Skip to main content Company News Official Microsoft Blog Microsoft On The Issues Source Asia Canada Latin America The Code of Us Conexiones AI Innovation Digital Transformation Diversity & Inclusion Sustainability Work & Life Microsoft 365 Azure Copilot Windows Surface Xbox Deals Small Business Support Windows Apps Outlook OneDrive Microsoft Teams OneNote Microsoft Edge Moving from Skype to Teams Computers Shop Xbox Accessories VR & mixed reality Certified Refurbished Trade-in for cash Xbox Game Pass Ultimate PC Game Pass Xbox games PC games Microsoft AI Microsoft Security Dynamics 365 Microsoft 365 for business Microsoft Power Platform Windows 365 Small Business Digital Sovereignty Azure Microsoft Developer Microsoft Learn Support for AI marketplace apps Microsoft Tech Community Microsoft Marketplace Software companies Visual Studio Microsoft Rewards Free downloads & security Education Gift cards Licensing Unlocked stories View Sitemap

Tags:

Why Digital Sovereignty Is About Control, Not Location 

By
Tilemachos Moraitis, Governmental Affairs Director for Greece, Cyprus, Malta, Adriatic at Microsoft

Opinion by: Tilemachos Moraitis, Governmental Affairs Director for Greece, Cyprus, Malta, Adriatic at Microsoft 

For years, Europe’s cloud debate revolved around a simplistic question: “Where is my data stored?” That question once offered reassurance. Today, it no longer defines sovereignty. 

In an environment shaped by geopolitical uncertainty, escalating cyber threats, and rapid AI adoption, data location does not guarantee control. What matters instead, is whether organisations can continue operating when pressure is highest — whether systems remain secure, available, and recoverable in the face of disruption. 

When leaders describe digital sovereignty in practical terms, the focus tends to narrow to three questions: where data is stored and processed; who controls access and governance; and whether systems can continue to operate securely under adverse conditions. Sovereignty, in other words, is about operational control under stress — not geography. 

Across Europe, and increasingly in Bulgaria and the wider Adriatic region, digital sovereignty has become a board‑level topic for both public and private sectors. This conversation is not about retreating from global technology ecosystems. It is about ensuring authority, resilience, and continuity in a highly interconnected world. 

This shift is reflected in recent global research. The World Economic Forum’s Global Cybersecurity Outlook 2026 shows that twothirds of organisations have adjusted their cybersecurity strategies in response to geopolitical instability, while AI is now seen as the most significant driver of cybersecurity change. Sovereignty today is measured by preparedness and resilience, not by physical borders. 

From Residency to Resilience 

For years, digital sovereignty was often equated with data residency. Today, that understanding has evolved. In a cloud‑ and AI‑driven world, sovereignty extends beyond where data sits to how it is governed, protected, and operated.  

Modern cloud platforms are designed to be distributed by nature, combining geographic diversity with security, redundancy, and compliance. This model supports both regulatory alignment and innovation at scale. As AI becomes a critical driver of productivity and economic growth, resilience is built through trusted architectures, strong security controls, and customer choice — not isolation. 

European regulation increasingly reflects this reality. Rather than retreating into fragmentation, the EU has defined sovereignty through enforceable technical and operational standards. The NIS2 Directive strengthens cybersecurity governance across critical sectors. DORA embeds resilience requirements for financial services and their technology providers. The EU AI Act introduces accountability for high-risk AI systems, while the Data Act mandates data portability and easier cloud switching. Therefore, it is safe to argue that EU regulatory frameworks promote technical quality standards rather than demands that are geo-oriented.  

What This Means for Bulgaria

Bulgaria does not host a local Microsoft cloud datacenter region, but it operates within one of the world’s most advanced regulatory environments — the European Union. In practice, workloads from Bulgaria are served from nearby EU cloud regions such as Milan, Vienna, Warsaw, and Frankfurt. 

This distributed architecture supports low latency, built‑in redundancy, and alignment with EU data‑protection and cybersecurity requirements. In this context, sovereignty is best understood as the ability of digital systems to remain secure, resilient, and governed in line with EU rules — regardless of the physical distance to a server. 

AI Redefines Digital Sovereignty 

AI fundamentally changes what digital sovereignty means. As AI systems encapsulate organisational knowledge, automate decisions, and shape competitive advantage, sovereignty increasingly depends on control over models, identities, and encryption keys — the elements that determine how technology is governed and secured. 

When control over critical digital assets weakens, their strategic value can dissolve long before any data physically moves. Ukraine made this reality unmistakably clear. Today, a similar pattern is emerging in parts of the Middle East, where organizations are moving data abroad in the name of sovereignty—disrupting longstanding data localization policies that just couldn’t serve national interests and security. We have seen the same logic at work after natural disasters. Wildfires and floods in countries such as Germany and Slovenia forced organizations to pivot quickly to cloud services, not as a matter of convenience, but of continuity and resilience.  

And this is why software choices alone — including open source — are not a sufficient guarantee of sovereignty. What ultimately matters is governance: who manages access, who operates the systems, and who holds the encryption keys. 

Microsoft expanded their efforts with Microsoft Sovereign Cloud. Source: Judson Althoff – CEO, Microsoft Commercial Business

Microsoft’s approach focuses on putting these controls into customers’ hands. This includes options such as customer‑managed encryption keys, EU‑based operations, and sovereign or disconnected environments. This enables organisations to work with both proprietary and open‑source models — including the more than 11,000 models available through Microsoft Foundry — while maintaining clear governance and oversight. 

Cybersecurity: The Real Test 

Cybersecurity is where digital sovereignty is tested in practice. According to the Microsoft Digital Defense Report, organisations now face more than 600 million cyberattacks every day, spanning ransomware, phishing, identity compromise, and nation‑state activity. Microsoft tracks over 1,500 unique threat groups globally and analyses more than 100 trillion security signals daily.  

Top ten global sectors most impacted by threat factors, January-June 2025. Source: Microsoft Threat Intelligence

Across Europe, public administration remains among the most targeted sectors. To help address this challenge, Microsoft has established the European Security Program (ESP), which provides governments — including EU member states, accession countries, and partners — with AI‑driven threat intelligence, early warnings, and close coordination to help detect and disrupt sophisticated cyberattacks and foreign influence operations.

Importantly, Microsoft has also made a public Digital Resilience Commitment, including a legally binding pledge to contest any order to suspend or restrict cloud services for European governments and critical institutions — reinforcing sovereignty through continuity of service, even under geopolitical pressure.

Your data, your control  

Meeting modern sovereignty expectations requires a technology model built on verifiable control and enforceable commitments. Microsoft’s approach to digital sovereignty in Europe has evolved over more than a decade of investment in privacy, security, and compliance. There is no one‑size‑fits‑all model. It is a spectrum of choices that allows organizations to balance control, compliance, and innovation based on their regulatory and risk requirements.

Microsoft therefore offers sovereign public and private cloud options designed for different operational needs. Through initiatives such as the EU Data Boundary and capabilities like Data Guardian, customers can keep their data within the EU and maintain control over who can access it and how it is manage 

Across Microsoft’s cloud and AI stack, one principle remains consistent: your data stays yours. By combining customer‑controlled encryption, confidential computing, and purpose‑built sovereign architectures, organizations can innovate with cloud and AI while staying aligned with European laws and continuity expectations.  

A Test of Leadership 

Data is sovereign where control is real — where encryption remains in the customer’s hands, systems withstand disruption, and operations continue under pressure.

Ultimately, digital sovereignty is not only about protection; it is about enabling European organisations and economies to innovate, compete, and grow with confidence in a rapidly evolving global digital landscape.

It is a test of leadership.

Sources: 

  1. Microsoft announces new European digital commitments (April 30, 2025) 
  1. Microsoft launches new European Security Program – Microsoft On the Issues (June 4, 2025) 
  1. Announcing comprehensive sovereign solutions empowering European organizations (June 16, 2025) 
  1. Unlocking data to advance European commerce and culture – Microsoft On the Issues (July 20, 2025) 
  1. Microsoft strengthens sovereign cloud capabilities with new services (November 4, 2025) 
  1. Microsoft offers in-country data processing to 15 countries to strengthen sovereign controls for Microsoft 365 Copilot (November 4, 2025) 
  1. Microsoft Sovereign Cloud adds governance, productivity and support for large AI models securely running even when completely disconnected  (February 25, 2026) 
  1. Global Technology Leaders Launch Trusted Technology Alliance (February 13, 2026) 
Surface Pro Surface Laptop Surface Laptop Studio 2 Copilot for organizations Copilot for personal use AI in Windows Explore Microsoft products Windows 11 apps Account profile Download Center Microsoft Store support Returns Order tracking Certified Refurbished Microsoft Store Promise Flexible Payments Microsoft in education Devices for education Microsoft Teams for Education Microsoft 365 Education How to buy for your school Educator training and development Deals for students and parents AI for education
Microsoft AI Microsoft Security Dynamics 365 Microsoft 365 Microsoft Power Platform Microsoft Teams Microsoft 365 Copilot Small Business Azure Microsoft Developer Microsoft Learn Support for AI marketplace apps Microsoft Tech Community Microsoft Marketplace Software companies Visual Studio Careers About Microsoft Company news Privacy at Microsoft Investors Diversity and inclusion Accessibility Sustainability
English (United States)
Your Privacy Choices Opt-Out Icon Your Privacy Choices
Consumer Health Privacy Sitemap Contact Microsoft Privacy Manage cookies Terms of use Trademarks Safety & eco Recycling About our ads