot access your data during processing. In addition, we provide a wide array of security tools—more than 200 security, compliance, and governance features—to safeguard your applications and data. For example, we encrypt all data at rest and in transit by default, continuously monitoring threats and leveraging more than 65 trillion daily security signals to rapidly detect and respond to emerging risks. Help fulfill your regulatory and data protection obligations with our robust security practices and compliance portfolio with more than 100 certifications.
Microsoft provides architectural framework guidance on designing for multi-cloud and portability scenarios. Because Azure is highly compatible with open-source technologies, designing your application with portable components is straightforward. For instance, you can use containerization and orchestration via Azure Kubernetes Service (AKS), or use databases like PostgreSQL/MySQL on Azure which can be migrated off since they use standard engines. It’s recommended to use Infrastructure-as-Code (IaC) templates (Azure Resource Manager templates or Terraform) to define your environment in a portable manner. Azure also integrates with CI/CD tools like GitHub that work across clouds. Multi-cloud and hybrid services such as Azure Arc and Azure Local can help you deploy Azure services on-premises or in other clouds, ensuring consistency and making workloads portable.
Yes. Microsoft supports the transfer or copy of your data out of Microsoft Cloud services to external destinations. We impose no technical restrictions on moving your data out of the Microsoft Cloud and you can retrieve all your customer data from Azure at any point, including data related to Microsoft services like Microsoft 365, through standard mechanisms. Azure provides features like data export services, the Azure Data Box for petabyte-scale data migrations via shipped hardware, and high-speed network options, such as Azure ExpressRoute or VPN, to help migrate data to other environments. We do not require lengthy notice or special permissions to transfer your data—you can initiate transfers on-demand and we also offers free data egress out on premises or to another cloud provider. Additionally, we have contractual commitments ensuring customers can extract their data and that it will be deleted from the Microsoft Cloud after they leave (in line with data protection commitments).
Follow Microsoft