Effective February 26, 2025, Microsoft has completed the EU Data Boundary for the Microsoft Cloud, offering enhanced data residency and transparency for European customers. This allows you to store and process your customer data and pseudonymized personal data for Microsoft core cloud services within the EU and European Free Trade Association (EFTA) regions. In this last phase, Phase 3, now also storage of professional services data is handled within the EU and EFTA. Let’s explore EU Data Boundary and Microsoft’s solutions addressing European regulatory requirements, and answer your most commonly asked questions.
What is the Microsoft EU Data Boundary?
The Microsoft EU Data Boundary is a solution that stores and processes public sector and commercial customer data within the EU and European Free Trade Association (EFTA) regions. This includes data for Microsoft 365, Dynamics 365, Power Platform, and most Azure services. Additionally, professional services data from technical support interactions for these core cloud services will also be stored within these regions. The implementation of EU Data Boundary happened in three (3) phases and is now complete.
Phases of EU Data Boundary
Phase 1: Customer Data
Phase 1 of the EU Data Boundary initiative began on January 1, 2023. During this phase, Microsoft enabled the storage and processing of customer data for core services, including most of the Microsoft Cloud suite of online services: Microsoft 365, Dynamics 365, Power Platform, and Azure. This phase built upon previous local storage commitments and significantly reduced data outflows from the EU and EFTA regions. Microsoft also introduced the EU Data Boundary Trust Center Page, which offers comprehensive documentation. It details the initiative’s commitments, data flows, and any limited transfers of customer data outside the region required for maintaining service security, functionality, and reliability.
Phase 2: Pseudonymized Personal Data
Phase 2, launched in January 2024, expanded the scope of the EU Data Boundary to include pseudonymized personal data. This category of data, produced during service operations, is now also retained within the EU and EFTA regions under the revised guidelines. Pseudonymized personal data refers to data where the identity of the individual is not apparent without additional information. By keeping this data within the EU and EFTA territories, Microsoft aims to enhance data protection and privacy for its customers. Detailed updated documentation was provided to help customers understand data transfers, including any limited transfers necessary for maintaining service excellence and security.
Phase 3: Professional Services Data
Phase 3, completed in February 2025, ensures that when customers in the EU and EFTA request technical support for services such as Microsoft 365, Power Platform, and Dynamics 365, the professional services data provided by customers (such as logs) and generated by Microsoft (such as support case notes) are now stored within the EU and EFTA regions. For certain Azure services, additional customer action may be required to obtain the professional services data storage commitment.
Microsoft solutions with focus on Europe
Microsoft has been heavily investing in Europe-focused solutions with significant investments in AI and cloud infrastructure to support local options and meet growing demand.
Here are some key solutions tailored for European customers:
- 17+ Local Data Centers: Microsoft has established data centers in multiple European countries, including Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Netherlands, Norway, Poland, Spain, Sweden, and Switzerland.
- Microsoft EU Data Boundary: Customer data, pseudonymized personal data and professional services data is being stored and processed locally.
- Microsoft 365 Advanced Data Residency: Provides more granular controls over the location of Microsoft 365 customer data, ensuring compliance with European data residency requirements.
- Microsoft Cloud for Sovereignty: Enables specific public sector customers to build and digitally transform Azure workloads while meeting sovereignty, compliance, security, and policy requirements.
- European Cloud Principles: Microsoft continually innovates to meet customer needs and lead in transparency and accountability through its European Cloud Principles.
These efforts reflect Microsoft’s ongoing focus on supporting Europe’s innovation, growth, and technology needs as the region moves into an increasingly digital future.
FAQ:
What is included as part of the EU Data Boundary for Microsoft services as of January 1, 2023?
On January 1, 2023, Microsoft launched Phase 1 of the EU Data Boundary initiative. This phase focused on increasing the local storage and processing of Customer Data within the European Union (EU) and European Free Trade Association (EFTA) regions. Core services like Azure, Microsoft 365, Dynamics 365, and Power Platform were part of this rollout, ensuring that Customer Data generated from these services remained primarily within Europe. However, limited continuing transfers of Customer Data may still occur to ensure that customers benefit from the full scope of hyperscale cloud computing. This includes instances where maintaining performance or security requires minimal data transfers outside the EU. Microsoft has documented these transfers in its Data Protection Addendum (DPA) and Product Terms, ensuring transparency for all customers. The full list of services and specific transfer scenarios can be found on the EU Data Boundary Trust Center.
Why is the EU Data Boundary necessary if I am already using Microsoft Online Services in compliance with EU regulations?
While Microsoft Online Services already comply with EU regulations, including GDPR, the EU Data Boundary introduces a more robust, localized approach to data residency, ensuring that Customer Data remains within the EU/EFTA regions. By limiting cross-border data transfers, the EU Data Boundary makes it easier for customers to comply with local laws that may demand more stringent data protection standards. The initiative also simplifies the process of conducting Transfer Impact Assessments (TIAs), reducing the number of potential transfer scenarios that need to be assessed. Additionally, Microsoft’s enhanced transparency documentation allows customers to understand exactly how and why data transfers occur, streamlining compliance and minimizing administrative efforts.
How can I configure Microsoft services to use the EU Data Boundary?
Each of Microsoft’s core cloud services—Azure, Microsoft 365, Dynamics 365, and Power Platform—has specific technical configurations to align with the EU Data Boundary. To use the EU Data Boundary version of these services, customers must follow the service-specific configuration requirements outlined in the Product Terms and supporting documentation. To store Professional Services Data in the EU Data Boundary for Azure, customers must configure Azure Resource Manager to the EU Data Boundary as described in the EU Data Boundary Transparency Documentation. These resources provide clear, detailed instructions on how to set up services within the EU/EFTA regions, ensuring that personal data remains fully compliant with local residency requirements.
Will there be any loss of functionality within the EU Data Boundary compared to standard cloud services?
No. The EU Data Boundary does not reduce or change the functionality of Microsoft’s cloud services. Whether operating within or outside of the EU Data Boundary, customers will receive the same high-quality, secure services with all the features and performance they expect from Microsoft 365, Azure, Dynamics 365, and Power Platform. The EU Data Boundary is a data residency enhancement, ensuring that customer data is stored and processed within the EU/EFTA regions without sacrificing functionality, performance, or cloud scalability.
Does using the EU Data Boundary version of services come with additional costs?
No, Microsoft does not charge any additional fees for the use of EU Data Boundary services. Customers can use services that comply with EU data residency requirements without any price increases, ensuring cost efficiency while benefiting from enhanced data protection and compliance.
Where can I find documentation on the ongoing transfers of data outside the EU?
Microsoft is committed to transparency regarding any ongoing data transfers that occur outside the EU as part of the EU Data Boundary. Customers can access detailed data flow documentation on the EU Data Boundary Trust Center. This includes information on the scenarios in which limited data transfers may still be necessary, along with comprehensive descriptions of how such transfers are managed to ensure security and compliance.
What is the relationship between the EU Data Boundary, Microsoft Cloud for Sovereignty, and Advanced Data Residency?
These solutions address different aspects of data protection and regulatory compliance:
- EU Data Boundary: Focuses on ensuring that Customer Data remains within the EU/EFTA regions for key services, reducing cross-border transfers and providing localized compliance.
- Microsoft Cloud for Sovereignty: Designed for public sector customers, this solution enables greater control over data governance and compliance processes, while still leveraging the full power of Microsoft’s cloud offerings.
- Advanced Data Residency: Offers more granular control over the location of Microsoft 365 data, ensuring that customer data at rest is stored within specific geographies, including the EU.
How does Microsoft handle security data that may be transferred outside the EU?
While the EU Data Boundary keeps the majority of personal data within the EU/EFTA, certain limited data transfers may be necessary for global security operations. This data is used to enhance threat detection, investigation, remediation, and prevention across all regions. To protect this data, Microsoft uses protections such as encryption, pseudonymization, and strict access controls, ensuring that only authorized security personnel access it. The global threat intelligence gained from these transfers is crucial for detecting and mitigating cyberattacks.
How does cross-boundary data analysis comply with data protection regulations?
Microsoft’s cross-boundary data analysis complies fully with GDPR (Article 32) and the EU Charter of Fundamental Rights (Article 6). When limited data transfers occur outside the EU for security or threat detection, they are carried out with strict pseudonymization, encryption, and access controls to ensure compliance with EU regulations. For more details, see the Microsoft GDPR Resource Center.
Can customers opt out of having their data transferred outside the EU for security analysis?
No, customers cannot opt out of limited and necessary data transfers for global cybersecurity purposes. These transfers are crucial for maintaining a robust, global security posture that protects against sophisticated cyberattacks. However, Microsoft employs stringent security controls and contractual commitments to ensure that customer data is always handled with the highest level of protection and transparency.
What are the next steps for the EU Data Boundary after Phase 3?
With Phase 3 now complete, Microsoft will continue to assess customer needs and regulatory developments. Future enhancements may include additional controls and capabilities to ensure ongoing compliance with evolving regulations. The EU Data Boundary Trust Center will remain the central resource for updates, ensuring that customers are informed about any changes or new features introduced post-Phase 3.
More Information:
Microsoft EU Data Boundary product page: https://www.microsoft.com/en-us/trust-center/privacy/european-data-boundary-eudb.
Microsoft EU Data Boundary documentation: https://learn.microsoft.com/en-us/privacy/eudb/eu-data-boundary-learn.
Contact SCHNEIDER IT MANAGEMENT for consultancy on Microsoft licensing and to request a quote for Microsoft licenses.