Thinking Realistically About Digital Sovereignty
The Directions on Microsoft Briefing Podcast – April 9, 2026
Host: Mary Jo Foley
Guest: Greg DiMaschelli, VP of Research, Directions on Microsoft
Episode Overview
In this episode, host Mary Jo Foley discusses the escalating topic of digital sovereignty with Greg DiMaschelli, Directions’ VP of Research. The conversation explores what digital sovereignty means in the Microsoft ecosystem, why it now matters more than ever, and how enterprises can realistically approach sovereignty-related risks. Greg discusses Microsoft’s on-premises and cloud offerings for sovereignty, the unique risks in today’s subscription-based IT landscape, and practical frameworks for managing these risks, all while offering valuable advice for business and IT leaders navigating this complex territory.
Key Discussion Points and Insights
1. What Is Digital Sovereignty and Why Now?
- Definition & Context
  - Digital sovereignty is about controlling your organization’s fate regarding its digital infrastructure, particularly from the influence or intervention of foreign governments and agencies.
  - “Sovereignty implies control of your own destiny. And so digital sovereignty is the ability for companies to basically control their own fate when it comes to their digital infrastructure, in particular, to control that from foreign governments and agencies.” — Greg DiMaschelli [02:00]
- Why It’s Suddenly Important
  - The shift from owned, on-premises software to cloud and SaaS has introduced new types of risk.
  - Global events have made regulatory changes, trade barriers, and service disruptions more likely and their impact potentially devastating.
  - “The temperature on this has been slowly turning up and now there are companies starting to say, we're starting to get at a boiling here.” — Greg [02:00-03:56]
2. Three Categories of Digital Sovereignty Risk
- Regulatory Risk: Sudden imposition of new rules by foreign governments.
- Data Access Risk: Unauthorized or unknown government access to sensitive company data.
- Service Disruption Risk: Forced cutoff of technology access by legal (or technical) means, potentially at the government’s directive.
- “I think of the risks in three broad categories. The first category is a regulatory risk. The second one is data access. The third is service disruption.” — Greg [04:05]
3. Digital Sovereignty as “Insurance”
- Companies must weigh:
  - Likelihood of disruption
  - Consequence of disruption (from inconvenience to existential threat)
  - Effectiveness of Microsoft’s safeguards
  - True costs, including opportunity cost and lost features
- “It’s insurance... everybody has to make their own evaluation.” — Greg [04:55]
4. On-Premises Sovereignty Solutions
- “Back to the Future”
  - Returning workloads to on-premises gives maximum control but at a high cost:
    - Hardware purchasing, maintenance, skills deficit, and opportunity cost (stagnating features).
    - “If you can bring a workload on Prem, there is no doubt that is the most effective solution. But it also is the one that has the highest costs.” — Greg [07:00]
- Product Rundown
  - Windows Server: Highest protection, least modern functionality; “It's back to you manage everything.” [08:28]
  - Azure Local: Aims to bring Azure-like features on-prem; still subscription-based and prone to the same disconnection risks unless “air-gapped” with special permission.
  - Sovereign Private Cloud: The most promising—but not fully realized—combination of Exchange, SharePoint, Skype, Foundry, and Azure Local intended to enable “workload mobility” (move from cloud to on-prem and back).
- Major Caveat: On-premises server products lag behind their cloud counterparts.
  - “These are the SE versions and they've been sort of frozen in Carbonite ever since Microsoft went all in on the cloud.” — Greg [10:53]
  - “You are not getting the same capabilities as you got in the cloud. In addition to you are now back to managing Exchange and managing SharePoint.” — Greg [11:12]
5. Cloud-Based Digital Sovereignty Offerings
- Sovereign Public Cloud (EU-specific)
  - Specialized Azure “mini regions” within Europe, with added data residency and access safeguards (e.g., tamper-evident logs).
  - Major support for Microsoft 365 and Power Platform only.
  - Strongest protections require “Customer Managed encryption keys.” Without these, companies don’t have meaningful data access protection.
  - “With customer managed encryption keys, Microsoft can only give up encrypted data because you hold the keys.” — Greg [15:58]
- National Partner Clouds
  - Operated completely by independent local partners, designed for government/public sector needs with top-to-bottom domestic control.
  - Not generally appropriate for global/multinational enterprises.
  - “They're not really suitable for a multinational enterprise or enterprises in general to use.” — Greg [17:15]
6. The Case for Prioritizing Business Continuity Over “Pure” Digital Sovereignty
- No Silver Bullet
  - There’s no comprehensive, perfect sovereignty solution outside of abandoning cloud entirely — too many “holes.”
  - Companies should adopt a disaster-recovery mindset:
    - Assess their own unique risk profiles.
    - Prioritize based on workload criticality and exposure.
    - Define acceptable “time to recovery” for each workload.
  - “Given that any of the outcomes we're talking about would be kind of disastrous. I think you need a disaster recovery mindset... Every company should do their [own] risk analysis. Every company's exposure... is different.” — Greg [17:36]
  - “Start with those workloads that you've identified as highly essential and that have the highest risk. And the third point is: any of these events is a disaster. In a disaster recovery scenario, you focus on time to recovery.” — Greg [18:44]
7. Microsoft’s Unique Position in the Market
- Best Positioned Among Cloud Providers
  - Microsoft’s neglected-but-existing on-premises products offer more sovereignty options than AWS or Google.
    - “Of the three big clouds Microsoft is actually best positioned here. They have on prem products even if they've been neglected for years.” — Greg [20:30]
    - AWS Outposts “have really gone nowhere;” GCP’s Anthos “flamed out.” [20:45]
    - Will Microsoft reinvest in on-prem? “Maybe defrost the Carbonite a little bit. Let's see Han Solo come out alive. I think that would be very interesting to watch... That will be the biggest sign to me that Microsoft is really taking this seriously.” — Greg [21:05]
Notable Quotes and Memorable Moments
- “The modern world of everything is by subscription. It runs in a data center on hardware you don't own, operated by somebody who isn't your employee.” — Greg [02:16]
- “If you go back to On Prem, you are going to be stuck with versions that lack features that you may be used to.” — Greg [07:34]
- “Other than completely abandoning cloud and SaaS, there is no complete solution. There are just too many holes.” — Greg [17:36]
- “Skype for Business Server is never going away. That's what you're telling us, right?” — Mary Jo [21:36]
- “As much as I might wish it.” — Greg (on Skype for Business Server) [21:43]
Timestamps for Key Segments
- [02:00] What is Digital Sovereignty? Why now?
- [04:05] Three types of digital sovereignty risk
- [06:39] Framework for evaluating sovereignty solutions as “insurance”
- [07:00] On-premises options: Windows Server, Azure Local, Sovereign Private Cloud
- [10:53] The limitations and stagnation of on-premises server products
- [13:33] Cloud sovereignty: Sovereign Public Cloud and National Partner Clouds
- [15:58] Customer managed encryption keys and their importance
- [17:36] Why business continuity/disaster recovery should be the core focus
- [20:30] Microsoft’s position vs. AWS and GCP
Closing Thoughts
Greg and Mary Jo underscore that digital sovereignty is nuanced and complex—there are no turnkey solutions, only trade-offs between sovereignty, risk, functionality, and cost. Companies must perform their own risk assessments and balance disaster recovery preparedness with practicality. Microsoft’s position, with its legacy of on-prem and now cloud-based sovereignty offerings, gives it a unique edge, but customers should be cautious not to assume feature parity or perfect protection.
For more analysis and coverage, visit Directions on Microsoft.
