Three months ago, Microsoft announced its “European Digital Commitments”, a set of promises aimed at rebuilding trust in the services of Microsoft sovereign cloud for Europe. The message was clear: Europe can count on Microsoft, even in times of geopolitical tension or when faced with pressure from its own government. The company pledged to defend European interests in court if necessary, to ensure stable and independent operations, and to ensure digital resilience.
So what exactly do Microsoft’s commitments offer?
We put its five principles to the test, and also look at what it would take for Europe to achieve real digital sovereignty — not just on paper, but also in practice.
Microsoft’s version of “building a Microsoft sovereign cloud ecosystem for Europe” actually entails something else. They are not interesting in building a digitally sovereign European system. Instead, they are expanding US-controlled infrastructure across the continent. So instead of building autonomy, they are actually deepening dependency. No matter how many data centers are added, Azure remains a proprietary, centralized system operated by a US corporation.
If resilience depends on legal promises from a US-based vendor, it’s not resilience, but risk management. Microsoft is subject to US law, including the CLOUD Act (Clarifying Lawful Overseas Use of Data Act) Act. No contract can override that, as Microsoft France reps themselves admitted under oath recently. Europe can only ensure continuity if it owns and operates its infrastructure, including the legal, operational, and technical layers.
Let’s have a look at the facts to assess if a Microsoft sovereign cloud for Europe truly exists.
Microsoft claims they will challenge government orders that threaten customer data. But their own transparency reports tell a different story. In the first half of 2024 alone, Microsoft received over 160 legal orders from US authorities for enterprise customer data, including from customers outside the US. Of those, almost 30% resulted in some form of data being handed over.
Even more concerning: Microsoft confirmed it disclosed content data in at least one case involving a non-US enterprise customer, with data stored outside the US. The company didn’t name the country, but it did state that the customer wasn’t based in the EU or EFTA.
Still, the principle is clear: US authorities can and do access enterprise data, regardless of where it’s hosted. Microsoft’s strategy to reassure Europe includes putting source code in Swiss vaults and promising that local partners could take over if US courts forced a shutdown. But none of that changes the underlying dynamic.
If a US order arrives, Microsoft must comply or fight, and possibly lose. Europe cannot build digital sovereignty on systems it doesn’t control. Real digital resilience means that you own the legal, operational, and technical stack.
If someone else holds the keys, it’s not your infrastructure, but theirs.
Microsoft talks about encryption, EU boundaries, and customer control. But all of it exists within the boundaries of Microsoft systems, which remain closed and under non-European laws. Real privacy starts with ownership. Open source gives users instead of vendors the full control. That’s why data protection is not just about technical features, but also about transparency and accountability.
Microsoft often highlights its role in defending Ukraine from cyberattacks and its cooperation with European governments on threat intelligence. These efforts are important, but they don’t tell the full story. Microsoft’s dominance creates systemic risk.
Most public institutions in Europe rely on the same tightly integrated stack: Exchange, Office, Windows, Azure. When a vulnerability is discovered, it affects thousands at once.
In 2023, hackers identified as Storm 0558, exploited a vulnerability in Microsoft Exchange Online, gaining unauthorized access to the email accounts of senior US officials, including Commerce Secretary Gina Raimondo and US Ambassador to China Nicholas Burns.
The Cyber Safety Review Board (CSRB) concluded that this intrusion was preventable and resulted from a “cascade of avoidable errors” by Microsoft. The report criticized inadequate security practices and a corporate culture that deprioritized enterprise security investments and rigorous risk management.
This incident exposes the importance of sovereign architecture. True resilience means diversity, transparency, and the ability to act independently. That’s not possible in a closed ecosystem maintained by a single vendor.
Open source is not a checkbox or a compatibility layer, but a founding principle for a company. Hosting open source models on Azure is not supporting the open source ecosystem. Especially not when the underlying platform is proprietary and the ecosystem is controlled by one vendor.
Join our upcoming webinar to learn how Nextcloud Enterprise empowers teams with the tools to collaborate, communicate, and stay compliant while helping organizations regain control over their data and achieve digital sovereignty. Can’t attend? You can still register to receive the recording.
Register nowMicrosoft knows that its credibility in Europe is on the line. Over the past weeks, company president Brad Smith has been touring European capitals, giving speeches and meeting policymakers to promote a simple message: Microsoft is listening and investing, so it can be trusted.
These promises may sound reassuring on paper. But Europe doesn’t need reassurance, it needs control. Legal clauses, local subsidiaries and datacenter expansion won’t fix the underlying issue: If your infrastructure depends on a single foreign vendor, it remains vulnerable to decisions made far outside your legal and democratic reach.
When political pressure rises, even the most carefully negotiated contracts can’t protect access. Even critical institutions can lose service overnight without any warning, recourse, or real fallback.
Microsoft tries to address this with legal safeguards and emergency plans. But these measures only offer the appearance of autonomy. Being promised access to source code, under certain conditions, in a Swiss vault: that’s not independence. It’s like being handed the keys to an F-15 fighter jet: a complex and powerful machine, but one you can’t actually operate without the vendor’s ongoing support, such as the technicians, the manuals, and the spare parts.
You might have the asset, but you don’t have the capability.
With open source, the model is fundamentally different: You can rely on auditable code with no single point of failure, vendor lock-in, or legal grey zones. This make open source not just an asset, but an important step towards digital sovereignty for Europe.
The commitments of Microsoft versus the offering of Nextcloud is the difference between sovereignty on paper and sovereignty by design. And it’s the choice Europe has to make.
The landing page for our upcoming Nextcloud Hub release is now live! On September 27, 2025, at 10AM (CEST), we will present the latest Nextcloud Hub live from the Nextcloud Community Conference in Berlin, Germany. And you can be part of it, too, by signing up for the online launch! While you’re registering, you might […]
Read More
Nextcloud has published its first Digital Sovereignty Index (DSI) to showcase the status of digital sovereign infrastructure.
Read More
Passionate about data privacy and Nextcloud? We invite you speak at the Nextcloud Community Conference to share your experience, knowledge and news with the community!
Read More
Nextcloud becomes the first cloud software platform to earn the Blauer Engel ecolabel, proving that digitally sovereign and green IT is possible.
Read More
For the ninth time, Nextcloud has been nominated for the CloudComputing-Insider Readers’ Choice Award in the category of Cloud Content Management. We’d love to reach the top again! And we’re looking for the support of you and everyone else in our amazing community to get there. Nextcloud as the best Cloud Content Management tool? Only […]
Read More
In the Nextcloud 2024 wrap-up, we want to take a moment to celebrate this year's achievements. Join us as we continue to reimagine what’s possible - shaping a world where open source, privacy and connection come together and drive progress for the greater good.
Read More
Organisations, small and large, need a way to ensure the resiliency and digital sovereignty of their operations – an open-source, privacy-respecting alternative to Teams. And today, we present that solution - Nextcloud Talk.
Read More
Nextcloud has been recognized with the World Summit Award Germany that selects and promotes local digital innovation improving society, aiming to contribute to the United Nations' agenda of sustainable development goals.
Read More
Nextcloud has been awarded Platinum at the IT Awards 2024. Today, we celebrate this win together!
Read More
The first ethical, open-source AI assistant that can get a multitude of tasks done for you without compromising your data.
Read More
DIE ZEIT, a prominent German outlet, interviewed Nextcloud’s founder Frank Karlitschek for an article on Microsoft’s anti-competitive behaviour on the European office software market. Read for a recap of the article and the key takeaways.
Read More
MagentaCLOUD’s migration to Nextcloud in 2021 resulted in a fully equipped Online Storage with an integrated online office suite that further improves the user experience, flexibility and security for customers.
Read More
We bring you a major update to the Nextcloud AI Assistant, plus the news we work with several big hosting providers like IONOS and OVHcloud to bring AI-as-a-Service options to you!
Read More
Bechtle and Nextcloud announce today a complete managed collaboration platform for the public sector that requires no tender and can be deployed immediately.
Read More
Discover how to make the switch from ownCloud to Nextcloud. Our quick guide provides insights into the migration process, helping you make the transition smoothly.
Read More
Today, US-based file sync & share vendor Kiteworks announced their acquisition of ownCloud and Dracoon. Kiteworks points out that their customers now have access to their file-sharing application. It is to be expected they will not maintain 3 similar products, but customers will have to migrate to the US firms’ platform or look for another […]
Read More
Nextcloud founder and CEO Frank Karlitschek earns the honorary SFS Award at the 20th annual SFSCON taking place in South Tyrol, Italy.
Read More
As part of Schleswig-Holstein's state digitization strategy, the state chancellery has announced they will work with Nextcloud to develop AI for working with government documents. This comes just after we announced the first private AI assistant last weekend with Hub 6. The German state already uses Nextcloud and their AI strategy aligns with our work on ethical, local AI technologies.
Read More
Over the last year, AI has become a popular topic. Some is hype, some is substance. Some is good, some is bad. We want to give you the good, not the bad, and ignore the hype! AI has a ton of opportunity – but also risk. So we put you in control – off by […]
Read More
With the Nextcloud Community Conference, we are bringing together contributors, fans, and first-time attendees for two days of talks, workshops, and sharing experiences on 27 and 28 September in Berlin, Germany. But the event doesn’t stop there! We will continue our ventures during the Nextcloud Contributor Week from 29 September to 2 October with our […]
Read More
Schleswig-Holstein published a proposal with guiding principles for a Deutschland-Stack, an initiative to achieve digital sovereignty in Germany.
Read More
