The Great Divorce 

How European governments stopped trusting American software (and what took them so long) 

Part 1 of 3 

On a morning in April 2024, civil servants in the northern German state of Schleswig-Holstein arrived at their desks to find something unusual: Word, Excel, Outlook and Teams were gone. In their place sat LibreOffice, Open-Xchange and Thunderbird. The state had made a decision, cross-party and deliberate, to become the first government in Europe to fully exit the Microsoft ecosystem. Sixty thousand public servants and thirty thousand teachers would, over the following months, learn to work without the tools that had defined office life for a generation.¹ 

The move carried unmistakable political weight. Across Europe, others were watching. 

A continent reassesses 

In the summer of 2025, Denmark's Ministry of Digital Affairs announced a similar transition, replacing Microsoft Office 365 with LibreOffice across its entire staff. The Danish digital minister, Caroline Stage Olsen, put it plainly: "We must never make ourselves so dependent on so few that we can no longer act freely."²  

In Switzerland, privatim, the conference of all Swiss cantonal data protection commissioners, issued a formal resolution in November 2025 declaring that the outsourcing of sensitive personal data to international cloud providers is, in most cases, unlawful for public bodies, and told them to avoid American cloud services for data covered by professional secrecy, including medical records, tax data, legal files and social services information.³ The commissioners concluded that sovereignty over data cannot be achieved through server location alone: what matters is who controls the infrastructure and holds the encryption keys. The Swiss federal government went further still, launching the Swiss Government Cloud project, a CHF 319 million initiative running from 2025 to 2032, designed to build sovereign infrastructure at the federal level.⁴  

France has moved in stages, from legislation to operational planning. The SREN law already mandates that sensitive government data migrate to cloud providers certified under SecNumCloud, a standard that structurally excludes providers exposed to extraterritorial legislation like the CLOUD Act.⁵ On April 8, 2026, the French digital agency DINUM convened an interministerial seminar at which concrete timelines were set for replacing foreign IT systems across all ministries. DINUM announced it would replace Windows with Linux on its own workstations, while the national health insurer Caisse nationale d'Assurance maladie is transitioning its roughly 80,000 employees to state-operated tools: the Tchap messenger, Visio for video conferencing, and FranceTransfert for file sharing. Each ministry, including subordinate agencies, must submit its own migration roadmap by autumn 2026, covering operating systems, collaboration tools, AI systems and network infrastructure. Budget Minister David Amiel framed the ambition plainly: "The state can no longer be content with acknowledging its dependence. It must overcome it."5 

In Berlin, the Bundestag itself is rethinking its digital architecture. A cross-party commission led by Vice President of the German Bundestag Andrea Lindholz (CSU) is working through the implications of a parliament running on Microsoft 365 across more than ten thousand workstations. The commission is due to present its full digital strategy in May 2026. As Grünen-Abgeordnete Anna Lührmann framed it: the working capacity of the German parliament should not depend entirely on the infrastructure of a handful of foreign corporations.⁶ 

The risk made visible 

The concern driving all of these decisions can seem abstract, until it isn't. The International Criminal Court found out what it looks like in practice. In February 2025, the Trump administration imposed sanctions on ICC officials, targeting the court's efforts to prosecute Israeli Prime Minister Benjamin Netanyahu for alleged war crimes in Gaza. Reports then emerged that Karim Khan, the ICC's chief prosecutor, had lost access to his Microsoft Outlook account as a result. Those reports, and what they implied, unleashed an international outcry: the possibility that an American technology provider had, at Washington's behest, cut off an international court's chief prosecutor from his own institutional infrastructure.7 

Three months later, in August 2025, the same logic reached further still. Judge Nicolas Guillou, a French magistrate sitting on the ICC's Pre-Trial Chamber, was placed on the US sanctions list for his role in authorizing arrest warrants against Israeli Prime Minister Benjamin Netanyahu. Within days, his Visa card stopped working. His accounts with Amazon, Airbnb and PayPal were closed. A hotel booking made through Expedia was cancelled by email, citing the sanctions. A judge of an international court, sitting in The Hague, exercising a mandate conferred on him by 125 member states, had been rendered a digital pariah, not by any European authority, but by a decision in Washington relayed through American technology and payment companies. Guillou described his situation to Le Monde as a form of "civil death." He warned European officials in Brussels that the same fate could befall any of them.8 The ICC subsequently announced it would replace Microsoft 365 with openDesk, a European open-source suite assembled by the German state-owned firm Zendis.9 

The legal foundation 

What connects all of these decisions is a single, uncomfortable question that European institutions have been avoiding, with some success, since the entry into force of the Clarifying Lawful Overseas Use of Data Act (better known as the CLOUD Act) in March 2018: what does it actually mean to store, transmit, or process your data through an American company's infrastructure? 

Under the CLOUD Act, US authorities can, given certain conditions (which Part 2 of this series examines in detail), compel whichever American company controls your cloud infrastructure to hand over your data. Not the data stored in their American offices. Not data generated by American users. Your data, whether it sits on a server in Frankfurt, travels through a data center in Dublin during a video call, or is processed in real time by a cloud-based application in Paris, because the company that controls the infrastructure has its headquarters in the US. Storage is only part of the story. Every document that transits through a US-controlled system, every query sent to a cloud application, passes through infrastructure subject to the same legal compulsion. The point is worth sitting with: when we turn to AI tools in the concluding piece of this series, it will be at the heart of the argument. 

Seven years of looking away 

The CLOUD Act is eight years old. The Schrems II ruling, which invalidated the EU-US Privacy Shield on the basis that US surveillance law was incompatible with European data protection standards, is five years old. But while the legal risk has not changed, the political tolerance for ignoring it has collapsed. Its implications were not unknown: they had been aired in academic papers and data protection conferences for years. What was missing was not analysis but urgency. 

A major catalyst was the return of Donald Trump to the White House in January 2025. What followed was a shift in the geopolitical climate so abrupt that risks which had seemed theoretical suddenly felt immediate. The ICC case was an early illustration. In Germany, the Federal Ministry of the Interior commissioned scholars at the University of Cologne to put the legal question on the record. Their unambiguous opinion, published in December 2025 after a Freedom of Information request, concluded that US authorities could access cloud data stored in Europe.10 The German Ministry of the Interior, for its part, adjusted its classified information rules immediately upon receiving the Cologne opinion, acknowledging in effect that classified materials cannot be processed on US-controlled infrastructure. 11 

“No, I cannot guarantee that.” 

And in June 2025, before a French Senate inquiry into public procurement and digital sovereignty, Anton Carniaux,  at the time Associate General Counsel at Microsoft France, was asked under oath whether he could guarantee that French citizens' data stored on Microsoft's European servers would never be transmitted to US authorities without the consent of the French government. His answer was precise and, for many, devastating: "No, I cannot guarantee that."12 

A sentence that European policymakers had always known to be true was now on the record. Spoken under oath, by the company itself. 

Divorce is messy – and this one is just beginning 

Several paths forward have been proposed: sovereign European cloud providers, joint ventures between US hyperscalers and European partners, customer-controlled encryption, and SecNumCloud-certified alternatives. The question of whether any of these actually resolves the underlying legal exposure, rather than repackaging it, is where Part 2 of this series begins. 

The divorce is underway. Whether it can be completed is another matter. 

What is certain is that Washington has noticed. On February 18, 2026, a State Department cable signed by Secretary of State Marco Rubio instructed American diplomats across the world to actively lobby against data sovereignty laws, framing them as threats to AI services, global data flows and civil liberties. Diplomats were ordered to track proposals that could limit cross-border data flows and to counter regulations deemed excessive. The GDPR was cited by name as an example of an "unnecessarily burdensome" rule. 13 

European governments moving away from American cloud infrastructure, it turns out, are not simply making an IT procurement decision. They are participants in a geopolitical confrontation, whether they intend to be or not. The next months will tell us how far each side is prepared to go. The saga has barely begun. 

Part 2 of this series examines the legal mechanics of the CLOUD Act and FISA Section 702, the fiction of "sovereign cloud" branding, and what the German government's own legal opinion concluded about the limits of technical solutions. 

Footnotes 

1. Schleswig-Holstein began its transition in April 2024, deploying LibreOffice across 30,000 workstations with a target of 70% Microsoft Office removal by October 2025 and full migration to Open-Xchange for email. See: "German State Schleswig-Holstein Ditches Microsoft for Open Source Software in 2025," Eagle Eye Technology, September 2025; EuroStack Directory Project, "Schleswig-Holstein's Bold Open Source Leap," March 2025. 

   
   

2. Denmark's Ministry of Digital Affairs announced its transition in summer 2025, with half the staff migrating by August and full implementation by autumn. Quote from Danish digital minister Caroline Stage Olsen, originally published in Danish on her LinkedIn page, June 2025. Translated from Danish; reported in multiple outlets, including "A Search for Digital Sovereignty: EU Governments Shift from Microsoft to Linux & LibreOffice," 2-data.com, and The Document Foundation Blog, July 8, 2025. 

   
   

3. privatim, "Resolution zur Auslagerung von Datenbearbeitungen in die Cloud," adopted November 18, 2025, published November 24, 2025. Privatim is the conference of all Swiss cantonal data protection commissioners. Full text available at privatim.ch. Note that the Canton of Glarus did not sign the resolution. 

   
   

4. Swiss Government Cloud (SGC) project details, Federal Office of Information Technology (FOITT). Total cost CHF 319.4 million, running from 2025 to 2032. See: bit.admin.ch/en/sgc-en. 

   
   

5. France's SREN law (loi visant à sécuriser et réguler l'espace numérique) and its SecNumCloud certification requirements. Analysis in "European Digital Sovereignty at Risk: Microsoft's Senate Testimony," Windows Forum, July 2025. Interministerial seminar of April 8, 2026: Moritz Förster, "Frankreichs Plan: Weg von Windows, hin zu Linux," heise online, April 10, 2026. Primary source: Direction interministérielle du numérique (DINUM), numerique.gouv.fr. 

   
   

6. "Operation Souveränität: Bundestag plant Befreiungsschlag von Microsoft & Co.," heise online / Table.Media, February 2, 2026. Quote from Anna Lührmann (Grüne) cited therein. 

   
   

7. Whether Microsoft cut Khan's access in response to US sanctions pressure or whether the ICC preemptively disabled the account to protect Microsoft from sanctions liability remains disputed. Microsoft denied having suspended services, and later asked the UK Parliament to correct testimony on the matter as containing an inaccuracy. The Register, 18 February 2026: https://www.theregister.com/2026/02/18/microsoft_asks_uk_parliament_to_correct_record 

   
   

8. See: "US Sanctions Turn ICC Judge's Daily Life into a Nightmare," Euronews, February 18, 2026; Nicolas Guillou interview with Le Monde, reported by Nordic Times, December 2025; Verfassungsblog, "The Sanctioning of Law," December 2025. President Macron formally requested that Trump lift the sanctions in a letter reported by Anadolu Agency, Politico, and La Tribune Dimanche, February 2026. 

   
   

9. "International Criminal Court Drops Microsoft 365 for European Open-Source Suite Amid Geopolitical Fears," WinBuzzer, November 6, 2025. 

   
   

10. Legal opinion prepared by the University of Cologne on behalf of the German Federal Ministry of the Interior (Bundesinnenministerium), published via Freedom of Information request, December 2025. Reported in "Gutachten: US-Behörden können auf europäische Cloud-Daten zugreifen," multiple outlets including heise online and Tagesspiegel Background, December 10-11, 2025. 

    
    

11. Benjamin Stiebel, "BMI passt wegen Cloud-Gutachten Geheimschutzregeln an," Tagesspiegel Background, 11. Dezember 2025. https://background.tagesspiegel.de/it-und-cybersicherheit/briefing/bmi-passt-wegen-cloud-gutachten-geheimschutzregeln-an 

    
    

12. Testimony of Anton Carniaux, Director of Public and Legal Affairs, Microsoft France, before the French Senate inquiry on public procurement and digital sovereignty, June 10, 2025. Transcript available at senat.fr. Reported in "Not Sovereign: Microsoft Cannot Guarantee the Security of EU Data," heise online, July 2025; "Microsoft Admits It Cannot Guarantee EU Cloud Data Sovereignty from US Government," WinBuzzer, July 25, 2025. 

    
    

13. State Department cable dated February 18, 2026, signed by Secretary of State Marco Rubio, reported by Reuters: "Exclusive: US Orders Diplomats to Fight Data Sovereignty Initiatives," February 25, 2026. Also reported by TechCrunch and the Japan Times the same day.