Guest commentary by Andreas Knols, Director enthus cloud
Microsoft’s announcement that M365 Copilot data will henceforth be processed on German servers deserves neither reflexive scepticism nor uncritical applause. It deserves precision.
Key Takeaways
- Microsoft guarantees physical data residency: M365 Copilot queries and contextual data will be processed in German data centres, no longer in the US or Ireland.
- The CLOUD Act remains in force: Microsoft remains a US company. Server location does not alter the applicable legal framework in the event of access.
- BSI C3A criteria catalogue makes sovereignty auditable: residency, portability, subcontractors, access rights and legal jurisdiction form an operational template before rollout.
What Microsoft is concretely pledging: physical data residency for inference processes inside Germany. When users invoke Copilot in Word, Teams or Outlook, their queries and contextual data are processed on servers in German data centres – not in the US, not in Ireland. For many companies we guide on their cloud journey, this is a substantial improvement over the previous state.
Yet the move answers one important question. Not the decisive one.

What physical residency does not resolve
Jurisdiction. Microsoft remains a US company. The 2018 CLOUD Act obliges US companies, under defined conditions, to surrender data on official request – irrespective of where those data are physically stored. A German data centre does not alter the provider’s corporate structure; it merely changes the server’s address.
This is neither a veiled reproach nor a hidden critique. It is a statement of the legal reality – and one that Microsoft itself cannot overturn, because it is rooted in corporate structure, not infrastructure.
Anyone reading Microsoft’s sovereign commitment as a complete answer to the sovereignty question has overlooked one dimension: where a server stands and which legal order applies in the event of doubt are two distinct statements. The first Microsoft has clarified with its announcement. The second remains open.
What the BSI Catalogue Now Delivers
This distinction is precisely what the BSI’s C3A criteria catalogue, published on 27 April 2026, is designed to address. It transforms sovereignty claims into verifiable criteria – not as a political manifesto, but as an operational grid: residency, portability, transparency over sub-contractors, access rights, and explicitly: the applicable legal framework in the event of access.
Microsoft’s announcement meets a relevant portion of these requirements under this grid. It does not meet them all. That is not a weakness on the provider’s part – it is the finding of an honest analysis. And that is precisely the value of the catalogue: it compels precision where assertion once sufficed.
| Sovereignty Dimension | Microsoft’s Current Commitments | Open Questions |
|---|---|---|
| Physical Residency | Inference data in German data centres | Address issue resolved |
| Jurisdiction / CLOUD Act | unchanged: US corporate structure | Legal framework in case of access remains open |
| BSI C3A Grid | relevant portion met | not all criteria covered |
What Decision-makers Should Clarify Before Roll-out
Not: avoid M365 Copilot. Not: take the announcement at face value and sign the contract unread.
Instead: ask three questions – preferably before the go-live decision is made. First: what does Microsoft commit to contractually – and what appears only in the product announcement? Second: what disclosure obligations does Microsoft have to state authorities, and under which legal framework? Third: if the answers to questions one and two change – can I migrate without prohibitive costs?
We ask these questions in every cloud-architecture project. The answers determine which data belongs in which environment – and which does not. This is not a compliance exercise. It is architectural craftsmanship.
Microsoft’s move is a positive signal – seeing the market leader respond to sovereignty requirements is relevant for us as cloud practitioners. But a signal is not a contract. Who asks the right architecture question today need not answer it under pressure tomorrow.
About the Author: Andreas Knols oversees enthus cloud, the Managed Private Cloud offering from enthus, and supports mid-sized companies in building sovereign, resilient cloud architectures.
Frequently Asked Questions
What exactly does Microsoft mean by Sovereign Data Processing?
Physical data residency for inference processes within Germany. Requests and contextual data from M365 Copilot are processed on servers in German data centers, not in the US or Ireland.
Why isn’t physical data residency enough for sovereignty?
Because it doesn’t address jurisdiction. Microsoft remains a US company, and the CLOUD Act of 2018 obliges US providers to surrender data under certain conditions, regardless of physical storage location. Server address and applicable legal framework are two different statements.
What does the BSI C3A criteria catalog achieve?
It makes sovereignty claims auditable. The operational framework covers residency, portability, transparency over subcontractors, access rights, and explicitly the applicable legal framework in case of access. Published on 27 April 2026.
Which three questions should decision-makers clarify before rollout?
First: what does Microsoft contractually guarantee, and what appears only in the product announcement? Second: what disclosure obligations does Microsoft have to government agencies, and under which legal framework? Third: if the answers change, can I switch without prohibitive migration costs?
Does that mean avoiding M365 Copilot?
No. But the architecture question belongs before the rollout decision, not after. The answers determine which data goes where and which does not. This isn’t a compliance exercise – it’s architectural craftsmanship.
Source title image: panumas nikhomkhai / Pexels