| SOV-1 Strategic Sovereignty | SEAL-1 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-1 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-3 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 1. Entirely outside the EU | 0/125 | SEAL-1 | high | foreign_parent (Microsoft Corp, Redmond WA) -> controlling entity entirely outside the EU -> SOV-1.1 opt1. (src: https://www.microsoft.com/en-us/investor) |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | high | Microsoft is one of the world's largest US-listed companies; takeover/transfer to a non-EU sovereign entity is very unlikely (kept per instruction; all-seal-4 factor). |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | medium | Roadmap set centrally by Microsoft US; EU customers influence only via 'voice of the customer' channels, no binding EU governance -> foreign-set roadmap -> SOV-1.3 opt2. |
| SOV-1.4 | Financial independence from non-EU capital | 1. Almost entirely relying on non-EU funding | 0/125 | SEAL-4 | high | Funded by US capital markets and global shareholders; funding almost entirely non-EU (kept; all-seal-4 factor). |
| SOV-1.5 | EU economic contribution | 2. Some | 31/125 | SEAL-4 | medium | Substantial EU data-centre investment but bulk of value capture, IP and profit accrues to the US parent -> 'some' EU economic contribution (kept; all-seal-4 factor). |
| SOV-1.6 | Participation in EU strategic programs | 2. Limited participation | 31/125 | SEAL-4 | low | Gaia-X member and some EU engagement but not a core EU strategic-program (IPCEI-CIS) participant -> limited participation (kept; all-seal-4 factor). |
| SOV-1.7 | Alignment with EU industrial strategies | 2. Existing action plan | 42/125 | SEAL-4 | low | Published European digital sovereignty commitments (EU Data Boundary, Sovereign Cloud) constitute an existing action plan rather than EU-governed measured achievement (kept; all-seal-4 factor). |
| SOV-1.8 | Resilience to cut-off | 3. Can continue temporarily per contractual agreement | 63/125 | SEAL-2 | medium | No own_stack, but the Microsoft Sovereign Cloud / EU Data Boundary offering runs in EU regions with EU-resident operations and contractual continuity arrangements, so the qualified EU offer can continue operating temporarily per contractual agreement on a parent cut-off -> opt3 (seal 2). Normalised to opt3 across the US-hyperscaler cluster (same EU-region continuity profile as AWS/Oracle); an EU-region offering does not 'stop on cut-off' more than a peer's. (src: https://learn.microsoft.com/en-us/privacy/eudb/eu-data-boundary-learn) |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 2. Mixed EU/non-EU | 84/167 | SEAL-1 | high | Contracts use Microsoft Ireland/EU law for EU customers but the US parent and US law remain in play -> mixed EU/non-EU jurisdiction -> SOV-2.1 opt2. (src: https://www.microsoft.com/en-us/trust-center/privacy/data-access) |
| SOV-2.2 | Extraterritorial laws exposure | 3. EU subsidiary with contractual protections | 84/167 | SEAL-1 | high | No certified immunity: EU contracting subsidiary with contractual data-protection protections (EU Data Boundary/Data Guardian/'Defending Your Data'), but a US-parented group's EU subsidiary is compellable via the parent and holds no SecNumCloud/EUCS-High -> EU subsidiary with contractual protections (opt3, seal 1). Normalised to opt3 across the cluster. (src: https://learn.microsoft.com/en-us/privacy/eudb/eu-data-boundary-learn) |
| SOV-2.3 | Data access pathways for non-EU authorities | 2. Can compel access without notification, specific cases | 42/167 | SEAL-1 | high | foreign_parent: under US CLOUD Act/FISA 702 Microsoft can be compelled to provide data without notification in gag-ordered cases (confirmed under oath before the French Senate); cannot refuse lawful US orders -> SOV-2.3 opt2 (seal 1 cap). (src: https://blogs.microsoft.com/on-the-issues/2025/04/30/european-digital-commitments/) |
| SOV-2.4 | Export control restrictions | 3. Share of revenues >50% in the EU | 84/167 | SEAL-2 | medium | Subject to US EAR, but >50% of relevant cloud revenue/operations is EU for European customers and no current export restriction targets EU Member States -> SOV-2.4 opt3. |
| SOV-2.5 | Origin of IP | 1. Entirely outside the EU | 0/167 | SEAL-4 | high | Core platform IP (Windows, Hyper-V, Azure control plane, services) developed and owned by Microsoft in the US -> IP origin entirely outside the EU (kept; all-seal-4 factor). |
| SOV-2.6 | IP holder jurisdiction | 1. Non-EU law, single country | 0/167 | SEAL-3 | high | IP held by Microsoft Corporation under US law, a single non-EU country -> SOV-2.6 opt1. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 4. Customer primary control but provider can read data | 150/200 | SEAL-3 | high | Customer-managed keys (Key Vault, Managed HSM, BYOK) give primary control, but Microsoft operates the platform and (absent confidential computing) can read data -> customer primary, provider can read -> SOV-3.1 opt4. |
| SOV-3.2 | Transparent data flows & access logs | 4. Full customer-controlled visibility, not real-time | 150/200 | SEAL-3 | medium | Azure Monitor, access transparency logs and Customer Lockbox give full customer-controlled visibility but provider-mediated/near-real-time, not independent real-time -> SOV-3.2 opt4. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | medium | Deletion documented per policy with internal validation but no independently verifiable cryptographic proof of irreversible erasure -> policy-only -> SOV-3.3 opt3. |
| SOV-3.4 | Data location strictly in EU/EEA | 4. EU by default, tightly controlled exceptions | 150/200 | SEAL-1 | high | Not eu_exclusive: EU Data Boundary stores/processes data EU-by-default with tightly controlled exceptions (security ops, some AI, lawful US orders); third-country fallback not eliminated, and it is not an air-gapped realm -> SOV-3.4 opt4 (seal 1). Above the seal-0 gate but genuinely below AWS ESC / Oracle Sovereign Cloud isolated realms (opt5). (src: https://learn.microsoft.com/en-us/privacy/eudb/eu-data-boundary-learn) |
| SOV-3.5 | AI services sovereignty | 2. Mostly non-EU: licensed AI, chip dependency | 50/200 | SEAL-2 | medium | Azure AI (Azure OpenAI, hosted models) relies on largely non-EU/licensed models on foreign accelerators (NVIDIA) with chip dependency -> mostly non-EU AI -> SOV-3.5 opt2. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | high | Documented data export, Azure Migrate and standard APIs provide formal migration services, though proprietary managed services create lock-in -> SOV-4.1 opt4. |
| SOV-4.2 | Ability to operate without foreign dependencies | 1. Critical ops delivered by non-EU teams | 0/167 | SEAL-1 | high | Critical platform ops, engineering and follow-the-sun support delivered substantially by non-EU (US/global) teams; no eu_ops -> SOV-4.2 opt1. |
| SOV-4.3 | Skill availability in the EU | 2. Mixed, majority outside EU | 42/167 | SEAL-1 | medium | Engineering/SRE talent is a global team with the majority outside the EU, centred in the US -> SOV-4.3 opt2. |
| SOV-4.4 | Support channels | 2. Mixed, majority outside EU | 42/167 | SEAL-2 | medium | Support is a global follow-the-sun model with majority of capacity outside the EU, though EU support tiers exist -> SOV-4.4 opt2. |
| SOV-4.5 | Documentation & knowledge transfer | 2. EU optional, not enforced | 42/167 | SEAL-2 | low | Documentation/knowledge is global (Microsoft Learn, global repos); EU residency optional not enforced -> SOV-4.5 opt2. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 2. Service would stop with delay | 42/167 | SEAL-2 | low | Critical functions use non-EU subcontractors (the US parent); if cut off the service would stop with a delay for customer reaction rather than continuing autonomously -> SOV-4.6 opt2. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | medium | Some supply-chain/hardware info published but not full physical component provenance -> partial disclosure -> SOV-5.1 opt2. |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | medium | Server/silicon hardware largely manufactured outside the EU (US/Asia) under Microsoft/ODM designs with only partial disclosure -> SOV-5.2 opt2. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/embedded code provenance (BIOS/BMC/silicon firmware) only partially disclosed, largely non-EU vendors (kept; all-seal-4 factor). |
| SOV-5.4 | Origin of software | 2. Foreign origin, partial disclosure | 36/143 | SEAL-2 | high | foreign_core: Azure platform software is foreign-origin (US Microsoft), proprietary, with partial disclosure via source-available/security-review programs but not EU-maintained -> SOV-5.4 opt2 (seal 2 ceiling). |
| SOV-5.5 | Software build/release jurisdiction | 1. Non-EU control & execution | 0/143 | SEAL-1 | medium | Software build and release controlled and largely executed by Microsoft in the US -> non-EU control & execution -> SOV-5.5 opt1. |
| SOV-5.6 | Single point of dependency | 2. Mostly non-EU, undocumented | 36/143 | SEAL-1 | medium | Critical services depend predominantly on the non-EU parent (Microsoft US) and its global suppliers, with limited public documentation of all critical dependencies -> mostly non-EU, undocumented -> SOV-5.6 opt2. |
| SOV-5.7 | Supply chain transparency | 2. Some suppliers auditable | 36/143 | SEAL-1 | medium | Audits of some suppliers and a supplier program exist, but the full supply chain is not independently auditable by customers -> some suppliers auditable -> SOV-5.7 opt2. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 3. Mixed (partial openness) | 100/200 | SEAL-2 | medium | Many open/standards-based APIs but also significant proprietary services and formats -> mixed/partial openness -> SOV-6.1 opt3. |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | medium | Open standards adopted for some core services (Kubernetes/AKS, OIDC, OData) but not as a comprehensive policy across all services -> partial core adoption -> SOV-6.2 opt3. |
| SOV-6.3 | Open source availability | 2. Source available for review, strict rights | 50/200 | SEAL-2 | medium | foreign_core: Azure platform is closed-source; source at best available for limited review under strict rights, not openly governed -> SOV-6.3 opt2 (seal 2 ceiling). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | medium | Extensive architecture documentation, reference architectures and transparency program give meaningful public insight into service architecture -> SOV-6.4 opt3. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | Azure HPC is EU-hostable but runs a foreign hardware/software stack (US/Asia silicon, NVIDIA accelerators, Microsoft stack) -> EU-hosted, foreign stack -> SOV-6.5 opt2. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 4. EAL3 | 107/143 | SEAL-3 | medium | Holds BSI C5 plus ISO 27001 + SOC 2 (and ENS); no SecNumCloud/EUCS-High. Per key, a high-assurance EU/national cloud certification (BSI C5 / ENS-High) maps to EAL3 -> SOV-7.1 opt4 (seal 3). Normalised across the cluster (all five hold C5). (src: https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-germany-c5) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 5. Fully compliant to all, independently audited | 143/143 | SEAL-4 | high | Independently audited GDPR/NIS2/DORA support and extensive certifications (ISO 27001/27017/27018, SOC 1/2/3, C5, ENS, HDS) -> full independently audited compliance (kept; all-seal-4 factor). |
| SOV-7.3 | EU-based SOC & incident handling | 2. Hybrid EU/non-EU | 36/143 | SEAL-1 | medium | Global SOC with EU components and EU Data Boundary security ops, but incident handling/threat intel is a hybrid EU/non-EU global operation -> SOV-7.3 opt2. |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | medium | Customers get full direct access to security monitoring/logs (Sentinel, Defender, Azure Monitor) storable in EU regions, though tamper-proof immutability is not default -> SOV-7.4 opt4. |
| SOV-7.5 | Disclosure of incidents | 4. Partial compliance, monitored flow, SLAs | 107/143 | SEAL-3 | high | GDPR/NIS2-aligned incident disclosure with contractual SLAs and a monitored notification flow, but not full real-time CSIRT-network sharing -> SOV-7.5 opt4. |
| SOV-7.6 | Maintenance autonomy | 2. Limited autonomy (vendor schedules) | 36/143 | SEAL-1 | medium | As a managed hyperscaler, patching and platform maintenance follow Microsoft's schedules with limited customer control -> limited autonomy -> SOV-7.6 opt2. |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | medium | No tender-grade audit_rights: auditability relies on Microsoft-provided audit reports and constrained audit rights, not full independent audit by any entity -> SOV-7.7 opt2. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 4. PUE < 1.3 | 188/250 | SEAL-4 | high | Newer European data centres operate at PUE ~1.12-1.16 (fleet design PUE 1.12), in the PUE < 1.3 band, with a published efficiency roadmap -> SOV-8.1 opt4. (src: https://blogs.microsoft.com/on-the-issues/2024/05/15/microsoft-environmental-sustainability-report-2024/) |
| SOV-8.2 | Hardware reuse & recycling | 4. Circular economy, EU-aligned | 188/250 | SEAL-4 | medium | Circular Centers and a documented circular-economy hardware reuse/recycling program aligned with EU circular-economy goals -> circular economy, EU-aligned -> SOV-8.2 opt4. |
| SOV-8.3 | Environmental impact reporting | 4. Detailed EU methodology | 188/250 | SEAL-3 | high | Detailed annual environmental/sustainability reports with carbon, water and waste methodology, though not EU-authority-audited -> detailed EU methodology -> SOV-8.3 opt4. |
| SOV-8.4 | Energy supplies | 4. Only EU energy supplies (high renewable) | 188/250 | SEAL-4 | medium | Matches 100% of consumption with renewable energy and signs EU PPAs; European regions use EU energy supplies with high renewable content (kept; all-seal-4 factor). (src: https://blogs.microsoft.com/on-the-issues/2024/05/15/microsoft-environmental-sustainability-report-2024/) |