
Microsoft Cloud for Sovereignty: The Latest & How It Works

User Group Meeting October 2025
https://www.meetup.com/azure-cloud-bern-user-group/events/310421365/

Oliver and Patrick cut through the noise of recent announcements, offering clarity on how Azure Local and M365 Local are integral components of Microsoft's sovereignty story. They delve into what's next for Cloud for Sovereignty and explore practical applications, demonstrating how enterprises and partners can effectively leverage Cloud for Sovereignty in real-world scenarios.


Azure Bern User Group

November 02, 2025

Transcript

  1. How to benefit from the Microsoft Cloud for Sovereignty Bern,

    29th October 2025 Oliver Dörr Field CTO EMEA Enterprise Partners https://www.linkedin.com/in/oliver-doerr Patrick Fontana Cloud & AI Sr Specialist https://www.linkedin.com/in/p-fontana/
  2. Agenda – Microsoft Sovereign Cloud Insights WHAT HOW WITH WHAT

    QnA SPOILER: YES – you will get the slides ☺
  3. Sovereignty Maturity Advanced Configuration “Control Grade” Sovereignty - Basics Innovation

    Configuration Reduce operational risk Program Unify Operation Model Becoming “Frontier” Think it “End-to-End” “Compliance / Transparency” Sovereignty - Advanced “Environment” Sovereignty - Master Basics Configuration
  4. Sovereignty Maturity (Key function points) Advanced Configuration “Control Grade” Sovereignty

    - Basics Innovation Configuration Reduce operational risk Program Unify Operation Model Becoming “Frontier” Think it “End-to-End” “Compliance / Transparency” Sovereignty - Advanced “Environment” Sovereignty - Master Basics Configuration Contractual Amendment Hybrid or Autarky Solution Transparency & Compliance Log Confidential Compute & Services / Key Mgmt SLZ / ARC-enabled / Azure Local Data Guardian & Regulated Environment Mgmt (REM) SLZ / ARC / Local over Terraform / Bicep / ARM Swiss Cloud Operations (Extended Log & Telemetry Screening) SLZ / Azure ARC & Workload Orch, Azure Autoscal in Sovereign Sovereign Control Portfolio Network Security Perimeter / Direct Route NPC EU Data Boundary / Emergency Code Residence / Policy Sovereign AI (Foundry / Foundry Local / AI on Confidential Compute)
  5. Over the past decade, Microsoft has invested extensively in data privacy, compliance and security

    2016 • Launched German sovereign cloud with local trustee • Invested $3B to double European cloud capacity • Challenged U.S. gag order on customer data for transparency • 30 Azure regions live
    2017 • Committed to full GDPR compliance for all cloud services by 2018 enforcement • Secured policy win as U.S. Justice Department limited indefinite gag orders • Revised contracts and privacy controls to support customer compliance
    2018 • First major tech company to apply GDPR data rights to customers globally • Met the GDPR deadline
    2019 • Launched first cloud datacenters in Africa and the Middle East, enabling local data storage • Extended California’s CCPA privacy rights to all U.S. customers, adopting a “beyond compliance” stance • 54 Azure regions live
    2020 • Launched “Defending Your Data” to legally oppose government data requests • Committed to compensation if personal data is disclosed in violation of GDPR • Reaffirmed opposition to government encryption backdoors
    2021 • Announced EU Data Boundary for Microsoft Cloud • Committed to storing and processing all EU customer data within EU datacenters by end of 2022
    2022 • Launched Microsoft Cloud for Sovereignty with enhanced data residency, privacy, and compliance • Introduced Advanced Data Residency add-on • 60+ Azure regions live • Expanded Go Local program to 15 countries • Over 100 compliance certifications, including 50+ region-specific ones
    2023 • Launched EU Data Boundary Phase 1, storing core customer data in European datacenters • Expanded Go Local program to 25+ countries
    2024 • Expanded EU Data Boundary to Phase 2, adding pseudonymized personal data and telemetry in-region • Reduced data transfers outside the EU by keeping Microsoft cloud service data and metadata within Europe
    2025 • Completed EU Data Boundary (Phase 3) with all EU customer data in European datacenters • Announced expansion of Microsoft Sovereign Cloud to Public and Private cloud environments • Launched Bleu (France) and Delos (Germany) national cloud providers • Announced 5 European data commitments • Over 70 Azure regions live • Invested $20B+ in European cloud infrastructure since 2023
  6. Microsoft Deepens Switzerland's Digital Future with Strategic Investment in Cloud

    and AI Infrastructure, Startups, Skilling and Innovation - Microsoft Switzerland News Center Microsoft Deepens Switzerland’s Digital Future with Strategic Investment in Cloud and AI Infrastructure, Startups, Skilling and Innovation European Digital Commitments Supporting Commerce and Culture Microsoft Sovereign Solutions European Security Program How Microsoft is addressing digital sovereignty in Switzerland
  7. Digital sovereignty is the capability to participate in the digital

    economy securely, independently and with self-determined controls. The digital sovereignty landscape is evolving, driven by growing consideration for data security, compliance and regulatory standards, and global trade and geopolitical issues. Our approach to digital sovereignty Available to all: Digital sovereignty is a foundational capability of Microsoft services. Well-governed controls: Delivered through technical, contractual, and operational measures. Workload dependent: Sovereign control requirements vary based on sensitivity and criticality.
  8. Microsoft Sovereign Cloud Comprehensive spectrum of digital sovereignty capabilities, across

    integrated productivity, security and cloud platform workloads Sovereign Public Cloud Technical, operational and contractual controls built into Microsoft Cloud services to meet digital sovereignty requirements Continuous innovation and improvements without the need for re-design or migration Sovereign Private Cloud Hybrid or disconnected cloud services on customer infrastructure Supports building solutions on cloud services that are portable across public and private environments in case requirements change National Partner Clouds Specialized cloud environments with Microsoft 365 and Azure services, for critical infrastructure workloads to meet local ownership criteria • Germany: Delos Cloud designed to meet BSI Cloud requirements • France: Bleu designed to meet SecNumCloud requirements Consistent management and development platform Sovereign controls
  9. Microsoft's new European digital commitments

    1. We will help build a broad AI and cloud ecosystem across Europe. 2. We will uphold Europe’s digital resilience even when there is geopolitical volatility. 3. We will continue to protect the privacy of European data. 4. We will always help protect and defend Europe’s cybersecurity. 5. We will help strengthen Europe’s economic competitiveness, including for open source.
  10. We will uphold Europe’s digital resilience even when there is

    geopolitical volatility. 2 Microsoft’s European Digital Commitments A European cloud for Europe A Digital Resilience Commitment Business Continuity partnerships
  11. These Amendments are required Contractual Risk Mitigation M248 add. M1186

    (DORA) M329 (Swiss Standard) M744 (Professional secret / Confidential provisioning) M453 (FINMA) “CAPS” Regional Amendment
  12. Microsoft Sovereign Cloud Most comprehensive set of sovereignty solutions, with

    integrated productivity, security and cloud platform Sovereign Public Cloud Data stays in Europe, under European law Data Guardian: Operations and access controlled by European personnel Sovereign controls for policy enforcement Applies to existing Europe cloud datacenter regions with no migration Sovereign Private Cloud Azure Local + Microsoft 365 Local: Integrated cloud and productivity Hybrid or disconnected at your location Validated architecture and partner ecosystem Virtualization services National Partner Clouds For government and critical infrastructure criteria Government approved local operator independent from Microsoft Clouds in Germany (Delos Cloud) and France (Bleu) with local ownership and isolated infrastructure Consistent management and development platform
  13. Digital sovereignty with Microsoft Sovereign Cloud Participate in the digital

    economy securely, independently and with self-determined controls Operational Controls Data Controls Data Guardian Regulated Environment Management External Key Management External Key Management Azure Key Vault Managed HSM Azure Key Vault Managed HSM Customer Lockbox Azure Confidential Computing Sovereign Landing Zones Azure Key Vault Premium Azure Key Vault Premium Network Security Perimeter
  14. Network Security Perimeter (NSP)

    Plan: • Restrict public exposure of Azure Services • Manage inbound and outbound access for resources within perimeter. Secure by default by denying access from unauthorized networks • Secures PaaS to PaaS service communications and prevents data exfiltration
    Deploy: • Azure Portal, PowerShell, CLI, or Infrastructure-as-Code (IaC) (ARM/Bicep) • Define a clear profile: - 3 Modes (Learning / Enforce / SecuredbyPerimeter) - Inbound Rule / Outbound rule / Limits
    Operate: • Gain visibility into any connections and monitor access to resources in the perimeter
  15. Regulated Environment Management (REM)

    Plan: • Configure Data Guardian • Tailor landing zone configurations designed for sovereignty • Limit deployment locations to EU and EFTA regions
    Deploy: • Portal, API and SDK processes supported • Enables consistent and repeatable sovereign environments
    Operate: • Access Data Guardian logs
    REM will be available to existing customers of our European cloud services in all 15 EU/EFTA cloud regions
  16. Sovereign Landing Zones Regulatory Compliance: • Align with regulatory compliance

    requirements using Azure-native tools • Enforces consistent management, policy, and naming schemas for a reliable deployment environment Operational Efficiency: • Easily configurable and deployable with a single script • Leverages automation for smooth setup • Follows the Cloud Adoption Framework for easy integration Sovereign Landing Zones are now available in all 15 EU/EFTA cloud regions Learn more
  17. External Key Management Customer keys in HSM physically controlled by

    customer. No availability SLA from Microsoft. Customer has physical control over the HSM: ・ Supports scenarios where the customer is obligated by compliance or regulatory reasons to physically control the HSM ・ Customers can connect Azure to keys stored on their own Hardware Security Module (HSM) deployed on-premises or hosted by a third party. ・ Gives physical control over the HSM, but impacts availability SLA and support Supported HSM manufacturers include External Key Management support will be available in all 15 EU/EFTA cloud regions
  18. Microsoft Sovereign Cloud Most comprehensive set of sovereignty solutions, with

    integrated productivity, security and cloud platform Sovereign Public Cloud Data stays in Europe, under European law Data Guardian: Operations and access controlled by European personnel Sovereign controls for policy enforcement Applies to existing Europe cloud datacenter regions with no migration Sovereign Private Cloud Azure Local + Microsoft 365 Local: Integrated cloud and productivity Hybrid or disconnected at your location Validated architecture and partner ecosystem Virtualization services National Partner Clouds For government and critical infrastructure criteria Government approved local operator independent from Microsoft Clouds in Germany (Delos Cloud) and France (Bleu) with local ownership and isolated infrastructure Consistent management and development platform
  19. For customers with extraordinary requirements, we extend our sovereignty offering

    to include the Sovereign Private Cloud We aim to meet all customer needs by helping modernize on-prem environments Customers with high data privacy requirements • Governments, defense, critical infrastructure sectors • Strict data infrastructure control and data storage visibility requirements Geopolitical factors • Unpredictable national foreign policies and growing regulatory complexity • Rising tensions reinforce national data security and business continuity concerns Rise of critical sensitive AI workflows • AI models increasingly trained on sensitive datasets • Increasing demand for innovation without compromising privacy Workflow fragmentation • Fragmented workflows from legacy environments • Inconsistent data policies, and varying regional presence On-prem operational complexity • High effort to maintain, patch, and secure infrastructure • Limited agility to meet evolving security, scalability and workload needs Azure Local Sovereign Private Cloud
  20. Azure Local: One flexible offering for all target use cases

    New! Unified distributed infrastructure service spanning all hardware/scale points Enabled by Azure Arc Embedded/IoT Ex: ASUS NUC Rugged Ex: Lenovo SE100 Tower Ex: Dell T160 Edge Server Ex: HPE DL360 Rack Server Ex: Cisco UCS *Must meet minimum requirements per operating system and solution-level pass validation “Azure Local” Managed Kubernetes/AKS General-Purpose VMs/IaaS Core Infrastructure Services: Compute | Storage | Networking | Availability Host OS: Windows Server | Windows IoT | Azure Linux Azure-based Management Infrastructure management: Provisioning, deployment, full-stack updates, secure by default, catalog/validation, support Workload management: Images/templates, extensions, access control, accelerations, networks, storage paths More in future Virtual apps and desktops Azure IoT operations Azure data services Linux applications Windows applications Azure AI/ML Any app Any type of hardware*
  21. Management and security 4 Operate with unified management and security

    for all your resources Hardware Compute Kubernetes Networking Storage Azure Local Apps, data, and AI 1 Get hardware from your preferred vendor, connect power and network 2 Provision the Azure Local software to form local cloud infrastructure 3 Deploy apps onto cloud-consistent virtual machines and Kubernetes Local Enabled by Azure Arc Region How Azure Local works (connected)
  22. Satisfy regulatory requirements by operating permanently disconnected from the cloud

    Host backend Azure resource manager, portal, and services in local appliance VM Subset of services available: Portal ARM Registries Key Vaults Policy 2 Local Machines Kubernetes Copilot AVD Defender Others 1 : Available only to customers who prequalify based on industry, use case, and other considerations 2 : Partial functionality Infrastructure Infrastructure Control plane Workloads Control plane 1 (appliance VM) Workloads Cloud region Distributed location Azure Local (connected) Azure Local disconnected Introducing disconnected operations (preview) NEW
  23. Azure Local solution categories Visit the Azure Local Catalog to

    discover the current hardware solutions available to fit your edge needs Premier Solutions Turnkey Azure Local solution • Deepest integration and highest level of automation, built through deep engineering collaboration between Microsoft and solution partners • Continuous testing by Microsoft and our partners, to ensure higher reliability and minimal downtime • End-to-end deployment workflows that make it easy to deploy one cluster or a thousand clusters Integrated Systems Single purpose system with pre-installed software • Optimized hardware selection with regular testing for ongoing reliability • Delivered with software pre-installed and security set by default • Validated full-stack updates and native hardware management tools Validated Nodes Broadest choice of hardware components • Choose from a diverse selection of validated hardware from more than 30 partners, or re-use existing validated hardware • Engage with preferred SI for deployment and integration, as needed • On new hardware or check with your OEM or solution provider to ensure you are running a validated solution. In certain cases, you may be able to reuse existing hardware
  24. Sovereign Private Cloud supports extensive Azure-aligned services and workloads, now

    also including Microsoft 365 Local Windows applications Azure AI/ML Provisioning, deployment, lifecycle management, security, updates With the introduction of Sovereign Private Cloud, you can now run your server productivity applications in an Azure Local environment Microsoft 365 Local Exchange Server SharePoint Server Skype for Business Server Windows applications Linux applications Virtual apps and desktops Microsoft 365 Local Azure IoT operations Azure AI/ML Azure data services More in future Azure Local supported workloads Azure Local Managed Kubernetes/AKS General-Purpose VMs/IaaS Core Infrastructure Services: Compute | Storage | Networking | Availability VM OS: Windows Server | Azure Linux Azure-based infrastructure Management OS: Azure Stack HCI OS
  25. What is Microsoft 365 Local? What Microsoft 365 Local is

    ✓ Solution for the most sovereignty sensitive customers needing full jurisdictional support ✓ A more modern alternative for on-premises customers, offering extended operational support and maintenance through Azure Local ✓ Solution that enables offline collaboration with core Microsoft 365 server workloads (Exchange, SharePoint, Skype for Business) What Microsoft 365 Local is not X Set of new features bringing parity to Public Cloud capabilities (e.g., Copilot, Teams) X Self-service deployment without Microsoft Azure or partner coordination X Replacement for Sovereign Public Cloud
  26. Microsoft 365 Local Features Key capabilities (not exhaustive) Microsoft 365

    in Sovereign Public Cloud1 Microsoft 365 On-premises Anti-spam & malware protection DLP & Compliance Policies Exchange MFA & conditional access External sharing SharePoint Version history & autosave Chat and messaging Federation & external access Meeting recording Skype for Business/Teams Audit logging Compliance manager Azure workloads2 Unified control plane Full-stack solution validation Hardened security Infrastructure Integrated infra management Hybrid, disconnected flexibility Sovereign Public Cloud has most advanced capabilities Infrastructure management plane, and extended Azure workloads enabled by Azure Local are the key benefits of running Microsoft 365 workloads in the Sovereign Private Cloud vs. on-prem environments Microsoft 365 workloads have similar capabilities across Sovereign Private Cloud and on-prem environments Illustrative representation of key capabilities when running Microsoft 365 across different environments (not entirety of features) • Full availability • Partial / limited availability − No availability 1. Comparison includes key Microsoft 365 capabilities equivalent to Public Cloud, therefore for this comparison is not including other distinct Sovereign Public Clouds features such as data guardian, external key management; 2. E.g., VMs, K8, AI workloads Modern auth through ADFS Additional infrastructure required Microsoft 365 Local (in Sovereign Private Cloud)
  27. Preview GA 2024 H2 2025 H1 2025 H2 2026 H1

    Forward-looking roadmap is always subject to change. Azure Local (public) product roadmap Azure Arc gateway for simpler connectivity Zero-touch OS provisioning from cloud Day N cluster/storage/network management Advanced update scheduling and rings For VMs and container-based apps Right-sized solutions on broad hardware choices Advanced security by default Out of the box cloud-based operation Migrate from VMware Hydrate pre-existing VMs into Azure Arc VMs features: day N operations, OS disk, gallery, connect Local AI services Low-spec, low-cost hardware options Local identities (no on-prem Active Directory) Rack-aware clustering to replicate between rooms Disconnected operations Remediate Defender recommendations Network security groups Trusted launch with attestation Confidential computing
  28. What does Microsoft 365 Local mean for the long-term

    support for on-premises server products? With the introduction of the Sovereign Private Cloud, we are committing to providing support for Microsoft 365 Server products at least through 2035 2025 – Today 2035 Exchange Server SharePoint Server Skype for Business Server Plan with confidence With the latest Sovereign offering extension, we want to ensure that our customers can plan long-term knowing their server workloads will remain supported Consistent support across deployments Server productivity products will receive support, when deploying Microsoft 365 as part of the Sovereign Private Cloud1 or independently Microsoft offers and maintains products in accordance with the Modern Lifecycle Policy2 1. Microsoft 365 Local will allow customers to run the Subscription Edition (SE) version of the core server productivity products on Azure Local; 2. https://learn.microsoft.com/en-us/lifecycle/policies/modern
  29. https://aka.ms/M365LocalSignup REALLY GOOD TO KNOW – Limits and Options Microsoft

    365 Local • is in private preview NOW. Planned GA: end of the year in European markets. • preview is restricted to customers who have an Enterprise Agreement • is supported only on Premier tier solutions Microsoft 365 Copilot is not available in Microsoft 365 Local
  30. Microsoft Sovereign Cloud Most comprehensive set of sovereignty solutions, with

    integrated productivity, security and cloud platform Sovereign Public Cloud Data stays in Europe, under European law Data Guardian: Operations and access controlled by European personnel Sovereign controls for policy enforcement Applies to existing Europe cloud datacenter regions with no migration Sovereign Private Cloud Azure Local + Microsoft 365 Local: Integrated cloud and productivity Hybrid or disconnected at your location Validated architecture and partner ecosystem Virtualization services National Partner Clouds For government and critical infrastructure criteria Government approved local operator independent from Microsoft Clouds in Germany (Delos Cloud) and France (Bleu) with local ownership and isolated infrastructure Consistent management and development platform
  31. Purpose of National Partner Clouds Provides an independently owned and

    operated Azure & Microsoft 365 environment. Independent Ownership Enables jurisdictions whose laws prohibit reliance on a U.S.–owned cloud. National Control Serves ministries and security-sensitive agencies needing in-country hosting. Sovereign Requirement Microsoft cedes day-to-day operational control to a nationally governed operator. Operations Examples: • Germany | Delos Cloud (designed to meet BSI Cloud requirements) • France | Bleu (designed to meet SecNumCloud requirements).
  32. Regulatory compliance: ・ Align with regulatory compliance requirements using Azure-native

    tools ・ Enforces consistent management, policy, and naming schemas for a reliable deployment environment Operational efficiency: ・ Easily configurable and deployable with a single script ・ Leverages automation for smooth setup ・ Follows the Cloud Adoption Framework for easy integration Sovereign Landing Zones Sovereign Landing Zones are now available in all 15 EU/EFTA cloud regions Learn more Learn more
  33. The “secret-sauce”!

    • Azure Bicep version – GA • Azure Terraform version – Public Preview! GA is expected end of Sep. '25 Source: SLZ with Terraform Source: SLZ with Bicep
  34. Sovereign AI: Confidential inferencing with Azure OpenAI Service Enterprise Cloud

    AI application Data Prompts Responses OHTTP proxy Encrypted prompts Encrypted responses Azure OpenAI service front door Azure Confidential GPU VM OHTTP Gateway Azure OpenAI Whisper OS + GPU driver vTPM NVIDIA H100 Tensor core GPU (Confidential mode) Private key release Attested public key Key Management service Azure Attestation service
  35. Microsoft Sovereign Cloud supports full spectrum of digital sovereignty scenarios

    No cloud provider access Fully disconnected environments 100+ compliance frameworks Data residency & geoblocking Business continuity
  36. Learn more about Microsoft Sovereign Cloud Watch the announcement 1

    Read the blog: Announcing comprehensive sovereign solutions empowering European organizations 2 Public Website: Microsoft Sovereign Cloud 3 Get Skilled UP: MSFT-SovCloud-Skilling Path 4 Register for Microsoft Ignite - November 18–21, 2025
  37. Oliver Dörr Field CTO – EMEA Enterprise Partner [email protected] Patrick

    Fontana Cloud & AI Sr. Specialist [email protected] Thank you very much! Azure UserGroup B-E-R-N