2026-04-22

EU-Hosted Does Not Mean EU-Processed

Microsoft Copilot’s EU Data Boundary does not necessarily guarantee EU-only processing. Flex routing changes the sovereignty conversation significantly for enterprise CIOs.


Many organisations adopted Microsoft Copilot with a simple assumption:

If the service sits inside the EU Data Boundary, their data remains within Europe.

That assumption now deserves a second look.

Microsoft has introduced flex routing for Copilot. During peak demand, large language model inferencing — the stage where prompts are processed and responses generated — may occur outside the EU.

Potential destinations include:

  • United States
  • Canada
  • Australia

Unless administrators actively disable flex routing.

This is not a dramatic breach story.

It is something more common in enterprise technology:

a quiet change in operational reality.


What Actually Changed

Many organisations confuse two very different things:

  • where data is stored
  • where data is processed

They are not the same.

Microsoft states customer data at rest remains within the EU Data Boundary, with limited pseudonymised operational data potentially stored elsewhere.

But under flex routing, processing may occur outside Europe when local capacity is constrained.

That means your prompts, files, context, and requests may be handled under a different jurisdiction during inferencing.

Encrypted in transit? Yes.

Encrypted at rest? Yes.

But encryption is not the same as sovereignty, residency, or simplified compliance.


Why CIOs Should Care

This is not just a Microsoft story.

It is a governance story.

Many organisations positioned Copilot internally as:

  • enterprise-ready
  • compliant by design
  • aligned to EU expectations
  • low-friction AI adoption

Now they need to ask:

  • Was that position fully validated?
  • Did we review the default settings?
  • Has legal assessed the change?
  • Has the DPO been informed?
  • Does procurement understand the implications?
  • Have works councils been briefed where relevant?

If your compliance model relied on vendor branding rather than technical verification, this is the moment to revisit it.


The Quiet Risk of Defaults

The most important part of this story may be the least technical:

Flex routing is enabled by default for many customers.

That means some organisations may inherit cross-border processing simply by doing nothing.

This is how risk often enters large enterprises:

Not through hacks.

Not through negligence.

Through defaults no one rechecked.


Why This Lands Differently in Europe

European concerns around sovereignty are no longer theoretical.

They now intersect with:

  • GDPR
  • NIS2
  • DORA
  • public-sector procurement standards
  • growing concern around strategic dependence on non-EU hyperscalers

This does not mean US vendors are unusable.

It means European organisations increasingly need stronger evidence, clearer controls, and less ambiguity.

AI is accelerating that conversation.


What Pragmatic CIOs Should Do Now

1. Check Your Tenant Settings Immediately

Do not assume someone else already has.

2. Revalidate Your Risk Position

Legal, privacy, security, procurement.

3. Review Internal Communications

If staff were told data stays in the EU, confirm whether that remains accurate.

4. Separate Security from Sovereignty

Encryption improves security.

It does not automatically solve jurisdictional exposure.

5. Expect More of This

As AI demand grows, vendors will optimise for:

  • performance
  • capacity
  • uptime
  • customer experience

Your job is to optimise for:

  • control
  • accountability
  • regulatory alignment
  • enterprise risk

The Uncomfortable Truth About Sovereignty

Many firms believed sovereignty was something a vendor could provide.

It is not.

It is something you verify, govern, and continuously monitor.

If a vendor can materially alter cross-border processing through a settings update, sovereignty was never absolute.

It was conditional.


Closing Thought

Data sovereignty is not where your vendor stores data.

It is where they can decide to process it.