Digital sovereignty in Europe will not be decided in press releases, but in procurement choices and legal detail.
BeLibre has applied the European Commission’s Cloud Sovereignty Framework to Microsoft’s cloud stack and produced a full SEAL‑based assessment across all eight sovereignty objectives. The focus on Microsoft is deliberate: on multiple occasions, people at Microsoft were asked, but did not answer how its services perform against this framework, while an estimated 90–95% of Belgian government services currently depend on Microsoft infrastructure.
In its public messaging, Microsoft rightly highlights initiatives such as the EU Data Boundary, the Sovereign Public Cloud, national partner clouds (Delos/Bleu) and extensive security certifications as proof that it “goes beyond compliance” on digital sovereignty. These are real developments, and our analysis takes them fully into account. At the same time, the European Commission’s framework asks a different question than most marketing material: under which legal systems, governance structures and supply‑chain dependencies does the cloud actually operate, and what ceilings do these impose on sovereignty – even after mitigations? A SEAL‑based assessment makes these ceilings visible, without assuming that more features or more certifications automatically translate into higher sovereignty.
The dossier therefore distinguishes clearly between what Microsoft can credibly offer (e.g. strong security controls, rich compliance tooling, EU‑only data residency for many workloads) and what it cannot structurally change (e.g. exposure to US extraterritorial laws such as the CLOUD Act and FISA, non‑EU hardware and software provenance, proprietary core platforms). A similar assessment could be made for AWS or Google – the structural ceilings of US jurisdiction are not unique – but this first dossier addresses the dominant vendor in our public sector and the one on which Belgian administrations overwhelmingly rely today.
For policymakers, CIOs and architects who need to justify their choices in front of parliament, courts and citizens, this document is meant as a practical reference: it takes Microsoft’s own public commitments seriously, but measures them against the EC’s sovereignty criteria rather than against marketing narratives.
Summary
| MS Standard Public Cloud | MS EU Data Boundary | MS Sovereign Public Cloud | MS National Partner Cloud |
|---|---|---|---|
 |
 |
 |
 |
The different icons refer to the sovereignty domains (SOV) while the rings refer to the sovereignty levels, from SEAL‑0 (inner) to SEAL‑4 (outer). Details and context are given in the full document.
Reference
Corrections are welcome and can be sent to the author mentioned in the document.
For policymakers, CIOs and architects who need to justify their choices in front of parliament, courts and citizens, this document is meant as a practical reference.