International Criminal Court Abandons Microsoft 365 Over US Data Access Concerns

The International Criminal Court's decision to migrate away from Microsoft 365 highlights critical sovereignty risks that European organisations can no longer ignore—risks that Sovereign Sky helps enterprises navigate and resolve.

ICC's Digital Sovereignty Wake-Up Call

The International Criminal Court (ICC) has taken the extraordinary step of abandoning Microsoft Office 365, citing insurmountable concerns over US government access to sensitive judicial data. This decision by one of the world's most security-conscious institutions sends a stark warning to European enterprises: reliance on US hyperscalers creates unacceptable sovereignty and compliance risks.

The ICC's move wasn't motivated by service quality or cost—it was driven by the fundamental conflict between American law and European digital autonomy. Under the US CLOUD Act, Microsoft and other American technology providers can be compelled to hand over data stored anywhere in the world, regardless of local privacy laws or international agreements.

For an institution prosecuting war crimes and crimes against humanity, this represented an existential threat to judicial independence and witness protection.

The CLOUD Act: A Sovereignty Minefield

The US Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018 grants American law enforcement agencies extraterritorial reach over data controlled by US companies, even when stored on European soil. This creates a direct collision with European data sovereignty principles enshrined in GDPR, NIS2, and DORA.

The ICC discovered what many European organisations are only beginning to recognise: contractual commitments and data residency options from US providers offer no protection against lawful American government demands. Microsoft's assurances about European data centres become meaningless when the parent company remains subject to US jurisdiction.

This isn't theoretical. European regulators have repeatedly raised alarms about US hyperscaler compliance with EU law, and organisations in regulated sectors face mounting pressure to demonstrate genuine data sovereignty.

Beyond the Courthouse: Your Organisation's Risk

The ICC's situation may seem extreme, but the underlying sovereignty challenges apply across European enterprises:

Telecommunications providers handling customer communications data face NIS2 requirements for supply chain security and incident reporting. Reliance on US cloud infrastructure introduces dependencies that regulators increasingly view as unacceptable risks.

Financial institutions must comply with DORA's digital operational resilience requirements, including stringent ICT third-party risk management. US hyperscaler dependencies create concentration risk and potential regulatory friction.

MVNOs and communications service providers managing subscriber data under the ePrivacy Directive face particular exposure. The CLOUD Act's extraterritorial reach directly conflicts with European telecommunications confidentiality obligations.

Critical infrastructure operators under the Critical Entities Resilience (CER) Directive must demonstrate resilience against supply chain risks—including geopolitical dependencies on non-European technology providers.

The question isn't whether your organisation faces these risks. It's whether you've assessed and addressed them before regulators or security incidents force your hand.

The Hyperscaler Lock-In Trap

The ICC's migration also highlights another critical challenge: extracting yourself from US hyperscaler ecosystems isn't straightforward. Organisations become deeply embedded through proprietary services, APIs, identity systems, and architectural patterns designed to maximise switching costs.

This vendor lock-in compounds sovereignty risks. Even organisations recognising the CLOUD Act problem often feel trapped by:

• Technical dependencies on proprietary hyperscaler services without European equivalents

• Skills gaps as teams become fluent in AWS, Azure, or Google Cloud but lack multi-cloud or European provider expertise

• Migration complexity requiring significant architecture redesign and business disruption

• Budget constraints making large-scale cloud migration projects difficult to justify and fund

The result? European organisations remain dependent on US infrastructure despite clear regulatory, security, and sovereignty imperatives to reduce that dependency.

Sovereign Sky: Your Path to Digital Autonomy

This is precisely the challenge Sovereign Sky was founded to address. We help European telecommunications providers, MVNOs, and enterprises navigate the journey from hyperscaler dependency to genuine digital sovereignty.

Dependency Assessment

We begin by quantifying your actual exposure using the European Commission's Cloud Sovereignty Framework. Our assessment evaluates five critical dimensions:

• Data sovereignty and jurisdiction risks under GDPR, NIS2, and sector regulations

• Operational autonomy and your ability to maintain services without hyperscaler dependency

• Software and technology independence from proprietary lock-in

• Supply chain sovereignty across your entire technology stack

• Regulatory compliance gaps that auditors and supervisors will identify

This creates a clear baseline and business case for action.

Migration Architecture & Strategy

We design pragmatic migration paths that balance sovereignty goals with business continuity and budget realities. This includes:

• European sovereign cloud providers like OVHcloud, Scaleway, and IONOS that offer GDPR-native infrastructure outside US jurisdiction

• Multi-cloud architectures that reduce concentration risk and maintain competitive leverage

• Hybrid approaches that migrate sensitive workloads first whilst maintaining controlled hyperscaler usage where appropriate

• Open-source technology stacks that eliminate proprietary vendor lock-in

Our approach prioritises quick wins and regulatory risk reduction whilst building toward comprehensive digital autonomy.

Governance & Ongoing Compliance

Digital sovereignty isn't a one-time project—it's an ongoing operational posture. We establish governance frameworks that ensure:

• Continuous compliance monitoring against NIS2, DORA, CER, and sector-specific requirements

• Vendor risk management processes that identify and mitigate emerging dependencies

• Architectural guardrails preventing re-introduction of sovereignty risks

• Skills development programmes building European cloud expertise across your teams

Take Action Before Regulators Force Your Hand

The ICC's Microsoft 365 exodus demonstrates that digital sovereignty risks are real, material, and increasingly impossible for European organisations to ignore. Regulators are tightening requirements, and organisations that proactively address hyperscaler dependencies will be better positioned than those forced to react under pressure.

Sovereign Sky brings deep expertise in cloud economics, telecommunications infrastructure, and European regulatory frameworks. We've helped organisations navigate similar challenges at global scale, and we understand both the technical complexity and business imperatives driving digital sovereignty decisions.

Ready to assess your organisation's cloud sovereignty position? Contact Sovereign Sky today for a confidential consultation on your path to digital autonomy.

Sovereign Sky is a European digital sovereignty consultancy helping telecommunications providers and enterprises navigate cloud compliance, reduce hyperscaler dependency, and achieve genuine digital autonomy under NIS2, DORA, and CER.