Contact Us Free Resources Atlas Login
Become a Member
Insights
Training
Mary Jo Foley’s Blog
CIO Blog
Lane’s Lens
Contact Us
Free Resources
Advisory
About Us
Search
Become a Member

March 16, 2026

  Analyst Report

Evaluating Digital Sovereignty Options  

My Atlas / Analyst Reports

1,895 wordsTime to read: 10 min
by
Greg DeMichillie
by
Greg DeMichillie

Greg brings with him over two decades of engineering, product and GTM experience. He has held leadership positions at premier... more

In This Content

Risk Analysis and PrioritizationDigital Sovereignty OptionsDigital Sovereignty Options ComparedDirections Recommends
  • Digital sovereignty is increasingly important as enterprises face shifting legal and geopolitical environments.
  • Microsoft has several options, but all involve serious trade-offs, and a complete solution is unavailable.
  • Customers should adopt a disaster recovery mindset: make their own assessment of risks and focus on workloads critical for business continuity.

Enterprises are increasingly using the public cloud for mission-critical and data-sensitive workloads. But as customers face even more fragmented legal structures and nations appear likelier to use trade and commerce as tools of foreign policy, Microsoft, along with other vendors, is racing to fill the void with what it calls digital sovereignty solutions. But with an IT landscape that includes cloud and on-prem systems, SaaS and traditional software, and first- and third-party applications, IT leaders should not focus their efforts on achieving complete digital sovereignty but instead use a disaster recovery mindset. The key questions every organization must answer are as follows:

  • What is required to ensure business continuity?
  • What is an acceptable time to recovery?
  • Which Microsoft products, if any, best match the organizations’ needs?

Although the exact meaning of digital sovereignty can vary, Merriam-Webster defines sovereignty as “supreme power” and “freedom from external control” particularly with respect to foreign or outside powers.

This report is the first in a series that assesses Microsoft’s digital sovereignty offerings according to the types of risks from foreign actors they claim to protect against as well as the effectiveness and cost of those protections.

Risk Analysis and Prioritization

Digital sovereignty solutions are essentially a form of insurance: a company pays a premium to help limit the damage done by a potentially dangerous event.

There are three broad types of outcomes that digital sovereignty attempts to mitigate:

Regulatory. Can a foreign government or agency impose new regulatory requirements on the organization that it is unable or unwilling to meet?

Unwanted data access. Can a foreign government or agency access the organization’s data without its consent or without notifying it?

Service disruption. Can a foreign government or agency force Microsoft to “pull the plug” and remove the service the organization relies on, through either technical or legal means?

The value of any specific digital sovereignty solution will vary widely, depending on how any given company rates the likelihood of those risks against the cost of protecting against them. Regardless, there are four dimensions companies need to consider when making cost/benefit analysis of any solution:

Likelihood of the risk. Some of the outcomes are likelier to occur than others. As with insurance, where a homeowner in Florida is likelier to buy hurricane coverage than earthquake coverage, different companies may come to different assessments of the risk, depending on their business and countries they operate in.

Consequences of the risk. Not all risks are created equal. Some applications being unavailable for data to be accessed are at most an inconvenience, while others pose existential risks.

Effectiveness of the protection. Put simply, there is no complete solution. Even setting aside issues such as higher-level SaaS applications being subject to the same risks as basic infrastructure, Microsoft offers a patchwork of products with varying levels of protection across risk types.

Cost of the protection. As with insurance, there is an additional cost to even the smallest mitigations. All forms of digital sovereignty involve some trade-offs, and the costs aren’t simply additional license fees. Many of them require the customer to use some form of on-prem software or specialized cloud instances, so customers must consider the opportunity cost of restricting themselves to a more limited set of capabilities.

Why Now?

The risk isn’t new, but the odds are shorter and consequences are higher.

The risks of foreign agencies disrupting a company’s IT infrastructure aren’t new. Adopting the public cloud brought undeniable benefits in terms of agility as well as access to capabilities previously not possible in an on-prem datacenter. But it also brought changes that implicitly transferred control over key aspects of IT infrastructure.

Customers used to operate traditional app architectures using perpetually licensed software and running on one or two servers owned and operated by their own employees in their own datacenter. Today, that same application is likely to use a highly distributed architecture with processing spread across dozens of servers (or more), running software that “phones home” to verify ongoing rental fees are paid, and running on servers owned and operated by other companies.

What has changed, however, is the perceived likelihood of these risks being exploited and the potential consequences. On the risk front, customers face more fragmented legal structures, and nations appear likelier to use trade and commerce as tools of foreign policy, raising the risks that the IT services that companies rely on could be disrupted. And the costs are higher. Not only do many companies now run mission-critical workloads with sensitive data in the cloud, but they may also no longer have the skills needed to run those same services in house.

Digital Sovereignty Options

Specifically, Microsoft uses “Sovereign Cloud” as an umbrella term for a variety of products and features. As is often the case, Microsoft’s marketing is ahead of its products, with a combination of product names and umbrella terms that imply more capabilities than are available.

Broadly speaking, Microsoft’s digital sovereignty solutions come in two flavors: on-prem solutions that attempt to mitigate the downsides of on-prem software while also giving customers near complete control, and specialized clouds that try to give the customer more control. For a summary of the options and their overall effectiveness, see the table “Digital Sovereignty Options Compared.”

On-Prem: Highly Effective, but Costly

The on-prem options include Windows Server, Azure Local, and a new variant of Azure Local Microsoft calls Sovereign Private Cloud.All three share the basic approach of running applications in an on-prem environment on hardware that is owned and operated by the customer. Because they run on hardware owned and operated by customers, all three options give customers the highest level of protection against regulatory and data-access risks. By choosing where to place their servers, customers make an explicit choice about regulation, and because they operate the system, customers will be the ones notified should a governmental agency demand access to data.

They also share common limitations:

  • Customers must purchase and deploy servers, shifting back to capital expenses
  • Customers must take back the burden of managing and maintaining the hardware and operating systems
  • Many of Microsoft’s on-prem products have stagnated compared with their Azure counterparts and lack many advanced features available in the cloud.

But the options offer different levels of protection against service disruption and different trade-offs in costs.

Windows Server. Although Microsoft continues to push customers toward subscriptions, Windows Server is still available with a perpetual license. This license limits the ability of a government to force Microsoft to “pull the plug” on Windows Server and provides the highest level of protection against service disruption.

Azure Local. Although it offers many of the same basic capabilities as Windows Server, with the promise of bringing more cloud-like capabilities to on-prem environments, Azure Local is more prone to service disruption. First, Microsoft is only now rolling out the ability for Azure Local to run fully disconnected from the cloud. Previous versions needed to “phone home” every 90 days to maintain support and functionality. Even now, Microsoft requires customers to get specific permission for what it calls disconnected operations. In addition, Azure Local is subscription based, leaving open the possibility that Microsoft could be forced to terminate a customer’s subscription with little or no notice.

Sovereign Private Cloud. Based on Azure Local, Sovereign Private Cloud adds on-prem versions of Exchange Server, SharePoint Server, Skype for Business Server, and Microsoft Foundry. Exchange and SharePoint are widely used and essential to many enterprises, while AI is an obvious priority for Microsoft. Microsoft also claims it will offer workload mobility, implying that customers will be able to start a workload on-prem or in the cloud and migrate to the other. Sovereign Private Cloud has the same basic effectiveness and limitations as Azure Local. But customers should recognize that the on-prem versions supported by Sovereign Private Cloud differ significantly from the cloud versions customers may have become used to.

Cloud: Limited but Growing

For companies that have moved most of their workloads to the cloud, the idea of going back to the future and moving workloads back to an on-prem can be unappealing as well as impractical. That’s why Microsoft, along with the other hyperscalers, offers specialized versions of its public cloud as a middle ground. In Microsoft’s case, that includes Sovereign Public Cloud and National Partner Clouds. Both are offered in a limited set of specialized regions, but National Partner Clouds are aimed specifically at government and public sector use cases while Sovereign Public Cloud is a more general-purpose solution. Both are still subject to disruption in the event a government orders Microsoft to discontinue the service to any given customers or to an entire country.

Sovereign Public Cloud. Sovereign Public Cloud is available in Europe and builds on Microsoft’s existing data residency controls for Azure while adding additional safeguards including tamper-evident access logs. Although the logs don’t prevent unwanted data access, they ensure customers will at least be aware should Microsoft be ordered to access a customer’s data without notifying the customer. Sovereign Public Cloud doesn’t support Microsoft’s entire suite of applications, but it does include Microsoft 365 and Power Platform. To fully protect themselves against unwanted data access, customers will need to use customer-managed encryption keys to ensure even Microsoft is unable to decrypt data without the customer’s permission. But customer-managed encryption is more complex, making the overall solution more expensive to deploy and maintain. It is worth noting that Sovereign Public Cloud also includes a number of confidential computing features that, although not directly related to digital sovereignty, do provide a more secure overall environment.

National Partner Clouds. National Partner Clouds are independently operated environments that deliver Azure functionality under the ownership and control of a local operator. Examples include Bleu, a joint venture of French telecom provider Orange and Capgemini, and Delos, operated in Germany by a subsidiary of SAP. Like on-prem options, National Partner Clouds enable customers to choose the specific country they operate in, and therefore the legal regime they are subject to. Beyond basic infrastructure, they support a limited set of applications, including Exchange, SharePoint, and Teams, and are designed to meet the needs of a specific country.

Digital Sovereignty Options Compared

LEVEL OF PROTECTION
OptionLocationRegulatoryData AccessService DisruptionCosts/Limitations
Windows ServerOn-premHIGHHIGHHIGHLoss of features compared with cloud

Customer takes full responsibility for management

Subscription-based apps still can be disrupted
Azure LocalOn-premHIGHHIGHMEDSame as Windows Server

Must get approval from Microsoft for disconnected operations

Still subscription based
Sovereign Private CloudOn-premHIGHHIGHMEDSame as Azure Local
Sovereign Public CloudCloudHIGHMEDLOWEurope only

Limited app support

Customer-managed encryption keys required for maximum protection
National Partner CloudsCloudHIGHn/aHIGHLimited countries

Limited app support

Aimed at government and public sector use
Table gives a high-level overview of Microsoft’s digital sovereignty products.

Directions Recommends

Prioritize workloads. For most organizations, a complete solution is impractical. Companies should prioritize systems that are essential for business continuity.

Perform your own risk analysis. Each company is different, and future events are difficult to predict, so building a digital sovereignty strategy requires a company to do its own analysis of both the likelihood of various events and the consequences to the business.

by
Greg DeMichillie

Greg brings with him over two decades of engineering, product and GTM experience. He has held leadership positions at premier tech companies such as Microsoft, Google, AWS, and Adobe, as... more