Trump, China, and the Cloud: What Does This Mean for Your Digital Sovereignty?

Today’s digital world is increasingly complex and uncertain. Wars and threats from China are causing increased geopolitical tensions.

Trump’s policies put a brake on international trade, which had flourished over the past 40 years through collaboration and global supply chains. Now that borders are blurring and national interests are becoming more important, digital sovereignty and autonomy are crucial for your business to grow and survive. You need to protect your data, make your own decisions about your IT systems, and ensure that your business processes continue to operate without external interference. This has become a top priority. This blog post, based on discussions with our clients and our collaboration with Microsoft, delves deeper into these themes and the role of the cloud.

Why the Cloud? A Review

Before we talk about sovereignty, let’s first look at the reasons why organizations like yours have moved to the cloud.

The cloud stimulates economic growth and improves IT services because:

• The cloud manages things better and cheaper than your company can.
• The cloud is flexible: you can easily scale up and down during busy or quiet periods.
• The cloud offers advanced cybersecurity.
• You don’t have to worry about IT and can focus on your core business.

You also face challenges, such as outdated systems, obsolete security, and shadow IT. That’s why it’s important to take modern data security measures, especially with the rise of Gen-AI. The Microsoft Digital Defense Report of 2024 shows that 80% of companies have systems designed in such a way that critical components are vulnerable to attacks.

Digital Autonomy: What Is It?

Digital autonomy is a relatively new concept. What exactly does it mean for you? Digital autonomy consists of 3 key elements:

• Data Sovereignty: This is about who has access to your company data. The rule is that data falls under the laws and regulations of the country where it is stored. The key question here is: can someone else see my data?
• Resilience: In an uncertain world, it is crucial to recover quickly from incidents and adapt to changes. This means that the business must continue to operate, even in the event of disasters or cyberattacks.
• Strategic Autonomy: This is the freedom to make your own decisions, without influence from suppliers, governments, or others. The key question here is: can I always access my data?

What is Sovereignty?

The traditional definition of sovereignty is the highest power within a state. It is about a state’s ability to govern and defend itself. In digital terms, this means that you protect your data and ensure lawful access.

Microsoft’s Commitment to Data Protection

Microsoft has been protecting customer data for over 10 years and guarantees that your data remains yours. There is extensive documentation and transparency about their security processes. They have a perfect track record in the European public sector. If a non-disclosure order prohibits Microsoft from informing you about a government request to access your data, Microsoft will take legal action to challenge this order. Microsoft will compensate you for damages resulting from the disclosure of your personal data in violation of the GDPR. Such requests are rigorously tested according to the highest legal standards in the US.

Data requests for business customer data in the first half of 2024 show that less than 1% (166) of the 27,000 requests involved legal demands for customer data. Of these 166 requests, Microsoft provided data to the US government about one non-US customer whose data was stored outside the US. This customer was not in the EU/EFTA. There were no other cases in which business data was shared across borders without permission.

In short, Microsoft takes the protection of your customer data seriously and has the following principles and measures:

• The customer owns their own data (cross-cloud commitment).
• Extensive documentation and transparency about security.
• An excellent track record in the European public sector.
• The promise to take legal action against non-disclosure orders that prohibit customers from being informed about government requests to access their data.
• Compensation for customers in the event of damage caused by the disclosure of personal data in violation of the GDPR.
• Strict control of requests according to the highest legal standards (precisely defined, least restrictive means, compelling government interest).

The Microsoft EU Data Boundary

The Microsoft EU Data Boundary (EUDB) is a solution that allows you to store and process your customer data, pseudonymized personal data in system logs, and Professional Services Data within the EU. This applies to Microsoft 365, Azure, Power Platform, and Dynamics 365 online services, as stated in the Product Terms. The EU Data Boundary reinforces Microsoft’s commitments to data residency for customer and personal data stored and processed in the EU and the EFTA.

Sovereignty: Trade-offs and Technology

There is a clear tension between the benefits of the cloud and your need for sovereign control. The cloud offers scalability, innovation, cybersecurity, reliability, cost savings, flexibility, and redundancy. But there is also a downside: your need for control over sovereignty, residency, and operations.

Microsoft offers a Sovereign Control Portfolio to protect workloads against external access with advanced sovereignty and encryption controls, such as confidential computing and Azure Managed HSMs. In addition, there are Sovereign Guardrails & Guidance in the form of architectures, policies, templates, and tooling to help you create compliant architectures and address sovereignty issues. Compliance & Transparency are guaranteed by local policy packages and greater transparency in the operations of the environment. Microsoft Cloud for Sovereignty helps governments with their digital transformation by meeting compliance, security, and policy requirements.

This includes various technologies and solutions:

• Sovereign Landing Zones
• Azure Key Vault Managed Hardware Security Module (HSM)
• Azure Confidential Computing (ACC)
• Azure Customer Lockbox
• Azure Boost
• Azure Government Cloud (US only)
• MS Cloud for Sovereignty (global solution)
• Virtual Data Embassy (secure cloud environments for sensitive workloads)
• Azure Virtual Enclaves
• Azure Sovereign Regions (Bleu – France, Delos – Germany)
• Azure Hybrid (Azure Local/Azure Arc) (for distributed locations with cloud management)

Operational Sovereignty and Resilient Infrastructure

Microsoft invests heavily in a resilient infrastructure with 65+ Azure Regions and 300+ data centers worldwide, connected by 442,000+ km of fiber and submarine cables. Regions are sets of data centers close to each other, connected by a fast network. Availability Zones are physically separated locations within a region. Region pairs offer redundancy and business continuity within the same region. Geographies (geos) are separate markets of two or more regions that maintain data residency and compliance boundaries. Microsoft has 17+ data centers in Europe and has invested more than 20 billion USD in AI and cloud infrastructure in Europe over the past 16 months.

Business Continuity, Dependencies, and Exit Strategy

An important aspect of digital sovereignty is ensuring business continuity and mapping dependencies. Developing and testing business continuity plans and an exit strategy is essential for you. Microsoft offers free egress for customers leaving Azure and taking their data with them. In addition, there are strong contractual clauses and extensive security measures for the protection of your customer data. Microsoft has a proven track record of taking legal action against government requests.

Where to Start?

Microsoft and Intwo advise you to take the following steps towards digital sovereignty:

• Perform an organizational digital sovereignty risk analysis based on probability and impact.
• Prepare business continuity plans and an exit strategy, and test them.
• Understand the technological and architectural options.
• Identify critical assets, applications, and data and map dependencies.
• Design with a balance between the acceptable level of risk and the acceptable reduction in benefits.

Conclusion

Digital sovereignty is crucial for your organization in today’s digital world. The cloud offers many benefits in terms of flexibility, innovation, and cybersecurity, but also raises questions about data sovereignty, resilience, and strategic autonomy. Microsoft offers various solutions, such as the EU Data Boundary, to meet these requirements and emphasizes the importance of transparency and data protection. You need to weigh the benefits of the cloud against the need for sovereign control and develop a sound risk analysis, business continuity plan, and exit strategy.

Does your organization struggle with digital sovereignty and are you looking for help to deal with it? Then contact Intwo. Our experts have the knowledge and experience to help your organization develop a strategy that fits your specific needs and compliance requirements. This way, you can benefit from the cloud, with the assurance that your digital sovereignty is guaranteed.