Microsoft unveils finalized EU Data Boundary • The Register


03/03/2025


Microsoft has completed its EU data boundary. However, analysts and some regional cloud players are voicing concerns over dependencies on a US entity, even with the guarantees in place.


The EU Data Boundary has been a multi-year effort by Microsoft to allow its European customers to store and process data for its core cloud services within the EU and European Free Trade Association (EFTA) regions.

The US-based biz said: “The EU Data Boundary reflects Microsoft’s commitment to delivering unmatched cloud services that support European transparency, protect privacy, and enhance customer control. It’s a reflection of our commitment to Europe and is part of a wide range of residency capabilities and solutions we provide to our customers.”

Microsoft claims it has invested over $20 billion in AI and cloud infrastructure across the continent. It has added controls over where Microsoft 365 customer data is located, created the Microsoft Cloud for Sovereignty, and implemented the EU Data Boundary itself.

While Microsoft might have met the letter of the law, it is still a US company, and EU corporations are facing up to a new reality: is dependence on a US cloud, even one with an EU Data Boundary, a good idea?

Bert Hubert, a part-time technical advisor to the Dutch Electoral Council, has his doubts, and expressed worry about dependency on the clouds of Microsoft and other US vendors during an interview with The Register.

Hubert is not alone. Frank Karlitschek, CEO of Nextcloud, said, “The Cloud Act grants US authorities access to cloud data hosted by US companies. It does not matter if that data is located in the US, Europe, or anywhere else.”

In an email to The Register, he added, “There is also the question of what happens if the US government decides to cut off services in Europe, making security updates impossible.”

Nader Henein, Gartner VP Analyst for Data Protection and AI Governance, noted Microsoft’s move does not remove US dependency “because the data centres are owned and operated by Microsoft.”

“We are seeing examples of completely sovereign offerings, such as Bleu, which is a joint venture between Orange and Capgemini, which then licenses Microsoft products that will run on European owned and operated infrastructure.”

Henein was also less concerned than Karlitschek about the possibility of Microsoft being instructed by the US government to cut off updates, yet said of the continuing US dependency, “It still does not remedy the scenario where Microsoft is not allowed to provide software updates.”

This scenario, he added, is not likely as Microsoft and other SaaS providers continue to operate in China where geopolitical tensions with the US are far more strained than those with Europe.

European cloud vendor OVHcloud claimed Microsoft’s EU data boundary validated its, and others’, advocacy for data sovereignty but cautioned, “All offers are equal.

“While some guarantee an immunity towards extraterritorial data access requests from non-European authorities, others only focus on data residency.

“OVHcloud considers that European data residency does not protect against such extraterritorial accesses. Ultimately, users should have the freedom to choose, in full transparency, their offer and level of data protection they need knowing the risks associated with extraterritorial legislations data access request.”

Mark Boost, CEO of Civo, told us: “Microsoft is the latest hyperscaler to announce a major data residency scheme with great fanfare – without offering any guarantees of sovereignty. True data sovereignty ensures data is only ever subject to the jurisdiction in which it is stored and processed. Data residency, however, concerns where the data is stored geographically. With data residency, the data can be subject to the laws of a third country depending on where the cloud provider is headquartered.

“In addition, Microsoft’s EU Data Boundary only applies to core services. Any services outside this bracket, as well as technical support, will continue as is, with data being processed anywhere in the world. Until users are assured of total transparent data sovereignty, full transparency of data flows including a guarantee that their data will not be used to train AI models without their express consent, customers will continue to have valid concerns over security and privacy.”

We asked Francisco Mingorance, general secretary at EU cloud trade body Cloud Infrastructure Services Providers of Europe (CISPE), about the attitude towards members’ clients on holding data on the infrastructure of US cloud providers.

Mingorance said: “Choice is essential for Europe’s digital economy. Any tariff on digital services would be an own goal in a market with limited short-term alternatives. Now more than ever, investment is needed to reinforce sovereign options and strategic autonomy in key areas. But, this must not lead to protectionism or the exclusion of any providers willing and able to comply with Europe’s regulations and uphold its values.”

“A digital trade war benefits no one. Tariffs or taxes imposed by either side risk fracturing the global cloud ecosystem and will simply increase prices for customers, inhibit growth and undermine innovation in this critical sector just as all economies are looking to AI, cloud and digitalisation to unlock productivity and create prosperity. Uncertainty over the legality, availability, reliability and affordability of overseas cloud services will doubtless factor into the decisions of European customers moving to the cloud.”

“The solution for Europe must be to invest in a distributed, multi-cloud future that maximizes the capacity, capability and differentiation of Europe’s cloud infrastructure providers to ensure customers are free to run the services and software they need in the clouds of their choice.”

The world has changed since Microsoft began its lengthy response to the fallout from the Schrems II ruling, which invalidated the Privacy Shield upon which data could be exchanged between the EU and US. In those far-off days, the concern was where a company’s data was being processed and stored.

Dr Alberto P. Marti, veep of Open Innovation at OpenNebula Systems, and Chair of the Industry Facilitation Group at IPCEI-CIS, told The Register:

“Data residency is just one of many aspects of what we currently understand as digital sovereignty. While Microsoft and other hyperscalers market ‘sovereign cloud’ solutions, they keep expecting European customers to rely on them for providing the same critical infrastructures and technologies that have turned Europe into a digital colony.

“This raises concerns about the potential influence of external regulations on European data and operations, and doesn’t tackle the fundamental issues around EU digital sovereignty.

“The reality is that US corporations like Microsoft are one Executive Order away from unleashing absolute chaos across the EU. Fortunately, there’s growing awareness in Europe about the need for greater technological autonomy. It’s more important than ever for EU businesses and governments to resort to truly sovereign, open source alternatives—such as those emerging from initiatives like the €3B IPCEI Cloud.”

Today, EU companies are faced with an altogether more complicated dilemma. Given the unpredictable nature of the country’s administration, can a US company be trusted at all? ®
