
Few topics occupy IT decision-makers in Europe right now as much as the question of who actually owns their digital infrastructure – legally, technically, and politically. Tariffs, export controls, and shifting political winds in the US have shown in recent months just how quickly the rules of the game can change, with European customers having no influence whatsoever over that process. Against this backdrop, Microsoft has announced five "digital commitments" for Europe aimed at rebuilding lost trust. Sounds good – but commitments are, first and foremost, marketing, not a contractual or technical guarantee. We take a sober look at the five points, weigh them against the counterarguments, and show why the path to genuine digital independence runs through open source.
1. Expansion of Cloud and AI Infrastructure
The announcement: Microsoft plans to expand its European data center capacity by 40% and extend into 16 countries.
The counterargument: More data centers in Europe don't solve the underlying problem. The US CLOUD Act still obliges US companies to hand over data upon request from US authorities – regardless of where the server is physically located. A data center in Frankfurt or Zurich changes nothing about the parent company sitting in Redmond. What's more, this expansion ties customers even more tightly to a proprietary ecosystem, making a later switch increasingly costly both technically and contractually ("vendor lock-in").
The open-source alternative: Anyone who wants genuine control over the location and sovereignty of their data should turn to European open-source cloud stacks such as OpenStack, Kubernetes-based platforms, or providers built on open standards. These can be migrated between providers as needed, without proprietary interfaces blocking the switch.
2. Support for European Cloud Providers
The announcement: Microsoft intends to partner with local cloud providers and offer them discounted terms for Microsoft software.
The counterargument: In practice, this "partnership" turns European providers into resellers of Microsoft technology rather than strengthening independent solutions of their own. The value creation and control over licensing models, pricing, and roadmap remain with Microsoft. Critics describe this as cementing dependency under the guise of support.
The open-source alternative: Genuine European sovereignty emerges where providers deploy and further develop open software such as Nextcloud, ownCloud, Proxmox, or open-source groupware solutions (e.g., OX App Suite). The source code is auditable, further development doesn't depend on the discretion of a single corporation, and the value creation stays within the region.
3. Protection of Privacy and Data
The announcement: The "EU Data Boundary" is meant to ensure that European customers' data is stored and processed within the EU.
The counterargument: The EU Data Boundary primarily covers the storage and processing of customer data – metadata, diagnostic data, and administrative access can still be processed outside the EU. Legally, Microsoft remains a US company and therefore subject to the CLOUD Act. Encryption "by design" also offers limited protection when the key holder is the very company that could be compelled to hand over data.
The open-source alternative: Open-source solutions allow organizations to fully control encryption and key management themselves (bring-your-own-key / hold-your-own-key on their own infrastructure). Combined with hosting through a European provider without a US parent company, this actually closes the CLOUD Act's legal gray area – not just contractually, but technically.
4. Cybersecurity and Digital Resilience
The announcement: A new Deputy CISO for Europe and compliance with the Cyber Resilience Act are meant to strengthen cybersecurity.
The counterargument: A new staff position and meeting minimum legal requirements do not amount to a security strategy. Microsoft products have for years ranked among the most frequently attacked targets worldwide, partly due to their sheer market share ("monoculture risk") and repeatedly disclosed vulnerabilities in Exchange, Active Directory, and Azure. A single software vendor that dominates a large share of the global IT landscape becomes, by that very fact, a systemic risk.
The open-source alternative: Open software offers no guarantee against vulnerabilities, but it does enable independent third-party audits, faster community patches, and – thanks to the diversity of systems in use – a smaller attack surface for large-scale compromise. Diversifying the software in use is an established principle of IT security, one that a monoculture fundamentally contradicts.
5. Boosting Economic Competitiveness
The announcement: Open access to AI and cloud platforms is meant to keep European start-ups and established companies competitive.
The counterargument: "Open access" to a proprietary platform is not the same as an open standard. Start-ups that build their products on Azure or Microsoft's AI services fall into the same dependency as established enterprises – just earlier in their life cycle. Price changes, API adjustments, or strategic pivots by the corporation hit them unfiltered.
The open-source alternative: Open AI models (for example, from the Hugging Face ecosystem) and open infrastructure frameworks let companies innovate without surrendering themselves to a single vendor. Control over models, data, and infrastructure stays in-house – a prerequisite for sustainable competitiveness rather than short-term dependency.
Microsoft's commitments are a sign that the company feels the growing pressure from Europe – and that's a positive development. But commitments are voluntary, revocable at any time, and don't solve the structural problem: as long as critical infrastructure runs on proprietary software from a single foreign vendor, Europe remains vulnerable to political, economic, and legal developments beyond its control.
In our view, the more sustainable path lies in deliberately building open-source expertise and gradually diversifying the software in use. Not as an ideological break from Microsoft, but as pragmatic risk mitigation – in the interest of genuine digital sovereignty rather than contractually promised dependency.
Do you have a question about this or any other topic? We're here for you. Fast. Agile. Reliable.