Microsoft Sovereign Cloud

Provider-specific sources from the current dataset. Use the Compass for scoring, weighting, and A/B comparison.

Compare in the Compass

Provider Snapshot

Criterion	Score
Customer content in the EU	4.0
Customer-created metadata in the EU	2.0
Physically & logically separated	2.0
EU-based operations & support	3.0
No critical non-EU dependencies	1.0
Ownership / ultimate parent (EU-owned?)	0.0
Controlling interest & FISA 702 risk (jurisdiction ≠ residency)	1.0
Local contracting entity & EU governance (operational model)	2.0
Independent advisory board	0.0
EU root CA / trust services	2.0
BSI C5	4.0
ISO 27001 / ISMS	5.0
IT-Grundschutz (BSI)	1.0
SecNumCloud (ANSSI)	1.0
Open standards / API portability	2.0
Service portfolio depth	5.0
Geographic footprint & redundancy (regions/AZ/DCs in EU/DE)	5.0
Audit reports / evidence pack	5.0
Policy enforcement (guardrails)	4.0
Default deny / secure by default	3.0
Independent verification (continuous)	4.0
Blackbox exposure (ops/control plane)	2.0
Operator access exclusion (workload scope)	3.0
IaC & automation (Terraform/OpenTofu, SDKs, APIs)	5.0
Everyday SDLC/DevOps (CI/CD, registry, secrets, K8s)	5.0
Observability (logs/metrics/traces, alerting)	5.0
Limits/quotas (transparency & increase)	4.0
Reference architectures / landing zones	5.0
Unified security stack	5.0
Energieeffizienz / PUE & Zielwerte	5.0
CO₂-/Wasser-Reporting + erneuerbare Energiequellen	5.0

Scope: Full Stack Suite (Azure/M365)

Customer content in the EU: 4.0; Customer-created metadata in the EU: 2.0; Physically & logically separated: 2.0; EU-based operations & support: 3.0; No critical non-EU dependencies: 1.0; Ownership / ultimate parent (EU-owned?): 0.0; Controlling interest & FISA 702 risk (jurisdiction ≠ residency): 1.0; Local contracting entity & EU governance (operational model): 2.0; Independent advisory board: 0.0; EU root CA / trust services: 2.0; BSI C5: 4.0; ISO 27001 / ISMS: 5.0; IT-Grundschutz (BSI): 1.0; SecNumCloud (ANSSI): 1.0; Open standards / API portability: 2.0; Service portfolio depth: 5.0; Geographic footprint & redundancy (regions/AZ/DCs in EU/DE): 5.0; Audit reports / evidence pack: 5.0; Policy enforcement (guardrails): 4.0; Default deny / secure by default: 3.0; Independent verification (continuous): 4.0; Blackbox exposure (ops/control plane): 2.0; Operator access exclusion (workload scope): 3.0; IaC & automation (Terraform/OpenTofu, SDKs, APIs): 5.0; Everyday SDLC/DevOps (CI/CD, registry, secrets, K8s): 5.0; Observability (logs/metrics/traces, alerting): 5.0; Limits/quotas (transparency & increase): 4.0; Reference architectures / landing zones: 5.0; Unified security stack: 5.0; Energieeffizienz / PUE & Zielwerte: 5.0; CO₂-/Wasser-Reporting + erneuerbare Energiequellen: 5.0

Sources / Evidence

Customer content in the EU

EU Data Boundary: Speicherung/Verarbeitung von Customer Data & personenbez. Daten für Enterprise Online Services in EU/EFTA (mit Ausnahmen). (stated)

Customer-created metadata in the EU

EU Data Boundary definiert „Customer Data“ (Konfigurationsinfos wie Ressourcennamen sind nicht umfasst); Metadaten-Scope je Service → unklar. (partial)

Physically & logically separated

Sovereign Public Cloud in bestehenden Azure-Regionen; primär logische/operative Controls (Lockbox/Policy), keine dedizierte EU-Only Physik (außer Partner-Clouds). (stated)

EU-based operations & support

Operational Controls: Customer Lockbox + Data Guardian (Audit/Protokoll). EU-Ops-Ansatz, aber Microsoft-betrieben. (stated)

No critical non-EU dependencies

US-Hyperscaler (nicht EU-unabhängig); kritische Non‑EU Abhängigkeiten/Jurisdiktion bleiben. (high risk)

Ownership / ultimate parent (EU-owned?)

Ultimate Parent: Microsoft Corp (USA). (fact)

Controlling interest & FISA 702 risk (jurisdiction ≠ residency)

US-Jurisdiktion: Residencies/Controls ≠ vollständige Exklusion ausländischer Rechtszugriffe (Risiko bleibt). (high risk)

Local contracting entity & EU governance (operational model)

Lokale Vertragsparteien möglich; Governance/Operations jedoch Microsoft. Partner-Clouds für gov use-cases (z.B. national). (partial)

Independent advisory board

Kein unabhängiger „Trustee/Board“ explizit; stattdessen Kontroll-/Transparenzprogramme. (unclear)

EU root CA / trust services

CMK via Azure Key Vault/Managed HSM; EU-Root-CA/Trust-Service nicht als eigenes Konzept beschrieben. (unclear)

BSI C5

Azure: Germany C5 (C5 im kombinierten SOC2 Type2 Report). (stated/verified)

ISO 27001 / ISMS

Breites ISO/SOC-Portfolio (Service Trust Portal). (stated)

IT-Grundschutz (BSI)

IT‑Grundschutz: Artefakte/Workbooks vorhanden, aber kein generelles IT‑Grundschutz‑Zertifikat der Public Cloud. (partial)

SecNumCloud (ANSSI)

SecNumCloud i.d.R. über nationale Partner-Clouds (z.B. Frankreich); Microsoft selbst nicht als SecNumCloud-Anbieter ausgewiesen. (partial)

Open standards / API portability

Viele Open-Source/Standards (Kubernetes), aber Azure-APIs/Services teils proprietär → Portabilität begrenzt. (mixed)

Service portfolio depth

Sehr tiefes Portfolio (IaaS/PaaS/SaaS inkl. Security & Productivity). (stated)

Geographic footprint & redundancy (regions/AZ/DCs in EU/DE)

Audit-Pakete über Service Trust Portal (SOC/C5 etc.). (stated)

Audit reports / evidence pack

Azure Policy + Sovereign Landing Zones (Guardrails/Baselines). (stated)

Policy enforcement (guardrails)

Operator Access via Customer Lockbox; Encryption at rest/in transit; CMK möglich. (stated)

Default deny / secure by default

Regelmäßige Third‑Party Audits (SOC2/C5 etc.). (stated)

Independent verification (continuous)

Hoher Blackbox-Anteil (proprietäre Plattform); Transparenzprogramme/Docs helfen, aber begrenzt. (mixed)

Blackbox exposure (ops/control plane)

Lockbox verlangt explizite Freigabe für Supportzugriff auf Customer Content; Data Guardian protokolliert. (stated)

Operator access exclusion (workload scope)

IaC: Terraform/ARM/Bicep/Policy; Automatisierung stark. (stated)

IaC & automation (Terraform/OpenTofu, SDKs, APIs)

DevOps & SDLC: umfangreiche Toolchain (DevOps, AKS, Registry, etc.). (stated)

Everyday SDLC/DevOps (CI/CD, registry, secrets, K8s)

Observability: Azure Monitor/Log Analytics/App Insights etc. (stated)

Observability (logs/metrics/traces, alerting)

Service Limits/Quotas dokumentiert (Azure Service Limits). (stated)

Limits/quotas (transparency & increase)

Cloud Adoption Framework / Landing Zones verfügbar. (stated)

Reference architectures / landing zones

Teilweise Portabilität (Container/OSS), aber starker Vendor Lock‑in über proprietäre Services möglich. (mixed)

Unified security stack

Viele EU-Regionen; EU Data Boundary (EU/EFTA) als Datenresidenz-Commitment. (stated)

Energieeffizienz / PUE & Zielwerte

Publiziert PUE/WUE nach Region; FY24 global PUE 1.16, EMEA PUE 1.16 (WUE 0.03). (Quelle: Microsoft Datacenters)

CO₂-/Wasser-Reporting + erneuerbare Energiequellen

Sustainability Report + Ziele: 100% Stromverbrauch 24/7 mit Zero-Carbon Energy purchases bis 2030; Water-positive Ziel 2030 + Reporting. (Quellen: Microsoft Reports + Datacenter page)

Service catalog (core/security)

Expand to load the service catalog …