Microsoft’s ‘data sovereignty’ promise for Europe comes with an asterisk. Starting April 17, 2026, the company will begin sending Copilot data to foreign servers for processing.
With the introduction of flex routing for Microsoft 365 Copilot, Large Language Model (LLM) inferencing — the step where your data is actually processed — may take place in the US, Canada, or Australia when European data center capacity runs short.
These changes are being applied by default. For new customer accounts created after March 25, 2026, flex routing is already on. For everyone else, it will be enabled automatically unless you opt out. (Instructions on how to do that below.)
If your business is based in the European Union or the European Free Trade Association (EFTA), this isn’t a small technical update. Flex routing changes whether your AI workflows stay within the EU or leave it without your knowledge. And it highlights what Big Tech’s version of digital sovereignty really means for Europe: They’re still in control.
What is flex routing?
Inferencing is the moment an AI model processes your prompt to generate a response, whether that’s summarizing a document, answering a question, or drafting content. By the time this happens, your data has already been assembled. Even if your data is stored in Europe, it may now be processed elsewhere — automatically, under a non-EU jurisdiction.
EU-hosted does not mean EU-processed
Microsoft makes it clear that data will remain encrypted in transit and at rest. That might reassure some customers. But if you’re operating under frameworks like the General Data Protection Regulation (GDPR), the Network and Information Security Directive (NIS2), or the Digital Operational Resilience Act (DORA), protecting data in storage and transmission isn’t enough.
Processing (or inference) is where exposure can occur. And under flex routing, that point can now move.
For an AI model to perform inference, data must be made accessible for computation. Your prompts, emails, files, and metadata are gathered and sent to the model. With flex routing, that package can be processed outside the EU.
Where your data is processed matters — even if it’s encrypted on the way in and out.
The burden of compliance is yours
Microsoft’s decision to make flex routing a default feature is a red flag. Research shows that most people don’t bother to check their defaults or update them. If data sovereignty was something the company cared about for its European customers, it would not have implemented flex routing automatically.
It also puts your compliance department on notice that vendors may suddenly decide to change an important policy. You are now responsible for monitoring vendor updates, interpreting their implications, and adjusting settings to remain compliant. This may seem unfair if you selected a US-based vendor under the impression your data sovereignty was important to them.
What EU businesses can do now
- Disable flex routing. If your policies require EU-only processing, don’t rely on defaults.
  - Sign in to the Microsoft 365 admin center as an administrator assigned the AI Administrator role.
  - Go to Copilot -> Settings -> Flexible inferencing during peak load periods.
  - Select Do not allow flex routing.
- Understand cross-border implications. Your current setup may not meet your business requirements. Consider:
  - Data transfer obligations under GDPR and sector-specific rules
  - Internal data residency policies and contractual commitments
  - Legal access and oversight in non-EU jurisdictions
- Audit AI-specific data flows closely. Most businesses know where data is stored. Fewer know where it’s processed. Start questioning:
  - Where your data is processed
  - Whether there are laws that can compel third-party data disclosure
  - Who can access data during processing and if that can change
- Choose vendors that are transparent about how they process your data. Proton’s AI assistant processes data exclusively on European servers and publishes a detailed description of its security model.
Flex routing reveals something deeper about data governance
If your vendors are based in the US, you’re relying on systems built for a different regulatory reality — one you don’t control, but still have to answer to.
Software updates, support, legal policies, and pricing decisions are made in Silicon Valley or Seattle. The rules your vendor follows are set in Washington. But your business is held to European standards.
That’s why more companies are starting to look at European alternatives to Big Tech. When your infrastructure, policies, and legal framework are aligned with the region you operate in, data sovereignty becomes enforceable, not conditional.






