Microsoft's Denmark East region launches in the first half of 2026, with Denmark West — facilities in Esbjerg and Varde — announced in December 2025. Between 2023 and 2027, Microsoft is investing $3 billion in datacenter capacity on Danish soil. Brad Smith called it an investment that would "strengthen Europe's digital sovereignty."
The performance, residency, and sustainability benefits are real. For many Danish organisations, this is good news. But the sovereignty framing deserves scrutiny — because residency and sovereignty mean very different things.
Residency vs. Sovereignty
Data residency is about geography: where does data physically sit? When Denmark East goes live, tenants who select that region will store data at rest in Denmark. That is a real capability.
Data sovereignty is about jurisdiction: who can legally compel access to that data? Every authoritative definition — including Microsoft's own documentation — is consistent: data sovereignty means data is subject to the laws of the nation where it resides, and that nation holds authority over access, processing, and disclosure.
One partner whitepaper recently redefined data sovereignty as "responsibility" and "making informed decisions you can stand behind in front of your board, citizens, customers, and authorities." That is good governance. It is not data sovereignty. When a vendor redefines sovereignty as accountability rather than jurisdictional control, they are sidestepping the one question that matters: which government can legally compel access to your data, and can you stop them?
The Jurisdictional Reality
Microsoft is a US corporation. Two pieces of US legislation follow that fact regardless of where the servers sit. The CLOUD Act (2018) authorises US authorities to compel US companies to produce data stored anywhere in the world. FISA Section 702 authorises surveillance of non-US persons through US companies, irrespective of server location — and its scope was expanded in April 2024 with a broader definition of "electronic communication service provider."
On June 10, 2025, Microsoft France's legal director Anton Carniaux testified under oath before the French Senate. Asked whether he could guarantee that EU-stored data would not be disclosed to US authorities, he answered: "Non, je ne peux pas le garantir" — no, I cannot guarantee that.
The EU and US have tried three times to create a stable legal basis for transatlantic data transfers. Safe Harbor fell in 2015. Privacy Shield in 2020. The current Data Privacy Framework rests on an executive order that any president can modify — and in January 2025, the Trump administration removed three of five Privacy and Civil Liberties Oversight Board members, breaking a key DPF safeguard mechanism.
None of this makes Microsoft illegal or unusable. The DPF is in force. The EU Data Boundary is genuine engineering. For many organisations, Microsoft 365 remains a practical and lawful choice. But EU datacenter does not equal EU data sovereignty.
Who Should Celebrate — and Who Should Be Cautious
The value of Danish datacenters depends entirely on your regulatory context and data sensitivity.
| Highly Regulated | Regulated | Standard Commercial | |
|---|---|---|---|
| Examples | Defence, critical infrastructure, healthcare, core banking, government | Pharma (GxP), legal, education, energy, insurance | Professional services, retail, media, general enterprise |
| Latency benefit | Significant — real-time systems, AI workloads | Moderate — integration-heavy environments | Low to moderate |
| Residency benefit | High — meets localisation mandates | High — simplifies compliance | Moderate — reduces audit complexity |
| Sovereignty gap | Critical — CLOUD Act exposure may be disqualifying. Evaluate sovereign alternatives or customer-managed encryption. | Significant — requires documented risk acceptance. DPIA must address US jurisdictional access. | Manageable — DPF provides current legal basis. Monitor stability. |
| Verdict | Do not treat residency as sovereignty. Evaluate EU-owned alternatives for sensitive workloads. | Use Danish datacenters for general workloads. Classify sensitive data separately. | Celebrate. Lower latency, simpler compliance, better sustainability. Adopt them. |
The problem is not the datacenters. The problem is when marketing leads highly regulated organisations to believe that residency solves sovereignty. It does not. The consequences of that misunderstanding land on the organisation, not the vendor.
The Danish Contradiction
In June 2025, Denmark's Minister for Digitalisation Caroline Stage Olsen announced the Ministry would migrate from Microsoft Office 365 to LibreOffice, citing sovereignty concerns. Copenhagen and Aarhus are pursuing similar paths. Six months later, Microsoft announced its largest-ever Danish investment.
The Danish government understands that physical presence does not resolve jurisdictional control. That is why they are diversifying away from Microsoft for sensitive workloads while welcoming the infrastructure investment. That posture — adopt the datacenters, reject the sovereignty narrative — is exactly right.
What Would Real Sovereignty Require?
Microsoft is not ignoring the problem. The EU Data Boundary, confidential computing, and customer-managed encryption keys represent genuine effort to reduce practical risk. But none resolve the structural issue.
Customer-managed keys sound definitive — if you hold the keys, Microsoft cannot read the data. But anyone who has set up BitLocker with a Microsoft account has seen their recovery key silently uploaded to Microsoft's cloud. That is key escrow, not customer-managed encryption. Even with keys in external hardware security modules, the platform operator processes decrypted data in memory during use. A CLOUD Act order does not ask for your encryption keys. It compels Microsoft — as the infrastructure operator — to cooperate in producing data. If Microsoft has administrative access to the environment, that obligation can be fulfilled regardless of where your keys sit.
Confidential computing with trusted execution environments is designed to close that last gap. But you still trust the silicon vendor, the attestation chain, and the operator's implementation. These are meaningful mitigations. They are not sovereignty.
The only path to genuine sovereignty using Microsoft technology is to separate the operating entity from the US corporate parent. France understood this. In 2021, Orange and Capgemini created Bleu — a legally independent French company, majority-owned by French entities, operating datacenters physically isolated from Microsoft's global infrastructure, staffed entirely by French employees. Bleu licenses Microsoft technology but is not a Microsoft subsidiary. It is not subject to the CLOUD Act because it is not a US company.
For Microsoft to deliver real sovereignty in Europe, it would need to let go — help establish legally independent EU entities that license its technology but operate without a US parent in the chain of command. Microsoft could retain minority ownership. But the operating entity must be European-owned, European-governed, and European-operated. The jurisdictional chain must be severed, not mitigated.
No US hyperscaler has done this at scale. The Bleu model comes with real tradeoffs: narrower services, slower feature rollout, higher cost. But it is the only model that addresses the actual problem. That or get rid of the US Cloud Act.
What to Do Now
If you are evaluating Microsoft's Danish datacenters, start with three things. First, distinguish residency from sovereignty in your DPIA — explicitly address CLOUD Act and FISA 702 exposure, even if the risk is acceptable for your data classification. Second, classify data by sensitivity: general business data on Danish infrastructure is a straightforward win; patient records, classified data, or core banking systems require a harder conversation. Third, watch the DPF — if Schrems III materialises, the legal basis for US cloud providers processing EU data could be invalidated for the third time.
The Danish datacenters are a genuine improvement. For most organisations, they are worth adopting. They are not a sovereignty solution. And until someone builds a Danish Bleu — a legally independent, EU-governed entity operating Microsoft technology without a US parent in the chain — they never will be.
