Glossary · EU Cloud Sovereignty EU Data Boundary (Microsoft EU Data Boundary (and similar US-hyperscaler offerings))
Microsoft commercial offering committing to store and process EU customer data within EU data centres. Similar arrangements offered by AWS (European Sovereign Cloud) and Google (Sovereign Controls). Important to understand: data residency in EU data centres does NOT change the underlying corporate jurisdiction of the US-domiciled service provider.
## What the EU Data Boundary actually is
Microsoft EU Data Boundary is a commercial offering — launched in 2023 and progressively expanded since — under which Microsoft commits to storing and processing customer data for Microsoft 365, Dynamics 365, Power Platform, and Azure within EU/EFTA data centres. Similar arrangements have been launched by AWS (European Sovereign Cloud) and Google Cloud (Sovereign Controls).
The Boundary is a *technical and commercial commitment* about *where* customer data is processed and stored. It is **not a jurisdictional reassignment** — the provider remains a US-domiciled legal entity subject to US legal process regardless of where customer data physically lives.
This distinction is operationally critical. It is also widely misunderstood in procurement conversations.
## What the EU Data Boundary actually does
For Microsoft's EU Data Boundary specifically (the most mature of these offerings), the commitments include:
### Data residency
- **Customer Data** (the main business data) stored in EU/EFTA data centres
- **Pseudonymised personal data** processed within EU/EFTA boundary
- **System logs and diagnostic data** progressively brought into the boundary (this has been the trickiest part — taking longer than initial commitments suggested)
- **Generated content** (AI outputs etc.) for in-scope services within the boundary
### Service exposure
The Boundary covers (as of 2026):
- **Microsoft 365** core services (Exchange Online, SharePoint, OneDrive, Teams)
- **Dynamics 365** core services
- **Power Platform** core services
- **Azure** core compute, storage, networking services (excluding some specialised regional services)
Some services remain out of the Boundary — notably some AI-related services, certain advanced analytics, and services where global routing is structurally required (some CDN, edge, identity).
### Operational changes
Microsoft has invested significantly in:
- EU-based operational staff for Boundary-scope services
- EU-resident support engineers handling Boundary-scope customer interactions
- Technical architecture changes routing in-scope data through EU infrastructure only
## What the EU Data Boundary does NOT do
This is the operationally critical part — and the source of most procurement confusion.
### Does not change corporate jurisdiction
Microsoft Corporation remains a Washington-state-domiciled US company. Microsoft Ireland Operations Limited remains an Irish subsidiary of Microsoft Corporation. The Data Boundary commitments are operational; the corporate jurisdiction is unchanged.
### Does not eliminate CLOUD Act exposure
The US CLOUD Act allows US authorities to compel US-domiciled companies to disclose data regardless of where the data is physically stored. This applies to Microsoft Corporation (and its subsidiaries) regardless of EU Data Boundary status. The Boundary is about physical data location; the CLOUD Act is about which corporate entity holds the keys.
### Does not eliminate FISA 702 exposure
FISA Section 702 allows US intelligence agencies to compel US-domiciled providers to disclose non-US-persons communications and data. Microsoft's status as a US-domiciled provider means this exposure persists regardless of EU Data Boundary commitments.
### Does not provide structural protection against sanctions-driven service termination
The 2025 [ICC / Microsoft incident](/en/blog/icc-microsoft-sanctions-cloud-sovereignty-lesson/) is the operational demonstration. Microsoft's EU Data Boundary did not (and structurally could not) prevent the prosecutor's email cutoff under US sanctions. US executive branch decisions about which European users a US-domiciled provider may serve are not constrained by data-residency commitments.
## How the Data Boundary interacts with European regulation
The Boundary's operational status in European regulatory frameworks is nuanced:
### GDPR
Data residency within the EU is one of several factors GDPR considers for international transfers and processing. EU Data Boundary commitments help satisfy GDPR's data-residency expectations but do not satisfy the broader question of Schrems II-style transfer assessment for data subject to US legal process.
### Schrems II and Standard Contractual Clauses
The European Court of Justice's Schrems II ruling specifically addresses the structural exposure that creates risk for transfers to US-domiciled providers. The EU Data Boundary does not address the structural exposure — it addresses the physical data location.
### NIS2 and DORA
Sectoral cybersecurity and operational resilience frameworks evaluate "where data lives" alongside "who can compel disclosure." EU Data Boundary addresses the first part; the corporate-jurisdiction question requires separate analysis.
### SecNumCloud / EUCS High
National and EU-level sovereign-cloud schemes ([SecNumCloud](/en/glossary/secnumcloud/), the contested [EUCS](/en/glossary/eucs/) High level) require *both* EU data residency *and* immunity from non-EU legal process. EU Data Boundary alone does not satisfy these criteria — which is why US hyperscalers have built joint-venture structures (S3NS, Bleu) for these procurement categories.
## What the Data Boundary IS useful for
Despite the structural limitations, the EU Data Boundary has real operational value:
- **Data residency compliance** for sectoral or contractual requirements that focus on physical location
- **Latency reduction** for European customer-facing services
- **Reduced cross-border transfer documentation** burden under GDPR
- **Public-facing sovereignty positioning** that satisfies less-sophisticated procurement conversations
- **Operational integration** with Microsoft's broader EU presence
For organisations whose sovereignty requirements are limited to data-residency (rather than corporate-jurisdiction), EU Data Boundary is genuinely useful and significantly better than US-data-residency default.
## When the Data Boundary is NOT sufficient
For organisations where sovereignty requirements include corporate-jurisdiction protection:
- **Public-sector buyers** subject to SecNumCloud, Cloud de Confiance, or equivalent national frameworks
- **Regulated industries** (financial services under DORA, healthcare under EHDS) with strict immunity requirements
- **Sensitive workloads** including legal, political, or competitively sensitive operations
- **Member State sovereignty-cloud procurement** with explicit immunity requirements
For these categories, the EU Data Boundary does not solve the structural sovereignty question. European sovereign-cloud providers (OVHcloud, Scaleway, Infomaniak, others) or US-hyperscaler joint-venture structures (S3NS, Bleu) are required.
## EU Data Boundary vs European Sovereign Cloud
Several US hyperscalers have launched or announced "European Sovereign Cloud" offerings beyond basic Data Boundary commitments:
| Offering | Type | Sovereignty depth |
|----------|------|-------------------|
| **Microsoft EU Data Boundary** | Data residency commitment | Limited (CLOUD Act exposure persists) |
| **AWS European Sovereign Cloud** | Separate EU-only AWS region operated by EU subsidiary | Improved but still parent-controlled |
| **Google Sovereign Controls** | Customer-controlled encryption + EU data residency | Better than baseline but US-parent persists |
| **S3NS (Thales + Google)** | Thales-controlled JV with Google technology | True French jurisdiction (SecNumCloud) |
| **Bleu (Capgemini/Orange + Microsoft)** | French JV with Microsoft technology | True French jurisdiction (in qualification process) |
The pattern: data-residency-only offerings are easier to build but less sovereign; joint-venture structures with EU operational control offer stronger sovereignty at greater operational complexity.
## Practical implications
- **For procurement teams**: clarify whether your sovereignty requirements are about data-residency or corporate-jurisdiction; the answers determine vendor eligibility
- **For DPOs and compliance**: EU Data Boundary helps GDPR data-residency but does not satisfy Schrems II structural questions
- **For regulated-industry buyers**: EU Data Boundary alone does not satisfy SecNumCloud or sectoral sovereign-cloud requirements
- **For sensitive workloads** (legal, political, competitively sensitive): EU Data Boundary is insufficient — consider European sovereign cloud providers or JV structures
- **For ordinary commercial workloads**: EU Data Boundary is genuinely useful and better than US-default residency
The EU Data Boundary is a meaningful operational commitment that addresses one dimension of cloud sovereignty (data residency) while not addressing the deeper structural dimension (corporate jurisdiction). Understanding the distinction is operationally essential for European cloud procurement in 2026.
Was this helpful?
Thanks for your feedback!