When Microsoft Cut Off the ICC: The 2025 Incident That Changed European Cloud Policy
The Incident, In Five Sentences
In 2025, the United States imposed sanctions on the chief prosecutor of the International Criminal Court in response to ICC investigations that the US government opposed. Shortly afterward, the prosecutor lost access to his Microsoft email. Microsoft, as a US-domiciled company, had no legal option to refuse compliance with the sanctions regime. The ICC — an international treaty body headquartered in The Hague, with formal Dutch host-state status — discovered mid-investigation that the email infrastructure underpinning its prosecutorial function depended on the discretion of the US executive branch. It is the single most concrete illustration to date of why “data residency in Europe” is not the same thing as “digital sovereignty.”
Why This Specific Incident Matters
European policy discourse on cloud sovereignty has, for years, treated the CLOUD Act and the Schrems-line rulings as theoretical risks. Yes, in principle, US authorities could compel American companies to disclose data stored anywhere in the world. Yes, in principle, transatlantic data transfers operated under fragile legal regimes. But for most procurement teams, this remained an abstract concern. Everyone kept signing Microsoft 365 contracts.
The ICC incident is what moved this from “abstract concern” to “directly demonstrated.” A sitting prosecutor of one of the world’s most important international tribunals lost the basic tool of his job — email — because of a decision made in Washington. Not a US court decision. An executive sanctions order, applied to a US company, executed against a European-based institution that had presumably done extensive due diligence before adopting Microsoft 365.
If the ICC can have its prosecutor’s email cut off, the structural question for every European hospital, ministry, university, bank, and law firm is simple: what’s the exposure here?
The Structural Lesson
The lesson is not “Microsoft did something wrong.” Microsoft acted exactly as any US-domiciled provider would and arguably must, given the legal framework it operates inside.
The lesson is that the choice to run critical European operations on US-domiciled cloud infrastructure means accepting a risk that the US executive branch can, at any time, decide that a particular European user is no longer authorized to use the service. This is not a theoretical capability. It has been used.
The exposure has three parts:
Direct user-level cutoff. The ICC case. A specific individual is designated and their access to US-provided services is terminated. This applies to anyone whom the US sanctions regime touches — increasingly including diplomats, lawyers, NGOs, and researchers working in politically contested areas.
Organization-level disruption. Larger sanctions actions can target entire entities. European companies trading with sanctioned jurisdictions have already faced US-provider service termination, often with little warning.
Data access under foreign legal process. The CLOUD Act remains in force. US authorities can compel US providers to disclose data regardless of where the data is physically located. This is distinct from sanctions but operates through the same structural channel.
European data residency does not address any of these. The Microsoft data center in Frankfurt that hosts your data is still operated by an American company subject to American law. Putting the data in Europe doesn’t change the corporate jurisdiction of the entity that holds the keys to it.
What the ICC Case Specifically Demonstrated
The ICC case made a few things empirically concrete in a way prior discussions did not:
Speed. The cutoff happened fast. There was no extended legal process visible to outsiders, no negotiation period. One day the email worked; the next day it didn’t.
Asymmetry of options. The ICC, as the customer, had no meaningful recourse. The provider, as a US legal entity, had no choice. The decision lay with neither party to the customer relationship.
Visibility gap. The episode became publicly known because it involved a high-profile institution and a high-profile official. The number of less-visible incidents involving smaller European customers under sanctions-adjacent circumstances is unknown but presumably not zero.
Reputational containment. Microsoft’s broader European business was minimally affected by the episode in commercial terms. The structural risk became visible, but the inertia of installed enterprise customers absorbed the political pressure.
What European Procurement Should Conclude
Three procurement-level conclusions are now defensible in a way they weren’t in 2024.
1. For prosecutorial, judicial, and legal-sensitive workloads, US cloud providers are not appropriate. This is no longer a precautionary position. There is direct precedent.
2. For workloads involving political or diplomatic exposure to US sanctions regimes, the same conclusion applies. This affects diplomatic services, intergovernmental organizations, certain NGOs, and any European entity whose work touches geopolitical hotspots.
3. For ordinary commercial workloads, the calculus has shifted but not flipped. Cost, capability, and integration still matter. But the “what’s the worst case” answer has become concrete enough that risk registers should reflect it.
For most European public sector buyers, this points toward providers that are structurally outside US legal reach. That means:
- EU- or Swiss-domiciled providers
- Hosted in EU or Swiss data centers
- Operating under EU or Swiss law, without being subordinate to US legal entities
- Ideally certified under European sovereign-cloud frameworks (SecNumCloud, BSI C5, the eventual EUCS)
In the cloud infrastructure space, the providers meeting all of these are a small list: OVHcloud, Scaleway, Hetzner, Infomaniak, the various national-champion clouds in France/Germany/Italy, and a handful of specialized players.
The Governance Layer
Picking a non-US provider doesn’t automatically solve everything. The question of what happens if that provider gets acquired by a US strategic acquirer in 2029 is real. A European provider sold to AWS still gives you the same problem you started with, on a delay.
This is why the May 2026 Infomaniak Foundation announcement is structurally significant. Steward ownership — the legal mechanism that prevents share transfer to outside acquirers — closes the loophole that ordinary “EU-headquartered” doesn’t. We’ve written separately about steward ownership and why it matters for European tech sovereignty.
For procurement teams thinking about long-term vendor risk, “is this vendor structurally protected against acquisition by US tech” is increasingly a question worth asking. It joins the existing question of “is this vendor structurally protected against US legal reach.”
What the EU Policy Response Looks Like
In the months after the ICC incident, several policy threads accelerated.
EUCS sovereignty criteria pushback. The contested sovereignty requirements in the European Cybersecurity Certification Scheme for Cloud Services gained renewed support from member states that had previously been ambivalent. The argument shifted from “do we need this” to “we already needed this.”
Cloud-first-EU procurement guidance. Several member states — France (already), Italy, Belgium, the Netherlands — issued or strengthened guidance pushing public-sector and regulated-industry buyers toward European-sovereign cloud where feasible.
The Microsoft-ICC clauses. New procurement templates began appearing that specifically address sanctions-cutoff scenarios — requiring providers to disclose their own legal exposure and provide notice-and-cure rights before access termination. These are imperfect (US providers cannot legally make most of these commitments) but signal the shift in buyer expectations.
Workload categorization. Risk frameworks began categorizing workloads by sanctions-cutoff exposure, not just by data sensitivity. A workload that is “not personally identifying” but is “operationally critical” gets a new column in the spreadsheet.
What Hasn’t Changed
Honesty requires acknowledging that for most European businesses, none of this changes daily reality. Microsoft 365 is still the easiest path. AWS is still the deepest feature set. The migration cost of moving off US providers is real. Many European procurement teams will continue to weigh this and continue to choose US providers for most workloads.
That is not necessarily wrong. The trade-off is real and the conclusion will be different for different organizations.
What has changed is that for certain workloads — sanctions-sensitive, legally critical, sovereignty-essential — the calculation now points unambiguously away from US providers. That category was always there in theory. After 2025, it’s there in practice.
The Practical Takeaway
If you are a European procurement or risk leader, the productive question coming out of the ICC incident is not “should we panic about Microsoft?” The answer to that is no.
The productive question is: which of our workloads, if they went dark tomorrow, would create damage we cannot tolerate, and are those workloads currently dependent on the discretion of the US executive branch?
For most organizations, that’s a small subset of workloads. But it’s not zero. And the answer to that question now informs procurement in a way that seven years of abstract discussion of the CLOUD Act did not.
Sovereignty stops being an ideology when something concrete happens to demonstrate the gap. The 2025 ICC incident is what that concrete demonstration looks like.
If you want to start mapping your own organization’s exposure, our US Exposure Assessment tool walks through twenty common US vendors and the sovereignty layer underneath each. Or take the decision wizard for a category-level European alternative shortlist.
The lesson of the ICC incident isn’t that sovereignty matters. It’s that sovereignty isn’t optional once you’ve seen how it fails.