Proof that American Big Tech companies can not offer sovereign clouds - despite the marketing hype they are creating around their “sovereign” branded products - was actually given by a Microsoft lawyer himself. After watching his testemony on YouTube, you will agree that any sovereign offering by Big Tech is nothing but “Sovereign Washing”.

But let’s dive into this a bit more and find out what happened and why digital sovereignty in Europe matter more than ever!

The questioning of the Microsoft lawyer in the French Senate took place on June 11th, 2025. Under oath, Microsoft’s legal chief for France, M. Anton Carniaux, admitted he cannot guarantee that data of French citizens and businesses stored in Microsoft datacenters - even if located in Europe - is safe from the U.S. silently accessing the data.

France to boycott Microsoft?

Consequently, France has decided to stop using US products such as Microsoft Teams and Zoom and is planning to replace these with a truly sovereign solution by 2027 in a first step to achieve strategic autonomy. For now, France and Europe did not stop using Microsoft over night, but things are changing, with real world consequences for American tech providers. Europe is slowly moving towards a digital sovereign future, focusing on protecting its critical infrastructures, and this is great news for everyone living in Europe!

Digital Sovereignty Definition

By definition, digital sovereignty is independent control over digital infrastructure such as communication, software, storage of data. When digitally sovereign you do not depend on a foreign provider or technology, in a best-case scenario you do not depend on any provider, but have your digital infrastructure set up in an independent and flexible way that allows easy and fast migration. The goal is to keep data and communication safe from intrusion and protect is in accordance with local legislation and security requirements.

US Big Tech often transfer data cross borders and gives access to US authorities, which infringes the EU general data protection regulation (GDPR) on how to protect personal information of European citizens. Thus, using US cloud services is not an option in Europe, it could even harm nation security and independence. To achieve digital sovereignty, European businesses and authorities must focus on local providers offering open source solutions with good migration options so that there is not new vendor-lockin taking place.

Microsoft blocking ICC account

Interestingly enough, 2025 saw another sovereignty wake-up call for Europe: The Chief Prosecutor of the International Criminal Court (ICC), a court based in The Hague and central to Europe’s upholding of human rights, suddenly found that his email account was shut down. The service provider? Microsoft. The reason? Mr. Trump. In February, Trump sanctioned International Criminal Court (ICC) for issuing arrest warrants for Israeli Prime Minister Benjamin Netanyahu and his former defense minister, Yoav Gallant. The court argued that the Israeli politicians have committed war crimes by restricting humanitarian aid in Gaza amid the war against Hamas, thus, harming civilians.

Israeli officials denied all charges, and, consequently, US President Donald Trump issued sanctions against the ICC saying that the court had committed “illegitimate and baseless actions targeting America and our close ally Israel”. Trump also called the warrants “baseless arrest warrants”.

Following these sanctions, the ICC has found itself faced with several issues:

• The chief prosecutor, Karim Khan, has lost access to his email; his bank accounts were frozen.
• American employees of the court risk arrest when traveling to the U.S.

Due to the blocking of Khan’s Microsoft email account, the court is facing severe issues in its day-to-day work.

Microsoft blocked email account based on U.S. sanction

Microsoft shut down Khan’s email account.

The blocking of Khan’s Microsoft email account took place because of an executive order signed by Trump which the U.S.-based company – Microsoft – fulfilled. This gets even more explosive when one considers that Microsoft - even if it wanted to - had to obey this order because of the legal and political situation.

The Open-Source Business Alliance (OSBA) told Heise that it considers Microsoft’s actions to be “unprecedented in this context and with this impact”, and that this incident proves that Europe needs digital sovereignty by choosing European-based tech services over U.S.-based Big Tech.

”This must be a wake-up call for all those responsible for the secure availability of state and private IT and communication infrastructures. … We cannot rely on companies that are not under our jurisdiction.”

Wake-up call for digital sovereignty

These incidents, indeed, are a wake-up call for digital sovereignty.

U.S. sanctions – unrelated to Europe and imposed by a foreign power – led to the shutdown of the digital communication of a leading public figure, the Chief Prosecutor of the International Criminal Court. Plus, a Microsoft lawyer swore under oath that data of Europeans can not be protected from U.S. access, even if Microsoft stores the data in its European data centers.

This marks a clear turning point in Europe’s relationship with foreign technology providers. If key figures in international law can be digitally silenced by a company subject to U.S. law, what does that say about our control – or lack thereof – over the very digital foundations we rely on? If U.S.-based services can not protect European data from access by U.S. authorities, what does that say about our security and data protection?

For years, European institutions have relied on a false promise of security and data protection by Silicon Valley tech giants. Cloud providers like Microsoft, Amazon, and Google have repeatedly assured us that they respect European law, including the GDPR, the DSA, and the DMA. These tech companies have built data centers within EU borders, and have pledged to protect personal data based on the rules laid out in the General Date Protection Regulation of the European Union. While at the same time Microsoft’s New Outlook uploads all data, including passwords, into the cloud, Microsoft’s Office 365 has been declared illegal for German schools because of data protection issues, and Denmark has banned Gmail from schools due to privacy concerns based on the GDPR. And these are just a few examples.

Jurisdiction trumps everything

Jurisdiction matters more than we used to think to protect critical infrastructure: European authorities should stick to European tech services.

In the light of all this, the confession by the Microsoft lawyer and the ICC incident have just put the final nails in the coffin. It reveals a deeper truth, one that Europeans must start acting upon!

Jurisdiction trumps geography. It doesn’t matter if your servers are in Frankfurt, Rome, or Paris – if your provider is subject to foreign law, if it has to share data with the American authorities based on the Cloud Act or Date Governance Act, your data is at risk.

And this possibility must be included in every worst case scenario of every business and every authority. The question is obvious: Is my data secure and protected – not just from external threats like malicious attackers, but also from internal threats stemming from the company hosting my data?

If political decisions made thousands of kilometers away can have immediate and severe consequences on European digital communications and European data, this poses a huge risk. One that you should not be taking. And with the recent Microsoft incidents, it’s no longer a theoretical threat. That is exactly what happened.

Dependency is a threat

Let’s imagine this was not about email, but about the energy sector.

Would Europe ever hand over control of its national power grids to foreign companies bound by non-European law? Would we trust a foreign supplier’s guarantee for 99.99% uptime (which is the standard uptime SLA agreement of cloud providers) while at the same time a foreign power could force them anytime to cut Europe’s power?

Of course not.

Yet this is how we’re managing our digital infrastructure in Europe.

We are blind to the risks, and much too trusting of American tech providers. Cloud platforms, communication tools, and email providers are core services that run our governments, schools, hospitals, and courts. And in most cases, European institutions have chosen American providers - while great email alternatives for businesses exist.

Europe has the services – let’s start using them!

What makes all this even more frustrating is that Europe doesn’t lack innovation; Europe has great tech services that are better than their U.S. equivalents. Particularly when it comes to tech services, Europe has much more on offer than some would expect – especially if you value privacy and security.

Across the continent, privacy-first, security-focused, and truly sovereign digital solutions are being developed. One of the best examples is Tuta, which offers secure, encrypted email and calendar tools, even with quantum-safe encryption. The email provider not only operates under German data protection laws with all company-owned servers based in German data centers, but it also uses the most advanced encryption technologies to protect businesses’ data.

So why don’t we see services like this one powering ministries, parliaments, and courts?

Because despite all the speeches about “strategic autonomy”, European tech is still often treated as a backup plan by the authorities – and most of them have not even started putting this plan into action. For decades, European authorities have relied on Microsoft’s products. Stemming from Microsoft’s integration into Windows, the most widely used OS since its launch in the 1980s, most businesses and authorities still use Microsoft Outlook for email, Microsoft Word, Excel, etc. While switching from Microsoft to European-based alternatives can’t be done in a day, authorities must start planning the switch.

Now it’s time to break free from the dependency on American tech!

Turn ON Privacy in one click.

Get

The sovereign cloud

There’s a saying in tech that goes as follows: There is no cloud, just other people’s computers.

When taking this concept into action, one has to ask themselves: On whose computer would I like to store my data? With an American tech provider – to which the U.S. (government, NSA, CIA, FBI, etc.) can potentially have full access? Even if the data stays in Europe, the control – the ability to operate, deny, or transfer access – remains elsewhere. As long as American tech providers hold the key, Europe does not own its data.

We need true sovereignty – by choosing European services that are built and operated under European law and that store the data solely in Europe, best with end-to-end encryption.

We are already seeing positive examples of Europeans achieving digital sovereignty, for instance the French city of Lyon is about to stop using Microsoft, the Ministry of Digitilization in Denmark wants to reduce its dependency on Microsoft, and the German state of Schleswig Holstein is in the process of replacing Microsoft Office with open source solutions.

So while not all of Europe is stopping to use Microsoft just yet, there’s more reason than ever to switch since Microsoft is using bait-and-switch tactics to get business users onto their paid plans by first offering a free version. This can be seen with the recent phasing out of free Microsoft Office licenses for NPOs. Even though Microsoft is making billions, it is now ending free offerings for NPOs forcing these organizations to fuel the tech giant’s profits instead of using their money for doing good.

Looking into a brighter future

The Tuta Team welcoming a brighter future!

If Europe wants to regain control of its digital infrastructure, we need a structural change; and an immense effort from all parties involved. But in the end, the effort will pay off. Not only by gaining sovereignty, but also by supporting and building a European tech industry – one that can easily compete with American and Chinese tech companies.

To achieve this, we don’t even need new laws, all we need is a commitment by the public sector. When Trump says “America first”, Europe must say “Europe first” – and in tech the gain is double:

1. A big share of what the public sector spends on European tech, they get back in the form of company taxes.
2. The public sector could help boost an already vibrating and innovative European tech industry to gain a competitive edge, not just in Europe but also abroad.

Make “European” a requirement for public procurement of tech products: EU institutions, governments and local authorities should make being “European” a requirement for procuring tech products. This way they can make sure that the services they purchase follow European data protection laws and are not under the influence of foreign governments.

Going forward, European and local authorities can make a real difference. All they have to do is get active!

Let’s build systems that adhere to European laws and regulations, protect European citizens and their data, and strengthen European independence.

Let’s stop borrowing digital power – and start generating our own. Together we can make the web a better place!