EU Data Boundary and Microsoft Sovereign Cloud, what does it mean for your data?

EU Data Boundary is Microsoft's commitment to store and process customer data and pseudonymized personal data within the EU and EFTA regions. It covers Microsoft 365, Dynamics 365, Power Platform, and most Azure services.

EU Data Boundary rolled out in three phases: phase 1 (customer data, January 2023), phase 2 (pseudonymized personal data, January 2024), and phase 3 (support data, February 2025). The project is fully complete. For the vast majority of European customers it means: your M365 data does not leave the EU.

Important nuances:

• •EU Data Boundary is included in all Microsoft 365 and Azure agreements, no extra license required
• •There are still limited scenarios where data may leave the EU (e.g. certain global support escalations)
• •Microsoft publishes a transparent service-by-service overview of what's covered

In 2026 Microsoft renamed their sovereignty offering from "Cloud for Sovereignty" to Microsoft Sovereign Cloud. It's a suite of models designed for governments and heavily regulated industries.

There are three deployment models:

1. Sovereign Public Cloud Runs in Microsoft-operated datacenters within geopolitical boundaries (e.g. EU Data Boundary). Adds customer-managed encryption keys, Data Guardian (operator access monitoring), and tamper-evident audit logs. Built on top of standard Azure with extra sovereignty controls.

2. Sovereign Private Cloud Runs in customer-owned or partner-operated datacenters, delivered via Azure Local and Microsoft 365 Local. For defense, critical infrastructure, and scenarios where you must operate disconnected from public cloud.

3. National Partner Clouds Localized instances operated jointly with approved national partners, typically relevant for public sector organizations with specific national-operator requirements.

This is one of the most misunderstood parts of Microsoft's cloud portfolio, so let's be explicit:

GCC (Government Community Cloud) and GCC High are only for US government organizations and their contractors. They are physically hosted in the US, operated by US citizens with security clearance, and designed to meet US regulations (FedRAMP, ITAR, CJIS, DoD IL5).

European organizations cannot buy or use GCC/GCC High. If someone offers it to you, it's either:

• •A misunderstanding
• •A US-based vendor trying to sell you something that doesn't apply here
• •A confusion with EU Data Boundary or Sovereign Cloud

For European requirements (NIS2, national compliance frameworks, regulator requirements for critical vendors), EU Data Boundary is the default choice, and Microsoft Sovereign Cloud is the upgraded option.

Microsoft officially opened their first Danish datacenter region Denmark East on March 26, 2026, with facilities in Høje Taastrup, Køge and Roskilde on Zealand.

What it means for Danish customers:

• •Data location choice on Azure: You can select Denmark East as the primary region, meaning data physically resides in Denmark
• •Lower latency for services running in Denmark East
• •GDPR advantage: Data stored in Denmark falls under full Danish and EU jurisdiction
• •For M365 specifically: Microsoft 365 services still use the Northern European primary region (Ireland) as default, but the new Danish datacenter gives Microsoft more capacity in the region

This especially helps industries with strict data residency requirements: healthcare, finance, energy, and the public sector. But it requires configuration. Azure services don't automatically pick Denmark East as their location.

Let me be direct: most European organizations don't need Microsoft Sovereign Cloud. EU Data Boundary covers the vast majority of requirements.

Sovereign Cloud (with extra licensing) becomes relevant when you have one of these profiles:

1. Government or municipal organizations with classified data Where you must be able to document that no non-EU citizen has potential access, not even Microsoft operations staff in the US in an escalated support case.

2. Critical infrastructure (NIS2 Annex I) Energy, water, transport, telecommunications. Here Sovereign Public Cloud's Data Guardian and operational transparency may be a real requirement from the regulator.

3. Defense and national security Here you likely need Sovereign Private Cloud (Microsoft 365 Local) or a National Partner Cloud.

4. Finance with specific regulator requirements around operator control E.g. requirements that you manage encryption keys yourself (Customer-Managed Keys) or that access to underlying infrastructure is logged in a specific way.

For regular SMBs, consulting firms, educational institutions without classified material, NGOs, and most private companies, the answer is no. EU Data Boundary is enough.

Our practical recommendations:

Regular SMB with no specific compliance requirements? Standard Microsoft 365 + Business Premium covers you. EU Data Boundary is already on.

SMB with GDPR-sensitive customer data? Business Premium + Conditional Access + Intune. Document your access management. Sovereign Cloud is overkill.

Public organization or heavily regulated industry? E3 or E5 as baseline. Consider Sovereign Public Cloud (extra licensing) if your regulator requires Data Guardian, customer-managed keys, or elevated operational transparency.

Defense, critical infrastructure, or classified data? Talk to a partner experienced with Microsoft 365 Local or Sovereign Private Cloud. It's not an off-the-shelf product.

Remember that sovereignty is about documentable control, not about owning a specific product. Many organizations can meet real sovereignty requirements with good Conditional Access, Customer Lockbox, and documented access policies on a regular M365 license.

If in doubt, start by getting clarity on what requirements your regulator or auditor actually demands. That's cheaper than choosing wrong.