
Can your data be SOVEREIGN WITH Microsoft?

"Can your data be SOVEREIGN WITH Microsoft?" by Oliver Dörr and Patrick Fontana

Oliver and Patrick will provide a comprehensive overview of Microsoft Cloud for Sovereignty and the Sovereign Solution Stack.
Oliver and Patrick will cut through the noise of recent announcements, offering clarity on how Azure Local and M365 Local are integral components of Microsoft's sovereignty story.

They will delve into what's next for Cloud for Sovereignty and explore practical applications, demonstrating how enterprises and partners can effectively leverage Cloud for Sovereignty in real-world scenarios.
This is a must-attend session for anyone looking to understand the evolving landscape of data residency, compliance, and control within the Microsoft ecosystem.

We will also get news on Azure Local & Rack Aware deployments as well as Azure Local in disconnected mode & Sovereign AI.

Azure Zurich User Group

April 18, 2026

Transcript

  1. How to benefit from the Microsoft Cloud for Sovereignty
     Zurich, 19th March 2026
     Oliver Dörr, Field CTO EMEA Enterprise Partners, https://www.linkedin.com/in/oliver-doerr
     Patrick Fontana, Cloud & AI Sr Specialist, https://www.linkedin.com/in/p-fontana/
  2. Sources:
     Swiss Airline Magazine – ABOVE the CLOUDS
     https://www.linkedin.com/posts/katrinpeter_stra%C3%9Fburg-sendet-ein-signal-die-zeit-der-activity-7420417042643718144-agn5
     https://www.linkedin.com/posts/carlabuenger_azure-was-down-last-week-on-a-global-scale-activity-7391834539066634240-OLak
     https://www.capgemini.com/news/press-releases/capgemini-partners-with-microsoft-to-enable-resilient-and-trusted-digital-transformation-for-clients-with-integrated-sovereignty-solutions/
     https://www.pwc.com/gx/en/services/alliances/microsoft/cloud-sovereignty-without-compromise.html
  3. Agenda – Microsoft Sovereign Cloud Insights
     WHAT / HOW / HOW TO / QnA
     SPOILER: YES – you will get the slides ☺
  4. Sovereignty Maturity
     Maturity diagram with three stages: Sovereignty - Basics, Sovereignty - Advanced, Sovereignty - Master.
     Labels on the diagram: Basics Configuration, Advanced Configuration, Innovation; "Compliance / Transparency", "Environment", "Control Grade"; Reduce operational risk, Program, Unify Operation Model, Think it "End-to-End", Becoming "Frontier".
  5. Sovereignty Maturity (key function points)
     Same maturity diagram as the previous slide (Basics / Advanced / Master; Basics Configuration, Advanced Configuration, Innovation; "Compliance / Transparency", "Environment", "Control Grade"; Reduce operational risk, Program, Unify Operation Model, Think it "End-to-End", Becoming "Frontier"), with the key function points placed on it:
     • Contractual Amendment
     • Hybrid or Autarky Solution
     • Transparency & Compliance Log
     • Confidential Compute & Services / Key Mgmt
     • SLZ / ARC-enabled / Azure Local
     • Data Guardian & Regulated Environment Mgmt (REM)
     • SLZ / ARC / Local over Terraform / Bicep / ARM
     • Swiss Cloud Operations (Extended Log & Telemetry Screening)
     • SLZ / Azure ARC & Workload Orchestration, Azure Autoscale in Sovereign
     • Sovereign Control Portfolio
     • Network Security Perimeter / Direct Route NPC
     • EU Data Boundary / Emergency Code Residence / Policy
     • Sovereign AI (Foundry / Foundry Local / AI on Confidential Compute)
  6. Digital sovereignty is the capability to participate in the digital economy securely, independently and with self-determined controls.
     The digital sovereignty landscape is evolving, driven by growing consideration for data security, compliance and regulatory standards, and global trade and geopolitical issues.
     Our approach to digital sovereignty:
     • Available to all: Digital sovereignty is a foundational capability of Microsoft services.
     • Well-governed controls: Delivered through technical, contractual, and operational measures.
     • Workload dependent: Sovereign control requirements vary based on sensitivity and criticality.
  7. Microsoft Sovereign Cloud – Comprehensive spectrum of digital sovereignty capabilities, across integrated productivity, security and cloud platform workloads
     Sovereign Public Cloud
     • Technical, operational and contractual controls built into Microsoft Cloud services to meet digital sovereignty requirements
     • Continuous innovation and improvements without the need for re-design or migration
     Sovereign Private Cloud
     • Hybrid or disconnected cloud services on customer infrastructure
     • Supports building solutions on cloud services that are portable across public and private environments in case requirements change
     National Partner Clouds
     • Specialized cloud environments with Microsoft 365 and Azure services, for critical infrastructure workloads to meet local ownership criteria
       - Germany: Delos Cloud, designed to meet BSI Cloud requirements
       - France: Bleu, designed to meet SecNumCloud requirements
       - Switzerland: Partner Hosted Azure Local option in creation (announcement in the next weeks)
     Consistent management and development platform; sovereign controls
  8. Microsoft's new European digital commitments
     1. We will help build a broad AI and cloud ecosystem across Europe.
     2. We will uphold Europe's digital resilience even when there is geopolitical volatility.
     3. We will continue to protect the privacy of European data.
     4. We will always help protect and defend Europe's cybersecurity.
     5. We will help strengthen Europe's economic competitiveness, including for open source.
  9. Microsoft's European Digital Commitments – 2: We will uphold Europe's digital resilience even when there is geopolitical volatility.
     • A European cloud for Europe
     • A Digital Resilience Commitment
     • Business Continuity partnerships
  10. Contractual Risk Mitigation – these amendments are required:
     • M248
     • add. M1186 (DORA)
     • M329 (Swiss Standard)
     • M744 (Professional secret / Confidential provisioning)
     • M453 (FINMA)
     • "CAPS" Regional Amendments (on special request)
  11. Think of it – what's easier?
     • Trick an employee of the "victim" company who has the right permissions to the relevant data into a social engineering trap or a phishing mail?
     • Process the Microsoft legal court route in order to get the data you want from your "victim", while even ending up with encrypted data rubbish due to customer-managed key encryption?
  12. Microsoft Sovereign Cloud – Most comprehensive set of sovereignty solutions, with integrated productivity, security and cloud platform
     Sovereign Public Cloud
     • Data stays in Europe, under European law
     • Data Guardian: Operations and access controlled by European personnel
     • Sovereign controls for policy enforcement
     • Applies to existing Europe cloud datacenter regions with no migration
     Sovereign Private Cloud
     • Azure Local + Microsoft 365 Local: Integrated cloud and productivity
     • Hybrid or disconnected at your location
     • Validated architecture and partner ecosystem
     • Virtualization services
     National Partner Clouds
     • For government and critical infrastructure criteria
     • Government approved local operator independent from Microsoft
     • Clouds in Germany (Delos Cloud) and France (Bleu) with local ownership and isolated infrastructure
     Consistent management and development platform
  13. Digital sovereignty with Microsoft Sovereign Cloud – Participate in the digital economy securely, independently and with self-determined controls
     Operational Controls and Data Controls shown on the slide: Data Guardian, Regulated Environment Management, External Key Management, Azure Key Vault Managed HSM, Azure Key Vault Premium, Customer Lockbox, Azure Confidential Computing, Sovereign Landing Zones, Network Security Perimeter
  14. Network Security Perimeter (NSP)
     Plan:
     • Restrict public exposure of Azure services. Manage inbound and outbound access for resources within the perimeter. Secure by default by denying access from unauthorized networks.
     • Secures PaaS-to-PaaS service communications and prevents data exfiltration.
     Deploy:
     • Azure Portal, PowerShell, CLI, or Infrastructure-as-Code (IaC) (ARM/Bicep)
     • Define a clear profile:
       - 3 modes (Learning / Enforced / SecuredByPerimeter)
       - Inbound rule / Outbound rule / Limits
     Operate:
     • Gain visibility into any connections and monitor access to resources in the perimeter
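The perimeter the slide describes, written out in Bicep as an added example (not code from the deck or from Microsoft): a profile, one inbound and one outbound access rule, a Key Vault set to SecuredByPerimeter as the protected PaaS resource, and an association that starts in Learning mode and is switched to Enforced by parameter. Resource names, address ranges, FQDNs and API versions are assumptions.

```bicep
// Added example (not from the deck). API versions below are assumptions; check the
// current ARM reference for Microsoft.Network/networkSecurityPerimeters before use.
@description('Region for all resources (assumed example value).')
param location string = 'switzerlandnorth'

@description('Learning only logs would-be denials; Enforced blocks them.')
@allowed(['Learning', 'Enforced'])
param accessMode string = 'Learning'

@description('Public ranges allowed inbound. Constructed example range (RFC 5737).')
param allowedInboundPrefixes array = ['203.0.113.0/24']

@description('FQDNs the perimeter may reach outbound (constructed example).')
param allowedOutboundFqdns array = ['hsm.example.org']

// The perimeter itself: a boundary that PaaS resources are associated with.
resource nsp 'Microsoft.Network/networkSecurityPerimeters@2023-08-01-preview' = {
  name: 'nsp-sovereign-example'
  location: location
}

// A profile groups the access rules that associated resources inherit.
resource profile 'Microsoft.Network/networkSecurityPerimeters/profiles@2023-08-01-preview' = {
  parent: nsp
  name: 'profile-restricted'
  location: location
}

// Inbound rule: only the listed public prefixes may reach perimeter resources.
resource inboundRule 'Microsoft.Network/networkSecurityPerimeters/profiles/accessRules@2023-08-01-preview' = {
  parent: profile
  name: 'allow-corp-inbound'
  location: location
  properties: {
    direction: 'Inbound'
    addressPrefixes: allowedInboundPrefixes
  }
}

// Outbound rule: perimeter resources may only call the listed FQDNs (exfiltration control).
resource outboundRule 'Microsoft.Network/networkSecurityPerimeters/profiles/accessRules@2023-08-01-preview' = {
  parent: profile
  name: 'allow-hsm-outbound'
  location: location
  properties: {
    direction: 'Outbound'
    fullyQualifiedDomainNames: allowedOutboundFqdns
  }
}

// Example protected PaaS resource: a Key Vault whose public reachability is
// decided solely by the perimeter rules (SecuredByPerimeter), not by its own firewall.
resource kv 'Microsoft.KeyVault/vaults@2024-11-01' = {
  name: 'kv-nsp-${uniqueString(resourceGroup().id)}'
  location: location
  properties: {
    sku: { family: 'A', name: 'premium' }
    tenantId: subscription().tenantId
    enableRbacAuthorization: true
    publicNetworkAccess: 'SecuredByPerimeter'
  }
}

// Association binds the vault to the profile and carries the access mode.
resource assoc 'Microsoft.Network/networkSecurityPerimeters/resourceAssociations@2023-08-01-preview' = {
  parent: nsp
  name: 'assoc-kv'
  location: location
  properties: {
    privateLinkResource: { id: kv.id }
    profile: { id: profile.id }
    accessMode: accessMode
  }
}
```

Deploy once with accessMode=Learning, review the perimeter's access logs for connections that would have been denied, then redeploy with accessMode=Enforced.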
  15. Sovereign Policies – Building a platform for tailored and unique needs
     Microsoft Sovereign Cloud offers an integrated solution that combines the scale and power of public cloud technology with advanced sovereignty controls and local policy enforcement.
     • Customer specific: Additional functional requirements addressing customer performance, workload functionality, and partner/government operational models.
     • Policy Portfolio: The Policy Portfolio offers a library of policy initiatives aligned to established regulatory frameworks, addressing industry and/or regional concerns. It helps to enforce organizational standards, assess compliance at scale, and facilitates cloud adoption.
     • SLZ Baseline: Sovereign Landing Zone (SLZ) Baseline policies establish guardrails that address sovereignty concerns and enable organizations to run workloads within the confines of the sovereign service and associated configurations.
     • Security baseline: Security Baselines define and deploy common security best practices for several standards, including Azure Security Baseline, which relies on core Azure capabilities and underlying Microsoft security responsibilities.
  16. Regulated Environment Management (REM)
     Plan:
     • Configure Data Guardian
     • Tailor landing zone configurations designed for sovereignty
     • Limit deployment locations to EU and EFTA regions
     Deploy:
     • Portal, API and SDK processes supported
     • Enables consistent and repeatable sovereign environments
     Operate:
     • Access Data Guardian logs
     REM will be available to existing customers of our European cloud services in all 15 EU/EFTA cloud regions.
  17. External Key Management – Customer keys in an HSM physically controlled by the customer. No availability SLA from Microsoft.
     Customer has physical control over the HSM:
     • Supports scenarios where the customer is obligated by compliance or regulatory reasons to physically control the HSM
     • Customers can connect Azure to keys stored on their own Hardware Security Module (HSM) deployed on-premises or hosted by a third party.
     • Gives physical control over the HSM, but impacts availability SLA and support
     Supported HSM manufacturers include: (vendor logos on slide)
     External Key Management support will be available in all 15 EU/EFTA cloud regions.
  18. Key Management Solutions – How to choose the right key management solution
     Options compared: AKV Standard, AKV Premium, Azure Key Vault Managed HSM, Azure Dedicated HSM, Azure Payment HSM, External Key Management (coming soon).
     • What level of compliance do you need? AKV Standard: FIPS 140-2 level 1; AKV Premium: FIPS 140-2 level 2; Managed HSM: FIPS 140-2 level 3, PCI DSS, PCI 3DS; Dedicated HSM: FIPS 140-2 level 3, HIPAA, PCI DSS, PCI 3DS, eIDAS; Payment HSM: FIPS 140-2 level 3, PCI HSM v3, PCI PTS HSM v3, PCI DSS, PCI 3DS, PCI PIN; External Key Management: coming soon.
     • Do you need key sovereignty? AKV Standard: No; AKV Premium: No; Managed HSM: Yes; Dedicated HSM: Yes; Payment HSM: Yes
     • What kind of tenancy are you looking for? AKV Standard: Multitenant; AKV Premium: Multitenant; Managed HSM: Single Tenant; Dedicated HSM: Single Tenant; Payment HSM: Single Tenant
     • What are your use cases? AKV Standard: Encryption at Rest, CMK, custom; AKV Premium: Encryption at Rest, CMK, custom; Managed HSM: Encryption at Rest, TLS Offload, CMK, custom; Dedicated HSM: PKCS11, TLS Offload, code/document signing, custom; Payment HSM: Payment PIN processes, custom
     • Do you want HSM hardware protection? AKV Standard: No; AKV Premium: Yes; Managed HSM: Yes; Dedicated HSM: Yes; Payment HSM: Yes
     • What is your budget? AKV Standard: $; AKV Premium: $$; Managed HSM: $$$; Dedicated HSM: $$$; Payment HSM: $$$$
     • Who takes responsibility for patching and maintenance? AKV Standard: Microsoft; AKV Premium: Microsoft; Managed HSM: Microsoft; Dedicated HSM: Microsoft; Payment HSM: Customer
     • Who takes responsibility for service health and hardware failover? AKV Standard: Microsoft; AKV Premium: Microsoft; Managed HSM: Shared; Dedicated HSM: Shared; Payment HSM: Customer
     • What kind of objects are you using? AKV Standard: Asym Keys, Secrets, Certs; AKV Premium: Asym Keys, Secrets, Certs; Managed HSM: Asym/Sym Keys; Dedicated HSM: Asym/Sym Keys, Certs; Payment HSM: Local Master Key
     • Root of trust control: AKV Standard: Microsoft; AKV Premium: Microsoft; Managed HSM: Customer; Dedicated HSM: Customer; Payment HSM: Customer
  19. Microsoft Sovereign Cloud – Most comprehensive set of sovereignty solutions, with integrated productivity, security and cloud platform
     Sovereign Public Cloud
     • Data stays in Europe, under European law
     • Data Guardian: Operations and access controlled by European personnel
     • Sovereign controls for policy enforcement
     • Applies to existing Europe cloud datacenter regions with no migration
     Sovereign Private Cloud
     • Azure Local + Microsoft 365 Local: Integrated cloud and productivity
     • Hybrid or disconnected at your location
     • Validated architecture and partner ecosystem
     • Virtualization services
     National Partner Clouds
     • For government and critical infrastructure criteria
     • Government approved local operator independent from Microsoft
     • Clouds in Germany (Delos Cloud) and France (Bleu) with local ownership and isolated infrastructure
     Consistent management and development platform
  20. For customers with extraordinary requirements, we extend our sovereignty offering to include the Sovereign Private Cloud
     We aim to meet all customer needs by helping modernize on-prem environments.
     Customers with high data privacy requirements
     • Governments, defense, critical infrastructure sectors
     • Strict data infrastructure control and data storage visibility requirements
     Geopolitical factors
     • Unpredictable national foreign policies and growing regulatory complexity
     • Rising tensions reinforce national data security and business continuity concerns
     Rise of critical sensitive AI workflows
     • AI models increasingly trained on sensitive datasets
     • Increasing demand for innovation without compromising privacy
     Workflow fragmentation
     • Fragmented workflows from legacy environments
     • Inconsistent data policies, and varying regional presence
     On-prem operational complexity
     • High effort to maintain, patch, and secure infrastructure
     • Limited agility to meet evolving security, scalability and workload needs
     Azure Local – Sovereign Private Cloud
  21. Azure Local: One flexible offering for all target use cases
     New! Unified distributed infrastructure service spanning all hardware/scale points, enabled by Azure Arc.
     Any type of hardware*: Embedded/IoT (ex: ASUS NUC), Rugged (ex: Lenovo SE100), Tower (ex: Dell T160), Edge Server (ex: HPE DL360), Rack Server (ex: Cisco UCS)
     *Must meet minimum requirements per operating system and solution-level pass validation
     "Azure Local": Managed Kubernetes/AKS; General-Purpose VMs/IaaS
     Core Infrastructure Services: Compute | Storage | Networking | Availability
     Host OS: Windows Server | Windows IoT | Azure Linux
     Azure-based Management
     • Infrastructure management: Provisioning, deployment, full-stack updates, secure by default, catalog/validation, support
     • Workload management: Images/templates, extensions, access control, accelerations, networks, storage paths
     Workloads: Virtual apps and desktops, Azure IoT Operations, Azure data services, Linux applications, Windows applications, Azure AI/ML, any app; more in future
  22. Low-spec, low-cost options for edge use cases (NEW)
     Azure Stack HCI requirements at launch vs. Azure Local requirements at launch (1):
     • Windows Server certified → Windows Server certified
     • Min. 2+ machines → 1+ machine
     • Min. 4+ disks per machine → 1+ SSD per machine (2)
     • Min. 10 Gbps w/ RDMA → 1 Gbps/2.5 Gbps Ethernet (3)
     • Active Directory required → Doesn't require AD (4)
     1: Reduced requirements allowed up to a maximum of a 3-node cluster
     2: Excludes OS boot disk
     3: Must support Hyper-V virtualization
     4: In preview now, coming 2025
     Example possible solutions, pending validation: HPE MicroServer Gen11 (micro tower server); SuperMicro SYS-E302 (fan-less server); Lenovo ThinkEdge SE350v2 (half-width, half-depth 1U); Dell MC-4000r/z + MC-4510c (rugged two-sled chassis)
  23. How Azure Local works (connected) – Enabled by Azure Arc (local site ↔ Azure region)
     1. Get hardware from your preferred vendor, connect power and network
     2. Provision the Azure Local software to form local cloud infrastructure
     3. Deploy apps onto cloud-consistent virtual machines and Kubernetes
     4. Operate with unified management and security for all your resources: hardware, compute, Kubernetes, networking, storage; apps, data, and AI
  24. Satisfy regulatory requirements by operating permanently disconnected from the cloud – Disconnected operations (GA - NOW) NEW
     Host backend Azure Resource Manager, portal, and services in a local appliance VM (control plane (1)). Subset of services available: Portal, ARM, Registries, Key Vaults, Policy (2), Local Machines, Kubernetes, Copilot, AVD, Defender, Others
     Azure Local (connected): control plane in the cloud region, infrastructure and workloads at the distributed location. Azure Local disconnected: control plane (appliance VM), infrastructure and workloads all at the distributed location.
     1: Available only to customers who prequalify based on industry, use case, and other considerations
     2: Partial functionality
     Sign up to become an Azure Local disconnected approved partner: https://aka.ms/az-local-disconnected-operations-prequalify
  25. Azure Local solution categories – Visit the Azure Local Catalog to discover the current hardware solutions available to fit your edge needs
     Premier Solutions – Turnkey Azure Local solution
     • Deepest integration and highest level of automation, built through deep engineering collaboration between Microsoft and solution partners
     • Continuous testing by Microsoft and our partners, to ensure higher reliability and minimal downtime
     • End-to-end deployment workflows that make it easy to deploy one cluster or a thousand clusters
     Integrated Systems – Single purpose system with pre-installed software
     • Optimized hardware selection with regular testing for ongoing reliability
     • Delivered with software pre-installed and security set by default
     • Validated full-stack updates and native hardware management tools
     Validated Nodes – Broadest choice of hardware components
     • Choose from a diverse selection of validated hardware from more than 30 partners, or re-use existing validated hardware
     • Engage with preferred SI for deployment and integration, as needed
     • Run on new hardware, or check with your OEM or solution provider to ensure you are running a validated solution. In certain cases, you may be able to reuse existing hardware.
  26. What is Microsoft 365 Local (NOT)?
     What Microsoft 365 Local is:
     ✓ Solution for the most sovereignty-sensitive customers needing full jurisdictional support
     ✓ A more modern alternative for on-premises customers, offering extended operational support and maintenance through Azure Local
     ✓ Solution that enables offline collaboration with core Microsoft 365 server workloads (Exchange, SharePoint, Skype for Business)
     What Microsoft 365 Local is not:
     X Set of new features bringing parity to Public Cloud capabilities (e.g., Copilot, Teams)
     X Self-service deployment without Microsoft Azure or partner coordination
     X Replacement for Sovereign Public Cloud
  27. Microsoft 365 Local Features – Key capabilities (not exhaustive)
     Illustrative representation of key capabilities when running Microsoft 365 across different environments (not entirety of features). Environments compared: Microsoft 365 in Sovereign Public Cloud (1), Microsoft 365 Local (in Sovereign Private Cloud), Microsoft 365 On-premises. Legend: full availability / partial or limited availability / no availability (per-environment ratings shown on slide).
     Workload areas: Exchange, SharePoint, Skype for Business/Teams, Infrastructure.
     Capabilities compared: Anti-spam & malware protection; DLP & Compliance Policies; MFA & conditional access; External sharing; Version history & autosave; Chat and messaging; Federation & external access; Meeting recording; Audit logging; Compliance manager; Azure workloads (2); Unified control plane; Full-stack solution validation; Hardened security; Integrated infra management; Hybrid, disconnected flexibility.
     Call-outs: Modern auth through ADFS; Additional infrastructure required.
     Takeaways:
     • Sovereign Public Cloud has the most advanced capabilities.
     • The infrastructure management plane and extended Azure workloads enabled by Azure Local are the key benefits of running Microsoft 365 workloads in the Sovereign Private Cloud vs. on-prem environments.
     • Microsoft 365 workloads have similar capabilities across Sovereign Private Cloud and on-prem environments.
     1. Comparison includes key Microsoft 365 capabilities equivalent to Public Cloud; therefore this comparison does not include other distinct Sovereign Public Cloud features such as Data Guardian and External Key Management.
     2. E.g., VMs, K8s, AI workloads
  28. Azure Local as a SUCCESS – a JOINT responsibility!
     • Prerequisites to deploy Azure Local, version 23H2
     • Firewall requirements for Azure Local
     • Compare Azure Local to Windows Server – Key Differences and Benefits
  29. Sovereign Landing Zones
     Regulatory compliance:
     • Align with regulatory compliance requirements using Azure-native tools
     • Enforces consistent management, policy, and naming schemas for a reliable deployment environment
     Operational efficiency:
     • Easily configurable and deployable with a single script
     • Leverages automation for smooth setup
     • Follows the Cloud Adoption Framework for easy integration
     Sovereign Landing Zones are now available in all 15 EU/EFTA cloud regions.
  30. The "secret sauce"!
     • Azure Bicep version – GA (Source: SLZ with Bicep)
     • Azure Terraform version – GA (Source: SLZ with Terraform)
  31. Bring Azure's app, data, and AI services anywhere
     Subset of Azure services extended to the edge, enabled by Azure Arc. Azure Local delivers a consistent Azure IaaS foundation to run CNCF-compliant 3P OSS anywhere.
     Cloud (thousands of services and tools available in Azure regions and more still coming). Azure services and tools shown: Table Storage, Virtual Network, Blob Storage, Load Balancer, Gateway, Monitor, Copilot, Cost Mgmt, Sentinel, Defender, Portal, CLI, Key Vault, Marketplace, Firewall, Queue Storage, File Services, Entra ID, Update Manager, Policy, App Services, Functions, Virtual Machines, Kubernetes, Container Apps, RedShift, OpenShift, Container Registry, Synapse, Virtual Desktop, API Mgmt, DevOps, M365, SQL, PostgreSQL, Cosmos DB, AI Agent Services, AI Foundry, AI Search, OpenAI, AI Translator, Databricks, AI Speech, AI Language, AI Custom Vision, AI Document Intelligence, AI Face, AI Immersive Reader, AI Bot Service, AI Content Safety, Machine Learning, AI Video Indexer
     On-Premises: limited set of Azure services extended to the disconnected edge. Services shown for Azure Local (connected) and Azure Local (disconnected), grouped as on the slide:
     • Management & Security: Site Recovery, Copilot, Defender, Sentinel, Key Vault, Backup, Logical Network, Resource Manager, Monitor, Portal, CLI, Entra ID, Policy
     • Workloads & Applications: Virtual Machines, Kubernetes, Migrate, IoT Operations, Container Apps, Container Registry, M365 Local, Skype, Virtual Desktop
     • Data & AI: Machine Learning, SQL, Video Indexer*, AI Local Search*, AI Agent Services*, AI Translator, AI Speech, AI Language, Document Intelligence, Content Safety, Open-Source AI Model catalog, Edge RAG, Foundry Local
     *Planned for CY26
  32. Microsoft Sovereign Cloud supports the full spectrum of digital sovereignty scenarios
     • No cloud provider access
     • Fully disconnected environments
     • 100+ compliance frameworks
     • Data residency & geoblocking
     • Business continuity
  33. Sovereignty approach comes down to:
     • Potential threats: Identifying the potential threats and legal requirements.
     • Customer considerations: Implementation strategy shaped by timelines and risk tolerance, emphasizing cost and complexity considerations.
     • Provider readiness: Microsoft delivers contractual clauses, capabilities and optional solutions to meet customer and industry requirements.
     Core Sovereign Requirements
     • Data Sovereignty: Lawful access, Data residency, …
     • Operational Sovereignty: Service Availability, Service Termination, Trade ban, Personal Sanction, …
     • Legal Sovereign Requirements: Regulations, Law, …
     • Third-party Risk Oversight: End-to-end vendor risk governance
     Customer considerations
     • Risk appetite, Timelines, Mitigating controls, Workload classification, Control Mapping (SCF), Compliance Reporting, Residual Risk
     • Secure by default, Zero Trust, Tooling, Concept
     • Architecture Principles: Movable workloads, Movable data, Abstractions: Arc, Dapr
     • Supporting tech: Azure Local, M365 Local, Zero Trust Patterns
     Microsoft's sovereign controls
     • Legal Foundation: Contractual clauses, Legal track record, EU commitments, EU data boundary
     • Local investments: Locations under local entity, Operated by EU personnel, Under EU Board of directors, Escrow & partner handover
     • Platform capabilities: Customer Managed Keys, Confidential Compute, Regulated Environment Manager, Customer Lockbox, Operational Transparency, Sovereign / Partner / Private Cloud
  34. Sovereign cloud – a joint adoption journey
     1. Assess – Perform an assessment: Evaluate the customer's data estate and workloads against sovereignty and regulatory needs. Use Microsoft's Cloud Adoption Framework and Sovereign Landing Zone as baselines for governance and policy alignment.
     2. Advise – Drive conversations with facts and data: Lead with proof points: EU Data Boundary completion, Data Guardian, External Key Management, and Regulated Environment Management. Reinforce Microsoft's track record in defending customer data legally and technically, to replace fear with confidence.
     3. Accelerate – Establish Trust → Pilot → Deploy: Build customer trust through transparent assessments and joint POCs to validate controls in their own context. Start with Sovereign Public Cloud POCs; expand to Private Cloud only where specific isolation or jurisdiction is mandated.
  35. Learn more about Microsoft Sovereign Cloud
     1. Watch the announcement
     2. Read the blog: Announcing comprehensive sovereign solutions empowering European organizations
     3. Public website: Microsoft Sovereign Cloud
     4. Get skilled up: MSFT-SovCloud-Skilling Path
  36. LevelUp: Accelerating Partner Success with On-Demand Skilling
     • On-Demand Partner Enablement: Access comprehensive training resources anytime to accelerate partner onboarding and skill development.
     • Be Project-Ready: Equip teams with the knowledge and tools needed to confidently deliver on real-world projects from day one.
     • Integrated Hands-On Labs: Reinforce learning through immersive, practical lab environments that simulate real business scenarios.
     • End-to-End Enablement, Sales, Presales & Technical: Deliver role-specific training that empowers sales, presales, and technical teams with the skills to drive results.
     Sign up today: skillupwithlevelup.com
     18K+ enrollments | 55+ AI courses | 84 courses with labs | 10+ years of successful training
     LevelUp | Sponsored by Microsoft
  37. Oliver Dörr, Field CTO – EMEA Enterprise Partner, [email protected]
     Patrick Fontana, Cloud & AI Sr. Specialist – Public Sector, [email protected]
     Merci vielmals! Azure UserGroup Z-U-R-I-C-H