Part 1 - How sovereign is Azure, really?
Cloud sovereignty has quickly shifted from industry buzzword to boardroom priority. For highly regulated organizations (financial services, healthcare, government, and critical infrastructure), the central dilemma is clear: how do you leverage the speed and scale of the public cloud while maintaining control, compliance, and trust?
With new regulations such as NIS2 and DORA, combined with mounting geopolitical concerns, the question has never been more pressing: is Microsoft Azure “sovereign enough” for European organizations?
In this first part of our blog series “From Concern to Control: An EU-Sovereign Azure Path”, we unpack what “sovereignty” really means in practice. We’ll explore the EU Data Boundary, encryption and governance controls, and the gap between theory and provable compliance. In part two, we’ll zoom in on concrete mitigations and design patterns.
Microsoft’s Key Move: The EU Data Boundary
In February 2025, Microsoft completed the EU Data Boundary, committing to keep customer and personal data for Azure, Microsoft 365, Dynamics 365, and Power Platform within the EU/EFTA. Even support data and incident handling are now primarily processed EU-first.
That’s a major milestone, but not the end of the story. Certain exceptions remain, for example in global security operations and non-regional services, where data may still leave EU borders. And for compliance and audit teams, those exceptions represent uncertainty and risk.
Microsoft Sovereign Cloud and Policy Enforcement
With Microsoft for Sovereignty and the Sovereign Landing Zone (SLZ), organizations can lean on ready-to-use policy baselines that:
- Enforce EU-only regions,
- Block non-regional services by default,
- Require Private Link and customer-managed keys.
Still, the responsibility doesn’t shift away from the enterprise. Sovereignty isn’t “set it and forget it.” It requires consistent execution, deep architecture knowledge, and governance discipline.
Encryption as the Foundation of Control
Encryption remains the cornerstone of cloud compliance in Europe. With Customer-Managed Keys (CMK) and Double Key Encryption (DKE) in place, Microsoft cannot access plaintext data without explicit customer involvement.
When paired with Confidential Computing, where data remains encrypted even during processing, organizations can establish a zero-access model. This model not only limits operator exposure but also mitigates extraterritorial risks like the U.S. CLOUD Act.
EU Data Residency and Service Catalogs
Microsoft publishes detailed catalogs outlining:
- Which services keep customer data fully within the EU,
- Which services have residual data transfers,
- Which are currently excluded from full EU residency.
Some examples:
- Non-regional services: Azure Front Door/CDN (global edge caching).
- Residual transfers: Azure Databricks (identity metadata stored in the US).
- Temporary exclusions: Azure DevOps and Azure Policy.
For compliance teams, this level of transparency is critical. It allows enterprises to design geofenced architectures, avoid non-compliant services, and maintain audit-ready dataflow documentation.
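The policy baseline described earlier (EU-only regions, non-regional services blocked, Private Link and customer-managed keys required) and the service catalog examples above can be combined into a pre-deployment inventory check. The following is an added example, not Microsoft's or the Sovereign Landing Zone's own code; the inventory shape, the `cmk` and `private_link` keys, and the region subset are assumptions made for illustration.

```python
# Added example. Inventory format and the "cmk"/"private_link" keys are hypothetical.
ALLOWED_REGIONS = {"westeurope", "northeurope", "germanywestcentral",
                   "francecentral", "swedencentral"}  # assumed subset, not a full EU/EFTA list

# Classification mirrors the catalog examples on this page, keyed by ARM resource type.
CATALOG = {
    "microsoft.cdn/profiles": "non-regional",         # Azure Front Door / CDN
    "microsoft.network/frontdoors": "non-regional",   # Front Door (classic)
    "microsoft.databricks/workspaces": "residual-transfer",
}

def audit(resource):
    """Return a list of (action, reason) findings for one resource."""
    findings = []
    category = CATALOG.get(resource["type"].lower())
    location = resource.get("location", "").lower().replace(" ", "")
    if category == "non-regional" or location == "global":
        findings.append(("deny", "non-regional service"))
    elif location not in ALLOWED_REGIONS:
        findings.append(("deny", f"region '{location}' outside allowed list"))
    if category == "residual-transfer":
        findings.append(("document", "residual data transfer; record in dataflow docs"))
    if not resource.get("cmk", False):
        findings.append(("deny", "customer-managed key not configured"))
    if not resource.get("private_link", False):
        findings.append(("deny", "no Private Link endpoint"))
    return findings

def audit_inventory(inventory):
    """Map resource name -> findings, omitting compliant resources."""
    report = {r["name"]: audit(r) for r in inventory}
    return {name: f for name, f in report.items() if f}

# Constructed sample inventory (not real tenant data).
SAMPLE_INVENTORY = [
    {"name": "st-eu", "type": "Microsoft.Storage/storageAccounts",
     "location": "westeurope", "cmk": True, "private_link": True},
    {"name": "st-us", "type": "Microsoft.Storage/storageAccounts",
     "location": "eastus", "cmk": True, "private_link": True},
    {"name": "fd-edge", "type": "Microsoft.Cdn/profiles",
     "location": "Global", "cmk": False, "private_link": False},
    {"name": "dbx", "type": "Microsoft.Databricks/workspaces",
     "location": "northeurope", "cmk": True, "private_link": False},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        for action, reason in findings:
            print(f"{name}: {action.upper()} - {reason}")
```

The "document" findings are the entries that belong in the audit-ready dataflow documentation, while "deny" findings correspond to what a deny-effect policy assignment would reject at deployment time.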
The Gap Between Theory and Practice
Here’s the reality: Microsoft Azure now provides a strong foundation for cloud sovereignty in Europe. But without the right design patterns, governance controls, and documentation, the gap between “good enough” and provably compliant remains wide.
For regulated enterprises, bridging that gap means:
- Enforcing strict data-location policies,
- Using EU-hosted customer-managed HSMs,
- Implementing auditable break-glass procedures,
- And designing architectures that keep developer velocity high without sacrificing compliance.
Conclusion: Sovereignty as a Design Decision
The takeaway is simple: Azure now delivers EU-ringfenced operations with enforceable, documentable controls. Where exceptions remain, organizations can design around them by keeping encryption keys within the EU, enforcing zero-access models, and ensuring that no third country, and not Microsoft itself, can access plaintext data.
For European enterprises, sovereignty doesn’t have to be a blocker. Done right, it becomes a design property, an enabler for both compliance and innovation.