Microsoft’s European Digital Commitments

Microsoft’s relationship with its customers is grounded in trust. At times of geopolitical uncertainty, we want to demonstrate to Europe that we are committed to providing digital stability. Building on Microsoft’s robust portfolio of sovereignty offerings, we wanted to show our steadfast support and leadership with a set of five additional commitments.

Microsoft customers in Europe do not need to take any action – and can take advantage of the comprehensive set of capabilities available now from our European hosted cloud regions. Microsoft’s Digital Resilience Commitment is being incorporated in contracts with European national governments and the European Commission to make this commitment legally binding on Microsoft Corporation and all its subsidiaries.

Microsoft has many sovereignty capabilities already available in Europe. Microsoft Cloud for Sovereignty became generally available in December 2023 for all Azure regions. This means government and regulated customers in Europe (and worldwide) can now deploy Azure with sovereignty features enabled. Furthermore, Microsoft’s EU Data Boundary for the Microsoft Cloud was fully implemented in February 2025. Microsoft 365 Advanced Data Residency is already available in France, Germany, Italy, Norway, Poland, Spain, Switzerland, Sweden, and the UK, with future local region geographies forthcoming in Austria, Denmark, and Greece. We will continue to expand our cloud services to improve transparency and control for our customers. More information will be shared in the future.

Microsoft believes that most customers' sovereignty requirements can be met through our public cloud offerings. Over time, we have built a robust set of sovereignty capabilities in Azure, including the European Data Boundary, the Microsoft Cloud for Sovereignty, and Confidential Computing. That list now includes our commitment to provide a set of European partners with the rights to use our code if ever needed to ensure operational continuity. Bleu and Delos Cloud, on the other hand, are separate instances of Microsoft cloud services that run in sovereign cloud datacenters that are operated by independent local partners in France and Germany, outside of the public cloud. They are intended for certain customers who meet eligibility criteria and need to satisfy specialized national requirements, such as operating under the local partners' control and meeting France's SecNumCloud requirements and Germany's cloud platform requirements.

We announced AI Access Principles last year that ensure open access to our AI and cloud platform for a variety of business models, both open source and proprietary, and will continue to expand on these commitments in the coming months.

Microsoft provides extensive third-party assurances through compliance certifications and independent audits. Microsoft’s commercial cloud offerings have one of the broadest compliance portfolios in the industry – over 100 compliance offerings globally, audited by independent third parties. Microsoft undergoes regular assessments for standards like ISO/IEC 27001 (information security management), ISO/IEC 27017 (cloud security), ISO/IEC 27018 (cloud privacy), as well as SOC 1, SOC 2, SOC 3 attestations by independent auditors. In Europe, Azure has been certified for schemes such as the Cloud Computing Compliance Controls Catalogue (C5) in Germany and is compliant with EU regulations (like GDPR, with audit reports available on the Microsoft Trust Center). Microsoft publishes audit reports and compliance documentation on its Service Trust Portal for customers to review. These third-party audits verify that Azure’s controls operate effectively and that you inherit a secure, compliant cloud platform. 

 

Microsoft’s end-to-end resilience strategy – spanning an unparalleled global infrastructure, fault-tolerant service architecture, and robust disaster recovery planning – allows customers to architect for high availability. Organizations with mission-critical workloads benefit from Microsoft’s reliability safeguards, such as Availability Zones, geo-redundant regions and rigorously tested continuity plans, which reduce risk of technical issues. 

 

In addition, to address risk of service disruption due to geopolitical issues, Microsoft is putting in place designated European partners with contingency arrangements for operational continuity in the unlikely event Microsoft were ever required by a court to suspend services. We look forward to sharing further information on this moving forward.

This announcement is focused on our investments in Europe. We will continue to invest in meeting the needs of our global customers and make region and country specific investments as appropriate. Microsoft is committed to complying with all applicable laws and regulations in the markets that we operate.

You retain ownership and control of your data at all times. Microsoft accesses your content only to provide the services you choose, following your agreements. We do not mine data for marketing or advertising, nor share it with third-party advertisers. Microsoft Generative AI Services will not use Customer Data to train any generative AI foundation model, except pursuant to a customer’s documented instructions. You control storage, access, classification, and deletion of your content. These principles are supported by Microsoft's contracts and compliance with privacy standards like ISO/IEC 27018. 

You decide where your customer content is stored by selecting the geographic region for your services. For example, Azure has a global infrastructure with more regions than any other provider (over 60 worldwide, including many in Europe), which gives you flexibility in choosing data location. Microsoft will not store or process your data outside the region/geo you specify without your authorization. Customer content remains within the chosen Azure region (or geo) unless you explicitly enable replication to other locations for resilience or unless needed to comply with the law. For example, if you choose an Azure region in the EU, Microsoft will keep your data in that region. For Microsoft 365, eligible customers have options to choose where their data is located via the Microsoft 365 Advanced Data Residency add-on. 

Microsoft Azure uses industry-standard strong cryptographic algorithms very similar to AWS. For data at rest, Azure employs 256-bit AES encryption for all customer data stored in the cloud. AES-256, one of the strongest block ciphers, is used in services like Azure Storage, SQL Database, Azure Key Vault, etc., and meets FIPS 140-2 encryption standards. For data in transit, Microsoft uses the latest TLS (Transport Layer Security) protocols. Azure Front Door supports TLS 1.2 (and supports TLS 1.3) for communications, using robust cipher suites, ensuring encryption of data in transit with at least 256-bit symmetric encryption and modern key exchange.

Microsoft offers robust options for managing and protecting encryption keys in Azure. By default, all Azure services use strong encryption and Microsoft-managed keys to protect customer data at rest. However, customers who require more control have multiple choices: you can use customer-managed keys (CMK) stored in Azure Key Vault for services like Azure Storage, Azure SQL, Azure Cosmos DB, etc., allowing you to control rotation and access policies for your keys. You can also opt for Azure Key Vault Managed HSM, which gives you dedicated Hardware Security Modules (FIPS 140-2 Level 3 validated) for storing keys that you solely control. Additionally, Azure supports bring your own key and customer-provided keys scenarios, enabling you to generate keys on-premises or in a third-party HSM and use them in the cloud. 

No. Microsoft’s cloud is designed to prevent access to customer content by Microsoft personnel without customer permission. By default, Microsoft engineers have “Zero Standing Access” (ZSA) to customer data – they do not have standing administrative privileges to view your content. If Microsoft personnel ever need to access customer content to resolve an issue, they must go through a rigorous just-in-time access request process that requires customer approval (for certain services via Customer Lockbox) or managerial approval, and all access is time-limited and fully logged and audited. These controls are regularly audited (for example, as part of SOC 2 and other certifications) to ensure Microsoft’s compliance.

 

For information about requests for customer data and Microsoft’s principles for defending customer data, including additional FAQs, see: Government Requests for Customer Data Report | Microsoft CSR.

Microsoft helps you meet data protection requirements through a secure-by-design cloud infrastructure and extensive built-in security services. Azure’s datacenters and network architecture are engineered to satisfy the needs of the most security-sensitive organizations. Microsoft employs multi-layered security controls and Zero Trust principles, and it offers Azure Confidential Computing to protect data in use (such that cloud operators cannot access your data during processing). In addition, Microsoft provides a wide array of security tools (over 200 security, compliance, and governance features) to safeguard applications and data. For example, all data is encrypted at rest and in transit by default, and Microsoft continuously monitors threats, leveraging over 65 trillion daily security signals to rapidly detect and respond to emerging risks. Microsoft’s compliance portfolio (with over 100 certifications) and robust security practices help customers fulfill regulatory and data protection obligations in the Microsoft Cloud.

Microsoft provides architectural framework guidance on designing for multi-cloud and portability scenarios. Microsoft Azure is highly compatible with open-source technologies, so designing your application with portable components is straightforward. For instance, you can use containerization and orchestration via Azure Kubernetes Service (AKS), or use databases like PostgreSQL/MySQL on Azure which can be migrated off since they use standard engines. It’s recommended to use Infrastructure-as-Code (IaC) templates (Azure Resource Manager templates or Terraform) to define your environment in a portable manner. Azure also integrates with CI/CD tools like GitHub that work across clouds. Multi-cloud and hybrid services such as Azure Arc and Azure Local can help you deploy Azure services on-premises or in other clouds, ensuring consistency and making workloads portable.

Yes – Microsoft supports the transfer or copy of your data out of Microsoft Cloud services to external destinations. Microsoft imposes no technical restrictions on moving your data off its cloud. At any point, you can retrieve all your customer data from Azure, including data related to Microsoft services like Microsoft 365, through standard mechanisms. Azure provides features like data export services, the Azure Data Box (for petabyte-scale data migrations via shipped hardware), and high-speed network options (e.g. Azure ExpressRoute or VPN) to help migrate data to other environments. Microsoft also does not require lengthy notice or special permissions to get your data out – you can initiate transfers on-demand and Microsoft offers free data egress out on premises or to another cloud provider. Additionally, Microsoft has contractual commitments ensuring customers can extract their data and that it will be deleted from Microsoft’s cloud after they leave (in line with data protection agreements).