What happens in Europe does not stay in Europe – Microsoft cannot guarantee that data from European customers will not be passed on to the US government. There is a great deal of unrest and uncertainty: will it not only be data that is transferred, but will cloud services even be shut down if the transatlantic partnership becomes further strained? Europe is alarmed—and is pushing ahead with digital sovereignty on a massive scale.
Paris, June 2025
The chief legal officer of Microsoft France had to admit in a public hearing before the French Senate that European citizens' data was not protected against disclosure to the US government (source: sdxcentral.com). He added that this had never happened before. Microsoft could only refuse requests for information from the US if they were formally unfounded. Accordingly, Microsoft would check the validity of all requests very carefully.
Background: Like all US companies, Microsoft is required by the CLOUD Act to disclose data to US authorities.
Karim Khan, chief prosecutor of the International Criminal Court, suddenly no longer has access to his emails. Coincidence?
Or a consequence of the sanctions imposed on the court by US President Donald Trump (source: AP News)?
The cause is unclear, but the incident may have set the ball rolling. Shortly afterwards, the International Criminal Court announced that it would be switching from Microsoft Office to a German open-source alternative.
The Hague, November 2025
Digital sovereignty begins where organisations are most vulnerable: in communication.
Anyone who wants to communicate in compliance with the GDPR today needs more than "EU hosting" or marketing promises—they need a secure communication platform that allows control over contact, connection, and metadata and is not dependent on foreign jurisdiction or geopolitical tensions.
”Microsoft's security promises are built on sand.“
”We cannot take the risk of exposing our scientific exchanges, sensitive data, and strategic innovations to non-European actors.“
Europe is no longer just talking about digital sovereignty.
The debate surrounding digital sovereignty is no longer purely theoretical. European capitals are engaged in intense discussions about how government institutions and public bodies can make their digital infrastructure more independent. The goal is clear: to reduce dependence on non-European cloud and platform providers and to strengthen control over critical communication processes.
It is tacing action.
- Denmark is discontinuing Windows and Office.
- France has already migrated 550,000 workstations in school administration to open source software.
- Italy is beginning to convert its military to open source.
- Austria has already completed this process.
- Germany intends to review the entire digital ecosystem of the Bundestag.
For public authorities, local governments, and regulated industries in particular, the question arises as to how GDPR-compliant communication, data residency, and actual data sovereignty can be combined.
After all, storing data in Europe alone does not guarantee digital sovereignty.
The decisive factor is who has technical and legal access to communication, connection, and metadata—and which jurisdiction the provider is subject to.
Digital sovereignty means more than just a hosting location in Europe:
- Control over your own communications infrastructure
- Avoiding dependencies (vendor lock-in)
- Transparency regarding data flows and metadata
- Compliance with regulatory requirements such as GDPR
For organisations, this makes one thing clear:
to remain operational in the long term, they need a sovereign communication solution that equally addresses technical, legal, and geopolitical considerations.
”We must move faster, smarter and more European in digital innovation […] and set our own standards in key areas of digital regulation.“
Indipendent communication solution made in Germany
100% data sovereignty with XPhone Connect
XPhone provides a unified communications solution that gives organisations true digital independence. As a sovereign communications platform "made in Germany," XPhone is subject exclusively to European data protection law—without any dependence on non-European jurisdictions or exposure to extraterritorial access.
Unlike purely cloud-based models, you decide on the operating model yourself: on-premises in your own data center or in a controlled private cloud. This ensures full data sovereignty over communication, connection, and metadata—including presence information and call detail records.
With XPhone, organisations shape their digital communication strategy independently, resiliently, and future-proof—without forced cloud adoption and without compromising on security or integration capabilities.
Discover GDPR-compliant UC software made in Germany:
TECHNOLOGICALLY INDEPENDENT COMMUNICATION WITH XPHONE
RETAIN TECHNICAL AND ORGANISATIONAL CONTROL
No vendor lock-in
Any SIP trunks, session border controllers, hardware, and end devices can be used and easily replaced.
Identity & directory sovereignty
XPhone works directly with the customer's own Active Directory. Identity data (who works where, in which department, and with which phone number) does not leave the company.
No leakage of telemetry and metadata
What happens in XPhone stays in XPhone or on the company server.
Self-determined use of AI
Customers decide for themselves on providers, data flows, and the limits of AI functions.
Software made in Europe
XPhone is subject exclusively to European legislation, for example the GDPR. Extraterritorial laws such as the CLOUD Act or international sanctions have no impact on the availability of the software or on data protection and data security.
Cryptographic self-determination
With XPhone, customers control their own PKI (public key infrastructure) and certificate chain. TLS certificates, mTLS for SIP federation, and SRTP keys are in the hands of the operator. This means no external key escrow and no cloud provider with theoretical access to decryption.
Knowing more costs nothing – get advice with no obligation:
Secure operating model
Through on-premises installation or hosting in a private cloud, communication and contact data remain on the company server and thus under your own control.
Licensing policy sovereignty
Customers can use the licensed version of XPhone for an unlimited period of time—even without active maintenance. Licensing is transparent, and the scope of functions is contractually fixed.
Sovereignty over protocols & interfaces
XPhone relies on open, standardised protocols (SIP, WebRTC, REST APIs). This enables secure communication in the long term, prevents vendor lock-in, and ensures transparent data flows.
Update and patch sovereignty
The customer decides when and whether updates are installed.
“Thanks to the one-number concept, you can always be reached at your office extension and only make external calls from this number. The fact that the call is coming from a city extension is like a golden key card. If our employees call a federal agency using their private number, for example, they simply won't get any information.”
450
government agencies and public institutions already rely on XPhone.
55.000
employees in public institutions work in compliance with the GDPR using XPhone.
1 MILLION LICENSES
are used worldwide by authorities and companies in every industry.
FAQ: Digital sovereignty with XPhone
Digital sovereignty, data sovereignty, data security, data protection—what is the difference?
Data protection focuses on the collection and use of personal data: Who has access to it? How is the data processed? It is not directly concerned with the actual protection of data—that is the subject of data security: How is it stored?
Since not all data is personal, data sovereignty refers to the entirety of the data generated by an individual, a company, or a public institution—in particular, control over this data. Around 400 million terabytes are generated worldwide every day, including 720,000 hours of video material on YouTube alone, approximately 5.3 billion photos and more than 376 billion emails sent.
Only those who retain control over their own data can ultimately exercise digital sovereignty and determine what happens to it, when, and how—provided they can use and manage their digital tools independently, without relying on cloud providers or foreign jurisdictions.
How does digital sovereignty differ from IT security?
IT security protects systems technically (e.g., encryption, access controls), while digital sovereignty means legal, organisational, and technical control over systems and data. Only the combination of both creates true independence.
What is the CLOUD Act and what should European organisations do?
The US Clarifying Lawful Overseas Use of Data Act, or CLOUD Act for short , has required US companies to disclose data in the context of investigations since 2018. This gives US authorities access to personal, company-related, or even classified data—even if this data is generated and stored abroad. The CLOUD Act overrides EU law, data protection rights, and legal protection mechanisms for the citizens affected.
Microsoft has publicly portrayed the CLOUD Act as "normal" and argues that it would defend itself against unjustified requests. In fact, however, Microsoft has responded to thousands of data requests per year from US authorities in its Transparency Report; customers are usually unaware of this. Microsoft's "EU Data Boundary" initiative, which is intended to protect data from European customers, is a marketing promise—not legal protection against the CLOUD Act.
- Use client-side encryption: This gives the user control over their keys; the provider has no access.
- Use open-source and EU-based platforms: This automatically subjects the technology and providers to European data protection and compliance requirements.
- Build zero-trust and federated architectures: These guarantee decentralised control and restrict access based on rigorous permissions.
Is EU hosting sufficient to achieve digital sovereignty?
No. Storing data in Europe (data residency) does not automatically mean digital sovereignty. The decisive factors are whether providers or parent companies are subject to extraterritorial laws and whether administrative access or key management are beyond their control. Digital sovereignty therefore requires more than EU hosting. It requires legal, technical, and organisational independence.
What does "vendor lock-in" mean in unified communications and why does it prevent digital sovereignty?
Vendor lock-in describes dependence on a specific provider. Products or services tied to a particular vendor typically function only within a defined ecosystem, often integrated seemlessly with other products from the same provider, and may even create additional value when combined. Switching to alternative products frequently results in challenges—keyword: incompatibility—and/or significant costs. Examples of such communication platforms include Microsoft Teams and Zoom Phone:
- Microsoft Teams uses a proprietary signaling protocol. A SIP connection is only possible via certified session border controllers with "direct routing" or the fee-based "Operator Connect" route. Since Microsoft decides which SBC manufacturers are certified, customers are limited in their choice and dependent on Microsoft's certification policy. In addition, the use of Teams requires Azure Active Directory (Entra ID) as an identity provider. This means that the company directory is located in Microsoft's cloud and is therefore potentially vulnerable to attack.
-
In contrast, Zoom Phone supports SIP trunking, but only via Zoom's own "BYOC" architecture, which routes traffic through Zoom's cloud infrastructure. True local SIP processing without cloud involvement is not provided. Even with SSO integration via SAML/OIDC, user data, user profiles, contact lists, and organisational structures are replicated in Zoom's cloud.
- XPhone does not lock customers into proprietary signaling: customers can set up XPhone on their existing infrastructure or flexibly modernise the technical underpinnings without limiting the functionality of the UC solution. XPhone also works without a telephone system.
What is a public key infrastructure (PKI) and how does it contribute to digital sovereignty?
A public key infrastructure (PKI) refers to a structured system that can be used to generate, manage, distribute, and verify digital certificates. These serve to securely identify individuals, machines, and services digitally and are used to secure computer-based communication.
Having their own PKI enables organizations and governments to:
- use their own digital keys and certificates instead of having to rely on public certification authorities (CAs). This reduces dependence on foreign providers and mitigates geopolitical risks.
- Define which digital identities (users, devices such as IP phones and services) are trustworthy. VoIP data is transmitted over public networks. PKI can be used to ensure that a communication partner is who they claim to be, which is particularly important for protecting critical infrastructure (KRITIS).
- Securely distribute encryption keys for VoIP data: only authorised parties can decrypt the conversations. This protects against eavesdropping and strengthens data sovereignty.
- Protecting the transmission of voice data from manipulation.
Why is metadata protection important in corporate communications?
Metadata (who communicates with whom, when, and for how long) is strategically sensitive. Information about who communicates with whom, when, for how long, from which device, and from which network is often more valuable to intelligence services than the actual content of the conversation. UC platforms collect this telemetry data, for example, to identify and predict peak loads using XPhone call analysis. What happens to this data is crucial:
- Zoom has been proven to have forwarded usage data to Facebook (via the Facebook SDK in the iOS app), even for users without a Facebook account. Zoom's privacy policy allows the use of customer data for "product improvements" and AI training—opting out is possible, but not the default setting.
- Microsoft Teams transfers usage data such as meeting duration, response times, communication patterns, and even focus time to Microsoft's cloud, where it is analysed. This happens even if the customer deactivates this feature. This is a point that the German Federal Office for Information Security explicitly criticises in its recommendations for Microsoft 365.
XPhone also generatescall detail records andpresence logs. However, with the on-premises solution, unlike cloud platforms, the metadata always remains within the protected company network. Protecting this data prevents conclusions from being drawn about organisational structures and communication patterns, making it a central component of GDPR compliance and digital sovereignty.
What role does the update or release strategy play?
Communication platforms such as Microsoft Teams or Zoom roll out updates automatically and without the user's consent. In the best case scenario, features appear or disappear unintentionally, or the user interface changes (not always for the better). The impact can be significantly greater when APIs are deprecated (classified as obsolete). In the worst case, existing certifications become invalid without the customer being able to prevent it. This is a compliance nightmare, especially in regulated industries.
XPhone relies on rolling releases, which means that new features and regulatory adjustments are rolled out regularly. Customers can decide at any time whether they want to install a release or continue using the software in its current state.
Why is using AI functions in XPhone more secure than on cloud platforms?
With XPhone, the decision on AI usage lies entirely with the customer: those who want to use MCP servers or AI connections decide for themselves on providers, data flows, and limits.
At Microsoft, Copilot processes meeting transcripts, chat content, and files from Teams to generate summaries and suggestions. This processing takes place in the cloud. It is not transparent to customers whether and how this data is used for training AI models. Microsoft has amended its terms of use several times, always in favor of expanded data use. Zoom has also changed its terms and conditions to allow customer data to be used for AI training. After massive resistance, an opt-out was introduced. The fact that an opt-out is necessary instead of an opt-in shows the basic attitude.