
Digital sovereignty: Why “Cloud made in Europe” alone is not enough


In May 2025, Microsoft blocked the email account of Karim Khan – the chief prosecutor of the International Criminal Court (ICC) in The Hague. The reason: US President Donald Trump had imposed sanctions against the ICC after it had issued arrest warrants for Israeli officials. Microsoft, as a US company bound by US law, implemented the sanctions – and thus cut off the official communication of an international judicial authority. Khan had to switch to the Swiss provider Proton in order to continue his work.

This incident is not an isolated case. It is a symptom of a structural problem.

“Sovereign cloud” – a marketing promise with an expiration date

Almost at the same time, Anton Carniaux, Chief Legal Officer of Microsoft France, testified under oath before the French Senate: Microsoft could not guarantee that EU customer data in European data centers would be protected from access by US authorities. If a legally valid request comes from the USA, Microsoft must deliver – regardless of where the servers are located. And: customers may not even be informed about the process.

This officially debunks the illusion of the “sovereign cloud”. As long as a provider is subject to US law – in particular the CLOUD Act and the Patriot Act – the location of the infrastructure remains secondary. “EU-localized” is not the same as “EU-controlled”.

Three inconvenient truths

Jurisdictional vulnerability: Anyone using a cloud service from a foreign provider is subject to that provider’s domestic law. In case of doubt, US laws can override EU law – even for data that is physically located in Europe.

Political service interruption: The ICC example shows that a cloud provider can shut down services for a central public institution on political instructions – without a court order in the country concerned and without prior warning.

Creeping loss of control: Organizations are gradually losing the ability to understand who is accessing their data, where it is going and under what circumstances it is being accessed.

Why a hybrid model is the better way forward

Nobody is seriously calling for all hyperscaler services to be switched off. Their advantages – scalability, service breadth, OPEX efficiency – are real. But they are no substitute for sovereignty. A well thought-out hybrid model combines the best of both worlds:

Control and jurisdiction: Private on-prem or EU-native infrastructure keeps sensitive data within its own jurisdiction. No external subpoena can compel disclosure.

Resilience: Local infrastructure reduces exposure to geopolitical conflicts that do not involve the company directly but can still affect it indirectly.

Compliance with substance: For sensitive areas – government, justice, health, critical infrastructure – private cloud offers a resilient basis for GDPR compliance and true data sovereignty.

Risk diversification: A single provider is a single point of failure – technically and legally. Hybrid models distribute this risk intelligently.

Open source as a strategic pillar

The latest developments make one thing clear: digital sovereignty is not just a question of infrastructure, but also of software. Open source plays a key role here – not only technically, but also geopolitically and economically.

The global digital economy is based on open source technologies such as Linux, Apache, Nginx and Kubernetes. These form the backbone of modern cloud infrastructures and are supported by global developer communities.

China provides an instructive example: when Huawei was excluded from the Android ecosystem by US sanctions in 2019, the country invested heavily in its own open source projects such as OpenHarmony and founded the OpenAtom Foundation. Today, China is the third-largest developer nation on GitHub after the US and India and is driving open source AI models such as DeepSeek and Qwen (Alibaba).

For Europe – and especially for Switzerland – this sends a clear signal: open source is a strategic necessity. While China uses open source primarily to reduce Western dependencies, Europe can use it to promote transparency, trust and collaborative innovation.

Switzerland in particular, with its strong research landscape, regulated industries and neutral intermediary role, is well placed to rely on open source to ensure digital independence and build interoperable, trustworthy technologies.

Conclusion: Sovereignty needs more than geography

True digital sovereignty requires governance and control – not just a European server location. If you want robust control over data and operations, you need to invest in infrastructures that are fully under your own supervision. And they must rely on open standards and open source technologies that do not create any hidden dependencies on individual providers or legal systems.

The incidents surrounding Microsoft and the ICC are not a marginal phenomenon. They are a wake-up call. The question is not whether we act – but how quickly.


Sources: heise online – ICC email blocking, heise online – Microsoft EU data, Knack Trends – China Open Source

