Microsoft’s blocking of ICC emails raises new questions about data sovereignty in the EU

When Microsoft recently shut down email accounts belonging to the International Criminal Court (ICC) due to US sanctions, serious questions were once again raised about Europe’s dependence on US cloud services. According to Computer Weekly, the shutdown was carried out as a direct result of US sanctions against ICC Chief Prosecutor Karim Khan, linked to the court’s ongoing investigations into senior Israeli politicians, which can be interpreted as an attempt to exert political influence through control over digital infrastructure.

Digital infrastructure as a geopolitical tool

This clearly shows that control over data is no longer just a technical or regulatory issue – but also a geopolitical one. The incident underscores the risks previously highlighted in the February article, which pointed out how sensitive information risks falling under the control of foreign powers when stored in cloud services governed by US jurisdiction.

Tech giants in political crossfire

But it doesn’t stop there. When US-based private tech giants are forced, or even given the option, to shut down companies, organizations or individuals based on political, legal or strategic disagreements, a dangerous door opens. For example, what happens if a US company disagrees with a European regulatory decision – or a court ruling? Then European actors, authorities and companies may also find themselves in the firing line.

US law governs global infrastructure

In practice, this means that the US administration can exert pressure by using the country’s technological infrastructure as a political tool – even when it is owned and operated by private actors that operate globally and have significant revenues from Europe. Technology companies such as Microsoft often find themselves in a legal and political tension, where – regardless of their own intentions – they are forced to act in accordance with US law and government orders.

Digital sanctions and parallels to economic pressure

It is not difficult to see parallels to the ongoing tariff war, where economic and technological means are strategically used to shape the behavior of other countries in line with US interests. When digital infrastructure becomes a tool for foreign policy objectives rather than a neutral tool for communication and storage, it turns into a pawn in a larger geopolitical game – with potentially serious consequences for European sovereignty.

The EU’s double standards in the name of digital freedoms

At the same time, we must also cast a critical eye on the EU’s own handling of digital freedoms. Proposals like the so-called Chat Control, where messaging services are forced to review private conversations for law enforcement purposes, show that even within the EU, the line between security, political control and privacy is far from clear. When political objectives are prioritized over the individual’s right to privacy, trust in the European model is undermined. It therefore becomes crucial that the discussion on data sovereignty is not only about external influence, but also about securing freedoms from within.

Organizations must act – data sovereignty as a foundation

For organizations in the EU – especially in the public sector, justice and critical infrastructure – it is now crucial to re-evaluate their cloud strategies in light of GDPR, DORA and NIS2.

Data sovereignty is no longer optional – it is a prerequisite for long-term digital security. How do you view data sovereignty in your organization?

Kim Haverblad is a senior information security strategist and co-founder of Njordium, with over 20 years of experience in GRC and regulatory compliance in the EU and US.