Back to overview

Microsoft 365 in the Public Sector: When Data Crosses 100 Borders

21. October 2025

More and more public sector organizations are integrating Microsoft 365 into their IT landscapes – driven by the need for efficiency, digital transformation goals, and expectations for modern services. But precisely where data is most sensitive, the technical foundation often collapses under legal pressure.

The Scottish Police migration to Microsoft 365 made this clear: data processing across national borders without transparent control – a system structurally incompatible with data sovereignty, access restrictions, and legal compliance.

Microsoft 365 Data Management: A Risk for Public Authorities

As reported by ComputerWeekly, the Scottish Police’s M365 migration revealed that Microsoft may process data in over 100 countries – including jurisdictions considered problematic from a data protection or national security perspective. The issue lies in the hyperscale cloud’s design: replication and failover mechanisms automatically distribute data across regions, without user control over actual data locations. This brings us to the central governance question: who controls where data is replicated – and how can legal safeguards be applied?

For public agencies subject to data localization laws – as in Scotland’s case – this presents a major governance challenge. Local law mandates that certain data must remain within national borders. In this context, Microsoft refused to provide specific details about data flows or its internal risk assessment processes for sensitive data transfers to third countries.

Skepticism is growing in Switzerland too – with cantonal administrations in Zurich, Bern, Basel-Stadt, and Lucerne raising concerns. The key issue remains the same: lack of transparency in data processing and potential dependency on a non-European provider headquartered in the US.

Microsoft 365 Cloud Architecture & Control

The Microsoft 365 cloud infrastructure offers extensive automation, centralized management, and deep integration with Azure services. But this complexity makes it harder for public authorities to meet regulatory control obligations. Data flows, roles and permissions, and logging mechanisms largely remain under the provider’s control – not the user’s.

Microsoft references its EU Data Boundary initiative, which aims to keep data processing within EU data centers. However, metadata, support processes, and telemetry data are excluded – leaving third-party access technically and legally possible.

For critical infrastructure and public institutions, this means that while public cloud use may be technically sound, it may fall short in terms of regulatory compliance – especially concerning data sovereignty, access control, and auditability. This is where the true debate on digital sovereignty begins. The question is not whether cloud services should be used – but whether they can be architected to maintain technical control and compliance.

Digital Sovereignty in the Public Sector

The Microsoft 365 discussion exemplifies a broader issue in modern IT governance: digital sovereignty is rooted in technical design, transparent data architecture, and controllable infrastructure.

This is especially vital for the public sector and regulated industries like healthcare, energy, or finance, where compliance requirements are strict – and the ability to control data flows both technically and organizationally is critical.

Only modular, API-based systems with clearly defined data ownership can be designed to meet regulatory demands. Modern, cloud-native architectures with configurable data residency, tenant-based encryption (BYOK/HYOK), and granular access controls make it possible to meet legal requirements without sacrificing scalability or automation. However, the legal impact only materializes when the technical foundation is sound.

Microsoft 365 and Data Protection

Data protection concerns and lack of technical safeguards have already led to political backlash. In countries like France, Germany, and Switzerland, public sector M365 projects have come under scrutiny.

Microsoft points to certifications and compliance credentials such as ISO 27001, SOC 2, and EU Standard Contractual Clauses. But these are insufficient if state-controlled data could theoretically be accessed by foreign governments. The core problem lies not in the technology, but in the governance model:

Who controls where data is processed, who has access, how encryption keys are managed, and whether logs are auditable by third parties – this is what determines true digital sovereignty.

Public sector organizations thus operate in a dilemma: on one hand, the push for efficient, collaborative platforms; on the other, a regulatory environment that doesn’t allow unknown data flows. These legal tensions can’t be solved through policy alone – they require technical governance. Only when localization, access control, and encryption management are technically enforceable does true sovereignty emerge.

Technical Governance in Microsoft 365

Microsoft 365 does not demand distrust – but it does require technical governance. Without complementary architectural measures, critical questions around data residency, access, and encryption remain unanswered. Only with targeted control of key management, logging, and permissions can a cloud platform become a legally compliant infrastructure.

Practical implementation includes mechanisms such as tenant restriction policies, conditional access, and sovereign cloud connectors – tools that embed control and traceability at the infrastructure level.

Key technical requirements include:

  • Enforceable data localization
  • Full auditability of data flows
  • Independent key management
  • Access control down to the root level

Only under these conditions can Microsoft 365 be operated in a legally secure way in the public sector.

Recommendations for the Public Sector

Microsoft 365 can only be legally compliant in public sector environments if technical governance is embedded from the outset – not added later. It is essential to clearly define responsibilities and control mechanisms, regardless of whether the deployment is in a public, private, or hybrid cloud.

A multi-layered security and governance model is recommended, which:

  • Anchors cryptographic procedures and key management within the organization’s own domain
  • Automates data classification and access control
  • Implements logging and monitoring as a dedicated control layer
  • Governs API-based integrations in strict compliance with regulatory requirements

This creates the technical foundation for operating Microsoft 365 not as a compliance risk, but as a controllable infrastructure – with verifiable accountability and full traceability of data flows.

M365 in Action.
Do you know where your data is?

Data stored across more than 100 countries – for many public authorities, that's not an option. CONVOTIS builds architectures that ensure control, encryption, and access sovereignty remain not with third parties, but exactly where they belong.

Get in Touch

More articles from the category

From Legacy to SaaS: Achieving Sustainable Cloud Migrations
Cloud Solutions

From Legacy to SaaS: Achieving Sustainable Cloud Migrations

Read more
Open Source Cloud Stack: Architekturprinzip für digitale Souveränität in regulierten Umfeldern
Cloud Solutions

Open Source Cloud Stack: Architekturprinzip für digitale Souveränität in regulierten Umfeldern

Read more
Switching to Open Source: A Key Step Toward Digital Sovereignty
Cloud Solutions

Switching to Open Source: A Key Step Toward Digital Sovereignty

Read more
Microsoft confirms potential access to EU data by US authorities
Cloud Solutions

Microsoft confirms potential access to EU data by US authorities

Read more
Digital Sovereignty Starts at the Endpoint – Not in the Cloud
Cloud Solutions

Digital Sovereignty Starts at the Endpoint – Not in the Cloud

Read more
Why the Origin of Your Cloud Provider Matters
Cloud Solutions

Why the Origin of Your Cloud Provider Matters

Read more

Find your solution

To top