Data sovereignty is top of mind for business leaders across Europe, shaping strategic decisions at Microsoft’s customers, according to panelists at the tech giant’s European Digital Commitment Day in Vienna, Austria last week.
Digital sovereignty, the ability for an organization to maintain clear control over how its data is stored, accessed, and governed, has moved from a technical concern to a board-level priority. As organizations expand their digital footprints and accelerate cloud adoption, rising regulatory scrutiny and growing customer expectations are forcing businesses to rethink how they manage data.
Sovereignty means different things to different people, the panelists noted, but the common thread is the need to take control over customer data, which has become essential to maintaining trust. The pressure to demonstrate that control is now shaping transformation plans, vendor choices and long-term customer experience strategies.
Control of Critical Data Is Becoming a Strategic Must
The energy crisis following the invasion of Ukraine exposed the geopolitical dimension of critical infrastructure, reinforcing the need for systems that can operate independently in extreme circumstances.
“Digital sovereignty is about stability and resilience,” said Julia Weberberger, Head of Corporate Strategy at Energie AG Oberösterreich, describing it as a source of power. “[W]e have to make sure that we operate our critical data on our own. We operate our own data center, with emergency power supply, and rely on a multi-provider strategy to create redundancies… It’s also very important that we build expertise in digital sovereignty in Europe, but also within our company.”
Europe is developing a new mindset built on innovation and security, Weberberger said, shaping companies, knowledge, opinions and even social narratives. In this environment, European data sovereignty is becoming a key strategic concern that requires balance.
As Martina Saller, Public Sector Sales Lead at Microsoft Austria said:
“It’s not a black and white discussion. It’s not about choosing the path of sovereignty or choosing the path of innovation. It’s about balancing and orchestrating… a risk-based approach.”
That layered approach should separate highly sensitive workloads from those suited for cloud-based innovation.
Public administrators highlighted that sovereignty is multidimensional: technical, legal, economic and emotional. What customers want above all is visibility and choice. As one leader emphasized, beyond control over data processing and storage, true sovereignty also means being able to choose the parts of a technology package they need rather than being required to buy licenses for bundles, which drives up costs.
Procurement rules, however, are still playing catch-up. With different requirements scattered across the EU, organisations often end up doing the same work multiple times. A more unified approach that allows for shared certifications and tech that plays nicely across borders would make it easier for businesses and public bodies to build modern, sovereign digital systems. And to make sure those sovereignty rules help innovation instead of getting in the way, organizations say they need clear guidance and strong partnerships with their tech providers.
What Customers Need from Cloud Partners
A recurring message throughout the discussion was that sovereignty cannot be achieved in isolation. Customers expect their cloud partners to help them meet changing regulatory, security and operational demands.
As Norbert Parzer, Certified Public Accountant, Tax Advisor and Partner at EOS put it, “first find the companion before you start the journey.”
To address concerns around extraterritorial data access, Jeff Bullwinkel, VP and Deputy General Counsel, Corporate External and Legal Affairs at Microsoft EMEA, detailed the steps the vendor has taken to provide assurance and legal protection.
The tech giant has built the EU Data Boundary for the Microsoft Cloud to “mitigate the risk, or reduce the surface area of risk by just reducing situations in which data is transferring from one continent to another.”
Just as crucial is Microsoft’s assurance that it will resist demands from governments to divulge customer data, Bullwinkel said:
“When Microsoft gets a request or a demand in order for data from any government around the world, we have a contractual obligation to litigate against that order whenever there’s a lawful basis for doing so. And we have quite a history of doing that…with a view toward guarding against that kind of risk and so we will continue in the future as well.”
Microsoft has also expanded its sovereign controls and confidential computing to ensure that customers hold the keys to their data.
The vendor recently announced expanded capabilities for its Sovereign Public Cloud and Sovereign Private Cloud. By the end of this year, customers in four countries—Australia, the United Kingdom, India and Japan—will have the option to have their Microsoft 365 Copilot interactions processed in-country. This will be expanded to 11 more countries in 2026: Canada, Germany, Italy, Malaysia, Poland, South Africa, Spain, Sweden, Switzerland, the United Arab Emirates, and the U.S.
These capabilities directly address customer expectations for operational autonomy and regulatory compliance.
Partnerships help empower organizations to keep control over their processes and architecture, so that digital transformations are secure and interoperable. Organizations across sectors are embracing AI, but they need to be sure that the models they use preserve transparency and control.
“There are many areas we see it’s important to have a good collaboration. And for that, trust is… obligatory. It’s the absolutely necessary thing. And it cannot just be a marketing promise,” Weberberger said.
The use of large language models (LLMs) raises critical questions when it comes to maintaining control over customer data, Weberberger noted, highlighting the need for transparency around who trains the data, who defines which information AI models are allowed to use, how ethical principles are implemented and who has the control and influence over the models.
“We need answers in the future when it comes to… how these LLM models are trained. Many providers tell us ‘we don’t use the customer data to train our LLM.’ But for us, still, the question remains, but how do the providers develop their LLMs when they don’t use the customer data to train them? Here we need clear agreements that we all know how it works, and openness to trust.”
For critical sectors like energy, innovation must align with stringent risk-management requirements without compromising safety or resilience.
Data Sovereignty as a Shared European Project
Panelists underscored the need for different regulators in Europe to get on the same page when it comes to digital rules, to create a clearer, more unified set of standards that works in practice and gives organizations the confidence to keep innovating.
“Policy makers and industry representatives should work together on defining clear, understandable and practical frameworks, which has not always happened in the past,” Parzer said.
“It’s about establishing certainty for market participants at the end… They should understand that innovation is not a luxury. It is just an enabler for our economic growth and insurance for our future. So it is all about defining rules that are going to balance innovation with compliance.”
And when those standards line up, it doesn’t just cut down on compliance headaches — it makes it easier for governments and regulated industries to embrace AI and cloud tools, giving them the guardrails they need to move ahead with confidence.
The conversation made one point clear: sovereignty is no longer a static concept. It is a shared responsibility shaped by policy, technology, and partnership. Customers expect cloud providers not only to deliver secure platforms, but also to collaborate, openly and continuously, on the frameworks, tools, and governance models that will define Europe’s digital future.
As the panel demonstrated when customers, policymakers, and technology providers align around transparency, control and trust, Europe can innovate at the pace required to remain resilient and competitive.
“I think we cannot expect this topic is going to go away,” Bullwinkel said. “These things are front of mind, absolutely, for our customers, for our partners, for government leaders… Things we’ve been talking about… around data privacy, around data security, around resilience, around data residency, these are all things that will continue to inform the conversation.”
